Wazuh’s OpenSCAP component talk at Linux Days conference, April 29th in Graz, Austria

We thank our friend and contributor Theresa Meiksner for writing and sharing this post!

Wazuh has now integrated OpenSCAP into the brand-new v2.0 release.

I’m presenting this new release on Saturday, April 29th 2017, as part of the Linux Days conference in Graz, Austria. Come and see my talk to find out why Wazuh has integrated OpenSCAP as part of Wazuh v2.0 and how the results of the OpenSCAP definitions and checks can be viewed in your Wazuh environment.

Aligning the company’s infrastructure to comply with specific compliance requirements usually […]

April 27th, 2017

Wazuh v2.0 released!

Hi everyone,

I am happy to announce that Wazuh v2.0 has just been released!

As many of you already know, it includes the integration of our forked version of OSSEC with OpenSCAP and Elastic Stack 5. In addition, we improved some core capabilities for infrastructure security monitoring, and developed a new WUI in the form of a Kibana app.

Here are the highlights of the new release:

Log analysis and management new features

  • Modified OSSEC analysis engine to support dynamic data analysis, being able to extract as many fields from a raw log as […]

April 24th, 2017

Blocking attacks with Active Response

In this post, we will discuss how to block an attack using the active response feature in OSSEC. Active response allows OSSEC to run commands on an agent in response to certain triggers. In this example we simulate an SSH brute-force attack.

Detecting the attack

First of all, we need to know when to execute the response. We can use one of the following options:

  • Rule ID: The response will be executed on any event with the defined ID.
  • Rule group: The response will be executed on any event in the defined group.
  • Level: The response will be executed on any event with this level or higher.

In […]

May 19th, 2016

Monitoring Network Devices with OSSEC HIDS

OSSEC can be used to monitor a wide range of network devices. Switches, firewalls, and routers can be monitored for successful or failed logins, alerting if a port is down or if a VLAN has changed, as well as reporting any errors on the device. This can be accomplished via syslog data sent from the device (if supported) or through an SSH tunnel to the device in an agentless configuration. In this article, I will discuss the different methods that can be used to monitor network devices and cover some basics of the Wazuh HIDS agentless configuration. […]

May 17th, 2016

Report Windows Firewall events through Event Channel

Windows Event Channel monitoring in OSSEC is the modern successor to Event Log monitoring and, unlike Event Log, lets you write queries to filter events. In this case we will configure OSSEC to monitor the events logged when the Windows Firewall is started or stopped, and when a rule is created, modified or removed.

Identifying Windows Firewall events

  • ID 2003: The firewall was activated for a profile.
  • ID 2004: A new rule was created.
  • ID 2005: A rule was modified.
  • ID 2006: A rule was […]

May 12th, 2016

Automatically deploying OSSEC to Windows using Wazuh API

In some environments the hardest part of the deployment process is the installation of OSSEC on Windows endpoints. Wazuh has created a tool to install, register and connect Windows agents using the capabilities of the RESTful API combined with a PowerShell script.

Prerequisites

  • Wazuh HIDS v1.1+
  • Wazuh RESTful API v1.2+
  • PowerShell v2.0+ (built into Windows Server 2008 R2 or later)

Process explanation

The PowerShell script covers two different processes in order to deploy an agent.

The first one is the installation. The script runs the agent installer; once it completes, OSSEC is installed by default in the C:\ossec-agent\ folder.

The second one is registering the agent, […]

May 6th, 2016

Configuring OSSEC to report file changes

In this article we will learn how to configure OSSEC, using the report_changes option, to obtain the exact content changes of a file that has been modified. This configuration option is only available for Unix/Linux systems, and it works only for text files.

The syscheck component works as follows: each agent scans the files and directories predefined by the user and sends all their checksums to the manager. The manager then stores those checksums, compares them with the previous data and looks for those that don’t match. An alert is triggered for every single mismatch found.

[…]

May 3rd, 2016

File Integrity Monitoring and Windows security policies

OSSEC is used for file integrity monitoring by thousands of companies. In this tutorial I will show you how to set up Windows group policies, create custom decoders for security events, and apply rules for when an event occurs.

Prerequisites

  • A Manager with Wazuh HIDS v1.1
  • Windows Agent (in this example, I will be using Windows Server 2012 R2)
  • Test Lab (optional)

Step 1: Create a test user on your Windows agent

Tools → Computer Management → Local Users and Groups → Users

I created Jtest (short for Joe test user) and then added […]

May 3rd, 2016

Updating your ruleset automatically

The ruleset is one of the most important parts of OSSEC. Thanks to the ruleset, OSSEC is able to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, etc.

At this time, there are two ways to update the ruleset: wait for a new OSSEC release, or review the official repository for new rules, decoders and rootchecks. Wazuh is very aware of this, so we work every day to improve the ruleset by updating the out-of-the-box rules provided by OSSEC and adding new ones. All these changes are published in our rules repository. I encourage you to visit […]

April 25th, 2016

File Integrity Monitoring and Wazuh RESTful API

The goal of this article is to explain how to set up a basic configuration of FIM (File Integrity Monitoring) using the syscheck component in OSSEC. After that, we will check the files being monitored using the Wazuh RESTful API.

Prerequisites

  • Wazuh HIDS v1.1
  • Wazuh RESTful API v1.2

Configure FIM in a Windows Agent

The syscheck daemon is the main process used for FIM in OSSEC; however, we need to change some options in order to configure it.

On the OSSEC agent (your Windows host), open the file ossec.conf, usually located in the default installation folder C:\Program Files (x86)\ossec-agent, look for the section, then add the files […]

April 15th, 2016