Hello! Thank you for reaching out to us!
For example, to get the alerts from the index wazuh-alerts-4.x-*, this should be the URL to query:
https://{ip_address}:9200/wazuh-alerts-4.x-*/_search?
This is an example body, where you will indicate the search filters:
    {
      "query": {
        "bool": {
          "must": []
        }
      },
      "size": 10,
      "sort": [
        {
          "timestamp": {
            "order": "desc"
          }
        }
      ]
    }
As an alternative, using the Wazuh archives without using the API may also work for your case. Your Wazuh manager stores all alerts and events in /var/ossec/logs/archives and /var/ossec/logs/alerts, both as a log file and in JSON format. Older files are moved to subdirectories referenced by the creation date.
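The following is an added worked example, not code from the reply above or from the Wazuh project: it fills the empty "must" array of the body shown in the reply with concrete filters (rule level, time window, optional agent name), sends the request to the indexer's _search endpoint with HTTP basic auth, and flattens the hits. The host, port, index pattern, credentials and CA path are assumptions to be replaced with your own values, and the sample response at the bottom is constructed so the parsing can be exercised offline.

```python
import base64
import json
import ssl
import urllib.request

# Assumed connection details (not from the original reply): adjust to your deployment.
INDEXER_URL = "https://127.0.0.1:9200"                # assumption: {ip_address}:9200
INDEX_PATTERN = "wazuh-alerts-4.x-*"
INDEXER_USER = "admin"                                # assumption: use a read-only user in practice
INDEXER_PASSWORD = "admin"                            # assumption: replace with the real password
CA_CERT = "/etc/wazuh-indexer/certs/root-ca.pem"      # assumption: indexer CA; None skips verification (lab only)


def build_query(min_level=10, agent_name=None, hours=24, size=10):
    """Fill the 'must' array of the _search body with concrete filters:
    rule.level >= min_level, timestamp within the last `hours` hours (indexer date math),
    and optionally an exact match on agent.name. Newest alerts come first."""
    must = [
        {"range": {"rule.level": {"gte": min_level}}},
        {"range": {"timestamp": {"gte": f"now-{hours}h"}}},
    ]
    if agent_name:
        must.append({"term": {"agent.name": agent_name}})
    return {
        "query": {"bool": {"must": must}},
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
    }


def search_alerts(body, url=INDEXER_URL, index=INDEX_PATTERN,
                  user=INDEXER_USER, password=INDEXER_PASSWORD, ca_cert=CA_CERT):
    """POST the body to <url>/<index>/_search with basic auth and return the parsed JSON."""
    if ca_cert:
        ctx = ssl.create_default_context(cafile=ca_cert)
    else:  # lab only: no certificate validation
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{url}/{index}/_search",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def summarize_hits(response):
    """Reduce a _search response to the fields an analyst usually wants to see."""
    rows = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        rule = src.get("rule", {})
        rows.append({
            "timestamp": src.get("timestamp"),
            "agent": src.get("agent", {}).get("name"),
            "rule_id": rule.get("id"),
            "level": rule.get("level"),
            "description": rule.get("description"),
        })
    return rows


# Constructed sample response (not real data) so the parsing can be run offline.
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "hits": [
            {"_index": "wazuh-alerts-4.x-2024.05.01", "_id": "h1",
             "_source": {"timestamp": "2024-05-01T10:15:00.000+0000",
                         "agent": {"id": "001", "name": "web01"},
                         "rule": {"id": "100010", "level": 12,
                                  "description": "Constructed rule: repeated SSH failures"}}},
            {"_index": "wazuh-alerts-4.x-2024.05.01", "_id": "h2",
             "_source": {"timestamp": "2024-05-01T09:58:30.000+0000",
                         "agent": {"id": "002", "name": "db01"},
                         "rule": {"id": "100011", "level": 10,
                                  "description": "Constructed rule: new user account created"}}},
        ]
    }
}


if __name__ == "__main__":
    body = build_query(min_level=10, agent_name="web01", hours=24, size=10)
    print(json.dumps(body, indent=2))
    # Once the connection details above are real, replace SAMPLE_RESPONSE with search_alerts(body).
    for row in summarize_hits(SAMPLE_RESPONSE):
        print(row)
```

The "term" clause relies on agent.name being a keyword field in the Wazuh index template; for free-text fields such as rule.description use "match" instead, and keep the time range in the query so the indexer does not scan every daily index behind the wildcard.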
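For the archive route mentioned in the reply, here is an added example (not code from the reply or from Wazuh) that reads the JSON archives straight from disk and applies the same level and agent criteria. It assumes the live file is archives.json under /var/ossec/logs/archives, that rotated copies are gzip-compressed .json.gz files in the dated subdirectories, and that archives are enabled via <logall_json>yes</logall_json> in ossec.conf; the sample events are constructed. The point it illustrates beyond the reply is that archives hold every received event, so entries that matched no rule have no "rule" key, and the tail of the live file may contain a half-written line.

```python
import gzip
import json
import tempfile
from pathlib import Path

# Assumed defaults (not from the original reply). The live file is archives.json; rotated copies are
# assumed to sit below <year>/<Mon>/ as ossec-archive-<DD>.json.gz.
ARCHIVES_DIR = Path("/var/ossec/logs/archives")


def iter_events(path):
    """Yield one parsed event per line, transparently reading .gz rotations.
    Blank and malformed lines (e.g. a half-written tail of the live file) are skipped."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue


def filter_events(events, min_level=None, agent_name=None):
    """Keep events with rule.level >= min_level and/or an exact agent.name.
    Events that matched no rule carry no 'rule' key; they survive only when no level filter is set."""
    out = []
    for ev in events:
        if agent_name and ev.get("agent", {}).get("name") != agent_name:
            continue
        level = ev.get("rule", {}).get("level")
        if min_level is not None and (level is None or level < min_level):
            continue
        out.append(ev)
    return out


def load_archives(root=ARCHIVES_DIR, min_level=None, agent_name=None):
    """Read the live archives.json plus every rotated *.json.gz below root, then filter."""
    files = [root / "archives.json"] if (root / "archives.json").exists() else []
    files += sorted(root.rglob("*.json.gz"))
    events = (ev for f in files for ev in iter_events(f))
    return filter_events(events, min_level=min_level, agent_name=agent_name)


# Constructed sample (not real data): two rule matches, one event without a rule, one truncated line.
SAMPLE_LIVE_LINES = [
    json.dumps({"timestamp": "2024-05-01T10:15:00.000+0000", "agent": {"id": "001", "name": "web01"},
                "rule": {"id": "100001", "level": 3, "description": "Constructed: low-severity event"},
                "full_log": "constructed line 1"}),
    json.dumps({"timestamp": "2024-05-01T10:16:00.000+0000", "agent": {"id": "001", "name": "web01"},
                "full_log": "constructed line that matched no rule"}),
    json.dumps({"timestamp": "2024-05-01T10:17:00.000+0000", "agent": {"id": "002", "name": "db01"},
                "rule": {"id": "100002", "level": 10, "description": "Constructed: high-severity event"},
                "full_log": "constructed line 3"}),
    '{"timestamp": "2024-05-01T10:18:00.000+0000", "agent": {"id": "002",',  # truncated write
]
SAMPLE_ROTATED_LINE = json.dumps({"timestamp": "2024-04-30T23:59:00.000+0000",
                                  "agent": {"id": "001", "name": "web01"},
                                  "rule": {"id": "100003", "level": 12, "description": "Constructed: critical"},
                                  "full_log": "constructed rotated line"})


def write_sample_archives(root):
    """Lay the constructed sample out in the assumed on-disk structure and return root."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "archives.json").write_text("\n".join(SAMPLE_LIVE_LINES) + "\n", encoding="utf-8")
    rotated_dir = root / "2024" / "Apr"
    rotated_dir.mkdir(parents=True, exist_ok=True)
    with gzip.open(rotated_dir / "ossec-archive-30.json.gz", "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_ROTATED_LINE + "\n")
    return root


def demo():
    """Run the filters over the sample in a temporary directory and return the match counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_sample_archives(Path(tmp) / "archives")
        return {
            "all": len(load_archives(root)),
            "level_ge_10": len(load_archives(root, min_level=10)),
            "web01": len(load_archives(root, agent_name="web01")),
            "web01_ge_10": len(load_archives(root, min_level=10, agent_name="web01")),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as root or as a member of the wazuh group, since /var/ossec/logs is not world-readable; point load_archives at /var/ossec/logs/alerts and alerts.json instead if you only want events that fired a rule.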