Remote command execution is not working on Wazuh 4.14.3
37 views
Skip to first unread message
Henry Valero
Feb 21, 2026, 5:27:13 PM (2 days ago) Feb 21
to Wazuh | Mailing List
Hello:
I'm following the use case in this article:
wazuh_command.remote_commands=1
in the Windows agent's on the local_internal_options.conf file, but I haven't been able to get it to work.
Can you tell me what I'm missing or what I'm forgetting to do?
I performed the tests in Wazuh Manager v 4.14.3 and as a Windows 10 Pro agent
Thanks
Atte,
Henry
hasitha.u...@wazuh.com
Feb 22, 2026, 12:15:51 AM (2 days ago) Feb 22
to Wazuh | Mailing List
Hi Henry,
Please allow me some time. I will replicate this on my end and come up with the findings. Thanks!
Please allow me some time. I will replicate this on my end and come up with the findings. Thanks!
hasitha.u...@wazuh.com
Feb 22, 2026, 2:25:41 AM (2 days ago) Feb 22
to Wazuh | Mailing List
Hi Henry,
1. Install Wazuh agent on Windows 11 host.
2. Configure the remote command execution on the agent side.
When setting commands in a shared agent configuration, you must enable remote commands for Agent Modules.
This is enabled by adding the following line to the file C:\Program Files (x86)\ossec-agent\local_internal_options.conf in the agent:
wazuh_command.remote_commands=1
Then add windows_hardening.bat into the C: drive on the agent side, and add the blog explain bat script content into that file and save it.
After that, add this configuration into agent.conf file.
Wazuh agent group config
After applying this configuration Click Save. It will restart the Wazuh agent once you save the file.
Then check the logs of the agent if it restarted successfully or not with the timestamp.
I wasn't able to test this on Windows 10, but I did test it on Windows 11, and it's working as expected with the configuration we set up on the agent side.
Followed the steps below.1. Install Wazuh agent on Windows 11 host.
2. Configure the remote command execution on the agent side.
When setting commands in a shared agent configuration, you must enable remote commands for Agent Modules.
This is enabled by adding the following line to the file C:\Program Files (x86)\ossec-agent\local_internal_options.conf in the agent:
wazuh_command.remote_commands=1
Then add windows_hardening.bat into the C: drive on the agent side, and add the blog explain bat script content into that file and save it.
After that, add this configuration into agent.conf file.
Wazuh agent group config
<wodle name="command">
<disabled>no</disabled>
<command>powershell.exe C:\windows_hardening.bat</command>
<interval>7d</interval>
<ignore_output>yes</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>
After applying this configuration Click Save. It will restart the Wazuh agent once you save the file.
Then check the logs of the agent if it restarted successfully or not with the timestamp.
If the issue persists, let me know, and I'll try to replicate it on Windows 10. I'm currently using a Mac and can't deploy a Windows 10 Vagrant box since there isn't one available for ARM architecture. Just give me an update, and if it's still not working, I'll find a way to test it on Windows 10.
Let me know the update on this.Henry Valero
Feb 23, 2026, 10:29:01 PM (6 hours ago) Feb 23
to Wazuh | Mailing List
Hi, Thanks Hasitha:
I've tried modifying the ossec.conf file directly in the agent and it works, but it still doesn't work through centralized agents. The tests were done on Windows 10 Pro. Could you please verify this?
Atte,
Henry
hasitha.u...@wazuh.com
2:55 AM (1 hour ago) 2:55 AM
to Wazuh | Mailing List
Hi Henry,
I have tested on the Windows 10 Pro host similar to yours, and it's working without any issues.
The earlier score was 28, and it has now changed to 45 after configuring through the agent group.
Please check the Windows agent ossec.log and share it with me to check further.
Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log
Windows 32-bit: C:\Program Files\ossec-agent\ossec.log
Also, please verify that you have placed the windows_hardening.bat file in the C:\ drive?
You can share the ossec.log from the agent side, so I can check further.
I have tested on the Windows 10 Pro host similar to yours, and it's working without any issues.
The earlier score was 28, and it has now changed to 45 after configuring through the agent group.
Please check the Windows agent ossec.log and share it with me to check further.
Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log
Windows 32-bit: C:\Program Files\ossec-agent\ossec.log
Make sure to save the file from the GUI after adding this Wazuh config to the agent.conf file, which will trigger an agent restart. Also, ensure the agent has been added to the agent group.
- <wodle name="command">
- <disabled>no</disabled>
- <command>powershell.exe C:\windows_hardening.bat</command>
- <interval>7d</interval>
- <ignore_output>yes</ignore_output>
- <run_on_start>yes</run_on_start>
- <timeout>0</timeout>
- </wodle>
You can share the ossec.log from the agent side, so I can check further.
Reply all
Reply to author
Forward
0 new messages