Remote command execution is not working on Wazuh 4.14.3
Henry Valero
wazuh_command.remote_commands=1
hasitha.u...@wazuh.com
Please allow me some time. I will replicate this on my end and come up with the findings. Thanks!
hasitha.u...@wazuh.com
I wasn't able to test this on Windows 10, but I did test it on Windows 11, and it's working as expected with the configuration we set up on the agent side.
Followed the steps below.1. Install Wazuh agent on Windows 11 host.
2. Configure the remote command execution on the agent side.
When setting commands in a shared agent configuration, you must enable remote commands for Agent Modules.
This is enabled by adding the following line to the file C:\Program Files (x86)\ossec-agent\local_internal_options.conf in the agent:
wazuh_command.remote_commands=1
Then add windows_hardening.bat into the C: drive on the agent side, and add the blog explain bat script content into that file and save it.
After that, add this configuration into agent.conf file.
Wazuh agent group config
After applying this configuration Click Save. It will restart the Wazuh agent once you save the file.
Then check the logs of the agent if it restarted successfully or not with the timestamp.
If the issue persists, let me know, and I'll try to replicate it on Windows 10. I'm currently using a Mac and can't deploy a Windows 10 Vagrant box since there isn't one available for ARM architecture. Just give me an update, and if it's still not working, I'll find a way to test it on Windows 10.
Let me know the update on this.Henry Valero
hasitha.u...@wazuh.com
I have tested on the Windows 10 Pro host similar to yours, and it's working without any issues.
The earlier score was 28, and it has now changed to 45 after configuring through the agent group.
Please check the Windows agent ossec.log and share it with me to check further.
Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log
Windows 32-bit: C:\Program Files\ossec-agent\ossec.log
Make sure to save the file from the GUI after adding this Wazuh config to the agent.conf file, which will trigger an agent restart. Also, ensure the agent has been added to the agent group.
- <wodle name="command">
- <disabled>no</disabled>
- <command>powershell.exe C:\windows_hardening.bat</command>
- <interval>7d</interval>
- <ignore_output>yes</ignore_output>
- <run_on_start>yes</run_on_start>
- <timeout>0</timeout>
- </wodle>
You can share the ossec.log from the agent side, so I can check further.
Henry Valero
C:\Program Files (x86)\ossec-agent\ossec.log
atte,
hasitha.u...@wazuh.com
I suggested checking on the agent side because this issue seems to be specific to Windows 10 Pro. In my testing, it worked fine, so if you can verify things from the agent side as well, it will help us understand exactly where the issue might be.
Also, when you configure and save changes in the agent.conf file, the agent restarts automatically. However, we can’t view the agent’s local logs from the manager, so checking the logs directly on the agent will give us better visibility for further troubleshooting.
If there are no files in that location, could you please confirm whether the Wazuh agent is installed on that host? Those files will only be created after a successful agent installation.
Please press Win + R, type services.msc, and check for the Wazuh service.
See if it is listed and make sure its status is Running.
If the service is not running or not present, you may need to install the agent by following this guide:
https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-windows.html
Also, please try running the following command manually in Command Prompt and share the result so we can investigate further:
powershell.exe C:\windows_hardening.bat
Let me know how it goes.