Can Wazuh Manager Monitor itself?

Dinie Rosli

Oct 13, 2022, 12:20:31 AM
to Wazuh mailing list
Hi all, basically the title.

Can a Wazuh Manager (in a single instance, not docker) monitor itself? As in, install wazuh-agent on the Manager server as well, so that it pops up in the dashboard?
I tried installing wazuh agent and it kind of made my server go haywire and OOM, and I had to reboot it. But that may be due to my instance having low memory.

Henadence Anyam

Oct 13, 2022, 1:25:52 AM
to Wazuh mailing list
Hello Dinie!
Thank you for using Wazuh!

By default, the Wazuh server monitors itself. The manager includes an agent with ID: 000 when you install it. So you do not need to install the agent on the manager to achieve this.
Although the manager is not listed in the dashboard, you can run the command below with root privileges on your manager to view it:
/var/ossec/bin/agent_control -lc
To check the server alerts, go to Security events, Event section, and filter by agent.id:"000"

Let me know if that was helpful.

Best regards.

Dinie Rosli

Oct 13, 2022, 5:11:01 AM
to Wazuh mailing list
Hi Forku,

Yes, it was helpful! Thank you! However, it seems the monitoring of itself is somewhat lacking? All the other agents have over 300+ logs in the security events, but for agent 000 (the manager itself), there are only 34 hits when I filter it by agent ID.

And it was also missing the Vulnerabilities scanning report that comes with the other agents, such as CIS Benchmark for Amazon Linux 2, or PCI DSS. Is there a way for me to view this for the manager?

Henadence Anyam

Oct 13, 2022, 6:46:35 AM
to Wazuh mailing list
Hello Dinie,

Security Configuration Assessment (SCA) is enabled by default and provides out-of-the-box checks that are used for systems hardening. It runs configuration checks against pre-defined policies to help meet regulatory compliance.
But vulnerability scanning is not enabled by default. For you to see the vulnerabilities scanning report, you have to enable the module, which I think you already have. Next, you also have to enable the provider for the vulnerability feeds. We currently have support for the following distributions.

So if your server is installed on one of those distributions, kindly enable the provider, and you will be able to see the scanning report for the server. 
You can find more details on running vulnerability scanning here.

Hope that was helpful.
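
An offline counterpart to the agent.id:"000" filter discussed above, as an added example that is not part of the thread or of Wazuh's own tooling: it tallies alerts per agent from JSON alert lines and reports which module rule groups (sca, vulnerability-detector) produced nothing for the manager. The sample lines, agent names, rule ids and the helper names summarize and missing_modules are constructed for illustration, and the script assumes the JSON alert log format with one object per line.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Wazuh's JSON alert log (one object per
# line, default path /var/ossec/logs/alerts/alerts.json). All values invented.
SAMPLE_ALERTS = """\
{"agent":{"id":"000","name":"manager"},"rule":{"id":"5715","groups":["syslog","sshd"]}}
{"agent":{"id":"000","name":"manager"},"rule":{"id":"19007","groups":["sca"]}}
{"agent":{"id":"001","name":"web01"},"rule":{"id":"19007","groups":["sca"]}}
{"agent":{"id":"001","name":"web01"},"rule":{"id":"23505","groups":["vulnerability-detector"]}}
{"agent":{"id":"001","name":"web01"},"rule":{"id":"5715","groups":["syslog","sshd"]}}
{"agent":{"id":"000","name":"mana
{"agent":{"id":"000","name":"manager"},"rule":{"id":"502","groups":["ossec"]}}
"""

def summarize(lines):
    """Return ({agent_id: {"total": n, "groups": Counter}}, skipped_line_count)."""
    per_agent = defaultdict(lambda: {"total": 0, "groups": Counter()})
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            agent_id = alert["agent"]["id"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # truncated write or a line that is not an alert
            continue
        entry = per_agent[agent_id]
        entry["total"] += 1
        entry["groups"].update(alert.get("rule", {}).get("groups", []))
    return dict(per_agent), skipped

def missing_modules(summary, agent_id="000",
                    modules=("sca", "vulnerability-detector")):
    """Module rule groups that produced no alerts for the given agent."""
    seen = summary.get(agent_id, {"groups": Counter()})["groups"]
    return [m for m in modules if seen[m] == 0]

if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_ALERTS.splitlines())
    for agent_id, entry in sorted(summary.items()):
        print(agent_id, entry["total"], dict(entry["groups"]))
    print("skipped lines:", skipped)
    print("no alerts for agent 000 from:", missing_modules(summary))
```

To run it against a real manager, pass the lines of the alert log to summarize in place of the sample.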

DG

Oct 27, 2022, 10:53:24 AM
to Wazuh mailing list
So I have wazuh installed in single-mode in docker. However, the base OS is not being monitored by wazuh. Do I have to install the agent on the base OS in order to gain visibility? If a user ssh's into the OS or tries to brute-force the login page of the Wazuh GUI, how can I get visibility into this?

Thanks