Wazuh modules
1,417 views
Skip to first unread message
Adebabay Gelaw
Oct 21, 2021, 3:01:16 AM10/21/21
to Wazuh mailing list
How to disable/remove modules?
I want only security events and integrity monitoring (FIM) modules form all wazuh modules
victor....@wazuh.com
Oct 21, 2021, 3:36:32 AM10/21/21
to Wazuh mailing list
Hello adebabay,
You can disable all unwanted modules by changing the manager/agent's configuration (/var/ossec/etc/ossec.conf). In order to do that, change the disabled field value to yes and the enabled to no of every module you want to disable.
If you only want to use FIM and the log data collection module, you should disable the following: rootcheck, syscollector, sca and vulnerability detector :
<rootcheck>
<disabled>yes</disabled>
...
</rootcheck>
<wodle name="syscollector">
<disabled>yes</disabled>
...
</wodle>
<sca>
<enabled>no</enabled>
...
</sca>
<vulnerability-detector>
<enabled>no</enabled>
...
</vulnerability-detector>
<active-response>
<disabled>yes</disabled>
...
</active-response>
If you have multiple agents in which you want to disable certain modules I recommend you to use a centralized configuration. In order to do that follow this documentation page https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
If you have any doubt do not hesitate to ask
You can disable all unwanted modules by changing the manager/agent's configuration (/var/ossec/etc/ossec.conf). In order to do that, change the disabled field value to yes and the enabled to no of every module you want to disable.
If you only want to use FIM and the log data collection module, you should disable the following: rootcheck, syscollector, sca and vulnerability detector :
<rootcheck>
<disabled>yes</disabled>
...
</rootcheck>
<wodle name="syscollector">
<disabled>yes</disabled>
...
</wodle>
<sca>
<enabled>no</enabled>
...
</sca>
<vulnerability-detector>
<enabled>no</enabled>
...
</vulnerability-detector>
<active-response>
<disabled>yes</disabled>
...
</active-response>
If you have multiple agents in which you want to disable certain modules I recommend you to use a centralized configuration. In order to do that follow this documentation page https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
If you have any doubt do not hesitate to ask
Adebabay Gelaw
Oct 21, 2021, 4:10:20 AM10/21/21
to Wazuh mailing list
Thanks a lot !
And how to remove unwanted modules in Wazuh gui?
victor....@wazuh.com
Oct 21, 2021, 6:13:44 AM10/21/21
to Wazuh mailing list
You need to go to Management > Configuration and select Edit configuration.
Now, you can edit your manager ossec.conf configuration file. Remember that every change in the Wazuh configuration requires saving the file and restarting the manager.
Adebabay Gelaw
Oct 26, 2021, 4:39:22 AM10/26/21
to Wazuh mailing list
In this we can disable the function , but am trying to say is how to remove some modules from in kibana GUI ???
victor....@wazuh.com
Oct 28, 2021, 12:22:48 PM10/28/21
to Wazuh mailing list
Sorry for the late reply.
The visibility of some UI modules can be configured through the Settings > Modules menu. The other modules can not be disabled without changing the code of the app.
The visibility of some UI modules can be configured through the Settings > Modules menu. The other modules can not be disabled without changing the code of the app.
Naveed Ahmed
Sep 19, 2022, 2:41:33 AM9/19/22
to Wazuh mailing list
Hi Team,
I have setup Wazuh on docker and I noticed some module were disabled like AWS etc, once I restarted docker.
Can anyone please help on how to keep modules enabled even when I stop and start docker.
I have setup Wazuh on docker and I noticed some module were disabled like AWS etc, once I restarted docker.
Can anyone please help on how to keep modules enabled even when I stop and start docker.
João Paulo Bittencourt
Jun 19, 2024, 4:12:28 PM6/19/24
to Wazuh | Mailing List
The new version 4.8 no have the option modules for DISABLE and ENABLE ?
João Paulo Bittencourt
Jul 18, 2024, 9:19:36 AM7/18/24
to Wazuh | Mailing List
Does anyone have an answer for this? Or has this function really been removed?
Reply all
Reply to author
Forward
0 new messages