localfile command vs wodle command

[Andréw Hüang]

Hello All,

Can someone explain the difference between specifying remote commands in localfile and using wodle? I see wodle has more options but having trouble understanding how one would use one vs the other. Thank you in advance.

[Leonardo Daniel Sancho]

Hello  Andréw Hüang, thanks for choosing Wazuh!

Regarding remote commands, the Wodle is the one that contains the configuration options, such as which command to execute, the frequency of execution, etc. You can read more about remote commands by visiting this link:

• https://wazuh.com/blog/scheduling-remote-commands-for-wazuh-agents/

The localfile section is used to configure the collection of log data from files, Windows events, and the output of commands. You can read more about it by visiting these links:

• https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
  
• https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/how-it-works.html

Once the output of the command is captured, then it can be used by leveraging custom rules and decoders to generate a security event.

Should you have further questions, let us know!

Have a great day!

[Andréw Hüang]

Thank you for your response. I see wodle command can also monitor and set up alert based on the output, is there any use case where using localfile command is more suitable?

[Leonardo Daniel Sancho]

Hello  Andréw Hüang, the Wodle provides you with more options than localfile, and localfile is more used in cases where you're interested in receiving information from a specific source, although both provide the same functionality, localfile is more simpler than the wodle, but the wodle provides more options to suit your needs.

Have a great day!