Create custom commands for Wazuh Agents


Ale De Nocciola

Jul 17, 2023, 9:49:17 AM
to Wazuh mailing list

Hello everybody,

I'm currently using Wazuh 4.4.5 and I'd like to add a custom command on the vuln check, for example.
The thing that I've learned is that Wazuh is based on OSSEC, but I couldn't find how to add something new on the agent, like new scripts, new wodles and so on.

Could somebody help me with including scripts in Wazuh agents, please? I couldn't find anything on the internet or on forums.

Thank you.
Regards

Francisco Tuduri

Jul 17, 2023, 10:22:11 AM
to Wazuh mailing list
Hello Ale!

In order to run scripts on Wazuh agents you can use the Active Response module, which allows you to define a script or command that will be executed on the agent when certain rule-based conditions are met.

You can check more information about Active Response in this document: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html

To run custom scripts on your agents you can check these guides:
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-to-configure.html

Basically, you need to copy your script to each desired agent and then make some changes to the ossec.conf of the manager to configure how and when you want your script to execute.

For example, with this configuration:
<ossec_config>
  <command>
    <name>linux-custom-ar</name>
    <executable>custom-ar.py</executable>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>linux-custom-ar</command>
    <location>local</location>
    <rules_id>503</rules_id>
  </active-response>
</ossec_config>

Whenever rule 503 is tripped, the script custom-ar.py will be executed on the agent that triggered that alert. (The script must be located on the agent.)

You can see the full documentation for these configurations here:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/active-response.html
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/commands.html

Let me know if you need any more help with this.
Regards!

Ale De Nocciola

Jul 17, 2023, 11:02:52 AM
to Wazuh mailing list
Hi Francisco,
Thank you for your reply.

I've considered using the active-response method, but it is triggered only when something happens.
Instead, I've thought about a custom command that is executed in a loop.

For example, I've enabled the wodle for the vuln check, with the configuration that every 1h it runs the script for the vulnerability check. I'd like, if possible, to modify the script for the vulnerability check, adding some custom commands, or create a personal wodle.

Do you think it is possible to do, or is the only way through the active-response?

Thank you.

Regards!

Francisco Tuduri

Jul 17, 2023, 12:24:38 PM
to Wazuh mailing list
Hi,
It is possible to execute an active response on demand by using the API (through the dashboard, command line, or scripts):

- Basic API usage: https://documentation.wazuh.com/current/user-manual/api/index.html
- Active response method: https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Active-response

However, for your use case, it seems like the "command" wodle would be a good fit. Have you considered it? https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-command.html

You can execute a command or script regularly with several scheduling options.

In contrast, to modify the existing wodles you will need to modify the source code.

Do you think the command wodle would be a good option for your use case?

Regards!
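As an added example (not part of the reply above or of the Wazuh documentation), this is what the command wodle Francisco points to looks like for the poster's use case: a custom check script run on the agent every hour, with its output forwarded to the manager as a log event. The script path and the SHA-256 value are placeholders; the agent computes the hash of the executable before each run and refuses to execute it if it does not match, which is the safeguard you want when a command definition is pushed to many agents.

```xml
<ossec_config>
  <!-- Runs a custom check on a schedule, independent of any alert -->
  <wodle name="command">
    <disabled>no</disabled>
    <!-- Label that appears in the forwarded log event; pick one per check -->
    <tag>custom-vuln-check</tag>
    <!-- Path on the agent (placeholder: copy your own script there) -->
    <command>/var/ossec/custom/custom-check.sh</command>
    <!-- Same scheduling granularity as the vulnerability check: every hour -->
    <interval>1h</interval>
    <!-- Run once immediately when the agent starts, then on the interval -->
    <run_on_start>yes</run_on_start>
    <!-- Forward the script's stdout to the manager as a log event -->
    <ignore_output>no</ignore_output>
    <!-- Kill the script if it runs longer than 60 seconds (0 = no limit) -->
    <timeout>60</timeout>
    <!-- Hash of the script file; replace with sha256sum of your script -->
    <verify_sha256>REPLACE_WITH_SHA256_OF_CUSTOM_CHECK_SH</verify_sha256>
    <!-- Keep hash verification on; the executable is refused on mismatch -->
    <skip_verification>no</skip_verification>
  </wodle>
</ossec_config>
```

If this wodle is delivered through the manager's shared agent.conf rather than written into the agent's own ossec.conf, the agent must additionally have `wazuh_command.remote_commands=1` in its local_internal_options.conf, otherwise it ignores commands received from the manager.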

Lenin Castillo

Apr 10, 2025, 2:39:53 PM
to Wazuh | Mailing List
Hello, can I send or share a custom bash script to agents from the manager? As in https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html