Windows Winget Execution & Logs
536 views
Skip to first unread message
Leon Scott
Mar 7, 2023, 10:39:34 AM3/7/23
to Wazuh mailing list
Hello,
Can somebody confirm that this command wodle is correct please?
<wodle name="command">
<disabled>no</disabled>
<tag>winget</tag>
<command>winget -command "upgrade --all --verbose --disable-interactivity --silent --accept-package-agreements --accept-source-agreements"</command>
<interval>48h</interval>
<ignore_output>no</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>
<disabled>no</disabled>
<tag>winget</tag>
<command>winget -command "upgrade --all --verbose --disable-interactivity --silent --accept-package-agreements --accept-source-agreements"</command>
<interval>48h</interval>
<ignore_output>no</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>
I have not entered the logs into Wazuh directory yet, but they should be as follows.
<localfile>
<location>> Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir</location>
<log_format>log</log_format>
</localfile>
<location>> Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir</location>
<log_format>log</log_format>
</localfile>
Please confirm.
Sincerely
Leon
Federico Damian Lo Iacono
Mar 7, 2023, 11:49:28 AM3/7/23
to Wazuh mailing list
Hello Leon, thank you for choosing Wazuh.
The wodle looks correct, but to make sure, you can verify its configuration with /var/ossec/bin/wazuh-modulesd -t. Don't forget that, since remote command execution is disabled by default on agents, you have to change the value of wazuh_command.remote_commands to 1 in every target agent's /var/ossec/etc/local_internal_options.conf file.
Read more about it here: wodle-command: Centralized configuration.
Best regards.
Reply all
Reply to author
Forward
0 new messages