|
6 | 6 | Wazuh agent |
7 | 7 | =========== |
8 | 8 |
|
9 | | -The Wazuh agent runs on Linux, Windows, macOS, Solaris, AIX, and other operating systems. It can be deployed to laptops, desktops, servers, cloud instances, containers, or virtual machines. The agent helps to protect your system by providing threat prevention, detection, and response capabilities. It is also used to collect different types of system and application data that it forwards to the :doc:`Wazuh server <wazuh-server>` through an encrypted and authenticated channel. |
| 9 | +The Wazuh agent runs on Linux, Windows, macOS, Solaris, AIX, and other operating systems. It can be deployed to laptops, desktops, servers, cloud instances, containers, or virtual machines. The Wazuh agent helps to protect your system by providing threat prevention, detection, and response capabilities. It is also used to collect different types of system and application data that it forwards to the :doc:`Wazuh server <wazuh-server>` through an encrypted and authenticated channel. |
10 | 10 |
|
11 | 11 | Agent architecture |
12 | 12 | ------------------ |
13 | 13 |
|
14 | | -The Wazuh agent has a modular architecture. Each component is in charge of its own tasks, including monitoring the file system, reading log messages, collecting inventory data, scanning the system configuration, and looking for malware. Users can manage agent modules via configuration settings, adapting the solution to their particular use cases. |
| 14 | +The Wazuh agent has a modular architecture. Each module is in charge of its own tasks, including monitoring the file system, reading log files, collecting inventory data, scanning the system configuration, and looking for malware. Users can manage agent modules through configuration settings, adapting the solution to their specific use cases. |
15 | 15 |
|
16 | | -The diagram below represents the agent architecture and components: |
| 16 | +The diagram below shows the agent architecture and modules. |
17 | 17 |
|
18 | | -.. thumbnail:: /images/getting-started/agent-architecture.png |
| 18 | +.. thumbnail:: /images/getting-started/agent-architecture.png |
19 | 19 | :title: Agent architecture |
20 | 20 | :alt: Agent architecture |
21 | 21 | :align: center |
22 | | - :width: 80% |
| 22 | + :width: 80% |
23 | 23 |
|
24 | | -.. _agents_modules: |
| 24 | +.. _agents_modules: |
25 | 25 |
|
26 | | -Agent modules |
27 | | -------------- |
| 26 | +Wazuh agent modules |
| 27 | +------------------- |
28 | 28 |
|
29 | | -All agent modules are configurable and perform different security tasks. This modular architecture allows you to enable or disable each component according to your security needs. Below you can learn about the different purposes of all the agent modules. |
| 29 | +All agent modules are configurable and perform different security tasks. This modular architecture allows you to configure each module according to your security needs. The following list summarizes the purposes of the Wazuh agent modules. |
30 | 30 |
|
31 | | -- **Log collector:** This agent component can read flat log files and Windows events, collecting operating system and application log messages. It supports XPath filters for Windows events and recognizes multi-line formats like Linux Audit logs. It can also enrich JSON events with additional metadata. |
| 31 | +- **Log collector:** Reads flat log files and Windows events, collecting operating system and application log messages. It supports XPath filters for Windows events and recognizes multi-line formats like Linux Audit logs. It can also enrich JSON events with additional metadata. |
32 | 32 |
|
33 | | -- **Command execution:** Agents run authorized commands periodically, collecting their output and reporting it back to the Wazuh server for further analysis. You can use this module for different purposes, such as monitoring hard disk space left or getting a list of the last logged-in users. |
| 33 | +- **Command execution:** Runs authorized commands periodically, collecting their output and reporting it back to the Wazuh server for further analysis. You can use this module for different purposes, such as monitoring available disk space or getting a list of recently logged-in users. |
34 | 34 |
|
35 | | -- **File integrity monitoring (FIM):** This module monitors the file system, reporting when files are created, deleted, or modified. It keeps track of changes in file attributes, permissions, ownership, and content. When an event occurs, it captures who, what, and when details in real time. Additionally, the FIM module builds and maintains a database with the state of the monitored files, allowing queries to be run remotely. |
| 35 | +- **File integrity monitoring (FIM):** Monitors the file system, reporting when files are created, deleted, or modified. It keeps track of changes in file attributes, permissions, ownership, and content. When an event occurs, it captures who, what, and when details in real time. |
36 | 36 |
|
37 | | -- **Security configuration assessment (SCA):** This component provides continuous configuration assessment, utilizing out-of-the-box checks based on the Center of Internet Security (CIS) benchmarks. Users can also create their own SCA checks to monitor and enforce their security policies. |
| 37 | +- **Security configuration assessment (SCA):** Provides continuous configuration assessment, utilizing out-of-the-box checks based on the Center of Internet Security (CIS) benchmarks. Users can also create their own SCA checks to monitor and enforce their security policies. |
38 | 38 |
|
39 | | -- **System inventory:** This agent module periodically runs scans, collecting inventory data such as operating system version, network interfaces, running processes, installed applications, and a list of open ports. Scan results are stored in local SQLite databases that can be queried remotely. |
| 39 | +- **System inventory:** Periodically runs scans to collect inventory data such as operating system version, network interfaces, running processes, installed applications, and a list of open ports. Scan results are stored in local SQLite databases that can be queried remotely. |
40 | 40 |
|
41 | | -- **Malware detection:** Using a non-signature-based approach, this component is capable of detecting anomalies and the possible presence of rootkits. Also, it looks for hidden processes, hidden files, and hidden ports while monitoring system calls. |
| 41 | +- **Malware detection:** Uses a non-signature-based approach to detect anomalies and the possible presence of rootkits. It also looks for hidden processes, hidden files, and hidden ports while monitoring system calls. |
42 | 42 |
|
43 | | -- **Active Response:** This module runs automatic actions when threats are detected, triggering responses to block a network connection, stop a running process, or delete a malicious file. Users can also create custom responses when necessary and customize, for example, responses for running a binary in a sandbox, capturing network traffic, and scanning a file with an antivirus. |
| 43 | +- **Active Response:** Runs automatic actions when threats are detected, triggering responses to block a network connection, stop a running process, or delete a malicious file. Users can also create custom responses when required, for example, responses for running a binary in a sandbox, capturing network traffic, and scanning a file with an antivirus. |
44 | 44 |
|
45 | | -- **Container security monitoring:** This agent module is integrated with the Docker Engine API to monitor changes in a containerized environment. For example, it detects changes to container images, network configuration, or data volumes. Besides, it alerts about containers running in privileged mode and about users executing commands in a running container. |
| 45 | +- **Container security monitoring:** Integrates with the Docker Engine API to monitor changes in a containerized environment. For example, it detects changes to container images, network configuration, or data volumes. It alerts about containers running in privileged mode and about users executing commands in a running container. |
46 | 46 |
|
47 | | -- **Cloud security monitoring:** This component monitors cloud providers such as Amazon Web Services, Microsoft Azure, or Google GCP. It natively communicates with their APIs. It is capable of detecting changes to the cloud infrastructure (e.g., a new user is created, a security group is modified, a cloud instance is stopped, etc.) and collecting cloud services log data (e.g., AWS Cloudtrail, AWS Macie, AWS GuardDuty, Azure Active Directory, etc.) |
| 47 | +- **Cloud security monitoring:** Monitors cloud providers such as Amazon Web Services, Microsoft Azure, or Google GCP, communicating natively with their APIs. It detects changes to the cloud infrastructure, for example, when a new user is created, a security group is modified, or a cloud instance is stopped. Additionally, it collects cloud services log data such as AWS CloudTrail, GCP Pub/Sub, and Azure Active Directory. |
48 | 48 |
|
49 | 49 | Communication with Wazuh server |
50 | 50 | ------------------------------- |
51 | 51 |
|
52 | | -The Wazuh agent communicates with the :doc:`Wazuh server <wazuh-server>` to ship collected data and security-related events. Besides, the agent sends operational data, reporting its configuration and status. Once connected, the agent can be upgraded, monitored, and configured remotely from the Wazuh server. |
| 52 | +The Wazuh agent communicates with the :doc:`Wazuh server <wazuh-server>` to ship collected data and security-related events. The Wazuh agent also sends operational data, reporting its configuration and status. Once connected, the agent can be upgraded, monitored, and configured remotely from the Wazuh server. |
53 | 53 |
|
54 | | -The communication of the agent with the server takes place through a secure channel (TCP or UDP), providing data encryption and compression in real time. Additionally, it includes flow control mechanisms to avoid flooding, queueing events when necessary, and protecting the network bandwidth. |
| 54 | +The communication between the Wazuh agent and the Wazuh server takes place through a secure channel (TCP or UDP), providing data encryption and compression in real time. Additionally, it includes flow control mechanisms to avoid flooding, queueing events when necessary, and protecting the network bandwidth. |
55 | 55 |
|
56 | | -You need to enroll the agent before connecting it to the server for the first time. This process provides the agent with a unique key used for authentication and data encryption. |
| 56 | +You need to enroll the Wazuh agent before connecting it to the Wazuh server for the first time. This process provides the agent with a unique key used for authentication and data encryption. |
0 commit comments