From e6c82f69c5f9ff4d98e7a4f397d90d573b4f626d Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Fri, 3 Oct 2025 15:30:58 -0300 Subject: [PATCH 1/6] Remove OSquery occurrences --- .../deploying-with-ansible/reference.rst | 6 +- .../use-cases/threat-hunting.rst | 2 - source/release-notes/release-3-7-0.rst | 2 +- .../capabilities/system-inventory/index.rst | 1 - .../capabilities/system-inventory/osquery.rst | 267 ------------------ .../reference/centralized-configuration.rst | 1 - .../reference/daemons/wazuh-modulesd.rst | 4 - .../reference/ossec-conf/index.rst | 3 - .../reference/ossec-conf/wodle-osquery.rst | 159 ----------- .../ruleset/ruleset-xml-syntax/rules.rst | 14 - 10 files changed, 4 insertions(+), 455 deletions(-) delete mode 100644 source/user-manual/capabilities/system-inventory/osquery.rst delete mode 100644 source/user-manual/reference/ossec-conf/wodle-osquery.rst diff --git a/source/deployment-options/deploying-with-ansible/reference.rst b/source/deployment-options/deploying-with-ansible/reference.rst index 70d19ad8d2..948259d0a1 100644 --- a/source/deployment-options/deploying-with-ansible/reference.rst +++ b/source/deployment-options/deploying-with-ansible/reference.rst @@ -224,7 +224,7 @@ Wazuh Manager | | **Variable**: ``wazuh_manager_osquery`` -| **Description**: Configures the :doc:`wodle` item named ``osquery`` from ``ossec.conf``. +| **Description**: Configures the wodle item named ``osquery`` from ``ossec.conf``. | **Default values**: .. code-block:: yaml @@ -1039,7 +1039,7 @@ Wazuh Agent | | **Variable**: ``wazuh_agent_osquery`` -| **Description**: Configures the :doc:`wodle` item named ``osquery`` from ``ossec.conf``. +| **Description**: Configures the wodle item named ``osquery`` from ``ossec.conf``. | **Default values**: .. code-block:: yaml 
@@ -1056,7 +1056,7 @@ Wazuh Agent | | **Variable**: ``wazuh_agent_syscollector`` -| **Description**: Configures the :doc:`wodle ` item named ``syscollector`` from ``ossec.conf``. +| **Description**: Configures the wodle item named ``syscollector`` from ``ossec.conf``. | **Default values**: .. code-block:: yaml diff --git a/source/getting-started/use-cases/threat-hunting.rst b/source/getting-started/use-cases/threat-hunting.rst index f82de16704..20a59fa18b 100644 --- a/source/getting-started/use-cases/threat-hunting.rst +++ b/source/getting-started/use-cases/threat-hunting.rst @@ -90,8 +90,6 @@ Some third-party solutions that Wazuh integrates with to aid threat hunting are: - **URLHaus**: `Integrating URLHaus by abuse.ch `__ with Wazuh amplifies threat intelligence capabilities, empowering users to proactively detect and block malicious URLs in real-time. -- **osquery**: Wazuh provides a module for managing the osquery tool from the Wazuh agents. The osquery module allows security analysts to configure and collect information generated by the osquery. It provides an extra layer for threat hunting capabilities such as configuration management, data collection, custom alerts based on osquery query results, and SQL-like syntax queries. - - **MISP**: We can enrich Wazuh alerts by automating identifications of IOCs and integrating MISP with Wazuh. Wazuh integrates with other tools that aid threat hunting beyond the above-mentioned. It supports third-party integrations for threat intelligence platforms, SIEMs, and messaging platforms using APIs and other integration methods. diff --git a/source/release-notes/release-3-7-0.rst b/source/release-notes/release-3-7-0.rst index ea2151799a..abf33eec5d 100644 --- a/source/release-notes/release-3-7-0.rst +++ b/source/release-notes/release-3-7-0.rst 
@@ -156,7 +156,7 @@ The Wazuh app for Kibana includes new features and interface redesigns to make u - Get the current manager/agent configuration on the redesigned tabs. - Added support for multiple groups feature. - The :doc:`Amazon AWS ` tab has been redesigned to include better visualizations and the module configuration. - - The new :doc:`Osquery ` extension shows scans results from this Wazuh module. + - The new Osquery extension shows scans results from this Wazuh module. - Added a new selector to check the cluster nodes’ status and logs on the *Management > Status/Logs* tabs. - Several bugfixes, performance improvements, and compatibility with the latest Elastic Stack version. diff --git a/source/user-manual/capabilities/system-inventory/index.rst b/source/user-manual/capabilities/system-inventory/index.rst index 6678e46563..bc98f1ddbc 100644 --- a/source/user-manual/capabilities/system-inventory/index.rst +++ b/source/user-manual/capabilities/system-inventory/index.rst @@ -27,4 +27,3 @@ Users can generate system inventory reports from the Wazuh dashboard, which can available-inventory-fields compatibility-matrix using-syscollector-information-to-trigger-alerts - osquery \ No newline at end of file diff --git a/source/user-manual/capabilities/system-inventory/osquery.rst b/source/user-manual/capabilities/system-inventory/osquery.rst deleted file mode 100644 index b1d6bf069c..0000000000 --- a/source/user-manual/capabilities/system-inventory/osquery.rst +++ /dev/null 
@@ -1,267 +0,0 @@ -.. Copyright (C) 2015, Wazuh, Inc. - -.. meta:: - :description: Osquery exposes operating system data. Learn how to explore this data with Wazuh in this section of the Wazuh documentation. - -Osquery -======= - -Wazuh module that allows managing the Osquery tool from the Wazuh agents. It allows setting the Osquery configuration and collecting the information generated by Osquery to send it to the manager, generating the corresponding alerts if necessary. - -- `How it works`_ -- `Configuration`_ -- `Alert examples`_ - -How it works ------------- -Osquery can be used to expose an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. - -Below you can see some examples of the queries you can make: - -List all the local users of the machine. - -.. code-block:: sql - - SELECT * FROM users; - -Get the process name, port, and PID, for processes listening on all interfaces. - -.. code-block:: sql - - SELECT DISTINCT processes.name, listening_ports.port, processes.pid - FROM listening_ports JOIN processes USING (pid) - WHERE listening_ports.address = '0.0.0.0'; - -Check the processes that have a deleted executable. - -.. code-block:: sql - - SELECT * FROM processes WHERE on_disk = 0; - -A complete list of all the available tables can be found `here `_. - -Configuration -------------- - -You need a working Osquery installation in your system. See `downloads page `_ for details. - -Red Hat, CentOS and Fedora: - -- For some distributions, you might need to install ``yum-utils`` first. - -.. code-block:: console - - # curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery - # yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo - # yum-config-manager --enable osquery-s3-rpm-repo - # yum install osquery - -Debian and Ubuntu based Linux distributions: - -.. 
code-block:: console - - # export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B - # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY - # add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main' - # apt-get update - # apt-get install osquery - - -Once installed, you will need a configuration file for Osquery. If you don't have any, you can use the following one provided by Osquery: - -.. code-block:: console - - # cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf - -Or you can copy our custom configuration in ``/etc/osquery/osquery.conf``: - -.. code-block:: json - - { - "options": { - "config_plugin": "filesystem", - "logger_plugin": "filesystem", - "utc": "true" - }, - - "schedule": { - "system_info": { - "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;", - "interval": 3600 - }, - "high_load_average": { - "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';", - "interval": 900, - "description": "Report if load charge is over 70 percent." - }, - "low_free_memory": { - "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;", - "interval": 1800, - "description": "Free RAM is under 10%." - } - }, - - "packs": { - "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf", - "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf", - "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf", - "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf", - "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf", - "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf" - } - } - -After this enable and start the osquery Daemon: - -.. 
code-block:: console - - systemctl enable osqueryd - systemctl start osqueryd - -And the osquery module must be enabled for the agents where the osquery is running by adding: - -.. code-block:: xml - - - -To their ``/var/ossec/etc/ossec.conf`` file or through :doc:`centralized configuration ` - -.. note:: - More options may be specified as shown in the :doc:`osquery configuration reference ` - -As you can see in this sample configuration, ``system_info``, ``high_load_average`` and ``low_free_memory`` queries will be executed every hour. - -Furthermore, this configuration uses some default packs such as ``osquery-monitoring``, ``hardware-monitoring`` or ``ossec-rootkit`` among others. You can define your own packs and use them with this wodle. - -Alert examples --------------- -Sample alert in log format: - -.. code-block:: none - :class: output - - ** Alert 1532958886.437707: - osquery, - 2018 Jul 30 13:54:46 manager->osquery - Rule: 24010 (level 3) -> 'osquery data grouped' - {"name":"system_info","hostIdentifier":"manager","calendarTime":"Mon Jul 30 13:54:45 2018 UTC","unixTime":1532958885,"epoch":0,"counter":461,"columns":{"cgroup_namespace":"4026531835","cmdline":"","cwd":"/","disk_bytes_read":"0","disk_bytes_written":"0","egid":"0","euid":"0","gid":"0","ipc_namespace":"4026531839","mnt_namespace":"4026531840","name":"migration/0","net_namespace":"4026531957","nice":"0","on_disk":"-1","parent":"2","path":"","pgroup":"0","pid":"9","pid_namespace":"4026531836","resident_size":"","root":"/","sgid":"0","start_time":"0","state":"S","suid":"0","system_time":"2","threads":"1","total_size":"","uid":"0","user_namespace":"4026531837","user_time":"0","uts_namespace":"4026531838","wired_size":"0"},"action":"added"} - name: system_info - hostIdentifier: manager - calendarTime: Mon Jul 30 13:54:45 2018 UTC - unixTime: 1532958885 - epoch: 0 - counter: 461 - columns.cgroup_namespace: 4026531835 - columns.cmdline: - columns.cwd: / - columns.disk_bytes_read: 0 - 
columns.disk_bytes_written: 0 - columns.egid: 0 - columns.euid: 0 - columns.gid: 0 - columns.ipc_namespace: 4026531839 - columns.mnt_namespace: 4026531840 - columns.name: migration/0 - columns.net_namespace: 4026531957 - columns.nice: 0 - columns.on_disk: -1 - columns.parent: 2 - columns.path: - columns.pgroup: 0 - columns.pid: 9 - columns.pid_namespace: 4026531836 - columns.resident_size: - columns.root: / - columns.sgid: 0 - columns.start_time: 0 - columns.state: S - columns.suid: 0 - columns.system_time: 2 - columns.threads: 1 - columns.total_size: - columns.uid: 0 - columns.user_namespace: 4026531837 - columns.user_time: 0 - columns.uts_namespace: 4026531838 - columns.wired_size: 0 - -And the same alert in ``JSON`` format: - -.. code-block:: json - :class: output - - { - "timestamp": "2018-07-30T13:54:46.476+0000", - "rule": { - "level": 3, - "description": "osquery data grouped", - "id": "24010", - "firedtimes": 207, - "mail": false, - "groups": [ - "osquery" - ] - }, - "agent": { - "id": "000", - "name": "manager" - }, - "manager": { - "name": "manager" - }, - "id": "1532958886.437707", - "full_log": "{\"name\":\"system_info\",\"hostIdentifier\":\"manager\",\"calendarTime\":\"Mon Jul 30 13:54:45 2018 
UTC\",\"unixTime\":1532958885,\"epoch\":0,\"counter\":461,\"columns\":{\"cgroup_namespace\":\"4026531835\",\"cmdline\":\"\",\"cwd\":\"/\",\"disk_bytes_read\":\"0\",\"disk_bytes_written\":\"0\",\"egid\":\"0\",\"euid\":\"0\",\"gid\":\"0\",\"ipc_namespace\":\"4026531839\",\"mnt_namespace\":\"4026531840\",\"name\":\"migration/0\",\"net_namespace\":\"4026531957\",\"nice\":\"0\",\"on_disk\":\"-1\",\"parent\":\"2\",\"path\":\"\",\"pgroup\":\"0\",\"pid\":\"9\",\"pid_namespace\":\"4026531836\",\"resident_size\":\"\",\"root\":\"/\",\"sgid\":\"0\",\"start_time\":\"0\",\"state\":\"S\",\"suid\":\"0\",\"system_time\":\"2\",\"threads\":\"1\",\"total_size\":\"\",\"uid\":\"0\",\"user_namespace\":\"4026531837\",\"user_time\":\"0\",\"uts_namespace\":\"4026531838\",\"wired_size\":\"0\"},\"action\":\"added\"}", - "decoder": { - "name": "json" - }, - "data": { - "action": "added", - "name": "system_info", - "hostIdentifier": "manager", - "calendarTime": "Mon Jul 30 13:54:45 2018 UTC", - "unixTime": "1532958885", - "epoch": "0", - "counter": "461", - "columns": { - "cgroup_namespace": "4026531835", - "cmdline": "", - "cwd": "/", - "disk_bytes_read": "0", - "disk_bytes_written": "0", - "egid": "0", - "euid": "0", - "gid": "0", - "ipc_namespace": "4026531839", - "mnt_namespace": "4026531840", - "name": "migration/0", - "net_namespace": "4026531957", - "nice": "0", - "on_disk": "-1", - "parent": "2", - "path": "", - "pgroup": "0", - "pid": "9", - "pid_namespace": "4026531836", - "resident_size": "", - "root": "/", - "sgid": "0", - "start_time": "0", - "state": "S", - "suid": "0", - "system_time": "2", - "threads": "1", - "total_size": "", - "uid": "0", - "user_namespace": "4026531837", - "user_time": "0", - "uts_namespace": "4026531838", - "wired_size": "0" - } - }, - "predecoder": { - "hostname": "manager" - }, - "location": "osquery" - } - -.. note:: - If more than one report with the same content is received, only one alert will be generated the first time. The rest will be discarded. 
diff --git a/source/user-manual/reference/centralized-configuration.rst b/source/user-manual/reference/centralized-configuration.rst index 88af67964e..bb1c2874f4 100644 --- a/source/user-manual/reference/centralized-configuration.rst +++ b/source/user-manual/reference/centralized-configuration.rst @@ -19,7 +19,6 @@ Agents can be configured remotely by using the ``agent.conf`` file. The followin - :doc:`Security Configuration Assessment <../capabilities/sec-config-assessment/index>` (**sca**) - :doc:`System inventory <../capabilities/system-inventory/index>` (**syscollector**) - :doc:`Avoid events flooding ` (**client_buffer**) -- :doc:`Configure osquery wodle ` (**wodle name="osquery"**) .. note:: When setting up remote commands in the shared agent configuration, **you must enable remote commands for Agent Modules**. This is enabled by adding the following line to the ``/var/ossec/etc/local_internal_options.conf`` file in the agent: diff --git a/source/user-manual/reference/daemons/wazuh-modulesd.rst b/source/user-manual/reference/daemons/wazuh-modulesd.rst index bde525e6e7..01fc7b0890 100644 --- a/source/user-manual/reference/daemons/wazuh-modulesd.rst +++ b/source/user-manual/reference/daemons/wazuh-modulesd.rst @@ -45,10 +45,6 @@ The wazuh-modulesd program manages the Wazuh modules described below. The Vulnerability Detector module detects applications that are known to be vulnerable (affected by a CVE). -.. topic:: Osquery wodle - - The Osquery wodle provides the user with an operating system instrumentation tool that makes low-level operating system analytics and monitoring both efficient and intuitive using SQL-based queries. For more information, read through the documentation for :doc:`osquery integration `. - .. topic:: SCA module The :ref:`SCA module ` allows users to check the system configuration against policy files to determine vulnerabilities and misconfigurations. 
diff --git a/source/user-manual/reference/ossec-conf/index.rst b/source/user-manual/reference/ossec-conf/index.rst index b14f1a02aa..596cf56be0 100644 --- a/source/user-manual/reference/ossec-conf/index.rst +++ b/source/user-manual/reference/ossec-conf/index.rst @@ -107,8 +107,6 @@ Wazuh can be installed in two ways: as a manager by using the "server/manager" i +---------------------------------------------------------------------+------------------------+ | :doc:`wodle name="docker-listener" ` | manager, agent | +---------------------------------------------------------------------+------------------------+ -| :doc:`wodle name="osquery" ` | manager, agent | -+---------------------------------------------------------------------+------------------------+ | :doc:`wodle name="syscollector" ` | manager, agent | +---------------------------------------------------------------------+------------------------+ | :doc:`gcp-pubsub ` | manager, agent | @@ -162,7 +160,6 @@ All of the above sections must be located within the top-level ``` wodle-s3 wodle-syscollector wazuh-db-config - wodle-osquery wodle-docker wodle-azure-logs wodle-agent-key-polling diff --git a/source/user-manual/reference/ossec-conf/wodle-osquery.rst b/source/user-manual/reference/ossec-conf/wodle-osquery.rst deleted file mode 100644 index e04c59d13d..0000000000 --- a/source/user-manual/reference/ossec-conf/wodle-osquery.rst +++ /dev/null 
@@ -1,159 +0,0 @@ -.. Copyright (C) 2015, Wazuh, Inc. - -.. meta:: - :description: Find out the configuration options of the osquery wodle. Learn more about it in this section of the Wazuh documentation. - -.. _wodle-osquery: - -wodle name="osquery" -========================== - -.. topic:: XML section name - - .. code-block:: xml - - - - -Configuration options of the osquery wodle. - -.. warning:: - Osquery is not installed by default. It is an open source software that you have to obtain for using this module. - - -Options -------- - -- `disabled`_ -- `run_daemon`_ -- `bin_path`_ -- `log_path`_ -- `config_path`_ -- `add_labels`_ -- `pack`_ - -+----------------------+-----------------------------+ -| Options | Allowed values | -+======================+=============================+ -| `disabled`_ | yes, no | -+----------------------+-----------------------------+ -| `run_daemon`_ | yes, no | -+----------------------+-----------------------------+ -| `bin_path`_ | Any valid path | -+----------------------+-----------------------------+ -| `log_path`_ | Any valid path | -+----------------------+-----------------------------+ -| `config_path`_ | Any valid path | -+----------------------+-----------------------------+ -| `add_labels`_ | yes, no | -+----------------------+-----------------------------+ -| `pack`_ | Any available pack | -+----------------------+-----------------------------+ - - -disabled -^^^^^^^^ - -Disable the osquery wodle. - -+--------------------+---------+ -| **Default value** | no | -+--------------------+---------+ -| **Allowed values** | yes, no | -+--------------------+---------+ - -run_daemon -^^^^^^^^^^ - -Makes the module run `osqueryd` as a subprocess or lets the module monitor the results log without running Osquery. 
- -+--------------------+---------+ -| **Default value** | yes | -+--------------------+---------+ -| **Allowed values** | yes, no | -+--------------------+---------+ - -bin_path -^^^^^^^^ - -Full path to the folder that contains the `osqueryd` executable. - -+-------------------------------+------------------------------------------------------+ -| **Default value on Linux** | Empty | -+-------------------------------+------------------------------------------------------+ -| **Default value on Windows** | C:\\Program Files\\osquery\\osqueryd | -+-------------------------------+------------------------------------------------------+ -| **Allowed values** | Any valid path | -+-------------------------------+------------------------------------------------------+ - -log_path -^^^^^^^^ - -Full path to the results log written by Osquery. - -+-------------------------------+-------------------------------------------------------+ -| **Default value on Linux** | /var/log/osquery/osqueryd.results.log | -+-------------------------------+-------------------------------------------------------+ -| **Default value on Windows** | C:\\Program Files\\osquery\\log\\osqueryd.results.log | -+-------------------------------+-------------------------------------------------------+ -| **Allowed values** | Any valid path | -+-------------------------------+-------------------------------------------------------+ - -config_path -^^^^^^^^^^^ - -Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running. 
- -+-------------------------------+------------------------------------------------------+ -| **Default value on Linux** | /etc/osquery/osquery.conf | -+-------------------------------+------------------------------------------------------+ -| **Default value on Windows** | C:\\Program Files\\osquery\\osquery.conf | -+-------------------------------+------------------------------------------------------+ -| **Allowed values** | Any valid path | -+-------------------------------+------------------------------------------------------+ - -add_labels -^^^^^^^^^^ - -Add the agent labels defined as decorators. - -+--------------------+---------+ -| **Default value** | yes | -+--------------------+---------+ -| **Allowed values** | yes, no | -+--------------------+---------+ - -pack -^^^^ - -Add a query pack to the configuration. This option can be defined multiple times. - -+--------------------+---------------------------------+ -| **Default value** | Empty | -+--------------------+---------------------------------+ -| **Allowed values** | Path to pack configuration file | -+--------------------+---------------------------------+ - -Attributes: - -+----------+----------------------+ -| **name** | Name for this pack | -| +----------------+-----+ -| | Allowed values | Any | -+----------+----------------+-----+ - - -Example of configuration ------------------------- - -.. code-block:: xml - - - no - yes - /usr/bin - /var/log/osquery/osqueryd.results.log - /etc/osquery/osquery.conf - no - /path/to/custom_pack.conf - diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index 94e46d3bcd..9263596dad 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst 
@@ -1128,23 +1128,9 @@ The following components use a static location: +----------------------+------------------------+ | Docker integration | Wazuh-Docker | +----------------------+------------------------+ -| Osquery integration | osquery | -+----------------------+------------------------+ | SCA module | sca | +----------------------+------------------------+ -Example: - -.. code-block:: xml - :emphasize-lines: 2 - - - osquery$ - osquery message - - -This rule groups logs that come from the ``osquery`` location. - The attributes below are optional. +-------------+-----------------------------------------+-------------+---------------+ From 3dcc558ee6d30bb268f37d99ef622af91b2d0cbb Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 13 Nov 2025 16:33:31 -0300 Subject: [PATCH 2/6] Remove OpenSCAP references --- source/development/message-format.rst | 10 +++++----- source/user-manual/reference/tools/agent-upgrade.rst | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/source/development/message-format.rst b/source/development/message-format.rst index 1d0ef7d9df..47b119642a 100644 --- a/source/development/message-format.rst +++ b/source/development/message-format.rst @@ -69,14 +69,14 @@ Queue The most common queue types are: - **1** Local file log, including Syslog messages, Windows event logs, outputs from commands, OpenSCAP results and custom logs. - + **1** Local file log, including Syslog messages, Windows event logs, outputs from commands, and custom logs. + **2** Remote Syslog messages, received by the Syslog server at *Remote daemon*. - + **4** Secure messages. They are events from *Remote daemon* to *Analysis daemon*, that contain a standard OSSEC message plus the source agent ID. - + **8** Syscheck event. *Analysis daemon* parses it using the Syscheck decoder. - + **9** Rootcheck event. *Analysis daemon* parses it using the Rootcheck decoder. **Location** 
diff --git a/source/user-manual/reference/tools/agent-upgrade.rst b/source/user-manual/reference/tools/agent-upgrade.rst index 221b84ffec..3e44d13530 100644 --- a/source/user-manual/reference/tools/agent-upgrade.rst +++ b/source/user-manual/reference/tools/agent-upgrade.rst @@ -108,7 +108,7 @@ Examples .. code-block:: console - # /var/ossec/bin/agent_upgrade -a 002 -d -f /root/upgrade_openscap_debian.wpk -x install.sh + # /var/ossec/bin/agent_upgrade -a 002 -d -f /root/wazuh-agent_v|WAZUH_CURRENT|_debian.wpk -x install.sh .. code-block:: none :class: output From 2636aa4a7739d84b1d52a7be42101591530bf9b0 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Wed, 19 Nov 2025 16:50:08 -0300 Subject: [PATCH 3/6] {WiP} Wazuh agent clean-up --- .../deploying-with-ansible/reference.rst | 39 ------------- .../wazuh-puppet-module/index.rst | 2 - .../wazuh-agent-class.rst | 58 +------------------ 3 files changed, 1 insertion(+), 98 deletions(-) diff --git a/source/deployment-options/deploying-with-ansible/reference.rst b/source/deployment-options/deploying-with-ansible/reference.rst index 948259d0a1..1116fb7f83 100644 --- a/source/deployment-options/deploying-with-ansible/reference.rst +++ b/source/deployment-options/deploying-with-ansible/reference.rst 
@@ -942,24 +942,6 @@ Wazuh Agent .. code-block:: yaml wazuh_profile: "ubuntu, ubuntu18" - -| -| **Variable**: ``wazuh_agent_authd`` -| **Description**: Set the agent-authd facility. This will enable or not the automatic agent registration, you could set various options in accordance with the authd service configured in the Wazuh Manager. This Ansible role will use the address defined on ``registration_address`` as the authd registration server. -| **Example**: - -.. code-block:: yaml - - wazuh_agent_authd: - registration_address: 10.1.1.12 - enable: false - port: 1515 - agent_name: null - groups: [] - ssl_agent_ca: null - ssl_agent_cert: null - ssl_agent_key: null - ssl_auto_negotiate: 'no' | | **Variable**: ``wazuh_auto_restart`` @@ -988,8 +970,6 @@ Wazuh Agent download_dir: C:\ install_dir: C:\Program Files\ossec-agent\ install_dir_x86: C:\Program Files (x86)\ossec-agent\ - auth_path: C:\Program Files\ossec-agent\agent-auth.exe - auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_sha512: True | @@ -1037,23 +1017,6 @@ Wazuh Agent wazuh_agent_rootcheck: frequency: 43200 -| -| **Variable**: ``wazuh_agent_osquery`` -| **Description**: Configures the wodle item named ``osquery`` from ``ossec.conf``. -| **Default values**: - -.. code-block:: yaml - - wazuh_agent_osquery: - disable: 'yes' - run_daemon: 'yes' - bin_path_win: 'C:\Program Files\osquery\osqueryd' - log_path: '/var/log/osquery/osqueryd.results.log' - log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log' - config_path: '/etc/osquery/osquery.conf' - config_path_win: 'C:\Program Files\osquery\osquery.conf' - add_labels: 'yes' - | | **Variable**: ``wazuh_agent_syscollector`` | **Description**: Configures the wodle item named ``syscollector`` from ``ossec.conf``. 
@@ -1299,10 +1262,8 @@ Wazuh Agent rootcheck: '{{ wazuh_agent_rootcheck }}' - osquery: '{{ wazuh_agent_osquery }}' syscollector: '{{ wazuh_agent_syscollector }}' sca: '{{ wazuh_agent_sca }}' - cis_cat: '{{ wazuh_agent_cis_cat }}' localfiles: '{{ wazuh_agent_localfiles }}' labels: '{{ wazuh_agent_labels }}' diff --git a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst index ba685ce47a..91f6f9bb13 100644 --- a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst +++ b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst @@ -422,8 +422,6 @@ Reference Wazuh puppet | | | | | | :ref:`Syscheck ` | | | | | | -| | :ref:`Wodle osquery ` | | -| | | | | | :ref:`Wodle Syscollector ` | | | | | | | | :ref:`Misc ` | | diff --git a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-agent-class.rst b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-agent-class.rst index 8e89d98ae0..54c432c44b 100644 --- a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-agent-class.rst +++ b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-agent-class.rst @@ -196,7 +196,7 @@ $wazuh_reporting_endpoint `Type String` $wazuh_register_endpoint - Specifies the IP address or the hostname of the Wazuh manager to register against. It is used to run the **agent-auth** tool. + Specifies the IP address or the hostname of the Wazuh manager to register against. `Type String` 
@@ -742,53 +742,6 @@ $ossec_syscheck_skip_nfs `Type String` -.. _ref_agent_vars_wodle_osquery: - -Wodle osquery variables ------------------------ - -$configure_wodle_osquery - Enables the Wodle osquery section rendering on this host. If this variable is not set to ‘true’, the complete *osquery wodle tag* will not be added to *ossec.conf*. - - `Default true` - - `Type String` - -$wodle_osquery_disabled - Disable the osquery wodle. - - `Default yes` - - `Type String` - -$wodle_osquery_run_daemon - Make the module run osqueryd as a subprocess or let the module monitor the results log without running Osquery. - - `Default yes` - - `Type String` - -$wodle_osquery_log_path - Full path to the results log written by Osquery. - - `Default '/var/log/osquery/osqueryd.results.log'` - - `Type String` - -$wodle_osquery_config_path - Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running. - - `Default '/etc/osquery/osquery.conf'` - - `Type String` - -$wodle_osquery_add_labels - Add the agent labels defined as decorators. - - `Default yes` - - `Type String` - .. _ref_agent_vars_wodle_syscollector: Wodle Syscollector @@ -945,12 +898,3 @@ $manage_client_keys `Default yes` `Type String` - -$agent_auth_password - Define password for agent-auth - - `Default undef` - - `Type String` - -.. _ref_agent_addlog: From c9a22dbca2a3a0f9632533797151381bed362fb7 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 18 Dec 2025 15:42:36 -0300 Subject: [PATCH 4/6] Remove Osquery references from Wazuh Puppet documentation --- .../deploying-with-ansible/reference.rst | 14 -------- .../wazuh-puppet-module/index.rst | 2 -- .../wazuh-manager-class.rst | 34 ------------------- 3 files changed, 50 deletions(-) diff --git a/source/deployment-options/deploying-with-ansible/reference.rst b/source/deployment-options/deploying-with-ansible/reference.rst index c5bc2eda95..c5e54e886e 100644 
--- a/source/deployment-options/deploying-with-ansible/reference.rst +++ b/source/deployment-options/deploying-with-ansible/reference.rst @@ -222,20 +222,6 @@ Wazuh Manager wazuh_manager_rootcheck: frequency: 43200 -| -| **Variable**: ``wazuh_manager_osquery`` -| **Description**: Configures the wodle item named ``osquery`` from ``ossec.conf``. -| **Default values**: - -.. code-block:: yaml - - wazuh_manager_osquery: - disable: 'yes' - run_daemon: 'yes' - log_path: '/var/log/osquery/osqueryd.results.log' - config_path: '/etc/osquery/osquery.conf' - ad_labels: 'yes' - | | **Variable**: ``wazuh_manager_syscollector`` | **Description**: Configures the :doc:`wodle ` item named ``syscollector`` from ``ossec.conf``. diff --git a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst index fd4d01b156..44eb450940 100644 --- a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst +++ b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.rst @@ -485,8 +485,6 @@ Wazuh Puppet module reference | | | | | | :ref:`Wazuh API ` | | | | | | -| | :ref:`Wodle osquery ` | | -| | | | | | :ref:`Wodle Syscollector ` | | | | | | | | :ref:`Misc ` | | diff --git a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst index 2dab21658a..85ae049fb4 100644 --- a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst +++ b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst 
@@ -401,40 +401,6 @@ Wazuh API variables +----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+-------------------------------------------+-----------------+ -.. _ref_server_vars_wodle_osquery: - -Wodle osquery variables ------------------------ - -+----------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------+ -| **Parameter** | **Description** | **Default value** | **Data type** | -+==================================+===========================================================================================================================+===============================================+=================+ -| ``$configure_wodle_osquery`` | Enables the Wodle osquery section rendering on this host. If this variable is not set to ``true``, the complete osquery | ``true`` | Boolean | -| | wodle tag will not be added to ``/var/ossec/etc/ossec.conf``. | | | -+----------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------+ -| ``$wodle_osquery_disabled`` | Disable the osquery wodle. | ``yes`` | String | -| | | | | -| | Depends on ``configure_wodle_osquery`` | | | -+----------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------+ -| ``$wodle_osquery_run_daemon`` | Makes the module run osqueryd as a subprocess or lets the module monitor the results log without running Osquery. 
| ``yes`` | String | -| | | | | -| | Depends on ``configure_wodle_osquery`` | | | -+----------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------+ -| ``$wodle_osquery_log_path`` | Full path to the results log written by Osquery. | ``'/var/log/osquery/osqueryd.results.log'`` | String | -| | | | | -| | Depends on ``configure_wodle_osquery`` | | | -+----------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------+ -| ``$wodle_osquery_config_path`` | Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running. | ``'/etc/osquery/osquery.conf'`` | String | -| | | | | -| | Depends on ``configure_wodle_osquery`` | | | -+----------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------+ -| ``$wodle_osquery_add_labels`` | Add the agent labels defined as decorators. | ``yes`` | String | -| | | | | -| | Depends on ``configure_wodle_osquery`` | | | -+----------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------+ - - - .. _ref_server_vars_wodle_syscollector: Wodle Syscollector variables From e04be9d3883abd6ef42124de0a618d0b810e789a Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 18 Dec 2025 15:46:39 -0300 Subject: [PATCH 5/6] Update 5.0.0 documentation changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ba60a4717..148acd8e48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ All notable changes to this project will be documented in this file. - Removed documentation and references to deprecated CLI tools: `clear_stats`, `update_ruleset`, and `wazuh-regex`. ([#8778](https://github.com/wazuh/wazuh-documentation/pull/8778)) - Removed documentation to deprecated `fluent-forward` tool. ([#8778](https://github.com/wazuh/wazuh-documentation/pull/8778)) - Removed support for legacy operating systems, including Red Hat 5, CentOS 5, Oracle Linux 5, SUSE Linux Enterprise Server 11, AIX, HP-UX, Solaris, Windows XP, Windows Vista, and Windows Server 2003. ([#8894](https://github.com/wazuh/wazuh-documentation/pull/8894)) +- Removed Osquery references as this capability is now deprecated. ([#]()) ## [v4.14.3] From e8f7db8d520daf03bb1f2f3c9dc414dc26f335e9 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 18 Dec 2025 15:49:01 -0300 Subject: [PATCH 6/6] Update redirects.js --- source/_static/js/redirects.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js index 260e003a82..d985289350 100644 --- a/source/_static/js/redirects.js +++ b/source/_static/js/redirects.js @@ -81,6 +81,8 @@ newUrls['5.0'] = [ /* Pages no longer available in 5.0 */ removedUrls['5.0'] = [ + '/user-manual/capabilities/system-inventory/osquery.html', + '/user-manual/reference/ossec-conf/wodle-osquery.html', '/user-manual/reference/daemons/wazuh-agentlessd.html', '/user-manual/reference/daemons/wazuh-csyslogd.html', '/user-manual/reference/daemons/wazuh-dbd.html',
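Review bot: The second reference.rst hunk of PATCH 1 (`@@ -945,12 +898,3 @@ $manage_client_keys`) deletes `$agent_auth_password` together with the `.. _ref_agent_addlog:` label, and neither is osquery-related, so the change goes beyond the "Remove OSquery occurrences" subject. Any `:ref:` to `ref_agent_addlog` elsewhere in the docs will turn into an undefined-label warning once that label is gone. Either restore those nine lines or move them to a separate commit that explains why the agent-auth password variable is being dropped.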
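Review bot: In the PATCH 4 reference.rst hunk (`@@ -222,20 +222,6 @@ Wazuh Manager`) the trailing context line still reads `:doc:`wodle ` item named ``syscollector``, while PATCH 1 rewrote the agent-side `wazuh_agent_syscollector` description to plain "wodle". The manager-side and agent-side syscollector entries should end up in the same form: either drop the `:doc:` role here too, or revert the agent-side change in PATCH 1 if the syscollector wodle page is meant to stay linked.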
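Review bot: The index.rst grid-table hunk in PATCH 4 removes the `:ref:`Wodle osquery `` row and its spacer row, which keeps the table's row structure intact, but the label it pointed to (`ref_server_vars_wodle_osquery`) is removed in the same patch and `ref_agent_vars_wodle_osquery` was removed in PATCH 1. Only one row is deleted here, so confirm the agent-class part of this table has no remaining row for the agent label; a `sphinx-build` run with warnings treated as errors is the quickest way to catch any surviving `:ref:` to either label.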
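Review bot: The wazuh-manager-class.rst hunk (`@@ -401,40 +401,6 @@ Wazuh API variables`) removes the three blank lines that followed the osquery table along with the table itself, so the closing border of the Wazuh API table would sit directly before `.. _ref_server_vars_wodle_syscollector:` unless a blank context line separates them. reStructuredText needs a blank line to terminate a grid table; keep one of the removed blank lines if none remains.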
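Review bot: The new CHANGELOG.md entry ends in an empty link placeholder `([#]())`, whereas the neighbouring entries cite a pull request, for example `([#8894](https://github.com/wazuh/wazuh-documentation/pull/8894))`. Fill in this PR's number and URL before merging so the entry follows the file's convention; the capitalisation "Osquery" also differs from the lowercase "osquery" used in the documentation text removed by PATCH 1, so pick one spelling.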
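Review bot: In the redirects.js hunk the two new `removedUrls['5.0']` entries are inserted ahead of `/user-manual/reference/daemons/wazuh-agentlessd.html`; if this array is kept in path order, `/user-manual/reference/ossec-conf/wodle-osquery.html` belongs after the `daemons` entries. The Ansible and Puppet reference pages that lost their osquery sections still exist, so they correctly need no entry here.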