We are monitoring nearly all of our services using wazuh-manager. What happens when the wazuh-agent is stopped? We have to be notified instantly and create alerts when wazuh agent. This is something a potential intruder would do quickly.
We cannot rely on wazuh to create alerts when wazuh agent is stopped. We must use a different means that does not rely on wazuh agent or siem ingestion through port 1514. Since shutting the agent down, would break any connection on that report. For this tutorial we rely on cron and email create alets. That does mean that some type of email relay is required for this to work. In this demo we will just use postfix which is already installed on our local box.
Creating a script to check for wazuh agent communication
Before we can send alerts when wazuh agent is stopped, we must constantly check the connection. In order to do this we will need to create a script that can be executed on a regular basis
We need our script to check for a connection to the wazuh manager over port 1514. In order to do that we can run a netstat -au command and verify that the connection exists. If it does not exist, we want to log and send alerts when wazuh agent is stopped.
Now add the following script
/dir/monagent.sh with directory and name of your choice.
Paste this into your script
Here is what you need to change:
172.x.x.x – wazuh manager IP address
/dir/alert – set it to where you want to store your log file
email@example.com – set to your email address
netstat -au | 172.x.x.x:1514 ; if [ $? -eq 0 ]; then echo "Wazuh-agent healthy" ; else echo "`date` Wazuh-agent has been disabled on host! You will not see this message on a reboot or power off" >> /dir/alert| mail -s "Wazuh Agent Stopped" firstname.lastname@example.org < /dir/alert; fi
Now to set the Cron job
crontab to create a new reoccurring task.
Now add this line to the bottom to run your script every 5 minutes
Note: Make sure to update with your file location
*/5 * * * * sh /dir/monagent.sh
Now you can test by using stopping the wazuh agent. You can wait 5 minutes to make sure everything is working properly.
Sample Email Alert
You can use this command to see cronjob is being executed on a schedule
grep CRON /var/log/syslog
If your cron job is running but the script is not working, then try running script manually to give you more detailed error message. Even if the agent is up the sript should return Agent Healthy status