Create Logs and Alerts when Wazuh Agent is stopped

We are monitoring nearly all of our services using wazuh-manager. What happens when the wazuh-agent is stopped? We have to be notified instantly and create alerts when the wazuh agent stops, because this is something a potential intruder would do quickly.

We cannot rely on wazuh itself to create alerts when the wazuh agent is stopped. We must use a different means that does not depend on the wazuh agent or on SIEM ingestion through port 1514, since shutting the agent down breaks the very connection that reporting relies on. For this tutorial we rely on cron and email to create alerts. That does mean that some type of email relay is required for this to work. In this demo we will just use postfix, which is already installed on our local box.

Creating a script to check for wazuh agent communication

Before we can send alerts when the wazuh agent is stopped, we must constantly check the connection. To do this we will create a script that can be executed on a regular basis.

We need our script to check for a connection to the wazuh manager over port 1514. To do that we can run netstat -au and check its output for the manager's address on port 1514. If the connection does not exist, we want to log the event and send an alert that the wazuh agent is stopped.

Now add the following script

Replace /dir/monagent.sh with directory and name of your choice.

vi /dir/monagent.sh

Paste this into your script

# Look for the agent's socket to the manager (172.x.x.x:1514); grep -q sets the exit status that the if below tests
netstat -au | grep -q "172.x.x.x:1514"; if [ $? -eq 0 ]; then echo "Wazuh-agent healthy";
else echo "`date` Wazuh-agent has been disabled on host! You will not see this message on a reboot or power off" >> /dir/alert; mail -s "Wazuh Agent Stopped" youremail@domain.com < /dir/alert; fi

Here is what you need to change:

172.x.x.x – wazuh manager IP address
/dir/alert – set it to where you want to store your log file
youremail@domain.com – set to your email address
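The same check, written as an added example rather than the post's own script, with two things a practitioner usually wants on top: the agent daemon itself is checked, and mail is sent once per outage instead of on every cron run. The MANAGER, LOG, STATE and MAILTO values are placeholders to replace, and wazuh-agentd is assumed to be the agent's process name.

```shell
#!/bin/sh
# Added example, not the post's own script. Same 1514 check as above, plus:
# the agent daemon must be running, and mail goes out once per outage rather
# than every five minutes. The values below are placeholders to replace.
MANAGER="172.x.x.x"
LOG="/dir/alert"
STATE="/dir/alert.state"        # exists while an outage has already been reported
MAILTO="youremail@domain.com"

# Exit 0 when the netstat output on stdin shows a socket to MANAGER:1514.
# -F treats the dots in the address literally instead of as regex wildcards.
agent_connected() {
    grep -qF "${MANAGER}:1514"
}

# Exit 0 on the first failed check after a healthy one and create the marker;
# exit 1 while the marker exists, so one outage does not mail every 5 minutes.
should_alert() {
    [ -f "$1" ] && return 1
    : > "$1"
}

# Remove the marker once the agent is back, so the next outage alerts again.
mark_healthy() {
    rm -f "$1"
}

main() {
    # wazuh-agentd is the assumed daemon name (older releases used ossec-agentd)
    if netstat -au | agent_connected && pgrep -x wazuh-agentd >/dev/null; then
        echo "Wazuh-agent healthy"
        mark_healthy "$STATE"
    else
        echo "$(date) Wazuh-agent is not connected to ${MANAGER}:1514 on $(hostname)" >> "$LOG"
        if should_alert "$STATE"; then
            mail -s "Wazuh Agent Stopped on $(hostname)" "$MAILTO" < "$LOG"
        fi
    fi
}

# Run the check only when executed as monagent.sh; sourcing the file merely
# defines the functions, which is how the checks can be exercised offline.
case "${0##*/}" in monagent.sh) main ;; esac
```

Save it as /dir/monagent.sh and the cron line from the next section runs it unchanged.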

Now to set the Cron job

Use crontab to create a new reoccurring task.

crontab -e

Now add this line to the bottom to run your script every 5 minutes

Note: Make sure to update with your file location

*/5 * * * * sh /dir/monagent.sh

Testing

Now you can test by stopping the wazuh agent. Wait up to 5 minutes for the next cron run to make sure everything is working properly.

Sample Email Alert

Troubleshooting

You can use this command to see whether the cron job is being executed on schedule

grep CRON /var/log/syslog

If your cron job is running but the script is not working, try running the script manually to get a more detailed error message. While the agent is up, the script should print the "Wazuh-agent healthy" status.

sh /dir/monagent.sh

Want more on wazuh?

Check out my many other wazuh articles!

Check out wazuh official docs
