Wazuh Agentless Monitoring - SSH-based Auditing
Agentless monitoring in Wazuh enables device and system oversight without installing an agent. Wazuh connects to the endpoint via SSH, performs checks, and sends the results to the server for analysis. This approach is used for monitoring network equipment (routers, switches, firewalls), legacy Unix/BSD systems, and other devices where software installation is impossible or impractical.
How It Works
Agentless monitoring operates as follows:
- The Wazuh server establishes an SSH connection to the target device
- Executes the specified check (file checksums, command output)
- Compares the result with the previous one (when using periodic_diff)
- Passes the data to the analysis engine for rule matching
- Generates an alert when changes or anomalies are detected
Agentless monitoring is configured exclusively on the Wazuh server - no additional software needs to be installed on the target devices beyond an SSH server.
Prerequisites
Setting Up SSH Authentication
Agentless monitoring requires SSH key-based authentication. Generate a key pair and distribute the public key:
```bash
# Generate key (on the Wazuh server)
sudo -u wazuh ssh-keygen -t ed25519 -f /var/ossec/.ssh/id_ed25519 -N ""
# Copy the public key to the target device
sudo -u wazuh ssh-copy-id -i /var/ossec/.ssh/id_ed25519.pub admin@192.168.1.1
```
Registering the Host
Register the device for agentless monitoring:
```bash
/var/ossec/agentless/register_host.sh add admin@192.168.1.1 NOPASS
```
The NOPASS parameter indicates key-based authentication. When using a password, specify it instead of NOPASS.
Enabling Agentless Monitoring
Enable the module in ossec.conf on the Wazuh server:
```xml
<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>3600</frequency>
  <host>admin@192.168.1.1</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/bin /usr/sbin</arguments>
</agentless>
```
Configuration
Agentless Block Structure
```xml
<agentless>
  <type>check_type</type>
  <frequency>seconds</frequency>
  <host>user@hostname</host>
  <state>periodic|periodic_diff</state>
  <arguments>arguments</arguments>
</agentless>
```
Configuration Parameters
| Parameter | Description |
|---|---|
| type | Check type (see supported types below) |
| frequency | Interval between checks, in seconds |
| host | Credentials and address: user@hostname |
| state | Analysis mode: periodic or periodic_diff |
| arguments | Check arguments (paths, commands) |
The state Parameter
- periodic - check results are analyzed by rules on each execution
- periodic_diff - the current result is compared with the previous one, and an alert is generated when differences are found
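As an added check that is not part of Wazuh, the script below parses the `<agentless>` blocks of an ossec.conf fragment, validates each one against the parameter table (supported type, numeric frequency, host format, state, presence of arguments) and totals the SSH connections per hour each device would receive, which is the server-load concern raised under Limitations. The configuration sample inside it is constructed for illustration.

```python
"""Sanity-check <agentless> blocks from ossec.conf and add up SSH load per device.
Added example, not Wazuh code; the sample configuration is constructed and the
checks follow the parameter table above (type, frequency, host, state, arguments)."""
import re
import xml.etree.ElementTree as ET
SUPPORTED_TYPES = {"ssh_integrity_check_linux", "ssh_integrity_check_bsd",
                   "ssh_generic_diff", "ssh_pixconfig_diff"}
VALID_STATES = {"periodic", "periodic_diff"}
HOST_RE = re.compile(r"^(?:[^:@\s]+:)?[^:@\s]+@[^@\s]+$")  # [enable_password:]user@host

def validate_block(block):
    problems = []  # one human-readable line per violated rule
    kind = block.findtext("type", "").strip()
    if kind not in SUPPORTED_TYPES:
        problems.append(f"unsupported type '{kind}'")
    freq = block.findtext("frequency", "").strip()
    if not freq.isdigit() or int(freq) == 0:
        problems.append(f"frequency must be a positive number of seconds, got '{freq}'")
    host = block.findtext("host", "").strip()
    if not HOST_RE.match(host):
        problems.append(f"host '{host}' is not [enable_password:]user@hostname")
    elif kind == "ssh_pixconfig_diff" and ":" not in host:
        problems.append("ssh_pixconfig_diff needs enable_password:user@host")
    state = block.findtext("state", "").strip()
    if state not in VALID_STATES:
        problems.append(f"state must be periodic or periodic_diff, got '{state}'")
    if kind != "ssh_pixconfig_diff" and not block.findtext("arguments", "").strip():
        problems.append(f"{kind} requires <arguments>")
    return problems

def analyse(conf_xml):
    """Validate every block and total SSH connections per hour for the valid ones."""
    report = {"problems": {}, "connections_per_hour": {}}
    load = report["connections_per_hour"]
    for idx, block in enumerate(ET.fromstring(conf_xml).iter("agentless")):
        problems = validate_block(block)
        if problems:
            report["problems"][idx] = problems
            continue
        target = block.findtext("host").strip().split(":", 1)[-1]  # drop enable password
        load[target] = load.get(target, 0.0) + 3600 / int(block.findtext("frequency"))
    return report

SAMPLE_CONF = """<ossec_config>
<agentless><type>ssh_generic_diff</type><frequency>1800</frequency><host>admin@router-01.local</host><state>periodic_diff</state><arguments>show running-config</arguments></agentless>
<agentless><type>ssh_generic_diff</type><frequency>600</frequency><host>admin@router-01.local</host><state>periodic_diff</state><arguments>show ip route</arguments></agentless>
<agentless><type>ssh_pixconfig_diff</type><frequency>3600</frequency><host>enable_password:admin@10.0.0.1</host><state>periodic_diff</state></agentless>
<agentless><type>ssh_generic_dif</type><frequency>fast</frequency><host>admin@switch-01.local</host><state>diff</state><arguments>show interfaces status</arguments></agentless>
</ossec_config>"""
```

Running `analyse(SAMPLE_CONF)` reports three problems for the fourth block (misspelled type, non-numeric frequency, invalid state) and eight SSH connections per hour against router-01.local, which is the figure to keep in mind when staggering checks.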
Supported Check Types
ssh_integrity_check_linux
File integrity checking on Linux systems. Computes MD5 checksums for specified files and directories.
```xml
<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>3600</frequency>
  <host>admin@10.0.0.10</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/bin /usr/sbin</arguments>
</agentless>
```
In periodic_diff mode, Wazuh generates an alert when the checksum of any file in the specified directories changes.
ssh_integrity_check_bsd
An equivalent check for BSD systems (FreeBSD, OpenBSD, NetBSD). Uses commands compatible with BSD utilities.
```xml
<agentless>
  <type>ssh_integrity_check_bsd</type>
  <frequency>3600</frequency>
  <host>admin@10.0.0.20</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/local/bin</arguments>
</agentless>
```
ssh_generic_diff
Executes an arbitrary command on the remote device and tracks changes in the output. This is the most flexible check type.
```xml
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>1800</frequency>
  <host>admin@10.0.0.30</host>
  <state>periodic_diff</state>
  <arguments>netstat -tulnp</arguments>
</agentless>
```
Additional examples:
```xml
<!-- Routing table monitoring -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>600</frequency>
  <host>admin@router-core.local</host>
  <state>periodic_diff</state>
  <arguments>ip route show</arguments>
</agentless>
<!-- ARP table monitoring -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>300</frequency>
  <host>admin@switch-access.local</host>
  <state>periodic_diff</state>
  <arguments>arp -a</arguments>
</agentless>
<!-- User monitoring -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>3600</frequency>
  <host>admin@legacy-unix.local</host>
  <state>periodic_diff</state>
  <arguments>cat /etc/passwd</arguments>
</agentless>
```
ssh_pixconfig_diff
A specialized check for Cisco PIX/ASA routers. Tracks changes in the device configuration.
```xml
<agentless>
  <type>ssh_pixconfig_diff</type>
  <frequency>3600</frequency>
  <host>enable_password:admin@10.0.0.1</host>
  <state>periodic_diff</state>
</agentless>
```
For Cisco devices, the host format includes the enable password before the username: enable_password:user@host.
Practical Use Cases
Monitoring Routers
Tracking configuration changes and routing tables on network routers:
```xml
<!-- Router configuration -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>1800</frequency>
  <host>admin@router-01.local</host>
  <state>periodic_diff</state>
  <arguments>show running-config</arguments>
</agentless>
<!-- Routing table -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>600</frequency>
  <host>admin@router-01.local</host>
  <state>periodic_diff</state>
  <arguments>show ip route</arguments>
</agentless>
```
Monitoring Switches
```xml
<!-- Port status -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>900</frequency>
  <host>admin@switch-01.local</host>
  <state>periodic_diff</state>
  <arguments>show interfaces status</arguments>
</agentless>
<!-- MAC address table -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>300</frequency>
  <host>admin@switch-01.local</host>
  <state>periodic_diff</state>
  <arguments>show mac address-table</arguments>
</agentless>
```
Monitoring Legacy Unix Systems
For systems where agent installation is not feasible (outdated OS versions, limited resources):
```xml
<!-- System file integrity check -->
<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>7200</frequency>
  <host>root@legacy-solaris.local</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/local/etc</arguments>
</agentless>
<!-- Running process monitoring -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>600</frequency>
  <host>root@legacy-solaris.local</host>
  <state>periodic_diff</state>
  <arguments>ps -ef</arguments>
</agentless>
<!-- Crontab monitoring -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>3600</frequency>
  <host>root@legacy-solaris.local</host>
  <state>periodic_diff</state>
  <arguments>crontab -l 2>/dev/null; cat /etc/crontab</arguments>
</agentless>
```
Monitoring Firewalls
```xml
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>1800</frequency>
  <host>admin@firewall.local</host>
  <state>periodic_diff</state>
  <arguments>iptables -L -n</arguments>
</agentless>
```
Monitoring Multiple Devices
A separate <agentless> block is created for each device. Multiple checks for a single device are also supported:
```xml
<!-- Device 1: router -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>1800</frequency>
  <host>admin@10.0.0.1</host>
  <state>periodic_diff</state>
  <arguments>show running-config</arguments>
</agentless>
<!-- Device 2: switch -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>900</frequency>
  <host>admin@10.0.0.2</host>
  <state>periodic_diff</state>
  <arguments>show interfaces status</arguments>
</agentless>
<!-- Device 3: Linux server -->
<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>3600</frequency>
  <host>root@10.0.0.3</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/bin</arguments>
</agentless>
```
Limitations
Agentless monitoring has several limitations compared to the agent-based approach:
| Limitation | Description |
|---|---|
| No real-time monitoring | Checks run only at the configured interval, and that interval cannot be made arbitrarily short |
| No Active Response | Automated response actions cannot be executed |
| No FIM | Integrity monitoring is limited to checksum comparison |
| No Syscollector | System inventory is not available |
| No SCA | Security Configuration Assessment is not available |
| SSH dependency | SSH access and pre-configured keys are required |
| Server load | All SSH connections originate from the Wazuh server |
| Limited scalability | A large number of devices increases server load |
Recommendation: use agent-based monitoring for all systems where it is feasible. Agentless monitoring serves as a fallback for devices that do not support agent installation.
More about agent capabilities: Installing the Wazuh Agent
Troubleshooting
SSH Connection Cannot Be Established
- Verify network reachability of the device: `ping` and `ssh` from the Wazuh server
- Confirm the SSH key has been copied to the target device
- Check that the `wazuh` user can connect: `sudo -u wazuh ssh admin@device`
- Verify the host is registered: check `/var/ossec/agentless/.passlist`
- Review `/var/ossec/logs/ossec.log` for agentless module errors
Changes Are Not Detected
- Confirm `<state>` is set to `periodic_diff`
- Wait for at least two check cycles to establish a baseline
- Verify the command in `<arguments>` returns the expected output
- For integrity checks, confirm the specified paths exist on the target device
Cisco Authentication Error
- Check the `<host>` format: `enable_password:user@host`
- Verify the enable password is correct
- Confirm SSH is enabled on the Cisco device
- Verify the user has privilege level 15
High Load on the Wazuh Server
- Increase `<frequency>` to reduce how often checks run
- Stagger checks over time to avoid simultaneous connections
- Reduce the number of paths in `<arguments>` for integrity checks
- Consider installing agents on devices where possible
More about architecture: Wazuh Architecture
More about log collection: Wazuh Log Data Collection