Metadata-Version: 2.1
Name: datadog-wazuh
Version: 1.2.0
Summary: The wazuh check
Project-URL: Source, https://github.com/DataDog/integrations-core
Author-email: Datadog <packages@datadoghq.com>
Keywords: datadog,datadog agent,datadog check,wazuh
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: BSD License
Classifier: Private :: Do Not Upload
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: System :: Monitoring
Requires-Dist: datadog-checks-base>=37.21.0
Provides-Extra: deps
Description-Content-Type: text/markdown

# Agent Integration: wazuh

## Overview

[Wazuh][3] provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection.

This integration parses the following types of logs:
- **vulnerability-detector**: Vulnerability events generated by Wazuh.
- **malware-detector**: Rootcheck events generated by Wazuh for detecting malware on the system.
- **file-integrity-monitoring**: Events related to file changes such as permissions, content, ownership, and attributes.
- **docker**: Activity events from Docker containers.
- **github**: Events from GitHub organization audit logs.
- **google-cloud**: Security events related to Google Cloud Platform services.
- **amazon**: Security events from Amazon AWS services.
- **office365**: Security events related to Office 365.
- **system**: Events from services such as FTPD, PAM, SSHD, syslog, Windows, dpkg, yum, sudo, su, wazuh, and ossec, along with internal events.

Visualize detailed insights into these logs through the out-of-the-box dashboards.

**Minimum Agent version:** 7.61.0

## Setup

### Installation

To install the Wazuh integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management][4] documentation.

**Note**: This step is not necessary for Agent version >= 7.58.0.

Linux command:

```shell
sudo -u dd-agent -- datadog-agent integration install datadog-wazuh==1.0.0
```

### Configuration

#### Logs collection

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:

    ```yaml
    logs_enabled: true
    ```
2. Add this configuration block to your `wazuh.d/conf.yaml` file to start collecting your logs.

    Use the UDP method to collect Wazuh alert data.
    See the sample [wazuh.d/conf.yaml][6] for available configuration options.

    ```yaml
    logs:
      - type: udp
        port: <PORT>
        source: wazuh
        service: wazuh
    ```
    **Note**: It is recommended not to change the service and source values, as these parameters are integral to the pipeline's operation.

3. [Restart the Agent][2].

#### Configure syslog message forwarding from Wazuh

  1. Log in to the Wazuh UI and open the left-side menu.
  2. Go to **Server management** > **Settings**.
  3. Click on **Edit configuration**.
  4. Add the following configuration block:

      In this example, all alerts are sent to 1.1.1.1 on port 8080 in JSON format.
      ```xml
        <syslog_output>
          <server>1.1.1.1</server>
          <port>8080</port>
          <format>json</format>
        </syslog_output>
      ```

      * The `server` tag should contain the IP address where your Datadog Agent is running.

      * The `port` tag should contain the port where your Datadog Agent is listening.

      **Note**: The JSON format is required, because the Wazuh pipeline parses JSON-formatted logs only.
  5. Click the **Save** button.
  6. After saving, click on the **Restart Manager** button.
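
Before pointing the Agent at the port, it helps to confirm that the manager really delivers JSON alerts there. The following receiver is an added example, not part of this integration's code: it binds the UDP port (with the Agent stopped), extracts the JSON object from each datagram, and counts alerts by their first `rule.groups` entry, which is how the event types above are distinguished. It assumes each alert is either a bare JSON object or a syslog header followed by one, and that every Wazuh alert carries a top-level `rule` object; the sample datagrams are constructed.

```python
import json
import socket
from collections import Counter

# Constructed sample datagrams; none were captured from a real Wazuh manager.
SAMPLE_DATAGRAMS = [
    # bare JSON alert, as <format>json</format> is expected to deliver it
    b'{"timestamp":"2024-01-01T00:00:00+0000","rule":{"level":10,"description":"CVE detected","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"web-01"}}',
    # JSON alert behind a syslog header (assumed layout, handled just in case)
    b'<132>Jan  1 00:00:01 wazuh ossec: {"timestamp":"2024-01-01T00:00:01+0000","rule":{"level":7,"description":"Integrity checksum changed.","groups":["syscheck"]},"agent":{"id":"002","name":"db-01"}}',
    # plain-text alert (non-JSON format): the pipeline cannot parse this
    b'Jan  1 00:00:02 wazuh ossec: Alert Level: 3; - sshd: authentication success',
]


def extract_alert(datagram: bytes):
    """Return the alert dict in a datagram, or None when the pipeline could not parse it.

    Accepts a bare JSON object or (assumption) a syslog header followed by one,
    and requires the top-level "rule" object that Wazuh alerts carry.
    """
    text = datagram.decode("utf-8", errors="replace")
    start = text.find("{")
    if start < 0:
        return None
    try:
        alert = json.loads(text[start:])
    except json.JSONDecodeError:
        return None
    return alert if isinstance(alert, dict) and isinstance(alert.get("rule"), dict) else None


def summarize(datagrams) -> dict:
    """Count parseable alerts by first rule group, plus payloads that would be dropped."""
    summary = Counter()
    for dgram in datagrams:
        alert = extract_alert(dgram)
        if alert is None:
            summary["rejected-not-json"] += 1
            continue
        groups = alert["rule"].get("groups") or ["no-group"]
        summary[groups[0]] += 1
    return dict(summary)


def capture(port: int, count: int, host: str = "0.0.0.0") -> list:
    """Receive `count` datagrams on the Agent's UDP port; stop the Agent first so the port is free."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        return [sock.recvfrom(65535)[0] for _ in range(count)]


if __name__ == "__main__":
    print(summarize(SAMPLE_DATAGRAMS))  # on a live host: summarize(capture(<PORT>, 20))
```

A non-zero `rejected-not-json` count with a live capture means the manager is still sending the default text format, so the `<format>json</format>` setting has not taken effect.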


### Validation

[Run the Agent's status subcommand][5] and look for `wazuh` under the Checks section.

## Data Collected

### Logs

| Format     | Event Types    |
| ---------  | -------------- |
| JSON       | vulnerability-detector, file-integrity-monitoring, malware-detector, github, docker, amazon, office365, google-cloud, system, and other |

### Metrics

The Wazuh integration does not include any metrics.

### Events

The Wazuh integration does not include any events.

### Service Checks

The Wazuh integration does not include any service checks.

## Troubleshooting

**Permission denied while port binding:**

If you see a **Permission denied** error while port binding in the Agent logs:

1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command:
    ```shell
    sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
    ```

2. Verify the setup is correct by running the `getcap` command:

    ```shell
    sudo getcap /opt/datadog-agent/bin/agent/agent
    ```

    With the expected output:

    ```shell
    /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
    ```

    **Note**: Re-run this `setcap` command every time you upgrade the Agent.

3. [Restart the Agent][2].

Here is how to troubleshoot some possible issues.

**Data is not being collected:**

If a firewall is enabled, ensure it allows inbound UDP traffic on the configured port.

**Port already in use:**

If you see the **Port <PORT_NUMBER> Already in Use** error, see the following instructions. The example below is for port 514:

- On systems using Syslog, if the Agent listens for Wazuh logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. This error occurs because Syslog listens on port 514 by default. To resolve it, take **one** of the following steps:
    - Disable Syslog.
    - Configure the Agent to listen on a different, available port.


For further assistance, contact [Datadog support][1].

[1]: https://docs.datadoghq.com/help/
[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
[3]: https://wazuh.com/
[4]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install
[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
[6]: https://github.com/DataDog/integrations-core/blob/master/wazuh/datadog_checks/wazuh/data/conf.yaml.example
