Wazuh Versions

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

v4.7.0-rc1

6 months ago

Manager

Added

  • Introduced native Maltiverse integration. Thanks to David Gil (@dgilm). (#18026)
  • Added a file detailing the dependencies for the Wazuh RESTful API and wodles tests. (#16513)
  • Added unit tests for the Syscollector legacy decoder. (#15985)
  • Added unit tests for the manage_agents tool. (#15999)
  • Added an option to customize the Slack integration. (#16090)
  • Added support for Amazon Linux 2023 in Vulnerability Detector. (#17617)

Changed

  • An unnecessary sanity check related to Syscollector has been removed from wazuh-db. (#16008)

Fixed

  • Fixed an unexpected error by the Cluster when a worker gets restarted. (#16683)
  • Fixed an issue that let the manager validate wrong XML configurations. (#16681)
  • Fixed Syscollector package multiarch values. (#19722)
  • Fixed a random wazuh-agent crash when RPCRT4.dll is loaded. (#18591)

Deleted

  • Deleted the unused framework RBAC migration folder. (#17225)

Agent

Added

  • Added support for Custom Logs in Buckets via AWS SQS. (#17951)
  • Added geolocation for aws.data.client_ip field. Thanks to @rh0dy. (#16198)
  • Added package inventory support for Alpine Linux in Syscollector. (#15699)
  • Added package inventory support for MacPorts in Syscollector. (#15877)
  • Added package inventory support for PYPI and node in Syscollector. (#17982)
  • Added related process information to the open ports inventory in Syscollector. (#15000)

Changed

  • The shared modules' code has been sanitized according to the convention. (#17966)
  • The package inventory internal messages have been modified to comply with the schema. (#18006)

Fixed

  • Fixed detection of osquery 5.4.0+ running outside the integration. (#17006)
  • Fixed vendor data in package inventory for Brew packages on macOS. (#16089)
  • Fixed WPK rollback restarting the host in the Windows agent. (#20081)

RESTful API

Added

  • Added new status_code field to GET /agents response. (#19726)

Fixed

  • Addressed error handling for non-utf-8 encoded file readings. (#16489)
  • Resolved an issue in the WazuhException class that disrupted the API executor subprocess. (#16914)
  • Corrected an empty value problem in the API specification key. (#16918)

Deleted

  • Deprecated PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints. In future versions, the Wazuh indexer REST API can be used instead. (#20126)

Other

Fixed

  • Fixed the signature of the internal function OSHash_GetIndex(). (#17040)

v4.6.0

6 months ago

Manager

Added

  • wazuh-authd can now generate X509 certificates. (#13559)
  • Introduced a new CLI to manage features related to the Wazuh API RBAC resources. (#13797)
  • Added support for Amazon Linux 2022 in Vulnerability Detector. (#13034)
  • Added support for Alma Linux in Vulnerability Detector. (#16343)
  • Added support for Debian 12 in Vulnerability Detector. (#18542)
  • Added mechanism in wazuh-db to identify fragmentation and perform vacuum. (#14953)
  • Added an option to set whether the manager should ban newer agents. (#18333)
  • Added mechanism to prevent wazuh agents connections to lower manager versions. (#15661)

Changed

  • wazuh-remoted now checks the size of the files to avoid malformed merged.mg. (#14659)
  • Added a limit option for the Rsync dispatch queue size. (#14024)
  • Added a limit option for the Rsync thread pool. (#14026)
  • wazuh-authd now shows a warning when deprecated forcing options are present in the configuration. (#14549)
  • The agent now notifies the manager when Active Response fails to run netsh. (#14804)
  • Use new broadcast system to send agent groups information from the master node of a cluster. (#13906)
  • Changed cluster send_request method so that timeouts are treated as exceptions and not as responses. (#15220)
  • Refactored methods responsible for file synchronization within the cluster. (#13065)
  • Changed schema constraints for sys_hwinfo table. (#16065)
  • The Auth process no longer starts when the registration password is empty. (#15709)
  • Changed error messages about corrupt GetSecurityInfo messages from FIM to debug logs. (#19400)
  • Changed the default settings for wazuh-db to perform database auto-vacuum more often. (#19956)

Fixed

  • Fixed wazuh-remoted not updating total bytes sent in UDP. (#13979)
  • Fixed translation of packages with a missing version in CPE Helper for Vulnerability Detector. (#14356)
  • Fixed undefined behavior issues in Vulnerability Detector unit tests. (#14174)
  • Fixed permission error when producing FIM alerts. (#14019)
  • Fixed memory leaks wazuh-authd. (#15164)
  • Fixed Audit policy change detection in FIM for Windows. (#14763)
  • Fixed origin_module variable value when sending API or framework messages to core sockets. (#14408)
  • Fixed an issue where an erroneous tag appeared in the cluster logs. (#15715)
  • Fixed log error displayed when there's a duplicate worker node name within a cluster. (#15250)
  • Resolved an issue in the agent_upgrade CLI when used from worker nodes. (#15487)
  • Fixed error in the agent_upgrade CLI when displaying upgrade result. (#18047)
  • Fixed error in which the connection with the cluster was broken in local clients for not sending keepalive messages. (#15277)
  • Fixed error in which exceptions were not correctly handled when dapi_err command could not be sent to peers. (#15298)
  • Fixed error in worker's Integrity sync task when a group folder was deleted in master. (#16257)
  • Fixed error when trying to update an agent through the API or the CLI while pointing to a WPK file. (#16506)
  • Fixed wazuh-remoted high CPU usage in master node without agents. (#15074)
  • Fixed race condition in wazuh-analysisd handling rule ignore option. (#16101)
  • Fixed missing rules and decoders in Analysisd JSON report. (#16000)
  • Fixed translation of packages with missing version in CPE Helper. (#14356)
  • Fixed log date parsing at predecoding stage. (#15826)
  • Fixed permission error in JSON alert. (#14019)

Agent

Added

  • Added GuardDuty Native support to the AWS integration. (#15226)
  • Added --prefix parameter to Azure Storage integration. (#14768)
  • Added validations for empty and invalid values in AWS integration. (#16493)
  • Added new unit tests for GCloud integration and increased coverage to 99%. (#13573)
  • Added new unit tests for Azure Storage integration and increased coverage to 99%. (#14104)
  • Added new unit tests for Docker Listener integration. (#14177)
  • Added support for Microsoft Graph security API. Thanks to Bryce Shurts (@S-Bryce). (#18116)
  • Added wildcard support for Windows Registry entries in FIM. (#15852)
  • Added wildcards support for folders in the localfile configuration on Windows. (#15973)
  • Added new settings ignore and restrict to logcollector. (#14782)
  • Added RSync and DBSync to FIM. (#12745)
  • Added PCRE2 regex for SCA policies. (#17124)
  • Added mechanism to detect policy changes. (#14763)
  • Added support for Office365 MS/Azure Government Community Cloud (GCC) and Government Community Cloud High (GCCH) API. Thanks to Bryce Shurts (@S-Bryce). (#16547)

Changed

  • FIM option fim_check_ignore now applies to files and directories. (#13264)
  • Changed AWS integration to take into account user config found in the .aws/config file. (#16531)
  • Changed the calculation of timestamps in AWS and Azure modules by using UTC timezone. (#14537)
  • Changed the AWS integration to only show the Skipping file with another prefix message in debug mode. (#15009)
  • Changed debug level required to display CloudWatch Logs event messages. (#14999)
  • Changed syscollector database default permissions. (#17447)
  • Changed agent IP lookup algorithm. (#17161)
  • Changed InstallDate origin in Windows installed programs. (#14499)
  • Enhanced clarity of certain error messages in the AWS integration for better exception tracing. (#14524)
  • Improved external integrations SQLite queries. (#13420)
  • Improved items iteration for Config and VPCFlow AWS integrations. (#16325)
  • Unit tests have been added to the shared JSON handling library. (#14784)
  • Unit tests have been added to the shared SQLite handling library. (#14476)
  • Improved command to change user and group from version 4.2.x to 4.x.x. (#15032)
  • Changed the internal value of the open_attemps configuration. (#15647)
  • Reduced the default FIM event throughput to 50 EPS. (#19758)

Fixed

  • Fixed the architecture of the dependency URL for macOS. (#13534)
  • Fixed a path length limitation that prevented FIM from reporting changes on Windows. (#13588)
  • Updated the AWS integration to use the regions specified in the AWS config file when no regions are provided in ossec.conf. (#14993)
  • Corrected the error code #2 for the SIGINT signal within the AWS integration. (#14850)
  • Fixed the discard_regex functionality for the AWS GuardDuty integration. (#14740)
  • Fixed error messages in the AWS integration when there is a ClientError. (#14500)
  • Fixed error that could lead to duplicate logs when using the same dates in the AWS integration. (#14493)
  • Fixed check_bucket method in AWS integration to be able to find logs without a folder in root. (#16116)
  • Added field validation for last_date.json in Azure Storage integration. (#16360)
  • Improved handling of invalid regions given to the VPCFlow AWS integration, enhancing exception clarity. (#15763)
  • Fixed error in the GCloud Subscriber unit tests. (#16070)
  • Fixed the marker that AWS custom integrations uses. (#16410)
  • Fixed error messages when there are no logs to process in the WAF and Server Access AWS integrations. (#16365)
  • Added region validation before instantiating AWS service class in the AWS integration. (#16463)
  • Fixed InstallDate format in Windows installed programs. (#14161)
  • Fixed syscollector default interval time when the configuration is empty. (#15428)
  • Fixed the agent starting up with an invalid FIM configuration. (#16268)
  • Fixed rootcheck scan trying to read deleted files. (#15719)
  • Fixed compilation and build in Gentoo. (#15739)
  • Fixed a crash when FIM scans long paths on Windows. (#19375)
  • Fixed FIM who-data support for aarch64 platforms. (#19378)

Removed

  • Unused option local_ip for agent configuration has been deleted. (#13878)
  • Removed unused migration functionality from the AWS integration. (#14684)
  • Deleted definitions of repeated classes in the AWS integration. (#17655)
  • Removed duplicate methods in AWSBucket and reuse inherited ones from WazuhIntegration. (#15031)

RESTful API

Added

  • Added POST /events API endpoint to ingest logs through the API. (#17670)
  • Added query, select and distinct parameters to multiple endpoints. (#17865)
  • Added a new upgrade and migration mechanism for the RBAC database. (#13919)
  • Added new API configuration option to rotate log files based on a given size. (#13654)
  • Added relative_dirname parameter to GET, PUT and DELETE methods of the /decoder/files/(unknown) and /rule/files/(unknown) endpoints. (#15994)
  • Added new config option to disable uploading configurations containing the new allow_higher_version setting. (#18212)
  • Added API integration tests documentation. (#13615)

Changed

  • Changed the API's response status code for Wazuh cluster errors from 400 to 500. (#13646)
  • Changed Operational API error messages to include additional information. (#19001)

Fixed

  • Fixed an unexpected behavior when using the q and select parameters in some endpoints. (#13421)
  • Resolved an issue in the GET /manager/configuration API endpoint when retrieving the vulnerability detector configuration section. (#15203)
  • Fixed GET /agents/upgrade_result endpoint internal error with code 1814 in large environments. (#15152)
  • Enhanced the alphanumeric_symbols regex to better accommodate specific SCA remediation fields. (#16756)
  • Fixed bug that would not allow retrieving the Wazuh logs if only the JSON format was configured. (#15967)
  • Fixed error in GET /rules when variables are used inside id or level ruleset fields. (#16310)
  • Fixed PUT /syscheck and PUT /rootcheck endpoints to exclude exception codes properly. (#16248)
  • Adjusted test_agent_PUT_endpoints.tavern.yaml to resolve a race condition error. (#16347)
  • Fixed some errors in API integration tests for RBAC white agents. (#16844)

Removed

  • Removed legacy code related to agent databases in /var/agents/db. (#15934)
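The API changes spread across these releases (the status_code field in GET /agents from 4.7.0, POST /events and the query, select and distinct parameters from 4.6.0, and nested expressions in the q parameter from 4.5.3) are easiest to see together in one small client. The script below is an added example written for this page; it is not Wazuh project code. The manager address, the API credentials, the per-request event cap and the canned responses are assumptions; the endpoint paths and the error/data response envelope are those of the Wazuh 4.x RESTful API.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
from collections import Counter

# Assumed deployment values (not from the release notes): point these at your
# manager and an API user whose RBAC policies allow reading agents and ingesting events.
BASE_URL = "https://wazuh-manager.example.internal:55000"
API_USER = "wazuh-wui"
API_PASSWORD = "change-me"
MAX_EVENTS_PER_REQUEST = 100  # assumed cap for POST /events; verify against your version


def build_request(method, path, token=None, params=None, body=None, basic=None):
    """Assemble (method, url, headers, body_bytes) for one API call."""
    url = BASE_URL + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"Accept": "application/json"}
    if basic is not None:  # used once, to exchange the password for a JWT
        cred = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    elif token is not None:
        headers["Authorization"] = "Bearer " + token
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return method, url, headers, data


def urllib_transport(method, url, headers, data, verify_tls=True):
    """Real transport: send the request and return (HTTP status, parsed JSON body)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab managers ship a self-signed API cert; never disable this in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode())


def unwrap(status, payload):
    """Every response is an envelope {"error": <int>, "data": ..., "message": ...}; error 0 is success."""
    if status >= 400 or payload.get("error", 0) != 0:
        raise RuntimeError(f"API call failed ({status}): {payload.get('title') or payload.get('message')}")
    return payload["data"]


def authenticate(transport):
    """POST /security/user/authenticate with HTTP Basic returns a short-lived JWT in data.token."""
    m, u, h, d = build_request("POST", "/security/user/authenticate", basic=(API_USER, API_PASSWORD))
    return unwrap(*transport(m, u, h, d))["token"]


def list_agents(transport, token, query, select=("id", "name", "status", "status_code")):
    """GET /agents filtered with q (';' is AND, ',' is OR, parentheses nest) and trimmed with select."""
    params = {"q": query, "select": ",".join(select), "limit": 500}
    m, u, h, d = build_request("GET", "/agents", token=token, params=params)
    return unwrap(*transport(m, u, h, d))["affected_items"]


def distinct_platforms(transport, token):
    """distinct=true makes the API return only unique values of the selected field."""
    params = {"select": "os.platform", "distinct": "true", "q": "id!=000"}
    m, u, h, d = build_request("GET", "/agents", token=token, params=params)
    items = unwrap(*transport(m, u, h, d))["affected_items"]
    return sorted({item["os"]["platform"] for item in items})


def post_events(transport, token, events):
    """POST /events hands raw log lines to wazuh-analysisd as if an agent had collected them."""
    if not 1 <= len(events) <= MAX_EVENTS_PER_REQUEST:
        raise ValueError(f"send between 1 and {MAX_EVENTS_PER_REQUEST} events per request")
    m, u, h, d = build_request("POST", "/events", token=token, body={"events": events})
    return unwrap(*transport(m, u, h, d))


def count_by_status_code(agents):
    """Group agents by the status_code field that GET /agents gained in 4.7.0."""
    return dict(Counter(a.get("status_code") for a in agents))


# Constructed responses so the script runs offline; the shapes follow the API envelope.
FAKE_RESPONSES = {
    "/security/user/authenticate": {"data": {"token": "eyJ.fake.jwt"}, "error": 0},
    "/agents": {"data": {"affected_items": [
        {"id": "001", "name": "web-01", "status": "active", "status_code": 0, "os": {"platform": "ubuntu"}},
        {"id": "002", "name": "db-01", "status": "disconnected", "status_code": 1, "os": {"platform": "centos"}},
        {"id": "003", "name": "web-02", "status": "active", "status_code": 0, "os": {"platform": "ubuntu"}},
    ], "total_affected_items": 3}, "error": 0},
    "/events": {"data": {"affected_items": ["ok"], "total_affected_items": 1}, "error": 0},
}


def fake_transport(method, url, headers, data):
    """Offline stand-in for urllib_transport that serves the constructed responses above."""
    path = urllib.parse.urlsplit(url).path
    assert headers["Authorization"].startswith(("Basic ", "Bearer ")), "missing credentials"
    return 200, FAKE_RESPONSES[path]


if __name__ == "__main__":
    transport = fake_transport  # swap for urllib_transport to talk to a real manager
    token = authenticate(transport)
    agents = list_agents(transport, token, "status!=never_connected;(os.platform=ubuntu,os.platform=centos)")
    print(count_by_status_code(agents))
    print(distinct_platforms(transport, token))
    print(post_events(transport, token, [
        "Aug 11 10:00:00 web-01 sshd[1234]: Failed password for root from 203.0.113.7 port 4444 ssh2",
    ]))
```

The JWT expires after a short time, so long-running jobs should call authenticate again on a 401 rather than caching the token indefinitely. Note that the four vulnerability endpoints deprecated in 4.7.0-rc1 are deliberately absent: vulnerability data is meant to be read from the indexer instead.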

Ruleset

Changed

  • The SSHD decoder has been improved to catch disconnection events. (#14138)

v4.7.0-alpha2

6 months ago

Manager

Added

  • Introduced native Maltiverse integration. Thanks to David Gil (@dgilm). (#18026)
  • Added a file detailing the dependencies for the Wazuh RESTful API and wodles tests. (#16513)
  • Added unit tests for the Syscollector legacy decoder. (#15985)
  • Added unit tests for the manage_agents tool. (#15999)
  • Added an option to customize the Slack integration. (#16090)
  • Added support for Amazon Linux 2023 in Vulnerability Detector. (#17617)

Changed

  • An unnecessary sanity check related to Syscollector has been removed from wazuh-db. (#16008)

Fixed

  • Fixed an unexpected error by the Cluster when a worker gets restarted. (#16683)
  • Fixed an issue that let the manager validate wrong XML configurations. (#16681)
  • Fixed Syscollector package multiarch values. (#19722)
  • Fixed a random wazuh-agent crash when RPCRT4.dll is loaded. (#18591)

Deleted

  • Deleted the unused framework RBAC migration folder. (#17225)

Agent

Added

  • Added support for Custom Logs in Buckets via AWS SQS. (#17951)
  • Added geolocation for aws.data.client_ip field. Thanks to @rh0dy. (#16198)
  • Added package inventory support for Alpine Linux in Syscollector. (#15699)
  • Added package inventory support for MacPorts in Syscollector. (#15877)
  • Added package inventory support for PYPI and node in Syscollector. (#17982)
  • Added related process information to the open ports inventory in Syscollector. (#15000)

Changed

  • The shared modules' code has been sanitized according to the convention. (#17966)
  • The package inventory internal messages have been modified to comply with the schema. (#18006)
  • The agent's leaky bucket throughput limit has been extended to 100,000 EPS. (#16346)

Fixed

  • Fixed detection of osquery 5.4.0+ running outside the integration. (#17006)
  • Fixed vendor data in package inventory for Brew packages on macOS. (#16089)

RESTful API

Added

  • Added new status_code field to GET /agents response. (#19726)

Fixed

  • Addressed error handling for non-utf-8 encoded file readings. (#16489)
  • Resolved an issue in the WazuhException class that disrupted the API executor subprocess. (#16914)
  • Corrected an empty value problem in the API specification key. (#16918)

Other

Fixed

  • Fixed the signature of the internal function OSHash_GetIndex(). (#17040)

v4.5.4

6 months ago

Manager

Changed

  • Set a timeout on requests between components through the cluster. (#19729)

Fixed

  • Fixed a bug that might leave some worker's services hanging if the connection to the master was broken. (#19702)
  • Fixed vulnerability scan on Windows agent when the OS version has no release data. (#19706)

v4.7.0-alpha1

7 months ago

Manager

Added

  • Introduced native Maltiverse integration. (#18026)
  • Added a file detailing the dependencies for the Wazuh RESTful API and wodles tests. (#16513)
  • Added unit tests for the Syscollector legacy decoder. (#15985)
  • Added unit tests for the manage_agents tool. (#15999)
  • Added an option to customize the Slack integration. (#16090)
  • Added support for Amazon Linux 2023 in Vulnerability Detector. (#17617)

Changed

  • An unnecessary sanity check related to Syscollector has been removed from wazuh-db. (#16008)

Fixed

  • Fixed an unexpected error by the Cluster when a worker gets restarted. (#16683)
  • Fixed an issue that let the manager validate wrong XML configurations. (#16681)

Deleted

  • Deleted the unused framework RBAC migration folder. (#17225)

Agent

Added

  • Added support for Custom Logs in Buckets via AWS SQS. (#17951)
  • Added geolocation for aws.data.client_ip field. Thanks to @rh0dy. (#16198)
  • Added package inventory support for Alpine Linux in Syscollector. (#15699)
  • Added package inventory support for MacPorts in Syscollector. (#15877)
  • Added package inventory support for PYPI and node in Syscollector. (#17982)
  • Added related process information to the open ports inventory in Syscollector. (#15000)

Changed

  • The shared modules' code has been sanitized according to the convention. (#17966)
  • The package inventory internal messages have been modified to comply with the schema. (#18006)
  • The agent's leaky bucket throughput limit has been extended to 100,000 EPS. (#16346)

Fixed

  • Fixed detection of osquery 5.4.0+ running outside the integration. (#17006)
  • Fixed vendor data in package inventory for Brew packages on macOS. (#16089)

RESTful API

Fixed

  • Addressed error handling for non-utf-8 encoded file readings. (#16489)
  • Resolved an issue in the WazuhException class that disrupted the API executor subprocess. (#16914)
  • Corrected an empty value problem in the API specification key. (#16918)

Other

Fixed

  • Fixed the signature of the internal function OSHash_GetIndex(). (#17040)

v4.5.3

7 months ago

Manager

Changed

  • Vulnerability Detector now fetches the SUSE feeds in Gzip compressed format. (#18783)

Fixed

  • Fixed a bug that might cause wazuh-analysisd to crash if it receives a status API query during startup. (#18737)
  • Fixed a bug that might cause wazuh-maild to crash when handling large alerts. (#18976)
  • Fixed an issue in Vulnerability Detector fetching the SLES 15 feed. (#19217)

Agent

Changed

  • Updated the agent to report the name of macOS 14 (Sonoma). (#19041)

Fixed

  • Fixed a bug in the memory handle at the agent's data provider helper. (#18773)
  • Fixed a data mismatch in the OS name between the global and agents' databases. (#18903)
  • Fixed an array limit check in wazuh-logcollector. (#19069)
  • Fixed wrong Windows agent binaries metadata. (#19286)
  • Fixed error during the Windows agent upgrade. (#19397)

RESTful API

Added

  • Added support for the $ symbol in query values. (#18509)
  • Added support for the @ symbol in query values. (#18346)
  • Added support for nested queries in the q API parameter. (#18493)

Changed

  • Updated force flag message in the agent_upgrade CLI. (#18432)

Fixed

  • Removed undesired characters when listing rule group names in GET /rules/groups. (#18362)
  • Fixed an error when using the query condition=all in GET /sca/{agent_id}/checks/{policy_id}. (#18434)
  • Fixed an error in the API log mechanism where sometimes the requests would not be printed in the log file. (#18733)

v4.5.2

8 months ago

Manager

Changed

  • wazuh-remoted now allows connection overtaking if the older agent did not respond for a while. (#18085)
  • The manager stops restricting the possible package formats in the inventory, to increase compatibility. (#18437)
  • wazuh-remoted now prints the connection family when an unknown client gets connected. (#18468)
  • The manager stops blocking updates by WPK to macOS agents on ARM64, allowing custom updates. (#18545)
  • Vulnerability Detector now fetches the Debian feeds in BZ2 compressed format. (#18770)

Fixed

  • Fixed a bug in wazuh-csyslogd that causes it to consume 100% of CPU while expecting new alerts. (#18472)

v4.5.2-rc1

8 months ago

Manager

Changed

  • wazuh-remoted now allows connection overtaking if the older agent did not respond for a while. (#18085)
  • The manager stops restricting the possible package formats in the inventory, to increase compatibility. (#18437)
  • wazuh-remoted now prints the connection family when an unknown client gets connected. (#18468)
  • The manager stops blocking updates by WPK to macOS agents on ARM64, allowing custom updates. (#18545)

Fixed

  • Fixed a bug in wazuh-csyslogd that causes it to consume 100% of CPU while expecting new alerts. (#18472)

v4.5.1

8 months ago

Manager

Changed

  • Vulnerability Detector now fetches the RHEL 5 feed URL from feed.wazuh.com by default. (#18142)
  • The Vulnerability Detector CPE helper has been updated. (#16846)

Fixed

  • Fixed a race condition in some RBAC unit tests by clearing the SQLAlchemy mappers. (#17866)
  • Fixed a bug in wazuh-analysisd that could exceed the maximum number of fields when loading a rule. (#17490)
  • Fixed a race condition in wazuh-analysisd FTS list. (#17126)
  • Fixed a crash in Analysisd when parsing an invalid decoder. (#17143)
  • Fixed a segmentation fault in wazuh-modulesd due to duplicate Vulnerability Detector configuration. (#17701)
  • Fixed Vulnerability Detector configuration for unsupported SUSE systems. (#16978)

Agent

Added

  • Added the discard_regex functionality to Inspector and CloudWatchLogs AWS integrations. (#17748)
  • Added new validations for the AWS integration arguments. (#17673)
  • Added native agent support for Apple silicon. (#2224)

Changed

  • The agent for Windows now loads its shared libraries after running the verification. (#16607)

Fixed

  • Fixed InvalidRange error in Azure Storage integration when trying to get data from an empty blob. (#17524)
  • Fixed a memory corruption hazard in the FIM Windows Registry scan. (#17586)
  • Fixed an error in Syscollector reading the CPU frequency on Apple M1. (#17179)
  • Fixed agent WPK upgrade for Windows that might leave the previous version in the Registry. (#16659)
  • Fixed agent WPK upgrade for Windows to get the correct path of the Windows folder. (#17176)

RESTful API

Fixed

  • Fixed PUT /agents/upgrade_custom endpoint to validate that the file extension is .wpk. (#17632)
  • Fixed errors in API endpoints to get labels and reports active configuration from managers. (#17660)

Ruleset

Changed

  • The SCA policy for Ubuntu Linux 20.04 (CIS v2.0.0) has been remade. (#17794)

Fixed

  • Fixed CredSSP encryption enforcement at Windows Benchmarks for SCA. (#17941)
  • Fixed an inverse logic in MS Windows Server 2022 Benchmark for SCA. (#17940)
  • Fixed a false positive in a Windows Eventchannel rule caused by a substring match. (#17779)
  • Fixed missing whitespaces in SCA policies for Windows. (#17813)
  • Fixed the description of a Fortigate rule. (#17798)

Removed

  • Removed check 1.1.5 from Windows 10 SCA policy. (#17812)

Other

Changed

  • The CURL library has been updated to v7.88.1. (#16990)

v4.5.1-rc2

8 months ago

Manager

Changed

  • Vulnerability Detector now fetches the RHEL 5 feed URL from feed.wazuh.com by default. (#18142)
  • The Vulnerability Detector CPE helper has been updated. (#16846)

Fixed

  • Fixed a race condition in some RBAC unit tests by clearing the SQLAlchemy mappers. (#17866)
  • Fixed a bug in wazuh-analysisd that could exceed the maximum number of fields when loading a rule. (#17490)
  • Fixed a race condition in wazuh-analysisd FTS list. (#17126)
  • Fixed a crash in Analysisd when parsing an invalid decoder. (#17143)
  • Fixed a segmentation fault in wazuh-modulesd due to duplicate Vulnerability Detector configuration. (#17701)
  • Fixed Vulnerability Detector configuration for unsupported SUSE systems. (#16978)

Agent

Added

  • Added the discard_regex functionality to Inspector and CloudWatchLogs AWS integrations. (#17748)
  • Added new validations for the AWS integration arguments. (#17673)
  • Added native agent support for Apple silicon. (#2224)

Changed

  • The agent for Windows now loads its shared libraries after running the verification. (#16607)

Fixed

  • Fixed InvalidRange error in Azure Storage integration when trying to get data from an empty blob. (#17524)
  • Fixed a memory corruption hazard in the FIM Windows Registry scan. (#17586)
  • Fixed an error in Syscollector reading the CPU frequency on Apple M1. (#17179)
  • Fixed agent WPK upgrade for Windows that might leave the previous version in the Registry. (#16659)
  • Fixed agent WPK upgrade for Windows to get the correct path of the Windows folder. (#17176)

RESTful API

Fixed

  • Fixed PUT /agents/upgrade_custom endpoint to validate that the file extension is .wpk. (#17632)
  • Fixed errors in API endpoints to get labels and reports active configuration from managers. (#17660)

Ruleset

Changed

  • The SCA policy for Ubuntu Linux 20.04 (CIS v2.0.0) has been remade. (#17794)

Fixed

  • Fixed CredSSP encryption enforcement at Windows Benchmarks for SCA. (#17941)
  • Fixed an inverse logic in MS Windows Server 2022 Benchmark for SCA. (#17940)
  • Fixed a false positive in a Windows Eventchannel rule caused by a substring match. (#17779)
  • Fixed missing whitespaces in SCA policies for Windows. (#17813)
  • Fixed the description of a Fortigate rule. (#17798)

Removed

  • Removed check 1.1.5 from Windows 10 SCA policy. (#17812)

Other

Changed

  • The CURL library has been updated to v7.88.1. (#16990)