- How can I collect logs via syslog using agentless?
- If I add an agentless device will it show as an agent?
- Is it possible to monitor the output of a command on a remote device?
- Can I monitor directories on a remote system?
- How can I remove the Agentless monitoring configuration?
The agentless capability allows you to monitor devices or systems with no agent via SSH, by providing the capability to run commands on the device. Wazuh includes several built-in commands that allow you to detect any output, difference between outputs, and verify the integrity of files in the agentless device.
To collect logs you can configure your device to forward logs using syslog and configure Wazuh to receive them using :ref:`remote syslog <remote_syslog>`.
Agentless devices do not appear as individual agents; their logs are registered with the manager agent name and ID ``000``. Agentless devices don't affect the total agent count.
You may filter agentless logs by searching for ``location:agentless``, and each specific host can be identified by the ``agentless.host`` field.
Yes, using the ``ssh_generic_diff`` option: :ref:`example <agentless-examples>`.
Yes, using either the ``ssh_integrity_check_bsd`` or ``ssh_integrity_check_linux`` options.
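
The two answers above (command output and directory monitoring) correspond to ``<agentless>`` blocks like the following in the manager's ``ossec.conf``. This is an added example, not taken from the original page; the host ``monitor@host.example``, the frequencies, the command and the directory list are constructed placeholders.

```xml
<!-- Added example: values below are illustrative placeholders. -->

<!-- Command output monitoring: runs the command over SSH and
     reports when the output differs from the previous run. -->
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>3600</frequency>                <!-- seconds between runs -->
  <host>monitor@host.example</host>          <!-- placeholder user@host -->
  <state>periodic_diff</state>               <!-- compare with previous output -->
  <arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>

<!-- Directory integrity monitoring on a Linux host: checks the
     integrity of files under the listed directories. -->
<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>36000</frequency>
  <host>monitor@host.example</host>
  <state>periodic</state>                    <!-- report output on each run -->
  <arguments>/bin /etc /sbin</arguments>     <!-- directories to check -->
</agentless>

<!-- For a BSD host, use ssh_integrity_check_bsd as the type instead. -->
```
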
To remove your agentless configuration and passwords, perform the following steps:

- Remove the agentless configuration from your ``ossec.conf`` file.
- Remove the ``.passlist`` file located at ``/var/ossec/agentless/.passlist``.
- Restart your Wazuh manager to apply the changes.