### Manually Install Docker and Start Service Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/TROUBLESHOOTING.md If Docker installation fails, these commands can be used for manual installation, enabling, and starting the Docker service. ```bash curl -fsSL https://get.docker.com | sh systemctl enable docker systemctl start docker ``` -------------------------------- ### Standard and Air-Gapped Installation Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SCENARIOS.md Use the standard installation script for a full setup including Tailscale. For air-gapped or bootstrap environments, use the `--skip-tailscale` flag or set the AUTOPILOT_MODE environment variable. ```bash sudo ./install/install.sh # Air-gapped / bootstrap (skip Tailscale) sudo ./install/install.sh --skip-tailscale # Or set the environment variable export AUTOPILOT_MODE=bootstrap sudo ./install/install.sh ``` -------------------------------- ### Install Project (Skip Tailscale) Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/CONTRIBUTING.md Install the project dependencies, skipping Tailscale setup for development or testing. ```bash sudo ./install/install.sh --skip-tailscale ``` -------------------------------- ### Install OpenClaw Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/openclaw/README.md Follow the official OpenClaw installation guide. This is a prerequisite for configuring the agents. ```bash # Follow OpenClaw installation guide # https://github.com/openclaw/openclaw ``` -------------------------------- ### Install and Configure Wazuh MCP Server Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/MCP_INTEGRATION.md Steps to clone, configure, and start the Wazuh MCP Server using Docker Compose. Ensure to copy the example environment file and modify it with your Wazuh API credentials and MCP server settings. ```bash git clone https://github.com/gensecaihq/Wazuh-MCP-Server cd Wazuh-MCP-Server cp .env.example .env nano .env docker compose up -d ``` -------------------------------- ### Install Wazuh Autopilot Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/CLI_REFERENCE.md Run the standard installation script for an interactive setup. Use `--mode bootstrap` or `--skip-tailscale` for air-gapped environments. Use `--mode mcp-only` to install only the MCP Server. ```bash sudo ./install/install.sh ``` ```bash sudo ./install/install.sh --mode bootstrap ``` ```bash sudo ./install/install.sh --skip-tailscale ``` ```bash sudo ./install/install.sh --mode mcp-only ``` ```bash sudo ./install/install.sh --help ``` ```bash sudo ./install/install.sh --version ``` -------------------------------- ### Install Tailscale Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/TAILSCALE_MANDATORY.md Install Tailscale on the Autopilot host using the official installation script. Authenticate with your Tailnet afterwards. ```bash # The installer does this automatically, or manually: curl -fsSL https://tailscale.com/install.sh | sh # Authenticate with your Tailnet sudo tailscale up ``` -------------------------------- ### Run Wazuh OpenClaw Autopilot Installer Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/QUICKSTART.md Execute the installation script for a standard setup. Use specific flags for air-gapped environments or to install only the MCP server. ```bash sudo ./install/install.sh ``` ```bash sudo ./install/install.sh --mode bootstrap # or equivalently: sudo ./install/install.sh --skip-tailscale ``` ```bash sudo ./install/install.sh --mode mcp-only ``` -------------------------------- ### Running a Compliance Check Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/MCP_INTEGRATION.md Example of how to run a compliance check against a specified framework. ```APIDOC ## Running a Compliance Check ### Description Run a compliance check against a specified framework. ### Tool `run_compliance_check` ### Arguments - **framework** (string) - Required - The compliance framework to check against (e.g., PCI-DSS, HIPAA, SOX, GDPR, NIST). ### Request Example ```json { "tool": "run_compliance_check", "arguments": { "framework": "PCI-DSS" } } ``` ``` -------------------------------- ### Start vLLM with Qwen3 32B Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/VLLM_DEPLOYMENT.md Use this command to start the vLLM server with the Qwen3 32B model, enabling tool calling. Ensure the API key and port match your configuration. ```bash vllm serve Qwen/Qwen3-32B \ --served-model-name qwen3-32b \ --api-key "your-secure-key" \ --port 8000 \ --enable-auto-tool-choice \ --tool-call-parser hermes \ --max-model-len 131072 \ --gpu-memory-utilization 0.95 ``` -------------------------------- ### Start and Authenticate Tailscale Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/TROUBLESHOOTING.md Use 'tailscale up' to start the Tailscale service. If not authenticated, this command will provide an authentication URL. ```bash sudo tailscale up ``` ```bash sudo tailscale up ``` -------------------------------- ### Start and Enable Wazuh Autopilot Service Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/QUICKSTART.md Start the Wazuh Autopilot runtime service using systemctl, enable it to start on boot, and check its status. ```bash # Start the runtime service sudo systemctl start wazuh-autopilot # Enable on boot sudo systemctl enable wazuh-autopilot # Check status sudo systemctl status wazuh-autopilot ``` -------------------------------- ### Air-gapped Bootstrap Installation Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/README.md Initiate the bootstrap process for an air-gapped installation of OpenClaw Autopilot. Refer to the guide for further steps in classified or offline environments. ```bash sudo ./install/install.sh --mode bootstrap ``` -------------------------------- ### Install Wazuh OpenClaw Autopilot Source: https://context7.com/gensecaihq/wazuh-openclaw-autopilot/llms.txt Use the hardened installer for Ubuntu/Debian/RHEL systems. Options include a full production install with Tailscale, a bootstrap mode for evaluation, or an MCP Server-only installation. ```bash git clone https://github.com/gensecaihq/Wazuh-Openclaw-Autopilot.git cd Wazuh-Openclaw-Autopilot # Full production install (Tailscale + systemd service) sudo ./install/install.sh # Bootstrap / air-gapped mode (no Tailscale, useful for evaluation) sudo ./install/install.sh --mode bootstrap # MCP Server only (skip OpenClaw and runtime) sudo ./install/install.sh --mode mcp-only ``` -------------------------------- ### Install and Test Autopilot Service Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/README.md Navigate to the autopilot service directory, install dependencies, and run tests. Ensure all tests pass before contributing. ```bash cd runtime/autopilot-service npm install npm test # 532 tests, all passing ``` -------------------------------- ### Agent Pack Installation and Restart Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SCENARIOS.md Install the agent pack on a server with an existing OpenClaw installation. After copying agent files and configurations, restart the OpenClaw service to load the new agents. ```bash sudo ./install/install.sh # Restart OpenClaw to load new agents sudo systemctl restart openclaw # or docker restart openclaw ``` -------------------------------- ### Non-Interactive Installation Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SCENARIOS.md Perform a non-interactive installation by setting required environment variables for production mode, MCP URL, and authentication token before running the install script. ```bash export AUTOPILOT_MODE=production export MCP_URL=https://mcp.your-tailnet.ts.net:3000 export AUTOPILOT_MCP_AUTH=your-token sudo ./install/install.sh ``` -------------------------------- ### Installer Commands Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/CLI_REFERENCE.md Commands for installing and managing Wazuh Autopilot, including options for different installation modes and environment variables. ```APIDOC ## Installer Commands ### Basic Usage ```bash # Standard installation (interactive) sudo ./install/install.sh # Air-gapped / bootstrap (skip Tailscale) sudo ./install/install.sh --mode bootstrap # or equivalently: sudo ./install/install.sh --skip-tailscale # MCP Server only (skip OpenClaw, Runtime, Agents) sudo ./install/install.sh --mode mcp-only # Show help sudo ./install/install.sh --help # Show version sudo ./install/install.sh --version ``` ### Command-Line Options | Option | Description | Example | |--------|-------------|---------| | `--mode ` | Installation mode: `full` (default), `bootstrap` (no Tailscale), `mcp-only` (MCP Server only) | `--mode bootstrap` | | `--skip-tailscale` | Skip Tailscale installation (equivalent to `--mode bootstrap`) | `--skip-tailscale` | | `--help` | Show help message | `--help` | | `--version` | Show version | `--version` | ### Installation Modes | Mode | Description | What Gets Installed | |------|-------------|---------------------| | `full` | Standard production install (default) | Tailscale + MCP Server + OpenClaw + Runtime + Agents | | `bootstrap` | Air-gapped or evaluation install | MCP Server + OpenClaw + Runtime + Agents (no Tailscale) | | `mcp-only` | Minimal install for existing OpenClaw setups | MCP Server only (no OpenClaw, Runtime, or Agents) | ### Environment Variables Set these before running the installer: ```bash # Deployment mode (also settable via --mode flag) export AUTOPILOT_MODE=bootstrap # Skips Tailscale automatically export AUTOPILOT_MODE=mcp-only # MCP Server only export AUTOPILOT_MODE=production # Full install with Tailscale (default) # Slack Configuration (prompted during install if not set) export SLACK_APP_TOKEN=xapp-1-... export SLACK_BOT_TOKEN=xoxb-... ``` ``` -------------------------------- ### Agent Runtime Configuration Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/AGENT_CONFIGURATION.md Shows an example of an agent's runtime configuration within `openclaw.json`, specifying its ID, name, model, and allowed/denied tools. ```json { "id": "wazuh-triage", "name": "Wazuh Triage Agent", "model": "anthropic/claude-sonnet-4-5", "tools": { "allow": ["read", "sessions_list", "sessions_history", "sessions_send"], "deny": ["write", "exec", "delete", "browser"] } } ``` -------------------------------- ### Install Tailscale on MCP Host Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/TAILSCALE_MANDATORY.md Install Tailscale on the machine running your Wazuh MCP Server. Follow the authentication prompts to join your Tailnet. ```bash curl -fsSL https://tailscale.com/install.sh | sh sudo tailscale up ``` -------------------------------- ### Distributed Installation (Server B Configuration) Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SCENARIOS.md When separating MCP and Runtime to different servers, install on Server B and configure the MCP_URL to point to Server A's MCP service, using either its domain name or Tailscale address. ```bash sudo ./install/install.sh # Then edit /etc/wazuh-autopilot/.env to set MCP_URL # Server B configuration MCP_URL=https://server-a.example.com:3000 # Or with Tailscale MCP_URL=https://server-a.tail12345.ts.net:3000 ``` -------------------------------- ### Runtime Only Installation Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SCENARIOS.md Install only the Autopilot Runtime on Server C if OpenClaw is managed separately. Ensure the MCP_URL is configured correctly in the .env file. ```bash sudo ./install/install.sh # Then edit /etc/wazuh-autopilot/.env to set MCP_URL ``` -------------------------------- ### Wazuh MCP Server Configuration Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/MCP_INTEGRATION.md Example `.env` file for configuring the Wazuh MCP Server. This includes settings for connecting to the Wazuh Manager, MCP server port, host, authentication mode, API key, and advanced parameters like timeouts and query limits. ```env # .env file for Wazuh MCP Server WAZUH_HOST=wazuh-manager WAZUH_PORT=55000 WAZUH_USER=wazuh WAZUH_PASS=your-password WAZUH_VERIFY_SSL=true WAZUH_ALLOW_SELF_SIGNED=true # MCP Server settings MCP_PORT=3000 MCP_HOST=0.0.0.0 AUTH_MODE=bearer MCP_API_KEY=your-api-key # Advanced REQUEST_TIMEOUT_SECONDS=30 MAX_ALERTS_PER_QUERY=1000 MAX_CONNECTIONS=10 ``` -------------------------------- ### Slack Interactive Buttons Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SLACK_SOCKET_MODE.md An example of how an approval request appears with interactive buttons for users to approve or reject. ```text ┌─────────────────────────────────────────┐ │ 🚨 Approval Request │ │ │ │ Case: CASE-20260217-abc12345 │ │ Severity: High │ │ Proposed Action: Block IP 192.168.1.100 │ │ │ │ [Approve (Tier 1)] [Reject] │ └─────────────────────────────────────────┘ ``` -------------------------------- ### Configure Autopilot Installation Mode via Environment Variables Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/CLI_REFERENCE.md Set environment variables before running the installer to define the deployment mode or configure Slack integration. These settings can also be specified using command-line flags. ```bash export AUTOPILOT_MODE=bootstrap export AUTOPILOT_MODE=mcp-only export AUTOPILOT_MODE=production export SLACK_APP_TOKEN=xapp-1-... export SLACK_BOT_TOKEN=xoxb-... ``` -------------------------------- ### Manual Development Service Start Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/README.md Start the OpenClaw Autopilot service manually for development purposes. Ensure you are in the correct directory. ```bash cd runtime/autopilot-service && npm start ``` -------------------------------- ### Install vLLM for NVIDIA (CUDA) Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/VLLM_DEPLOYMENT.md Install the vLLM library for systems with NVIDIA GPUs using pip. ```bash pip install vllm ``` -------------------------------- ### Start OpenClaw Gateway Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/openclaw/README.md Command to initiate the OpenClaw gateway service. ```bash openclaw gateway start ``` -------------------------------- ### Run Service Locally Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/CONTRIBUTING.md Start the Wazuh OpenClaw Autopilot service locally using Node.js. ```bash node index.js ``` -------------------------------- ### Transition to Production Mode Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SCENARIOS.md Steps to transition from bootstrap to production mode, including installing Tailscale, updating MCP_URL, setting the mode, and restarting services. ```bash # 1. Install and authenticate Tailscale sudo tailscale up # 2. Update MCP_URL in /etc/wazuh-autopilot/.env to use Tailnet address # 3. Set AUTOPILOT_MODE=production # 4. Restart services sudo systemctl restart wazuh-mcp-server wazuh-autopilot ``` -------------------------------- ### Serve Ollama with Custom Context Window Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/AIR_GAPPED_DEPLOYMENT.md Manually start the Ollama server with a specified context window size using an environment variable. ```bash OLLAMA_NUM_CTX=32768 ollama serve ``` -------------------------------- ### Patch Management - Deployment Phases Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/playbooks/vuln-spike.md Outlines the different phases of patch deployment: canary, pilot, and production. Includes scope, duration, validation steps, and go/no-go criteria for each phase. ```yaml deployment_phases: canary_deployment: scope: 1-2 non-critical hosts with same config duration: 4_hours validation: - Service availability check - Application functionality test - Performance baseline comparison - Log review for errors go_no_go: If validation passes -> proceed to pilot pilot_deployment: scope: 10% of affected hosts (diverse sample) duration: 24_hours validation: - User acceptance testing - Integration testing - Performance monitoring - Security scan (verify vuln remediated) go_no_go: If validation passes -> proceed to production production_deployment: scope: remaining 90% of hosts method: rolling_deployment (batches of 20%) duration: 48_hours rollback_triggers: - Service outage detected - Critical functionality broken - Performance degradation > 20% - New vulnerabilities introduced ``` -------------------------------- ### Wazuh OpenClaw Autopilot Installation Script Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/README.md Shell script for installing Wazuh OpenClaw Autopilot, including MCP Server setup, OpenClaw configuration, agent deployment, and optional Slack integration. Use `--mode bootstrap` for air-gapped environments. ```bash git clone https://github.com/gensecaihq/Wazuh-Openclaw-Autopilot.git cd Wazuh-Openclaw-Autopilot sudo ./install/install.sh ``` -------------------------------- ### Restrictive Policy Configuration Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/POLICY_AND_APPROVALS.md Example YAML configuration for starting with conservative policy settings. This ensures actions require individual enablement and human approval by default. ```yaml # In policy.yaml — actions require individual enablement and human approval actions: enabled: true # Each action in the allowlist must have enabled: true to be available # All actions require human approval regardless of this flag autonomy: default_level: approval ``` -------------------------------- ### Runtime API Access Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/openclaw/agents/investigation/TOOLS.md Demonstrates how to access the Investigation Agent's runtime REST API using the `web_fetch` tool. All endpoints use GET requests with query parameters, including the authentication token. ```python web_fetch("http://localhost:9090", params={'token': AUTOPILOT_MCP_AUTH}) ``` -------------------------------- ### Multi-Stage Decision Tree for Lateral Movement Analysis Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/playbooks/lateral-movement.md A multi-stage decision tree to guide the analysis of potential lateral movement, starting from initial authentication triage to blast radius assessment and final response classification. ```text Internal Authentication Detected (Event 4624 Type 3/10) │ ├─→ Source/Destination Analysis │ ├─→ Both internal IPs? → PROCEED │ ├─→ External source? → FALSE POSITIVE (handled by boundary playbook) │ └─→ Known admin host? → CHECK PATTERN │ └─→ Pattern Recognition ├─→ Known admin pattern? (source in admin_workstations, time = business hours) │ └─→ BASELINE (log for trending, no alert) │ └─→ Unusual pattern? → PROCEED TO STAGE 2 ``` ```text Unusual Authentication Pattern Confirmed │ ├─→ Source Host Analysis (lookback 24h) │ ├─→ Prior credential access alerts? (Mimikatz, LSASS dump) → SOURCE COMPROMISED │ ├─→ Prior malware/C2 alerts? → SOURCE COMPROMISED │ ├─→ User account abnormal for source host? → SOURCE LIKELY COMPROMISED │ └─→ No prior indicators → PROCEED TO STAGE 3 │ └─→ Severity Escalation └─→ If SOURCE COMPROMISED → Escalate to CRITICAL ``` ```text Lateral Movement Confirmed │ ├─→ Tool Detection │ ├─→ Admin Tools (PsExec, WMI, PowerShell Remoting)? │ │ ├─→ Legitimate admin activity? (authorized user, business hours, documented change) │ │ │ └─→ MEDIUM severity, monitor │ │ └─→ Unusual admin tool usage? │ │ └─→ HIGH severity, investigate │ │ │ └─→ Exploitation Tools? (MS17-010, EternalBlue, exploit frameworks) │ └─→ CRITICAL severity, immediate containment │ └─→ Credential Type Analysis ├─→ Password authentication → Standard compromise ├─→ Pass-the-Hash (NTLM without Kerberos) → Advanced attacker, credential dumping occurred └─→ Pass-the-Ticket (Kerberos anomaly) → Sophisticated attacker, domain compromise risk ``` ```text Technique Identified │ ├─→ Single Hop Analysis │ └─→ One source → One target? │ ├─→ Target critical asset? → HIGH/CRITICAL severity │ └─→ Target standard workstation? → MEDIUM severity │ └─→ Multi-Hop Chain Detection ├─→ Source accessed multiple targets? (query: same source, multiple destinations, time window 4h) │ └─→ 2-5 hosts → HIGH severity, orchestrated campaign │ └─→ 6+ hosts → CRITICAL severity, active breach │ ├─→ Pivoting detected? (Target becomes new source) │ └─→ Host A → Host B → Host C chain? │ └─→ CRITICAL severity, advanced persistent threat │ └─→ Blast radius calculation ├─→ Query: All hosts accessed by user in 24h ├─→ Query: All accounts used from source host └─→ Output: Network graph of compromised relationships ``` ```text Blast Radius Mapped │ ├─→ CRITICAL - Immediate Containment Required │ ├─→ Domain admin account used │ ├─→ 6+ hosts accessed │ ├─→ Pivoting/chain detected │ ├─→ Critical asset accessed (DC, file server, database) │ └─→ Pass-the-Ticket/Golden Ticket indicators │ ├─→ HIGH - Urgent Investigation and Likely Containment │ ├─→ Privileged account used │ ├─→ 2-5 hosts accessed │ ├─→ Pass-the-Hash detected │ └─→ Exploitation tools used │ └─→ MEDIUM - Standard Investigation ├─→ Single hop, standard account ├─→ Admin tools with partial legitimacy └─→ Requires validation of authorization ``` -------------------------------- ### Manually Install OpenClaw Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/TROUBLESHOOTING.md If the installer fails to install OpenClaw automatically, use this curl command to install it manually. Ensure OpenClaw is installed before running the Autopilot installer. ```bash curl -fsSL https://openclaw.ai/install.sh | sh ``` -------------------------------- ### Pre-download Models for Air-Gapped Deployment Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/VLLM_DEPLOYMENT.md Download models using huggingface-cli on a machine with internet access before running in an air-gapped environment. ```bash pip install huggingface-hub huggingface-cli download Qwen/Qwen3-32B --local-dir /models/qwen3-32b ``` -------------------------------- ### Patch Management - Pre-Deployment Automation Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/playbooks/vuln-spike.md Shows automation tasks for the pre-deployment phase of patch management, including Ansible playbooks, Terraform for snapshots, and CMDB updates. ```yaml patch_deployment_process: pre_deployment: tasks: - [ ] Patch validated in lab/test environment - [ ] Rollback plan documented and tested - [ ] Change ticket created with all details - [ ] Downtime notification sent to stakeholders - [ ] Backup of affected systems completed - [ ] Patch files downloaded and integrity-checked automation: - Ansible playbook: pre-patch-validation.yml - Terraform: snapshot-creation.tf (cloud instances) - CMDB update: maintenance_mode = TRUE ``` -------------------------------- ### Retrieving Alerts Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/MCP_INTEGRATION.md Example of how to retrieve Wazuh alerts with specific filters. ```APIDOC ## Retrieving Alerts ### Description Retrieve alerts with filtering (limit, rule_id, level, agent_id, timestamp range). ### Tool `get_wazuh_alerts` ### Arguments - **level** (integer) - Optional - The alert level to filter by. - **agent_id** (string) - Optional - The agent ID to filter alerts from. - **limit** (integer) - Optional - The maximum number of alerts to retrieve. ### Request Example ```json { "tool": "get_wazuh_alerts", "arguments": { "level": 12, "agent_id": "001", "limit": 50 } } ``` ### Response Example (Success Response) ```json { "alerts": [ { "rule": { "level": 12, "description": "SSH brute force attack", "mitre": { "id": ["T1110"], "tactic": ["Credential Access"] } }, "agent": { "id": "001", "name": "server-prod-01", "ip": "10.0.1.100" }, "data": { "srcip": "192.168.1.50", "srcuser": "root" } } ] } ``` ``` -------------------------------- ### Checking Agent Health Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/MCP_INTEGRATION.md Example of how to check the health status of a specific agent. ```APIDOC ## Checking Agent Health ### Description Check the health status of a specific agent. ### Tool `check_agent_health` ### Arguments - **agent_id** (string) - Required - The ID of the agent to check. ### Request Example ```json { "tool": "check_agent_health", "arguments": { "agent_id": "001" } } ``` ``` -------------------------------- ### Conventional Commit Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/CONTRIBUTING.md Example of a conventional commit message for adding Teams integration support. ```text feat: Add Teams integration support - Add teams agent workspace (AGENTS.md, IDENTITY.md, TOOLS.md, MEMORY.md) - Update policy.yaml with Teams channel allowlists - Add documentation for Teams setup ``` -------------------------------- ### Configure LLM API Keys Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/QUICKSTART.md Set up your LLM provider API keys in the .env configuration file. OpenRouter is recommended for a unified and safer experience. ```bash # Option 1: OpenRouter (recommended — single key, no ban risk) OPENROUTER_API_KEY=sk-or-... # https://openrouter.ai/ # Option 2: Direct provider API keys (pay-per-token only!) ANTHROPIC_API_KEY=sk-ant-... # https://console.anthropic.com/ OPENAI_API_KEY=sk-... # https://platform.openai.com/ GROQ_API_KEY=gsk-... # https://console.groq.com/ ``` -------------------------------- ### Patch Management - Post-Deployment Automation Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/playbooks/vuln-spike.md Details automation tasks for the post-deployment phase, including vulnerability re-scans, CMDB updates, and metrics dashboard updates. ```yaml post_deployment: tasks: - [ ] Vulnerability scan confirms remediation - [ ] Service monitoring shows normal operation - [ ] User feedback collected (no major issues) - [ ] Change ticket closed with evidence - [ ] Metrics updated (MTTD, MTTR, patch coverage) - [ ] Lessons learned documented automation: - Wazuh vulnerability re-scan - Nessus/Qualys validation scan - CMDB update: patch_level, last_patched_date - Metrics dashboard update ``` -------------------------------- ### Start vLLM with Llama 3.3 70B Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/VLLM_DEPLOYMENT.md This command initiates the vLLM server with the Llama 3.3 70B model, suitable for complex reasoning tasks. Configure the API key, port, and tensor parallel size as needed. ```bash vllm serve meta-llama/Llama-3.3-70B-Instruct \ --served-model-name llama3.3-70b \ --api-key "your-secure-key" \ --port 8000 \ --enable-auto-tool-choice \ --tool-call-parser llama3_json \ --tensor-parallel-size 2 \ --max-model-len 131072 \ --gpu-memory-utilization 0.95 ``` -------------------------------- ### Configure Optional Slack Integration Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/QUICKSTART.md Set up Slack API tokens in the .env file for notifications and interactive approvals. Refer to the Slack documentation for details. ```bash # Slack tokens for notifications and approvals # Get these from your Slack app configuration # See: docs/SLACK_SOCKET_MODE.md SLACK_APP_TOKEN=xapp-1-your-app-token SLACK_BOT_TOKEN=xoxb-your-bot-token ``` -------------------------------- ### MITRE ATT&CK Chain Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/playbooks/lateral-movement.md An example of a MITRE ATT&CK chain representing the techniques used in an attack. ```json ["T1078", "T1003.001", "T1021.002", "T1550.002"] ``` -------------------------------- ### MCP Log Entry Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/MCP_INTEGRATION.md Example of a log entry generated by MCP calls, including a correlation ID for tracing. ```json { "ts": "2026-02-17T10:30:00Z", "level": "info", "component": "mcp", "msg": "Tool call completed", "tool": "get_wazuh_alerts", "status": "success", "latency_ms": 45, "correlation_id": "abc-123-def" } ``` -------------------------------- ### Install Undici for HTTP Timeout Fix Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/AIR_GAPPED_DEPLOYMENT.md Installs the undici package globally, which is required to fix the HTTP timeout issue in OpenClaw. ```bash npm install -g undici ``` -------------------------------- ### Install vLLM for AMD (ROCm) Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/VLLM_DEPLOYMENT.md Install the vLLM library for systems with AMD GPUs using pip, specifying the ROCm version. ```bash pip install vllm==0.15.0+rocm700 --extra-index-url https://wheels.vllm.ai/rocm/0.15.0/rocm700 ``` -------------------------------- ### Slack Case Card Example Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/SLACK_SOCKET_MODE.md An example of a case card posted to Slack when an alert is triaged, including details and action buttons. ```text ┌─────────────────────────────────────────┐ │ 📋 Case Created: CASE-20260217-abc12345 │ │ │ │ Severity: High | Confidence: 85% │ │ Title: Brute force attack detected │ │ │ │ Entities: │ • IP: 192.168.1.100 │ │ • User: admin │ │ • Host: web-server-01 │ │ │ │ [View Details] [Investigate] [Plan] │ └─────────────────────────────────────────┘ ``` -------------------------------- ### Serve Local LLM with vLLM Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/README.md This command starts a vLLM server for a specified model, enabling auto-tool choice and using the 'hermes' tool-call parser. This is suitable for self-hosted GPU deployments. ```bash vllm serve Qwen/Qwen3-32B --enable-auto-tool-choice --tool-call-parser hermes ``` -------------------------------- ### Run vLLM Offline (Air-Gapped) Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/VLLM_DEPLOYMENT.md Start the vLLM server in an air-gapped environment after pre-downloading models. Sets environment variables for offline use. ```bash export HF_HUB_OFFLINE=1 export TRANSFORMERS_OFFLINE=1 vllm serve /models/qwen3-32b \ --served-model-name qwen3-32b \ --api-key "${VLLM_API_KEY}" \ --port 8000 \ --enable-auto-tool-choice \ --tool-call-parser hermes \ --max-model-len 131072 \ --gpu-memory-utilization 0.95 ``` -------------------------------- ### Troubleshoot Wazuh Autopilot Service Startup Issues Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/docs/CLI_REFERENCE.md If the Wazuh Autopilot service fails to start, check the system journal for recent errors and verify the contents of the `.env` configuration file. ```bash sudo journalctl -u wazuh-autopilot -n 50 ``` ```bash cat /etc/wazuh-autopilot/.env ``` -------------------------------- ### Wazuh Indexer Aggregation Examples Source: https://github.com/gensecaihq/wazuh-openclaw-autopilot/blob/main/openclaw/agents/investigation/TOOLS.md Examples of common aggregations for analyzing Wazuh alert data, including terms, date histogram, and stats. ```json "aggs": { "by_rule": { "terms": { "field": "rule.id", "size": 50 } } } ``` ```json "aggs": { "over_time": { "date_histogram": { "field": "@timestamp", "fixed_interval": "5m" } } } ``` ```json "aggs": { "level_stats": { "stats": { "field": "rule.level" } } } ``` -------------------------------- ### Self-hosted vLLM GPU Inference Source: https://context7.com/gensecaihq/wazuh-openclaw-autopilot/llms.txt Example command for serving a model with vLLM, enabling auto tool choice and specifying a tool call parser. Note the VRAM requirements for large models. ```bash # vLLM self-hosted GPU inference (openclaw/openclaw-vllm.json) # vllm serve Qwen/Qwen3-32B --enable-auto-tool-choice --tool-call-parser hermes # Model requirements: Qwen3-32B ~64GB VRAM, Llama3.3-70B ~140GB VRAM ```