Monitor AI agent activity and trigger alerts when Rampart blocks dangerous operations.
Rampart logs every tool call decision to JSON files in ~/.rampart/audit/. Wazuh can monitor these files, decode the events, and generate alerts based on deny/log actions — giving your SOC visibility into AI agent behavior alongside your existing security monitoring.
AI Agent → Rampart (policy evaluation) → Audit Log (JSONL)
↓
Wazuh Agent (localfile)
↓
Wazuh Manager (rules)
↓
Wazuh Dashboard (alerts)
Add to your Wazuh agent’s ossec.conf (typically /var/ossec/etc/ossec.conf):
<localfile>
<log_format>json</log_format>
<location>/home/YOUR_USER/.rampart/audit/*.jsonl</location>
<label key="source">rampart</label>
</localfile>
Restart the Wazuh agent:
sudo systemctl restart wazuh-agent
Create /var/ossec/etc/decoders/rampart_decoder.xml on the Wazuh manager:
<decoder name="rampart">
<prematch>^{"id":</prematch>
<plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
Create /var/ossec/etc/rules/rampart_rules.xml on the Wazuh manager:
<group name="rampart,ai_agent_security">
<!-- Base rule: any Rampart event -->
<rule id="100300" level="0">
<decoded_as>json</decoded_as>
<field name="source">rampart</field>
<description>Rampart audit event</description>
</rule>
<!-- Allow actions (informational) -->
<rule id="100301" level="3">
<if_sid>100300</if_sid>
<field name="action">allow</field>
<description>Rampart: AI agent tool call allowed - $(tool) - $(command)</description>
<group>rampart_allow</group>
</rule>
<!-- Watch actions (notable) -->
<rule id="100302" level="5">
<if_sid>100300</if_sid>
<field name="action">watch</field>
<description>Rampart: AI agent tool call watched - $(tool) - $(command)</description>
<group>rampart_watch</group>
</rule>
<!-- Deny actions (security event) -->
<rule id="100303" level="10">
<if_sid>100300</if_sid>
<field name="action">deny</field>
<description>Rampart: AI agent tool call BLOCKED - $(tool) - $(command)</description>
<group>rampart_deny</group>
</rule>
<!-- Approval required -->
<rule id="100304" level="8">
<if_sid>100300</if_sid>
<field name="action">ask</field>
<description>Rampart: AI agent tool call requires approval - $(tool) - $(command)</description>
<group>rampart_approval</group>
</rule>
<!-- High-frequency denials (possible attack or prompt injection) -->
<rule id="100305" level="12" frequency="5" timeframe="60">
<if_matched_sid>100303</if_matched_sid>
<description>Rampart: Multiple AI agent tool calls blocked in 60 seconds — possible prompt injection or malicious behavior</description>
<group>rampart_attack</group>
</rule>
<!-- Credential access attempt -->
<rule id="100306" level="12">
<if_sid>100303</if_sid>
<field name="policy_name">protect-credentials|block-credential-exfil|encoding-sensitive-files</field>
<description>Rampart: AI agent attempted credential access - $(command)</description>
<group>rampart_credential_access</group>
</rule>
<!-- Exfiltration attempt -->
<rule id="100307" level="13">
<if_sid>100303</if_sid>
<field name="policy_name">block-exfil-domains|encoded-data-exfil|block-encoding-exfil</field>
<description>Rampart: AI agent attempted data exfiltration - $(command)</description>
<group>rampart_exfiltration</group>
</rule>
</group>
Restart the Wazuh manager:
sudo systemctl restart wazuh-manager
Trigger a test deny event:
# With rampart serve running
curl -s http://localhost:9090/v1/tool/exec \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"tool":"exec","params":{"command":"cat ~/.ssh/id_rsa"}}'
Check the Wazuh dashboard for a level 10+ alert from rule 100303 or 100306.
For direct syslog integration without file monitoring:
# Send audit events to syslog (JSON format)
rampart serve --syslog localhost:514
# Send in CEF format (Common Event Format) for Splunk/QRadar/ArcSight
rampart serve --syslog localhost:514 --cef
CEF output format:
CEF:0|Rampart|PolicyEngine|0.1.7|deny|Destructive command blocked|8|src=claude-code cmd=rm -rf / policy=exec-safety
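The CEF line above is harder to parse than it looks, because extension values such as `cmd=rm -rf /` contain spaces. The parser below is an added example, not code from Rampart or Wazuh: it splits the seven standard CEF header fields and then the `key=value` extension. The function names are hypothetical, and the header field labels are the generic CEF ones.

```python
import re

HEADER = ("cef_version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
KEY = re.compile(r"(?:^| )(\w+)=")  # a key starts the extension or follows a space
PAGE_LINE = ("CEF:0|Rampart|PolicyEngine|0.1.7|deny|Destructive command blocked|8|"
             "src=claude-code cmd=rm -rf / policy=exec-safety")  # sample from this page

def unescape(value):
    # CEF escapes: \| in the header, \= in extension values, \\ in both, \n and \r
    specials = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), value)

def split_header(text):
    """Return (seven header fields, extension text), honouring escaped pipes."""
    fields, start, i = [], 0, 0
    while i < len(text) and len(fields) < len(HEADER):
        if text[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if text[i] == "|":
            fields.append(unescape(text[start:i]))
            start = i + 1
        i += 1
    if len(fields) < len(HEADER):
        raise ValueError("truncated CEF header")
    return fields, text[start:]

def parse_cef(line):
    idx = line.find("CEF:")  # tolerate a syslog prefix before the record
    if idx < 0:
        raise ValueError("not a CEF record")
    fields, extension = split_header(line[idx + 4:].rstrip("\r\n"))
    record = dict(zip(HEADER, fields))
    record["extension"] = {}
    marks = list(KEY.finditer(extension))
    for mark, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(extension)  # value runs to the next key
        record["extension"][mark.group(1)] = unescape(extension[mark.end():end])
    return record

if __name__ == "__main__":
    print(parse_cef(PAGE_LINE))
```

Splitting on `key=` is only unambiguous if the sender escapes `=` inside values as `\=`, as the CEF format specifies. This page does not show whether Rampart does, so test with a command that contains `=` before relying on the `cmd` field in a SIEM rule.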
| Rampart Action | Wazuh Level | Description |
|---|---|---|
| allow | 3 | Informational — normal operation |
| watch | 5 | Notable — flagged for review |
| ask | 8 | Security event — tool call queued for human approval |
| deny | 10 | Alert — blocked by policy |
| deny (credentials) | 12 | High alert — credential access attempt |
| deny (exfiltration) | 13 | Critical — data exfiltration attempt |
| 5+ denials in 60s | 12 | Correlation — possible prompt injection |
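To check which alert an audit line should produce before touching the manager, the rule chain and severity table above can be modelled offline. This is an added example, not part of Rampart or Wazuh, and a simplified model rather than Wazuh's matching engine: it reports the 100305 correlation as an extra alert and counts every deny toward it. The audit lines are constructed, using only the field names referenced on this page, and arrival times stand in for when the manager receives each event.

```python
import json
from collections import deque

# Rule ids, levels and policy names copied from rampart_rules.xml above.
ACTION_RULES = {"allow": (100301, 3), "watch": (100302, 5),
                "ask": (100304, 8), "deny": (100303, 10)}
DENY_CHILDREN = [  # children of 100303, highest level first
    (100307, 13, ("block-exfil-domains", "encoded-data-exfil", "block-encoding-exfil")),
    (100306, 12, ("protect-credentials", "block-credential-exfil", "encoding-sensitive-files")),
]

def evaluate(stream, frequency=5, timeframe=60):
    """stream yields (arrival_seconds, jsonl_line); returns [(arrival, rule_id, level)]."""
    alerts, denies = [], deque()
    for arrival, line in stream:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupt line: nothing to decode
        action = event.get("action") if isinstance(event, dict) else None
        if not isinstance(action, str) or action not in ACTION_RULES:
            continue  # at most base rule 100300 (level 0): no alert
        rule_id, level = ACTION_RULES[action]
        if action == "deny":
            policy = str(event.get("policy_name", ""))
            for child_id, child_level, names in DENY_CHILDREN:
                if any(name in policy for name in names):  # unanchored, like <field>
                    rule_id, level = child_id, child_level
                    break
        alerts.append((arrival, rule_id, level))
        if action == "deny":
            # Model assumption: every deny counts, as in the table's "5+ denials in 60s".
            denies.append(arrival)
            while arrival - denies[0] > timeframe:
                denies.popleft()
            if len(denies) >= frequency:
                alerts.append((arrival, 100305, 12))  # correlation, as an extra alert
                denies.clear()
    return alerts

def make_line(n, action, policy=""):  # constructed audit line; values are made up
    return json.dumps({"id": f"evt-{n}", "action": action, "tool": "exec",
                       "command": "constructed-command", "policy_name": policy})

SAMPLE = [(0, make_line(1, "allow")), (1, make_line(2, "deny", "exec-safety")),
          (2, make_line(3, "deny", "protect-credentials")), (3, '{"id": "trunc'),
          (4, make_line(4, "deny", "block-exfil-domains")),
          (5, make_line(5, "deny", "exec-safety")), (6, make_line(6, "deny", "exec-safety")),
          (200, make_line(7, "deny", "exec-safety"))]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```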
In Wazuh Dashboard, create a custom visualization:
Index pattern: wazuh-alerts-*
Filter: rule.groups: rampart
Fields: data.tool, data.action, data.command, data.policy_name, data.agent

If the Wazuh agent runs on the same machine as your AI agent, the agent’s workspace can generate thousands of files (Go caches, node_modules, git objects, audit logs). This can exhaust Wazuh’s default 100,000 file FIM limit.
Recommended syscheck configuration for AI agent hosts:
<syscheck>
<!-- Bump file limit for dev-heavy machines -->
<file_limit>
<enabled>yes</enabled>
<entries>500000</entries>
</file_limit>
<!-- Realtime on security-critical paths only -->
<directories check_all="yes" realtime="yes">/home/*/.ssh</directories>
<directories check_all="yes" realtime="yes">/home/*/.rampart/policies</directories>
<!-- Scheduled scan on broader paths -->
<directories check_all="yes">/home</directories>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<!-- Skip build/cache noise -->
<ignore type="sregex">node_modules|\.cache|\.npm|__pycache__|\.git/objects</ignore>
</syscheck>
This gives you instant alerts on SSH key or Rampart policy tampering, scheduled coverage on everything else, and enough headroom to not hit limits.