Wazuh Rootcheck is one of Wazuh’s built-in host-based security modules designed to identify evidence of rootkits, hidden files, suspicious processes, unauthorized system modifications, and other indicators of compromise.
Scheduled Rootcheck scans are particularly important because they continuously verify endpoint integrity without requiring administrator intervention.
If scheduled scans stop running, systems may go days or weeks without being inspected, allowing malware or unauthorized changes to remain undetected.
Unlike a one-time manual scan, automated scheduling ensures every monitored endpoint is checked consistently according to your organization’s security policy.
One of the most frustrating aspects of Rootcheck scheduling problems is that they often fail silently.
The Wazuh agent may remain connected, log collection continues normally, and dashboards appear healthy, yet Rootcheck never executes according to its configured schedule.
Administrators may only discover the issue after noticing stale scan results or missing security alerts.
In this guide, you’ll learn how Wazuh Rootcheck scheduling works, how to recognize when scheduled scans are being ignored, the most common configuration mistakes, and the step-by-step troubleshooting process to restore automatic Rootcheck execution.
You’ll also learn best practices to prevent future scheduling failures and verify that Rootcheck continues operating as expected across your environment.
Understanding Wazuh Rootcheck
What Is Wazuh Rootcheck?
Rootcheck is a host-based security assessment module that runs on Wazuh agents to search for indicators of compromise directly on monitored endpoints.
Instead of relying solely on logs generated by the operating system, Rootcheck actively inspects the system itself for signs that attackers have modified files, hidden processes, installed rootkits, or weakened security configurations.
The module compares system characteristics against a large collection of predefined security checks and known indicators of suspicious activity.
These checks are performed locally on each monitored endpoint before the results are sent to the Wazuh manager for analysis and visualization.
Unlike antivirus software, Rootcheck is designed to identify behavioral indicators and system anomalies rather than relying exclusively on malware signatures.
Purpose of Rootcheck
Rootcheck helps security teams identify threats that may otherwise remain invisible through traditional log monitoring.
Its primary objectives include:
- Detecting known rootkit behaviors
- Identifying hidden files and directories
- Finding hidden processes
- Detecting suspicious open ports
- Identifying unauthorized system binaries
- Discovering insecure configurations
- Monitoring unauthorized changes to critical system components
- Supporting compliance and security auditing
By performing recurring integrity assessments, Rootcheck provides additional visibility into endpoint health beyond standard event logs.
How It Detects Rootkits, Hidden Processes, and Suspicious System Modifications
Rootcheck performs numerous security validation checks during every scan.
These include:
- Looking for known rootkit signatures
- Detecting hidden processes by comparing multiple system information sources
- Searching for hidden network ports
- Inspecting suspicious files and directories
- Verifying permissions on sensitive system files
- Checking for unauthorized kernel modules (platform dependent)
- Detecting anomalies in common system binaries
- Looking for evidence of tampering within critical operating system components
Many of these techniques follow long-established host-based intrusion detection principles recommended by organizations such as MITRE and National Institute of Standards and Technology, which emphasize continuous endpoint monitoring as part of a defense-in-depth strategy.
Relationship Between Rootcheck and the Wazuh Agent
Rootcheck does not run on the Wazuh manager itself.
Instead, every Wazuh agent performs Rootcheck scans locally on the endpoint where it is installed.
After completing a scan, the agent sends the findings back to the Wazuh manager, where alerts are generated, indexed, and displayed in the dashboard.
This architecture provides several benefits:
- Reduces centralized processing
- Allows each endpoint to inspect its own filesystem
- Improves scalability across large deployments
- Enables offline detection if temporary connectivity issues occur
If the Wazuh agent stops functioning correctly, Rootcheck scheduling also stops because the agent is responsible for launching the scans.
Related Guide: How to Upgrade a Wazuh Agent
How Scheduled Rootcheck Scans Work
Rootcheck is designed to execute automatically according to the schedule defined within the agent configuration.
Administrators typically enable the module once and allow it to perform recurring scans without manual intervention.
Scan Scheduling Mechanism
The scheduling engine is configured through the <rootcheck> section of the agent’s ossec.conf file.
Common scheduling parameters include:
- Scan frequency
- Scan start time
- Scan interval
- Enable/disable status
- Scan on startup
- Skip network filesystems
- Scan specific directories
The agent continuously monitors these settings and launches Rootcheck whenever the configured schedule is reached.
Default Scan Intervals
Although administrators can customize scheduling, Wazuh commonly performs Rootcheck at regular intervals suitable for ongoing endpoint monitoring.
Many organizations choose intervals such as:
- Every 12 hours
- Every 24 hours
- Daily during off-peak hours
- Weekly for low-risk systems
The appropriate interval depends on:
- Number of endpoints
- System performance
- Compliance requirements
- Risk tolerance
- Available maintenance windows
Security guidance from NIST recommends continuous or regularly scheduled security monitoring rather than relying solely on manual inspections.
Difference Between Scheduled Scans and Manual Scans
Manual scans are started by an administrator when immediate verification is needed.
Scheduled scans occur automatically without user interaction.
| Scheduled Scan | Manual Scan |
|---|---|
| Runs automatically | Started manually |
| Uses configured schedule | Runs immediately |
| Supports continuous monitoring | Used mainly for troubleshooting |
| Ideal for production environments | Useful after configuration changes |
| Detects ongoing changes over time | Provides point-in-time verification |
If manual scans work correctly but scheduled scans do not, the problem usually lies with scheduling configuration rather than the Rootcheck engine itself.
Where Scan Results Are Stored
After Rootcheck finishes scanning:
- Results are generated on the local agent.
- Findings are forwarded to the Wazuh manager.
- Alerts are indexed.
- Data becomes searchable in the Wazuh dashboard.
- Historical scan information remains available for investigations.
Administrators can also review local agent logs and manager logs when troubleshooting scheduling problems.
Related Guides:
- How to Monitor Linux Event Logs Using Wazuh
- Wazuh Dashboard Not Loading? Complete Troubleshooting Guide
Symptoms That Rootcheck Scheduled Scans Are Being Ignored
Recognizing the symptoms early can significantly reduce the amount of time systems remain unmonitored.
In many environments, scheduled Rootcheck failures do not generate obvious error messages, making it important to recognize indirect indicators.
Rootcheck Never Runs Automatically
One of the clearest warning signs is that Rootcheck never executes unless an administrator starts it manually.
You may observe:
- No recurring Rootcheck activity in logs
- No scheduled execution after system startup
- Long gaps between scans
- Endpoints remaining unchanged for days or weeks
- Rootcheck reports only after manual execution
This usually indicates a scheduling configuration problem rather than a detection engine failure.
No New Rootcheck Alerts
Another common symptom is that previously active Rootcheck alerts suddenly stop appearing.
Examples include:
- No rootkit detection events
- No hidden file checks
- No system audit findings
- No integrity warnings
While a clean system can naturally produce few alerts, a complete absence of Rootcheck activity across many endpoints often suggests scheduled scans are no longer running.
Scan Timestamps Never Change
Administrators should periodically review the last successful scan time.
Potential warning signs include:
- Identical timestamps every day
- Scan dates several weeks old
- No recent inventory updates
- Historical results without new entries
Static timestamps almost always indicate that scheduled execution has stalled.
Manual Scans Work but Scheduled Ones Do Not
This is one of the most useful troubleshooting clues.
If launching Rootcheck manually produces results immediately, the detection engine is functioning correctly.
The problem is usually isolated to:
- Scheduling parameters
- Disabled Rootcheck module
- Configuration syntax errors
- Agent configuration distribution
- Timing configuration conflicts
Because manual execution succeeds, administrators can generally rule out corrupted Rootcheck binaries or detection logic.
Why This Narrows Down the Problem
Manual success confirms several critical components are operating normally:
- Rootcheck binaries
- Agent permissions
- Communication with the manager
- Alert generation
- Dashboard indexing
The remaining investigation should focus primarily on why automatic scheduling is not triggering.
Typical Configuration Issues
Some of the most common scheduling problems include:
<disabled>accidentally set toyes- Invalid scheduling parameters
- Incorrect XML formatting
- Configuration overwritten by centralized management
- Agent never reloaded after configuration changes
- Unsupported parameter combinations
Even a small XML syntax mistake can prevent the scheduling engine from loading correctly.
Related Guide: How to Fix ossec.conf Syntax Errors in Wazuh Agents
Missing Rootcheck Alerts in the Dashboard
Sometimes Rootcheck executes successfully, but administrators never see the results in the dashboard.
This creates the impression that scheduled scans are being ignored when the issue actually lies elsewhere.
Dashboard Indicators
Possible dashboard symptoms include:
- Empty Rootcheck sections
- No recent Rootcheck alerts
- Missing inventory updates
- No searchable Rootcheck events
- Dashboards showing outdated information
If multiple agents exhibit the same behavior simultaneously, the issue may involve indexing or dashboard components rather than Rootcheck itself.
Manager Logs vs. Agent Logs
Comparing logs helps determine where the breakdown occurs.
Review:
Agent logs
- Was Rootcheck started?
- Did the scan complete?
- Were results transmitted?
Manager logs
- Were events received?
- Were alerts generated?
- Were indexing errors reported?
Tracing the data flow between the agent and manager helps isolate whether the failure occurs during execution, transmission, or visualization.
Related Guide: Troubleshooting “No Matching Indices Found” Error in Wazuh Dashboard
Stale Rootcheck Inventory
One of the easiest indicators to overlook is stale inventory information.
Even if dashboards remain operational, the underlying Rootcheck data may never refresh.
Outdated Scan Results
Signs include:
- Inventory dates that never update
- Repeated identical findings
- Missing newly created files
- No recent security assessments
- Old endpoint metadata remaining unchanged
Administrators often discover this issue during audits or compliance reviews rather than through routine monitoring.
Compliance and Security Risks
Ignoring scheduled Rootcheck failures can have significant operational consequences.
Potential risks include:
- Longer attacker dwell time
- Missed rootkit infections
- Undetected privilege escalation
- Incomplete security audits
- Reduced compliance evidence
- Lower confidence in endpoint monitoring
Security experts, including guidance from NIST’s continuous monitoring framework, emphasize that security assessments must occur on a recurring basis to maintain an accurate understanding of system risk rather than relying on occasional manual checks.

Be First to Comment