Deprecate osquery wodle

[mjcr99]

Related Issue
#30910

Description

Hi team,

This PR removes all related code to the osquery wodle. With this PR, if the wodle is tried to be used, a warning will be logged, letting the user know that the mentioned wodle is no longer available.

Tests

• Compilation without warnings on:
  • Linux (server)
  • Linux (agent)
  • Windows (winagent)

Additionally, a testing installation have been carried on:

Created a DEB server package with the following command:

sudo ./packages/generate_package.sh --verbose -a amd64 -t manager -j 20 --system deb

Created a RPM agent package with the following command:

sudo ./packages/generate_package.sh --verbose -a amd64 -t agent -j 20 --system rpm

Installed server:

root@agent1-ubu22:/home/vagrant# dpkg -i /vagrant/repos/wazuh/packages/output/wazuh-manager_5.0.0-0_amd64_0f51c23.deb 

Installed RPM agent:

[root@rocky-linux10 vagrant]# rpm -i /vagrant/repos/wazuh/packages/output/wazuh-agent_5.0.0-0_x86_64_0f51c23.rpm 

🟢 The agents are properly running and enrolled in the server.

root@agent1-ubu22:/home/vagrant# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: agent1-ubu22 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: rocky-linux10, IP: any, Active

List of agentless devices:

🟢 Server Warning Test

If the server does not have the osquery wodle enabled, no warning appears:

root@agent1-ubu22:/home/vagrant# /var/ossec/bin/wazuh-control start
2025/07/23 14:06:25 wazuh-modulesd:router: INFO: Loaded router module.
2025/07/23 14:06:25 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/07/23 14:06:25 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
Starting Wazuh v5.0.0...
Started wazuh-apid...
Started wazuh-csyslogd...
2025/07/23 14:06:27 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-engine...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2025/07/23 14:06:35 wazuh-modulesd:router: INFO: Loaded router module.
2025/07/23 14:06:35 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/07/23 14:06:35 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
Started wazuh-modulesd...
Completed.

If the following configuration block is added, when the server is started the following logs appear:

<wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
    <pack name="custom_pack">/path/to/custom_pack.conf</pack>
</wodle>

Server start-up logs:

root@agent1-ubu22:/home/vagrant# /var/ossec/bin/wazuh-control start
2025/07/23 14:07:48 wazuh-modulesd: WARNING: Module name 'osquery' is deprecated.
2025/07/23 14:07:48 wazuh-modulesd:router: INFO: Loaded router module.
2025/07/23 14:07:48 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/07/23 14:07:48 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
Starting Wazuh v5.0.0...
Started wazuh-apid...
Started wazuh-csyslogd...
2025/07/23 14:07:49 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-engine...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2025/07/23 14:07:55 wazuh-modulesd: WARNING: Module name 'osquery' is deprecated.
2025/07/23 14:07:55 wazuh-modulesd:router: INFO: Loaded router module.
2025/07/23 14:07:55 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/07/23 14:07:55 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
Started wazuh-modulesd...
Completed.

🟢 Agent Warning Test

If the agent does not have the osquery wodle enabled, no warning appears:

[root@rocky-linux10 vagrant]# /var/ossec/bin/wazuh-control start
Starting Wazuh v5.0.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

If the following configuration block is added, when the agent is started the following logs appear:

<wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
    <pack name="custom_pack">/path/to/custom_pack.conf</pack>
</wodle>

Agent start-up logs:

[root@rocky-linux10 vagrant]# /var/ossec/bin/wazuh-control start
2025/07/23 11:09:29 wazuh-modulesd: WARNING: Module name 'osquery' is deprecated.
Starting Wazuh v5.0.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
2025/07/23 11:09:31 wazuh-modulesd: WARNING: Module name 'osquery' is deprecated.
Started wazuh-modulesd...
Completed.

[lchico]

LGTM!

Although I attempted to test this with the .deb package, its changelog was found to be corrupted. This issue is not considered significant, as a fix will be implemented on the base branch. :

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up wazuh-agent-build-deps (1.0) ...
parsechangelog/debian: warning:     debian/changelog(l3): badly formatted heading line
LINE: * More info: https://documentation.wazuh.com/current/release-notes/release-5-0-0.html
parsechangelog/debian: warning:     debian/changelog(l5): badly formatted heading line
LINE: -- Wazuh, Inc <[email protected]>  Thu, 18 Dec 2025 00:00:00 +0000
parsechangelog/debian: warning:     debian/changelog(l7): found start of entry where expected start of change data
LINE: wazuh-agent (4.14.0-0) stable; urgency=low
parsechangelog/debian: warning:     debian/changelog(l7): found eof where expected start of change data
 dpkg-buildpackage -rsudo -D -us -uc -b -nc
dpkg-buildpackage: warning: using a gain-root-command while being root
parsechangelog/debian: warning:     debian/changelog(l3): badly formatted heading line
LINE: * More info: https://documentation.wazuh.com/current/release-notes/release-5-0-0.html
parsechangelog/debian: warning:     debian/changelog(l5): badly formatted heading line
LINE: -- Wazuh, Inc <[email protected]>  Thu, 18 Dec 2025 00:00:00 +0000
parsechangelog/debian: warning:     debian/changelog(l7): found start of entry where expected start of change data
LINE: wazuh-agent (4.14.0-0) stable; urgency=low
parsechangelog/debian: warning:     debian/changelog(l7): found eof where expected start of change data
dpkg-buildpackage: error: unable to determine source changed by
dpkg-buildpackage: source package wazuh-agent
dpkg-buildpackage: source version 5.0.0-0
debuild: fatal error at line 1357:
dpkg-buildpackage -rsudo -D -us -uc -b -nc failed

So, I ended up testing on:

[root@9e9c4c65a086 ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"

# When testing the `osquery` block (add/remove), I received:
[root@9e9c4c65a086 ~]# cat /var/ossec/logs/ossec.log |grep osquery
2025/07/23 22:19:33 wazuh-modulesd: WARNING: Module name 'osquery' is deprecated.

[jpcerrone]

LGTM!

[jotacarma90]

LGTM