Insert a Wazuh API entry automatically
If you want to add the Wazuh API credentials on one of our apps more quickly (for instance, for deployment purposes) you can execute one of the following commands, depending on the app you're using:
Kibana app
# curl -X POST "http://<ELASTICSEARCH_IP>:9200/.wazuh/_doc/1513629884013" -H 'Content-Type: application/json' -d'
{
  "api_user": "<WAZUH_API_USERNAME>",
  "api_password": "<WAZUH_API_PASSWORD>",
  "url": "<WAZUH_API_URL>",
  "api_port": "<WAZUH_API_PORT>",
  "insecure": "true",
  "component": "API",
  "cluster_info": {
    "manager": "<WAZUH_MANAGER_HOSTNAME>",
    "cluster": "<WAZUH_MANAGER_CLUSTER_NAME>",
    "status": "<WAZUH_MANAGER_CLUSTER_STATUS>"
  },
  "extensions": {
    "audit": true,
    "pci": true,
    "gdpr": true,
    "oscap": true,
    "ciscat": false,
    "aws": false,
    "virustotal": false,
    "osquery": false
  }
}'
Note the following:
<ELASTICSEARCH_IP> is the URL to the Elasticsearch host.
The number used on the cURL command (1513629884013) is a random number used to identify the Wazuh API entry as unique. If you want to add more APIs, you must use a different number.
<WAZUH_API_USERNAME> and <WAZUH_API_PASSWORD> represent the Wazuh API credentials to be stored on the app.
The API password must be stored in base64 format. Using echo -n '<WAZUH_API_PASSWORD>' | base64 will return the password in the proper format to use.
<WAZUH_API_URL> and <WAZUH_API_PORT> are the full IP address and the port to the Wazuh API. The URL must include http:// or https://, depending on the current configuration.
<WAZUH_MANAGER_HOSTNAME> is the hostname of the instance where the Wazuh manager is installed. You can get this information just by running the hostname command on the manager host.
<WAZUH_MANAGER_CLUSTER_NAME> is the name of the Wazuh cluster. It's configured in the ossec.conf file. If you're not using the Wazuh cluster, use Disabled as the name.
<WAZUH_MANAGER_CLUSTER_STATUS> is the current status of the Wazuh cluster. Use enabled or disabled depending on your configuration.
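The Kibana app request body above, prepared by a script, as an added example that is not part of the Wazuh documentation or code base. The function names (encode_password, valid_api_url, new_entry_id, build_entry) and the ID scheme are assumptions; the script only builds the JSON document and sends nothing.

```shell
#!/bin/sh
# Added example, not Wazuh project code: builds the .wazuh document shown above.

# Base64-encode without a trailing newline; printf behaves the same in every
# POSIX shell, whereas "echo -n" does not.
encode_password() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The API URL must carry its scheme (http:// or https://).
valid_api_url() {
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Numeric document ID, different for each stored API entry (assumed scheme:
# epoch seconds followed by a 16-bit random value).
new_entry_id() {
    printf '%s%s' "$(date +%s)" "$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')"
}

# build_entry USER PASSWORD URL PORT MANAGER CLUSTER_NAME CLUSTER_STATUS
build_entry() {
    valid_api_url "$3" || { echo "URL must start with http:// or https://" >&2; return 1; }
    case "$7" in
        enabled|disabled) ;;
        *) echo "cluster status must be enabled or disabled" >&2; return 1 ;;
    esac
    # Refuse quotes and backslashes instead of emitting a malformed document.
    for v in "$1" "$3" "$4" "$5" "$6"; do
        case "$v" in *\"*|*\\*) echo "unsupported character" >&2; return 1 ;; esac
    done
    cat <<EOF
{
  "api_user": "$1",
  "api_password": "$(encode_password "$2")",
  "url": "$3",
  "api_port": "$4",
  "insecure": "true",
  "component": "API",
  "cluster_info": { "manager": "$5", "cluster": "$6", "status": "$7" },
  "extensions": { "audit": true, "pci": true, "gdpr": true, "oscap": true,
                  "ciscat": false, "aws": false, "virustotal": false, "osquery": false }
}
EOF
}
```

Pipe the output of build_entry into the curl command above with --data-binary @- in place of the inline -d body, using new_entry_id for the document number. Base64 only encodes the password, so anyone who can read the .wazuh index can recover it.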
Splunk app
# curl -X POST "http://<SPLUNK_IP>:<SPLUNK_PORT>/en-US/custom/SplunkAppForWazuh/manager/add_api?url=<WAZUH_API_URL>&portapi=<WAZUH_API_PORT>&userapi=<WAZUH_API_USERNAME>&passapi=<WAZUH_API_PASSWORD>"
Note the following:
<SPLUNK_IP> is the hostname or IP address of the Splunk instance where the app was installed.
<SPLUNK_PORT> is the port of the Splunk instance where the app was installed. By default, it's 8000.
<WAZUH_API_URL>, <WAZUH_API_PORT>, <WAZUH_API_USERNAME> and <WAZUH_API_PASSWORD> represent the Wazuh API credentials to be stored on the app. Keep in mind that the Wazuh API URL must include http:// or https://, depending on the current configuration.