Registering Wazuh agents

Before a Wazuh agent can send collected security event data, communication with the Wazuh manager has to be enabled.

The Wazuh manager must know which Wazuh agent is sending the security events and whether it is authorized. This step is called Wazuh agent registration, and it can be done by using the registration service. The Wazuh manager handles the Wazuh agent's registration request over a TLS connection on port 1515 using the TCP protocol. The Wazuh agent obtains a unique key, which is used to encrypt the traffic between them. Once the registration is done, this connection is no longer used, unless the Wazuh agent needs to be registered with a new Wazuh manager.

After the registration, the Wazuh agent has to be configured with the destination to which the collected security events will be sent. By default, the Wazuh manager uses a communication channel over port 1514 using the UDP protocol, through which the Wazuh agent sends the collected data.

Note

  • This documentation section can be skipped if the Wazuh agent was deployed using Deployment variables, Deployed with Ansible or Deployed with Puppet. In those cases, the registration process is different and described in their corresponding sections of the documentation.

  • If Wazuh runs in cluster mode, all the Wazuh agents must be registered in the Wazuh master node, even if the Wazuh agent is going to report to a worker node. After the registration process, the Wazuh agent's communication with the Wazuh manager has to be configured as described in the agents connections section of the deploying the Wazuh cluster documentation.

Registering the Wazuh agent using simple registration service

To register the Wazuh agent, choose the tab corresponding to the Wazuh agent's host operating system:

Open a terminal in the Linux/Unix Wazuh agent's host as a root user.

  1. To register the Wazuh agent, run the agent-auth utility, using the Wazuh manager’s IP address:

    # /var/ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent's name, add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /var/ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent:

    # systemctl restart wazuh-agent
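
The following shell functions are an added example, not part of the Wazuh documentation or tooling: they set the manager address from step 2 and check, before the restart in step 3, that the MANAGER_IP placeholder was replaced and that a registration key is present. The function names are hypothetical, and the key file location /var/ossec/etc/client.keys and its "ID NAME IP KEY" line format are assumptions about a default Linux install.

```shell
#!/bin/sh
# Added example: pre-restart sanity check for the registration steps above.
# ossec.conf path is from the page; client.keys path is an assumption
# (where agent-auth stores the key on a default Linux install).
CONF_DEFAULT=/var/ossec/etc/ossec.conf
KEYS_DEFAULT=/var/ossec/etc/client.keys

# Print the first <address> value found inside the <client> block.
get_manager_address() {
    sed -n '/<client>/,/<\/client>/s|.*<address>\(.*\)</address>.*|\1|p' "$1" | head -n 1
}

# Replace the <address> value inside <client>. Anything that is not a plain
# IP address or DNS name is rejected so it cannot break the XML or the sed call.
set_manager_address() {
    conf=$1 addr=$2
    case $addr in
        ''|*[!A-Za-z0-9.:-]*) echo "invalid address: $addr" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    # Write through cat so the config file keeps its owner and mode.
    sed "/<client>/,/<\/client>/s|<address>.*</address>|<address>$addr</address>|" "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Return 0 only if the agent is ready to be restarted:
#   - the MANAGER_IP placeholder has been replaced, and
#   - the keys file holds an entry (ID NAME IP KEY) and is not world-readable.
check_agent_ready() {
    conf=${1:-$CONF_DEFAULT} keys=${2:-$KEYS_DEFAULT}
    addr=$(get_manager_address "$conf")
    if [ -z "$addr" ] || [ "$addr" = "MANAGER_IP" ]; then
        echo "manager address not set in $conf" >&2; return 1
    fi
    if ! grep -Eq '^[0-9]+ [^ ]+ [^ ]+ [^ ]+$' "$keys" 2>/dev/null; then
        echo "no registration key in $keys" >&2; return 1
    fi
    if [ -n "$(find "$keys" -perm -004 2>/dev/null)" ]; then
        echo "$keys is world-readable" >&2; return 1
    fi
    echo "agent will report to $addr"
}
```

Source the file as root and call check_agent_ready with no arguments to test the default paths before restarting the agent.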

The Wazuh agent registration can be adjusted by using different agent-auth options.

There are also other easy registration methods. The choice depends on the particular use case and the user's preferences:

| Registration method | Description |
|---|---|
| Using command line (CLI) | Manual registration using manage_agents utility. Requires extracting the registration key from the Wazuh manager and inserting it manually in the Wazuh agent. |
| Using Wazuh API | Uses a simple Wazuh API request from any host. Requires adding returned registration key manually to the Wazuh agent using manage_agents utility. |
| Using registration service with password authorization | Registration using agent-auth utility. Allows additional protection of the Wazuh manager from unauthorized registrations by using a password. |
| Using registration service with host verification | Registration using agent-auth utility. Ensures that the connection between the right Wazuh agent and the right Wazuh manager is established. |

To learn more about the Wazuh agent registration process, see registering Wazuh agents - additional information.

If problems occur during the registration, several solutions can be found in registering Wazuh agents - troubleshooting.