Registering Wazuh agents

Collecting security event data from a Wazuh agent requires enabling communication with the Wazuh manager.

The Wazuh manager must know which Wazuh agent is sending the security events and whether it is authorized. This step is called Wazuh agent registration, and it can be done using the registration service. The Wazuh manager handles the Wazuh agent’s registration request over a TLS connection on port 1515/TCP. The Wazuh agent obtains a unique key, which is used to encrypt the traffic between them. Once registration is done, this connection is no longer used, unless the Wazuh agent needs to be registered with a new Wazuh manager.

After registration, the Wazuh agent has to be configured with the destination to which the collected security events will be sent. By default, the Wazuh manager uses a communication channel on port 1514 over UDP, through which the Wazuh agent sends the collected data.

Note

  • This documentation section can be skipped if the Wazuh agent was deployed using Deployment variables, Deployed with Ansible or Deployed with Puppet. In those cases, the registration process is different and described in their corresponding sections of the documentation.
  • If Wazuh runs in cluster mode, all Wazuh agents must be registered with the Wazuh master node, even if the Wazuh agent is going to report to a worker node. After the registration process, the Wazuh agent’s communication with the Wazuh manager has to be configured as described in the agents connections section of the deploying the Wazuh cluster documentation.

Registering the Wazuh agent using simple registration service

To register the Wazuh agent, follow the steps for the Wazuh agent’s host operating system:

Open a terminal in the Linux/Unix Wazuh agent’s host as a root user.

  1. To register the Wazuh agent, run the agent-auth utility, using the Wazuh manager’s IP address:

    # /var/ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using hostname. To specify the Wazuh agent’s name add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /var/ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent using the command that matches the host’s service manager:

    Systemd:

    # systemctl restart wazuh-agent

    SysV init:

    # service wazuh-agent restart

    Other cases:

    # /var/ossec/bin/ossec-control restart

The Wazuh agent registration can be adjusted by using different agent-auth options.
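
After step 3, the following check confirms that the registration and the configuration edit took effect. It is an added example, not part of the Wazuh documentation; it assumes the agent key is stored in /var/ossec/etc/client.keys with one `ID NAME IP KEY` entry per line, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity check after registering a Linux/Unix Wazuh agent.
CONF_DEFAULT=/var/ossec/etc/ossec.conf
KEYS_DEFAULT=/var/ossec/etc/client.keys   # assumed standard key file location

# Print the first <address> value inside the <client> block of ossec.conf.
manager_address() {
    awk '
        /<client>/   { in_client = 1 }
        /<\/client>/ { in_client = 0 }
        in_client && /<address>/ {
            sub(/.*<address>[ \t]*/, "")
            sub(/[ \t]*<\/address>.*/, "")
            print
            exit
        }
    ' "$1"
}

# Return 0 only if the agent holds one key and points at a real manager address.
check_registration() {
    conf=${1:-$CONF_DEFAULT}
    keys=${2:-$KEYS_DEFAULT}
    rc=0

    addr=$(manager_address "$conf")
    if [ -z "$addr" ] || [ "$addr" = "MANAGER_IP" ]; then
        echo "FAIL: <address> in $conf is unset or still the MANAGER_IP placeholder"
        rc=1
    fi

    # Assumed entry format: <id> <name> <ip> <key>, one line per agent.
    entries=$(awk 'NF == 4' "$keys" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$entries" != "1" ]; then
        echo "FAIL: expected 1 key entry in $keys, found $entries"
        rc=1
    fi

    # The key protects agent-manager traffic, so it must not be world-readable.
    if [ -n "$(find "$keys" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $keys is world-readable"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: registered, reporting to $addr"
    return "$rc"
}

# Run on the agent host as: sh check_registration.sh --run
if [ "${1:-}" = "--run" ]; then check_registration; fi
```
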

Open a Powershell or CMD session in the Wazuh agent’s host as an Administrator.

The Wazuh agent’s installation directory depends on the architecture of the host:

  • C:\Program Files (x86)\ossec-agent for x86_64 hosts.
  • C:\Program Files\ossec-agent for x86 hosts.

Note

This guide assumes that the Wazuh agent is installed on an x86_64 host. The installation path will be: C:\Program Files (x86)\ossec-agent.

  1. To register the Wazuh agent, run the agent-auth.exe utility, using the Wazuh manager’s IP address:

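    # "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP>

    The path is quoted because it contains spaces. In PowerShell, put the call operator & before the quoted path.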

    If the new Wazuh agent’s name is not provided, it is set automatically using hostname. To specify the Wazuh agent’s name add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at C:\Program Files (x86)\ossec-agent\ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent using the commands for the shell in use:

    PowerShell:

    # Restart-Service -Name wazuh

    CMD:

    # net stop wazuh
    # net start wazuh

The Wazuh agent registration can be adjusted by using different agent-auth options.

Open a terminal in the macOS Wazuh agent’s host as a root user.

  1. To register the Wazuh agent, run the agent-auth utility, using the Wazuh manager’s IP address:

    # /Library/Ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using hostname. To specify the Wazuh agent’s name add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /Library/Ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent:

    # /Library/Ossec/bin/ossec-control restart
    

The Wazuh agent registration can be adjusted by using different agent-auth options.

There are also other easy registration methods. The choice depends on the particular use case and the user’s preferences:

Registration method | Description
Using command line (CLI) | Manual registration using the manage_agents utility. Requires extracting the registration key from the Wazuh manager and inserting it manually in the Wazuh agent.
Using Wazuh API | Uses a simple Wazuh API request from any host. Requires adding the returned registration key manually to the Wazuh agent using the manage_agents utility.
Using registration service with password authorization | Registration using the agent-auth utility. Allows additional protection of the Wazuh manager from unauthorized registrations by using a password.
Using registration service with host verification | Registration using the agent-auth utility. Ensures that the connection between the right Wazuh agent and the right Wazuh manager is established.

To learn more about the Wazuh agent registration process, see registering Wazuh agents - additional information.

If problems occur during registration, several solutions can be found in registering Wazuh agents - troubleshooting.