Registration service with password authorization

This method is similar to the simple registration service, except that it provides additional protection of the Wazuh manager from unauthorized registrations by using a password.

Before the registration process, enabling the password authorization option and creating the registration password has to be done on the Wazuh manager. This password can be used for the subsequent agent registrations with the same Wazuh manager.

When those steps are completed, the Wazuh agent can be registered using the agent-auth utility and providing the password. After the registration, the Wazuh agent has to be configured to indicate the destination where the collected security events will be sent.

Enabling the password authorization option and creating a registration password on the Wazuh manager

  1. To enable password authorization amend the Wazuh manager's /var/ossec/etc/ossec.conf configuration file as shown below:

    <auth>
      ...
      <use_password>yes</use_password>
      ...
    </auth>
    
  2. Choose custom password or let the registration service generate one:

    Create the /var/ossec/etc/authd.pass file and save the custom password in it.

    In the command below, replace <custom_pasword> with the chosen password:

    # echo "<custom_password>" > /var/ossec/etc/authd.pass
    
  3. Restart the Wazuh manager:

# systemctl restart wazuh-manager

Registering the Wazuh agent and enabling the communication with the Wazuh manager

Choose the tab corresponding to the Wazuh agent host operating system:

Open a terminal in the Linux/Unix Wazuh agent's host as a root user.

  1. Register the Wazuh agent using the password. It can be stored in a file or provided as a command-line argument:

    Write the password on /var/ossec/etc/authd.pass file and run the agent-auth utility using the Wazuh manager’s IP address:

    # echo "<custom_password>" > /var/ossec/etc/authd.pass
    # /var/ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at /var/ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent:

# systemctl restart wazuh-agent

The Wazuh agent registration can be adjusted by using different agent-auth options.