Registration service with password authorization

This method is similar to the simple registration service, except that it provides additional protection of the Wazuh manager from unauthorized registrations by using a password.

Before registering agents, enable the password authorization option and create the registration password on the Wazuh manager. This password can be used for the subsequent agent registrations with the same Wazuh manager.

When those steps are completed, the Wazuh agent can be registered using the agent-auth utility and providing the password. After the registration, the Wazuh agent has to be configured to indicate the destination where the collected security events will be sent.

Enabling the password authorization option and creating a registration password on the Wazuh manager

  1. To enable password authorization, amend the Wazuh manager’s /var/ossec/etc/ossec.conf configuration file as shown below:

    <auth>
      ...
      <use_password>yes</use_password>
      ...
    </auth>
    
  2. Choose a custom password or let the registration service generate one:

    To use a custom password, create the /var/ossec/etc/authd.pass file and save the password in it.

    In the command below, replace <custom_password> with the chosen password:

    # echo "<custom_password>" > /var/ossec/etc/authd.pass
    

    If no password is specified in the /var/ossec/etc/authd.pass file, the registration service will create a random password. The password can be found in /var/ossec/logs/ossec.log by executing the following command:

    # grep "Random password" /var/ossec/logs/ossec.log
    
    2019/04/25 15:09:50 ossec-authd: INFO: Accepting connections on port 1515. Random password chosen for agent authentication: 3027022fa85bb4c697dc0ed8274a4554
    
  3. Restart the Wazuh manager:

    For Systemd:

    # systemctl restart wazuh-manager

    For SysV Init:

    # service wazuh-manager restart
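
The manager-side settings from steps 1 to 3 can be checked with a short script. This is an added example, not part of the original guide or of Wazuh's own tooling; the helper names audit_authd and world_readable are hypothetical, and the configuration check is line-based rather than a full XML parse.

```shell
# Added example: audit the password-authorization settings on the manager.
# Usage: audit_authd [WAZUH_HOME]   (default /var/ossec, the path used on this page)
# Prints one finding per line; returns 0 only if no FAIL was reported.

# True if "other" users have read permission on the file.
world_readable() {
    [ -n "$(find "$1" -perm -0004 2>/dev/null)" ]
}

audit_authd() {
    home=${1:-/var/ossec}
    conf=$home/etc/ossec.conf
    pass=$home/etc/authd.pass
    log=$home/logs/ossec.log
    rc=0

    # Line-based check, not an XML parser: matches the option text between
    # <auth> and </auth>; commented-out XML is not detected.
    if awk '/<auth>/ { in_auth = 1 }
            in_auth && /<use_password>[ \t]*yes[ \t]*<\/use_password>/ { found = 1 }
            /<\/auth>/ { in_auth = 0 }
            END { exit !found }' "$conf" 2>/dev/null; then
        echo "OK: use_password is enabled in <auth>"
    else
        echo "FAIL: use_password is not enabled in <auth>"
        rc=1
    fi

    if [ -s "$pass" ]; then
        # Custom password: the file holds the shared secret in clear text.
        if world_readable "$pass"; then
            echo "FAIL: authd.pass is readable by all local users"
            rc=1
        else
            echo "OK: authd.pass is not world-readable"
        fi
    elif grep -q "Random password" "$log" 2>/dev/null; then
        # Random password: the secret is written to ossec.log (step 2).
        if world_readable "$log"; then
            echo "FAIL: ossec.log holds the random password and is world-readable"
            rc=1
        else
            echo "OK: random password in use; ossec.log is not world-readable"
        fi
    else
        echo "INFO: no authd.pass and no random password logged yet"
    fi
    return "$rc"
}
```

Run `audit_authd` as root on the manager after the restart; pass a different directory as the first argument to check a non-default installation path.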

Registering the Wazuh agent and enabling the communication with the Wazuh manager

Follow the steps corresponding to the Wazuh agent host operating system:

Open a terminal in the Linux/Unix Wazuh agent’s host as a root user.

  1. Register the Wazuh agent using the password. It can be stored in a file or provided as a command-line argument:

    To use a stored password, write the password to the /var/ossec/etc/authd.pass file and run the agent-auth utility using the Wazuh manager’s IP address:

    # echo "<custom_password>" > /var/ossec/etc/authd.pass
    # /var/ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

    To provide the password as a command-line argument, run the agent-auth utility with the Wazuh manager’s IP address and the password following the -P flag:

    # /var/ossec/bin/agent-auth -m <manager_IP> -P "<custom_password>"
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /var/ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent:

    For Systemd:

    # systemctl restart wazuh-agent

    For SysV Init:

    # service wazuh-agent restart

    For other Unix-based operating systems:

    # /var/ossec/bin/ossec-control restart

The Wazuh agent registration can be adjusted by using different agent-auth options.

Open a PowerShell or CMD session in the Wazuh agent’s host as an Administrator.

The Wazuh agent’s installation directory depends on the architecture of the host:

  • C:\Program Files (x86)\ossec-agent for x86_64 hosts.
  • C:\Program Files\ossec-agent for x86 hosts.

Note

This guide assumes that the Wazuh agent is installed on an x86_64 host. The installation path will be: C:\Program Files (x86)\ossec-agent.

  1. Register the Wazuh agent using the password. It can be stored in a file or provided as a command-line argument:

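    To use a stored password, write the password to the C:\Program Files (x86)\ossec-agent\authd.pass file and run the agent-auth utility using the Wazuh manager’s IP address. The executable path contains spaces and must be quoted; in PowerShell, prefix the quoted path with the call operator &:

    # echo <custom_password> > "C:\Program Files (x86)\ossec-agent\authd.pass"
    # "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP>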
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

    The Wazuh agent assumes that the input file is in UTF-8 encoding, without a byte-order mark (BOM). If the file was created in an incorrect encoding, it can be changed by opening the authd.pass file in Notepad and using Save As with ANSI encoding.

    To provide the password as a command-line argument, run the agent-auth utility with the Wazuh manager’s IP address and the password following the -P flag. As above, the path must be quoted, and PowerShell needs the call operator & in front of it:

    # "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP> -P "<custom_password>"
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at C:\Program Files (x86)\ossec-agent\ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent:

    For PowerShell:

    # Restart-Service -Name wazuh

    For CMD:

    # net stop wazuh
    # net start wazuh

The Wazuh agent registration can be adjusted by using different agent-auth options.

Open a terminal in the macOS Wazuh agent’s host as a root user.

  1. Register the Wazuh agent using the password. It can be stored in a file or provided as a command-line argument:

    To use a stored password, write the password to the /Library/Ossec/etc/authd.pass file and run the agent-auth utility using the Wazuh manager’s IP address:

    # echo "<custom_password>" > /Library/Ossec/etc/authd.pass
    # /Library/Ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

    To provide the password as a command-line argument, run the agent-auth utility with the Wazuh manager’s IP address and the password following the -P flag:

    # /Library/Ossec/bin/agent-auth -m <manager_IP> -P "<custom_password>"
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /Library/Ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent:

    # /Library/Ossec/bin/ossec-control restart

The Wazuh agent registration can be adjusted by using different agent-auth options.