Registration service with password authorization
This method is similar to the simple registration service, except that it provides additional protection of the Wazuh manager from unauthorized registrations by using a password.
Before registering agents, enable the password authorization option and create the registration password on the Wazuh manager. This password can be used for the subsequent agent registrations with the same Wazuh manager.
When those steps are completed, the Wazuh agent can be registered using the agent-auth utility and providing the password. After the registration, the Wazuh agent has to be configured to indicate the destination where the collected security events will be sent.
Enabling the password authorization option and creating a registration password on the Wazuh manager
To enable password authorization, amend the Wazuh manager's /var/ossec/etc/ossec.conf configuration file as shown below:
<auth>
  ...
  <use_password>yes</use_password>
  ...
</auth>
Choose a custom password or let the registration service generate one:
Create the /var/ossec/etc/authd.pass file and save the custom password in it. In the command below, replace <custom_password> with the chosen password:
# echo "<custom_password>" > /var/ossec/etc/authd.pass
If no password is specified in the /var/ossec/etc/authd.pass file, the registration service will create a random password. The password can be found in /var/ossec/logs/ossec.log by executing the following command:
# grep "Random password" /var/ossec/logs/ossec.log
2019/04/25 15:09:50 ossec-authd: INFO: Accepting connections on port 1515. Random password chosen for agent authentication: 3027022fa85bb4c697dc0ed8274a4554
Restart the Wazuh manager with whichever of the following commands applies to the host's init system:
# systemctl restart wazuh-manager
# service wazuh-manager restart
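The manager-side setup described above can be checked before agents start registering. This is an added example, not part of the Wazuh documentation or tooling: the function names and the rule that authd.pass should not be world-readable are assumptions, while the file paths and the use_password option are the ones shown on this page.

```shell
#!/bin/sh
# Added example: audit a Wazuh manager's password-authorization setup.
# Default paths are the ones on this page; the checks are this example's
# own assumptions about a sound setup, not an official Wazuh tool.

# Succeeds if <use_password>yes</use_password> appears inside the <auth> block.
use_password_enabled() {
    awk '/<auth>/ {in_auth = 1}
         in_auth && /<use_password>[ \t]*yes[ \t]*<\/use_password>/ {found = 1}
         /<\/auth>/ {in_auth = 0}
         END {exit !found}' "$1"
}

# Succeeds if the "other" read bit is set (8th character of the ls mode string).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Prints one finding per line and returns the number of problems found.
# Usage: audit_authd [ossec.conf path] [authd.pass path]
audit_authd() {
    conf=${1:-/var/ossec/etc/ossec.conf}
    pass=${2:-/var/ossec/etc/authd.pass}
    problems=0
    if use_password_enabled "$conf"; then
        echo "OK: use_password is enabled in $conf"
    else
        echo "FAIL: use_password is not set to yes inside <auth> in $conf"
        problems=$((problems + 1))
    fi
    if [ ! -s "$pass" ]; then
        # Per this page, a random password is then generated and logged.
        echo "WARN: $pass missing or empty; a random password will be written to ossec.log"
        problems=$((problems + 1))
    elif world_readable "$pass"; then
        echo "FAIL: $pass is readable by all local users"
        problems=$((problems + 1))
    else
        echo "OK: $pass exists and is not world-readable"
    fi
    return "$problems"
}
```

A WARN for a missing password file means the registration password will appear in clear text in ossec.log, so access to that log matters as much as access to authd.pass.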
Registering the Wazuh agent and enabling the communication with the Wazuh manager
Follow the steps corresponding to the Wazuh agent host operating system:
Open a terminal in the Linux/Unix Wazuh agent's host as a root user.
Register the Wazuh agent using the password. It can be stored in a file or provided as a command-line argument:
Write the password to the /var/ossec/etc/authd.pass file and run the agent-auth utility using the Wazuh manager's IP address:
# echo "<custom_password>" > /var/ossec/etc/authd.pass
# /var/ossec/bin/agent-auth -m <manager_IP>
If the new Wazuh agent's name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
Alternatively, run the agent-auth utility, providing the Wazuh manager's IP address together with the password following the -P flag:
# /var/ossec/bin/agent-auth -m <manager_IP> -P "<custom_password>"
If the new Wazuh agent's name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at /var/ossec/etc/ossec.conf. In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
Restart the Wazuh agent with whichever of the following commands applies to the host:
# systemctl restart wazuh-agent
# service wazuh-agent restart
# /var/ossec/bin/ossec-control restart
The Wazuh agent registration can be adjusted by using different agent-auth options.
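Both registration methods above place the password on a command line: the echo command leaves it in shell history, and -P exposes it in the process list while agent-auth runs. The following added example (not Wazuh code; the function names and the 0600 file mode are assumptions) reads the password from standard input instead, and also strips a UTF-8 byte-order mark and carriage returns, which matter when the password was produced on a Windows host.

```shell
#!/bin/sh
# Added example (not Wazuh code): store the agent registration password
# without exposing it in argv or shell history.
# The default path is the Linux one used on this page.

BOM=$(printf '\357\273\277')    # UTF-8 byte-order mark, bytes EF BB BF

# Succeeds if the file begins with a UTF-8 BOM.
has_bom() {
    [ "$(head -c 3 "$1")" = "$BOM" ]
}

# Read the password (first line of stdin), strip a leading BOM and any
# carriage returns, and write it to the file with owner-only permissions.
# Fails and removes the file if the resulting password is empty.
store_reg_password() {
    pass_file=${1:-/var/ossec/etc/authd.pass}
    (
        umask 077    # a newly created file gets mode 0600
        head -n 1 | LC_ALL=C sed "1s/^$BOM//" | tr -d '\r' > "$pass_file"
    ) || return 1
    chmod 600 "$pass_file" || return 1    # also tighten a pre-existing file
    if [ -z "$(cat "$pass_file")" ]; then
        rm -f "$pass_file"
        return 1
    fi
}

# Store the password from stdin, then register with the file-based method
# from this page (agent-auth run with -m only, password taken from authd.pass).
register_agent() {
    manager_ip=$1
    store_reg_password /var/ossec/etc/authd.pass &&
        /var/ossec/bin/agent-auth -m "$manager_ip"
}
```

The password can then be piped in from a secrets store or typed at a prompt, for example by running register_agent with the manager's IP address and supplying the password on standard input.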
Open a PowerShell or CMD session in the Wazuh agent's host as an Administrator.
The Wazuh agent's installation directory depends on the architecture of the host:
C:\Program Files (x86)\ossec-agent for x86_64 hosts.
C:\Program Files\ossec-agent for x86 hosts.
Note
This guide assumes that the Wazuh agent is installed on an x86_64 host. The installation path will be: C:\Program Files (x86)\ossec-agent.
Register the Wazuh agent using the password. It can be stored in a file or provided as a command-line argument:
Write the password to the C:\Program Files (x86)\ossec-agent\authd.pass file and run the agent-auth utility using the Wazuh manager's IP address. The executable path contains spaces, so it must be quoted (in PowerShell, prefix the quoted path with the call operator &):
# echo <custom_password> > "C:\Program Files (x86)\ossec-agent\authd.pass"
# "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP>
If the new Wazuh agent's name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
The Wazuh agent assumes that the input file is in UTF-8 encoding, without byte-order mark (BOM). If the file is created in an incorrect encoding, it can be changed by opening the authd.pass file in Notepad and using Save As with ANSI encoding.
Alternatively, run the agent-auth utility, providing the Wazuh manager's IP address together with the password following the -P flag:
# "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP> -P "<custom_password>"
If the new Wazuh agent's name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at C:\Program Files (x86)\ossec-agent\ossec.conf. In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
Restart the Wazuh agent. In PowerShell:
# Restart-Service -Name wazuh
In CMD:
# net stop wazuh
# net start wazuh
The Wazuh agent registration can be adjusted by using different agent-auth options.
Open a terminal in the Linux/Unix Wazuh agent's host as a root user.
Register the Wazuh agent using the password. It can be stored in a file or provided as a command-line argument:
Write the password to the /Library/Ossec/etc/authd.pass file and run the agent-auth utility using the Wazuh manager's IP address:
# echo "<custom_password>" > /Library/Ossec/etc/authd.pass
# /Library/Ossec/bin/agent-auth -m <manager_IP>
If the new Wazuh agent's name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
Alternatively, run the agent-auth utility, providing the Wazuh manager's IP address together with the password following the -P flag:
# /Library/Ossec/bin/agent-auth -m <manager_IP> -P "<custom_password>"
If the new Wazuh agent's name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at /Library/Ossec/etc/ossec.conf. In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
Restart the Wazuh agent:
# /Library/Ossec/bin/ossec-control restart
The Wazuh agent registration can be adjusted by using different agent-auth options.