Registering Wazuh agents - additional information

OpenSSL package requirement

The registration service requires an SSL certificate on the Wazuh manager in order to work. This certificate will be automatically generated by the package during the installation if the openssl package is installed. The package will create the certificate and the key needed to run the authentication process called ossec-authd. This certificate and the key can be found on the Wazuh manager in the /var/ossec/etc/sslmanager.cert and the /var/ossec/etc/sslmanager.key files.

The ossec-authd service is used to obtain a unique key for each Wazuh agent, which allows the agent to authenticate with the Wazuh communication service and to encrypt traffic. The communication is done over the TLS protocol. The agent-auth program is the client application used along with ossec-authd to automatically add the Wazuh agent to the Wazuh manager.

Wazuh agents' keys

The Wazuh manager uses the /var/ossec/etc/client.keys file to store the registration record of each Wazuh agent, which includes ID, name, IP, and key.

Example:

001 Server1 any e20e0394dca71bacdea57d4ca25d203f836eca12eeca1ec150c2e5f4309a653a
002 ServerProd 192.246.247.247 b0c5548beda537daddb4da698424d0856c3d4e760eaced803d58c07ad1a95f4c
003 DBServer 192.168.0.1/24 8ec4843da9e61647d1ec3facab542acc26bd0e08ffc010086bb3a6fc22f6f65b

The Wazuh agents also have the /var/ossec/etc/client.keys file, containing only their own registration record.

Example for Server1 Wazuh agent:

001 Server1 any e20e0394dca71bacdea57d4ca25d203f836eca12eeca1ec150c2e5f4309a653a

Basic data for registering the Wazuh agent

To register a Wazuh agent, it is necessary to provide the name and the IP address of the Wazuh agent.

There are several ways to set the Wazuh agent's IP:

  • Any IP: Allows the Wazuh agent to connect with any IP address. Example: Server1 has any IP.

  • Fixed IP: Allows the Wazuh agent to connect only with the specified IP. Example: ServerProd has the IP 192.246.247.247.

  • Range IP: Allows the Wazuh agent to connect with any IP within the specified range. Example: DBServer has the IP range 192.168.0.1/24.

Registration methods that use the agent-auth utility can automatically detect the IP of the Wazuh agent during the registration process.
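
The record layout and the three IP forms described above can be checked with a short script. This is an added example, not Wazuh code: it parses client.keys-style records, classifies each IP field, and tests whether a source address matches a record. The names Record, parse_client_keys and unrestricted are hypothetical, the keys are constructed placeholders, and the matching is an illustration of the rules on this page rather than the manager's own implementation.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample: the page's IDs, names and IP fields with placeholder keys.
SAMPLE = """\
001 Server1 any {k}
002 ServerProd 192.246.247.247 {k}
003 DBServer 192.168.0.1/24 {k}
""".format(k="0" * 64)


class Record(NamedTuple):
    agent_id: str
    name: str
    ip: str
    key: str

    @property
    def kind(self) -> str:
        """Classify the IP field as 'any', 'fixed' or 'range'."""
        if self.ip == "any":
            return "any"
        return "range" if "/" in self.ip else "fixed"

    def allows(self, source: str) -> bool:
        """True if an agent connecting from `source` matches this record."""
        if self.kind == "any":
            return True
        # strict=False: the page's range 192.168.0.1/24 has host bits set.
        net = ipaddress.ip_network(self.ip, strict=False)
        return ipaddress.ip_address(source) in net


def parse_client_keys(text: str) -> list[Record]:
    """Parse 'ID name IP key' lines; reject lines with the wrong field count."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        records.append(Record(*fields))
    return records


def unrestricted(records: list[Record]) -> list[str]:
    """Names of agents whose record accepts any source address."""
    return [r.name for r in records if r.kind == "any"]
```

Running unrestricted() over the manager's file lists the agents registered with "any", which are the records whose key is not tied to a source address.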