registration service requires an SSL certificate on the Wazuh manager in order to work. This certificate will be automatically generated by the package during the installation if the
openssl package is installed. The package will create the certificate and the key needed to run the authentication process called
ossec-authd. This certificate and the key can be found on the Wazuh manager in the
/var/ossec/etc/sslmanager.cert and the
ossec-authd service is used to obtain an unique key, one per each Wazuh agent, which allows to authenticate with the Wazuh communication service and to encrypt traffic. The communication is done over TLS protocol.
agent-auth program is the client application used along with the
ossec-authd to automatically add the Wazuh agent to the Wazuh manager.
The Wazuh manager uses the
/var/ossec/etc/client.keys file to store the registration record of each Wazuh agent, which includes ID, name, IP, and key.
001 Server1 any e20e0394dca71bacdea57d4ca25d203f836eca12eeca1ec150c2e5f4309a653a 002 ServerProd 184.108.40.206 b0c5548beda537daddb4da698424d0856c3d4e760eaced803d58c07ad1a95f4c 003 DBServer 192.168.0.1/24 8ec4843da9e61647d1ec3facab542acc26bd0e08ffc010086bb3a6fc22f6f65b
The Wazuh agents also have the
/var/ossec/etc/client.keys file, containing only their own registration record.
Server1 Wazuh agent:
001 Server1 any e20e0394dca71bacdea57d4ca25d203f836eca12eeca1ec150c2e5f4309a653a
In order to register Wazuh agent, it is necessary to provide the name and the IP address of the Wazuh agent.
There are several ways to set the Wazuh agent’s IP:
Any IP: Allows the Wazuh agent to connect with any IP address. Example:
Fixed IP: Allows the Wazuh agent to connect only with the specified IP. Example:
ServerProdhas the IP
Range IP: Allows the Wazuh agent to connect with the IP within the specified range. Example:
DBServerhas the IP range
Registration methods using
agent-auth utility can automatically detect the IP of the Wazuh agent during the registration process.