This is the documentation for Wazuh 3.2. Check out the docs for the latest version of Wazuh!

Register Agent

To register an agent, follow these steps:

  1. On the manager, run manage_agents:
# /var/ossec/bin/manage_agents

****************************************
* Wazuh v3.2.4 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:
  1. Select A to add an agent. You’ll be asked for the agent’s name (use the agent hostname or another arbitrary name), its IP address and the agent ID (this field can be left blank to auto-assign an ID).

In this example, we’ll add an agent with name “Example”, dynamic IP (any) and automatic ID:

Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: Example
   * The IP Address of the new agent: any
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:Example
   IP Address:any

Confirm adding it?(y/n): y
Agent added with ID 001.
  1. Extract the new agent’s key. You will need it for the agent:

    Choose your action: A,E,L,R or Q: E
    
    Available agents:
       ID: 001, Name: Example, IP: any
    Provide the ID of the agent to extract the key (or '\q' to quit): 001
    
    Agent key information for '001' is:
    MDAxIDE4NWVlNjE1Y2YzYiBhbnkgMGNmMDFiYTM3NmMxY2JjNjU0NDAwYmFhZDY1ZWU1YjcyMGI2NDY3ODhkNGQzMjM5ZTdlNGVmNzQzMGFjMDA4Nw==
    
  2. Exit from manage_agents by selecting Q.

  3. Now on the agent run manage_agents:

# /var/ossec/bin/manage_agents

****************************************
* Wazuh v3.2.4 Agent manager.          *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q:
  1. Select I to import a key and paste in the key that you extracted on the manager:

    Choose your action: I or Q: I
    
    * Provide the Key generated by the server.
    * The best approach is to cut and paste it.
    *** OBS: Do not include spaces or new lines.
    
    Paste it here (or '\q' to quit): MDAxIDE4NWVlNjE1Y2YzYiBhbnkgMGNmMDFiYTM3NmMxY2JjNjU0NDAwYmFhZDY1ZWU1YjcyMGI2NDY3ODhkNGQzMjM5ZTdlNGVmNzQzMGFjMDA4Nw=
    
    Agent information:
       ID:013
       Name:Example
       IP Address:any
    
    Confirm adding it?(y/n): y
    Added.
    
  2. Select ‘Q’ to exit from manage_agents.

  3. Edit the Wazuh agent configuration in /var/ossec/etc/ossec.conf to add the Wazuh manager IP address. In the <client> section, change the MANAGE_IP value to the Wazuh manager address:

    <client>
          <server-ip>MANAGE_IP</server-ip>
    </client>
    
  4. Restart the agent:

# /var/ossec/bin/ossec-control restart

Forcing insertion

If you try to add an agent with an IP address that was already registered to another agent, the manage_agents command will return an error. You can still force the addition by using the -F option.

Example

The agent named Server1 at IP 10.0.0.10 was installed and given the ID 005. If we assume that we had to reinstall the server, we would have to reinstall a new agent and connect it to the manager. In this case, we can use the argument -F 0 meaning that the previous agent (005) will be removed (with a backup) and a new agent will be created re-using the IP. The new agent will have a new ID:

/var/ossec/bin/manage_agents -n Server1 -a 10.10.10.10 -F 0