client

This section explains how to configure the connection to the manager.

Subsections

server

New in version 3.0.0.

Configures the connection parameters for each server an agent connects to.

Server subsection options

address

Specifies the IP address or the hostname of the Wazuh manager.

Default value

n/a

Allowed values

Any valid IP address or any resolvable hostname is allowed.

port

Specifies the port to send events to on the manager. This must match the associated listening port configured on the Wazuh manager.

Default value

1514

Allowed values

Any port number from 1 to 65535 is allowed.

protocol

Specifies the protocol to use when connecting to the manager.

Default value

udp

Allowed values

udp, tcp

Options

server-ip

Deprecated since version 3.0.0.

Specifies the IP address of the Wazuh manager.

Default value

n/a

Allowed values

Any valid IP address is allowed.

server-hostname

Deprecated since version 3.0.0.

Specifies the hostname of the Wazuh manager.

Default value

n/a

Allowed values

Any resolvable hostname is allowed.

Warning

This parameter is incompatible with server-ip. Since version 3.0, these fields have been merged into a single field called address that accepts both formats.

port

Deprecated since version 3.0.0.

Specifies the port on the manager to send events to. This must match the associated listening port configured on the Wazuh manager.

Default value

1514

Allowed values

Any port number from 1 to 65535 is allowed.

protocol

Deprecated since version 3.0.0.

Specifies the protocol to use when connecting to manager.

Default value

udp

Allowed values

udp, tcp

config-profile

Specifies the agent.conf profile(s) to be used by the agent.

Default value

n/a

Allowed values

Multiple profiles can be included, separated by a comma and a space.

notify_time

Specifies the time in seconds between agent checkins to the manager. More frequent checkins speed up dissemination of an updated agent.conf file to the agents, but may also put an undo load on the manager if there are a large number of agents.

Default value

60

Allowed values

A positive number (seconds)

time-reconnect

Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.

For example, a notify_time setting of 60 combined with a time-reconnect of 300 would mean that agents will attempt to check in once per minute, but if a checkin attempt fails to get a response from the manager, the agent will wait five minutes before trying again. Checkins will resume their normal one-minute interval following a successful connection attempt.

Default value

300

Allowed values

A positive number (seconds)

Warning

Notice that the notify_time value uses an underscore while the time-reconnect value uses a dash. This is an unfortunate legacy naming inconsistency that is easy to mix up.

local_ip

Specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces.

Default value

n/a

Allowed values

Any valid IP address is allowed.

disable-active-response

Deprecated:

Warning

This is an obsolete method to disable active response. The recommended way is by configuring as shown in the active-response section.

Default value

no

Allowed values

yes, no

auto_restart

Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.

Default value

yes

Allowed values

yes, no

crypto_method

New in version 3.5.0.

Choose the encryption of the messages that the agent sends to the manager.

Default value

aes

Allowed values

blowfish, aes

Sample configuration

<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
  <server>
    <address>example.hostname</address>
    <protocol>udp</protocol>
  </server>
  <config-profile>webserver, debian8</config-profile>
  <notify_time>30</notify_time>
  <time-reconnect>120</time-reconnect>
  <auto_restart>yes</auto_restart>
</client>