Using the CLI in Windows hosts
To register an agent using the command line, first follow the steps in the Manager section, then those in the Agent section.
Manager
In the CLI of the Wazuh manager host, we will run manage_agents to add the agent. In this example, we are going to add a new agent. Its name will be windows-server and its address or IP is any.
# /var/ossec/bin/manage_agents -a any -n windows-server
Now, list the agents to get the ID of the windows-server agent:
# /var/ossec/bin/manage_agents -l
Available agents:
   ID: 001, Name: windows-server, IP: any
Using the ID from the previous command, extract the new agent’s key. Copy this key because you will need it for the agent:
# /var/ossec/bin/manage_agents -e 001
Agent key information for '001' is:
MDAxIG1hY29zLW1vamF2ZSBhbnkgZjcwMTI0MjQ5NDMwNzA3N2IyN2NlZjRmZDQ1NzlmYzkwYzcyMzcyZDMxMTM5ZTBkZjZiYzdmODMyODBjZjA4YQ==
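Before carrying the key to the agent, it can be checked on the manager to confirm it belongs to the agent you expect. The following is an added example, not part of the Wazuh documentation or tooling. It assumes the exported key is the base64 encoding of a single "ID NAME IP SECRET" line, which is what the sample key on this page decodes to; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Wazuh code. Assumes the exported agent key is base64 of
# one "ID NAME IP SECRET" line. Function names are hypothetical.

# Print the decoded key line; restores '=' padding lost in copy/paste.
decode_agent_key() {
    k=$1
    case $(( ${#k} % 4 )) in
        2) k="${k}==" ;;
        3) k="${k}=" ;;
        1) return 1 ;;          # impossible length for base64
    esac
    printf '%s' "$k" | base64 -d 2>/dev/null
}

# check_agent_key KEY EXPECTED_ID EXPECTED_NAME
# 0 = fields match, 1 = decodes but ID/name differ, 2 = malformed key.
# The secret field is never printed.
check_agent_key() {
    line=$(decode_agent_key "$1") || { echo "malformed: not base64" >&2; return 2; }
    read -r f_id f_name f_ip f_secret f_extra <<EOF
$line
EOF
    if [ -z "$f_secret" ] || [ -n "$f_extra" ]; then
        echo "malformed: expected 4 fields" >&2; return 2
    fi
    if [ "$f_id" != "$2" ] || [ "$f_name" != "$3" ]; then
        echo "mismatch: key is for ID=$f_id Name=$f_name IP=$f_ip" >&2; return 1
    fi
    echo "ok: ID=$f_id Name=$f_name IP=$f_ip"
}

# Constructed sample (not a real key): build a key for agent 001 / windows-server.
sample_key() {
    printf '%s' "001 windows-server any 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff" \
        | base64 | tr -d '\n'
}

check_agent_key "$(sample_key)" 001 windows-server || true
```

Run against the sample key printed on this page with the expected name windows-server, the check reports a mismatch (the sample decodes to Name=macos-mojave), which is the kind of mix-up it is meant to catch before the key is imported.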
Agent
Once you have added the agent in the Wazuh manager host, open a session on your Windows agent host and start CMD or PowerShell as Administrator. The installation directory of the Wazuh agent on a Windows host depends on the architecture of the host:
C:\Program Files (x86)\ossec-agent for x86_64 hosts.
C:\Program Files\ossec-agent for x64 hosts.
This guide assumes that the Wazuh agent is installed on an x86_64 host, so the installation path will be C:\Program Files (x86)\ossec-agent. After that, let's import the key and connect the agent to the manager.
1. First, import the key using manage_agents:
# 'C:\Program Files (x86)\ossec-agent\manage_agents' -i MDAxIG1hY29zLW1vamF2ZSBhbnkgZjcwMTI0MjQ5NDMwNzA3N2IyN2NlZjRmZDQ1NzlmYzkwYzcyMzcyZDMxMTM5ZTBkZjZiYzdmODMyODBjZjA4YQ
Agent information:
    ID:001
    Name:windows-server
    IP Address:any
Confirm adding it?(y/n): y
Added.
2. Edit the Wazuh agent configuration in C:\Program Files (x86)\ossec-agent\ossec.conf to add the Wazuh server IP address. In the <client><server> section, change the MANAGER_IP value to the Wazuh server address. The address of the Wazuh server can be an IP address or a DNS name:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
3. Once you have completed steps 1 and 2, start the agent:
Using PowerShell with administrator access:
# Restart-Service -Name wazuh
Using Windows cmd with administrator access:
# net stop wazuh
# net start wazuh