client
This section explains how to configure the connection to the manager.
Subsections
server
New in version 3.0.0.
Configures the connection parameters for each server an agent connects to.
Server subsection options
address
Specifies the IP address or the hostname of the Wazuh manager.
Default value: n/a
Allowed values: Any valid IP address or any resolvable hostname.
port
Specifies the port on the manager to send events to. This must match the listening port configured on the Wazuh manager.
Default value: 1514
Allowed values: Any port number from 1 to 65535.
protocol
Specifies the protocol to use when connecting to the manager.
Default value: tcp
Allowed values: udp, tcp
max_retries
New in version 3.13.1.
Number of connection retries.
Default value: 5
Allowed values: 1 to 1,000,000,000
retry_interval
New in version 3.13.1.
Time interval between connection attempts, in seconds.
Default value: 10
Allowed values: 1 to 1,000,000,000
Options
server-ip
Deprecated since version 3.0.0.
Specifies the IP address of the Wazuh manager.
Default value: n/a
Allowed values: Any valid IP address.
server-hostname
Deprecated since version 3.0.0.
Specifies the hostname of the Wazuh manager.
Default value: n/a
Allowed values: Any resolvable hostname.
Warning
This parameter is incompatible with server-ip. Since version 3.0, these two fields have been merged into a single field called address that accepts both formats.
port
Deprecated since version 3.0.0.
Specifies the port on the manager to send events to. This must match the listening port configured on the Wazuh manager.
Default value: 1514
Allowed values: Any port number from 1 to 65535.
protocol
Deprecated since version 3.0.0.
Specifies the protocol to use when connecting to the manager.
Default value: tcp
Allowed values: udp, tcp
config-profile
Specifies the agent.conf profile(s) to be used by the agent.
Default value: n/a
Allowed values: Multiple profiles can be included, separated by a comma and a space.
notify_time
Specifies the time in seconds between agent check-ins to the manager. More frequent check-ins speed up dissemination of an updated agent.conf file to the agents, but may also put an undue load on the manager if there are a large number of agents.
Default value: 10
Allowed values: A positive number (seconds).
time-reconnect
Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.
For example, a notify_time setting of 60 combined with a time-reconnect of 300 means that agents attempt to check in once per minute, but if a check-in attempt gets no response from the manager, the agent waits five minutes before trying again. Check-ins resume their normal one-minute interval after a successful connection attempt.
Default value: 60
Allowed values: A positive number (seconds).
Warning
Notice that the notify_time value uses an underscore while the time-reconnect value uses a dash. This is an unfortunate legacy naming inconsistency that is easy to mix up.
local_ip
Specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces.
Default value: n/a
Allowed values: Any valid IP address.
disable-active-response
Deprecated.
Warning
This is an obsolete way to disable active response. The recommended way is to configure it as described in the active-response section.
Default value: no
Allowed values: yes, no
auto_restart
Toggles the automatic restart of the agent when a new valid configuration is received from the manager.
Default value: yes
Allowed values: yes, no
crypto_method
New in version 3.5.0.
Chooses the encryption method for the messages that the agent sends to the manager.
Default value: aes
Allowed values: blowfish, aes
Sample configuration
<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
    <max_retries>5</max_retries>
    <retry_interval>5</retry_interval>
  </server>
  <server>
    <address>example.hostname</address>
    <protocol>udp</protocol>
  </server>
  <config-profile>webserver, debian8</config-profile>
  <notify_time>30</notify_time>
  <time-reconnect>120</time-reconnect>
  <auto_restart>yes</auto_restart>
</client>
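As an added example (not Wazuh's own code), the following Python script lints a <client> block against the constraints listed in this section: <address> is required and has no default, port and protocol ranges, the max_retries and retry_interval bounds, the options deprecated since 3.0.0 (server-ip, server-hostname and the top-level port and protocol) and their incompatibility, the rule that time-reconnect should be higher than notify_time, and the underscore/dash mix-up the warning above describes. Both sample configurations are constructed here: CLEAN follows this page's sample, BROKEN contains deliberate mistakes.

```python
"""Lint a Wazuh agent <client> block against the option constraints listed on
this page. Added example, not Wazuh's own code."""
import xml.etree.ElementTree as ET

KNOWN_SERVER = {"address", "port", "protocol", "max_retries", "retry_interval"}
KNOWN_CLIENT = {"server", "server-ip", "server-hostname", "port", "protocol",
                "config-profile", "notify_time", "time-reconnect", "local_ip",
                "disable-active-response", "auto_restart", "crypto_method",
                "enrollment"}
DEPRECATED = {"server-ip", "server-hostname", "port", "protocol"}  # since 3.0.0
BIG = 1_000_000_000                         # max_retries / retry_interval bound
DEFAULT_NOTIFY, DEFAULT_RECONNECT = 10, 60  # documented defaults (seconds)


def _int_in(text, lo, hi):
    """int(text) if it parses and lies in [lo, hi], else None."""
    try:
        value = int((text or "").strip())
    except ValueError:
        return None
    return value if lo <= value <= hi else None


def lint_client(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    client = ET.fromstring(xml_text.strip())
    if client.tag != "client":
        return [f"expected <client> as root element, got <{client.tag}>"]
    # Option names: deprecated tags, unknown tags, and the underscore/dash mix-up.
    for child in client:
        tag = child.tag
        if tag in DEPRECATED:
            findings.append(f"<{tag}> is deprecated since 3.0.0; use <server><address>")
        elif tag not in KNOWN_CLIENT:
            swapped = tag.replace("-", "_") if "-" in tag else tag.replace("_", "-")
            hint = f" (did you mean <{swapped}>?)" if swapped in KNOWN_CLIENT else ""
            findings.append(f"unknown option <{tag}>{hint}")
    if client.find("server-ip") is not None and client.find("server-hostname") is not None:
        findings.append("<server-ip> and <server-hostname> are incompatible; use <server><address>")
    # Per-<server> connection parameters.
    for i, srv in enumerate(client.findall("server"), 1):
        for opt in srv:
            if opt.tag not in KNOWN_SERVER:
                findings.append(f"server #{i}: unknown option <{opt.tag}>")
        if not (srv.findtext("address") or "").strip():
            findings.append(f"server #{i}: <address> is required and has no default")
        port = srv.findtext("port")
        if port is not None and _int_in(port, 1, 65535) is None:
            findings.append(f"server #{i}: <port> must be 1-65535, got {port.strip()!r}")
        proto = srv.findtext("protocol")
        if proto is not None and proto.strip() not in {"tcp", "udp"}:
            findings.append(f"server #{i}: <protocol> must be tcp or udp, got {proto.strip()!r}")
        for name in ("max_retries", "retry_interval"):
            val = srv.findtext(name)
            if val is not None and _int_in(val, 1, BIG) is None:
                findings.append(f"server #{i}: <{name}> must be 1-{BIG}, got {val.strip()!r}")
    # Client-wide yes/no and enumerated options.
    for name, allowed in (("disable-active-response", {"yes", "no"}),
                          ("auto_restart", {"yes", "no"}),
                          ("crypto_method", {"aes", "blowfish"})):
        val = client.findtext(name)
        if val is not None and val.strip() not in allowed:
            findings.append(f"<{name}> must be one of {sorted(allowed)}, got {val.strip()!r}")
    # Check-in timing: time-reconnect should be higher than notify_time.
    notify, reconnect = client.findtext("notify_time"), client.findtext("time-reconnect")
    n = DEFAULT_NOTIFY if notify is None else _int_in(notify, 1, BIG)
    r = DEFAULT_RECONNECT if reconnect is None else _int_in(reconnect, 1, BIG)
    for name, raw, parsed in (("notify_time", notify, n), ("time-reconnect", reconnect, r)):
        if raw is not None and parsed is None:
            findings.append(f"<{name}> must be a positive number of seconds, got {raw.strip()!r}")
    if n is not None and r is not None and r <= n:
        findings.append(f"<time-reconnect> ({r}) should be higher than <notify_time> ({n})")
    return findings


# Constructed samples: CLEAN follows this page's sample configuration, BROKEN
# contains deliberate mistakes for the linter to report.
CLEAN = """<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
    <max_retries>5</max_retries>
    <retry_interval>5</retry_interval>
  </server>
  <config-profile>webserver, debian8</config-profile>
  <notify_time>30</notify_time>
  <time-reconnect>120</time-reconnect>
  <auto_restart>yes</auto_restart>
</client>"""

BROKEN = """<client>
  <server>
    <address>192.168.1.100</address>
    <port>70000</port>
    <protocol>sctp</protocol>
  </server>
  <server-ip>192.168.1.101</server-ip>
  <notify-time>300</notify-time>
  <time_reconnect>60</time_reconnect>
  <crypto_method>des</crypto_method>
</client>"""

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN), ("broken", BROKEN)):
        print(f"{label}: {lint_client(cfg) or 'no findings'}")
```

The linter only encodes what this reference states; it does not replace the agent's own configuration validation. Point it at the <client> element of a real ossec.conf before a rollout to catch the misspelled notify-time and time_reconnect variants, which the agent would otherwise silently ignore in favour of the defaults.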
enrollment
New in version 4.0.
Configures the connection parameters for the agent enrollment.
Options
enabled
Enables or disables agent enrollment.
Default value: yes
Allowed values: yes or no
manager_address
Hostname or IP address of the manager where the agent will be enrolled. If no value is set, the agent tries to enroll with the same manager that was specified for the connection.
Default value: n/a
Allowed values: string - a valid IP address or hostname.
port
Specifies the port on the manager to send the enrollment request to. This must match the listening port configured on the Wazuh manager.
Default value: 1515
Allowed values: Any port number from 0 to 65535.
agent_name
Agent name that will be used for enrollment. Only alphanumeric characters, "-", "_" or "." are allowed, and the minimum length is two characters.
Default value: Hostname of the machine.
Allowed values: string - registration name for the agent.
groups
Name of the group(s) the agent belongs to.
Default value: NULL
Allowed values: string - name of one or more valid groups.
agent_address
Forces the IP address the agent is registered with. If this is not set, the manager extracts the source IP address from the enrollment message.
Default value: src
Allowed values: string - a valid IP address.
ssl_cipher
Overrides the SSL/TLS cipher suites used for enrollment.
Default value: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
Allowed values: A valid SSL cipher list.
server_ca_path
Used for manager verification. If no CA certificate is set, the manager (server) certificate is not verified.
Default value: NULL
Allowed values: Path to a valid CA certificate.
agent_certificate_path
Required when agent verification is enabled in the manager.
Default value: NULL
Allowed values: Path to a valid agent certificate file.
agent_key_path
Required when agent verification is enabled in the manager.
Default value: NULL
Allowed values: Path to a valid agent key file.
auto_method
Automatically negotiates the most secure SSL/TLS method common to the agent and the manager: use "yes" for auto-negotiation or "no" for TLS v1.2 only.
Default value: no
Allowed values: yes or no
delay_after_enrollment
Time in seconds that agentd waits after a successful registration.
Default value: 20
Allowed values: Number of seconds.
use_source_ip
Forces the manager to take the agent's IP address from the source of the enrollment message.
Default value: no
Allowed values: yes or no
Sample configuration
<client>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>192.168.1.100</manager_address>
    <port>1515</port>
    <agent_name>agent</agent_name>
    <groups>Group1</groups>
    <agent_address>192.168.0.110</agent_address>
    <ssl_cipher>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ssl_cipher>
    <server_ca_path>/path/to/server_ca</server_ca_path>
    <agent_certificate_path>/path/to/agent.cert</agent_certificate_path>
    <agent_key_path>/path/to/agent.key</agent_key_path>
    <authorization_pass_path>/path/to/agent.pass</authorization_pass_path>
    <auto_method>no</auto_method>
    <delay_after_enrollment>20</delay_after_enrollment>
    <use_source_ip>no</use_source_ip>
  </enrollment>
</client>
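The enrollment TLS options above (ssl_cipher, auto_method and server_ca_path), as an added Python example that is not Wazuh's own code. It asks the local OpenSSL which cipher suites the documented default ssl_cipher string actually enables, audits that list (or any override you plan to set) for anonymous, RC4, 3DES, MD5, NULL and export-grade suites, and builds a client SSLContext that mirrors the documented defaults. How auto_method and server_ca_path map onto SSLContext settings is an assumption made here for illustration, and the WEAK pattern table is constructed for the example. One caveat worth checking on your own build: in OpenSSL's cipher-list syntax the !ADH alias excludes anonymous DH but not anonymous ECDH suites, so the audit may still report AECDH suites for the default string.

```python
"""Resolve and audit the <ssl_cipher> string used for agent enrollment, and
build a client TLS context reflecting the documented defaults. Added example,
not Wazuh's own code; the SSLContext mapping is an assumption for illustration."""
import re
import ssl

# Default <ssl_cipher> value documented on this page.
DEFAULT_CIPHERS = "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH"

# Suite-name patterns a reviewer would not want enabled (constructed list).
WEAK = {
    "anonymous key exchange": re.compile(r"^(ADH|AECDH)-"),
    "RC4": re.compile(r"RC4"),
    "3DES": re.compile(r"DES-CBC3"),
    "MD5 MAC": re.compile(r"-MD5$"),
    "NULL encryption": re.compile(r"NULL"),
    "export grade": re.compile(r"^EXP"),
}


def _tls12_suites(cipher_string):
    """Suites OpenSSL enables for cipher_string, excluding TLS 1.3 suites,
    which are not governed by the cipher string at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def resolve_ciphers(cipher_string):
    """Names of the TLS 1.2 (and older) suites the string enables, in
    preference order (@STRENGTH sorts them strongest first)."""
    return [c["name"] for c in _tls12_suites(cipher_string)]


def audit_ciphers(cipher_string):
    """Findings for weak or anonymous suites the string enables; [] is clean."""
    findings = []
    for c in _tls12_suites(cipher_string):
        for label, pattern in WEAK.items():
            if pattern.search(c["name"]):
                findings.append(f"{c['name']}: {label}")
        if c["strength_bits"] < 128:
            findings.append(f"{c['name']}: only {c['strength_bits']}-bit")
    return findings


def enrollment_tls_context(auto_method="no", server_ca_path=None):
    """Client context reflecting the page's defaults. Assumption for
    illustration: auto_method "no" pins TLS 1.2 only, "yes" lets OpenSSL
    negotiate the highest common version. Without server_ca_path the manager
    certificate is not verified, which is the documented default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(DEFAULT_CIPHERS)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if auto_method == "no":
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if server_ca_path:
        ctx.load_verify_locations(cafile=server_ca_path)
    else:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_manager(ctx):
    """True only when the context will check the manager's certificate."""
    return ctx.verify_mode != ssl.CERT_NONE


if __name__ == "__main__":
    print("default resolves to", len(resolve_ciphers(DEFAULT_CIPHERS)), "suites")
    print("default audit:", audit_ciphers(DEFAULT_CIPHERS) or "clean")
    print("ALL:COMPLEMENTOFDEFAULT audit:", audit_ciphers("ALL:COMPLEMENTOFDEFAULT")[:5])
    print("manager verified without CA:", verifies_manager(enrollment_tls_context()))
```

The audit reflects the OpenSSL the Python interpreter links against, which may differ from the one the Wazuh agent was built with; run it on the agent host to see the list that host's library produces. The last line of the demo makes the defender-relevant point explicit: unless server_ca_path is set, the enrollment connection accepts any manager certificate.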