Registering Wazuh agents
Note
Since Wazuh 4.0, by default, the agent registers automatically with the manager through enrollment. Configuration details can be found in the Enrollment section.
Collecting security event data from the Wazuh agent requires enabling communication with the Wazuh manager.
The Wazuh manager needs to know which Wazuh agent is sending the security events and whether it is authorized. This step is called Wazuh agent registration and can be performed using the registration service. The Wazuh manager attends the Wazuh agent's registration request on port 1515 over TCP, using a TLS connection. The Wazuh agent obtains a unique key used to encrypt the traffic between them. Once the registration is done, this communication is no longer used, unless the Wazuh agent needs to be registered with a new Wazuh manager.
After the registration, the Wazuh agent has to be configured with the destination to which the collected security events will be sent. By default, the Wazuh manager uses a communication channel on port 1514 over TCP, through which the Wazuh agent sends the collected data.
Note
This documentation section can be skipped if the Wazuh agent was deployed using Deployment variables, Deployed with Ansible or Deployed with Puppet. In these cases, the registration process is different and described in their corresponding sections of the documentation.
Registering the Wazuh agent using simple registration service
To register the Wazuh agent, choose the tab corresponding to the Wazuh agent's host operating system:
Open a terminal in the Linux/Unix Wazuh agent's host as a root user.
To register the Wazuh agent, run the agent-auth utility, using the Wazuh manager’s IP address:
# /var/ossec/bin/agent-auth -m <manager_IP>
If the new Wazuh agent’s name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /var/ossec/etc/ossec.conf. In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
Restart the Wazuh agent (one of the following, depending on the host's service manager):
# systemctl restart wazuh-agent
# service wazuh-agent restart
# /var/ossec/bin/ossec-control restart
The Wazuh agent registration can be adjusted by using different agent-auth options.
Open a PowerShell or CMD session in the Wazuh agent's host as an Administrator.
The Wazuh agent's installation directory depends on the architecture of the host:
C:\Program Files (x86)\ossec-agent for x86_64 hosts.
C:\Program Files\ossec-agent for x86 hosts.
Note
This guide supposes that the Wazuh agent is installed on an x86_64 host. The installation path will be: C:\Program Files (x86)\ossec-agent.
To register the Wazuh agent, run the agent-auth.exe utility, using the Wazuh manager's IP address (the first form is for PowerShell, the second for CMD):
# &'C:\Program Files (x86)\ossec-agent\agent-auth.exe' -m <manager_IP>
# "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP>
If the new Wazuh agent’s name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at C:\Program Files (x86)\ossec-agent\ossec.conf. In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
Restart the Wazuh agent (Restart-Service in PowerShell, or net stop followed by net start in CMD):
# Restart-Service -Name wazuh
# net stop wazuh
# net start wazuh
The Wazuh agent registration can be adjusted by using different agent-auth options.
Open a terminal in the MacOS X Wazuh agent's host as a root user.
To register the Wazuh agent, run the agent-auth utility, using the Wazuh manager’s IP address:
# /Library/Ossec/bin/agent-auth -m <manager_IP>
If the new Wazuh agent’s name is not provided, it is set automatically using hostname. To specify the Wazuh agent's name add -A <agent_name> to the command above.
To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at /Library/Ossec/etc/ossec.conf. In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server's IP address or the DNS name:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
Restart the Wazuh agent:
# /Library/Ossec/bin/ossec-control restart
The Wazuh agent registration can be adjusted by using different agent-auth options.
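The configuration step on Linux and macOS hosts can be scripted and verified. The following POSIX shell functions are an added example, not part of the Wazuh documentation: they write the manager address into the <client> block of ossec.conf and then fail if the MANAGER_IP placeholder is still present. The function names, the CONF variable and the address allow-list are assumptions of this example.

```shell
#!/bin/sh
# Added example. Default path is the Linux one from the page; override CONF on macOS.
CONF="${CONF:-/var/ossec/etc/ossec.conf}"

# Print every <address> value found inside the <client> block.
manager_addresses() {
    sed -n '/<client>/,/<\/client>/s|.*<address>\(.*\)</address>.*|\1|p' "$1"
}

# Allow only characters that occur in IP literals and DNS names, so the value
# cannot inject XML markup or sed metacharacters (allow-list is an assumption).
valid_address() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
}

# usage: set_manager_address <conf> <address>
set_manager_address() {
    valid_address "$2" || { echo "rejected address: $2" >&2; return 1; }
    tmp="$1.tmp.$$"
    # Write back with cat so the file keeps its owner and mode.
    sed "/<client>/,/<\/client>/s|<address>.*</address>|<address>$2</address>|" \
        "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Fail if no address is set, the placeholder is left, or a value is malformed.
check_manager_address() {
    addrs=$(manager_addresses "$1")
    [ -n "$addrs" ] || { echo "no <address> in <client> block of $1" >&2; return 1; }
    printf '%s\n' "$addrs" | (
        while IFS= read -r a; do
            [ "$a" != "MANAGER_IP" ] || { echo "placeholder left in $1" >&2; exit 1; }
            valid_address "$a" || { echo "malformed address: $a" >&2; exit 1; }
        done
    )
}

# Run between agent-auth and the restart: sh set_manager.sh <manager_address>
if [ "$#" -ge 1 ]; then
    set_manager_address "$CONF" "$1" && check_manager_address "$CONF"
fi
```

The sed range assumes <client> and </client> sit on separate lines, as in the indented configuration shown above.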
There are also other easy registration methods. The choice depends on the particular use case and the preferences of the user:
Registration method | Description |
---|---|
Manual registration using |
|
Uses a simple Wazuh API request from any host. Requires adding returned registration key manually to the Wazuh agent using |
|
Registration using |
|
Registration using |
To learn more about the Wazuh agent registration process, please read the registering Wazuh agents - additional information.
In case of problems during registration, visit the registering Wazuh agents - troubleshooting page to find a solution.