Registering the Wazuh agents using the Wazuh API
The Wazuh API allows the Wazuh agent registration by running a single request from any host. This request returns the Wazuh agent's registration key, which must be manually added to the Wazuh agent using manage_agents utility.
Note
Root user privileges are necessary to execute all the commands described below, and the Wazuh API must be accessible from the host on which the request is executed.
Choose the tab corresponding to the Wazuh agent host operating system:
Open a terminal in the Wazuh agent's host as a
rootuser. To add the Wazuh agent to the Wazuh manager and extract the registration key execute the following Wazuh API request POST /agents and replacing the values in the angle brackets:# curl -k -X POST -d '{"name":"<agent_name>","ip":"<agent_IP>"}' "https://localhost:55000/agents?pretty=true" -H "Content-Type:application/json" -H "Authorization: Bearer $TOKEN"
The output of the Wazuh API request returns the registration key:
{ "error": 0, "data": { "id": "001", "key": "MDAxIE5ld0FnZW50IDEwLjAuMC44IDM0MGQ1NjNkODQyNjcxMWIyYzUzZTE1MGIzYjEyYWVlMTU1ODgxMzVhNDE3MWQ1Y2IzZDY4M2Y0YjA0ZWVjYzM=", }, }More information about API credentials and HTTPS support can be found on Wazuh API configuration.
Import the registration key to the Wazuh agent using
manage_agentsutility. Replace the Wazuh agent's registration key:# /var/ossec/bin/manage_agents -i <key>An example output of the command looks as follows:
Agent information: ID:001 Name:agent_1 IP Address:any Confirm adding it?(y/n): y Added.
To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at
/var/ossec/etc/ossec.conf.In the
<client><server>section,MANAGER_IPhas to be replaced with the Wazuh server's IP address or the DNS name:<client> <server> <address>MANAGER_IP</address> ... </server> </client>
Restart the Wazuh agent:
# systemctl restart wazuh-agent# service wazuh-agent restart# /var/ossec/bin/ossec-control restart
Open a Powershell session in the Wazuh agent's host as an Administrator.
The Wazuh agent's installation directory depends on the architecture of the host:
C:\Program Files (x86)\ossec-agentforx86_64hosts.
C:\Program Files\ossec-agentforx86hosts.Note
This guide supposes that the Wazuh agent is installed in a
x86_64host. The installation path will be:C:\Program Files (x86)\ossec-agent.
Add the Wazuh agent to the Wazuh manager.
If the Wazuh API is running over HTTPS and it is using a self-signed certificate, the function below has to be executed in Powershell:
> function Ignore-SelfSignedCerts { add-type @" using System.Net; using System.Security.Cryptography.X509Certificates; public class PolicyCert : ICertificatePolicy { public PolicyCert() {} public bool CheckValidationResult( ServicePoint sPoint, X509Certificate cert, WebRequest wRequest, int certProb) { return true; } } "@ [System.Net.ServicePointManager]::CertificatePolicy = new-object PolicyCert [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; } > Ignore-SelfSignedCerts
Use
Invoke-WebRequestto execute the Wazuh API request to register the Wazuh agent. Values in the angle brackets have to be replaced:# $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f <API_username>, <API_password>))) # Invoke-WebRequest -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method POST -Uri https://<manager_IP>:55000/agents -Body @{name=<agent_name>} | ConvertFrom-Json
The command above returns the Wazuh agent's
ID.Extract the Wazuh agent's key using the Wazuh agent's ID. Values in the angle brackets have to be replaced:
# Invoke-WebRequest -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method GET -Uri https://<manager_IP>:55000/agents/<agent_ID>/key | ConvertFrom-Json
The output of the request returns the registration key:
{ "error": 0, "data": { "id": "001", "key": "MDAxIE5ld0FnZW50IDEwLjAuMC44IDM0MGQ1NjNkODQyNjcxMWIyYzUzZTE1MGIzYjEyYWVlMTU1ODgxMzVhNDE3MWQ1Y2IzZDY4M2Y0YjA0ZWVjYzM=" } }Import the registration key to the Wazuh agent using
manage_agentsutility:# 'C:\Program Files (x86)\ossec-agent\manage_agents' -i <key>
An example output of the command looks as follows:
Agent information: ID:001 Name:agent_1 IP Address:any Confirm adding it?(y/n): y Added.
To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at
C:\Program Files (x86)\ossec-agent\ossec.conf.In the
<client><server>section,MANAGER_IPhas to be replaced with the Wazuh server's IP address or the DNS name:<client> <server> <address>MANAGER_IP</address> ... </server> </client>
Restart the Wazuh agent:
# Restart-Service -Name wazuh# net stop wazuh # net start wazuh
Open a terminal in the Wazuh agent's host as a
rootuser. To add the Wazuh agent to the Wazuh manager and extract the registration key execute the following Wazuh API request POST /agents and replacing the values in the angle brackets:# curl -k -X POST -d '{"name":"<agent_name>","ip":"<agent_IP>"}' "https://localhost:55000/agents?pretty=true" -H "Content-Type:application/json" -H "Authorization: Bearer $TOKEN"
The output of the Wazuh API request returns the registration key:
{ "error": 0, "data": { "id": "001", "key": "MDAxIE5ld0FnZW50IDEwLjAuMC44IDM0MGQ1NjNkODQyNjcxMWIyYzUzZTE1MGIzYjEyYWVlMTU1ODgxMzVhNDE3MWQ1Y2IzZDY4M2Y0YjA0ZWVjYzM=", }, }More information about API credentials and HTTPS support can be found on Wazuh API configuration.
Import the registration key to the Wazuh agent using
manage_agentsutility. Replace the Wazuh agent's registration key:# /Library/Ossec/bin/manage_agents -i <key>An example output of the command looks as follows:
Agent information: ID:001 Name:agent_1 IP Address:any Confirm adding it?(y/n): y Added.To enable the communication with the Wazuh manager, edit the Wazuh agent's configuration file placed at
/Library/Ossec/etc/ossec.conf.In the
<client><server>section,MANAGER_IPhas to be replaced with the Wazuh server's IP address or the DNS name:<client> <server> <address>MANAGER_IP</address> ... </server> </client>
Restart the Wazuh agent:
# /Library/Ossec/bin/ossec-control restart