client

This section explains how to configure the connection to the manager.

Subsections

server

Configures the connection parameters for each server an agent connects to.

Server subsection options

address

Specifies the IP address or the hostname of the Wazuh manager.

Default value

n/a

Allowed values

Any valid IP address or any resolvable hostname is allowed.

port

Specifies the port to send events to on the manager. This must match the associated listening port configured on the Wazuh manager.

Default value

1514

Allowed values

Any port number from 1 to 65535 is allowed.

protocol

Specifies the protocol to use when connecting to the manager.

Default value

tcp

Allowed values

udp, tcp

max_retries

Number of connection retries.

Default value

5

Allowed values

1 to 1.000.000.000

retry_interval

Time interval between connection attempts (seconds).

Default value

10

Allowed values

1 to 1.000.000.000

Options

config-profile

Specifies the agent.conf profile(s) to be used by the agent.

Default value

n/a

Allowed values

Multiple profiles can be included, separated by a comma and a space.

notify_time

Specifies the time in seconds between agent checkins to the manager. More frequent checkins speed up dissemination of an updated agent.conf file to the agents, but may also put an undo load on the manager if there are a large number of agents.

Default value

10

Allowed values

A positive number (seconds)

Warning

This setting should always be lower than disconnection time configured for the agents in the manager. This allows them to always notify the manager before it would consider them disconnected.

time-reconnect

Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.

For example, a notify_time setting of 60 combined with a time-reconnect of 300 would mean that agents will attempt to check in once per minute, but if a checkin attempt fails to get a response from the manager, the agent will wait five minutes before trying again. Checkins will resume their normal one-minute interval following a successful connection attempt.

Default value

60

Allowed values

A positive number (seconds)

Warning

Notice that the notify_time value uses an underscore while the time-reconnect value uses a dash. This is an unfortunate legacy naming inconsistency that is easy to mix up.

ip_update_interval

New in version 4.2.0.

Specifies how often an agent will query the control module for its main IP address.

Any value equal to or lower than the configured notify_time will cause the IP address to be queried on each keep-alive message.

Default value

0

Allowed values

A positive number (seconds)

Note

Most systems won't need to modify this value, but on systems with large routing tables this configuration can help lower CPU usage from wazuh-modulesd.

local_ip

Specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces.

Default value

n/a

Allowed values

Any valid IP address is allowed.

auto_restart

Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.

Default value

yes

Allowed values

yes, no

crypto_method

Choose the encryption of the messages that the agent sends to the manager.

Default value

aes

Allowed values

blowfish, aes

Sample configuration

<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
    <max_retries>5</max_retries>
    <retry_interval>5</retry_interval>
  </server>
  <server>
    <address>example.hostname</address>
    <protocol>udp</protocol>
  </server>
  <config-profile>webserver, debian8</config-profile>
  <notify_time>30</notify_time>
  <time-reconnect>120</time-reconnect>
  <auto_restart>yes</auto_restart>
</client>

enrollment

New in version 4.0.

Configures the connection parameters for the agent enrollment.

Options

enabled

Enables/disables agent enrollment.

Default value

yes

Allowed values

yes or no

manager_address

Hostname or IP address of the manager where the agent will be enrolled. If no value is set, the agent will try enrolling to the same manager that was specified for connection.

Default value

n/a

Allowed values

string - Should be valid IP/Hostname

port

Specifies the port on the manager to send enrollment request. This must match the associated listening port configured on the Wazuh manager.

Default value

1515

Allowed values

Any port number from 0 to 65535 is allowed.

agent_name

Agent name that will be used for enrollment. Only alphanumeric characters, "-", "_" or "." are allowed, and the minimum length is two characters.

Default value

Hostname of the machine.

Allowed values

string - Registration name for the agent.

groups

Groups name to which the agent belongs.

Default value

NULL

Allowed values

string - Name of one or many valid groups.

agent_address

Force IP address from the agent. If this is not set manager will extract source IP address from enrollment message.

Default value

src

Allowed values

string - Valid IP address

ssl_cipher

Override SSL used ciphers.

Default value

HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH

Allowed values

valid ssl ciphers.

server_ca_path

Used for manager verification. If no CA certificate is set server will not be verified.

Default value

NULL

Allowed values

Path to a valid CA certificate.

Note

Paths can be referred to relative paths under the Wazuh installation directory, or full paths.

agent_certificate_path

Required when agent verification is enabled in the manager.

Default value

NULL

Allowed values

Path to a valid agent certificate file.

agent_key_path

Required when agent verification is enabled in the manager.

Default value

NULL

Allowed values

Path to a valid agent key file.

authorization_pass_path

Required when enrollment is using password verification.

Default value

Windows: authd.pass Unix: /etc/authd.pass

Allowed values

Path to a valid password file

auto_method

Auto negotiates the most secure common SSL/TLS method with the manager, use "yes" for auto negotiate or "no" for TLS v1.2 only.

Default value

no

Allowed values

yes or no

delay_after_enrollment

Time that agentd should wait after a successful registration.

Default value

20

Allowed values

number of seconds

use_source_ip

Force manager to compute IP address from agent message.

Default value

no

Allowed values

yes or no

Sample configuration

<client>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>192.168.1.100</manager_address>
    <port>1515</port>
    <agent_name>agent</agent_name>
    <groups>Group1</groups>
    <agent_address>192.168.0.110</agent_address>
    <ssl_cipher>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ssl_cipher>
    <server_ca_path>/path/to/server_ca</server_ca_path>
    <agent_certificate_path>/path/to/agent.cert</agent_certificate_path>
    <agent_key_path>/path/to/agent.key</agent_key_path>
    <authorization_pass_path>/path/to/agent.pass</authorization_pass_path>
    <auto_method>no</auto_method>
    <delay_after_enrollment>20</delay_after_enrollment>
    <use_source_ip>no</use_source_ip>
  </enrollment>
</client>