Registering Wazuh agents

Note

Since Wazuh 4.0, by default, the agent registers automatically with the manager through enrollment. Configuration details can be found in the Enrollment section.

Collecting security event data from the Wazuh agent requires enabling communication with the Wazuh manager.

The Wazuh manager needs to know which Wazuh agent is sending the security events and whether it is authorized. This step is called Wazuh agent registration and can be performed using the registration service. The Wazuh manager handles the Wazuh agent’s registration request over a TLS connection on TCP port 1515. The Wazuh agent obtains a unique key used to encrypt the traffic between them. Once the registration is done, this connection is no longer used, unless the Wazuh agent needs to be registered with a new Wazuh manager.

After the registration, the Wazuh agent has to be configured with the destination to which the collected security events will be sent. By default, the Wazuh agent sends the collected data to the Wazuh manager over port 1514 using the TCP protocol.

Note

This documentation section can be skipped if the Wazuh agent was deployed using Deployment variables, Deployed with Ansible or Deployed with Puppet. In these cases, the registration process is different and described in their corresponding sections of the documentation.

Registering the Wazuh agent using simple registration service

To register the Wazuh agent, follow the steps corresponding to the Wazuh agent’s host operating system:

Open a terminal in the Linux/Unix Wazuh agent’s host as a root user.

  1. To register the Wazuh agent, run the agent-auth utility, using the Wazuh manager’s IP address:

    # /var/ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /var/ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
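  3. Restart the Wazuh agent using the command that matches the host’s init system:

    Systemd:

    # systemctl restart wazuh-agent

    SysV init:

    # service wazuh-agent restart

    Other Unix-based systems:

    # /var/ossec/bin/wazuh-control restart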

The Wazuh agent registration can be adjusted by using different agent-auth options.
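
A check that can run between steps 2 and 3 on a Linux/Unix host, as an added example that is not part of the Wazuh documentation or tooling: it confirms that the <client><server> address in ossec.conf no longer holds the MANAGER_IP placeholder before the agent is restarted. The function name check_manager_address, its exit codes and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Wazuh code: check step 2 before running step 3.
# Line-oriented; XML comments that span several lines are not handled.

# check_manager_address (hypothetical helper) exit status:
#   0 = every <client><server><address> value is usable
#   1 = the MANAGER_IP placeholder or a malformed value remains
#   2 = no <address> inside <client><server>   3 = file not readable
check_manager_address() {
    [ -r "$1" ] || return 3
    awk '
        { gsub(/<!--.*-->/, "") }            # drop single-line comments
        /<client>/      { c = 1 }
        c && /<server>/ { s = 1 }
        c && s && match($0, /<address>[^<]*<\/address>/) {
            # 9 = length of "<address>", 19 adds length of "</address>"
            addr = substr($0, RSTART + 9, RLENGTH - 19)
            gsub(/^[ \t]+|[ \t]+$/, "", addr)
            found++
            if (addr == "MANAGER_IP" || addr !~ /^[A-Za-z0-9.:-]+$/) {
                printf "line %d: unusable address \"%s\"\n", NR, addr
                bad++
            }
        }
        /<\/server>/ { s = 0 }
        /<\/client>/ { c = 0 }
        END { if (!found) exit 2; if (bad) exit 1 }
    ' "$1"
}

# Constructed sample: step 2 was skipped, so the placeholder is still there.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
    </server>
  </client>
</ossec_config>
EOF

if check_manager_address "$demo_conf"; then
    echo "address is set: the agent can be restarted"
else
    echo "edit ossec.conf before restarting (status $?)"
fi
rm -f "$demo_conf"
```

Against a real agent, pass /var/ossec/etc/ossec.conf (the path given in step 2) instead of the sample file.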

Open a PowerShell or CMD session in the Wazuh agent’s host as an Administrator.

The Wazuh agent’s installation directory depends on the architecture of the host:

  • C:\Program Files (x86)\ossec-agent for x86_64 hosts.

  • C:\Program Files\ossec-agent for x86 hosts.

Note

This guide assumes that the Wazuh agent is installed on an x86_64 host. The installation path is therefore: C:\Program Files (x86)\ossec-agent.

  1. To register the Wazuh agent, run the agent-auth.exe utility, using the Wazuh manager’s IP address:

    PowerShell:

    # &'C:\Program Files (x86)\ossec-agent\agent-auth.exe' -m <manager_IP>

    CMD:

    # "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at C:\Program Files (x86)\ossec-agent\ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent using the commands that match the session type:

    PowerShell:

    # Restart-Service -Name wazuh

    CMD:

    # net stop wazuh
    # net start wazuh

The Wazuh agent registration can be adjusted by using different agent-auth options.

Open a terminal in the MacOS X Wazuh agent’s host as a root user.

  1. To register the Wazuh agent, run the agent-auth utility, using the Wazuh manager’s IP address:

    # /Library/Ossec/bin/agent-auth -m <manager_IP>
    

    If the new Wazuh agent’s name is not provided, it is set automatically using the hostname. To specify the Wazuh agent’s name, add -A <agent_name> to the command above.

  2. To enable the communication with the Wazuh manager, edit the Wazuh agent’s configuration file placed at /Library/Ossec/etc/ossec.conf.

    In the <client><server> section, MANAGER_IP has to be replaced with the Wazuh server’s IP address or the DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  3. Restart the Wazuh agent:

    # /Library/Ossec/bin/wazuh-control restart
    

The Wazuh agent registration can be adjusted by using different agent-auth options.

There are also other easy registration methods. The choice depends on the particular use case and the preferences of the user:

Registration method and description:

  • Using command line (CLI): Manual registration using the manage_agents utility. Requires extracting the registration key from the Wazuh manager and inserting it manually in the Wazuh agent.

  • Using Wazuh API: Uses a simple Wazuh API request from any host. Requires adding the returned registration key manually to the Wazuh agent using the manage_agents utility.

  • Using registration service with password authorization: Registration using the agent-auth utility. Allows additional protection of the Wazuh manager from unauthorized registrations by using a password.

  • Using registration service with host verification: Registration using the agent-auth utility. Ensures that the connection between the right Wazuh agent and the right Wazuh manager is established.

To learn more about the Wazuh agent registration process, read the Registering Wazuh agents - additional information page.

In case of problems during registration, visit the Registering Wazuh agents - troubleshooting page to find a solution.