Cyber Security Raspberry Pi

Adding Wazuh Agents

Installing Wazuh on your systems is just the first step in securing your home lab. The next step is to add agents to the Wazuh manager so that it can monitor the systems for any suspicious activity. In this blog post, we will go over the process of adding an agent to the Wazuh manager and provide an example of the code that you can use to do it.

First, let’s start by understanding what an agent is. In the context of Wazuh, an agent is a small program that runs on a system and sends log data to the Wazuh manager. The manager then processes this log data and sends alerts if any suspicious activity is detected.

To add an agent to the Wazuh manager, you will need to download the agent package for your system and install it. Once the agent is installed, you will need to configure it to connect to the Wazuh manager.

Here is an example of how to add an agent to the Wazuh manager on an Ubuntu system:

# Download the agent package
wget https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-agent/wazuh-agent_3.15.0-1_amd64.deb

# Install the package
sudo dpkg -i wazuh-agent_3.15.0-1_amd64.deb

# Configure the agent to connect to the manager
sudo sed -i "s:MANAGER_IP:10.0.0.10:g" /var/ossec/etc/ossec.conf

This code snippet downloads the agent package for an Ubuntu system, installs it and then configures it to connect to a Wazuh manager with IP address 10.0.0.10. The sed command replaces the MANAGER_IP placeholder that ships in ossec.conf, so substitute the IP address of your own Wazuh manager for 10.0.0.10.

Just like we did in the initial installation, we will want to configure the agent for our needs, so we edit the ossec.conf file:

<ossec_config>
  <client>
    <server-ip>10.0.0.10</server-ip>
    <config-profile>raspberry</config-profile>
  </client>
  <syscheck>
    <scan_on_start>yes</scan_on_start>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
  </syscheck>
</ossec_config>
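The sed step above only works while the MANAGER_IP placeholder is still in ossec.conf; run it a second time on an agent that is already configured and nothing changes. The following script is an added example, not code from the original post or from the Wazuh project, that sets the manager address whether or not the placeholder is present, validates the address first, reads back what the agent will use, and checks the agent daemon's connection state. It assumes GNU sed, the default Linux agent paths, and that /var/ossec/var/run/wazuh-agentd.state contains a line status='connected' once the agent has enrolled.

```bash
#!/bin/bash
# Added example, not from the original post: set the Wazuh manager address in
# an agent's ossec.conf so the step can be re-run safely, then verify it.
# Assumptions: GNU sed; the default Linux agent paths used below; the
# wazuh-agentd.state file format (a line status='connected' when enrolled).

# Replace the MANAGER_IP placeholder, or an already-configured <server-ip>
# value, with $2. The single sed from the post only works while the
# placeholder is still present; re-running it on a configured agent is a no-op.
set_manager_ip() {
    conf="$1"; ip="$2"
    # Refuse anything that is not a dotted quad with octets in 0..255.
    echo "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }' \
        || { echo "invalid manager address: $ip" >&2; return 1; }
    sed -i "s:MANAGER_IP:$ip:g" "$conf"
    sed -i "s:<server-ip>[^<]*</server-ip>:<server-ip>$ip</server-ip>:" "$conf"
}

# Print the manager address the agent will use (first <server-ip> match).
get_manager_ip() {
    sed -n 's:.*<server-ip>\([^<]*\)</server-ip>.*:\1:p' "$1" | head -n 1
}

# Return 0 if the agent daemon reports it is connected to the manager.
# wazuh-agentd.state is written by the agent; the default path is an assumption.
agent_connected() {
    state="${1:-/var/ossec/var/run/wazuh-agentd.state}"
    grep -q "^status='connected'" "$state" 2>/dev/null
}

# Demo on a constructed copy of the stock template so it runs offline.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <client>
    <server-ip>MANAGER_IP</server-ip>
    <config-profile>raspberry</config-profile>
  </client>
</ossec_config>
EOF
set_manager_ip "$demo_conf" 10.0.0.10
echo "first run  -> $(get_manager_ip "$demo_conf")"   # 10.0.0.10
set_manager_ip "$demo_conf" 10.0.0.20      # placeholder gone, still updates
echo "second run -> $(get_manager_ip "$demo_conf")"   # 10.0.0.20
rm -f "$demo_conf"
```

On a real agent, run `set_manager_ip /var/ossec/etc/ossec.conf <manager-ip>` as root, restart the wazuh-agent service, and `agent_connected` tells you whether the daemon has actually reached the manager.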

After saving the file and restarting the wazuh-agent service, the agent should connect to the manager and start sending log data. You can check the status of the agent by running the command:

sudo systemctl status wazuh-agent

Install on Windows

Installing the Wazuh agent on a Windows system is a bit different than installing it on a Linux system, but it is still straightforward. In this section, we will go over the process of installing the Wazuh agent on a Windows system and provide an example of the code that you can use to do it.

First, you will need to download the Wazuh agent installer for Windows from the official Wazuh website. Once the installer has been downloaded, you can start the installation process by running the installer file as an administrator.

Here is an example of how to install the Wazuh agent on a Windows system using the command prompt:

# Download the agent installer
powershell (New-Object System.Net.WebClient).DownloadFile('https://packages.wazuh.com/3.x/windows/agent/wazuh_agent-3.15.0-1-windows-64-installer.exe','wazuh_agent-3.15.0-1-windows-64-installer.exe')

# Start the installation process
.\wazuh_agent-3.15.0-1-windows-64-installer.exe /S /SERVER=10.0.0.10

This code snippet downloads the agent installer for Windows and starts the installation process in silent mode, meaning it will not prompt for any user input. It also configures the agent to connect to the Wazuh manager with IP address 10.0.0.10. Replace “10.0.0.10” with the IP address of your Wazuh manager.

The agent’s configuration settings are stored in the file ossec.conf located in the C:\Program Files (x86)\ossec-agent directory.

Here is an example of the agent settings that you can use to configure the agent to connect to the Wazuh manager:

<ossec_config>
  <client>
    <server-ip>10.0.0.10</server-ip>
    <config-profile>default</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>1800</time-reconnect>
  </client>
</ossec_config>

This is the basic configuration; you can add more settings depending on your specific needs.

The <server-ip> setting is used to specify the IP address of the Wazuh manager. Replace “10.0.0.10” with the IP address of your Wazuh manager.

The <config-profile> setting is used to specify the configuration profile that the agent should use. This is useful if you want to apply different configurations to different groups of agents.

The <notify_time> setting is used to specify the time interval (in seconds) at which the agent should send log data to the manager.

The <time-reconnect> setting is used to specify the time interval (in seconds) at which the agent should try to reconnect to the manager if the connection is lost.

You can also add other settings to the ossec.conf file to configure the agent to monitor specific log files, ignore certain events, or to apply rules to the log data.

Make sure to save the changes to the ossec.conf file and restart the agent service for the changes to take effect.

After configuring the agent, it should be ready to start sending log data to the manager. You can check the status of the agent by running the command:

sc query WazuhSvc

Keep in mind that this is just an example configuration; you should adjust the settings according to your specific needs.

Also, the location of the ossec.conf file could be different based on the version of the agent, so you should check the Agent documentation to make sure you are editing the right file.

But that is it! You’ve successfully installed the Wazuh agent on a Linux and a Windows system. With the agents in place, you can now monitor the systems for any suspicious activity and keep your environment secure.

Note:

  • Make sure you have the PowerShell script execution policy set to allow the script to run.
  • Also make sure you run the command prompt as administrator before running the script.
