New port addition in ossec.conf

760 views
Skip to first unread message

Nithin Jose

unread,
May 9, 2022, 1:08:08 PM5/9/22
to Wazuh mailing list
Hi, 

Is it possible to add port 443 along with 1514 in   /var/ossec/etc/ossec.conf

<remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>


Best Regards.
Nithin

Aditya Sharma

unread,
May 11, 2022, 3:52:26 AM5/11/22
to Wazuh mailing list
Hi Nithin, Thanks for using Wazuh!

As you wanted to see & check the default ports please check out here: https://documentation.wazuh.com/current/getting-started/architecture.html#required-ports

Just for your information, 443 is the default port to load the Kibana Wazuh Web Interface in Wazuhv4.2.6 & below or Wazuh Dashboard in Wazuhv4.3.0.

I hope this information helps you. Please let us know of any further help required.

Regards
Aditya Sharma

Alberto Rodriguez

unread,
May 11, 2022, 5:03:36 AM5/11/22
to Wazuh mailing list
Hello

  As Aditya mentioned, the 443 is the recommended port for Wazuh dashboard. Although, if you want, you can use 443 for agent connection, you should remember to change the Wazuh dashboard port if you finally decide to use it. 
You can change the block `remote` as you mentioned, but additionally, you should run `setcap 'cap_net_bind_service=+ep' /var/ossec/bin/wazuh-remoted`. 443 is a reserved OS port, so this command is adding to the `remoted` daemon the necessary permissions to use it. 

Regards, 
Alberto R

Nithin Jose

unread,
May 16, 2022, 9:02:06 AM5/16/22
to Wazuh mailing list
Hi Alberto,

Thanks for your comment, can you please explain is it possible to change agent registration default port (1515) in agent side. 

not able to see in  /var/ossec/etc/ossec.conf (Ubuntu 20).

I used below command for agent registration.
 
 /var/ossec/bin/agent-auth -m <Manager IP> 

Best Regards,
Nithin 

Alberto Rodriguez

unread,
May 16, 2022, 11:19:54 AM5/16/22
to Nithin Jose, Wazuh mailing list

Hello Nithin

You asked about 1514, but it’s the same as 1515 with a different location at ossec.conf.
Your goal: be able to register agents through 443 port. The Wazuh manager registration service must be listening on port 443. This can be done by modifying the /var/ossec/etc/ossec.conf section: 

  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

Replace 1515 with 443. I think you don’t need to run the setcap command explained before, but please make sure that no more process are using the 443 port. If they are using it, the Wazuh manager will not be able to start.
Then, after restarting the wazuh manager, you can use /var/ossec/bin/agent-auth -m <Manager IP> -p 443. Note that you need to indicate the port because agent-auth will use 1515 by default.

Anyway, let me recommend you check the autoenrollment feature: https://documentation.wazuh.com/current/user-manual/agent-enrollment/via-agent-configuration/linux-endpoint.html

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e96d94bf-f079-4daa-8331-8a440765b9cdn%40googlegroups.com.

Reply all
Reply to author
Forward
0 new messages