Automatic registration of Windows Wazuh clients with SO


Stephen Eaton

Oct 9, 2018, 8:08:23 PM
to security-onion

Hi all,

I want to be able to deploy unattended via our PDQDeploy server to our desktop fleet, and it appears that I need to register the client with SO first, then obtain a key that gets manually entered in on the client install.

How are others automating deployment of Wazuh Windows clients and registration with SO?

Cheers,

Stephen…

Kevin Branch

Oct 10, 2018, 11:19:47 PM
to securit...@googlegroups.com
You can make your new Windows agents do one-time password-authenticated self-registration with the Wazuh manager on SO. In fact, the Wazuh MSI installer lets you specify the name of the registration server and the shared self-registration password as parameters, like this:

wazuh-agent-3.6.1-1.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" PASSWORD="TopSecret" 

See this for more detail on the MSI options:

First you have to turn on the self-registration service with this (only one time) on the SO server:

/var/ossec/bin/ossec-control enable auth

Then you must configure the service. See the <auth> section of /var/ossec/etc/ossec.conf on the same SO server. Turn on the password option! Documentation for <auth>:

Then remember to open the Wazuh self-registration port in SO's firewall, perhaps like this:

ufw allow 1515/tcp

Lastly, restart Wazuh manager on SO:

/var/ossec/bin/ossec-control restart

Now you should be able to run the installer MSI with the self-registration options such that Wazuh agent gets registered as part of the installation process.

Note that self-registration does not actually edit the ossec.conf file of the agent, so it's still on you as part of your mass-deployment process to push out your own stock version(s) of ossec.conf to your fleet. You at least need to customize the part that tells the agent how to find the manager.

Also if you are just getting started, I strongly recommend two things:
Enough for now.  Feel free to ask other questions.  For general Wazuh topics, you would do well to check out the Wazuh mailing list as well: wazuh+s...@googlegroups.com

Kevin
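
An added example, not part of the post above or of the Wazuh project's code: a preflight for the manager-side steps that refuses to open the registration port unless the <auth> block in ossec.conf has password authentication turned on. The function names, the <disabled> and <use_password> element names (as in Wazuh 3.x) and the subnet-scoped ufw rule are assumptions beyond what the post states.

```shell
#!/bin/sh
# Added example (not from the post). Run on the SO server as root.
CONF=/var/ossec/etc/ossec.conf

# Print the value of <TAG> inside the <auth>...</auth> block of FILE.
# Scoping to <auth> matters: other sections must not satisfy the check.
auth_opt() {  # usage: auth_opt FILE TAG
    sed -n '/<auth>/,/<\/auth>/p' "$1" |
        sed -n "s|.*<$2>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</$2>.*|\1|p" |
        head -n 1
}

# Succeed only if authd is not disabled and requires the shared password.
authd_password_enforced() {  # usage: authd_password_enforced FILE
    if [ "$(auth_opt "$1" disabled)" = "yes" ]; then
        echo "authd is disabled in <auth>" >&2; return 1
    fi
    if [ "$(auth_opt "$1" use_password)" != "yes" ]; then
        echo "use_password is not 'yes': registration on 1515/tcp is unauthenticated" >&2
        return 1
    fi
}

# The post's manager-side steps, gated on the check above.
# AGENT_NET (e.g. 192.168.1.0/24) narrows the post's "ufw allow 1515/tcp"
# to the desktop subnet; that scoping is an assumption added here.
enable_self_registration() {  # usage: enable_self_registration AGENT_NET
    authd_password_enforced "$CONF" || return 1
    /var/ossec/bin/ossec-control enable auth
    ufw allow from "$1" to any port 1515 proto tcp
    /var/ossec/bin/ossec-control restart
}
```

Nothing runs until enable_self_registration is called with the agent subnet, so the file can be sourced and authd_password_enforced used alone as a read-only audit of an existing manager.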
