Remote command to a group


SIIL IT

Jan 4, 2023, 8:57:01 AM
to Wazuh mailing list
I'm trying to get a couple of my groups to run a PowerShell command configured in the group, and in the logs I'm seeing:
2022/12/28 08:10:45 wazuh-agent: ERROR: Remote commands are not accepted from the manager. Ignoring it on the agent.conf

I have checked both the internal_options.conf and the local_internal_options.conf and wazuh_command.remote_commands=1 in both cases.

What else can be blocking me from running the remote commands? I'd rather not have to add the PowerShell manually on each server as that would be a bugger to manage!

I'm running Wazuh 4.3.10

Francisco Tuduri

Jan 4, 2023, 9:57:29 AM
to Wazuh mailing list
Hi!

Could it be that you enabled wazuh_command.remote_commands=1 in the etc/local_internal_options.conf of the manager instead of in the agents?

As mentioned here, "Remote commands may be specified in the centralized configuration, however, they are disabled by default due to security reasons." So, when setting commands in a shared agent configuration, you must enable the remote commands in each agent.
The remote commands must be enabled from the agent side because, by default, the Wazuh manager does not have the capability to run arbitrary code unless it is explicitly enabled on the agent side.

Let me know if that was the problem you were having.
Regards!

SIIL IT

Jan 5, 2023, 12:49:07 AM
to Wazuh mailing list
I have gone onto the specific devices and set the remote commands to 1 in both the local internal options and the internal options then restarted the agent. It's making no difference.
If I add the PowerShell to the agent config on the device, it works fine, but I'm running this on 50+ machines so I really need to get it to work via the group!

Francisco Tuduri

Jan 5, 2023, 8:48:20 AM
to Wazuh mailing list
Hello!

Sorry, I made an important omission in my previous answer. There are two different internal options that have to be set in each agent's local_internal_options.conf to enable remote commands:
  • wazuh_command.remote_commands=1
  • logcollector.remote_commands=1
Make sure those two lines are in each agent's etc/local_internal_options.conf, then restart the agent and try again, please.

As a side note, there is no need to modify the internal_options.conf file. Every setting in local_internal_options.conf will override the one in internal_options.conf. Also, internal_options.conf will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.
 
Sorry again for the mishap and please let me know if this solved your issue.

Regards!

SIIL IT

Jan 5, 2023, 8:57:17 AM
to Wazuh mailing list
Hi, 
That's changed the output in the ossec.log on one of the systems to show it's actually monitoring the output of the commands now. I will add the logcollector to a few of the other systems and see if we can actually trigger an alert.

Thanks

Naveen Sharma

May 11, 2023, 9:14:30 AM
to Wazuh mailing list
On top of that, the question I have is: in a large deployment, like 1000+ endpoints, it is tedious to enable the central config option manually on each of them. Plus, this is a mixed landscape of win+linux+mac etc., so how do I automate it?

Francisco Tuduri

May 11, 2023, 12:47:58 PM
to Wazuh mailing list
Hello Naveen!

You may look into using some orchestration tool for that, like Ansible. Here is a guide on how to deploy Wazuh using Ansible; it is not exactly your use case but may be useful as an overview.

If you have more questions about this I recommend that you open a new thread dedicated to that issue. Thanks!

Regards!
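
The two-option check discussed in this thread, as an added example (not part of any post and not Wazuh's own code): it computes the effective value of both options with local_internal_options.conf overriding internal_options.conf, lists which one still makes the agent ignore commands from the shared agent.conf, and returns corrected local file text that an orchestration tool could deploy. The function names and sample file contents are constructed, and treating the last duplicate line as the winner is an assumption.

```python
import re

REQUIRED = ("wazuh_command.remote_commands", "logcollector.remote_commands")
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\S+)\s*$")

def parse_options(text):
    """Parse key=value lines; '#' comments and blank lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])
        if m:
            opts[m.group(1)] = m.group(2)  # assumption: last occurrence wins
    return opts

def effective(internal_text, local_text):
    """Return {option: (value, source)}; the local file overrides the internal one."""
    internal, local = parse_options(internal_text), parse_options(local_text)
    result = {}
    for key in REQUIRED:
        if key in local:
            result[key] = (local[key], "local_internal_options.conf")
        else:
            result[key] = (internal.get(key), "internal_options.conf")
    return result

def not_enabled(internal_text, local_text):
    """Options that still make the agent ignore commands from shared agent.conf."""
    return [k for k, (v, _) in effective(internal_text, local_text).items() if v != "1"]

def ensure_enabled(local_text):
    """Return local_internal_options.conf text with both options set to 1 (idempotent)."""
    out, seen = [], set()
    for raw in local_text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])
        if m and m.group(1) in REQUIRED:
            seen.add(m.group(1))
            raw = m.group(1) + "=1"
        out.append(raw)
    out += [k + "=1" for k in REQUIRED if k not in seen]
    return "\n".join(out) + "\n"

# Constructed sample file contents (not taken from a real agent).
SAMPLE_INTERNAL = "# defaults\nwazuh_command.remote_commands=0\nlogcollector.remote_commands=0\n"
SAMPLE_LOCAL = "# local overrides\nwazuh_command.remote_commands=1\n"

if __name__ == "__main__":
    print("blocked by:", not_enabled(SAMPLE_INTERNAL, SAMPLE_LOCAL))
    print("after fix:", not_enabled(SAMPLE_INTERNAL, ensure_enabled(SAMPLE_LOCAL)))
```

The same `not_enabled` check, run against files collected from each agent, also gives an inventory of which endpoints accept manager-pushed commands.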