ossec agent lan/dmz configuration


Peutre o/

Sep 9, 2021, 3:52:44 AM
to Wazuh mailing list
Hello everyone, 

I need to know how many port authorizations I have to set up for the ossec agent for Wazuh.
My configuration:

I have my Wazuh server in the LAN: 10.1.24.14
And I will have many clients to monitor in the DMZ: 192.168.100....

I understand that I need to have tcp/udp 1514 open for ossec-agentd and maybe 1515 for the registration.

Is the only flow needed:
LAN : 10.1.24.14 to DMZ : 192.168.100.... with port 1514/1515
or
DMZ : 192.168.100.... to LAN : 10.1.24.14 with port 1514/1515

I am a bit lost about the direction of the traffic: is it the agent that pushes data? Which port do I need to authorize?

On my LAN clients, with netstat I see:
10.1.24.106:64107       10.1.24.14:1514        ESTABLISHED 92173/ossec-agentd
Is 64107 a random connection port?

Thanks for your help

Julián Morales

Sep 9, 2021, 9:02:30 AM
to Wazuh mailing list

Hi Peutre,

You are right, the default ports used are tcp:1514 and tcp:1515 for communication (wazuh-remoted) and agent registration (wazuh-authd) respectively.
Agents are always the ones who initiate the connection, and managers are always listening. In your case,
the firewall rules should allow the flow:

DMZ : 192.168.100.... to LAN : 10.1.24.14 with port 1514/1515

On the other hand, port 64107 is a random port of the client host. When starting the connection,
the client selects a free random port, generally greater than 50000, to establish the connection with the manager.

Regards,
Julian
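
The flow described in this answer, written as an nftables ruleset (an added example, not part of the original thread and not Wazuh's own configuration). It assumes the firewall between the DMZ and the LAN is a Linux host running nftables; `DMZ_NET` is a placeholder because the thread does not give the full DMZ range, and the table and chain names are made up here.

```nftables
# Added example. Assumptions: Linux/nftables firewall routing between DMZ and LAN.
define MANAGER = 10.1.24.14       # Wazuh manager, from the thread
define DMZ_NET = 192.0.2.0/24     # PLACEHOLDER: replace with the real DMZ agent subnet

# Stand-alone illustration: on a production firewall, fold these rules into
# the existing forward chain instead of loading a second base chain whose
# drop policy would also apply to all other forwarded traffic.
table inet wazuh_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections accepted below. This is what covers
        # the agent's random source port (64107 in the netstat output), so no
        # rule ever has to name a high port range.
        ct state established,related accept

        # Agents initiate, the manager listens:
        #   1514/tcp = wazuh-remoted (agent communication)
        #   1515/tcp = wazuh-authd   (agent registration)
        ip saddr $DMZ_NET ip daddr $MANAGER tcp dport { 1514, 1515 } ct state new accept

        # No new connection from the manager towards the DMZ is required for
        # these two services; log and drop attempts so they show up in review.
        ip saddr $MANAGER ip daddr $DMZ_NET ct state new log prefix "lan-to-dmz-new " drop
    }
}
```

If agents are configured to use UDP for 1514, as the question mentions, the accept rule needs a matching `udp dport 1514` line.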

Peutre o/

Sep 9, 2021, 9:40:06 AM
to Wazuh mailing list
Many thanks for the answer, Julian! I will try to apply the firewall rules that way and we will see if everything is good :)