Pushing group settings to agents


Guido Kellershof

Oct 7, 2023, 12:51:31 AM
to Wazuh | Mailing List
Hi there,
I defined a setting in the agent.conf of the default group:

<agent_config>
<!-- Shared agent configuration here -->
</agent_config>
<agent_config os="windows">
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
</agent_config>

For some reason this is not being pushed to the Windows agents out there. Is there any additional setting I am missing?

Best,
Guido

Olusegun Adenrele Oyebo

Oct 7, 2023, 10:21:23 AM
to Wazuh | Mailing List
Thank you for using Wazuh.

Can you check your agent log, which is found at C:\Program Files (x86)\ossec-agent\ossec.log, and verify that the agent restarted as a result of receiving the shared configuration? You should see an entry like this: "wazuh-agent: INFO: Agent is restarting due to shared configuration changes."

By default the agent restarts by itself automatically when it receives a new shared configuration. If auto_restart has been disabled in the <client> section of the local configuration, the agent will have to be manually restarted so that the new agent.conf file will be used. To get more information on how the centralized configuration works, you can check the guide Centralized configuration.

I hope this was helpful. Do not hesitate to reach out to us again if you have any other query.

Best regards.

Guido Kellershof

Oct 9, 2023, 10:03:54 AM
to Wazuh | Mailing List

Hi Olusegun,
thanks for your reply, I have checked both:

* There is no entry in the ossec.log showing that the agent received and/or restarted any settings.
* auto_restart in ossec.conf is enabled.

Any other ideas why it's not working?

Best,
Guido

Guido Kellershof

Oct 13, 2023, 2:28:47 AM
to Wazuh | Mailing List
I did another test recommended in the manual with the following output:

root@wazuh:/# curl -k -X GET "https://localhost:55000/agents?agents_list=001&select=group_config_status&pretty=true" -H  "Authorization: Bearer $TOKEN"
{"title": "Unauthorized", "detail": "No authorization token provided"}
root@wazuh:/# /var/ossec/bin/agent_groups -S -i 001
Agent '001' is not synchronized. 

Can you shed any light on this?

Guido

Kate Congdon

Oct 13, 2023, 11:28:37 AM
to Wazuh | Mailing List
That's an API command and it needs a bearer token to run. A bearer token is what you present instead of your username and password to tell the API you're an authorized user. There are instructions in the API section in the Wazuh Documentation for how to get an authentication bearer token. The instructions didn't work for me, but that might have been because I was in the API Console in the dashboard and not running it from the command line on the Wazuh server. Whenever you see "localhost:5500" in the Wazuh documentation, I'm assuming you have to run the command on the Wazuh server (not the dashboard server and not the index server).

The reason the command didn't work is because it needs a bearer token.

A more useful command for you to run to check the agent.conf status, on the Wazuh server itself, would be:
/var/ossec/bin/verify-agent-conf

Olusegun Adenrele Oyebo

Oct 16, 2023, 5:55:34 AM
to Wazuh | Mailing List
Hello Guido,

Sorry for the late response.

As stated by Kate, you will need a token which will be used for authentication. First export the token to an environment variable to use it in the authorization header of future API requests. Run the below command on the Wazuh server. You can check the link for more information:
To confirm that the token was generated, run the command: echo $TOKEN

You can then run the below command to confirm that the agent(s) received the configuration:
You can also check if there were configuration errors when you updated the agent.conf file with the below command:
  • /var/ossec/bin/verify-agent-conf
Kindly let us know your findings after verifying the above so as to assist you further.

Best regards.
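The two checks suggested in the replies above, written out as an added example in Python (this is not code from the thread or from the Wazuh project): one helper scans an ossec.log for the restart message Olusegun quoted, and the API helpers first obtain a bearer token with basic auth and then query group_config_status, which is the step the curl command in the thread skipped (hence its 401). The base URL https://localhost:55000 is the one used in the thread; the user/password pair is hypothetical; the log excerpt and the JSON response are constructed samples shaped like what the agent log and the GET /agents endpoint produce.

```python
"""Two checks for whether an agent has picked up the shared agent.conf.

Added example (not Wazuh project code): one helper scans an ossec.log for the
restart message quoted in the thread, the others call the manager API with a
bearer token, which the curl in the thread lacked (hence the 401).
"""
from __future__ import annotations

import base64
import json
import ssl
import urllib.request

RESTART_MSG = "Agent is restarting due to shared configuration changes"

# Constructed ossec.log excerpt (not a real capture); the third line is the
# message a Windows agent logs after applying a new shared configuration.
SAMPLE_LOG = """\
2023/10/07 00:50:01 wazuh-agent: INFO: Started (pid: 4120).
2023/10/07 00:50:03 wazuh-agent: INFO: Connected to the server ([10.0.0.5]:1514/tcp).
2023/10/07 00:50:09 wazuh-agent: INFO: Agent is restarting due to shared configuration changes.
"""


def restart_events(log_text: str) -> list[str]:
    """Return the 'YYYY/MM/DD HH:MM:SS' stamps of shared-config restarts."""
    return [" ".join(line.split(" ", 2)[:2])
            for line in log_text.splitlines() if RESTART_MSG in line]


def summarize_status(api_response: dict) -> dict[str, str]:
    """Map agent id -> group_config_status ('synced' / 'not synced') from the
    JSON body of GET /agents?select=group_config_status. A body without 'data'
    is an error document, such as the 401 shown in the thread."""
    if "data" not in api_response:
        raise RuntimeError(api_response.get("detail") or api_response.get("title") or "API error")
    return {item["id"]: item.get("group_config_status", "unknown")
            for item in api_response["data"].get("affected_items", [])}


# Constructed response in the shape GET /agents returns for this query.
SAMPLE_RESPONSE = {
    "data": {
        "affected_items": [
            {"id": "001", "group_config_status": "not synced"},
            {"id": "002", "group_config_status": "synced"},
        ],
        "total_affected_items": 2, "total_failed_items": 0, "failed_items": [],
    },
    "message": "All selected agents information was returned",
    "error": 0,
}


def lab_tls_context() -> ssl.SSLContext:
    """Equivalent of curl -k: skips certificate checks. Acceptable only against
    a lab manager still using its default self-signed API certificate; trust
    the real CA (or pin the certificate) in production."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(base_url: str, user: str, password: str, ctx: ssl.SSLContext) -> str:
    """POST /security/user/authenticate?raw=true with basic auth returns the JWT
    as plain text (the same call the documentation wraps in TOKEN=$(curl ...))."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate?raw=true",
                                 method="POST", headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode().strip()


def group_config_status(base_url: str, token: str, agent_ids: list[str],
                        ctx: ssl.SSLContext) -> dict[str, str]:
    """GET /agents?agents_list=...&select=group_config_status with the bearer token."""
    url = f"{base_url}/agents?agents_list={','.join(agent_ids)}&select=group_config_status"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return summarize_status(json.load(resp))


if __name__ == "__main__":
    print("restarts seen in log:", restart_events(SAMPLE_LOG))
    print("status from sample response:", summarize_status(SAMPLE_RESPONSE))
    # Live use on the Wazuh server (hypothetical credentials):
    # ctx = lab_tls_context()
    # token = get_token("https://localhost:55000", "wazuh", "wazuh", ctx)
    # print(group_config_status("https://localhost:55000", token, ["001"], ctx))
```

Run it on the Wazuh server itself, as Kate noted, since the API listens on localhost:55000 there; an agent reported as "not synced" together with no restart line in its ossec.log means the manager has not delivered the group configuration to that agent yet.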

Guido Kellershof

Oct 26, 2023, 3:25:19 AM
to Wazuh | Mailing List
Hi Kate, Hi Olusegun,
thanks for your support. It took a while to get all of it done, but it's working now, including the bearer token.

In case someone else is interested in this case: I moved from an Ubuntu container to CentOS 8 without a container to make it work.
With the container installation it wasn't successful.

One question: as far as I can see, the ossec.conf on a Windows machine will not be changed once a different configuration is sent by the server.
The change just happens in the agent.conf in the shared folder. Is my assumption correct?

Best,
Guido 

Olusegun Adenrele Oyebo

Oct 27, 2023, 12:15:34 PM
to Wazuh | Mailing List
Hello Guido,

Thanks for reaching out again.

When the central configuration is used together with the ossec.conf on the agent, the local configuration on the agent and the shared configuration are merged. However, the ossec.conf file is read before the shared agent.conf, and the last configuration of any setting will overwrite the previous one. Also, if a file path for a particular setting is set in both configuration files, both paths will be included in the final configuration. You can check our documentation for more information on how it works.

I hope this was helpful and provided clarity. Don't hesitate to reach out again if you still need any other thing. We remain attentive.

Best regards.
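The merge rules described in the last reply, modelled as an added Python example (not the agent's own code, and not from the thread): the local ossec.conf is read first, then the <agent_config> blocks that apply to the agent, the last value of a scalar setting wins, and <localfile> entries from both files are kept. It reuses Guido's agent.conf from the first post, extended with a <syscheck> frequency (added here) so the overwrite rule has something to act on, alongside a constructed Windows ossec.conf excerpt. The treatment of the os attribute as a case-insensitive substring of the agent's OS string is a simplification for this model; the real agent applies its own matching. The well-formedness check only shows what a parser rejects; on the manager, /var/ossec/bin/verify-agent-conf is the real check.

```python
"""Model of how a Wazuh agent combines its local ossec.conf with the shared
agent.conf: the local file is read first, matching <agent_config> blocks after
it, the last value of a setting wins, and <localfile> entries accumulate.

Added example, not Wazuh's code. It also shows that agent.conf is not a single
XML document (several top-level blocks), which matters when you validate it.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Iterator

# Guido's shared agent.conf from the thread, extended with a <syscheck>
# frequency (added here) so the overwrite rule has something to act on.
SHARED_AGENT_CONF = """\
<agent_config>
<!-- Shared agent configuration here -->
</agent_config>
<agent_config os="windows">
<syscheck><frequency>21600</frequency></syscheck>
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
</agent_config>
"""

# Constructed local ossec.conf excerpt of a Windows agent (not a real file).
LOCAL_OSSEC_CONF = """\
<ossec_config>
<client><server><address>10.0.0.5</address></server></client>
<syscheck><frequency>43200</frequency></syscheck>
<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
</localfile>
</ossec_config>
"""


def parse_shared_conf(text: str) -> ET.Element:
    """agent.conf may contain several top-level <agent_config> blocks, so it is
    not one XML document; wrap it in a synthetic root before parsing."""
    return ET.fromstring(f"<shared>{text}</shared>")


def shared_conf_is_well_formed(text: str) -> bool:
    """True if the shared file parses; a malformed agent.conf is one reason a
    push never reaches the agents (verify-agent-conf reports this on the manager)."""
    try:
        parse_shared_conf(text)
        return True
    except ET.ParseError:
        return False


def block_applies(block: ET.Element, agent_os: str) -> bool:
    """Simplification for this model: an os attribute is matched as a
    case-insensitive substring of the agent's OS string; a block without the
    attribute applies to every agent. The real agent has its own matching."""
    os_attr = block.get("os")
    return os_attr is None or os_attr.lower() in agent_os.lower()


def leaves(elem: ET.Element, prefix: str) -> Iterator[tuple[str, str]]:
    """Yield ('section.sub.option', value) for every leaf element under elem."""
    for child in elem:
        path = f"{prefix}.{child.tag}"
        if len(child):
            yield from leaves(child, path)
        else:
            yield path, (child.text or "").strip()


def merge(local_xml: str, shared_xml: str, agent_os: str) -> dict:
    """Combine ossec.conf and the applicable agent.conf blocks, in read order."""
    merged: dict = {"localfile": []}
    sources = [ET.fromstring(local_xml)]
    sources += [b for b in parse_shared_conf(shared_xml) if block_applies(b, agent_os)]
    for root in sources:                     # ossec.conf first, then shared blocks
        for section in root:
            if section.tag == "localfile":   # file paths / channels accumulate
                merged["localfile"].append({c.tag: (c.text or "").strip() for c in section})
            else:                            # scalar options: the last one wins
                for path, value in leaves(section, section.tag):
                    merged[path] = value
    return merged


if __name__ == "__main__":
    print("windows agent:", merge(LOCAL_OSSEC_CONF, SHARED_AGENT_CONF, "Microsoft Windows 10 Pro"))
    print("linux agent:  ", merge(LOCAL_OSSEC_CONF, SHARED_AGENT_CONF, "Linux ubuntu 5.15"))
```

For the Windows agent the result keeps both eventchannel sources (Application from ossec.conf and Sysmon from agent.conf) while the shared syscheck frequency replaces the local one; a Linux agent gets only the non-OS-specific block, so its local values stand. Nothing here writes to ossec.conf, which matches Guido's observation that the local file is left untouched and only the shared agent.conf changes.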