Ports and traffic


Emlyn Stokes

Aug 9, 2017, 10:52:51 AM
to Wazuh mailing list
I'm setting up Wazuh in a pretty locked down environment and wanted some clarification on ports used so I can configure both the firewalls on instances as well as general network traffic rules.

Here's my current understanding:
The API accepts traffic on 55000 from the Kibana app
The agents register with the Manager on 1515 (tcp), and send traffic on 1514 (udp)

Questions:
Does the Manager ever initiate connections back to the Agents on 1514 or 1515?
I notice the config on the Agents and Manager offer a protocol option, does changing 1514 to tcp have any significant downsides?

I'm tying this into an existing ELK stack, I'm already familiar with traffic flow for those pieces.

Thanks!

Jonathan Narvaez

Aug 9, 2017, 11:33:02 AM
to Emlyn Stokes, Wazuh mailing list
Hi Emlyn,

Q: Does the Manager ever initiate connections back to the Agents on 1514 or 1515?
A: Wazuh-Manager establishes communication with wazuh-agent via port 1514 (TCP or UDP), and Wazuh-Manager communicates with clients through port 1514, establishing a bidirectional communication.

Q: I notice the config on the Agents and Manager offer a protocol option, does changing 1514 to tcp have any significant downsides?
You can change the ports without problem, see the communications diagram (https://documentation.wazuh.com/current/getting-started/architecture.html#communications-and-data-flow).
And if you wish you can use TCP to communicate the agents with Wazuh-Manager.

Regards





--
Jonathan Narvaez
Wazuh Inc.
jona...@wazuh.com

Victor Fernandez

Aug 9, 2017, 1:36:33 PM
to Wazuh mailing list
Hi Emlyn,

Extending Jonathan's answer, Wazuh uses these ports:
  • 1515/TCP for agent authentication. This procedure is optional, it is one of the methods to register an agent in the manager. Each agent must be registered once.
  • 1514/TCP or 1514/UDP. This port is used to send data between agent and manager.
In both cases only the server listens to these ports. Communication is never initiated by the manager to the agent.

On the other hand, UDP is the default protocol for historical reasons. TCP is a more reliable protocol and gives some advantages to agents: they detect a connection issue immediately and they receive the shared configuration faster. TCP may saturate the network, although using UDP may lose events. Nowadays the manager can listen to agents using one protocol only. But I recommend you use TCP if you are able.

Hope it helps.
Best regards.
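
The port usage described in this thread, written out as host firewall rules. This is an added example, not part of any poster's message and not Wazuh's own tooling. The function names, the sample addresses (10.0.0.0/24, 10.0.1.5, 10.0.0.10) and the choice of iptables are assumptions.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules for the ports named in
# this thread. All addresses below are constructed samples.

# Only one protocol is accepted for 1514, mirroring the manager's
# single-protocol listener.
check_proto() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) echo "protocol must be tcp or udp, got: $1" >&2; return 1 ;;
    esac
}

# wazuh_manager_rules PROTO AGENT_NET KIBANA_IP
# Inbound rules for the manager host. Management access (e.g. SSH) is
# site-specific and must be added before the DROP policy is applied.
# The 1515 rule can be dropped if agents are registered another way.
wazuh_manager_rules() {
    check_proto "$1" || return 1
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $2 --dport 1515 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p $1 -s $2 --dport 1514 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -s $3 --dport 55000 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}

# wazuh_agent_rules PROTO MANAGER_IP
# Agent host with a restrictive OUTPUT policy: outbound only. No inbound
# port is opened because only the manager listens; data from the manager
# returns on the flow the agent opened. With udp, that return traffic
# matches only while the conntrack entry for the flow is still alive.
wazuh_agent_rules() {
    check_proto "$1" || return 1
    cat <<EOF
iptables -A OUTPUT -p tcp -d $2 --dport 1515 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p $1 -d $2 --dport 1514 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sample run: TCP on 1514, as recommended in the thread.
wazuh_manager_rules tcp 10.0.0.0/24 10.0.1.5
wazuh_agent_rules tcp 10.0.0.10
```

The protocol passed here has to match the protocol option set on both the manager and the agents.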

Emlyn Stokes

Aug 9, 2017, 1:53:23 PM
to Wazuh mailing list
Thanks, super clear answer!