Retrieve Wazuh agent status


Cyprien Chapelle

Oct 4, 2022, 10:04:31 AM
to Wazuh mailing list
Hello,

I use Wazuh with Filebeat, Logstash and OpenSearch. I am currently looking for a way to display in real time the agents active or not. Looks like you have this feature with wazuh-dashboard.

I found that you could retrieve the status via API requests, in particular with: GET /agents/<YOUR_AGENT_ID>/stats/agent. However, is this really the best way to do it? I would like the display of the status to be practically in real time, that is to say that as soon as an agent is disconnected, it is displayed on OpenSearch.

Cyprien.

Francisco Tuduri

Oct 4, 2022, 11:43:40 AM
to Wazuh mailing list
Hello Cyprien!

As you said, one way to get the status of the agents is through the API. You can check this example: https://documentation.wazuh.com/current/user-manual/agents/listing/listing.html
You can also filter the agents by their connection status: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.get_agents

Another option that could work for you is monitoring the agent connection status alerts that the manager generates.
When the manager detects that an agent disconnects it generates an alert. The rule that triggers this alert is rule id 504:
  <rule id="504" level="3">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>


You can check the 0015-ossec_rules.xml to see the other related rules.

Keep in mind that an agent is considered disconnected after a certain period after its last keepalive message. By default this period is 10 minutes, but it can be modified in the configuration file. Please check this documentation:
Regards!

Cyprien Chapelle

Oct 5, 2022, 9:27:53 AM
to Wazuh mailing list
Hello and thank you for your answer!

The idea is to display the current state of the agent, but I'm not sure how to do it.

If I use the alerts generated by the manager when the agents are shut down or started, the status displayed should remain the same as long as there have been no other status alerts, you see what I mean?

I don't see how to do it, because if for example I retrieve an event with a field saying "Ossec agent disconnected", let's imagine that I have a tag that is added to then filter this tag on OpenSearch and display the agent as disconnected. How can I make the display update when the agent starts?

Francisco Tuduri

Oct 5, 2022, 7:01:09 PM
to Wazuh mailing list
Hi!

The recommended method to get the agents status is through the API: https://documentation.wazuh.com/current/user-manual/agents/listing/listing.html
But if I understand correctly, the problem you have with using the "Ossec agent disconnected" alert is that there is no alert when the agent reconnects.
A possible workaround for this is to make a process that checks periodically which agents are connected to the Wazuh Manager using the Wazuh API and writes them into a custom log file, which can be analyzed using logcollector (https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-logcollector.html) and creating a custom rule (https://documentation.wazuh.com/current/user-manual/ruleset/custom.html) to generate the needed alerts.

Regards!

Cyprien Chapelle

Oct 6, 2022, 5:39:36 AM
to Wazuh mailing list
Hi Francisco,

Thank you for your help, I had also thought of this idea for the process.

So I first tried to see what I could retrieve with API requests.

I generate a key with this command:

Then I do:

curl -k -X GET "https://localhost:55000/agents?agents_list=008" -H "Authorization: Bearer token"

My first problem is that this token expires after a certain time; how can I have a token with an indefinite duration?

Then, with the command above, I can obtain information about the agent and in particular its status. However, is it possible to return, via the query, only the status of the agent (and not all the information that I don't need)?

Francisco Tuduri

Oct 6, 2022, 12:22:34 PM
to Wazuh mailing list
Hi Cyprien,

You can increase the token expiration time by modifying the auth_token_exp_timeout value (in seconds), with an API call to PUT /security/config. Check this for more details.
There is no way to completely disable token expiry, but you can greatly increase the value of the mentioned variable. However, keep in mind that automatic token expiration is a security feature that can be useful in case your token is leaked. It is more advisable to develop a mechanism in your script that automatically requests a new token if the current one expires.

As for your second question, you can use a tool like jq to easily parse the received data.
For example, let's say that this is the response you get when listing the agents through the API, and it's saved in the file agents_status.json (just for demonstration purposes):
{
  "data": {
    "affected_items": [
      {
        "os": {
          "arch": "x86_64",
          "codename": "Bionic Beaver",
          "major": "18",
          "minor": "04",
          "name": "Ubuntu",
          "platform": "ubuntu",
          "uname": "Linux |wazuh-master |5.4.0-52-generic |#57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 |x86_64",
          "version": "18.04.4 LTS"
        },
        "manager": "wazuh-master",
        "status": "active",
        "node_name": "master-node",
        "lastKeepAlive": "9999-12-31T23:59:59Z",
        "ip": "127.0.0.1",
        "id": "000",
        "version": "Wazuh v4.0.0",
        "name": "wazuh-master",
        "registerIP": "127.0.0.1",
        "dateAdd": "2020-10-26T09:52:01Z"
      },
      {
        "status": "never_connected",
        "node_name": "unknown",
        "group": [
          "default",
          "group1",
          "dbms"
        ],
        "ip": "any",
        "id": "009",
        "name": "wazuh-agent9",
        "registerIP": "any",
        "dateAdd": "1970-01-01T00:00:00Z"
      }
    ],
    "total_affected_items": 2,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All selected agents information was returned",
  "error": 0
}

Running this command:

jq '.data.affected_items[] | .id + ":" + .status' agents_status.json

Will give you a line for each agent, with its id and its connection status:
"000:active"
"009:never_connected"
I hope this helps.
Regards!
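The periodic poller suggested earlier in the thread, combined with the token-renewal advice and the field trimming from this reply, as an added example that is not code from the thread or from the Wazuh project. It assumes the Wazuh API's POST /security/user/authenticate endpoint (returning data.token) and the select query parameter of GET /agents; the HTTP transport is injected as a callable so the logic runs offline against a constructed sample response, and a real deployment would back it with requests against https://localhost:55000 and append the returned lines to a file read by logcollector.

```python
import json
import time

# Constructed sample response for GET /agents?select=id,name,status
# (same shape as agents_status.json above, trimmed by the select parameter).
SAMPLE_AGENTS = {"data": {"affected_items": [
    {"id": "000", "name": "wazuh-master", "status": "active"},
    {"id": "009", "name": "wazuh-agent9", "status": "never_connected"}]}, "error": 0}


class AgentStatusPoller:
    """Polls the agent list through the Wazuh API and emits one JSON log line per agent.

    transport(method, path, headers) -> (http_status, body_dict) is injected so the
    HTTP layer (e.g. requests with basic auth / TLS settings) stays out of the logic.
    """

    def __init__(self, transport):
        self.transport = transport
        self.token = None

    def authenticate(self):
        # Assumed Wazuh API call: POST /security/user/authenticate -> {"data": {"token": ...}}
        status, body = self.transport("POST", "/security/user/authenticate", {})
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self.token = body["data"]["token"]

    def get_agents(self, select="id,name,status"):
        # Ask only for the fields we need; on 401 (expired token) re-authenticate once
        # instead of relying on a very long auth_token_exp_timeout.
        if self.token is None:
            self.authenticate()
        for attempt in range(2):
            status, body = self.transport("GET", f"/agents?select={select}",
                                          {"Authorization": f"Bearer {self.token}"})
            if status == 401 and attempt == 0:
                self.authenticate()
                continue
            if status != 200:
                raise RuntimeError(f"GET /agents failed: HTTP {status}")
            return body["data"]["affected_items"]

    def status_lines(self, now=None):
        # One compact JSON object per line, suitable for a logcollector <localfile>
        # with log_format json; a custom rule can then match on agent_status.
        ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        return [json.dumps({"timestamp": ts, "agent_id": a["id"], "agent_name": a["name"],
                            "agent_status": a["status"]}, sort_keys=True)
                for a in self.get_agents()]
```

Each poll rewrites the current status of every agent, so a dashboard query on the latest line per agent_id reflects reconnections as well as disconnections.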