Groups in Wazuh
Facu Basgall
I would like to know if there is a possibility to create sub groups within Wazuh, to keep the agents organised.
And in turn, if you can implement dynamic groups, for example, create a rule that if the operating system is Windows Server automatically add it to a specific group.
Gerardo David Caceres Fleitas
Thanks for using Wazuh!.... I'll review the requirement you mention and get back to you as soon as possible with the most similar feature we have today, I also find it interesting to be able to do it that way.
Greetings.
Gerardo David Caceres Fleitas
Hello Facu,
I hope you are very well... I've been looking into your question, and I wanted to let you know that since Wazuh V3.7.0, we have the ability to assign multiple groups to each agent. However, these groups don't operate in a hierarchical or subgroup mode.
Screenshot from Wazuh / Agents:
Using multiple groups can help us distribute some settings centrally and each group can have its own settings.
This is an example of code to enroll a new Centos-Linux agent and add It to the "Linux" and "Branch" groups. The group assignment could be done via registration, API, and GUI.
sudo WAZUH_MANAGER='192.168.100.150' WAZUH_AGENT_GROUP='Linux,Branch' WAZUH_AGENT_NAME='Centos-server' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.4.4-1.x86_64.rpm
Deployment variables are discussed in more detail here:
https://documentation.wazuh.com/current/user-manual/deployment-variables/deployment-variables.html
In order to deploy numerous agents simultaneously, the deployment phase could even be automated. Here is an example using Windows agents and PDQ.
https://wazuh.com/blog/deploying-wazuh-agents-to-windows-endpoints-with-pdq-deploy/
Our User manual / Agent management / Grouping agents contains even more details about groups. You can find it here:
The platform is constantly evolving and we are making improvements to it, the idea of a "dynamic group" for already registered endpoints sounds like an interesting thing to consider.
For now, I think one way to achieve that goal could be to create an external script that validates the OS information and communicates through the Wazuh API to request a group assignment based on the parameters we're looking for, such as the host OS.
PUT request example:
“PUT” /agents/{agent_id}/group/{group_id}
Response example:
{
"data": {
"affected_items": [
"003"
],
"total_affected_items": 1,
"total_failed_items": 0,
"failed_items": []
},
"message": "All selected agents were assigned to group3",
"error": 0
}
Our API documentation is available here:
We are grateful that you use our platform, and we know that our community helps us improve. If you would like to contribute to the project, you are welcome to do so.
Our GitHub URL is:
Greetings.
Gerardo Caceres
Facu Basgall
Thank you very much for your early reply
Perfect, I knew about the functionality to assign multiple groups to an agent, I will continue to use it that way.
And thanks for considering the dynamic groups for future versions of Wazuh, I think it can help to automate the administration of agents and groups.