Unattended Windows Agent Install/Registration Issue


Luis Arriaga

Feb 28, 2018, 1:10:17 PM
to Wazuh mailing list
I am trying to do an attended installation of the Agent on a Windows 7 computer but I am having problems. I am using the instructions at the end of https://documentation.wazuh.com/3.x/installation-guide/installing-wazuh-agent/wazuh_agent_windows.html. One problem I saw is that when I have PROTOCOL="TCP", the registration adds TCP to ossec.conf instead of tcp. I have not been able to complete the installation and the authd registration.

I also had this problem on the first launch; it is in the image.
Screen_Shot_2018-02-27_at_6_14_30_PM.png

Braulio Vargas

Mar 5, 2018, 4:03:17 AM
to Wazuh mailing list

Hi Luis,

Sorry for the late response. In Wazuh 3.2.0, the protocol must be set in lowercase; if not, it will generate an invalid ossec.conf, as you are getting. This is fixed in Wazuh 3.2.1. Also, Windows 7 has an old version of SSL, so in order to register an agent successfully using authd, you must start ossec-authd on your manager with the option to auto-negotiate the SSL protocol with the agent. To do that, run the following on your manager:

# /var/ossec/bin/ossec-authd -a

More information in: http://documentation.wazuh.com/current/user-manual/reference/daemons/ossec-authd.html

Finally, the window that pops up when you try to run the msi installer is a problem related to Windows. Windows, in many cases, "blocks" any script or installer downloaded from the internet, even if the installer is signed (as is the case with the Wazuh installer). This block causes the window that you are getting in the screenshot to appear, asking you for a double confirmation.

To unblock the installer you can go to the properties of the file (right click on the installer, Properties) and click the Unblock button, but if you are deploying the agent remotely, please do not download the installer from Internet Explorer. You can do it with PowerShell:

$url = "https://packages.wazuh.com/3.x/windows/wazuh-agent-3.2.1-1.msi"
$output = "Path\to\wazuh-agent-3.2.1-1.msi"
(New-Object Net.WebClient).DownloadFile($url, $output)

Once it is downloaded, you can execute it without problems.

Hope it helps.

Regards,
Braulio.

Robert H

Mar 6, 2018, 2:32:09 PM
to Wazuh mailing list
Hi Braulio,
I'm working with Luis.  We were able to resolve the issue with two things.

1.  (Thanks for your info on TLS/SSL).  We have a large number of Windows 7 systems and found a post saying that the default Mgr TLS/SSL is TLS 1.2, which Windows 7 doesn't support.  So we allowed the configuration in the manager to auto negotiate in the authd section.

2.  We found this install, uninstall command to work.

Install:
msiexec.exe /i <path\wazuh-agent.#.#.#.msi> /qn ADDRESS="manager1" AUTHD_SERVER="manager1" PROTOCOL="tcp"  etc.

Uninstall:  (from the directory where the msi is located)

msiexec /x wazuh-agent.msi /qn

Thanks,
Robert

Michael Kasede

Apr 6, 2018, 4:51:59 AM
to Wazuh mailing list
Hi Robert, Braulio and Luis

I have been looking for a working solution to an automated/unattended deployment of the Wazuh-ossec Windows agent but nothing has worked for me and I haven't found the documentation very helpful either.

I have a virtual Wazuh setup and I have been testing the unattended agent setup with Windows 10 virtual machines. I am using Wazuh 3.2.1, ELK stack 6.2.1 and Wazuh-agent-3.2.1. Is there something I am not getting right? Is there a video tutorial I can follow?

I need your help guys. I want to use this as a free SIEM solution for my home office and friends' offices.

Appreciate all your support.

Robert H

Apr 6, 2018, 1:34:58 PM
to Wazuh mailing list
Hi Michael,
There are 2 components to doing it.  One is the installation/registration of the agent, the other is the registration service running on the manager using authd.

This is the page that describes how to set up Authd

We use the password method.  You'll need to configure the ossec.conf and enable authd (the command is in the documentation and also in the ossec.conf right above the authd section, shown below).
If you're using any Win7 systems you'll need to change the ssl option in the authd configuration.  Newer versions may be able to connect using the default, which I think is TLS 1.2.

 <!-- Configuration for ossec-authd
    To enable this service, run:
    /path_to/ossec-control enable auth
  -->

By default this is no.  We changed it to yes (for Win7).

<ssl_auto_negotiate>yes</ssl_auto_negotiate>


Make sure port 1515 (and 1514 for logs) is open on your manager firewall.  When authd is running, you can move to the next part.  Verify authd is working by running grep authd /path_to/ossec.log


////////////////////////////////////////////////////////////////////////////

For the install on the client computer:

This is the example from the above page.  It can be included in a GPO or software deployment system or run in an Admin CMD or PowerShell

wazuh-agent-3.2.1-1.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" PASSWORD="TopSecret" AGENT_NAME="W2012"
In our situation that didn't work, so I had to use this:
msiexec.exe /i <path_to_the_file>\wazuh-agent-3.2.1.msi /qn ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" PASSWORD="TopSecret"
For example msiexec.exe /i c:\Users\<username>\Downloads\wazuh-agent-3.2.1.msi /qn ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" PASSWORD="TopSecret"
To remove it (might have to be run from the directory where the msi is located).
msiexec /x wazuh-agent-3.2.1.msi /qn

Hope that helps.  Regards,
Robert
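
Added example, not part of any post in this thread and not Wazuh project code: a PowerShell wrapper that combines the points raised above (browser-free download, the signed installer, the lowercase PROTOCOL requirement, and the explicit msiexec /i ... /qn form). The function and parameter names are hypothetical; the MSI properties are the ones quoted in the thread.

```powershell
# Added example (hypothetical helper, not from the Wazuh project).
# MSI properties used: ADDRESS, AUTHD_SERVER, PROTOCOL, PASSWORD, AGENT_NAME.
function Install-WazuhAgentUnattended {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$MsiPath,
        [Parameter(Mandatory = $true)][string]$Manager,
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$Protocol = "tcp",
        [string]$AgentName = $env:COMPUTERNAME
    )

    # Download without a browser, as suggested in the thread, so the
    # "downloaded from the internet" confirmation does not stall a silent install.
    (New-Object Net.WebClient).DownloadFile($Url, $MsiPath)

    # The installer is signed: refuse to run it unless Windows validates
    # the Authenticode signature, and record who signed it.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${MsiPath}: $($sig.Status)"
    }
    Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

    # Agent 3.2.0 copies PROTOCOL verbatim into ossec.conf, so normalise to
    # lowercase and reject anything that is not tcp or udp.
    $proto = $Protocol.ToLower()
    if (@('tcp', 'udp') -notcontains $proto) {
        throw "Unsupported protocol '$Protocol'"
    }

    # No verbose MSI log is requested: it would record the PASSWORD property.
    $msiArgs = @(
        '/i', "`"$MsiPath`"", '/qn',
        "ADDRESS=`"$Manager`"", "AUTHD_SERVER=`"$Manager`"",
        "PROTOCOL=`"$proto`"", "PASSWORD=`"$Password`"",
        "AGENT_NAME=`"$AgentName`""
    )
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success with reboot required; anything else failed.
    if (@(0, 3010) -notcontains $p.ExitCode) {
        throw "msiexec exited with code $($p.ExitCode)"
    }
    return $p.ExitCode
}
```

Run it from an elevated prompt, passing the package URL and manager address used earlier in the thread.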