In this tutorial I’ll going to demonstrate how to setup Wazuh.

What is Wazuh?

Wazuh is a free, open source and enterprise-ready security detection and monitoring solution.

Wazuh is born as a fork of OSSEC (HIDS) host based intrusion detection system. Later is was integrated with Elastic stack and OpenSCAP.

Which can perform threat detection, integrity monitoring, incident response and compliance.

Wazuh System consist with several components:

  • OSSEC HIDS - Host Based Intrusion Detection System

  • OpenSCAP - Open Vulnerability Assessment Language

  • Elastic Stack - Filebeat, Elasticsearch, Kibana

  • Wazuh is loaded with number of valued capabilities.

Main Features:

1. Security Analytics:

Wazuh is used to collect, aggregate, index and analyze security data which helping to detect intrusions, threats and anomalies.

Endpoint Detection and Response (EDR)

Wazuh Agent actively perform security analysts discover, investigate and perform block a network attack, stop a malicious process or quarantine a malware infected file.

2. Intrusion Detection

Wazuh-Agent scan the monitored system looking for malware, rootkits and suspicious anomalies. Also It can detect hidden files, clocked processes or unregistered network listeners.

3. Log Data Analysis

Wazuh-Agent read operating system and application logs, and forward them to a central Wazuh-Manager for rule-based analysis.

Which helps you to aware of application or system errors,miss-configuration, attempted successful malicious activities, policy violations and many more.

4. File Integrity Monitoring

Wazuh monitors the file system, identifying changes in content, permissions, ownership and attributes of files that you need to keep an eye on.

Also It can identify users and applications used to create or modify files.

5. Vulnerability Detection

Wazuh agent pull software inventory data and send them to the Wazuh Manager server. Then, they matches with CVE (Common Vulnerabilities and Exposure) databases, in order to identify well-know vulnerable software.

Automated vulnerability assessment helps you find the weak spots in your critical assets and take corrective action before attackers exploit them to sabotage your business or steal confidential data.

6. Configuration Assessment

Wazuh monitors system and application configuration settings to ensure they are compliant with you security policies and standards.

Agent automatically performs periodic scan to detect applications that are know to be vulnerable, unpatched, or insecurely configured.

And also It alerts recommendations for better configuration and security hardening.

7. Incident Response

Wazuh take action against active threats such as blocking access from the threat source when certain criteria are met.

8. Regulatory Compliance

Wazuh provides some of necessary security controls to become complaint with industry standards and regulations.

9. Cloud Security

Wazuh helps monitoring cloud infrastructure as an API level. It can pull security data from instances on well known cloud providers such as AWS, Azure, Google Cloud Platform.

10. Containers Security

Wazhuh provides security visibility into your docker hosts and containers.

STEP 01: Perform Prerequisites

A. Install latest yum repositories
yum install https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm

yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

yum install https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm

yum install http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

yum install https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm

yum install http://mirror.ghettoforge.org/distributions/gf/el/7/gf/x86_64/gf-release-7-10.gf.el7.noarch.rpm
B. Set Hostname with Fully Qualified Domain Name (FQDN)
[root@server1 ~]# vim /etc/hostname 

wazuh-elk
[root@server1 ~]# vim /etc/hosts

172.25.10.50    wazuh-elk.da.com        wazuh-elk
C. SELinux Configuration
[root@server1 ~]# vim /etc/selinux/config

SELINUX=permissive
D. Install Python3
root@server1 ~]# yum install python3

SETP 02: Install Wazuh Manager

A. Install Development Tools, Compilers, and Other Required Packages.
[root@server1 ~]# yum install make gcc policycoreutils-python automake autoconf libtool

OpenSSL will be required to create a system certificate while authentication with Wazuh Agents.

[root@server1 ~]# yum install openssl

Install Latest EPEL-Release

[root@server1 ~]# yum install epel-release yum-utils -y

Install Budild Dependencies of CPython

[root@server1 ~]# yum-builddep python34 -y
B. Download and Extract Wazuh Installation Files
[root@server1 ~]# curl -Ls https://github.com/wazuh/wazuh/archive/v3.11.1.tar.gz | tar zx

[root@server1 ~]# cd wazuh-3.11.1/
C. Run the “Install.sh” Script

This will guide you through the installation process. When Script ask for what kind of installation need to perform, type “manager” to install the Wazuh Manager.

[root@server1 wazuh-3.11.1]# ./install.sh
** Para instalação em português, escolha [br].
 (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

Wazuh v3.11.1 (Rev. 31116) Installation Script - http://www.wazuh.com

You are about to start the installation process of Wazuh.
You must have a C compiler pre-installed in your system.

 - System: Linux server1 3.10.0-862.el7.x86_64 (centos 7.5)
 - User: root
 - Host: server1

– Press ENTER to continue or Ctrl-C to abort. –

1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager

2- Setting up the installation environment.

 - Choose where to install Wazuh [/var/ossec]: 

3- Configuring Wazuh.

  3.1- Do you want e-mail notification? (y/n) [n]: y 
   - What's your e-mail address? user@gmail.com

   - We found your SMTP server as: alt1.gmail-smtp-in.l.google.com.
   - Do you want to use it? (y/n) [y]: y

   --- Using SMTP server:  alt1.gmail-smtp-in.l.google.com.

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

  3.4- Do you want to run policy monitoring checks? (OpenSCAP) (y/n) [y]: y

   - Running OpenSCAP (policy monitoring checks).

  3.5- Active response allows you to execute a specific
       command based on the events received.
       By default, no active responses are defined.

   - Default white list for the active response:
      - 172.25.10.1
      - 8.8.8.8
      
   - Do you want to add more IPs to the white list? (y/n)? [n]: n

  3.6- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y

   - Remote syslog enabled.

  3.7 - Do you want to run the Auth daemon? (y/n) [y]: y

   - Running Auth daemon.

  3.8- Do you want to start Wazuh after the installation? (y/n) [y]: y

   - Wazuh will start at the end of installation.

  3.9- Setting the configuration to analyze the following logs:

    -- /var/log/audit/audit.log
    -- /var/ossec/logs/active-responses.log
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at https://documentation.wazuh.com/.


   --- Press ENTER to continue ---

4- Installing the system

 - Running the Makefile

Finished processing dependencies for wazuh==3.11.1
Installing SCAP security policies...
Generating self-signed certificate for ossec-authd...
Building CDB lists...


Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /etc/systemd/system/wazuh-manager.service.
Starting Wazuh...

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/ossec-control start

 - To stop Wazuh:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


---------------------------------
[root@server1 wazuh-3.11.1]# /var/ossec/bin/ossec-control start
Starting Wazuh v3.11.1...
Started ossec-csyslogd...
Started ossec-dbd...
2020/01/13 05:13:08 ossec-integratord: INFO: Remote integrations not configured. Clean exit.
Started ossec-integratord...
Started ossec-agentlessd...
ossec-authd already running...
wazuh-db already running...
ossec-execd already running...
ossec-maild already running...
ossec-analysisd already running...
ossec-syscheckd already running...
ossec-remoted already running...
ossec-logcollector already running...
ossec-monitord already running...
wazuh-modulesd already running...
Completed.
----------------------------------
D. Allow Wazuh Manager Service Ports Through The Firewall
[root@wazuh-elk ~]# firewall-cmd --permanent --add-port={514,1514,1515,1516}/tcp
[root@wazuh-elk ~]# firewall-cmd --permanent --add-port={514,1514}/udp
[root@wazuh-elk ~]# firewall-cmd --reload

514 - send collected events from syslogs

1514 - Send collected event from agents

1515 - Agents registration service

1516 - Wazuh cluster communications

E. Enable Service & Restart
[root@server1 wazuh-3.11.1]# systemctl daemon-reload
[root@server1 wazuh-3.11.1]# systemctl enable wazuh-manager.service
[root@server1 wazuh-3.11.1]# systemctl restart wazuh-manager.service
[root@server1 wazuh-3.11.1]# systemctl status -l  wazuh-manager.service

STEP 03: Install Wazuh API

A. Install NodeJS

NodeJS required in order to run Wazuh API.

[root@server1 ~]# curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
[root@server1 ~]# sudo yum install gcc-c++ make
[root@server1 ~]# sudo yum install -y nodejs
B. Install Yarn
[root@server1 ~]# curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
[root@server1 ~]# sudo yum install yarn
C. Install Wazuh API

Download & Extract Wazuh API Package

Run this command to download and install the Wazuh API

[root@server1 ~]# curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.11.1/install_api.sh && bash ./install_api.sh download
API URL: http://host_ip:55000/
user: 'foo'
password: 'bar'
Configuration: /var/ossec/api/configuration
Test: curl -u foo:bar -k http://127.0.0.1:55000?pretty
Note: You can configure the API executing /var/ossec/api/scripts/configure_api.sh

### [API installed successfully] ###
D. Allow Wazuh-API Service Port Through the Firewall

55000/TCP - Incoming HTTP requests

[root@wazuh-elk ~]# firewall-cmd --permanent --add-port=55000/tcp
[root@wazuh-elk ~]# firewall-cmd --reload
E. Enable Service & Restart
[root@wazuh-elk ~]# systemctl enable wazuh-api.service
[root@wazuh-elk ~]# systemctl restart wazuh-api.service
[root@wazuh-elk ~]# systemctl status -l wazuh-api.service

REF: https://documentation.wazuh.com/3.11/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_sources_centos.html#wazuh-server-sources-centos

STEP 04: Install Filebeat

Filebeat is a fork of the Elastic Stack. Filebeat use to forward alerts and event to Elasticsearch.

A. Import Public GPG Key
[root@wazuh-elk ~]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
B. Create YUM Repository File
[root@wazuh-elk ~]# vim /etc/yum.repos.d/elastic.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
C. Install Filebeat
[root@wazuh-elk ~]# yum install filebeat
D. Download pre-configured Configuration File

This file pre-configured to forward alerts Elasticsearch.

[root@wazuh-elk ~]# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.1/extensions/filebeat/7.x/filebeat.yml

Provide required permission

[root@wazuh-elk ~]# chmod go+r /etc/filebeat/filebeat.yml
E. Download alerts template for Elasticsearch
[root@wazuh-elk ~]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.1/extensions/elasticsearch/7.x/wazuh-template.json

Provide required permission

[root@wazuh-elk ~]# chmod go+r /etc/filebeat/wazuh-template.json
F. Download Wazuh module for Filebeat
[root@wazuh-elk ~]# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

REF: https://documentation.wazuh.com/3.11/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#wazuh-server-packages-centos-filebeat

STEP 05: Install JAVA JDK

Java is required for the Elastic stack deployment. Java is to be installed on Elasticseach node.

A. Download & Install JDK RPM
[root@wazuh-elk /]# rpm -ivh jdk-13.0.1_linux-x64_bin.rpm
B. Set Default JAVA Version
[root@wazuh-elk /]# alternatives --config java
[root@wazuh-elk /]# alternatives --set jar /usr/java/jdk-13.0.1/bin/jar
[root@wazuh-elk /]# alternatives --set javac /usr/java/jdk-13.0.1/bin/javac
C. Set JAVA Environment Variables

Set the JAR and JAVAC paths Add entries into .bashrc and .bash_profile for the persistence even after the reboot.

[root@wazuh-elk /]# export JAVA_HOME=/usr/java/jdk-13.0.1/
[root@wazuh-elk /]# export PATH=$PATH:/usr/java/jdk-13.0.1/bin/
[root@wazuh-elk /]# vim ~/.bashrc
export JAVA_HOME=/usr/java/jdk-13.0.1/
export PATH=$PATH:/usr/java/jdk-13.0.1/bin/
[root@wazuh-elk /]# vim ~/.bash_profile
export JAVA_HOME=/usr/java/jdk-13.0.1/
export PATH=$PATH:/usr/java/jdk-13.0.1/bin/

STEP 06: Install Elasticsearch

A. Install Elasticsearch From YUM Repositories.
[root@wazuh-elk ~]# yum install elasticsearch
B. Allow Elasticearch Service Ports Through The Firewall

9200/tcp - Elasticearch RESTful API 9300-9400/tcp - Elasticsearch cluster communication

[root@wazuh-elk ~]# firewall-cmd --permanent --add-port={9200,9300}/tcp
[root@wazuh-elk ~]# firewall-cmd --reload
C. Configure Elasticsearch

Make Elasticsearch to be able to listening on non loopback IP address. In here you can add current machine IP address. I’m not going to change the loopback IP, because this is the one Elastic node I’m going to setup. So, It doesn’t need to talk outside.

[root@wazuh-elk ~]# vim /etc/elasticsearch/elasticsearch.yml
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
cluster.initial_master_nodes: ["node-1""]
[root@wazuh-elk ~]# cat /etc/elasticsearch/elasticsearch.yml | grep -v "^#"
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 127.0.0.1
http.port: 9200
cluster.initial_master_nodes: ["node-1"]
D. JVM Option Configuration

Set initial/maximum size of total heap space. If your system has less memory. You should configure it to use small megabytes of ram.

This amount of assigned memory may be vary to amount of your server’s total physical memory.

In this case I have 6GiB of total physical memory for the demonstration purpose.

[root@wazuh-elk ~]# vim /etc/elasticsearch/jvm.options
-Xms2g
-Xmx2g
D. Enalbe Service & Restart
[root@wazuh-elk /]# sudo systemctl daemon-reload
[root@wazuh-elk /]# sudo systemctl enable elasticsearch.service
[root@wazuh-elk /]# sudo systemctl start elasticsearch.service

STEP 07: Configure Filebeat Output For Elasticsearch

[root@wazuh-elk ~]# vim /etc/filebeat/filebeat.yml
output.elasticsearch.hosts: ['http://127.0.0.1:9200']

REF: https://documentation.wazuh.com/3.11/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#wazuh-server-packages-centos-filebeat

STEP 08: Load Filebeat Template
[root@wazuh-elk ~]# filebeat setup --index-management -E setup.template.json.enabled=false

REF: https://documentation.wazuh.com/3.11/installation-guide/installing-elastic-stack/elastic_server_rpm.html

STEP 09: Install Kibana

Kibana is the Web interface for visualizing the events stored in elasticsearch.

A. Install Kibana
[root@wazuh-elk ~]# yum install kibana
B. Install Wazuh App plugin For Kibana
[root@wazuh-elk /]# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.1_7.5.1.zip
C. Configure Kibana

Make Kibana to be able to listening on outside of the network and provide Elasticsearch instance IP address.

In this case I’m going to keep loopback IP for Elasticsearch, Since I don’t want to expose outside network.

[root@wazuh-elk /]# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "172.25.10.50"
elasticsearch.hosts: ["http://127.0.0.1:9200"]
D. Allow Kibana Service Port Through The Firewall

5601/tcp - Kibana Web Interface

[root@wazuh-elk /]# firewall-cmd --permanent --add-port=5601/tcp
[root@wazuh-elk /]# firewall-cmd --reload
E. Enable Service & Restart
[root@wazuh-elk /]# systemctl daemon-reload
[root@wazuh-elk /]# systemctl enable kibana.service
[root@wazuh-elk /]# systemctl start kibana.service

REF: https://documentation.wazuh.com/3.11/installation-guide/installing-elastic-stack/elastic_server_rpm.html

-------------- TROUBLESHOOTING TIPS --------------------
ERROR: wazuh-elk kibana[6972]: Browserslist: caniuse-lite is outdated. Please run next command `npm update`

[root@wazuh-elk ~]# yarn install

[root@wazuh-elk ~]# yarn upgrade caniuse-lite browserlist

[root@wazuh-elk ~]# npm update

CLIENT SIDE CONFIGURATION - Adding & Registering Wazuh Agent

Wazuh Agent:

Wazuh agent runs on the host that you want to monitor.

Wazuh Agent has following capabilities.

  • Log & data collection
  • File integrity monitoring
  • Rootkit and malware detection
  • security policy monitoring
  • Configuration assessment
  • software inventory

In this scenario I’m going to install Wazuh Agent on CentOS and Ubuntu.

STEP 01: Install Wazuh Agent

A. Install Development Tools and Compilers
[root@cl1 ~]# yum install make gcc policycoreutils-python automake autoconf libtool

Install “openssl” in order to support certificate creation while installation.

[root@cl1 ~]# yum install openssl
B. Download & Extract Latest Wazuh Package
[root@cl1 ~]# curl -Ls https://github.com/wazuh/wazuh/archive/v3.11.1.tar.gz | tar zx
C. Install Wazuh Agent

Run “install.sh” script. This will guide you through out the installation process.

Provide necessary responses while the installation process.

[root@cl1 ~]# cd wazuh-3.11.1/

[root@cl1 wazuh-3.11.1]# ./install.sh
[root@cl1 wazuh-3.11.1]# ./install.sh

  ** Para instalação em português, escolha [br].
  ** ?????????, ??? [cn].
  ** Für eine deutsche Installation, wählen Sie [de].
  ** G?a e??at?stas? sta ????????, ep????te [el].
  ** For installation in English, choose [en].
  ** Para instalar en español, elija [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvu telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** ?????????????.???????.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalowac w jezyku Polskim, wybierz [pl].
  ** ??? ?????????? ?? ????????? ?? ??????? ,??????? [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
 Wazuh v3.11.1 (Rev. 31116) Installation Script - http://www.wazuh.com

 You are about to start the installation process of Wazuh.
 You must have a C compiler pre-installed in your system.

  - System: Linux cl1 3.10.0-862.el7.x86_64 (centos 7.5)
  - User: root
  - Host: cl1


  -- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

  - Agent (client) installation chosen.

2- Setting up the installation environment.

 - Choose where to install Wazuh [/var/ossec]: 


    - Installation will be made at  /var/ossec .

3- Configuring Wazuh.

  3.1- What's the IP Address or hostname of the Wazuh server?: 172.25.10.50

   - Adding Server IP 

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

  3.4- Do you want to run policy monitoring checks? (OpenSCAP) (y/n) [y]: y

   - Running OpenSCAP (policy monitoring checks).

  3.5 - Do you want to enable active response? (y/n) [y]: y

   - Active response enabled.

  3.6- Remote upgrades use packages signed by the system maintainer. The
       corresponding certificate (or root certificate) must be installed
       in the system in order to verify the WPK packages. By default,
       the root certificate by Wazuh is installed.

   - Do you want to add more certificates? (y/n)? [n]: 

  3.7- Setting the configuration to analyze the following logs:

    -- /var/log/audit/audit.log
    -- /var/ossec/logs/active-responses.log
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at https://documentation.wazuh.com/.


   --- Press ENTER to continue ---

4- Installing the system

 - Running the Makefile

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/ossec-control start

 - To stop Wazuh:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


 - You first need to add this agent to the server so they
   can communicate with each other. When you have done so,
   you can run the 'manage_agents' tool to import the
   authentication key from the server.
   /var/ossec/bin/manage_agents

D. Allow Wazuh-Agent Service Port Through The Firewall
[root@cl1 ~]# firewall-cmd --permanent --add-port={514,1514}/udp
[root@cl1 ~]# firewall-cmd --reload

Now, Wazuh manger and agent configuration has been completed. Then, We need to add Wazuh-Agents into Wazuh-Manager.

REF: https://documentation.wazuh.com/3.11/installation-guide/installing-wazuh-agent/linux/centos6-or-greater/wazuh_agent_sources_centos6_or_greater.html#wazuh-agent-sources-centos6-or-greater

Registering Agents

STEP 01: Add an agent - Add a CentOS/Redhat Client Agent To Wazuh-Manager

Let’s head over to Wazuh-Manager and perform these configurations.

On the Manager:

Execute this command to add new agent to wazuh-manager.

/var/ossec/bin/manage_agents -a -n

[root@wazuh-elk /]# /var/ossec/bin/manage_agents -a 172.25.10.100 -n cl1
****************************************
* Wazuh v3.11.1 Agent manager.         *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: 
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent:    * The IP Address of the new agent: Confirm adding it?(y/n): Agent added with ID 001.

manage_agents: Exiting.
STEP 02: List The Agents

Execute this command to list the agent to get the ID of the added agent (cl1).

[root@wazuh-elk /]# /var/ossec/bin/manage_agents -l

OR

[root@wazuh-elk /]# /var/ossec/bin/manage_agents
****************************************
* Wazuh v3.11.1 Agent manager.         *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents: 
   ID: 001, Name: cl1, IP: 172.25.10.100
STEP 03: Extract Newly Added Agent’s Key

Execute this command with the agent “ID” and extract the new agent’s key. Cpy this key you will need it for the agent registration.

[root@wazuh-elk /]# /var/ossec/bin/manage_agents -e 001
Agent key information for '001' is: 
MDAxIGNsMSAxNzIuMjUuMTAuMTAwIDU4N2Y2ZmYyMDA0NmY1NzZmMDc2ODJkOWFlMzM5ZmM1OWY0YzQzYjBhZTk0MjI3NTQyZTkxYTczZmEyZTk4Njk=

Now, Let’s head over to agent host.

On the Agent

STEP 04: Import the Key To The Agent and Connect Agent To The Manger
[root@cl1 /]# /var/ossec/bin/manage_agents -i MDAxIGNsMSAxNzIuMjUuMTAuMTAwIDU4N2Y2ZmYyMDA0NmY1NzZmMDc2ODJkOWFlMzM5ZmM1OWY0YzQzYjBhZTk0MjI3NTQyZTkxYTczZmEyZTk4Njk=
Agent information:
   ID:001
   Name:cl1
   IP Address:172.25.10.100

Confirm adding it?(y/n): y
Added.

OPTIONAL: Check for Wazuh Manager’s IP

Edit the Wazuh agent configuration in “/var/ossec/etc/ossec.conf” to add/change the Wazuh Manager Server IP address.

[root@cl1 /]# vim /var/ossec/etc/ossec.conf
STEP 05: Restart Wazuh Agent Service
[root@cl1 /]# systemctl restart wazuh-agent

[root@cl1 /]# systemctl status -l  wazuh-agent

REF: https://documentation.wazuh.com/3.11/user-manual/registering/cli/using-command-line-linux.html

Add a Ubuntu Client Agent To Wazuh-Manager

On The Manager:

[root@wazuh-elk ~]# /var/ossec/bin/manage_agents -a 172.25.10.110 -n DA-PC
****************************************
* Wazuh v3.11.1 Agent manager.         *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: 
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent:    
   * * The IP Address of the new agent: 
   * Confirm adding it?(y/n): 
   * Agent added with ID 002.

manage_agents: Exiting.

Follow the on screen guide and generate a code.

STEP 01: Adding an agent
root@DA-PC:~# curl -so wazuh-agent.deb https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-agent/wazuh-agent_3.11.1-1_amd64.deb && sudo WAZUH_MANAGER_IP='172.25.10.50'  dpkg -i ./wazuh-agent.deb
STEP 02: Extract new agent’s key
[root@wazuh-elk ~]# /var/ossec/bin/manage_agents -e 002
Agent key information for '002' is: 
MDAyIERBLVBDIDE3Mi4yNS4xMC4xMTAgMDU3NGM5NGE3M2I5MDE4ZTE5NDdmMGQ4NTBjYzE0MWIwNDgwYTViZGY4YmY0NmU5MTA1ZWE2YWZmN2M3ODc2OA==

On the Agent

STEP 03: Import the created key for new agent at the Manger
root@DA-PC:~# /var/ossec/bin/manage_agents -i MDAyIERBLVBDIDE3Mi4yNS4xMC4xMTAgMDU3NGM5NGE3M2I5MDE4ZTE5NDdmMGQ4NTBjYzE0MWIwNDgwYTViZGY4YmY0NmU5MTA1ZWE2YWZmN2M3ODc2OA==
Agent information:
   ID:002
   Name:DA-PC
   IP Address:172.25.10.110

Confirm adding it?(y/n): y
Added.
STEP 04: Restart Wazuh Agent Service
root@DA-PC:~# systemctl restart wazuh-agent.service