Configuring Wazuh Groups

Today we will logically separate our Wazuh agents into groups. The major advantage of configuring Wazuh groups is being able to customize agent configuration per group. Without Wazuh groups, any per-agent variation has to be configured directly on the agents themselves, which is inefficient and error-prone.

Decide on Groups

Let’s decide on the factors that would warrant creating Wazuh groups.

  • Operating System – You probably want to group systems by operating system. This is especially helpful when using OpenSCAP and defining scan profiles.
  • Function – Grouping systems by function also makes sense. Examples could include database, web, or application servers.
  • Location – Location could make sense from a management perspective.

The cool thing is a single agent can be in more than one group. Let’s get started 🙂

Creating Groups

I am using a solar system theme in my lab. I will create my groups based on solar system features and operating system.

Add the Groups

/var/ossec/bin/agent_groups -a -g inner_planets_no_moons -q

/var/ossec/bin/agent_groups -a -g inner_planets_with_moons -q

/var/ossec/bin/agent_groups -a -g gas_giants -q

/var/ossec/bin/agent_groups -a -g dwarf_planets -q

/var/ossec/bin/agent_groups -a -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -g ubuntu_1604 -q

Verify the groups were successfully created

/var/ossec/bin/agent_groups
Groups (7):
  default (9)
  dwarf_planets (0)
  gas_giants (0)
  inner_planets_no_moons (0)
  inner_planets_with_moons (0)
  ubuntu_1604 (0)
  ubuntu_1804 (0)

List the Agents

Now let’s list the agents so we can note their ID numbers.

/var/ossec/bin/manage_agents 
Available agents: 
   ID: 001, Name: mars, IP: 192.168.122.203
   ID: 002, Name: neptune, IP: 192.168.122.181
   ID: 003, Name: mercury, IP: 192.168.122.86
   ID: 004, Name: venus, IP: 192.168.122.8
   ID: 005, Name: jupiter, IP: 192.168.122.252
   ID: 006, Name: saturn, IP: 192.168.122.17
   ID: 007, Name: uranus, IP: 192.168.122.190
   ID: 008, Name: ceres, IP: 192.168.122.251
   ID: 009, Name: earth, IP: 192.168.122.112

P.S. Don’t worry about the dwarf planet Pluto. He is actually our Wazuh manager.

Start adding the agents to the appropriate groups

/var/ossec/bin/agent_groups -a -i 001 -g inner_planets_with_moons -q

/var/ossec/bin/agent_groups -a -i 001 -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -i 002 -g gas_giants -q

/var/ossec/bin/agent_groups -a -i 002 -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -i 003 -g inner_planets_no_moons -q

/var/ossec/bin/agent_groups -a -i 003 -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -i 004 -g inner_planets_no_moons -q

/var/ossec/bin/agent_groups -a -i 004 -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -i 005 -g gas_giants -q

/var/ossec/bin/agent_groups -a -i 005 -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -i 006 -g gas_giants -q

/var/ossec/bin/agent_groups -a -i 006 -g ubuntu_1604 -q

/var/ossec/bin/agent_groups -a -i 007 -g gas_giants -q

/var/ossec/bin/agent_groups -a -i 007 -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -i 008 -g dwarf_planets -q

/var/ossec/bin/agent_groups -a -i 008 -g ubuntu_1804 -q

/var/ossec/bin/agent_groups -a -i 009 -g inner_planets_with_moons -q

/var/ossec/bin/agent_groups -a -i 009 -g ubuntu_1804 -q

Now verify

/var/ossec/bin/agent_groups
Groups (7):
  default (9)
  dwarf_planets (1)
  gas_giants (4)
  inner_planets_no_moons (2)
  inner_planets_with_moons (2)
  ubuntu_1604 (1)
  ubuntu_1804 (8)
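The assignments above are nine agents times two groups each, typed one command at a time. The script below is an added example (not from the original post) that does the same job from a single mapping, validating each agent ID and group name before anything is passed to agent_groups; the tool path is assumed to be the one used on this page, and the mapping is constructed from this lab.

```shell
#!/bin/sh
# Added example (not from the original post): bulk-assign agents to groups from
# a mapping, validating IDs and group names before any agent_groups call.
# Assumed tool path is the one used on this page; override with AGENT_GROUPS.
AGENT_GROUPS="${AGENT_GROUPS:-/var/ossec/bin/agent_groups}"
set -f  # no pathname expansion while splitting the group list

# Constructed mapping, taken from this lab: "<agent id> <group>[,<group>...]"
MAPPING='001 inner_planets_with_moons,ubuntu_1804
002 gas_giants,ubuntu_1804
003 inner_planets_no_moons,ubuntu_1804
004 inner_planets_no_moons,ubuntu_1804
005 gas_giants,ubuntu_1804
006 gas_giants,ubuntu_1604
007 gas_giants,ubuntu_1804
008 dwarf_planets,ubuntu_1804
009 inner_planets_with_moons,ubuntu_1804'

# Agent IDs are three digits; group names are letters, digits and underscores only
# (a group name becomes a directory under /var/ossec/etc/shared, so reject anything else).
valid_id()    { case "$1" in [0-9][0-9][0-9]) return 0 ;; *) return 1 ;; esac; }
valid_group() { case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; *) return 0 ;; esac; }

# Print one agent_groups command per group for a single agent; fail on bad input.
commands_for() {
  id=$1
  old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs
  [ $# -gt 0 ] || { echo "no groups given for agent $id" >&2; return 1; }
  valid_id "$id" || { echo "bad agent id: $id" >&2; return 1; }
  for g in "$@"; do
    valid_group "$g" || { echo "bad group name: $g" >&2; return 1; }
    printf '%s -a -i %s -g %s -q\n' "$AGENT_GROUPS" "$id" "$g"
  done
}

# Generate commands for the whole mapping; DRY_RUN=1 prints them, otherwise they run.
assign_all() {
  cmds=$(printf '%s\n' "$MAPPING" | while read -r id glist; do
    [ -n "$id" ] || continue
    commands_for "$id" "$glist" || exit 1
  done) || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$cmds"
  else
    printf '%s\n' "$cmds" | sh -e
  fi
}
```

Run it once with DRY_RUN=1 to review the generated commands, then without it on the manager; a bad ID or group name aborts the whole run before any command is executed.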

Agent Config Files

Each group gets its own agent.conf on the manager, which is pushed to the agents in that group. Your agent configuration files will be located in the following directory structure.

/var/ossec/etc/shared/inner_planets_no_moons/agent.conf

/var/ossec/etc/shared/inner_planets_with_moons/agent.conf

/var/ossec/etc/shared/gas_giants/agent.conf

/var/ossec/etc/shared/dwarf_planets/agent.conf

/var/ossec/etc/shared/ubuntu_1604/agent.conf

/var/ossec/etc/shared/ubuntu_1804/agent.conf

Making changes to Agent Config files

After making changes, verify the agent configs before restarting wazuh-agent and/or wazuh-manager, so a syntax error does not get pushed to every agent in the group.

/var/ossec/bin/verify-agent-conf
verify-agent-conf: Verifying [/var/ossec/etc/shared/ubuntu_1604/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/gas_giants/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/dwarf_planets/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/ubuntu_1804/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/inner_planets_with_moons/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/inner_planets_no_moons/agent.conf]
verify-agent-conf: OK