Wazuh - Configuring Groups for Centralized Management



  • Since my lab servers are planets, I will create three different groups based on planet features.

    red_planets - Mercury and Mars
    
    captured_planets (myth) - Venus
    
    gas_giants - Jupiter
    
    

    Create the Groups

    /var/ossec/bin/agent_groups -a -g red_planets -q
    
    /var/ossec/bin/agent_groups -a -g gas_giants -q
    
    /var/ossec/bin/agent_groups -a -g captured_planets -q
    

    Now list your agents from the wazuh-manager

    /var/ossec/bin/agent_groups
    

    Note the Agent IDs

    Available agents: 
       ID: 001, Name: mercury, IP: 192.168.122.86
       ID: 002, Name: venus, IP: 192.168.122.8
       ID: 003, Name: mars, IP: 192.168.122.203
       ID: 004, Name: jupiter, IP: 192.168.122.252
    

    Add Agents to the appropriate groups

    /var/ossec/bin/agent_groups -a -i 001 -g red_planets -q
    /var/ossec/bin/agent_groups -a -i 003 -g red_planets -q
    /var/ossec/bin/agent_groups -a -i 002 -g captured_planets -q
    /var/ossec/bin/agent_groups -a -i 004 -g gas_giants -q
    

    We can now edit a centralized configuration file based on groups from our Wazuh server

    /var/ossec/etc/shared/red_planets/agent.conf
    /var/ossec/etc/shared/captured_planets/agent.conf
    /var/ossec/etc/shared/gas_giants/agent.conf
    

    Whenever you make changes to these config files you can quickly verify if the configuration is valid by running

    /var/ossec/bin/verify-agent-conf
    
    

    Example output of /var/ossec/bin/verify-agent-conf

    verify-agent-conf: Verifying [/var/ossec/etc/shared/gas_giants/agent.conf]
    verify-agent-conf: OK
    
    verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
    verify-agent-conf: OK
    
    verify-agent-conf: Verifying [/var/ossec/etc/shared/captured_planets/agent.conf]
    verify-agent-conf: OK
    
    verify-agent-conf: Verifying [/var/ossec/etc/shared/red_planets/agent.conf]
    verify-agent-conf: OK
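
The assignment step above, scripted as an added example (not part of the original post): it parses the agent listing format shown earlier and prints one `agent_groups -a -i ... -g ... -q` command per agent as a dry run. `GROUP_MAP` and `plan_assignments` are hypothetical names, the listing is the post's own output reused as sample input, and the name allow-list is a conservative assumption so that nothing unexpected from an agent name reaches a shell command line.

```bash
#!/usr/bin/env bash
# Added example: dry-run planner for the "Add Agents to the appropriate groups" step.
# It only prints agent_groups commands; review them, then run them on the manager.

AGENT_GROUPS=/var/ossec/bin/agent_groups   # path used in the post

# Sample input: the agent listing from the post.
SAMPLE_LISTING='Available agents:
   ID: 001, Name: mercury, IP: 192.168.122.86
   ID: 002, Name: venus, IP: 192.168.122.8
   ID: 003, Name: mars, IP: 192.168.122.203
   ID: 004, Name: jupiter, IP: 192.168.122.252'

# Hypothetical map of agent name to group: space-separated name=group pairs.
GROUP_MAP='mercury=red_planets mars=red_planets venus=captured_planets jupiter=gas_giants'

# $1 = listing text, $2 = name=group map
# Agents whose ID or name fails the allow-list are skipped; agents with no
# mapping get a comment line instead of a command.
plan_assignments() {
  printf '%s\n' "$1" | awk -v map="$2" -v bin="$AGENT_GROUPS" '
    BEGIN {
      ok = "^[A-Za-z0-9._-]+$"
      n = split(map, pairs, " ")
      for (i = 1; i <= n; i++)
        if (split(pairs[i], kv, "=") == 2 && kv[2] ~ ok) group[kv[1]] = kv[2]
    }
    $1 == "ID:" && $3 == "Name:" {
      id = $2;   sub(/,$/, "", id)
      name = $4; sub(/,$/, "", name)
      if (id !~ /^[0-9]+$/ || name !~ ok) next
      if (name in group)
        printf "%s -a -i %s -g %s -q\n", bin, id, group[name]
      else
        printf "# unmapped agent %s (%s): no command generated\n", id, name
    }'
}

plan_assignments "$SAMPLE_LISTING" "$GROUP_MAP"
```

After running the printed commands, `/var/ossec/bin/verify-agent-conf` checks each group's agent.conf as shown above.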
    
    
