Wazuh - Configuring Groups for Centralized Management

IRJ

Since my lab servers are planets. I will create three different groups based on planet features.

red_planets - Mercury and Mars

caputured_planets (myth) - Venus 

gas_giants - Jupiter

Create the Groups

/var/ossec/bin/agent_groups -a -g red_planets -q

/var/ossec/bin/agent_groups -a -g gas_giants -q

/var/ossec/bin/agent_groups -a -g captured_planets -q

Now list your agents from the wazuh-manager

/var/ossec/bin/agent_groups

Note the Agent IDs

Available agents: 
   ID: 001, Name: mercury, IP: 192.168.122.86
   ID: 002, Name: venus, IP: 192.168.122.8
   ID: 003, Name: mars, IP: 192.168.122.203
   ID: 004, Name: jupiter, IP: 192.168.122.252

Add Agents to the appropriate groups

/var/ossec/bin/agent_groups -a -i 001 -g red_planets -q
/var/ossec/bin/agent_groups -a -i 003 -g red_planets -q
/var/ossec/bin/agent_groups -a -i 002 -g captured_planets -q
/var/ossec/bin/agent_groups -a -i 004 -g gas_giants -q

We can now edit a centralized configuration file based on groups from our Wazuh server

/var/ossec/etc/shared/red_planets/agent.conf
/var/ossec/etc/shared/captured_planets/agent.conf
/var/ossec/etc/shared/gas_giants/agent.conf

Whenever you make changes to these config files you can quickly verify if the configuration is valid by running

/var/ossec/bin/verify-agent-conf

Example output of /var/ossec/bin/verify-agent-conf

verify-agent-conf: Verifying [/var/ossec/etc/shared/gas_giants/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/captured_planets/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/red_planets/agent.conf]
verify-agent-conf: OK