Wazuh - Configuring Groups for Centralized Management
Since my lab servers are planets, I will create three different groups based on planet features.
red_planets - Mercury and Mars
captured_planets (myth) - Venus
gas_giants - Jupiter
Create the Groups
/var/ossec/bin/agent_groups -a -g red_planets -q
/var/ossec/bin/agent_groups -a -g gas_giants -q
/var/ossec/bin/agent_groups -a -g captured_planets -q
Now list your agents from the wazuh-manager
/var/ossec/bin/agent_groups
Note the Agent IDs
Available agents:
ID: 001, Name: mercury, IP: 192.168.122.86
ID: 002, Name: venus, IP: 192.168.122.8
ID: 003, Name: mars, IP: 192.168.122.203
ID: 004, Name: jupiter, IP: 192.168.122.252
Add Agents to the appropriate groups
/var/ossec/bin/agent_groups -a -i 001 -g red_planets -q
/var/ossec/bin/agent_groups -a -i 003 -g red_planets -q
/var/ossec/bin/agent_groups -a -i 002 -g captured_planets -q
/var/ossec/bin/agent_groups -a -i 004 -g gas_giants -q
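As an added example (not part of the original post), this script derives the assignment commands from the agent listing instead of copying IDs by hand, and prints them for review rather than running them. The name-to-group map, the sample listing layout and the helper name plan_assignments are assumptions for illustration.

```sh
#!/bin/sh
# Added example: derive agent_groups assignment commands from the agent listing.
AGENT_GROUPS=/var/ossec/bin/agent_groups

# Assumed name:group map for this lab (space-separated pairs).
GROUP_MAP='mercury:red_planets mars:red_planets venus:captured_planets jupiter:gas_giants'

# Constructed sample input: the listing shown above, one agent per line.
SAMPLE_LISTING='Available agents:
   ID: 001, Name: mercury, IP: 192.168.122.86
   ID: 002, Name: venus, IP: 192.168.122.8
   ID: 003, Name: mars, IP: 192.168.122.203
   ID: 004, Name: jupiter, IP: 192.168.122.252'

# plan_assignments (hypothetical helper): reads a listing on stdin and prints
# one assignment command per mapped agent. Problems are reported on stderr.
plan_assignments() {
    awk -v bin="$AGENT_GROUPS" -v map="$GROUP_MAP" '
        BEGIN {
            n = split(map, pairs, " ")
            for (i = 1; i <= n; i++)
                if (split(pairs[i], kv, ":") == 2) group[kv[1]] = kv[2]
        }
        /ID: [0-9]+, Name: / {
            id = $0;   sub(/.*ID: /, "", id);     sub(/,.*/, "", id)
            name = $0; sub(/.*Name: /, "", name); sub(/,.*/, "", name)
            seen[name] = 1
            if (name in group)
                printf "%s -a -i %s -g %s -q\n", bin, id, group[name]
            else
                printf "no group mapped for agent %s (ID %s)\n", name, id > "/dev/stderr"
        }
        END {
            for (name in group)
                if (!(name in seen))
                    printf "mapped agent not registered: %s\n", name > "/dev/stderr"
        }'
}

# Print the plan for the sample listing; on a manager, pipe the real listing in:
#   /var/ossec/bin/agent_groups | plan_assignments
printf '%s\n' "$SAMPLE_LISTING" | plan_assignments
```

Agents that appear in the listing without a mapping, and mapped names that are not registered, are reported on stderr so a typo in the map does not silently leave a host in the default group.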
We can now edit a centralized configuration file based on groups from our Wazuh server
/var/ossec/etc/shared/red_planets/agent.conf
/var/ossec/etc/shared/captured_planets/agent.conf
/var/ossec/etc/shared/gas_giants/agent.conf
Whenever you make changes to these config files you can quickly verify if the configuration is valid by running
/var/ossec/bin/verify-agent-conf
Example output of
/var/ossec/bin/verify-agent-conf
verify-agent-conf: Verifying [/var/ossec/etc/shared/gas_giants/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [/var/ossec/etc/shared/captured_planets/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [/var/ossec/etc/shared/red_planets/agent.conf]
verify-agent-conf: OK