The configuration used by the agents can be found in /var/ossec/etc/ossec.conf. In this file, you can enable or disable the different capabilities of Wazuh and adjust the configuration to fit your needs.

In environments with a large number of agents, if you don't want to edit the ossec.conf file of every single host, you have two options:

This feature was added with Wazuh v3.0.0 and allows you to define configuration groups (apache-servers for example), edit the configuration in a single file and assign agents to those groups. All the agents belonging to the same group will apply the configuration defined in that group.

In addition, in Wazuh v3.7.0, we included the ability to add an agent to several groups at the same time, creating a multigroup. The agent then applies the configuration defined in all of those groups at once.

Let’s look at an example where you’ve created four groups:

  • apache-servers where you’ve defined your configuration to monitor Apache logs and sensitive files.
  • windows-servers, where you’ve defined the configuration for your Windows hosts.
  • rhel-servers, where you’ve defined the configuration for your RHEL hosts.
  • sysmon-events, where you’ve defined the configuration to monitor sysmon events in your Windows hosts.

Now, you can add a Windows host to both the windows-servers and sysmon-events groups, and the configuration defined in both groups will be applied to that agent. You also have the option to add the host to a single group only and apply just the configuration defined in that group.

Creating the groups

To create the groups, you can use the terminal or the interface of the Wazuh app in Kibana or Splunk. Both give you the same result. The interface is more user-friendly than the terminal, while the terminal method is useful if you want to create groups with your deployment tools.

Using the terminal

To create groups from the terminal and assign agents to those groups, you need to use the agent_groups binary. It allows you to create and remove groups, assign agents to a group and remove them from it, list the agents in any group, and so on.

Create the groups with agent_groups

# /var/ossec/bin/agent_groups -a -g apache-servers
Do you want to create the group 'apache-servers'? [y/N]: y
Group 'apache-servers' created.

If you want to create a group and auto-confirm the question prompted by agent_groups, you can use the -q option. Here's an example:

# /var/ossec/bin/agent_groups -a -g windows-servers -q
Group 'windows-servers' created.
# /var/ossec/bin/agent_groups -a -g rhel-servers -q
Group 'rhel-servers' created.
# /var/ossec/bin/agent_groups -a -g sysmon-events -q
Group 'sysmon-events' created.

Add Wazuh Agents to groups

Once you have created the groups, you will need to add agents to those groups. You can use agent_groups to assign an agent to a group or groups. In the next example, we are going to add a Windows Agent to the groups windows-servers and sysmon-events and another Windows Agent to windows-servers. Also, we are going to assign a RHEL 7 Agent to the group rhel-servers and another RHEL 7 agent to rhel-servers and apache-servers.

First, you will need to list your agents. You can use manage_agents as follows:

# /var/ossec/bin/manage_agents -l

Available agents: 
   ID: 001, Name: windows-agent, IP: 172.16.1.55
   ID: 002, Name: windows-sysmon-agent, IP: 172.16.1.218
   ID: 003, Name: rhel-server, IP: 172.16.1.115
   ID: 004, Name: rhel-apache-server, IP: 172.16.1.18

Then, using agent_groups you can add an agent to one or more groups using its ID. Here you can see how to assign the agents to the groups as mentioned before:

# /var/ossec/bin/agent_groups -a -i 001 -g windows-servers -q
Group 'windows-servers' added to agent '001'.
# /var/ossec/bin/agent_groups -a -i 002 -g windows-servers -q
Group 'windows-servers' added to agent '002'.
# /var/ossec/bin/agent_groups -a -i 002 -g sysmon-events -q
Group 'sysmon-events' added to agent '002'.
# /var/ossec/bin/agent_groups -a -i 003 -g rhel-servers -q
Group 'rhel-servers' added to agent '003'.
# /var/ossec/bin/agent_groups -a -i 004 -g rhel-servers -q
Group 'rhel-servers' added to agent '004'.
# /var/ossec/bin/agent_groups -a -i 004 -g apache-servers -q
Group 'apache-servers' added to agent '004'.

Now, you can list the groups and the number of agents in those groups by running agent_groups -l:

# /var/ossec/bin/agent_groups -l 
Groups (5):
  apache-servers (1)
  default (1)
  rhel-servers (2)
  sysmon-events (1)
  windows-servers (2)
Unassigned agents: 0.

Or list the agents in a specific group with agent_groups -l -g group-name:

# /var/ossec/bin/agent_groups -l -g rhel-servers
2 agent(s) in group 'rhel-servers':
  ID: 003  Name: rhel-server.
  ID: 004  Name: rhel-apache-server.
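When the assignments above are driven from an inventory rather than typed by hand, the useful pieces are a parser for the manage_agents -l listing (to turn agent names into IDs), a planner that emits one agent_groups call per agent/group pair, and a check that parses agent_groups -l -g output to confirm the result. The following script is an added example, not part of the original post or of Wazuh itself; the binary paths and output formats are the ones shown above, the DESIRED mapping and the sample listings are constructed to mirror the post, and a live run (dry_run=False) assumes it executes as root on the manager.

```python
import re
import subprocess

# Binaries as they appear in this post (Wazuh manager paths).
MANAGE_AGENTS = "/var/ossec/bin/manage_agents"
AGENT_GROUPS = "/var/ossec/bin/agent_groups"

# Constructed sample: the listing printed by `manage_agents -l` above.
SAMPLE_LISTING = """\
Available agents:
   ID: 001, Name: windows-agent, IP: 172.16.1.55
   ID: 002, Name: windows-sysmon-agent, IP: 172.16.1.218
   ID: 003, Name: rhel-server, IP: 172.16.1.115
   ID: 004, Name: rhel-apache-server, IP: 172.16.1.18
"""

# Constructed sample: output of `agent_groups -l -g rhel-servers` above.
SAMPLE_GROUP_LISTING = """\
2 agent(s) in group 'rhel-servers':
  ID: 003  Name: rhel-server.
  ID: 004  Name: rhel-apache-server.
"""

# Desired membership keyed by agent name (constructed; mirrors the post).
# Names come from your inventory; IDs are assigned at enrolment time and
# differ between managers, so they are resolved from the live listing.
DESIRED = {
    "windows-agent": ["windows-servers"],
    "windows-sysmon-agent": ["windows-servers", "sysmon-events"],
    "rhel-server": ["rhel-servers"],
    "rhel-apache-server": ["rhel-servers", "apache-servers"],
}

AGENT_RE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(\S+),\s*IP:\s*(\S+)")
MEMBER_RE = re.compile(r"ID:\s*(\d+)\s+Name:\s*(\S+?)\.?\s*$", re.MULTILINE)


def parse_agent_list(text):
    """Map agent name -> ID from `manage_agents -l` output."""
    agents = {}
    for agent_id, name, _ip in AGENT_RE.findall(text):
        if name in agents:
            raise ValueError(f"duplicate agent name {name!r} in listing")
        agents[name] = agent_id
    return agents


def parse_group_members(text):
    """Return the agent IDs listed by `agent_groups -l -g <group>`."""
    return [agent_id for agent_id, _name in MEMBER_RE.findall(text)]


def plan_assignments(agents, desired):
    """One agent_groups argv per (agent, group) pair; refuse unknown agents up front."""
    unknown = sorted(set(desired) - set(agents))
    if unknown:
        raise KeyError(f"agents not registered on the manager: {unknown}")
    return [
        [AGENT_GROUPS, "-a", "-i", agents[name], "-g", group, "-q"]
        for name, groups in desired.items()
        for group in groups
    ]


def apply_plan(plan, dry_run=True):
    """Print the commands, or run them on the manager; stop at the first failure."""
    for argv in plan:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return len(plan)


def expected_members(agents, desired, group):
    """IDs that should belong to `group` according to the desired mapping."""
    return sorted(agents[name] for name, groups in desired.items() if group in groups)


def verify_group(agents, desired, group, listing_text):
    """True when `agent_groups -l -g <group>` output matches the desired membership."""
    return expected_members(agents, desired, group) == sorted(parse_group_members(listing_text))


if __name__ == "__main__":
    # Live run: replace SAMPLE_LISTING with
    # subprocess.run([MANAGE_AGENTS, "-l"], capture_output=True, text=True).stdout
    agents = parse_agent_list(SAMPLE_LISTING)
    apply_plan(plan_assignments(agents, DESIRED), dry_run=True)
    print("rhel-servers ok:", verify_group(agents, DESIRED, "rhel-servers", SAMPLE_GROUP_LISTING))
```

Because agent_groups -a adds an agent to a group without removing it from others (that is what makes a multigroup), the planner only ever adds; membership you no longer want has to be removed explicitly, and the verify step is what tells you the manager's view matches your inventory.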

Modify the configuration files

After creating the groups, you need to edit the configuration file of each group. This file lives on the Wazuh manager at /var/ossec/etc/shared/group-name/agent.conf. Here you can see a configuration example for each group:

  • apache-servers:
    <agent_config>
     
      <localfile>
        <log_format>apache</log_format>
        <location>/var/log/httpd/error_log</location>
      </localfile>
     
      <localfile>
        <log_format>apache</log_format>
        <location>/var/log/httpd/access_log</location>
      </localfile>
     
      <syscheck>
        <disabled>no</disabled>
        <!-- Execute a scan every 5 minutes -->
        <frequency>300</frequency>
     
        <scan_on_start>yes</scan_on_start>
     
        <!-- Generate alert when new file detected -->
        <alert_new_files>yes</alert_new_files>
     
        <!-- Directories to check (perform all possible verifications) -->
        <directories check_all="yes" whodata="yes"></directories>
        <ignore>/etc/httpd/logs</ignore>
         
        <!-- File types to ignore -->
        <ignore type="sregex">.log$|.swp$</ignore>
     
        <skip_nfs>yes</skip_nfs>
      </syscheck>
     
    </agent_config>
    

    After saving this file, only the agent 004 (rhel-apache-server) will apply this configuration.

  • rhel-servers:
    <agent_config>
    
     <sca>
       <enabled>yes</enabled>
       <scan_on_start>yes</scan_on_start>
       <interval>1h</interval>
       <skip_nfs>yes</skip_nfs>
    
       <policies>
         <policy>cis_rhel7_linux_rcl.yml</policy>
         <policy>system_audit_ssh.yml</policy>
       </policies>
     </sca>
    
     <wodle name="vulnerability-detector">
       <disabled>yes</disabled>
       <interval>5m</interval>
       <ignore_time>6h</ignore_time>
       <run_on_start>yes</run_on_start>
    
       <feed name="redhat">
         <disabled>yes</disabled>
         <update_from_year>2010</update_from_year>
         <update_interval>1h</update_interval>
       </feed>
     </wodle>
    
    </agent_config>
    

    After saving this file, the agents 003 (rhel-server) and 004 (rhel-apache-server) will apply this configuration.

  • windows-servers:
    <agent_config>
    
     <syscheck>
       <disabled>no</disabled>
    
       <!-- Execute a scan every 30 minutes -->
       <frequency>1800</frequency>
    
       <directories check_all="yes" whodata="yes">C:\Windows\System32\drivers\etc</directories>
     </syscheck>
    
    </agent_config>
    

    After saving this file, the agents 001 (windows-agent) and 002 (windows-sysmon-agent) will apply this configuration.

  • sysmon-events:
    <agent_config>
    
     <localfile>
       <location>Microsoft-Windows-Sysmon/Operational</location>
       <log_format>eventchannel</log_format>
     </localfile>
    
    </agent_config>
    

    After saving this file, the agent 002 (windows-sysmon-agent) will apply this configuration.
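An agent.conf is pushed to every agent in the group, so a mistake in it is multiplied across the fleet. The linter below is an added example, not part of the original post or of Wazuh: it checks that a group file is well-formed XML rooted at agent_config, that every localfile names both a location and a log_format, that no syscheck directories element is empty (the apache-servers example above contains one), and it warns about blocks that are declared but carry disabled set to yes (as the vulnerability-detector block in the rhel-servers example does). The sample files are constructed from the examples above; the finding messages and levels are this script's own.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: cut down from the apache-servers and rhel-servers
# files above, keeping the empty <directories> element and a disabled block.
BAD_CONF = """\
<agent_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
  </localfile>
  <syscheck>
    <disabled>no</disabled>
    <frequency>300</frequency>
    <directories check_all="yes" whodata="yes"></directories>
    <ignore>/etc/httpd/logs</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>
  <wodle name="vulnerability-detector">
    <disabled>yes</disabled>
  </wodle>
</agent_config>
"""

# Constructed sample: the windows-servers file above, which is clean.
GOOD_CONF = """\
<agent_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>1800</frequency>
    <directories check_all="yes" whodata="yes">C:\\Windows\\System32\\drivers\\etc</directories>
  </syscheck>
</agent_config>
"""


def _text(el):
    return (el.text or "").strip()


def lint_agent_conf(xml_text):
    """Return a list of (level, message) findings; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"not well-formed XML: {exc}")]
    if root.tag != "agent_config":
        findings.append(("error", f"root element is <{root.tag}>, expected <agent_config>"))
    # ElementTree has no parent links, so build the map once for the warnings below.
    parents = {child: parent for parent in root.iter() for child in parent}
    for lf in root.iter("localfile"):
        for required in ("location", "log_format"):
            el = lf.find(required)
            if el is None or not _text(el):
                findings.append(("error", f"<localfile> is missing <{required}>"))
    for d in root.iter("directories"):
        if not _text(d):
            findings.append(("error", "<directories> is empty; no path will be monitored by it"))
    for dis in root.iter("disabled"):
        if _text(dis).lower() == "yes":
            parent = parents[dis]
            name = parent.get("name")
            label = parent.tag + (f' name="{name}"' if name else "")
            findings.append(("warning", f"<{label}> is declared but disabled"))
    return findings


if __name__ == "__main__":
    # Usage: python lint_agent_conf.py /var/ossec/etc/shared/<group>/agent.conf
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else BAD_CONF
    for level, msg in lint_agent_conf(text):
        print(f"{level}: {msg}")
```

Run it against each group's agent.conf before the manager pushes the file, alongside the manager's own syntax check, /var/ossec/bin/verify-agent-conf, which this script complements rather than replaces: verify-agent-conf tells you whether the file parses, while the rules above catch a file that parses but monitors nothing.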

Once you have finished creating the groups, assigning the agents, and modifying the configuration files, the agents will be grouped as follows:

Clustering and agent groups

Using the Kibana app

The Kibana app is an extremely useful tool for creating groups, adding and removing agents from those groups, and editing the configuration files. It is a user-friendly way to administer the configuration applied to your agents, since you don't need to work from a terminal or ask for root access to your Wazuh manager hosts. In the following example, we are going to create the same groups and apply the same configuration as in the previous section, but using only the Kibana interface.

Creating the groups

To create a group, open the Wazuh app in Kibana and go to Management > Groups. This page allows you to list, create, edit and delete groups. To create a group, click on the + icon.

Once you have added the four groups, they will be listed on the Groups page, along with the number of agents in each group, the configuration checksum, and some action buttons:

Add Wazuh Agents to groups

Once you have created the group, you can assign agents to it. To do this, click on the group you have just created and then on the Add or remove agents button.

This button will lead you to a page where you can easily add or remove your agents from a group.

Once you have added the agents to the group and applied the changes, the agents will belong to that group and to the default group. If you want to remove these agents from the default group, click on the default group and remove the agents by clicking on the bin icon.

Modify the configuration file

Each group has a configuration file named agent.conf. This file is empty by default; in it you can define new configuration blocks or override the ones defined in ossec.conf. To modify this file, go to Management > Groups > the group to modify > Content > agent.conf. On this page you can edit the file and save the changes.

  • apache-servers: After saving this file, only the agent 004 (rhel-apache-server) will apply this configuration.
  • rhel-servers: After saving this file, the agents 003 (rhel-server) and 004 (rhel-apache-server) will apply this configuration.
  • windows-servers: After saving this file, the agents 001 (windows-agent) and 002 (windows-sysmon-agent) will apply this configuration.
  • sysmon-events: After saving this file, the agent 002 (windows-sysmon-agent) will apply this configuration.

After saving the changes, the cluster will apply the configuration to the agents by sending this file and restarting the agents.