The registration process

Every Wazuh Agent sends data to the Wazuh Manager via a secure way called OSSEC message protocol. This encrypts messages using a pre-shared key. Initially, when you successfully install a new Wazuh Agent, this cannot communicate with the Wazuh Manager due to a lack of that pre-shared key.

The registration process consists of a mechanism to create a trusted relationship between the Manager and an Agent. This process could be done in a Manager itself or with a registration service. This service runs on the Manager, where an Agent could request a pre-shared key using some credentials. The Manager will reply with the key and store the new Agent in a local database.

Another approach is using the RESTful API, this is just a wrapper for local registration on Wazuh Manager.

Agent keys

The manager uses the file /var/ossec/etc/client.keys to store the registration record of each agent, which includes ID, name, IP, and key. Example:

001 Server1 any e20e0394dca71bacdea57d4ca25d203f836eca12eeca1ec150c2e5f4309a653a
002 ServerProd 192.246.247.247 b0c5548beda537daddb4da698424d0856c3d4e760eaced803d58c07ad1a95f4c
003 DBServer 192.168.0.1/24 8ec4843da9e61647d1ec3facab542acc26bd0e08ffc010086bb3a6fc22f6f65b

The agents also have the file /var/ossec/etc/client.keys containing only their own registration record. Example for Server1 agent:

001 Server1 any e20e0394dca71bacdea57d4ca25d203f836eca12eeca1ec150c2e5f4309a653a

Basic data for registering an agent

In order to register an agent, it is necessary to provide the name and the IP of the agent.

There are several ways to set the agent IP:

• Any IP: Allow the agent to connect from any IP address. Example: Server1 has any IP.

• Fixed IP: Allow the agent to connect only from the specified IP. Example: ServerProd has the IP 192.246.247.247.

• Range IP: Allow the agent to connect from the specified range of IPs. Example: DBServer has the IP range 192.168.0.1/24.

Some registration methods automatically detect the IP of the agent during the registration process.