Agent Onboarding and Log Sources [DL Series-2]

This article dives into the agent onboarding process, including creating agent groups, enrolling agents, and understanding how log sources are managed in Wazuh.

Agent Groups in Wazuh

In Wazuh, agent groups are essential for organizing and managing agents. These groups allow administrators to assign agents based on criteria such as role, location, or type of system. By grouping agents, you can centralize management and apply tailored configurations, rules, and policies to different types of systems.

For instance, you may have separate agent groups for Linux servers, Windows desktops, or critical network infrastructure. This organization streamlines the process of applying specific settings to each group of devices, enhancing security and performance.

Default Agent Group

When new agents are enrolled in Wazuh, they are automatically placed into a default group. This “default” group is a general category designed to provide basic monitoring and security configurations until the agent can be assigned to a more specific group based on its role or system type.

Creating Custom Agent Groups

To better manage the devices in your environment, you can create customized agent groups based on your specific needs. Here’s how you can do it:

→ Log into the Wazuh Dashboard using your credentials

→ Navigate to Endpoint Groups by clicking the menu icon in the upper-left corner and selecting “Endpoint Groups”

→ Create a new group

→ Specify the group name (e.g., “Linux Servers,” “Windows Workstations”)

→ Save the new group.

Now, you have successfully created a new agent group, ready for enrollment and assignment.

Enrolling Agents

The next step in your Wazuh setup is to deploy and enroll agents to start collecting logs and security data from your endpoints. The process is straightforward, but it requires careful attention to ensure proper communication between agents and the Wazuh Manager.

Steps to Enroll an Agent

  • From the Wazuh dashboard, click on the Wazuh icon → Add agent.

  • Select the Endpoint on which you want to install the agent (LINUX, WINDOWS, or macOS).
  • Enter the Server address (Fill in the Wazuh Manager’s Public IP).
  • Assign an agent name (Give a name for your agent).
  • Select one or more existing groups (select the custom group you created, or it will be assigned to the default group).
  • Run the following commands to download and install the agent (Run the given command in your terminal/PowerShell as admin).

  • Enable the agent service by running the following commands.

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Outbound Connectivity and Ports

Ensure the required ports are open in your firewall and properly configured on both the agent and the Wazuh Manager, so the agent can reach the manager and communication succeeds.
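The following script is an added example, not part of the original article, that performs the local checks a defender wants after the enrollment steps above: it reads the manager address the agent was given, confirms the agent has received its key, tests outbound reachability to the manager, and reports the service state. It assumes the Wazuh agent's default paths (/var/ossec/etc/ossec.conf and /var/ossec/etc/client.keys) and the default manager ports 1514/TCP (agent traffic) and 1515/TCP (enrollment), which are Wazuh defaults rather than values stated in the article; the file name agent-check.sh is hypothetical, and the reachability test needs bash (for /dev/tcp) and the coreutils timeout command.

```bash
#!/bin/sh
# Added example (not from the original article): local checks to run on a Linux endpoint
# after enrolment. Assumes the Wazuh agent default paths and the default manager ports
# 1514/TCP (agent traffic) and 1515/TCP (enrolment); these are Wazuh defaults, not values
# taken from the article. Needs bash (for /dev/tcp) and coreutils timeout.

# Manager address the agent was configured with (<client><server><address> in ossec.conf).
manager_address() {
  sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# True once the manager has issued the agent a key: client.keys holds "id name ip key".
has_agent_key() {
  [ -s "$1" ] && grep -Eq '^[0-9]+ [^ ]+ [^ ]+ [0-9a-f]+' "$1"
}

# True if a TCP connection to host:port succeeds within 3 seconds (bash /dev/tcp).
port_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Put the checks together; the two arguments let you point at copies of the files.
check_agent() {
  conf="${1:-/var/ossec/etc/ossec.conf}"
  keys="${2:-/var/ossec/etc/client.keys}"
  mgr=$(manager_address "$conf")
  if [ -z "$mgr" ]; then
    echo "no manager address in $conf: re-check the server address entered in Add agent" >&2
    return 1
  fi
  echo "manager address: $mgr"
  if has_agent_key "$keys"; then
    echo "agent key present (enrolment completed)"
  else
    echo "no agent key yet: enrolment over tcp/1515 has not completed"
  fi
  for p in 1514 1515; do
    if port_reachable "$mgr" "$p"; then
      echo "tcp/$p reachable"
    else
      echo "tcp/$p NOT reachable: check the firewall / security group in front of the manager"
    fi
  done
  if command -v systemctl >/dev/null 2>&1; then
    if systemctl is-active --quiet wazuh-agent; then
      echo "wazuh-agent service active"
    else
      echo "wazuh-agent service not active: sudo systemctl start wazuh-agent"
    fi
  fi
}

# Run the full check only when invoked as: sudo sh agent-check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_agent
fi
```

A missing key with both ports reachable usually means the agent has not been started yet; a present key with tcp/1514 unreachable explains an agent that shows as disconnected in Endpoints Summary.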

Verifying Agent Enrollment

Once the agent is deployed and the service is started, you can verify its enrollment from the Wazuh dashboard. Navigate to the “Endpoints Summary” section, where you should see a list of all enrolled agents, their status, and other relevant information.

You can verify if logs are being received from the enrolled agents by navigating to the “Discover” section, where you should see incoming logs, as shown in the snippet below.

Monitoring auditd Logs on Ubuntu

In addition to the default logs Wazuh collects, such as journald, /var/log/auth.log, and /var/log/dpkg.log, integrating auditd logs adds an extra layer of security monitoring. These logs provide valuable insights into user actions, file access, and system changes, helping detect suspicious activity or unauthorized access.

Here’s how to set up and monitor auditd logs in Wazuh.

Install auditd on Ubuntu

Install auditd:

sudo apt update
sudo apt install auditd

Enable and start the service:

sudo systemctl enable auditd
sudo systemctl start auditd
sudo systemctl status auditd

Verify auditd is Working

sudo tail -f /var/log/audit/audit.log

You should see output similar to the following.

Configure Wazuh to Collect auditd Logs

Open the Wazuh agent configuration file:

sudo vi /var/ossec/etc/ossec.conf

Add this section inside the <ossec_config> block to monitor auditd logs:

  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

Just like the snippet below.

Save the file and restart the Wazuh agent:

sudo systemctl restart wazuh-agent
Verify Logs in the Wazuh Dashboard

  • Go to the Discover section in Wazuh dashboard.
  • Search for logs from location:"/var/log/audit/audit.log" or decoder.name:"auditd", and you should see logs similar to the snippet below.

We have successfully enrolled agents and onboarded auditd logs, alongside the default logs Wazuh collects, such as journald, /var/log/auth.log, and /var/log/dpkg.log.

Upcoming

In the next article, we will learn how to use the vi/vim editor, a handy tool for managing Wazuh configurations and log files throughout this project.

Check out the next article here: Working with vi/vim Editor [DL Series-3]


Feel free to ask questions or share your feedback in the comments section — I’d love to hear from you! You can also connect with me on Gibin John to clarify any doubts or continue the conversation.

Follow my Medium profile to stay updated on the full series: Gibin John.

#wazuh #WazuhSecurity #CyberDetectionLab #WazuhSIEM #ThreatHunting #CybersecurityLab #Wazuh #SecurityMonitoring #SIEM #IncidentResponse #ThreatDetection #SecurityOps #WazuhDetection #SOCLab #CyberThreatIntel #WazuhAlerting #LogAnalysis #CyberDefense #MalwareDetection #Sysmon #SOCAnalysis
