7. Wazuh Agents - Fooster171/Wazuh-SEIM-Home-Lab GitHub Wiki
Firewall NAT Rules
Because my Wazuh server/SIEM sits outside this lab network on a private IP, we need to create NAT rules on the firewall so that the Wazuh agents can reach the Wazuh server. Wazuh uses TCP 1515 and UDP 1514 in order to communicate. I've also set up a rule for port 443 so the web UI is reachable. Sign in to the pfSense firewall, go to Firewall -> NAT and make sure you're on the "Port Forward" tab. Select "Add" and fill in these fields for each rule:
TCP 1515 - Used for Wazuh Agent Enrollment
Protocol -> TCP
Destination Port Range -> Set "From" to 1515
Redirect Target IP -> (use wazuh server IP)
Redirect Target Port -> 1515
Select Save
TCP/UDP 1514 - Used to send agent data to Wazuh
Protocol -> UDP
Destination Port Range -> Set "From" to 1514
Redirect Target IP -> (use wazuh server IP)
Redirect Target Port -> 1514
Select Save
TCP 443 - Access to the web ui
Protocol -> TCP
Destination Port Range -> Set "From" to 443
Redirect Target IP -> (use wazuh server IP)
Redirect Target Port -> 443
Select Save
UDP 514 - Used for sending Syslog info to Wazuh
Protocol -> UDP
Destination Port Range -> Set "From" to 514
Redirect Target IP -> (use wazuh server IP)
Redirect Target Port -> 514
Select Save
After making these changes the NAT screen should look like this:
Install Wazuh Agents
From within the Windows 10 User PC, open a web browser and navigate to this link: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-windows.html
Click on the "Windows Installer" link near the top of the page.
When attempting to download the file, you may be prompted with a message instructing you to add packages.wazuh.com to your trusted sites to perform the download. Do so if needed and continue to download the file.
Accept the license agreement and click install.
You should receive a prompt to run the Wazuh interface but I couldn’t get that to work. Instead I navigated to C:\Program Files (x86)\ossec-agent and ran the "win32ui" file. From there, specify the IP address of the Wazuh server. I left the authentication key section alone.
Next, open up the Wazuh server in a web browser. From the Wazuh menu, select "Agents":
On the right side of the screen select "Deploy new agents"
On this screen, use the selectors to choose the Windows edition, specify the IP address of the Wazuh server, and assign whatever agent name and group name you want. This generates a PowerShell command at the bottom of the page that you can copy and execute on the Windows machine. The screenshot also shows a second command you need to run to start the agent:
After running the first command, it may be best to wait a moment. I ran the "NET START Wazuh" command immediately afterwards and received an error instead. Waiting a moment and trying it again (or running both commands again) fixed it and produced the following output:
Once again, if you navigate to the Wazuh menu and select "Agents", you should now see the newly added device registered with the server:
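To confirm that the NAT rules above and the agent install actually line up, here is a post-deployment check script for the Windows 10 User PC. It is an added example and not part of the wiki or of Wazuh's own tooling. It assumes the manager IP is passed in (192.0.2.10 below is a placeholder) and that the agent was installed to the default C:\Program Files (x86)\ossec-agent path mentioned earlier. Test-NetConnection can only prove the TCP forwards (1515, 1514, 443); the UDP 1514 and UDP 514 forwards cannot be verified this way, so the script instead reads the address, port and protocol the agent is configured to use from ossec.conf so you can compare them against the pfSense rules you created.

```powershell
<#
  Wazuh agent post-deployment check (added example, not from the wiki).
  Assumptions:
    - $ManagerIp is the Wazuh server reached through the pfSense port forwards.
    - The agent lives in the default install directory from the wiki.
  Run from an elevated PowerShell prompt on the agent machine.
#>
param(
    [string]$ManagerIp = "192.0.2.10",   # placeholder: replace with the Wazuh server IP
    [string]$AgentDir  = "C:\Program Files (x86)\ossec-agent"
)

$results = @()

# 1. TCP reachability through the firewall NAT rules.
#    Only TCP can be tested here; UDP forwards (1514/514) are not exercised.
$tcpPorts = [ordered]@{ 1515 = "agent enrollment"; 1514 = "agent data"; 443 = "web UI" }
foreach ($port in $tcpPorts.Keys) {
    $ok = (Test-NetConnection -ComputerName $ManagerIp -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    $results += [pscustomobject]@{
        Check  = "TCP $port ($($tcpPorts[$port]))"
        Status = if ($ok) { "reachable" } else { "BLOCKED - check the pfSense port forward" }
    }
}

# 2. Agent configuration: which manager address/port/protocol the agent will use.
#    ossec.conf may contain several top-level <ossec_config> blocks, so wrap it in a
#    single root element before parsing it as XML.
$confPath = Join-Path $AgentDir "ossec.conf"
if (Test-Path $confPath) {
    [xml]$conf = "<root>" + (Get-Content -Raw $confPath) + "</root>"
    foreach ($srv in $conf.root.ossec_config.client.server) {
        $results += [pscustomobject]@{
            Check  = "ossec.conf server entry"
            Status = "$($srv.address):$($srv.port)/$($srv.protocol)" +
                     $(if ($srv.address -ne $ManagerIp) { "  <-- does not match -ManagerIp" } else { "" })
        }
    }
} else {
    $results += [pscustomobject]@{ Check = "ossec.conf"; Status = "missing at $confPath" }
}

# 3. Enrollment: a populated client.keys means the TCP 1515 enrollment succeeded.
$keys = Join-Path $AgentDir "client.keys"
$enrolled = (Test-Path $keys) -and ((Get-Item $keys).Length -gt 0)
$results += [pscustomobject]@{
    Check  = "client.keys (enrollment)"
    Status = if ($enrolled) { "present" } else { "empty or missing - re-run the deploy command" }
}

# 4. Service state, with the short wait the wiki found necessary after installation.
#    Match on either the service name or the display name used by "NET START Wazuh".
$svc = Get-Service | Where-Object { $_.Name -eq "WazuhSvc" -or $_.DisplayName -eq "Wazuh" } |
       Select-Object -First 1
if ($null -eq $svc) {
    $results += [pscustomobject]@{ Check = "Wazuh service"; Status = "not installed" }
} elseif ($svc.Status -ne "Running") {
    Start-Sleep -Seconds 5
    try {
        Start-Service -Name $svc.Name -ErrorAction Stop
        $svc.Refresh()
        $results += [pscustomobject]@{ Check = "Wazuh service"; Status = "started ($($svc.Status))" }
    } catch {
        $results += [pscustomobject]@{ Check = "Wazuh service"; Status = "failed to start: $($_.Exception.Message)" }
    }
} else {
    $results += [pscustomobject]@{ Check = "Wazuh service"; Status = "running" }
}

# 5. Last few agent log lines, useful when the agent shows as disconnected in the dashboard.
$log = Join-Path $AgentDir "ossec.log"
if (Test-Path $log) { Get-Content $log -Tail 5 | ForEach-Object { "  log: $_" } }

$results | Format-Table -AutoSize
```

If the TCP checks pass but the agent still shows as disconnected in the Agents view, compare the protocol printed from ossec.conf with the pfSense rule for 1514: a forward created for UDP only will not carry an agent configured for TCP, and vice versa.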