windows-agent.md

File metadata and controls

232 lines (141 loc) · 8.43 KB

Windows Enrollment Guide

This guide walks you through the process of enrolling a Windows system with the Wazuh Manager. By following these steps, you will install and configure necessary components, ensuring secure communication between the Wazuh Agent and the Wazuh Manager.

Prerequisites

  • Internet Connectivity: Verify that the system is connected to the internet.
  • Administrator Privileges: Ensure you open PowerShell in Administrator mode.

Step by step process

Step 0: Set Execution Policy

Set the execution policy to RemoteSigned to allow PowerShell scripts to run.

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

When prompted, respond with A [Yes to All] to apply the execution policy.

Step 1: Download and Run the Setup Script

Download the setup script from the repository and run it to configure the Wazuh agent with the necessary parameters for secure communication with the Wazuh Manager.

$env:WAZUH_MANAGER = "manager.wazuh.adorsys.team"
Invoke-WebRequest -UseBasicParsing -Uri 'https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-agent/refs/heads/main/scripts/setup-agent.ps1' | Invoke-Expression
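Piping a freshly downloaded script straight into Invoke-Expression runs whatever the URL serves at that moment, with no record of what was executed. The following is an added example, not part of the ADORSYS-GIS/wazuh-agent repository: it saves the script to disk, records its SHA-256, lets you review it, and only then runs it. It assumes setup-agent.ps1 behaves the same when run from a file, and the expected hash is a placeholder you replace with the value approved by your team.

```powershell
# Added example: download, hash, review, then run the Wazuh setup script.
$ErrorActionPreference = 'Stop'

$ScriptUri  = 'https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-agent/refs/heads/main/scripts/setup-agent.ps1'
$ScriptPath = Join-Path $env:TEMP 'setup-agent.ps1'

# Placeholder: replace with the SHA-256 your team has approved for this script.
$ExpectedSha256 = '<APPROVED-SHA256-PLACEHOLDER>'

# Fetch the script to disk instead of piping it into Invoke-Expression.
Invoke-WebRequest -UseBasicParsing -Uri $ScriptUri -OutFile $ScriptPath

# Record what was downloaded so the run can be audited later.
$actual = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
Write-Host "Downloaded: $ScriptPath"
Write-Host "SHA-256:    $actual"

# Refuse to run if an approved hash is set and it does not match.
if ($ExpectedSha256 -ne '<APPROVED-SHA256-PLACEHOLDER>' -and $actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch (expected $ExpectedSha256, got $actual); not running the script."
}

# Page through the script so it can be reviewed before execution.
Get-Content -Path $ScriptPath | more

# Same manager setting the guide uses; assumption: the script reads it from the environment.
$env:WAZUH_MANAGER = 'manager.wazuh.adorsys.team'
& $ScriptPath
```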

Step 2: GNU sed Installation

During the dependency installation, a pop-up running the GNU sed installer will appear.

Please choose the options shown in the images below to install GNU sed

i. In order for the installation to begin you need to accept GNU's license agreement.

ii. Please install sed in the default location (C:\Program Files (x86)\GnuWin32)

iii. Select Full Installation in the drop-down, with both binaries and documentation selected.

iv. Please select Next.

v. Please uncheck both additional icon options.

vi. The GNU Sed installation is now finished.

The installation will now continue.

Step 3: Snort Installation

For Snort, a pop-up window will appear to perform the installation. Please follow these steps:

i. Snort has been installed. Please click OK to continue installation and install Npcap.

ii. Please click Finish once Npcap installation is complete.

iii. Installation will now continue:

Step 4: Restart Your PowerShell Terminal in Administrator Mode

This is a very important step; the installation will not work correctly if it is skipped.

Step 5: Enrolling your agent with cert-oauth2

1. Generate the Enrollment URL

Run the following command to start the enrollment process:

& 'C:\Program Files (x86)\ossec-agent\wazuh-cert-oauth2-client.exe' o-auth2

This command will generate a URL. Copy the link and paste it into your web browser.

2. Authentication via browser

  • i. Login: You will be presented with a login page. Log in using one of the Active Directories (Adorsys GIS or adorsys GmbH & CO KG), which will generate an authentication token using Keycloak.

  • ii. Two-Factor Authentication: For first-time logins, authentication via an authenticator is required.

  • iii. Token generation: After successful authentication, a token will be generated.

3. Complete the Enrollment

Return to the command line and complete the enrollment process using the generated token.

4. Reboot your Device

Reboot your device to apply the changes.

Step 6: Validate the Installation

After completing the agent enrollment, verify that the agent is properly connected and functioning:

1. Check the Agent Status:

Look for the Wazuh icon in the system tray to confirm that the agent is running and connected.

2. Verify Agent Logs:

Check the Wazuh agent logs to ensure there are no errors:

Get-Content 'C:\Program Files (x86)\ossec-agent\ossec.log' -Tail 20


3. Check the Agent Service:

Run the following command:

Get-Service -Name "Wazuh"

4. Check the Wazuh Manager Dashboard:

Ping an admin for confirmation that the agent appears in the Wazuh Manager dashboard.

Checklist of Elements Installed and Configured During Agent Enrollment

i. Components Installed by the Script:

1. Wazuh Dependencies:

The dependencies installed for the wazuh-agent and other components include:

2. Wazuh Agent: Monitors your endpoint and sends data to the Wazuh Manager. The agent is installed and configured to connect to the specified manager (WAZUH_MANAGER).

3. OAuth2 Authentication Client: Adds certificate-based OAuth2 authentication for secure communications.

4. Wazuh Agent Status: Provides real-time health and connection status of the agent.

5. Yara: Enables advanced file-based malware detection by integrating Yara rules into Wazuh.

6. Snort: Adds network intrusion detection capabilities to monitor suspicious traffic.

The setup agent script defaults the Wazuh manager to: events.dev.wazuh.adorsys.team

ii. Tools Installed:

  • YARA

    yara64 -v

  • Snort

    snort -V

  • Agent Status

    Select-String -Path 'C:\Program Files (x86)\ossec-agent\wazuh-agent.state' -Pattern '^status'

    OR

    Get-Service -Name "Wazuh"
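The checks in Step 6 and the tool commands above can be run as one post-enrollment health check. This is an added example, not a script from the project: it uses the paths and service name the guide gives, and assumes the status line in wazuh-agent.state reads status='connected' when the agent is enrolled and that Wazuh marks log problems with ERROR or CRITICAL.

```powershell
# Added example: consolidated validation of a freshly enrolled Wazuh agent.
$AgentDir  = 'C:\Program Files (x86)\ossec-agent'
$LogPath   = Join-Path $AgentDir 'ossec.log'
$StatePath = Join-Path $AgentDir 'wazuh-agent.state'
$failed    = $false

# 1. Service state (Step 6, item 3).
$svc = Get-Service -Name 'Wazuh' -ErrorAction SilentlyContinue
if ($null -eq $svc)                  { Write-Warning 'Wazuh service not found'; $failed = $true }
elseif ($svc.Status -ne 'Running')   { Write-Warning "Wazuh service is $($svc.Status)"; $failed = $true }
else                                 { Write-Host 'Wazuh service: Running' }

# 2. Connection status reported by the agent itself (Tools Installed, Agent Status).
#    Assumption: the line looks like status='connected' once enrollment succeeded.
if (Test-Path $StatePath) {
    $statusLine = (Select-String -Path $StatePath -Pattern '^status').Line
    Write-Host "Agent state: $statusLine"
    if ($statusLine -notmatch 'connected') { Write-Warning 'Agent is not connected'; $failed = $true }
} else { Write-Warning "State file missing: $StatePath"; $failed = $true }

# 3. Recent errors in ossec.log (Step 6, item 2). Assumption: ERROR/CRITICAL tags.
if (Test-Path $LogPath) {
    $hits = Get-Content -Path $LogPath -Tail 200 | Select-String -Pattern 'ERROR|CRITICAL'
    if ($hits) {
        Write-Warning "$($hits.Count) error line(s) in the last 200 log lines:"
        $hits | ForEach-Object { Write-Warning $_.Line }
        $failed = $true
    } else { Write-Host 'No ERROR/CRITICAL lines in the last 200 log lines' }
} else { Write-Warning "Log file missing: $LogPath"; $failed = $true }

# 4. Bundled tools respond to their version flags (Tools Installed list).
foreach ($tool in @(@{ Name = 'yara64'; Arg = '-v' }, @{ Name = 'snort'; Arg = '-V' })) {
    if (Get-Command $tool.Name -ErrorAction SilentlyContinue) {
        $banner = & $tool.Name $tool.Arg 2>&1 | Where-Object { "$_".Trim() } | Select-Object -First 1
        Write-Host "$($tool.Name): $banner"
    } else { Write-Warning "$($tool.Name) not found on PATH"; $failed = $true }
}

if ($failed) { Write-Warning 'Validation FAILED; review the warnings above'; exit 1 }
Write-Host 'Validation passed'
```

The dashboard check (Step 6, item 4) still needs an administrator to confirm the agent is listed on the manager side.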

iii. Installation Validation:

  • Test registration successful
  • Logs reviewed for errors
  • Cleanup Completed

Troubleshooting

  • If the enrollment URL fails to generate, check internet connectivity and script permissions.

  • For errors during authentication, ensure Active Directory credentials are correct and two-factor authentication is set up.

  • Consult the Wazuh logs (C:\Program Files (x86)\ossec-agent\ossec.log) for detailed error messages.

    Get-Content 'C:\Program Files (x86)\ossec-agent\ossec.log' -Tail 20

Additional Resources