Deployment variables for Windows

For an agent to be fully deployed and connected to the ThreatLockDown server, it needs to be installed, registered, and configured. The installers can use variables that allow configuration provisioning to make the process simple.

Below you can find a table describing the variables used by ThreatLockDown installers on Windows and a few examples of how to use them.

Option

Description

WAZUH_MANAGER

Specifies the manager IP address or hostname. If you want to specify multiple managers, you can add them separated by commas. See address.

WAZUH_MANAGER_PORT

Specifies the manager connection port. See port.

WAZUH_PROTOCOL

Sets the communication protocol between the manager and the agent. Accepts UDP and TCP. The default is TCP. See protocol.

WAZUH_REGISTRATION_SERVER

Specifies the ThreatLockDown registration server used for the agent registration. See manager_address. If empty, the value set in WAZUH_MANAGER will be used.

WAZUH_REGISTRATION_PORT

Specifies the port used by the ThreatLockDown registration server. See port.

WAZUH_REGISTRATION_PASSWORD

Sets the registration password by storing it in the authd.pass file. See authorization_pass_path.

WAZUH_KEEP_ALIVE_INTERVAL

Sets the time between agent checks for manager connection. See notify_time.

WAZUH_TIME_RECONNECT

Sets the time interval for the agent to reconnect with the ThreatLockDown manager when connectivity is lost. See time-reconnect.

WAZUH_REGISTRATION_CA

Host SSL validation need of Certificate of Authority. This option specifies the CA path. See server_ca_path.

WAZUH_REGISTRATION_CERTIFICATE

The SSL agent verification needs a CA signed certificate and the respective key. This option specifies the certificate path. See agent_certificate_path.

WAZUH_REGISTRATION_KEY

Specifies the key path completing the required variables with WAZUH_REGISTRATION_CERTIFICATE for the SSL agent verification process. See agent_key_path.

WAZUH_AGENT_NAME

Designates the agent's name. By default it will be the computer name. See agent_name.

WAZUH_AGENT_GROUP

Assigns the agent to one or more existing groups (separated by commas). See agent_groups.

ENROLLMENT_DELAY

Assigns the time that agentd should wait after a successful registration. See delay_after_enrollment.

/l installer.log

Generates a log of the installation process.

/l*v installer.log

Generates a log of the installation process, including verbose messages.

Note

In PowerShell, use """ or '"" if the deployment variable contains spaces. For example, WAZUH_REGISTRATION_PASSWORD="""TOP SECRET"""

Below there are some examples to install and register a Windows agent.

Registration with password:

wazuh-agent-4.9.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" WAZUH_AGENT_NAME="W2012"

Registration with password and assigning a group:

wazuh-agent-4.9.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" WAZUH_AGENT_GROUP="my-group"

Registration with relative path to CA. It will be searched at your ThreatLockDown installation folder:

wazuh-agent-4.9.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="W2019" WAZUH_REGISTRATION_CA="rootCA.pem"

Absolute paths to CA, certificate or key that contain spaces can be written as shown below:

wazuh-agent-4.9.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_KEY="C:\Progra~2\sslagent.key" WAZUH_REGISTRATION_CERTIFICATE="C:\Progra~2\sslagent.cert"

The number "2" means that the file will be searched at the second occurrence of the "Progra" word, thus, the key and certificate would be searched at the folder "C:\Program Files (x86)". In case this number was "1", it would be searched at "Program Files".

Note

It's necessary to use both WAZUH_REGISTRATION_KEY and WAZUH_REGISTRATION_CERTIFICATE options to verify agents via SSL. See the verify hosts with SSL section.

Registration with protocol:

wazuh-agent-4.9.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="W2016" WAZUH_PROTOCOL="udp"

Warning

In Windows versions older than Windows Server 2008 or Windows 7, it's necessary to run the wazuh-authd program on the ThreatLockDown manager with the -a flag or set the <ssl_auto_negotiate> option to yes on the auth configuration to avoid compatibility errors.