Starting point: a Wazuh manager already running on an AWS EC2 instance. No agents connected. The goal was to install the Windows agent, connect it to the manager, and start feeding real logs into the SIEM. Everything that follows — detection rules, correlations, attack chains — depends on getting this right first.
Step 1 — Locking down the network
Before installing anything, the AWS Security Group on the EC2 instance needed configuring. The principle is simple: only allow the specific traffic you need from the specific sources that need it.
Wazuh agents communicate on two ports:
| Port | Protocol | Purpose |
|---|---|---|
| 1514 | TCP + UDP | Log forwarding — the ongoing stream of events |
| 1515 | TCP | Agent registration — the one-time identity handshake |
Both rules were set with the laptop's public IP as the source — not open to the internet. Port 443 for the dashboard was left open to anywhere for browser access.
Step 2 — Installing the agent on Windows
One PowerShell command run as Administrator handles the full install. The /q flag makes it silent. The WAZUH_MANAGER parameter bakes the server IP in at install time.
```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi `
    -OutFile $env:tmp\wazuh-agent.msi
msiexec.exe /i $env:tmp\wazuh-agent.msi /q `
    WAZUH_MANAGER='<EC2_IP>' WAZUH_AGENT_NAME='my-laptop'
```
Start and verify the service:
```powershell
NET START WazuhSvc
Get-Service WazuhSvc
```
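The same install as a script that checks what the one-liner does not: it refuses the MSI unless its Authenticode signature verifies, checks the msiexec exit code, and waits for the service to reach Running before printing its state. This is an added example, not code from the original post; it assumes an elevated PowerShell session, that `<EC2_IP>` is replaced with the manager's public IP, and that the installer carries a valid Authenticode signature (the script stops if it does not).

```powershell
# Added example (not from the original post): download the agent MSI from the
# post's URL, refuse it unless its Authenticode signature verifies, install it
# silently, and wait for the service to reach Running.
# Assumptions: elevated PowerShell; $ManagerIp is the manager's public IP;
# the installer carries a valid Authenticode signature (the script stops if not).
param(
    [Parameter(Mandatory)] [string] $ManagerIp,
    [string] $AgentName = $env:COMPUTERNAME,
    [string] $MsiUrl = 'https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi'
)
$msi = Join-Path $env:TEMP 'wazuh-agent.msi'
Invoke-WebRequest -Uri $MsiUrl -OutFile $msi

# Do not run an installer whose signature does not verify; print who signed it.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') { throw "Installer signature check failed: $($sig.Status)" }
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# Same flags as the post's command; wait for msiexec and check its exit code
# (0 = success, 3010 = success but a reboot is pending).
$msiArgs = @('/i', "`"$msi`"", '/q', "WAZUH_MANAGER=$ManagerIp", "WAZUH_AGENT_NAME=$AgentName")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec exited with code $($proc.ExitCode)" }

Start-Service -Name WazuhSvc
# Block until the service reports Running (throws after 30 s if it does not).
(Get-Service -Name WazuhSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Get-Service -Name WazuhSvc

# Confirm the manager address was baked into ossec.conf at install time.
Select-String -Path 'C:\Program Files (x86)\ossec-agent\ossec.conf' -Pattern '<address>'
```

Run it as `.\install-agent.ps1 -ManagerIp <EC2_IP>`; the agent name defaults to the machine's hostname instead of the post's `my-laptop`.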
Step 3 — The connection problem
The agent showed as Never Connected in the dashboard. Reading the agent log identified the issue immediately:
```powershell
Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" -Wait -Tail 20
```
Port 1515 registration succeeded. Port 1514 TCP was timing out — the Security Group had 1514 as UDP only. Adding the TCP rule fixed it within seconds:
```
INFO: Connected to the server
INFO: Agent is now online
```
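The Step 1 rule set and the Step 3 failure are the same check from two sides: the three rules the agent needs either exist with the laptop's IP as source, or one of them is missing or opened too wide. The script below is an added example, not code from the original post. It audits a Security Group's inbound rules against those three rules and, run without `-Live`, uses a constructed sample that reproduces the Step 3 state (1514 UDP only). With `-Live` it reads the real rules through the AWS CLI, which is assumed to be installed and configured; the group id and source CIDR are placeholders.

```powershell
# Added example (not from the original post): audit a Security Group's inbound
# rules against the three Wazuh agent rules from Step 1, flagging a missing
# rule (the Step 3 failure) or one opened to 0.0.0.0/0.
# Assumptions: the AWS CLI is installed and has credentials when -Live is used;
# the group id and source CIDR below are placeholders.
param(
    [switch] $Live,
    [string] $GroupId = 'sg-PLACEHOLDER',
    [string] $AllowedSource = '203.0.113.10/32'   # your laptop's public IP as a /32
)

# What the agent needs: 1514 TCP+UDP (log forwarding) and 1515 TCP (registration).
$Required = @(
    @{ Port = 1514; Protocol = 'tcp' },
    @{ Port = 1514; Protocol = 'udp' },
    @{ Port = 1515; Protocol = 'tcp' }
)

function Test-WazuhIngress {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $IpPermissions,  # SecurityGroups[0].IpPermissions
        [Parameter(Mandatory)] [string] $Source
    )
    $findings = @()
    foreach ($req in $Required) {
        # Rules with the right protocol whose port range covers the required port.
        $matching = @($IpPermissions | Where-Object {
            $_.IpProtocol -eq $req.Protocol -and $_.FromPort -le $req.Port -and $_.ToPort -ge $req.Port
        })
        if ($matching.Count -eq 0) {
            $findings += "MISSING: $($req.Port)/$($req.Protocol) has no inbound rule"
            continue
        }
        foreach ($range in ($matching | ForEach-Object { $_.IpRanges })) {
            if ($range.CidrIp -eq '0.0.0.0/0') {
                $findings += "OPEN: $($req.Port)/$($req.Protocol) is reachable from the whole internet"
            } elseif ($range.CidrIp -ne $Source) {
                $findings += "UNEXPECTED: $($req.Port)/$($req.Protocol) allows $($range.CidrIp), expected $Source"
            }
        }
    }
    # An "all traffic" rule (IpProtocol -1) covers every port, so report it separately.
    foreach ($rule in ($IpPermissions | Where-Object { $_.IpProtocol -eq '-1' })) {
        foreach ($range in $rule.IpRanges) {
            $findings += "ALL TRAFFIC: every port is open from $($range.CidrIp)"
        }
    }
    return $findings
}

if ($Live) {
    # Out-String joins the CLI's multi-line JSON so ConvertFrom-Json receives one document.
    $sg = aws ec2 describe-security-groups --group-ids $GroupId --output json | Out-String | ConvertFrom-Json
    $permissions = $sg.SecurityGroups[0].IpPermissions
} else {
    # Constructed sample reproducing the Step 3 state: 1514 UDP only, 1515 TCP, 443 open to all.
    $permissions = @(
        [pscustomobject]@{ IpProtocol = 'udp'; FromPort = 1514; ToPort = 1514; IpRanges = @([pscustomobject]@{ CidrIp = $AllowedSource }) },
        [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 1515; ToPort = 1515; IpRanges = @([pscustomobject]@{ CidrIp = $AllowedSource }) },
        [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 443;  ToPort = 443;  IpRanges = @([pscustomobject]@{ CidrIp = '0.0.0.0/0' }) }
    )
}

$findings = @(Test-WazuhIngress -IpPermissions $permissions -Source $AllowedSource)
if ($findings.Count -eq 0) {
    Write-Host "OK: 1514 tcp/udp and 1515 tcp are restricted to $AllowedSource"
} else {
    $findings | ForEach-Object { Write-Warning $_ }   # sample data yields: MISSING: 1514/tcp has no inbound rule
}
```

Port 443 is deliberately left out of the required set, matching the post's choice to keep the dashboard reachable from anywhere, so its 0.0.0.0/0 rule produces no finding.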
What connected immediately
Without any additional configuration the agent started doing real work:
- Security Configuration Assessment — 395 CIS Windows 11 benchmark checks in 8 seconds
- File Integrity Monitoring — watching critical paths for changes
- Rootcheck — scanning for rootkits
- Syscollector — inventorying running processes, open ports, installed software
Key commands reference
```powershell
# Start / stop / status
NET START WazuhSvc
NET STOP WazuhSvc
Get-Service WazuhSvc
# Watch live log
Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" -Wait -Tail 20
# Confirm manager IP in config
type "C:\Program Files (x86)\ossec-agent\ossec.conf" | findstr "address"
```
One thing to know about EC2
When an EC2 instance stops and starts it gets a new public IP. The agent config needs updating manually each time — update the IP in ossec.conf, update the Security Group source IP, restart the agent. Build a checklist for this to avoid missing steps.
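The agent-side half of that checklist, as a script that is an added example rather than code from the original post: it swaps the manager address in ossec.conf (after a backup and an IPv4 sanity check), restarts the service, and watches only the log lines written after the restart for the "Connected to the server" message. It assumes an elevated PowerShell session, the default install path from the post, and that ossec.conf carries a single `<client><server><address>` element (the layout the MSI writes); the Security Group update stays a separate step on the AWS side.

```powershell
# Added example (not from the original post): after an EC2 stop/start, point the
# agent at the manager's new public IP and confirm it reconnects. The Security
# Group change is a separate step done on the AWS side.
# Assumptions: elevated PowerShell; default install path from the post; ossec.conf
# carries one <client><server><address> element (the layout the MSI writes).
param(
    [Parameter(Mandatory)] [string] $NewManagerIp,
    [string] $AgentDir = 'C:\Program Files (x86)\ossec-agent'
)
$conf = Join-Path $AgentDir 'ossec.conf'
$log  = Join-Path $AgentDir 'ossec.log'

function Set-WazuhManagerAddress {
    param([string] $ConfPath, [string] $Address)
    # Refuse anything that is not a plain IPv4 address so a typo cannot land in the config.
    $parsed = $null
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or -not [System.Net.IPAddress]::TryParse($Address, [ref]$parsed)) {
        throw "Not a valid IPv4 address: $Address"
    }
    $text = Get-Content -Path $ConfPath -Raw
    $re = [regex] '(?s)(<server>\s*<address>)([^<]+)(</address>)'
    $m = $re.Match($text)
    if (-not $m.Success) { throw "No <server><address> element found in $ConfPath" }
    Copy-Item -Path $ConfPath -Destination "$ConfPath.bak" -Force
    # Replace only the first match; ${1} and ${3} keep the surrounding tags untouched.
    $updated = $re.Replace($text, '${1}' + $Address + '${3}', 1)
    # Write UTF-8 without a BOM so the agent's config parser sees the same encoding as before.
    [System.IO.File]::WriteAllText($ConfPath, $updated, (New-Object System.Text.UTF8Encoding($false)))
    return $m.Groups[2].Value.Trim()
}

$previous = Set-WazuhManagerAddress -ConfPath $conf -Address $NewManagerIp
Write-Host "ossec.conf: manager address $previous -> $NewManagerIp (backup: $conf.bak)"
# Same check as the reference section, to confirm the file now carries the new address.
Select-String -Path $conf -Pattern '<address>' | ForEach-Object { $_.Line.Trim() }

# Remember where the log ends, so only lines written after the restart count.
$before = @(Get-Content -Path $log).Count
Restart-Service -Name WazuhSvc
$deadline = (Get-Date).AddSeconds(60)
do {
    Start-Sleep -Seconds 5
    $connected = Get-Content -Path $log | Select-Object -Skip $before |
                 Select-String -Pattern 'Connected to the server' | Select-Object -First 1
} until ($connected -or (Get-Date) -gt $deadline)

if ($connected) {
    Write-Host "Agent reconnected: $($connected.Line)"
} else {
    Write-Warning "No reconnect within 60 s. Re-check the IP in ossec.conf and that the Security Group still allows this host on 1514 tcp/udp and 1515 tcp."
}
```

Run it as `.\repoint-agent.ps1 -NewManagerIp <EC2_IP>`; if the reconnect warning fires, the Security Group is the next thing to check, exactly as in Step 3.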