Groups in Wazuh let you apply a centralized ossec.conf configuration to multiple agents at once. Create a group from the dashboard or with the CLI, assign agents, and the server automatically distributes the configuration without touching each machine individually.
What are groups in Wazuh and what are they for?
In this guide I'll show you how to configure groups in Wazuh to organize your agents and apply centralized configurations. Groups are essential when you manage many agents of different types (Windows, Linux, databases, web servers, etc.).
What are Wazuh groups used for?
Groups in Wazuh let you organize agents by their type or function and apply specific configurations to each group. This is essential to manage environments with many agents efficiently.
Instead of configuring each agent individually, you define the configuration once at the group level and every agent that belongs to that group receives it automatically.
Examples of groups by system type
Some typical examples of groups you can create:
- windows - All Windows machines (desktops, servers)
- linux - Linux servers and machines
- databases - Database servers (MySQL, PostgreSQL, MongoDB)
- webservers - Web servers (Apache, Nginx, IIS)
- production - Production systems (stricter monitoring)
- development - Development/testing systems
- dmz - Servers in the demilitarized zone
Tip: An agent can belong to several groups. For example, a server can be in the "linux" group and also in "webservers" and "production".
Centralized configuration per group
The main advantage of groups is that you can define an ossec.conf configuration that is automatically applied to every agent in the group. When you modify the group configuration on the server, all agents receive it.
Location of group configurations (on the Wazuh server)
/var/ossec/etc/shared/
Inside this folder you'll find a subfolder for each group:
/var/ossec/etc/shared/default/ # Default group (all agents)
/var/ossec/etc/shared/windows/ # windows group
/var/ossec/etc/shared/linux/ # linux group
/var/ossec/etc/shared/databases/ # databases group
/var/ossec/etc/shared/webservers/ # webservers group
The agent.conf file
Each group has an agent.conf file containing the configuration that will be pushed to the agents in that group:
/var/ossec/etc/shared/linux/agent.conf
Example agent.conf for the Linux group
Typical configuration for Linux servers that monitors Apache logs and critical directories:
<agent_config>
  <!-- Monitor Apache logs -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  <!-- Monitor Nginx logs -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
  <!-- File Integrity Monitoring -->
  <syscheck>
    <frequency>300</frequency>
    <directories check_all="yes">/etc</directories>
    <directories check_all="yes">/var/www</directories>
    <directories check_all="yes">/usr/bin</directories>
  </syscheck>
</agent_config>
Example agent.conf for the Databases group
Configuration for database servers (MySQL/MariaDB):
<agent_config>
  <!-- MySQL logs -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mysql/error.log</location>
  </localfile>
  <!-- PostgreSQL logs -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/postgresql/postgresql-*.log</location>
  </localfile>
  <!-- Monitor DB configuration files -->
  <syscheck>
    <frequency>300</frequency>
    <directories check_all="yes">/etc/mysql</directories>
    <directories check_all="yes">/etc/postgresql</directories>
  </syscheck>
</agent_config>
Create groups from the Dashboard
You can create and manage groups from the Wazuh web interface:
- Open the Wazuh Dashboard
- Go to Management → Groups
- Click Add new group
- Enter the group name (e.g.: "webservers")
- Save the group
Assign agents to groups
Agents can be assigned to groups in two ways:
1. During agent installation
Using the WAZUH_AGENT_GROUP environment variable:
# Linux - assign to the "linux" group
WAZUH_MANAGER="192.168.1.100" WAZUH_AGENT_GROUP="linux" apt-get install wazuh-agent
# Linux - assign to multiple groups
WAZUH_MANAGER="192.168.1.100" WAZUH_AGENT_GROUP="linux,webservers,production" apt-get install wazuh-agent
2. From the Dashboard (already installed agents)
- Go to Agents
- Select the agent
- On the information tab, find Groups
- Assign the groups you want
Verify the configuration received by the agent
To check which configuration a Linux agent has received from its group, log in to the agent and run:
# View the shared configuration received from the server
cat /var/ossec/etc/shared/agent.conf
# View the active response definitions (ar.conf) shared by the server
cat /var/ossec/etc/shared/ar.conf
# View all the shared files received
ls -la /var/ossec/etc/shared/
Important: After modifying a group's agent.conf on the server, agents receive the new configuration automatically (it may take a few minutes). There's no need to restart the agents manually.
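Because a saved agent.conf reaches every agent in the group, it pays to lint the file before writing it under /var/ossec/etc/shared/<group>/. The Python below is an added example, not part of the original guide or of Wazuh itself; the function name and the constructed sample are assumptions, and the command-format check reflects Wazuh's default of ignoring commands pushed through agent.conf unless the agent sets logcollector.remote_commands=1.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the guide): three deliberate mistakes.
SAMPLE = """
<agent_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>df -P</command>
  </localfile>
  <syscheck>
    <frequency>5m</frequency>
  </syscheck>
</agent_config>
"""

def lint_agent_conf(text):
    """Return a list of findings for a group agent.conf (empty list = clean)."""
    try:
        # agent.conf may hold several <agent_config> blocks: wrap them in one root.
        root = ET.fromstring(f"<root>{text}</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for block in root:
        if block.tag != "agent_config":
            findings.append(f"<{block.tag}> is outside <agent_config>")
            continue
        for lf in block.iter("localfile"):
            fmt = (lf.findtext("log_format") or "").strip()
            loc = (lf.findtext("location") or "").strip()
            if not fmt:
                findings.append(f"localfile {loc or '?'}: missing <log_format>")
            if fmt in ("command", "full_command"):
                # Agents ignore pushed commands unless logcollector.remote_commands=1.
                findings.append(f"{fmt}: needs remote_commands enabled on agents")
            elif not loc:
                findings.append(f"localfile ({fmt or '?'}): missing <location>")
        for freq in block.findall("syscheck/frequency"):
            if not (freq.text or "").strip().isdigit():
                findings.append(f"syscheck frequency {freq.text!r}: not seconds")
    return findings
```

On the Wazuh server, /var/ossec/bin/verify-agent-conf runs the file through Wazuh's own parser and remains the authoritative check.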