Wazuh Admin API Authentication Guide#

Security management is a critical aspect of any infrastructure, and Wazuh provides powerful tools for monitoring and securing your environment. This guide explains how to authenticate with the Wazuh API and create an admin user with elevated privileges.

Overview#

Wazuh’s API enables administrators to interact with and manage the Wazuh server programmatically. Proper authentication is essential to ensure that only authorized users can access these powerful controls.

Base URL#

1
https://34.93.219.205:55000

Authentication Process#

1. Authenticate with Existing Credentials#

Obtain an authentication token using existing credentials:

1
curl -k -u "wazuh-wui:MyS3cr37P450r.*-" -X POST "https://34.93.219.205:55000/security/user/authenticate" \
2
-H "Content-Type: application/json"

2. Store the Authentication Token#

Save the returned token for subsequent API calls:

1
TOKEN="eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3..."

User Management#

Create a New Admin User#

1
curl -k -X POST "https://34.93.219.205:55000/security/users" \
2
-H "Content-Type: application/json" \
3
-H "Authorization: Bearer $TOKEN" \
4
-d '{
5
  "username": "ultraadmin",
6
  "password": "YourSecurePassword"
7
}'

Assign Administrator Role#

1
curl -k -X POST "https://34.93.219.205:55000/security/users/100/roles?role_ids=1" \
2
-H "Authorization: Bearer $TOKEN"

Note: Replace 100 with the actual user ID returned from the user creation response.

Enable Run As Permission#

1
curl -k -X PUT "https://34.93.219.205:55000/security/users/100/run_as?allow_run_as=true" \
2
-H "Authorization: Bearer $TOKEN"

List All Users#

1
curl -k -X GET "https://34.93.219.205:55000/security/users?pretty=true" \
2
-H "Authorization: Bearer $TOKEN"

Using the New Admin User#

Authenticate as the New Admin#

1
curl -k -u "ultraadmin:YourSecurePassword" -X POST "https://34.93.219.205:55000/security/user/authenticate" \
2
-H "Content-Type: application/json"

Make API Calls with the New Token#

1
NEW_TOKEN="eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3..."
2

3
curl -k -X GET "https://34.93.219.205:55000/agents?pretty=true" \
4
-H "Authorization: Bearer $NEW_TOKEN"

Security Best Practices#

When managing Wazuh API authentication, consider the following best practices:

Always use secure passwords: Implement strong password policies
Rotate tokens regularly: Set up a schedule for token rotation
Use HTTPS with valid certificates in production: Avoid using -k flag in production
Limit the number of admin users: Follow the principle of least privilege
Implement proper access controls: Create specific roles for different tasks
Monitor admin user activity in Wazuh logs: Set up alerts for suspicious admin actions

Token Expiration#

Tokens typically expire after a certain period. Always check for 401 errors and re-authenticate when needed. You can implement a token refresh mechanism in your scripts to handle this automatically.

Conclusion#

Properly managing authentication for your Wazuh API ensures that your security monitoring system remains secure. By creating dedicated admin users and following best practices, you can maintain the integrity of your security operations while enabling the full power of Wazuh’s API capabilities.

For more information on Wazuh API and security best practices, visit the official Wazuh documentation.