Wazuh agent
The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.
The agent was developed to monitor a wide variety of endpoints without impacting their performance. Therefore, it is supported on the most popular operating systems and only requires about 0.1 GB of RAM.
Deploying Wazuh agents on Linux systems
The agent runs on the host you want to monitor and communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.
The deployment of a Wazuh agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the Wazuh agent package directly
Add the Wazuh repository
Add the Wazuh repository to download the official packages.
Import the GPG key:
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Deploy a Wazuh agent
To deploy the Wazuh agent to your system, select your package manager and edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname. Set the variable on the same line as the install command so that the package's install scripts see it.
WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
Remember to update /etc/hosts on both servers with the IP addresses and hostnames of the server and the agent.
Enable and start the Wazuh agent service
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
The deployment process is now complete and the Wazuh agent is successfully running on your Linux system.
Recommended action – Disable Wazuh updates
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
Uninstall a Wazuh agent
To uninstall the agent, select your package manager and run the following command.
yum remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.
Checking connection with Manager
Before you check the agent’s connection with the manager, first ensure the agent is pointing to the manager’s IP address. This is set in ossec.conf using the <client> XML tag. For more on this
<ossec_config>
<client>
<server>
<address>10.0.0.10</address>
<protocol>tcp</protocol>
</server>
</client>
</ossec_config>
This sets 10.0.0.10 as the Wazuh server. Once this is done, restart the agent:
systemctl restart wazuh-agent
After you register the agent and it has successfully connected, you can list the agents that are connected to the manager by running this on the manager:
/var/ossec/bin/agent_control -lc
You can also check whether an agent has connected correctly by verifying that the TCP connection to the manager is established:
netstat -vatunp|grep wazuh-agentd
Or verify in the agent's state file that it has properly connected:
grep ^status /var/ossec/var/run/wazuh-agentd.state
The netstat result should match the agent and manager IP addresses.
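The checks in this section can be combined into one script that flags an agent pointed at the wrong manager or not yet connected, either of which leaves the host unmonitored. This is an added example, not part of the original page or Wazuh's own tooling; the function names and sample file contents are constructed, and the state file is assumed to carry a status='...' line as the grep command above implies.

```shell
# Added example: all file contents below are constructed samples.

# Print the first <address> value in ossec.conf (the manager the agent points to).
manager_address() {
    sed -n 's:.*<address>\(.*\)</address>.*:\1:p' "$1" | head -n 1
}

# Print the status value from wazuh-agentd.state (assumed format: status='...').
agent_status() {
    sed -n "s/^status='\(.*\)'.*/\1/p" "$1" | head -n 1
}

# check_agent CONF STATE EXPECTED_MANAGER
# Prints a one-word verdict and returns non-zero unless the agent is
# configured for the expected manager and reports status 'connected'.
check_agent() {
    addr=$(manager_address "$1")
    state=$(agent_status "$2")
    if [ "$addr" != "$3" ]; then
        echo "wrong-manager"; return 1
    elif [ "$state" != "connected" ]; then
        echo "not-connected"; return 2
    fi
    echo "ok"
}

# Constructed sample files standing in for the real agent files.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ossec.conf" << 'EOF'
<ossec_config>
  <client>
    <server>
      <address>10.0.0.10</address>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/connected.state" << 'EOF'
# Agent status:
status='connected'
last_keepalive='2024-01-01 12:00:00'
EOF
printf "status='pending'\n" > "$SAMPLE_DIR/pending.state"

check_agent "$SAMPLE_DIR/ossec.conf" "$SAMPLE_DIR/connected.state" 10.0.0.10
check_agent "$SAMPLE_DIR/ossec.conf" "$SAMPLE_DIR/pending.state" 10.0.0.10 || true
check_agent "$SAMPLE_DIR/ossec.conf" "$SAMPLE_DIR/connected.state" 10.0.0.2 || true
```

On a real agent, pass /var/ossec/etc/ossec.conf, /var/ossec/var/run/wazuh-agentd.state and the manager address you intended to configure.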