The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.
The agent developed considering the need to monitor a wide variety of different endpoints without impacting their performance. Therefore, it is supported on the most popular operating systems and only requires about 0.1 GB of RAM
Deploying Wazuh agents on Linux systems
So, The agent runs on the host you want to monitor and communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.
The deployment of a Wazuh agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the Wazuh agent package directly
Add the Wazuh repository to download the official packages.
Import the GPG key:
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
cat > /etc/yum.repos.d/wazuh.repo << EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-\$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
To deploy the Wazuh agent to your system, select your package manager and edit the
WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname.
WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
Please don’t forget to update /etc/hosts on both Servers with IP and hostname of Server and agent
Enable and start the Wazuh agent service
systemctl daemon-reload systemctl enable wazuh-agent systemctl start wazuh-agent
The deployment process is now complete and the Wazuh agent is successfully running on your Linux system.
Recommended action – Disable Wazuh updates
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
Uninstall a Wazuh agent
To uninstall the agent, select your package manager and run the following command.
yum remove wazuh-agent
Some files marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the
Before you check the agent’s connection with the manager, first ensure the agent is pointing to the manager’s IP address. This is set in
ossec.conf using the
<client> XML tag. For more on this
<ossec_config> <client> <server> <address>10.0.0.10</address> <protocol>tcp</protocol> </server> </client> </ossec_config>
This will set 10.0.0.10 as the Wazuh server. Once this is done, you will need to restart the Agent:
systemctl restart wazuh-agent
After you register the agent and it successfully connected, you can see a list of agents that are_ connected to the manager with
You can also check to see if an agent connected correctly by verifying if the TCP connection to the manager established:
netstat -vatunp|grep wazuh-agentd
Verify the agent has properly connected:
# grep ^status /var/ossec/var/run/wazuh-agentd.state
The result should match the agent and manager IP addresses.