Rizwan
Senior Devops Engineer

WAZUH Agent Installation

Wazuh agent

The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.

The agent was developed with the need to monitor a wide variety of endpoints without impacting their performance in mind. Therefore, it is supported on the most popular operating systems and only requires about 0.1 GB of RAM.

Deploying Wazuh agents on Linux systems

The agent runs on the host you want to monitor and communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.

The deployment of a Wazuh agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the Wazuh agent package directly

Add the Wazuh repository

Add the Wazuh repository to download the official packages.

Import the GPG key:

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Deploy a Wazuh agent

To deploy the Wazuh agent to your system, select your package manager and edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname.

WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent

Don't forget to update /etc/hosts on both the manager and the agent with the IP address and hostname of each host.

Enable and start the Wazuh agent service

systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

The deployment process is now complete and the Wazuh agent is successfully running on your Linux system.

Recommended action – Disable Wazuh updates

sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
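The repository, installation, service and disable-updates steps above gathered into one script, as an added example that is not part of the original post or of the Wazuh project. The `REPO_FILE` override and the `WAZUH_DEPLOY=1` guard are this script's own conventions (assumptions, not Wazuh features); everything else is the page's own commands. Two details matter for correctness: the heredoc is quoted so `$releasever` reaches yum literally, and `WAZUH_MANAGER` is placed on the same command line as `yum` so the package's post-install step actually receives it.

```shell
#!/bin/sh
# Added example (not from the original post): the Linux deployment steps
# as one script. File-writing and validation live in functions so they
# can be checked before anything touches the package manager.
# Assumptions: REPO_FILE override and WAZUH_DEPLOY=1 guard are ours.
set -eu

WAZUH_MANAGER="${WAZUH_MANAGER:-10.0.0.2}"          # manager IP or hostname
REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/wazuh.repo}"

# Accept only characters valid in an IPv4 address or hostname, so a
# malformed value is caught before it lands in the agent configuration.
validate_manager() {
    case "$1" in
        "" ) return 1 ;;
        *[!A-Za-z0-9.-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Write the repository definition. The heredoc delimiter is quoted so the
# shell does not expand $releasever (which would leave "name=EL- - Wazuh").
write_wazuh_repo() {
    cat > "$1" << 'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
}

# The "disable updates" step: flip enabled=1 to enabled=0 and print the
# resulting value so the caller can confirm the edit took effect.
disable_repo_updates() {
    sed -i "s/^enabled=1/enabled=0/" "$1"
    sed -n 's/^enabled=//p' "$1"
}

deploy_agent() {
    validate_manager "$WAZUH_MANAGER" || {
        echo "invalid WAZUH_MANAGER: '$WAZUH_MANAGER'" >&2; return 1; }
    rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    write_wazuh_repo "$REPO_FILE"
    # The variable must be on the same command line (or exported): a bare
    # assignment on a separate line never reaches yum's post-install script.
    WAZUH_MANAGER="$WAZUH_MANAGER" yum install -y wazuh-agent
    systemctl daemon-reload
    systemctl enable wazuh-agent
    systemctl start wazuh-agent
}

# Only modify the system when explicitly asked, so the file can also be
# sourced to exercise the helper functions without root.
if [ "${WAZUH_DEPLOY:-0}" = "1" ]; then
    deploy_agent
fi
```

Run it as `WAZUH_MANAGER=10.0.0.2 WAZUH_DEPLOY=1 sh deploy-wazuh-agent.sh` as root; without `WAZUH_DEPLOY=1` it only defines the functions, which is how the repository file can be generated into a scratch path and inspected first.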

Uninstall a Wazuh agent

To uninstall the agent, select your package manager and run the following command.

yum remove wazuh-agent

Some files are marked as configuration files. Because of this designation, the package manager does not remove them from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.

Checking connection with Manager

Before you check the agent’s connection with the manager, first ensure the agent is pointing to the manager’s IP address. This is set in ossec.conf using the <client> XML tag. For more on this

<ossec_config>
  <client>
    <server>
      <address>10.0.0.10</address>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>

This sets 10.0.0.10 as the Wazuh server. Once this is done, you need to restart the agent:

systemctl restart wazuh-agent

After you register the agent and it has successfully connected, you can list the agents connected to the manager with:

/var/ossec/bin/agent_control -lc

You can also check whether an agent connected correctly by verifying that the TCP connection to the manager is established:

netstat -vatunp|grep wazuh-agentd

Alternatively, verify that the agent reports a connected status:

grep ^status /var/ossec/var/run/wazuh-agentd.state

The result should match the agent and manager IP addresses.
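The three checks above (the address in ossec.conf, the status line in wazuh-agentd.state, and the established TCP session from netstat) combined into one script that flags when they disagree. This is an added example, not code from the original post or from Wazuh. The sample ossec.conf, state file and netstat line it embeds are constructed for the demonstration, and the `OSSEC_CONF`, `AGENTD_STATE` and `WAZUH_CHECK_LIVE` variables are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the running agent is
# connected to the manager it was configured for. Paths default to the
# real Wazuh locations; the overrides and the sample data are ours.
set -eu

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
AGENTD_STATE="${AGENTD_STATE:-/var/ossec/var/run/wazuh-agentd.state}"

# First <address> element in ossec.conf (the <client><server> block).
configured_manager() {
    sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# Value of the status= line in wazuh-agentd.state, surrounding quotes removed.
agent_status() {
    grep '^status=' "$1" | head -n 1 | sed "s/^status=//; s/^'//; s/'\$//"
}

# Peer IP of the ESTABLISHED session owned by wazuh-agentd, taken from
# `netstat -vatunp` output on stdin (column 5 is the foreign address).
manager_from_netstat() {
    awk '/ESTABLISHED/ && /wazuh-agentd/ { split($5, a, ":"); print a[1]; exit }'
}

# Cross-check all three views; non-zero exit on any disagreement.
check_agent_connection() {
    conf_addr=$(configured_manager "$1")
    status=$(agent_status "$2")
    peer=$(printf '%s\n' "$3" | manager_from_netstat)
    [ "$status" = "connected" ] || {
        echo "agent status is '$status', not connected" >&2; return 1; }
    [ -n "$peer" ] || {
        echo "no established TCP session for wazuh-agentd" >&2; return 1; }
    [ "$peer" = "$conf_addr" ] || {
        echo "connected to $peer but ossec.conf says $conf_addr" >&2; return 1; }
    echo "agent connected to configured manager $conf_addr"
}

# Constructed sample inputs (not captured from a real host) so the checks
# can be exercised offline; prints the directory they were written to.
write_sample_inputs() {
    dir=$(mktemp -d)
    cat > "$dir/ossec.conf" << 'EOF'
<ossec_config>
  <client>
    <server>
      <address>10.0.0.10</address>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
    printf "status='connected'\nlast_ack='2024-01-01 00:00:00'\n" > "$dir/wazuh-agentd.state"
    echo "$dir"
}
# Constructed netstat line: agent 10.0.0.20 talking to manager port 1514.
SAMPLE_NETSTAT="tcp        0      0 10.0.0.20:51234        10.0.0.10:1514         ESTABLISHED 1234/wazuh-agentd"

if [ "${WAZUH_CHECK_LIVE:-0}" = "1" ]; then
    check_agent_connection "$OSSEC_CONF" "$AGENTD_STATE" "$(netstat -vatunp 2>/dev/null)"
else
    sample=$(write_sample_inputs)
    check_agent_connection "$sample/ossec.conf" "$sample/wazuh-agentd.state" "$SAMPLE_NETSTAT"
    rm -rf "$sample"
fi
```

On a real agent run it as root with `WAZUH_CHECK_LIVE=1`; without that variable it runs against the embedded sample and prints the success line, which is a quick way to confirm the parsing before relying on it in a health check.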
