macOS from package¶
The package for macOS is suitable for macOS Sierra or greater. The macOS agent can be downloaded from packages list. You can install it by using the command line or following the GUI steps:
Using the command line, you can choose installation or deployment:
Installation:# installer -pkg wazuh-agent-3.10.2-1.pkg -target /
You can automate the agent registration and configuration using variables. It is necessary to define at least the variable
WAZUH_MANAGER. The agent will use this value to register and it will be the assigned manager for forwarding events.# launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-3.10.2-1.pkg -target /
See the following document for additional automated deployment options deployment variables.
By default, all agent files can be found at the following location:
Now that the agent is installed, if you didn’t use the deployment method, you will now have to register and configure the agent to communicate with the manager. For more information about this process, please visit user manual.
To uninstall the agent in macOS:
Stop the Wazuh agent service
# /Library/Ossec/bin/ossec-control stop
# /bin/rm -r /Library/Ossec # /bin/rm /etc/ossec-init.conf
Stop and unload dispatcher
# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist # /bin/rm -rf /Library/StartupItems/WAZUH
Remove User and Groups
# /usr/bin/dscl . -delete "/Users/ossec" # /usr/bin/dscl . -delete "/Groups/ossec"
# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent