Install Wazuh agent on Windows
Note
You will need administrator privileges to perform this installation.
The first step to installing the Wazuh agent on a Windows machine is to download the Windows installer from the packages list. Once this is downloaded, the Windows agent can be installed in one of two ways:
Using the GUI
To install the Windows agent from the GUI, run the downloaded file and follow the steps in the installation wizard. If you are not sure how to respond to some of the prompts, simply use the default answers.
Once installed, the agent uses a graphical user interface for configuration, opening the log file or starting and stopping the service.
By default, all agent files will be found in: C:\Program Files(x86)\ossec-agent
.
Note
Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, please visit the user manual.
Using the command line
Note
Unattended installations must be run with administrator permissions.
To install the Windows agent from the command line, run the installer using the following command (the /q
argument is used for unattended installations):
wazuh-agent-3.7.2-1.msi /q
To uninstall the agent, the original MSI file will be needed to perform the unattended process:
msiexec.exe /x wazuh-agent-3.7.2-1.msi /qn
You can automate the agent registration with authd using the following parameters:
Option |
Description |
---|---|
APPLICATIONFOLDER |
Sets the installation path. Default C:\Program Files (x86)\ossec-agent\. |
ADDRESS |
Specifies the managers IP address or hostname. This option also accepts a list of IPs or hostnames separated by semicolons. |
SERVER_PORT |
Specifies the managers connection port. |
PROTOCOL |
Sets the communication protocol between the manager and the agent. Accepts UDP and TCP. Default is UDP. |
AUTHD_SERVER |
Specifies the Authd IP address. |
AUTHD_PORT |
Specifies the Authd connection port. |
PASSWORD |
Sets the Authd password. |
NOTIFY_TIME |
Sets the time between manager checks. |
TIME_RECONNECT |
Sets the time in seconds until a reconnection attempt. |
CERTIFICATE |
Specifies the certificate of authority path. |
PEM |
Specifies the certificate path. |
KEY |
Specifies the key path. |
AGENT_NAME |
Designates the agent's name. By default will be the computer name. |
GROUP |
Assigns the specified group to the agent. |
/l installer.log |
Generates a log of the installation process. |
/l*v installer.log |
Generates a log of the installation process, including verbose messages. |
Below there are some examples to install and register a Windows agent.
Registration with password:
wazuh-agent-3.7.2-1.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" PASSWORD="TopSecret" AGENT_NAME="W2012"
Registration with password and assigning a group:
wazuh-agent-3.7.2-1.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" PASSWORD="TopSecret" GROUP="my-group"
Registration with relative path to CA. It will be searched at your APPLICATIONFOLDER folder:
wazuh-agent-3.7.2-1.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" AGENT_NAME="W2019" CERTIFICATE="rootCA.pem"
Absolute paths to CA, certificate or key that contain spaces can be written as shown below:
wazuh-agent-3.7.2-1.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" KEY="C:\Progra~2\sslagent.key" PEM="C:\Progra~2\sslagent.cert"
The number "2" means that the file will be searched at the second occurrence of the "Progra" word, thus, the key and certificate would be searched at the folder "C:\Program Files (x86)". In case this number was "1", it would be searched at "Program Files".
Note
To verify agents via SSL, it's necessary to use both KEY and PEM options. See the verify hosts with SSL section.
Registration with protocol:
wazuh-agent-3.7.2-1.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" AGENT_NAME="W2016" PROTOCOL="TCP"
Warning
In Windows versions older than Windows Server 2008 or Windows 7, it's necessary to run the ossec-authd
program on the Wazuh manager with the -a
flag or set the <ssl_auto_negotiate>
option to yes
on the auth configuration to avoid compatibility errors.