macOS from package

The macOS agent can be downloaded from packages list. You can install it by using the command line or following the GUI steps:

  1. Using the command line, you can choose installation or deployment:

  • Installation:

    # installer -pkg wazuh-agent-3.9.5-1.pkg -target /
    
  • Deployment:

    You can automate the agent registration and configuration using variables. It is necessary to define at least the variable WAZUH_MANAGER_IP. The agent will use this value to register and it will be the assigned manager for forwarding events.

    # launchctl setenv WAZUH_MANAGER_IP "10.0.0.2" && installer -pkg wazuh-agent-3.9.5-1.pkg -target /
    

    See the following document for additional automated deployment options deployment variables.

  1. Using the GUI:

    Using the GUI you can perform a simple installation, without register and configure the agent. Double click on the downloaded file and follow the wizard. If you are not sure how to respond to some of the prompts, simply use the default answers.

By default, all agent files can be found at the following location: /Library/Ossec/.

Now that the agent is installed, if you didn't use the deployment method, you will now have to register and configure the agent to communicate with the manager. For more information about this process, please visit user manual.

Uninstall

To uninstall the agent in macOS:

  1. Stop the Wazuh agent service

    # /Library/Ossec/bin/ossec-control stop
    
  2. Remove the /Library/Ossec/ folder and ossec-init.conf file

# /bin/rm -r /Library/Ossec
# /bin/rm /etc/ossec-init.conf
  1. Stop and unload dispatcher

# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
  1. Remove launchdaemons and StartupItems

# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
# /bin/rm -rf /Library/StartupItems/WAZUH
  1. Remove User and Groups

# /usr/bin/dscl . -delete "/Users/ossec"
# /usr/bin/dscl . -delete "/Groups/ossec"
  1. Remove from pkgutil

# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent-etc