Installing Wazuh agent from sources

Note

All the commands described below need to be executed with root user privileges. Since Wazuh 3.5, an internet connection is required to follow this process.

  1. Install development tools and compilers. In Linux this can easily be done using your distribution's package manager:

# yum install make gcc policycoreutils-python automake autoconf libtool
# apt-get install python gcc make libc6-dev curl policycoreutils automake autoconf libtool
# zypper install make gcc policycoreutils-python automake autoconf libtool

Note

On SUSE 11, some of the tools may not be available from the package manager. In that case, you can add the following official repository:

# zypper addrepo http://download.opensuse.org/distribution/11.4/repo/oss/ oss

  2. Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v4.0.4.tar.gz | tar zx

  3. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

# cd wazuh-*
# ./install.sh

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# cd wazuh-*
# make -C src clean
# make -C src clean-deps

Note

During the installation, you can choose the installation path. Run ./install.sh, select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path might be /opt. When you choose a path other than the default and the directory already exists, the installer asks whether to delete the directory or to install Wazuh inside it. You can also run an unattended installation.

  4. The script will ask about what kind of installation you want. Type agent in order to install a Wazuh agent:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, see the user manual.
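
The download step above unpacks the archive straight from the network, and the result is then built and installed as root. As an added example (not part of the Wazuh documentation), the functions below check a saved archive against a SHA-256 digest and reject unsafe member paths before extracting; the function names are hypothetical, and the expected digest is an assumption that has to come from a source you trust.

```sh
#!/bin/sh
# Added example: verify-then-extract alternative to `curl ... | tar zx`.
# Function names are hypothetical; the expected digest is a placeholder.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Returns 0 only when the digest matches and no member escapes DESTDIR.
verify_and_extract() {
    archive=$1 expected=$2 dest=$3
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    actual=$(sha256_of "$archive") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch: got $actual" >&2
        return 2
    fi
    # Reject absolute paths and ".." components before unpacking as root.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains unsafe member paths" >&2
        return 3
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Usage (not executed here):
#   curl -fsSL -o wazuh-4.0.4.tar.gz https://github.com/wazuh/wazuh/archive/v4.0.4.tar.gz
#   verify_and_extract wazuh-4.0.4.tar.gz "<SHA256-FROM-TRUSTED-SOURCE>" .
```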

Uninstall

To uninstall Wazuh agent:

# OSSEC_INIT="/etc/ossec-init.conf"
# . $OSSEC_INIT 2> /dev/null

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $DIRECTORY/bin/ossec-control stop 2> /dev/null

Remove files and service artifacts:

# rm -rf $DIRECTORY $OSSEC_INIT

Delete the service:

For SysV Init:

# [ -f /etc/rc.local ] && sed -i'' '/ossec-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh" | xargs rm -f

For Systemd:

# find /etc/systemd/system -name "wazuh*" | xargs rm -f
# systemctl daemon-reload

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null
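
The uninstall steps above source /etc/ossec-init.conf as root and pass the resulting $DIRECTORY to rm -rf. As an added example (not part of the Wazuh documentation), the helper below reads the value without executing the file and refuses to continue unless it points at a Wazuh tree; wazuh_install_dir is a hypothetical name, and the file is assumed to contain a line of the form DIRECTORY="/path".

```sh
#!/bin/sh
# Added example: resolve and validate the install directory before deleting it.
# Assumes the init file holds a line of the form DIRECTORY="/path".

# wazuh_install_dir INIT_FILE -> prints the validated directory
# Exit codes: 1 file problem, 2 unsafe value, 3 not a Wazuh tree.
wazuh_install_dir() {
    init=$1
    [ -f "$init" ] && [ ! -L "$init" ] || {
        echo "not a regular file: $init" >&2; return 1; }
    # Read only the DIRECTORY assignment instead of sourcing the file.
    dir=$(sed -n 's/^DIRECTORY="\(.*\)"$/\1/p' "$init" | head -n 1)
    case $dir in
        ''|/) echo "refusing empty or root DIRECTORY" >&2; return 2 ;;
        /*)   ;;
        *)    echo "DIRECTORY is not absolute: $dir" >&2; return 2 ;;
    esac
    case $dir in
        *//*|*/..|*/../*|*/.|*/./*)
            echo "DIRECTORY is not a normalised path: $dir" >&2; return 2 ;;
    esac
    # The tree must look like a Wazuh install before anything is removed.
    [ -x "$dir/bin/ossec-control" ] || {
        echo "no ossec-control under $dir" >&2; return 3; }
    printf '%s\n' "$dir"
}

# Usage mirroring the steps above (not executed here):
#   DIRECTORY=$(wazuh_install_dir /etc/ossec-init.conf) || exit 1
#   "$DIRECTORY/bin/ossec-control" stop
#   rm -rf -- "$DIRECTORY" /etc/ossec-init.conf
```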

Note

The following procedure has been tested on Ubuntu 16.04 and other Debian-based distributions, and may work with other Debian/Ubuntu versions as well.

  1. Set up the Ubuntu build environment. Install these dependencies to build the Windows Wazuh agent installer on Ubuntu:

# apt-get install gcc-mingw-w64
# apt-get install nsis
# apt-get install make

  2. Set up the Windows build environment. To generate the installer, the following dependencies must be in place on the Windows machine:

  • WiX Toolset.

  • .NET framework 3.5.1.

  • Microsoft Windows SDK.

  3. Download the Wazuh source code and unzip it:

# curl -Ls https://github.com/wazuh/wazuh/archive/v4.0.4.tar.gz | tar zx
# cd wazuh-4.0.4/src

  4. Compile the agent by running the make command:

# make deps
# make TARGET=winagent

The following output will appear at the end of the building process:

Done building winagent

  5. Move the entire repository to the Windows machine. It is recommended to compress it to speed up the process.

# zip -r wazuh.zip ../../wazuh-4.0.4

  6. Decompress the repository on the Windows machine and run the wazuh-installer-build-msi.bat script from the win32 folder.

cd wazuh-4.0.4\src\win32
.\wazuh-installer-build-msi.bat

If you do not want to sign the installer, comment out or delete the signtool line in the previous script.

:: signtool sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /d "%MSI_NAME%" /td SHA256 "%MSI_NAME%"

Note

Once the agent is deployed with a normal or unattended installation, the next step is to register and configure it to communicate with the manager. For more information about this process, see the user manual.

Uninstall

To uninstall the agent, the original MSI file will be needed to perform the unattended process:

msiexec.exe /x wazuh-agent-4.0.4-1.msi /qn

  1. Install development tools and compilers. In macOS, this can be easily done by installing brew, a package manager for macOS:

$ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

  2. Download and extract the latest version:

$ curl -Ls https://github.com/wazuh/wazuh/archive/v4.0.4.tar.gz | tar zx

Note

All the commands described below need to be executed with root user privileges.

  3. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

# cd wazuh-*
# USER_DIR="/Library/Ossec" ./install.sh

Note

The USER_DIR variable sets the agent installation path to /Library/Ossec.

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# cd wazuh-*
# make -C src clean
# make -C src clean-deps

Note

During the installation, you can choose the installation path. Run ./install.sh, select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path might be /opt. When you choose a path other than the default and the directory already exists, the installer asks whether to delete the directory or to install Wazuh inside it. You can also run an unattended installation.

Note

Since Wazuh 3.5, an internet connection is required to follow this step.

  4. The script will ask about what kind of installation you want. Type agent in order to install a Wazuh agent:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, see the user manual.

Uninstall

To uninstall Wazuh agent:

# OSSEC_INIT="/etc/ossec-init.conf"
# . $OSSEC_INIT 2> /dev/null

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $DIRECTORY/bin/ossec-control stop 2> /dev/null

Remove files and service artifacts:

# rm -rf $DIRECTORY $OSSEC_INIT

Delete the service:

# rm -rf /Library/StartupItems/OSSEC

Remove users:

# dscl . -delete "/Users/ossec" > /dev/null 2>&1
# dscl . -delete "/Users/ossecm" > /dev/null 2>&1
# dscl . -delete "/Users/ossecr" > /dev/null 2>&1
# dscl . -delete "/Groups/ossec" > /dev/null 2>&1

Note

All the commands described below need to be executed with root user privileges. Since Wazuh 3.5, an internet connection is required to follow this process.

  1. Install development tools and compilers.

1.1 Download the wget tool.

# rpm -Uvh --nodeps http://www.oss4aix.org/download/RPMS/wget/wget-1.19.2-1.aix5.1.ppc.rpm

1.2 Download the following script:

# wget https://raw.githubusercontent.com/wazuh/wazuh-packages/master/aix/generate_wazuh_packages.sh --no-check-certificate

Note

If you can't download the script this way, then you should copy it through the scp utility.

1.3 Install the necessary dependencies using the script.

# chmod +x generate_wazuh_packages.sh
# ./generate_wazuh_packages.sh -e

Note

This step may take a few minutes.

  2. Download the latest version.

# wget -O wazuh.tar.gz --no-check-certificate https://api.github.com/repos/wazuh/wazuh/tarball/v4.0.4 && gunzip -c wazuh.tar.gz | tar -xvf -

Note

If you can't download the repository this way, then you should copy it through the scp utility.

  3. Compile the sources.

# cd wazuh-*
# gmake -C src deps RESOURCES_URL=https://packages.wazuh.com/deps/4.0
# gmake -C src TARGET=agent USE_SELINUX=no PREFIX=/var/ossec DISABLE_SHARED=yes DISABLE_SYSC=yes

  4. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

# DISABLE_SHARED="yes" DISABLE_SYSC="yes" ./install.sh

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# gmake -C src clean-deps
# gmake -C src clean

Note

During the installation, you can choose the installation path. Run ./install.sh, select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path might be /opt. When you choose a path other than the default and the directory already exists, the installer asks whether to delete the directory or to install Wazuh inside it. You can also run an unattended installation.

  5. Finally, apply the following configuration:

# sed '/System inventory/,/^$/{/^$/!d;}' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp
# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf

Note

The commands above assume the default installation path /var/ossec. If you have installed the agent in another path, you will have to modify the path in those commands.

Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, see the user manual.

Uninstall

To uninstall Wazuh agent:

# OSSEC_INIT="/etc/ossec-init.conf"
# . $OSSEC_INIT 2> /dev/null

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $DIRECTORY/bin/ossec-control stop 2> /dev/null

Remove files and service artifacts:

# rm -rf $DIRECTORY $OSSEC_INIT

Delete the service:

# find /etc/rc.d -name "*wazuh" | xargs rm -f

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null

Note

All the commands described below need to be executed with root user privileges. Since Wazuh 3.5, an internet connection is required to follow this process.

  1. Install development tools and compilers.

1.1 Download the depothelper-2.10-hppa_32-11.31.depot file.

# /usr/local/bin/wget https://github.com/wazuh/wazuh-packages/raw/master/hp-ux/depothelper-2.10-hppa_32-11.31.depot --no-check-certificate

Note

If you can't download the script this way, then you should copy it through the scp utility.

1.2 Install the package manager.

# swinstall -s depothelper-2.10-hppa_32-11.31.depot \*

1.3 Download the wget tool (if it is not installed).

# /usr/local/bin/depothelper -f wget

1.4 Download the following script:

# /usr/local/bin/wget https://raw.githubusercontent.com/wazuh/wazuh-packages/master/hp-ux/generate_wazuh_packages.sh --no-check-certificate

Note

If you can't download the script this way, then you should copy it through the scp utility.

1.5 Install the necessary dependencies using the script.

# chmod +x generate_wazuh_packages.sh
# ./generate_wazuh_packages.sh -e

Note

This step may take a long time.

  2. Download the latest version.

# /usr/local/bin/curl -k -L -O https://github.com/wazuh/wazuh/archive/v4.0.4.zip && /usr/local/bin/unzip v4.0.4

Note

If you can't download the repository this way, then you should copy it through the scp utility.

  3. Compile the sources.

# cd wazuh-*
# /usr/local/bin/gmake -C src deps RESOURCES_URL=https://packages.wazuh.com/deps/4.0/
# /usr/local/bin/gmake -C src TARGET=agent USE_SELINUX=no DISABLE_SHARED=yes

  4. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

# DISABLE_SHARED=yes ./install.sh

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# /usr/local/bin/gmake -C src clean-deps
# /usr/local/bin/gmake -C src clean

Note

During the installation, you can choose the installation path. Run ./install.sh, select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path might be /opt. When you choose a path other than the default and the directory already exists, the installer asks whether to delete the directory or to install Wazuh inside it. You can also run an unattended installation.

Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, see the user manual.

Uninstall

To uninstall Wazuh agent:

# OSSEC_INIT="/etc/ossec-init.conf"
# . $OSSEC_INIT 2> /dev/null

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $DIRECTORY/bin/ossec-control stop 2> /dev/null

Remove files and service artifacts:

# rm -rf $DIRECTORY $OSSEC_INIT

Delete the service:

# find /sbin/{init.d,rc*.d} -name "*wazuh" | xargs rm -f

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null

This section describes how to download and build the Wazuh HIDS Solaris agent from sources for the following versions:

  • For Solaris i386

  • For Solaris SPARC

Note

All the commands described below need to be executed with root user privileges. Since Wazuh 3.5, an internet connection is required to follow this process.

  1. Install development tools and compilers.

1.1 Install pkgutil and update it.

# pkgadd -d http://get.opencsw.org/now
# /opt/csw/bin/pkgutil -y -U

1.2 Install Python 2.7:

# /opt/csw/bin/pkgutil -y -i python27
# ln -sf /opt/csw/bin/python2.7 /usr/bin/python

1.3 Install the following tools:

# /opt/csw/bin/pkgutil -y -i git gmake gcc5core

  2. Download the latest version.

# git clone -b v4.0.4 https://github.com/wazuh/wazuh.git

Note

If you can't download the file due to an OpenSSL error, then you should copy the directory with the scp utility.

  3. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

# cd wazuh*
# ./install.sh

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# gmake -C src clean
# gmake -C src clean-deps

Note

During the installation, you can choose the installation path. Run ./install.sh, select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path might be /opt. When you choose a path other than the default and the directory already exists, the installer asks whether to delete the directory or to install Wazuh inside it. You can also run an unattended installation.

Note

Since Wazuh 3.5, an internet connection is required to follow this process.

  4. The script will ask about what kind of installation you want. Type agent in order to install a Wazuh agent:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, see the user manual.

Uninstall

To uninstall Wazuh agent:

# OSSEC_INIT="/etc/ossec-init.conf"
# . $OSSEC_INIT 2> /dev/null

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $DIRECTORY/bin/ossec-control stop 2> /dev/null

Remove files and service artifacts:

# rm -rf $DIRECTORY $OSSEC_INIT

Delete the service:

# find /sbin/{init.d,rc*.d} -name "*wazuh" | xargs rm -f

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null

Note

All the commands described below need to be executed with root user privileges. Since Wazuh 3.5, an internet connection is required to follow this process.

  1. Install development tools and compilers.

1.1 Install pkgutil.

# pkgadd -d http://get.opencsw.org/now

1.2 Install the following tools:

# /opt/csw/bin/pkgutil -y -i git automake gmake autoconf libtool wget curl gcc5core

  2. Download the latest version and a necessary file.

# git clone -b v4.0.4 https://github.com/wazuh/wazuh.git
# wget -P wazuh https://raw.githubusercontent.com/wazuh/wazuh-packages/master/solaris/solaris10/solaris10_patch.sh

  3. Create a user and a group called ossec, which are needed for the installation.

# groupadd ossec
# useradd -g ossec ossec

  4. Run the following commands to update the Makefile:

# mv wazuh/src/Makefile wazuh/src/Makefile.tmp
# sed -n '/OSSEC_LDFLAGS+=-z relax=secadj/!p' wazuh/src/Makefile.tmp > wazuh/src/Makefile

  5. Compile the source files.

  • For Solaris 10 i386:

# cd wazuh/src
# gmake clean
# gmake deps
# gmake -j 4 TARGET=agent PREFIX=/var/ossec USE_SELINUX=no DISABLE_SHARED=yes

  • For Solaris 10 SPARC:

# cd wazuh/src
# gmake clean
# gmake deps
# gmake -j 4 TARGET=agent PREFIX=/var/ossec USE_SELINUX=no USE_BIG_ENDIAN=yes DISABLE_SHARED=yes

  6. Run the solaris10_patch.sh script that was downloaded previously.

# cd ../
# chmod +x solaris10_patch.sh
# ./solaris10_patch.sh

  7. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

# ./install.sh

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# gmake -C src clean
# gmake -C src clean-deps

Note

During the installation, you can choose the installation path. Run ./install.sh, select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path might be /opt. When you choose a path other than the default and the directory already exists, the installer asks whether to delete the directory or to install Wazuh inside it. You can also run an unattended installation.

  8. The script will ask about what kind of installation you want. Type agent in order to install a Wazuh agent:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, see the user manual.

Uninstall

To uninstall Wazuh agent:

# OSSEC_INIT="/etc/ossec-init.conf"
# . $OSSEC_INIT 2> /dev/null

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $DIRECTORY/bin/ossec-control stop 2> /dev/null

Remove files and service artifacts:

# rm -rf $DIRECTORY $OSSEC_INIT

Delete the service:

# find /sbin/{init.d,rc*.d} -name "*wazuh" | xargs rm -f

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null