Linux
This document will guide you through installing or deploying the Wazuh agent.
Note
To execute the commands described below, root privileges are required.
Adding the Wazuh repository
Yum:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
APT:
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the repository:
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
ZYpp:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Installing Wazuh agent
Install the Wazuh agent on your terminal. You can choose between installation and deployment:
Installation:
# yum install wazuh-agent-4.0.4-1
# apt-get install wazuh-agent=4.0.4-1
# zypper install wazuh-agent-4.0.4-1
Once the agent is installed, the next step is to register it and configure it to communicate with the manager. For more information on this process, visit the user manual section.
Deployment:
The registration and configuration of the agent can be automated using variables. It is necessary to define, at least, the variable WAZUH_MANAGER. The agent will use this value to register and this will be the assigned manager for forwarding events.
# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent-4.0.4-1
# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent=4.0.4-1
# WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent-4.0.4-1
See the following document for additional deployment options: deployment variables.
Enable the service
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent
SysV Init:
Choose one option according to the OS used:
RPM based OS:
# chkconfig --add wazuh-agent
# service wazuh-agent start
Debian based OS:
# update-rc.d wazuh-agent defaults 95 10
# service wazuh-agent start
(Optional) Disable Wazuh updates:
We recommend that the version of the Wazuh manager be greater than or equal to that of the Wazuh agents. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following command:
Yum:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
APT:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update
Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).
# echo "wazuh-agent hold" | dpkg --set-selections
ZYpp:
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
Visit our packages list section to download the Wazuh agent package directly or to check the compatible versions.
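The script below is an added example, not part of the Wazuh documentation: it audits a Yum or ZYpp repository file for the settings used on this page (gpgcheck=1, gpgkey and baseurl served over HTTPS from packages.wazuh.com) and reports whether the repository has been disabled as described above. The function names repo_value and audit_wazuh_repo and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation.
# Handles plain key=value lines with no spaces around "=".

# repo_value FILE KEY: print KEY's value from the [wazuh] section of FILE.
repo_value() {
    awk -F= -v key="$2" '
        /^\[/ { in_sec = ($0 == "[wazuh]"); next }
        in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# audit_wazuh_repo FILE: print findings; return 0 only when signature
# checking is on and both URLs point at https://packages.wazuh.com/.
audit_wazuh_repo() {
    file=$1 rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    [ "$(repo_value "$file" gpgcheck)" = "1" ] ||
        { echo "FAIL: gpgcheck is not 1"; rc=1; }
    for key in gpgkey baseurl; do
        case "$(repo_value "$file" "$key")" in
            https://packages.wazuh.com/*) ;;
            *) echo "FAIL: $key is not an https://packages.wazuh.com/ URL"; rc=1 ;;
        esac
    done
    case "$(repo_value "$file" enabled)" in
        0) echo "INFO: repository disabled, no accidental agent upgrades" ;;
        1) echo "WARN: repository enabled, a routine update can upgrade the agent" ;;
        *) echo "WARN: enabled is not set to 0 or 1" ;;
    esac
    return $rc
}

# Constructed sample: the repository file from this page after the
# "Disable Wazuh updates" step, written to a temporary file.
sample=$(mktemp)
cat > "$sample" <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=0
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
audit_wazuh_repo "$sample" && echo "OK: $sample passes the audit"
```

To check a real host, call audit_wazuh_repo with /etc/yum.repos.d/wazuh.repo or /etc/zypp/repos.d/wazuh.repo as the argument.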
Uninstall
To uninstall the agent:
# yum remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. The complete file deletion action is the responsibility of the user and can be done by deleting the folder /var/ossec.
# apt-get remove wazuh-agent
There are certain files marked as configuration files. Due to this designation, the package manager does not remove those files from the filesystem. A complete file removal can be done using the following command:
# apt-get remove --purge wazuh-agent
# zypper remove wazuh-agent
There are files marked as configuration files. Due to this designation, the package manager does not remove those files from the filesystem. Complete file removal is the user's responsibility. It can be done by removing the folder /var/ossec.