Linux

This document will guide you to install or deploy the Wazuh agent.

Note

To execute the commands described below, root privileges are required.

Adding the Wazuh repository

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
  2. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Installing Wazuh agent

  1. Install the Wazuh agent on your terminal. You can choose between installation or deployment:

    1. Installation:

    # yum install wazuh-agent-4.0.4-1
    
    # apt-get install wazuh-agent=4.0.4-1
    
    # zypper install wazuh-agent-4.0.4-1
    

    Once the agent is installed, the next step is to register it and configure it to communicate with the manager. For more information on this process, visit the user manual section.

    1. Deployment:

    The registration and configuration of the agent can be automated using variables. It is necessary to define, at least, the variable WAZUH_MANAGER. The agent will use this value to register and this will be the assigned manager for forwarding events.

    # WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent-4.0.4-1
    
    # WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent=4.0.4-1
    
    # WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent-4.0.4-1
    

    See the following document for additional deployment options: deployment variables.

  2. Enable the service

# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent

Choose one option according to the OS used:

  1. RPM based OS:

# chkconfig --add wazuh-agent
# service wazuh-agent start
  1. Debian based OS:

# update-rc.d wazuh-agent defaults 95 10
# service wazuh-agent start

(Optional) Disable Wazuh updates:

The version of the Wazuh manager is recommended to be greater than or equal to that of the Wazuh agents. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following command:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update

Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).

# echo "wazuh-agent hold" | dpkg --set-selections
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo

Visit our packages list section to download the Wazuh agent package directly or to check the compatible versions.

Uninstall

To uninstall the agent:

# yum remove wazuh-agent

Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. The complete file deletion action is the responsibility of the user and can be done by deleting the folder /var/ossec.

# apt-get remove wazuh-agent

There are certain files marked as configuration files. Due to this designation, the package manager does not remove those files from the filesystem. A complete file removal can be done using the following command:

# apt-get remove --purge wazuh-agent
# zypper remove wazuh-agent

There are files marked as configuration files. Due to this designation, the package manager does not remove those files from the filesystem. The complete file removal action is on user’s responsibility. it can be done by removing the folder /var/ossec.