Linux¶
This document will guide you to install or deploy the Wazuh agent.
Note
All the commands described below need to be executed with root user privileges.
Adding the Wazuh repository¶
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the repository:
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Installing Wazuh agent¶
On your terminal, install the Wazuh agent. You can choose between installation or deployment:
Installation:
# yum install wazuh-agent
# apt-get install wazuh-agent
# zypper install wazuh-agent
Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, please visit the document: user manual.
Deployment:
You can automate the agent registration and configuration using variables. It is necessary to define at least the variable
WAZUH_MANAGER
. The agent will use this value to register and this will be the assigned manager for forwarding events.# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent
# WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent
See the following document for additional deployment options: deployment variables.
Enable the service
# systemctl daemon-reload # systemctl enable wazuh-agent # systemctl start wazuh-agentChoose one option according to the OS used:
RPM based OS:
# chkconfig --add wazuh-agent # service wazuh-agent start
Debian based OS:
# update-rc.d wazuh-agent defaults 95 10 # service wazuh-agent start
(Optional) Disable the Wazuh updates:
We recommend maintaining the Wazuh manager version greater or equal to the Wazuh agents’. As a result, we recommended disabling the Wazuh repository in order to prevent accidental upgrades. To do this, use the following command:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list # apt-get updateAlternatively, you can set the package state to
hold
, which will stop updates (although you can still upgrade it manually usingapt-get install
).# echo "wazuh-agent hold" | dpkg --set-selections# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
Alternatively, if you want to download the wazuh-agent package directly, or check the compatible versions, you can do it from here.
Uninstall¶
To uninstall the agent:
# yum remove wazuh-agent
There are files marked as configuration files. Due to this designation, the package manager does not remove those files from the filesystem. The complete file removal action is on user’s responsibility. it can be done by removing the folder /var/ossec
.
# apt-get remove wazuh-agent
There are certain files marked as configuration files. Due to this designation, the package manager does not remove those files from the filesystem. A complete file removal can be done using the following command:
# apt-get remove --purge wazuh-agent
# zypper remove wazuh-agent
There are files marked as configuration files. Due to this designation, the package manager does not remove those files from the filesystem. The complete file removal action is on user’s responsibility. it can be done by removing the folder /var/ossec
.