Linux

This document guides you through installing or deploying the Wazuh agent on a Linux host and enrolling it with a Wazuh manager.

Note

All the commands described below need to be executed with root user privileges.

Adding the Wazuh repository

Choose the steps for your package manager: yum (RPM based OS), apt (Debian based OS) or zypper (SUSE based OS). All three repository definitions enable signature checking against the Wazuh GPG key, so the key import in step 1 is what ties the packages you install to the vendor's signing key.

RPM based OS:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository. The heredoc delimiter is quoted so that $releasever is written to the file literally and expanded by yum rather than by the shell:

    # cat > /etc/yum.repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
Debian based OS:

  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
    Note that apt-key is deprecated on Debian 11, Ubuntu 22.04 and later, and a key added with it is trusted for every configured repository, not only Wazuh's. On those releases, store the key in its own keyring under /usr/share/keyrings and reference it from the repository entry with a signed-by option.

  2. Add the repository (tee -a appends, so run this once to avoid duplicate entries):

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
SUSE based OS:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Installing Wazuh agent

  1. On your terminal, install the Wazuh agent. You can choose between installation (register the agent afterwards) and deployment (register it automatically during the installation):

    1. Installation:

    RPM based OS:

    # yum install wazuh-agent
    
    Debian based OS:

    # apt-get install wazuh-agent
    
    SUSE based OS:

    # zypper install wazuh-agent
    

    Now that the agent is installed, the next step is to register it and configure it to communicate with the manager. For more information about this process, please visit the document: user manual.

    2. Deployment:

    You can automate the agent registration and configuration using environment variables that the package reads during installation. It is necessary to define at least the variable WAZUH_MANAGER. The agent will use this value to register, and this will be the assigned manager for forwarding events.

    RPM based OS:

    # WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
    
    Debian based OS:

    # WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent
    
    SUSE based OS:

    # WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent
    

    See the following document for additional deployment options: deployment variables.

  2. Enable and start the service.

    On systems using systemd:

    # systemctl daemon-reload
    # systemctl enable wazuh-agent
    # systemctl start wazuh-agent

    On systems using SysV init, choose one option according to the OS used:

    RPM based OS:

    # chkconfig --add wazuh-agent
    # service wazuh-agent start

    Debian based OS:

    # update-rc.d wazuh-agent defaults 95 10
    # service wazuh-agent start

(Optional) Disable the Wazuh updates:

We recommend keeping the Wazuh manager version greater than or equal to the Wazuh agents' version, so that an agent never ends up running a newer release than the manager it reports to. For that reason we recommend disabling the Wazuh repository on agent hosts to prevent accidental upgrades. To do this, use the command for your package manager:

RPM based OS:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Debian based OS:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update

Alternatively, on Debian based systems you can set the package state to hold, which stops the package from being upgraded by apt-get upgrade or unattended upgrades (although you can still upgrade it manually using apt-get install):

# echo "wazuh-agent hold" | dpkg --set-selections

SUSE based OS:

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo

Alternatively, if you want to download the wazuh-agent package directly, or check the compatible versions, you can do it from here.
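
The script below is an added example and not Wazuh's own tooling. It ties together the deployment, service start and update-hold steps of this section into one unattended run and adds the check the steps above leave out: it waits for the agent to report a manager connection in its log before declaring success, and prints the last agentd error or warning if it does not. It assumes the repository is already configured, that WAZUH_MANAGER, WAZUH_REGISTRATION_PASSWORD, WAZUH_AGENT_GROUP and WAZUH_AGENT_NAME are the deployment variables described in the deployment variables document (the values used are placeholders; passing a registration password means only hosts that know it can enroll when the manager requires one), and that the "Connected to the server" wording matches the agentd output of the installed 4.x version. The sample log lines inside the script are constructed for the offline self-check, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Wazuh's own tooling): unattended deployment, service
# start, connection check and update hold. Assumptions: repository already
# configured; WAZUH_MANAGER, WAZUH_REGISTRATION_PASSWORD, WAZUH_AGENT_GROUP and
# WAZUH_AGENT_NAME are the documented deployment variables (values below are
# placeholders); log wording is Wazuh 4.x agentd and should be checked against
# the installed version.
set -eu

OSSEC_LOG="/var/ossec/logs/ossec.log"

# Constructed sample of agentd output (not captured from a real host), used to
# exercise the log check offline: one retry warning followed by success.
sample_log() {
    printf '%s\n' \
        '2024/01/10 09:00:01 wazuh-agentd: INFO: (1410): Reading authentication keys file.' \
        "2024/01/10 09:00:02 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '10.0.0.2'." \
        '2024/01/10 09:00:05 wazuh-agentd: INFO: (4102): Connected to the server ([10.0.0.2]:1514/tcp).'
}

# 0 when the last $2 lines (default 200) of log $1 report a manager connection.
# Only the tail is inspected so a stale success from an earlier run is ignored.
agent_connected() {
    tail -n "${2:-200}" "$1" | grep -q 'Connected to the server'
}

# Most recent agentd error or warning, for a useful failure message.
last_agent_problem() {
    grep -E 'wazuh-agentd: (ERROR|WARNING)' "$1" | tail -n 1
}

# Poll log $1 until connected, or return 1 once $2 seconds have passed.
wait_for_connection() {
    elapsed=0
    until agent_connected "$1"; do
        [ "$elapsed" -lt "$2" ] || {
            echo "agent not connected: $(last_agent_problem "$1")" >&2
            return 1
        }
        sleep 2
        elapsed=$((elapsed + 2))
    done
}

# The deployment variables are read from the environment by the package's
# post-install step, so they must be exported before the package manager runs.
install_agent() {
    if command -v apt-get >/dev/null; then apt-get install -y wazuh-agent
    elif command -v zypper >/dev/null; then zypper --non-interactive install wazuh-agent
    else yum install -y wazuh-agent
    fi
}

start_agent() {
    if command -v systemctl >/dev/null; then
        systemctl daemon-reload
        systemctl enable wazuh-agent
        systemctl start wazuh-agent
    else
        if command -v chkconfig >/dev/null; then chkconfig --add wazuh-agent
        else update-rc.d wazuh-agent defaults 95 10
        fi
        service wazuh-agent start
    fi
}

# Pin the installed version so an agent upgrade never outruns the manager.
# apt-mark hold and zypper addlock are package locks; on yum the repository
# is disabled, matching the documented sed command.
hold_agent_package() {
    if command -v apt-mark >/dev/null; then apt-mark hold wazuh-agent
    elif command -v zypper >/dev/null; then zypper addlock wazuh-agent
    else sed -i 's/^enabled=1/enabled=0/' /etc/yum.repos.d/wazuh.repo
    fi
}

main() {
    export WAZUH_MANAGER="${WAZUH_MANAGER:-10.0.0.2}"
    export WAZUH_REGISTRATION_PASSWORD="${WAZUH_REGISTRATION_PASSWORD:?set the enrollment password}"
    export WAZUH_AGENT_GROUP="${WAZUH_AGENT_GROUP:-default}"
    export WAZUH_AGENT_NAME="${WAZUH_AGENT_NAME:-$(hostname)}"
    install_agent
    start_agent
    wait_for_connection "$OSSEC_LOG" 60
    hold_agent_package
}

# "--run" performs the deployment as root; with no argument the script only
# checks the log parser against the constructed sample.
if [ "${1:-}" = "--run" ]; then
    main
else
    tmp=$(mktemp); sample_log > "$tmp"
    wait_for_connection "$tmp" 0 && echo "sample log: agent connected"
    rm -f "$tmp"
fi
```

The connection check is the part worth keeping even if you deploy by other means: a package install that succeeds says nothing about whether the agent enrolled, and an agent that sits on "Waiting for server reply" reports no events while looking healthy to the package manager.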

Uninstall

To uninstall the agent, use the command for your package manager:

RPM based OS:

# yum remove wazuh-agent

SUSE based OS:

# zypper remove wazuh-agent

With yum and zypper, some files are marked as configuration files, and because of this designation the package manager does not remove them from the filesystem. Completing the removal is the user's responsibility. It can be done by removing the folder /var/ossec, which also holds the agent's enrollment key in /var/ossec/etc/client.keys and the local logs, so it should not be left behind on a decommissioned host.

Debian based OS:

# apt-get remove wazuh-agent

Here too, certain files are marked as configuration files and are not removed by the package manager. A complete file removal can be done using the following command instead:

# apt-get remove --purge wazuh-agent