macOS

The package for macOS is suitable for macOS Sierra or greater. The macOS agent can be downloaded from packages list or directly from here. You can install it using the command line or following the GUI steps:

  1. Using the command line, you can choose between installation or deployment:

  • Installation:

    # installer -pkg wazuh-agent-4.0.4-1.pkg -target /
    
  • Deployment:

    You can automate the agent registration and configuration using variables. It is necessary to define at least the variable WAZUH_MANAGER. The agent will use this value to register and this will be the assigned manager for forwarding events.

    # launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.0.4-1.pkg -target /
    

    See the following document for additional automated deployment options deployment variables.

  1. Using the GUI:

    Using the GUI you can perform a simple installation without registering and configuring the agent. Double click on the downloaded file and follow the wizard. If you are not sure how to answer some of the prompts, simply use the default answers.

By default, all agent files can be found at the following location: /Library/Ossec/.

Now that the agent is installed, if you did not use the deployment method, you will have to register and configure the agent to communicate with the manager. For more information about this process, please visit user manual.

Finally, start the Wazuh agent:

# sudo /Library/Ossec/bin/ossec-control start

Uninstall

To uninstall the agent in macOS:

  1. Stop the Wazuh agent service

    # /Library/Ossec/bin/ossec-control stop
    
  2. Remove the /Library/Ossec/ folder and ossec-init.conf file

    # /bin/rm -r /Library/Ossec
    # /bin/rm /etc/ossec-init.conf
    
  3. Stop and unload dispatcher

    # /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
    
  4. Remove launchdaemons and StartupItems

    # /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
    # /bin/rm -rf /Library/StartupItems/WAZUH
    
  5. Remove User and Groups

    # /usr/bin/dscl . -delete "/Users/ossec"
    # /usr/bin/dscl . -delete "/Groups/ossec"
    
  6. Remove from pkgutil

    # /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent