Deploying Wazuh agents on Linux systems
The agent runs on the host you want to monitor and communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.
The deployment of a Wazuh agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the Wazuh agent package directly, see the packages list section.
Note
To execute all the commands, root user privileges are required.
Add the Wazuh repository
Add the Wazuh repository to download the official packages.
Yum:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
APT:
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the repository:
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
ZYpp:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Deploy a Wazuh agent
To deploy the Wazuh agent to your system, select your package manager and edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname.
Yum:
# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent-4.1.5-1
APT:
# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent=4.1.5-1
ZYpp:
# WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent-4.1.5-1
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Registering Wazuh agents section.
Enable and start the Wazuh agent service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent
SysV init:
Choose one option according to your operating system.
RPM based operating systems:
# chkconfig --add wazuh-agent
# service wazuh-agent start
Debian based operating systems:
# update-rc.d wazuh-agent defaults 95 10
# service wazuh-agent start
The deployment process is now complete and the Wazuh agent is successfully running on your Linux system.
Recommended action - Disable Wazuh updates
Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following command:
Yum:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
APT:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update
Alternatively, you can set the package state to hold. This action stops updates but you can still upgrade it manually using apt-get install.
# echo "wazuh-agent hold" | dpkg --set-selections
ZYpp:
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
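The following is an added example, not part of the original Wazuh documentation or tooling. It checks the two conditions this section relies on: the agent version is not later than the manager version, and the Wazuh repository can no longer upgrade the agent. The function names are hypothetical, the versions and file path are supplied by the operator, and a sort that supports -V (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Wazuh tooling).
# Assumes a sort that supports -V (GNU coreutils).

# version_le A B: succeeds when version A is lower than or equal to version B.
version_le() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# repo_active FILE: succeeds when the repository definition is still active:
# an apt .list file with an uncommented "deb" line, or a yum/zypp .repo file
# with enabled=1. A missing file counts as inactive.
repo_active() {
    [ -f "$1" ] || return 1
    case "$1" in
        *.list) grep -Eq '^[[:space:]]*deb[[:space:]]' "$1" ;;
        *)      grep -Eq '^[[:space:]]*enabled[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" ;;
    esac
}

# check_agent AGENT_VERSION MANAGER_VERSION REPO_FILE: prints one status word.
#   incompatible  the agent is later than the manager
#   upgrade-risk  versions are compatible, but the repository is still active
#   ok            versions are compatible and the repository is disabled
check_agent() {
    if ! version_le "$1" "$2"; then
        echo incompatible
    elif repo_active "$3"; then
        echo upgrade-risk
    else
        echo ok
    fi
}

# Typical call on a monitored host, with versions the operator supplies:
#   check_agent 4.1.5 4.1.5 /etc/yum.repos.d/wazuh.repo
```

The check covers the repository state only. A package set to hold with dpkg while the apt repository remains active is still reported as upgrade-risk.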
Uninstall a Wazuh agent
To uninstall the agent, select your package manager and run the following command.
Yum:
# yum remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.
APT:
# apt-get remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, run the following command:
# apt-get remove --purge wazuh-agent
ZYpp:
# zypper remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.
The Wazuh agent is now completely removed from your Linux system.