Installing Wazuh agent from sources

Note

All the commands described below must be executed with root user privileges. Since Wazuh 3.5, an internet connection is required when following this process.

Note

CMake 3.12.4 is the minimum version required to build the Wazuh agent solution.

  1. Install development tools and compilers. In Linux this can easily be done using your distribution's package manager:

# yum update
# yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel
# yum update
# yum install devtoolset-7
# scl enable devtoolset-7 bash

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
# cd cmake-3.18.3 && ./bootstrap --no-system-curl
# make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
  2. Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v4.2.7.tar.gz | tar zx
  3. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

# cd wazuh-*
# ./install.sh

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# cd wazuh-*
# make -C src clean
# make -C src clean-deps

Note

During the installation, users can choose the installation path. Run ./install.sh, select the language, set the installation mode to agent, and then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path might be /opt. When you choose a path other than the default and the directory already exists, the installer asks whether to delete the directory or to install Wazuh inside it. You can also run an unattended installation.

  4. The script will ask what kind of installation you want. Type agent to install a Wazuh agent:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, see the document Wazuh agent enrollment.

Uninstall

To uninstall the Wazuh agent, set WAZUH_HOME to the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# "$WAZUH_HOME"/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf "$WAZUH_HOME"

Delete the service:

For SysV Init:

# [ -f /etc/rc.local ] && sed -i'' '/wazuh-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

For Systemd:

# find /etc/systemd/system -name "wazuh*" | xargs rm -f
# systemctl daemon-reload

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null
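
The step that removes the installation folder deletes whatever WAZUH_HOME points at, which matters when the agent was installed under a shared custom path such as /opt. The guard below is an added example, not part of the Wazuh documentation or code base; the function names are hypothetical, and it assumes an installation is recognisable by its bin/wazuh-control file and never sits directly in a top-level directory.

```sh
# Added example, not Wazuh project code. Assumption: a directory is a Wazuh
# installation only if it contains the file bin/wazuh-control.

# Succeeds only when $1 is safe to pass to `rm -rf`; prints the resolved path.
# The body runs in a subshell, so `exit` and the variables stay local to it.
wazuh_home_checked() (
    home=$1
    # Empty value: WAZUH_HOME was never set in this shell.
    [ -n "$home" ] || { echo "WAZUH_HOME is empty" >&2; exit 1; }
    # Relative paths depend on the current directory; require an absolute one.
    case $home in
        /*) ;;
        *) echo "not an absolute path: $home" >&2; exit 1 ;;
    esac
    [ -d "$home" ] || { echo "not a directory: $home" >&2; exit 1; }
    # Resolve symlinks and ".." so that /var/ossec/.. is judged as /var.
    resolved=$(cd "$home" && pwd -P) || exit 1
    # Refuse / and top-level directories such as /opt or /var.
    case $resolved in
        /*/*) ;;
        *) echo "refusing top-level directory: $resolved" >&2; exit 1 ;;
    esac
    # Require the control script that the uninstall steps rely on.
    [ -f "$resolved/bin/wazuh-control" ] || {
        echo "no bin/wazuh-control under $resolved" >&2; exit 1; }
    printf '%s\n' "$resolved"
)

# Removes the installation directory only after the checks above pass.
remove_wazuh_home() {
    target=$(wazuh_home_checked "$1") || return 1
    rm -rf -- "$target"
}

# Usage, in place of the plain rm step: remove_wazuh_home "$WAZUH_HOME"
```

Run the guard after stopping the service and the daemon, since it deletes the bin/wazuh-control script that the stop command needs.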