Installing the Wazuh agent from sources

The Wazuh agent is a single and lightweight monitoring software. It is a multi-platform component that provides visibility into the endpoint’s security by collecting critical system and application records. The following section explains how to install it from sources.

Note

You need root user privileges to run all the commands described below. Since Wazuh 3.5, it is necessary to have an Internet connection when following this process.

Note

CMake 3.12.4 is the minimal library version required to build the Wazuh agent solution.

  1. Install development tools and compilers. In Linux, this can easily be done using your distribution’s package manager:

    # yum update -y
    # yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel wget bzip2 -y
    # curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /bin/g++ /usr/bin/c++ && ln -fs /bin/gcc /usr/bin/cc && cd .. && rm -rf gcc-*
    

    CMake 3.18 installation

    # curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
    # cd cmake-3.18.3 && ./bootstrap --no-system-curl
    # make -j$(nproc) && make install
    # cd .. && rm -rf cmake-*
    
  2. Download and extract the latest version:

    # curl -Ls https://github.com/wazuh/wazuh/archive/v4.7.3.tar.gz | tar zx
    
  3. Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:

    # cd wazuh-4.7.3
    # ./install.sh
    

    If you have previously compiled for another platform, you must clean the build using the Makefile in src:

    # cd wazuh-4.7.3
    # make -C src clean
    # make -C src clean-deps
    

    Note

    During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it. You can also run an unattended installation.

  4. The script will ask about what kind of installation you want. Type agent in order to install a Wazuh agent:

    1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent
    

Next steps

Now that the agent is installed, the next step is to enroll the agent with the Wazuh server. For more information about this process, please check the Wazuh agent enrollment section.

Uninstall

To uninstall the Wazuh agent, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

# [ -f /etc/rc.local ] && sed -i'' '/wazuh-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

Remove Wazuh user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null