Deploying Wazuh agents on Linux endpoints

The agent runs on the host you want to monitor and communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel.

The deployment of a Wazuh agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the Wazuh agent package directly, see the packages list section.

Note

You need root user privileges to run all the commands described below.

Add the Wazuh repository

Add the Wazuh repository to download the official packages. Follow the steps for your package manager: Yum, APT, Zypper, or APK.

  Yum:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-\$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  APT:

  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
    
  2. Add the repository:

    # echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    

  Note

  For Debian 7, 8, and Ubuntu 14 systems, import the GPG key and add the Wazuh repository (steps 1 and 2) using the following commands instead:

    # apt-get install gnupg apt-transport-https
    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list


  Zypper:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  3. Refresh the repository:

    # zypper refresh
    
  APK (Alpine Linux):

  1. Import the RSA key:

    # wget -O /etc/apk/keys/alpine-devel@wazuh.com-633d7457.rsa.pub https://packages.wazuh.com/key/alpine-devel%40wazuh.com-633d7457.rsa.pub
    
  2. Add the repository:

    # echo "https://packages.wazuh.com/4.x/alpine/v3.12/main" >> /etc/apk/repositories
    
  3. Update the metadata information:

    # apk update
    

Deploy a Wazuh agent

  1. To deploy the Wazuh agent on your endpoint, select your package manager and edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname.

    Yum:

    # WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent

    APT:

    # WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent

    Zypper:

    # WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent

    For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.

    Note

    Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.

    APK (Alpine Linux):

    1. Install the Wazuh agent:

      # apk add wazuh-agent

    2. Edit the agent configuration to add the address of your Wazuh manager:

      # export WAZUH_MANAGER="10.0.0.2" && sed -i "s|MANAGER_IP|$WAZUH_MANAGER|g" /var/ossec/etc/ossec.conf

      For more customization options, like agent name or group, see the Linux/Unix endpoint configuration page. For more security options, check the Additional security options section.

  2. Enable and start the Wazuh agent service.

    Systemd:

    # systemctl daemon-reload
    # systemctl enable wazuh-agent
    # systemctl start wazuh-agent

    SysV init:

    Choose one option according to your operating system.

    RPM-based operating systems:

    # chkconfig --add wazuh-agent
    # service wazuh-agent start

    Debian-based operating systems:

    # update-rc.d wazuh-agent defaults 95 10
    # service wazuh-agent start

    Manual start:

    On some systems, like Alpine Linux, you need to start the agent manually:

    # /var/ossec/bin/wazuh-control start
    

The deployment process is now complete, and the Wazuh agent is successfully running on your Linux system.

  • Recommended action - Disable Wazuh updates

    Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the command for your package manager:

    Yum:

    # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

    APT:

    # sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
    # apt-get update

    Alternatively, you can set the package state to hold. This action stops updates but you can still upgrade it manually using apt-get install.

    # echo "wazuh-agent hold" | dpkg --set-selections

    Zypper:

    # sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo

    APK:

    # sed -i "s|^https://packages.wazuh.com|#https://packages.wazuh.com|g" /etc/apk/repositories


Uninstall a Wazuh agent

To uninstall the agent, run the following commands:

  1. Remove the Wazuh agent installation.

    Yum:

    # yum remove wazuh-agent

    Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.

    APT:

    # apt-get remove wazuh-agent

    Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, run the following command:

    # apt-get remove --purge wazuh-agent

    Zypper:

    # zypper remove wazuh-agent

    Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.

    APK:

    # apk del wazuh-agent

  2. Disable the Wazuh agent service.

    Systemd:

    # systemctl disable wazuh-agent
    # systemctl daemon-reload

    SysV init:

    Choose one option according to your operating system.

    RPM-based operating systems:

    # chkconfig wazuh-agent off
    # chkconfig --del wazuh-agent

    Debian-based operating systems:

    # update-rc.d -f wazuh-agent remove

    Manually started agents (for example, Alpine Linux):

    No action required.

The Wazuh agent is now completely removed from your Linux endpoint.