Deploying Wazuh agents on Linux endpoints
The agent runs on the host you want to monitor and communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel.
The deployment of a Wazuh agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the Wazuh agent package directly, see the packages list section.
Note
You need root user privileges to run all the commands described below.
Add the Wazuh repository
Add the Wazuh repository to download the official packages.
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-\$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Note
For Debian 7, 8, and Ubuntu 14 systems import the GCP key and add the Wazuh repository (steps 1 and 2) using the following commands.
# apt-get install gnupg apt-transport-https
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Refresh the repository:
# zypper refresh
Deploy a Wazuh agent
To deploy the Wazuh agent on your endpoint, select your package manager and edit the
WAZUH_MANAGERvariable to contain your Wazuh manager IP address or hostname.# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.
# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.
# WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.
Enable and start the Wazuh agent service.
# systemctl daemon-reload # systemctl enable wazuh-agent # systemctl start wazuh-agent
Choose one option according to your operating system.
RPM-based operating systems:
# chkconfig --add wazuh-agent # service wazuh-agent start
Debian-based operating systems:
# update-rc.d wazuh-agent defaults 95 10 # service wazuh-agent start
On some systems, you need to start the agent manually:
# /var/ossec/bin/wazuh-control start
The deployment process is now complete, and the Wazuh agent is successfully running on your Linux system.
Recommended action - Disable Wazuh updates
Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following command:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list # apt-get update
Alternatively, you can set the package state to
hold. This action stops updates but you can still upgrade it manually usingapt-get install.# echo "wazuh-agent hold" | dpkg --set-selections
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo