Deploying Wazuh agents on Linux endpoints
The agent runs on the host you want to monitor and communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel.
The deployment of a Wazuh agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the Wazuh agent package directly, see the packages list section.
Note
You need root user privileges to run all the commands described below.
Add the Wazuh repository
Add the Wazuh repository to download the official packages.
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-\$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Note
For Debian 7, 8, and Ubuntu 14 systems import the GCP key and add the Wazuh repository (steps 1 and 2) using the following commands.
# apt-get install gnupg apt-transport-https
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Refresh the repository:
# zypper refresh
Import the RSA key:
# wget -O /etc/apk/keys/alpine-devel@wazuh.com-633d7457.rsa.pub https://packages.wazuh.com/key/alpine-devel%40wazuh.com-633d7457.rsa.pub
Add the repository:
# echo "https://packages.wazuh.com/4.x/alpine/v3.12/main" >> /etc/apk/repositories
Update the metadata information:
# apk update
Deploy a Wazuh agent
To deploy the Wazuh agent on your endpoint, select your package manager and edit the
WAZUH_MANAGERvariable to contain your Wazuh manager IP address or hostname.# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.
# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.
# WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.
Install the Wazuh agent:
# apk add wazuh-agent
Edit the agent configuration to add the address of your Wazuh manager:
# export WAZUH_MANAGER="10.0.0.2" && sed -i "s|MANAGER_IP|$WAZUH_MANAGER|g" /var/ossec/etc/ossec.conf
For more customization options, like agent name or group, see the Linux/Unix endpoint configuration page. For more security options, check the Additional security options section.
Enable and start the Wazuh agent service.
# systemctl daemon-reload # systemctl enable wazuh-agent # systemctl start wazuh-agent
Choose one option according to your operating system.
RPM-based operating systems:
# chkconfig --add wazuh-agent # service wazuh-agent start
Debian-based operating systems:
# update-rc.d wazuh-agent defaults 95 10 # service wazuh-agent start
On some systems, like Alpine Linux, you need to start the agent manually:
# /var/ossec/bin/wazuh-control start
The deployment process is now complete, and the Wazuh agent is successfully running on your Linux system.
Recommended action - Disable Wazuh updates
Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following command:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list # apt-get update
Alternatively, you can set the package state to
hold. This action stops updates but you can still upgrade it manually usingapt-get install.# echo "wazuh-agent hold" | dpkg --set-selections
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
# sed -i "s|^https://packages.wazuh.com|#https://packages.wazuh.com|g" /etc/apk/repositories
Uninstall a Wazuh agent
To uninstall the agent, run the following commands:
Remove the Wazuh agent installation.
# yum remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the
/var/ossecfolder.# apt-get remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, run the following command:
# apt-get remove --purge wazuh-agent
# zypper remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the
/var/ossecfolder.# apk del wazuh-agent
Disable the Wazuh agent service.
# systemctl disable wazuh-agent # systemctl daemon-reload
Choose one option according to your operating system.
RPM-based operating systems:
# chkconfig wazuh-agent off # chkconfig --del wazuh-agent
Debian-based operating systems:
# update-rc.d -f wazuh-agent remove
No action required.
The Wazuh agent is now completely removed from your Linux endpoint.