Installing Wazuh agents on macOS endpoints

The agent runs on the endpoint you want to monitor and communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated.

Note

You need root user privileges to run all the commands described below.

  1. To start the installation process, download the Wazuh agent for macOS. The package is suitable for macOS Sierra or later.

  2. Select the installation method you want to follow: command line interface (CLI) or graphical user interface (GUI).

    1. To deploy the Wazuh agent on your endpoint, edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname and run the following command.

      # launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.3.10-1.pkg -target /
      

      For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for macOS section.

      Note

      Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.

    2. To complete the installation process, start the Wazuh agent.

      # /Library/Ossec/bin/wazuh-control start
      

    The installation process is now complete, and the Wazuh agent is successfully deployed and running on your macOS endpoint.

    1. To install the Wazuh agent on your system, run the downloaded file and follow the steps in the installation wizard. If you are not sure how to answer some of the prompts, use the default answers.

    2. To complete the installation process, start the Wazuh agent.

      # sudo /Library/Ossec/bin/wazuh-control start
      

    The installation process is now complete, and the Wazuh agent is successfully installed on your macOS endpoint. The next step is to register and configure the agent to communicate with the Wazuh server. To perform this action, see the Wazuh agent enrollment section.

By default, all agent files are stored in /Library/Ossec/ after the installation.

Uninstall a Wazuh agent

To uninstall the agent, follow these steps:

  1. Stop the Wazuh agent service.

    # /Library/Ossec/bin/wazuh-control stop
    
  2. Remove the /Library/Ossec/ folder.

    # /bin/rm -r /Library/Ossec
    
  3. Stop and unload dispatcher.

    # /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
    
  4. Remove launchdaemons and StartupItems.

    # /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
    # /bin/rm -rf /Library/StartupItems/WAZUH
    
  5. Remove the Wazuh user and group.

    # /usr/bin/dscl . -delete "/Users/wazuh"
    # /usr/bin/dscl . -delete "/Groups/wazuh"
    
  6. Remove from pkgutil.

    # /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
    

The Wazuh agent is now completely removed from your macOS endpoint.