Deploying Wazuh agents on macOS endpoints

The Wazuh agent runs on the endpoint you want to monitor and communicates with the Wazuh manager, sending data in near real-time through an encrypted and authenticated channel.

1. To start the installation process, download the Wazuh agent according to your architecture:

   • Intel: wazuh-agent-4.13.1-1.intel64.pkg. Suitable for macOS Sierra and later.

   • Apple silicon: wazuh-agent-4.13.1-1.arm64.pkg. Suitable for macOS Big Sur and later.

2. Select the installation method you want to follow: Command line interface (CLI) or graphical user interface (GUI).

   CLIGUI

   1. To deploy the Wazuh agent on your endpoint, choose your architecture, edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname, and run the following command.

      IntelApple silicon

      # echo "WAZUH_MANAGER='10.0.0.2'" > /tmp/wazuh_envs && sudo installer -pkg wazuh-agent-4.13.1-1.intel64.pkg -target /
      

      For additional deployment options such as agent name, agent group, and enrollment password, see the Deployment variables for macOS section.

      Note

      Alternatively, if you want to install an agent without enrolling it, omit the deployment variables. To learn more about the different enrollment methods, see the Wazuh agent enrollment section.

   2. Start the Wazuh agent to complete the installation process:

      # launchctl bootstrap system /Library/LaunchDaemons/com.wazuh.agent.plist
      

   The installation process is now complete, and the Wazuh agent is successfully deployed and running on your macOS endpoint.

By default, all agent files are stored in /Library/Ossec/ after the installation.