Install the Windows Wazuh agent
Run the installer to download, install and self-register the Wazuh agent
Log into your Windows Agent instance via Remote Desktop as Administrator. Remember to use the password you obtained previously.
Click the “Search Windows” icon (magnifying glass in the bottom left of the screen). Type “powershell” and right-click Windows PowerShell.
Click “Run as administrator”.
In PowerShell, change to the Downloads directory with “cd Downloads”.
Then download and run the installer with this command line:
A black window will pop up briefly and disappear. The Windows agent should now be installed and registered. Close PowerShell.
Create a shortcut to the Wazuh agent Manager tool on the taskbar
(This is only for lab purposes. In production you will rarely open this tool.)
Open File Explorer (Windows-key + E).
Navigate to the C:\Program Files (x86)\ossec-agent directory and find the win32ui executable.
Right click the “win32ui” file and select “Pin to the taskbar”.
Run the Wazuh agent Manager and confirm it is running and connected to the Wazuh manager
Click on the Wazuh icon on your taskbar. It should look like this:
Click on View->View Logs. You should find a record of the agent successfully connecting to the Wazuh manager.
2019/11/22 12:05:23 ossec-agent: INFO: (4102): Connected to the server (172.30.0.10:1514/tcp).
Observe that Wazuh manager is aware of all the connected agents.
Switch over to your Wazuh Server SSH window and run these commands, looking for your self-registered agents.
[root@wazuh-manager centos]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: linux-agent, IP: 172.30.0.30, Active
   ID: 002, Name: elastic-server, IP: 172.30.0.20, Active
   ID: 003, Name: windows-agent, IP: 172.30.0.40, Active

List of agentless devices:

[root@wazuh-manager centos]# grep "agent connected" /var/ossec/logs/alerts/alerts.log -B1 -A1
2019 Nov 22 11:41:35 (linux-agent) 172.30.0.30->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'linux-agent->172.30.0.30'.
--
2019 Nov 22 11:48:26 (elastic-server) 172.30.0.20->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'elastic-server->172.30.0.20'.
--
2019 Nov 22 12:05:23 (windows-agent) 172.30.0.40->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'windows-agent->172.30.0.40'.
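To turn the visual check of the agent list into a repeatable one, the following added example (not part of the original lab guide or of Wazuh itself) parses `agent_control -l` output and reports any expected agent that is missing or not Active. The function names `agent_status` and `check_agents` are hypothetical helpers, and the embedded listing is a sample built from the output shown above.

```shell
#!/bin/sh
# Added example: verify that expected agents appear as Active in `agent_control -l`.
# Constructed sample input, copied from the lab listing on this page.
SAMPLE_LISTING='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: linux-agent, IP: 172.30.0.30, Active
   ID: 002, Name: elastic-server, IP: 172.30.0.20, Active
   ID: 003, Name: windows-agent, IP: 172.30.0.40, Active

List of agentless devices:'

# agent_status LISTING NAME: print the status field for NAME, or "missing".
agent_status() {
  printf '%s\n' "$1" | awk -v want="$2" -F', ' '
    $1 ~ /^ *ID: [0-9]+$/ {
      name = $2; sub(/^Name: /, "", name); sub(/ \(server\)$/, "", name)
      if (name == want) { print $NF; found = 1; exit }
    }
    END { if (!found) print "missing" }'
}

# check_agents LISTING NAME...: print "name: status" for every agent that is
# not Active and return 1 if any were reported, 0 otherwise.
check_agents() {
  _listing="$1"; _rc=0
  shift
  for _name in "$@"; do
    _status="$(agent_status "$_listing" "$_name")"
    case "$_status" in
      Active|Active/Local) ;;
      *) echo "$_name: $_status"; _rc=1 ;;
    esac
  done
  return "$_rc"
}

# On the manager, pass the live listing instead of the sample:
#   check_agents "$(/var/ossec/bin/agent_control -l)" linux-agent elastic-server windows-agent
check_agents "$SAMPLE_LISTING" linux-agent elastic-server windows-agent && echo "all expected agents are Active"
```

An agent that self-registered but never connected shows up with a status other than Active, so it is reported rather than silently counted as present.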