In this tutorial, you will learn how to install Wazuh agents on Ubuntu/Debian systems. Wazuh operates in a server-client architecture. It is made up of a Wazuh server and Wazuh agents.
Wazuh agents collect data from the endpoints and ship it to the Wazuh manager for processing. They are capable of:
- Log and data collection
- File integrity monitoring
- Rootkit and malware detection
- Security policy monitoring
- Configuration assessments
- Software inventory
Easy Way to Install Wazuh Agents on Ubuntu/Debian
Wazuh agents can be installed on various platforms, including AIX, HP-UX, Solaris and Windows systems. However, this tutorial focuses on how to install Wazuh agents on Ubuntu/Debian Linux systems.
Install Wazuh Agents on Ubuntu/Debian
Wazuh provides APT repositories, which make it easy to install Wazuh agents on Ubuntu/Debian systems.
To use the Wazuh APT repos to install Wazuh agents on Ubuntu/Debian systems:
- Install the repository GPG signing key:
apt install curl
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
- Add Wazuh repository:
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- Update system package cache:
Install Wazuh Agents on Ubuntu/Debian
Now that the repos are set, you can proceed to install Wazuh agents. There are two options here.
Install and manually register the agent
If you want to install the agent first and register it with the server manually afterwards, run the command below to install it:
apt install wazuh-agent
If you choose to install the Wazuh agent this way, then you need to add the agent to the server by running the command below (on the host where the agent is installed):
/var/ossec/bin/agent-auth -m MANAGER-IP [-A AGENT_NAME]
To register the agent with the automatic system hostname, just omit the
However, before you can proceed, ensure you can connect to the Wazuh manager registration port, 1515/TCP. Ensure that this port is open on the firewall, if one is running.
telnet 192.168.59.17 1515
Trying 192.168.59.17...
Connected to 192.168.59.17.
Escape character is '^]'.
/var/ossec/bin/agent-auth -m 192.168.59.17
Sample command output:
2021/05/26 11:12:09 agent-auth: INFO: Started (pid: 5662).
2021/05/26 11:12:09 agent-auth: INFO: Requesting a key from server: 192.168.59.17
2021/05/26 11:12:09 agent-auth: INFO: No authentication password provided
2021/05/26 11:12:09 agent-auth: INFO: Using agent name as: debian10
2021/05/26 11:12:09 agent-auth: INFO: Waiting for server reply
2021/05/26 11:12:09 agent-auth: INFO: Valid key received
Next, set the Wazuh server IP in the Wazuh configuration file.
Simply replace MANAGER_IP with the IP address:
sed -i 's/MANAGER_IP/192.168.59.17/' /var/ossec/etc/ossec.conf
Install and automatically register Wazuh agent
To install and automatically register your Wazuh agent, execute the command below. Replace the Wazuh-manager IP accordingly.
WAZUH_MANAGER="192.168.59.17" apt install wazuh-agent
You can see other deployment variables on the variables page.
Once the installation is done, if you list the agents on the Wazuh manager, you should see that the agent is registered but not connected.
Wazuh agent_control. List of available agents:
   ID: 000, Name: elk.kifarunix-demo.com (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu20, IP: any, Never connected
   ID: 002, Name: debian10, IP: any, Never connected
List of agentless devices:
Ensure that no two hosts share the same name.
Running Wazuh Agent
Once the agents are installed and registered, start the agents and enable them to run on system boot.
Before that, note that by default Wazuh expects the agent to communicate with it through 1514/TCP.
Hence, ensure that this port is open on the Wazuh server if a firewall is running.
systemctl enable --now wazuh-agent.service
Be sure to check the logs:
tail -f /var/ossec/logs/ossec.log
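A scripted version of the manual checks above, as an added example that is not part of the original tutorial or of Wazuh's own tooling: it confirms that ossec.conf no longer holds the MANAGER_IP placeholder, then probes the registration port (1515) and the agent communication port (1514) without an interactive telnet session. The function names and the `--run` switch are hypothetical, and the port probe assumes bash and coreutils `timeout` are available.

```shell
#!/usr/bin/env bash
# Added example: agent-side pre-flight checks (hypothetical helper names).

# Print the manager address from an agent ossec.conf (first <address> element).
manager_address() {
  sed -n 's:.*<address>\(.*\)</address>.*:\1:p' "$1" | head -n 1
}

# Succeed only if an address is set and is not the unreplaced placeholder.
address_configured() {
  addr=$(manager_address "$1")
  [ -n "$addr" ] && [ "$addr" != "MANAGER_IP" ]
}

# Non-interactive TCP probe in place of telnet; needs bash and timeout.
port_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Full check: config first, then registration (1515) and agent (1514) ports.
preflight() {
  conf=${1:-/var/ossec/etc/ossec.conf}
  address_configured "$conf" || { echo "manager address not set in $conf"; return 1; }
  mgr=$(manager_address "$conf")
  rc=0
  for port in 1515 1514; do
    if port_open "$mgr" "$port"; then echo "$mgr:$port reachable"
    else echo "$mgr:$port NOT reachable"; rc=1; fi
  done
  return $rc
}

if [ "${1:-}" = "--run" ]; then
  # Check the real agent configuration and the manager it points to.
  preflight
else
  # Demo on a constructed config line that still carries the placeholder.
  demo=$(mktemp)
  printf '<client><server><address>MANAGER_IP</address></server></client>\n' > "$demo"
  address_configured "$demo" || echo "demo: placeholder MANAGER_IP still present"
  rm -f "$demo"
fi
```

Run it with `--run` on the agent host after the sed step; a non-zero exit status means the configuration or one of the two ports needs attention before the agent can connect.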
Check Wazuh Agents Status
Verify that the agents are now connected to the server and active:
Wazuh agent_control. List of available agents:
   ID: 000, Name: elk.kifarunix-demo.com (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu20, IP: any, Active
   ID: 003, Name: debian10, IP: any, Active
List of agentless devices:
You can also verify from the Wazuh interface. Wondering how? See our guide on integrating Wazuh Server with ELK stack.
You can then view the events collected from the systems.
And that is all it takes to install Wazuh Agents on Ubuntu/Debian.