In this tutorial, you will learn how to install Wazuh agents on Ubuntu/Debian systems. Wazuh operates in a server-client architecture. It is made up of a Wazuh server and Wazuh agents.
Wazuh agents collect data from the endpoints and ship it to the Wazuh manager for processing. They are capable of:
- Log and data collection
- File integrity monitoring
- Rootkit and malware detection
- Security policy monitoring
- Configuration assessments
- Software inventory
Easy Way to Install Wazuh Agents on Ubuntu/Debian
Wazuh agents can be installed on various platforms, including AIX, HP-UX, Solaris and Windows systems. However, this tutorial focuses on how to install Wazuh agents on Ubuntu/Debian Linux systems.
Install Wazuh Agents on Ubuntu/Debian
Wazuh provides APT repositories, which make it easy to install Wazuh agents on Ubuntu/Debian systems.
Therefore, to use the Wazuh APT repos to install Wazuh agents on Ubuntu/Debian systems:
- Install the repository GPG signing key:
apt install curl
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
- Add Wazuh repository:
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- Update system package cache:
apt update
Install Wazuh Agents on Ubuntu/Debian
Now that the repos are set, you can proceed to install Wazuh agents. There are two options here:
Install and manually register the agent
If you want to install the agent first and register it with the server manually later, simply run the command below to install it:
apt install wazuh-agent
If you choose to install the Wazuh agent this way, then you need to register the agent with the Wazuh server by running the command below on the system where the agent is installed:
/var/ossec/bin/agent-auth -m MANAGER-IP [-A AGENT_NAME]
To register the agent using the system hostname as its name, just omit the [-A AGENT_NAME] option.
However, before you can proceed, ensure you can connect to the Wazuh manager registration port, 1515/TCP. Ensure that this port is open on the firewall, if any is running.
telnet 192.168.59.17 1515
Trying 192.168.59.17...
Connected to 192.168.59.17.
Escape character is '^]'.
/var/ossec/bin/agent-auth -m 192.168.59.17
Sample command output:
2021/05/26 11:12:09 agent-auth: INFO: Started (pid: 5662).
2021/05/26 11:12:09 agent-auth: INFO: Requesting a key from server: 192.168.59.17
2021/05/26 11:12:09 agent-auth: INFO: No authentication password provided
2021/05/26 11:12:09 agent-auth: INFO: Using agent name as: debian10
2021/05/26 11:12:09 agent-auth: INFO: Waiting for server reply
2021/05/26 11:12:09 agent-auth: INFO: Valid key received
Next, set the Wazuh server IP in the Wazuh configuration file, /var/ossec/etc/ossec.conf.
Simply replace MANAGER_IP with the IP address:
sed -i 's/MANAGER_IP/192.168.59.17/' /var/ossec/etc/ossec.conf
Install and automatically register Wazuh agent
To install and automatically register your Wazuh agent, execute the command below. Replace the Wazuh-manager IP accordingly.
WAZUH_MANAGER="192.168.59.17" apt install wazuh-agent
You can see other deployment variables on the variables page.
You can also download the installation command to automatically enroll the agent right from the Wazuh manager agents dashboard.
Navigate to Wazuh App > Agents > Deploy new agent and follow the procedure.
Once the installation is done, if you list the agents on the Wazuh manager, you should see that the agent is registered but not connected.
/var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: elk.kifarunix-demo.com (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: ubuntu20, IP: any, Never connected
ID: 002, Name: debian10, IP: any, Never connected
List of agentless devices:
Ensure that no two hosts share the same name.
Running Wazuh Agent
Once the agents are installed and registered, start them and enable them to run on system boot.
Before that, note that by default, Wazuh expects the agent to communicate with it through 1514/TCP. Hence, ensure that this port is open on the Wazuh server if a firewall is running.
systemctl enable --now wazuh-agent.service
Be sure to check the logs:
tail -f /var/ossec/logs/ossec.log
Check Wazuh Agents Status
Verify that the agents are now connected to the server and active:
/var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: elk.kifarunix-demo.com (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: ubuntu20, IP: any, Active
ID: 003, Name: debian10, IP: any, Active
List of agentless devices:
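The status check above can be scripted. The following is an added example, not part of the original tutorial or of Wazuh itself: a shell function that reads agent_control -l output and reports agents whose status is not Active, and agent names registered under more than one ID. The function name audit_agents and the sample listing (adapted from the outputs shown above, with a constructed duplicate debian10 entry) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit `agent_control -l` output on the Wazuh manager.
# audit_agents (hypothetical name) reads the listing on stdin, prints one
# line per finding and returns 1 if anything needs attention, 0 otherwise.
audit_agents() {
    awk -F', *' '
        /^[ \t]*ID: / {
            # Row layout: "ID: 001, Name: ubuntu20, IP: any, Active"
            id = $1;     sub(/^[ \t]*ID: */, "", id)
            name = $2;   sub(/^Name: */, "", name)
            sub(/ \(server\)$/, "", name)      # manager row carries "(server)"
            status = $NF; sub(/[ \t\r]+$/, "", status)

            # "Active" and "Active/Local" are healthy; anything else is reported.
            if (status !~ /^Active/) {
                printf "NOT_ACTIVE id=%s name=%s status=%s\n", id, name, status
                bad = 1
            }
            # The same name under two IDs usually means a re-registered host.
            if (name in seen) {
                printf "DUPLICATE_NAME name=%s ids=%s,%s\n", name, seen[name], id
                bad = 1
            } else {
                seen[name] = id
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (not captured from a live manager).
SAMPLE='Wazuh agent_control. List of available agents:
   ID: 000, Name: elk.kifarunix-demo.com (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu20, IP: any, Never connected
   ID: 002, Name: debian10, IP: any, Never connected
   ID: 003, Name: debian10, IP: any, Active
List of agentless devices:'

# Demo run on the sample; on a manager, pipe the real command instead:
#   /var/ossec/bin/agent_control -l | audit_agents
printf '%s\n' "$SAMPLE" | audit_agents || echo "Findings above need attention."
```

The non-zero return code makes the function usable from cron or a monitoring check on the manager.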
You can also verify from the Wazuh interface. Wondering how? See our guide on integrating Wazuh Server with ELK stack.
Integrate Wazuh Manager with ELK Stack
You can then view the events collected from the systems.
And that is all it takes to install Wazuh Agents on Ubuntu/Debian.