Easy Way to Install Wazuh Agents on Ubuntu/Debian


In this tutorial, you will learn how to install Wazuh agents on Ubuntu/Debian systems. Wazuh operates in a server-client architecture. It is made up of a Wazuh server and Wazuh agents.

Wazuh agents collect data from the endpoints and ship it to the Wazuh manager for processing. The agent is capable of:

  • Log and data collection
  • File integrity monitoring
  • Rootkit and malware detection
  • Security policy monitoring
  • Configuration assessments
  • Software inventory

The Wazuh agent can be installed on various platforms, including AIX, HP-UX, Solaris and Windows systems. However, this tutorial focuses on how to install Wazuh agents on Ubuntu/Debian Linux systems.

Install Wazuh Agents on Ubuntu/Debian

Wazuh provides APT repositories, which make it easy to install Wazuh agents on Ubuntu/Debian systems.

To use the Wazuh APT repos to install Wazuh agents on an Ubuntu/Debian system:

  • Install Repository GPG signing Key
apt install curl
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
  • Add Wazuh repository:
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
  • Update system package cache:
apt update

Install Wazuh Agents on Ubuntu/Debian

Now that the repos are set, you can proceed to install Wazuh agents. There are two options here.

Install and manually register the agent

If you want to install the agent now and register it with the server manually later, run the command below to install it:

apt install wazuh-agent

If you choose to install the Wazuh agent this way, you then need to register the agent with the server by running the command below (on the host where the agent is installed):

/var/ossec/bin/agent-auth -m MANAGER-IP [-A AGENT_NAME]

To register the agent under the system hostname, just omit the [-A AGENT_NAME] option.

However, before you proceed, ensure that you can connect to the Wazuh manager registration port, 1515/TCP. Ensure that this port is open on the firewall, if one is running.

telnet 192.168.59.17 1515
Trying 192.168.59.17...
Connected to 192.168.59.17.
Escape character is '^]'.

Once the port is reachable, register the agent:

/var/ossec/bin/agent-auth -m 192.168.59.17

Sample command output:

2021/05/26 11:12:09 agent-auth: INFO: Started (pid: 5662).
2021/05/26 11:12:09 agent-auth: INFO: Requesting a key from server: 192.168.59.17
2021/05/26 11:12:09 agent-auth: INFO: No authentication password provided
2021/05/26 11:12:09 agent-auth: INFO: Using agent name as: debian10
2021/05/26 11:12:09 agent-auth: INFO: Waiting for server reply
2021/05/26 11:12:09 agent-auth: INFO: Valid key received

Next, set the Wazuh server IP in the Wazuh configuration file, /var/ossec/etc/ossec.conf.

Simply replace MANAGER_IP with the IP address of the Wazuh server:

sed -i 's/MANAGER_IP/192.168.59.17/' /var/ossec/etc/ossec.conf

Install and automatically register Wazuh agent

To install and automatically register your Wazuh agent, execute the command below. Replace the Wazuh-manager IP accordingly.

WAZUH_MANAGER="192.168.59.17" apt install wazuh-agent

You can see the other deployment variables on the deployment variables page.

Once the installation is done, if you list the agents on the Wazuh manager, you should see that the agent is registered but not connected.

/var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
   ID: 000, Name: elk.kifarunix-demo.com (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu20, IP: any, Never connected
   ID: 002, Name: debian10, IP: any, Never connected

List of agentless devices:

Ensure that no two hosts share the same name.

Running Wazuh Agent

Once the agents are installed and registered, start the agents and enable them to run on system boot.

Before that, note that by default the Wazuh manager expects the agent to communicate with it over 1514/TCP.

Hence, ensure that this port is open on the Wazuh server if a firewall is running.

systemctl enable --now wazuh-agent.service

Be sure to check the logs:

tail -f /var/ossec/logs/ossec.log

Check Wazuh Agents Status

Verify that the agents are now connected to the server and active:

/var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
   ID: 000, Name: elk.kifarunix-demo.com (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu20, IP: any, Active
   ID: 003, Name: debian10, IP: any, Active

List of agentless devices:

You can also verify this from the Wazuh interface. Wondering how? See our guide on integrating Wazuh Server with ELK stack.

Integrate Wazuh Manager with ELK Stack

You will then be able to view the events collected from the systems.

And that is all it takes to install Wazuh Agents on Ubuntu/Debian.

Reference

Wazuh Agent installation
