Install Wazuh Agent on Rocky Linux 8

|
Last Updated:
|
|

In this tutorial, you will learn how to install Wazuh agent on Rocky Linux 8. Our previous setup was on setting up Wazuh server with ELK on Rocky Linux. The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in near real time through an encrypted and authenticated channel.

In our previous guide, we learnt how to install Wazuh server on Rocky Linux 8.

Install Wazuh Server on Rocky Linux 8

Installing Wazuh Agent on Rocky Linux 8

In this tutorial, we are going to install the Wazuh agent in another Rocky Linux 8 Desktop acting at the end point from which we are collecting logs.

Create the Wazuh Repository

Run the command below to create the Wazuh 4.x repository on Rocky Linux 8.


cat > /etc/yum.repos.d/wazuh.repo << 'EOL'
[wazuh_repo] 
gpgcheck=1 
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH 
enabled=1 
name=Wazuh repository 
baseurl=https://packages.wazuh.com/4.x/yum/ 
protect=1 
EOL

Import the Wazuh repository GPG key

rpm --import http://packages.wazuh.com/key/GPG-KEY-WAZUH

Install Wazuh Agent

Once the repos are in place, you can install Wazuh agent by running the command below;

dnf -y install wazuh-agent

The installation is now complete.

You can also specify the Wazuh manager from the command line. Replace the IP appropriately.

WAZUH_MANAGER="192.168.60.19" dnf install wazuh-agent

The next step is to enable the agent to communicate with the manager.

Add Wazuh Agent on Wazuh Server

Login to Wazuh manager, and run the command below to add the agent to the server.

/var/ossec/bin/manage_agents

Wazuh v4.1.5 Agent manager. *
The following options are available: *

(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A

Select add an agent (A) and press enter.

Provide a name for the agent(in our case RockyLinux8Desktop) and IP of the agent and confirm.


- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: RockyLinux8Desktop
   * The IP Address of the new agent: 192.168.60.18
Confirm adding it?(y/n): y
Agent added with ID 001.

Note the ID given to the agent, 001, in our case.

If you want to add more agents, please do so.

To automatically add the agent, Wazuh from the command line, simply use the command below;

/var/ossec/bin/manage_agents -a <agent_IP> -n <agent_name>

For example, to add the second agent to Wazuh server;

/var/ossec/bin/manage_agents -a 192.168.60.20 -n Ubuntu20

Sample output;


****************************************
* Wazuh v4.1.5 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: 
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent:    * The IP Address of the new agent: Confirm adding it?(y/n): Agent added with ID 002.

manage_agents: Exiting.

You can list the agents using the command below;

/var/ossec/bin/manage_agents -l

Sample output;

Available agents:
ID: 001, Name: RockyLinux8Desktop, IP: 192.168.60.18
ID: 002, Name: Ubuntu20, IP: 192.168.60.20

Register Wazuh Agents

For an agent to communicate with the manager, you need to register the the agent key from the server and install it on the agent.

There are two ways in which you can register Wazuh agents.

Manual Wazuh Agent Registration

To manually register Wazuh agents, login to the server and extract the registration key for the specific Wazuh agent. You can use the /var/ossec/bin/manage_agents command manually or automatically as shown below;

Manual agent key extraction;

/var/ossec/bin/manage_agents

When command runs, select option E and specify the agent ID and press Enter.


****************************************
* Wazuh v4.1.5 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents: 
   ID: 001, Name: RockyLinux8Desktop, IP: 192.168.60.18
   ID: 002, Name: Ubuntu20, IP: 192.168.60.20
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is: 
MDAxIFJvY2t5TGludXg4RGVza3RvcCAxOTIuMTY4LjYwLjE4IDhmYjY5OGNjMTRmMGI4Zjg1NjIxZDk2ODgxOTM1M2JkODA5ZTE3NTRiZjA5MGQ4NTdlY2E5ZjgxZmEzMDBjMzM=

** Press ENTER to return to the main menu.
...

Automatic agent Key extraction:

/var/ossec/bin/manage_agents -e <agent-id>

For example:

/var/ossec/bin/manage_agents -e 001

Sample output;

Agent key information for '001' is: 
MDAxIFJvY2t5TGludXg4RGVza3RvcCAxOTIuMTY4LjYwLjE4IDhmYjY5OGNjMTRmMGI4Zjg1NjIxZDk2ODgxOTM1M2JkODA5ZTE3NTRiZjA5MGQ4NTdlY2E5ZjgxZmEzMDBjMzM=

Copy the key and paste it in an accessible place as we will be using in the next step.

Set the Wazuh Server Address on Wazuh Agent

On the agent, edit the file /var/ossec/etc/ossec.conf and add the Wazuh manager IP/resolvable hostname.

vim /var/ossec/etc/ossec.conf
... 
<ossec_config>
  <client>
    <server>
      <address>192.168.60.19</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
...

Save and quit

Import the Wazuh Agent Key extracted above

/var/ossec/bin/manage_agents

Press I to import the key previously generated from the manager.


****************************************
* Wazuh v4.1.5 Agent manager.          *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIFJvY2t5TGludXg4RGVza3RvcCAxOTIuMTY4LjYwLjE4IDhmYjY5OGNjMTRmMGI4Zjg1NjIxZDk2ODgxOTM1M2JkODA5ZTE3NTRiZjA5MGQ4NTdlY2E5ZjgxZmEzMDBjMzM=

Agent information:
   ID:001
   Name:RockyLinux8Desktop
   IP Address:192.168.60.18

Confirm adding it?(y/n): y
Added.
...

Quit and restart the agent.

/var/ossec/bin/ossec-control restart

Automatic Wazuh Agent Registration

With the automatic agent registration, run the command below on Wazuh agent server.

/var/ossec/bin/agent-auth -m 192.168.60.19 -A RockyLinux8Desktop -I 192.168.60.18

Consult /var/ossec/bin/agent-auth -h for more info on command line options used.

Sample output of the command;


2021/07/10 15:51:15 agent-auth: INFO: Started (pid: 19633).
2021/07/10 15:51:15 agent-auth: INFO: Requesting a key from server: 192.168.60.19
2021/07/10 15:51:15 agent-auth: INFO: No authentication password provided
2021/07/10 15:51:15 agent-auth: INFO: Using agent name as: RockyLinux8Desktop
2021/07/10 15:51:15 agent-auth: INFO: Waiting for server reply
2021/07/10 15:51:15 agent-auth: INFO: Valid key received

Restart Wazuh agent;

systemctl restart wazuh-agent

List Active Wazuh Agents on Wazuh Server

Run the command below on Wazuh server to check agent status;

/var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: RockyLinux8Desktop, IP: 192.168.60.18, Active
   ID: 002, Name: Ubuntu20, IP: 192.168.60.20, Never connected

List of agentless devices:

Verify Agent Data Reception on Kibana

The agent registration is complete.

Check that the agents are now active. Note, we only connected a single agent in this setup.

Install Wazuh Agent on Rocky Linux 8

To see more information, click on Active agents options.

active agent details

Navigate to Wazuh>Modules>Security Events to view security related events and dashboards.

wazuh security events

You can explore more on the modules such as Auditing and Policy Monitoring,Regulatory Compliance and Threat Detection and Response.

That concludes our guide on how to install Wazuh agent.

Reference

Wazuh Agent installation

Other Tutorials

Install OSSEC Agent on Rocky Linux 8

Install Nagios NRPE Agent on Rocky Linux 8

Easy Way to Install Wazuh Agents on Ubuntu/Debian

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
gen_too
Co-founder of Kifarunix.com, Linux Tips and Tutorials. Linux/Unix admin and author at Kifarunix.com.

Leave a Comment