Wazuh Agent is the software responsible for analyzing all kinds of actions that affect the equipment where it is installed. It runs on each device that the user wants to supervise. It is the main tool for detecting problems on each computer individually and for keeping all this information on a server where, in real time, Apolo recognizes the status of each agent.
The agent and the server communicate over an encrypted and authenticated channel. The agent was developed to oversee a large variety of endpoints without affecting their performance: it requires 35 MB of RAM on average and therefore supports the most popular operating systems. More information can be found in Wazuh’s official documentation.
Prior to Wazuh Installation
Before starting, we must have administrator access to the computer where we want to install the agent. We will mainly use a very simple script in which we enter the values that identify our device. That way, it will not be necessary to edit the configuration file once the installation is completed.
Agents are divided into two groups: computers, with the nomenclature «PC», and servers, with the nomenclature «SERVER». Wazuh also allows an alias to be set for each registered computer. To establish the connection with the server, we have to register with the correct credentials and define the address of the server.
The following table lists the variables that we can use in our script:
| OPTION | DESCRIPTION |
| --- | --- |
| WAZUH_MANAGER | Specifies the principal server address. |
| WAZUH_REGISTRATION_SERVER | Specifies the Wazuh registration server, used for agent registration. |
| WAZUH_REGISTRATION_PASSWORD | Defines the key used to register agents on the server. |
| WAZUH_AGENT_NAME | Assigns the name of the device. |
| WAZUH_AGENT_GROUP | Assigns the groups the device belongs to. |
These variables should be completed with these values, including quotation marks:
| OPTION | VALUE |
| --- | --- |
| WAZUH_MANAGER | "wazuh-workers-company.apoloanalytics.com" |
| WAZUH_REGISTRATION_SERVER | "wazuh-company.apoloanalytics.com" (same as the start) |
| WAZUH_REGISTRATION_PASSWORD | "password" |
| WAZUH_AGENT_NAME | Your choice: the name of the device. |
| WAZUH_AGENT_GROUP | "PC" or "SERVER". |
Install
- Open a terminal and enter the following command:
curl -so wazuh-agent-4.3.9.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.3.9-1.pkg && sudo launchctl setenv WAZUH_MANAGER <wazuh-manager> WAZUH_REGISTRATION_PASSWORD <wazuh-registration-password> WAZUH_AGENT_GROUP <wazuh-agent-group> && sudo installer -pkg ./wazuh-agent-4.3.9.pkg -target /
- Next, once the installation has finished, run the following command to start the agent:
sudo /Library/Ossec/bin/wazuh-control start
- If the agent doesn’t appear as a new device after installation, authentication with the server has failed. Run the following command to register the agent with the manager:
sudo /Library/Ossec/bin/agent-auth -m <wazuh-registration-server> -P <wazuh-registration-password> -A <wazuh-agent-name> -G <wazuh-agent-group>
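The check and manual registration described above can be wrapped in one script. This is an added example, not part of Apolo's or Wazuh's own tooling; it assumes the agent keeps its enrollment key in /Library/Ossec/etc/client.keys as one "<id> <name> <ip> <key>" line, and the function names and the script name check-enroll.sh are hypothetical.

```shell
#!/bin/sh
# Added example: post-install enrollment check for the macOS agent.
# Assumption: enrollment keys live in $WAZUH_HOME/etc/client.keys.
WAZUH_HOME="${WAZUH_HOME:-/Library/Ossec}"

# Accept only the two group names this guide defines.
valid_group() {
    case "$1" in
        PC|SERVER) return 0 ;;
        *) return 1 ;;
    esac
}

# Enrolled means client.keys holds at least one "<id> <name> <ip> <key>" line.
is_enrolled() {
    keys="${1:-$WAZUH_HOME/etc/client.keys}"
    [ -s "$keys" ] && grep -Eq '^[0-9]+ [^ ]+ [^ ]+ [^ ]+$' "$keys"
}

# usage (as root): enroll_if_needed <registration-server> <agent-name> <group>
enroll_if_needed() {
    server="$1"; name="$2"; group="$3"
    valid_group "$group" || { echo "group must be PC or SERVER" >&2; return 2; }
    if is_enrolled; then
        echo "agent already enrolled"
    else
        # Prompt for the password so it is not saved in shell history.
        printf 'Registration password: ' >&2
        stty -echo; IFS= read -r pass; stty echo; echo >&2
        "$WAZUH_HOME/bin/agent-auth" -m "$server" -P "$pass" -A "$name" -G "$group" || return 1
        "$WAZUH_HOME/bin/wazuh-control" restart || return 1
    fi
    # The install one-liner left the password in launchd's environment; clear it.
    launchctl unsetenv WAZUH_REGISTRATION_PASSWORD
    is_enrolled
}

# Run only when called with arguments, e.g.:
#   sudo sh check-enroll.sh <wazuh-registration-server> <wazuh-agent-name> PC
if [ "$#" -ge 3 ]; then
    enroll_if_needed "$@"
fi
```

The script exits non-zero if the agent still has no key after registration, which makes it usable from a deployment tool that needs to flag unenrolled machines.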