Wazuh agents perform the primary HIDS step: monitoring. Moreover, for IDPS-ESCAPE they play a central role in the integration of Wazuh and Suricata.
The Wazuh agent is multi-platform and runs on the endpoints that the user wants to monitor. It communicates with the Wazuh server or manager, sending data in near real-time through an encrypted and authenticated channel.
An agent SHALL be deployed on the central components host. Additionally, one can deploy an agent (connected to the central manager) on every other host to be monitored.
The installation of Wazuh agents require, Wazuh distribution to be running.
The Wazuh agent can be installed through the following two ways.
-
Using the Wazuh dashboard to deploy a new agent.
-
Deploying Wazuh agents on Linux endpoints through CLI.
We provide details to setup an agent through both the ways.
To deploy a new agent on the Wazuh Dashboard, follow these steps:
-
Navigate to Wazuh > Agents and click on Deploy new agent.
-
Choose the appropriate package for your system, such as Linux DEB amd64.
-
Specify the server address for the agent. This address is used for communication between the Wazuh agent and manager. If the agent and manager are on the same machine in a Docker installation, use the docker host address IP. Otherwise, use the IP address of the machine where the manager is deployed. To find the docker host address IP, run:
sudo docker network inspect bridge | grep Gatewayalternatively,
ip addr show docker0 | grep -Po 'inet \K[\d.]+'
-
Optionally, provide a name for the agent.
-
After entering the required information, download and install the agent using the provided command on the dashboard. For example:
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.2-1_amd64.deb && sudo WAZUH_MANAGER='172.17.0.1' WAZUH_AGENT_NAME='test-agent' dpkg -i ./wazuh-agent_4.7.2-1_amd64.deb
-
Finally, start the agent by executing the following commands:
sudo systemctl daemon-reload sudo systemctl enable wazuh-agent sudo systemctl start wazuh-agent
And it can be seen that the agent is running. The status of the agent can be checked by:
sudo systemctl status wazuh-agentTo enroll Wazuh agents via agent configuration, follow these steps for a Unix/Linux endpoint:
-
Install the GPG key:
sudo curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
-
Add the repository:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
-
Update the package information:
sudo apt-get update
-
Deploy a Wazuh agent: Select the appropriate package manager and set the
WAZUH_MANAGERvariable to include the IP address or hostname of the Wazuh manager. If the agent and manager are on the same machine in a Docker installation, use the docker host address IP. Otherwise, use the IP address of the machine where the manager is deployed.To find the docker host address IP, run:
```sh sudo docker network inspect bridge | grep Gateway` ```Or alternatively.
ip addr show docker0 | grep -Po 'inet \K[\d.]+'
-
Deploy the Wazuh agent with the following command:
WAZUH_MANAGER="172.17.0.1" WAZUH_AGENT_NAME="agent-on-host-machine" sudo apt-get install wazuh-agent
-
Enable and start the Wazuh agent service:
sudo systemctl daemon-reload sudo systemctl enable wazuh-agent sudo systemctl start wazuh-agent
These steps will configure and deploy a Wazuh agent on the Unix/Linux endpoint, allowing it to communicate with the Wazuh manager for monitoring and security purposes. The status of the agent can be checked by:
sudo systemctl status wazuh-agent