LME Wazuh Agent Enrollment Guide
Reference the Wazuh Agent Install Documentation for official Wazuh installation information.
This guide walks you through the process of enrolling a Wazuh agent in the Logging Made Easy (LME) system.
Important Note
Ensure that the Wazuh agent version you’re installing is not newer than your Wazuh manager version, as this can lead to compatibility issues.
Variables
Throughout this guide, the following variables will be used. Replace them with your specific values:
{WAZUH_AGENT_VERSION}- the version of the Wazuh agent you’re installing (e.g., 4.9.0-1){WAZUH_MANAGER_IP}- the IP address of your Wazuh manager (e.g., 10.0.0.2)
To determine the version of Wazuh currently running on your system, run:
sudo -i podman exec -it lme-wazuh-manager /var/ossec/bin/wazuh-control -j info | jq
The output should look similar to this:
{
"error": 0,
"data": [
{
"WAZUH_VERSION": "v4.7.5"
},
{
"WAZUH_REVISION": "40720"
},
{
"WAZUH_TYPE": "server"
}
]
}
When using the Wazuh agent version variable, remove the v and add -1 at the end, as expected by Wazuh (e.g.,
4.7.5-1).You can verify the version’s accuracy by cross-referencing it with Wazuh’s List of Versions.
Steps to Enroll a Wazuh Agent (Windows)
Download the Wazuh Agent
To download the Wazuh agent Microsoft Installer (MSI) from the following URL, run:
https://packages.wazuh.com/4.x/windows/wazuh-agent-{WAZUH_AGENT_VERSION}-1.msiReplace
{WAZUH_AGENT_VERSION}with the appropriate version number.Alternatively, use this PowerShell command:
# Replace the values with the values you have above # where {WAZUH_AGENT_VERSION}=4.7.5 # where {WAZUH_MANAGER_IP}=10.1.0.5 Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi -OutFile wazuh-agent-4.7.5-1.msi;` Start-Process msiexec.exe -ArgumentList '/i wazuh-agent-4.7.5-1.msi /q WAZUH_MANAGER="10.1.0.5"' -Wait -NoNewWindow
Install the Wazuh Agent
Open a command prompt with administrator privileges.
Navigate to the directory containing the downloaded MSI file.
To install the agent, run:
wazuh-agent-{WAZUH_AGENT_VERSION}.msi /q WAZUH_MANAGER="{WAZUH_MANAGER_IP}"Replace
{WAZUH_AGENT_VERSION}with the version you downloaded.Replace
{WAZUH_MANAGER_IP}with the IP address of your Wazuh manager.
Verify Installation
After installation, the Wazuh agent service should start automatically.
You can verify the service status in the Windows Services manager.
Ensure the service starts. If it doesn’t start automatically, open PowerShell and mannually run:
NET START Wazuh
Steps to Enroll a Wazuh Agent (Debian-Based Systems)
Open a command prompt
- Open a command prompt with administrator privileges.
Add Wazuh GPG Key
To add the Wazuh GPG key, run:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add Wazuh Repository
To dd the Wazuh repository, run:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update Package Information
To update the package information, run:
apt-get update
Install Wazuh Agent and Configure Wazuh Manager IP Variable
To install the Wazuh agent and configure Wazuh manager IP variable, run:
WAZUH_MANAGER="{WAZUH_MANAGER_IP}" apt-get install wazuh-agent={WAZUH_AGENT_VERSION} && sed -i 's/MANAGER_IP/{WAZUH_MANAGER_IP}/i' /var/ossec/etc/ossec.confFor example:
WAZUH_MANAGER=10.0.0.15 apt-get install wazuh-agent=4.7.5-1 && sed -i 's/MANAGER_IP/10.0.0.15/i' /var/ossec/etc/ossec.conf
Verifying Installation
After installation, verify the status of the Wazuh agent service by running:
systemctl status wazuh-agent
Troubleshooting
If the Wazuh agent doesn’t start, run:
systemctl daemon-reload systemctl enable wazuh-agent systemctl start wazuh-agentIf the agent fails to connect, verify your firewall settings to ensure the necessary ports are open. Reference the Wazuh Ports Documentation for more information.
Verify that the Wazuh manager IP address is correct and reachable from the agent. This is the IP address of your LME server running the containers.
By following these steps, you should be able to successfully enroll Wazuh agents into your LME system. Remember to keep your agents updated, but always ensure compatibility with your Wazuh manager version.
Verifying Wazuh Agent Status
This guide provides the steps to check the status of Wazuh agents in the LME setup. These commands can be run from the host system without needing to execute into the container.
Listing All Agents and Their Status
To get an overview of all registered agents and their current status, run:
sudo -i podman exec lme-wazuh-manager /var/ossec/bin/agent_control -l
This command will display a list of all agents, including the ID, name, IP address, and current status (e.g., active, disconnected, never connected).
Checking Status of a Specific Agent
To check the detailed status of a specific agent, run:
sudo -i podman exec lme-wazuh-manager /var/ossec/bin/agent_control -i [agent_id]Replace
[agent_id]with the ID of the agent you want to check. This will provide more detailed information about the agent, including its last keep alive time, version, and operating system.
This command gives you a quick overview of how many agents are active, disconnected, or never connected.
Reference Agent_Control for more information on the agent_control program.