Wazuh Agent Install - CentOS




  • Add CentOS repository


    cat > /etc/yum.repos.d/wazuh.repo <<\EOF
    [wazuh_repo]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=Wazuh repository
    baseurl=https://packages.wazuh.com/3.x/yum/
    protect=1
    EOF
    

    Install agent


    yum install -y wazuh-agent
    

    Disable automatic updates for agents


    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
    yum update
    
     
    

    Copy ossec.conf file for agent configuration settings.


    I used this area to push an automatically configured ossec.conf file down to the client.
    You can manually edit /var/ossec/etc/ossec.conf
    

    Add agent to Wazuh server using SSL


    systemctl restart wazuh-agent
    /var/ossec/bin/agent-auth -m 192.168.1.1
    systemctl restart wazuh-agent
     
    
    **********************************************************
    Manual agent registration notes are below in case
    automation fails
    ***********************************************************
    
    
    #***********************************************************
    #On Wazuh Manager
    #***********************************************************
    
    # sudo /var/ossec/bin/manage_agents
    # A to add
    # Enter Hostname and IP address of client(s)
    # E to Extract Key for Agent
    #***********************************************************
    
    #***********************************************************
    #On Wazuh Agent Machine
    #***********************************************************
    # sudo /var/ossec/bin/manage_agents
    # I to import key (copy and paste key from wazuh manager)
    #**********************************************************
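
An added example, not part of the original post: a check that the repo file written in the first step verifies package signatures over HTTPS and that the `sed` step really left the repository disabled. The function names `repo_get` and `audit_wazuh_repo` are chosen for this example, and the sample file is constructed from the post's own values.

```bash
# Added example (not from the original post): check a yum .repo file for the
# settings this guide depends on. Function names are chosen for this example.

# repo_get FILE KEY: print the value of KEY, tolerating leading indentation.
repo_get() {
    awk -v k="$2" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# audit_wazuh_repo FILE: print one finding per line; return 0 only if clean.
audit_wazuh_repo() {
    _f="$1"; _bad=0
    [ -r "$_f" ] || { echo "FAIL: cannot read $_f"; return 1; }
    [ "$(repo_get "$_f" gpgcheck)" = "1" ] ||
        { echo "FAIL: gpgcheck is not 1, package signatures are not verified"; _bad=1; }
    for _key in gpgkey baseurl; do
        case "$(repo_get "$_f" "$_key")" in
            https://*) ;;
            *) echo "FAIL: $_key is not an https:// URL"; _bad=1 ;;
        esac
    done
    [ "$(repo_get "$_f" enabled)" = "0" ] ||
        { echo "WARN: repo is enabled, 'yum update' may upgrade the agent"; _bad=1; }
    return "$_bad"
}

# Constructed sample: the repo file from the post after the sed step (enabled=0).
demo_repo=$(mktemp)
cat > "$demo_repo" <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=0
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
audit_wazuh_repo "$demo_repo" && echo "OK: $demo_repo matches the guide"
rm -f "$demo_repo"
```

On a real agent, point it at `/etc/yum.repos.d/wazuh.repo`; a non-zero exit status means at least one finding was printed.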


  • Why are you disabling agent updates?



  • @JaredBusch said in Wazuh Agent Install - CentOS:

    Why are you disabling agent updates?

    It is recommended by Wazuh in their documentation to prevent automatic updates.



  • @JaredBusch said in Wazuh Agent Install - CentOS:

    Why are you disabling agent updates?

    Wazuh doesn't understand how to maintain their own repository, so when OSSIM updates their stuff, it breaks Wazuh. It's silly, easily fixable, and I don't have the time to maintain the thing myself.