
How to Install the Wazuh Agent on Linux

Step-by-step guide to installing and configuring the Wazuh agent on Linux (Debian/Ubuntu): the install command, ossec.conf setup, localfile entries and restarting the service.


To install the Wazuh agent on Linux (Debian/Ubuntu), download the wazuh-agent package from the official repository, install it, set the server IP in ossec.conf and start the service with systemctl start wazuh-agent. The whole process takes less than 10 minutes.

How do you install the Wazuh agent on Linux step by step?

In this guide I'll show you how to install the Wazuh agent on Linux (Debian/Ubuntu) and configure the most important parts of the ossec.conf file. The agent is the component that collects logs, monitors file integrity and sends all the information to the Wazuh server.


Prerequisite: connectivity with the server

Important: Before installing the agent, make sure the machine has connectivity with the Wazuh server. The agent needs to communicate with the server to send logs and receive its configuration.

You can verify connectivity in several ways:

1. Ping the server

ping IP_SERVIDOR

2. Check access to the Dashboard (port 443)

# Using curl
curl -k https://IP_SERVIDOR

# Or open it in the browser
https://IP_SERVIDOR

If the Dashboard loads correctly, there is connectivity (a failed ping on its own is not conclusive, since ICMP is often filtered; the Dashboard check is the stronger test). If it doesn't work, check:

  • Server firewall (ports 443 and 1514 open)
  • Client firewall
  • Network/VPN configuration if they are on different networks
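The checks above can be scripted so they run before every deployment. The following is an added example, not code from the guide or from the Wazuh project: it attempts a real TCP handshake to each port the guide names (443 for the Dashboard, 1514 for agent traffic) plus 1515, the port agent-auth uses for enrollment, and reports which ones a firewall or VPN is still blocking. The manager name is a placeholder; the loopback listener exists only so the checker can be exercised on a host with no manager in reach.

```python
"""Pre-flight connectivity check for a host about to receive a Wazuh agent.

Added example, not part of the original guide. Ports 443 and 1514 come
from the guide; 1515 is the enrollment port used by agent-auth.
"""
import socket
from typing import Callable, Dict, List, Tuple

# name -> port. Replace or extend if your manager uses non-default ports.
DEFAULT_PORTS: Dict[str, int] = {"dashboard": 443, "agent": 1514, "enrollment": 1515}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes.

    A refused or filtered port, a DNS failure and a timeout all yield False,
    so the caller gets one answer per port instead of an exception.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host: str, ports: Dict[str, int] = DEFAULT_PORTS, timeout: float = 3.0,
              probe: Callable[[str, int, float], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe every named port and return {name: reachable}.

    `probe` is injectable so the logic can be tested without a network.
    """
    return {name: probe(host, port, timeout) for name, port in ports.items()}


def blockers(results: Dict[str, bool]) -> List[str]:
    """Names of the ports that must be opened (firewall, VPN, routing) first."""
    return sorted(name for name, ok in results.items() if not ok)


def loopback_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on 127.0.0.1 on an OS-chosen port.

    Used only to exercise tcp_reachable() where no manager is available.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    manager = sys.argv[1] if len(sys.argv) > 1 else "MANAGER_PLACEHOLDER"  # placeholder
    results = preflight(manager)
    for name, ok in results.items():
        print(f"{name:<11} {DEFAULT_PORTS[name]:>5}  {'reachable' if ok else 'BLOCKED'}")
    sys.exit(1 if blockers(results) else 0)
```

Run it as `python3 preflight.py 192.168.1.100`; a non-zero exit code means at least one port is unreachable, which makes it easy to gate an automated install on the result.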

Installation command

Run these commands as root or with sudo. You must replace the following values with the ones from your environment:

  • WAZUH_MANAGER: IP or hostname of your Wazuh server
  • WAZUH_AGENT_NAME: Identifying name for this agent (e.g.: web-server, db-production, etc.)

Debian/Ubuntu

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.2-1_amd64.deb && sudo WAZUH_MANAGER='TU_IP_SERVIDOR' WAZUH_AGENT_NAME='NOMBRE_AGENTE' dpkg -i ./wazuh-agent_4.9.2-1_amd64.deb

Real example: If your Wazuh server is at 192.168.1.100 and you want to name the agent "web-server":

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.2-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.100' WAZUH_AGENT_NAME='web-server' dpkg -i ./wazuh-agent_4.9.2-1_amd64.deb

Enable and start the service

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

The ossec.conf configuration file

The agent configuration file is located at:

/var/ossec/etc/ossec.conf

This XML file contains the entire agent configuration. The two most important sections are localfile and syscheck.

The localfile section - log monitoring

The <localfile> section defines which system logs you want to send to Wazuh. By default the agent monitors system logs, but you can add logs from specific applications.

Example: adding Apache2 logs

To monitor Apache2 error logs, edit the ossec.conf file:

sudo nano /var/ossec/etc/ossec.conf

Add the following configuration inside the <ossec_config> block:

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/error.log</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/access.log</location>
</localfile>

Available log formats:

  • syslog - For system logs (/var/log/syslog, /var/log/auth.log)
  • apache - For Apache/Nginx logs
  • json - For applications that generate logs in JSON
  • multi-line - For logs that span several lines

The syscheck section - File Integrity Monitoring (FIM)

The <syscheck> section configures File Integrity Monitoring. This feature detects changes in critical system files and folders.

Example configuration:

<syscheck>
  <frequency>300</frequency>
  <directories check_all="yes">/etc</directories>
  <directories check_all="yes">/usr/bin</directories>
  <directories check_all="yes">/var/www</directories>
</syscheck>
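Editing ossec.conf by hand works for one host, but a typo breaks the whole agent and a duplicated <localfile> entry is easy to miss. The following added example (not code from the guide or the Wazuh project) serves both the localfile and the syscheck sections: it appends <localfile> blocks only for locations not already monitored, refuses to write anything that is not well-formed XML, and lints the result for an unreplaced server address, log files and syscheck directories that do not exist on the host, and a missing syscheck frequency. The sample configuration embedded below is constructed for the demonstration; it reflects the structure shown in this guide, not a real file.

```python
"""Edit and sanity-check an agent ossec.conf.

Added example, not from the guide or the Wazuh project. The file is edited
as text so comments and layout survive; ElementTree is used only to confirm
the result still parses. SAMPLE_CONF is constructed for the demonstration.
"""
import os
import re
import xml.etree.ElementTree as ET
from typing import Callable, List, Sequence, Tuple

SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>192.168.1.100</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <syscheck>
    <frequency>300</frequency>
    <directories check_all="yes">/etc</directories>
    <directories check_all="yes">/var/www</directories>
  </syscheck>
</ossec_config>
"""

LOCALFILE_TEMPLATE = """
  <localfile>
    <log_format>{fmt}</log_format>
    <location>{loc}</location>
  </localfile>
"""


def parse(text: str) -> ET.Element:
    """ossec.conf may hold several top-level <ossec_config> blocks, which plain
    XML forbids, so wrap the document in a synthetic root before parsing."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + body + "</root>")


def manager_address(text: str) -> str:
    return parse(text).findtext("./ossec_config/client/server/address", "").strip()


def localfile_locations(text: str) -> List[str]:
    """Every <location> already declared under a <localfile>, in file order."""
    out = []
    for lf in parse(text).iter("localfile"):
        loc = lf.findtext("location")
        if loc:
            out.append(loc.strip())
    return out


def syscheck_directories(text: str) -> List[str]:
    return [d.text.strip() for d in parse(text).iter("directories") if d.text]


def add_localfiles(text: str, entries: Sequence[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Append <localfile> blocks for (log_format, location) pairs not yet
    monitored, just before the last </ossec_config>. Returns (new text,
    locations added). Raises ValueError/ParseError rather than producing a
    broken file."""
    present = set(localfile_locations(text))
    added, blocks = [], ""
    for fmt, loc in entries:
        if loc in present:
            continue
        if not re.fullmatch(r"[A-Za-z0-9_:-]+", fmt):
            raise ValueError(f"unexpected log_format value: {fmt!r}")
        if re.search(r'[<>&"]', loc):
            raise ValueError(f"location contains XML-significant characters: {loc!r}")
        blocks += LOCALFILE_TEMPLATE.format(fmt=fmt, loc=loc)
        present.add(loc)
        added.append(loc)
    if not added:
        return text, added
    idx = text.rfind("</ossec_config>")
    if idx < 0:
        raise ValueError("no closing </ossec_config> tag found")
    new_text = text[:idx] + blocks.rstrip("\n") + "\n" + text[idx:]
    parse(new_text)  # ParseError here means we must not write the file
    return new_text, added


def lint(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Warnings a deployer should read before restarting the agent."""
    warnings = []
    addr = manager_address(text)
    if not addr or re.search(r"[A-Z_]{4,}", addr):  # empty or an unreplaced placeholder
        warnings.append(f"manager address missing or still a placeholder: {addr!r}")
    for loc in localfile_locations(text):
        if "*" not in loc and not exists(loc):
            warnings.append(f"localfile location does not exist on this host: {loc}")
    for d in syscheck_directories(text):
        if not exists(d):
            warnings.append(f"syscheck directory does not exist on this host: {d}")
    if parse(text).findtext("./ossec_config/syscheck/frequency") is None:
        warnings.append("no syscheck <frequency> set; the agent default applies")
    return warnings


if __name__ == "__main__":
    path = "/var/ossec/etc/ossec.conf"
    with open(path) as fh:
        conf = fh.read()
    conf, added = add_localfiles(conf, [("apache", "/var/log/apache2/error.log"),
                                        ("apache", "/var/log/apache2/access.log")])
    print("added:", added or "nothing (already present)")
    for w in lint(conf):
        print("WARNING:", w)
```

Write the result back only after reviewing the warnings, then restart the service as described in the next section. Inserting before the last closing tag keeps the entries inside the <ossec_config> block the guide refers to, even on files that carry more than one such block.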

Restart the agent service

After modifying the ossec.conf file, you must restart the service to apply the changes:

# Restart the agent
sudo systemctl restart wazuh-agent

# Check status
sudo systemctl status wazuh-agent

# Enable automatic startup
sudo systemctl enable wazuh-agent

Useful commands

Some additional commands to manage the agent:

# View the agent logs
sudo tail -f /var/ossec/logs/ossec.log

# Enroll the agent with the manager (enrollment service, port 1515)
# if it was not registered during installation
sudo /var/ossec/bin/agent-auth -m IP_SERVIDOR

# View agent information (run on the Wazuh manager, not on the agent;
# replace AGENT_ID with the ID shown in the Dashboard or by agent_control -l)
sudo /var/ossec/bin/agent_control -i AGENT_ID
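Tailing ossec.log tells you what happened, but after a restart the question is usually just "did the agent connect, and which daemons are complaining?". The following added example (not code from the guide or the Wazuh project) parses the agent's log into structured entries, replays the wazuh-agentd messages in order to determine the current connection state, and counts errors per daemon. The line shape it parses is the one the agent writes (date, daemon, level, message); the log lines embedded below are constructed for the demonstration and are not captured output, so treat their message codes as illustrative.

```python
"""Summarise a Wazuh agent's ossec.log: connection state and errors per daemon.

Added example, not from the guide. Parses lines of the form
"YYYY/MM/DD HH:MM:SS daemon: LEVEL: message". SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w.:-]+): "                       # e.g. wazuh-agentd, wazuh-modulesd:syscollector
    r"(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL): "
    r"(?P<msg>.*)$"
)
# Matches the host/port inside "Connected to the server ([host]:port/proto)."
CONNECTED_RE = re.compile(r"Connected to the server \(\[(?P<host>[^\]]+)\]:(?P<port>\d+)")

# Constructed sample lines shaped like agent output (not a real capture).
SAMPLE_LOG = """\
2024/03/10 09:12:01 wazuh-agentd: INFO: Started (pid: 1337).
2024/03/10 09:12:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2024/03/10 09:12:02 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/apache2/error.log' due to [(2)-(No such file or directory)].
2024/03/10 09:12:05 wazuh-agentd: ERROR: (1216): Unable to connect to any server.
2024/03/10 09:12:35 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.100]:1514/tcp).
2024/03/10 09:12:40 wazuh-syscheckd: INFO: (6001): Starting scan.
"""


class Entry(NamedTuple):
    ts: str
    daemon: str
    level: str
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """One structured entry, or None for continuation/garbage lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    return Entry(**m.groupdict()) if m else None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def connection_state(entries: List[Entry]) -> Dict[str, object]:
    """Replay wazuh-agentd messages in order; the most recent one wins."""
    state: Dict[str, object] = {"connected": False, "server": None,
                                "changed_at": None, "last_error": None}
    for e in entries:
        if e.daemon != "wazuh-agentd":
            continue
        m = CONNECTED_RE.search(e.msg)
        if m:
            state.update(connected=True, server=m.group("host"),
                         changed_at=e.ts, last_error=None)
        elif "Unable to connect" in e.msg or "Lost connection" in e.msg:
            state.update(connected=False, changed_at=e.ts, last_error=e.msg)
    return state


def error_summary(entries: List[Entry]) -> Counter:
    """ERROR/CRITICAL count per daemon, to see which component needs attention."""
    return Counter(e.daemon for e in entries if e.level in ("ERROR", "CRITICAL"))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/ossec.log"
    with open(path, errors="replace") as fh:
        entries = parse_log(fh.read())
    state = connection_state(entries)
    print("connected:", state["connected"], "server:", state["server"], "at:", state["changed_at"])
    for daemon, n in error_summary(entries).most_common():
        print(f"{daemon}: {n} error(s)")
```

In the sample, the logcollector error for the missing Apache log does not prevent the agent from connecting, which is exactly the kind of detail a quick `tail -f` can hide: the agent is healthy, but one <localfile> entry points at a path that does not exist yet.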
