Install Wazuh Agent on Windows: Complete Guide 2026

How to install the Wazuh agent on Windows step by step: MSI download, install command, ossec.conf configuration, localfile and syscheck. Up and running in 15 minutes.

AI Security

To install the Wazuh agent on Windows, download the MSI installer from the Wazuh portal, run it with the WAZUH_MANAGER=SERVER_IP parameter, and the agent registers and connects to the server automatically. The whole process takes less than 5 minutes.

How do you install the Wazuh agent on Windows, step by step?

In this guide I'll show you how to install the Wazuh agent on Windows and configure the most important parts of the ossec.conf file. The agent is the component that collects logs, monitors file integrity and sends all the information to the Wazuh server.

Prerequisite: connectivity with the server

Important: Before installing the agent, make sure the Windows machine has connectivity with the Wazuh server. The agent needs to communicate with the server to send logs and receive its configuration.

You can verify connectivity in several ways:

1. Ping the server

ping SERVER_IP

2. Check access to the Dashboard (port 443)

# Using PowerShell 6 or later (-SkipCertificateCheck is not available in Windows PowerShell 5.1)
Invoke-WebRequest -Uri https://SERVER_IP -SkipCertificateCheck

# Or open it in the browser
https://SERVER_IP

If the Dashboard loads correctly, there's connectivity. If it doesn't work, check:

  • The server firewall (ports 443 and 1514 open)
  • The Windows firewall on the client
  • Network/VPN configuration if they are on different networks

Installation command

Run this command in PowerShell as Administrator. You must replace the following values with the ones for your environment:

  • WAZUH_MANAGER: IP or hostname of your Wazuh server
  • WAZUH_AGENT_NAME: Identifying name for this agent (e.g.: PC-ACCOUNTING, SERVER-WEB, etc.)

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi; Start-Process msiexec.exe -ArgumentList "/i wazuh-agent.msi /q WAZUH_MANAGER=YOUR_SERVER_IP WAZUH_AGENT_NAME=AGENT_NAME" -Wait

Real example: If your Wazuh server is at 192.168.1.100 and you want to name the agent "PC-OFFICE":

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi; Start-Process msiexec.exe -ArgumentList "/i wazuh-agent.msi /q WAZUH_MANAGER=192.168.1.100 WAZUH_AGENT_NAME=PC-OFFICE" -Wait
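
The installation command above, extended as an added example (not from the original guide or the Wazuh project): it checks that TCP 1514 on the server is reachable, verifies the MSI's Authenticode signature before running it, and checks the msiexec exit code. It assumes the MSI is Authenticode-signed; the `$ExpectedSigner` value is an assumption to confirm against a known-good download, and the script parameters are names chosen for this example.

```powershell
# Added example, not from the original guide. Run in PowerShell as Administrator.
param(
    [string]$Manager        = '192.168.1.100',  # sample server IP used in this guide
    [string]$AgentName      = 'PC-OFFICE',      # sample agent name used in this guide
    [string]$ExpectedSigner = 'Wazuh'           # assumption: text expected in the signer subject
)
$ErrorActionPreference = 'Stop'
$url = 'https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi'
$msi = Join-Path $env:TEMP 'wazuh-agent.msi'

# 1. The agent talks to the manager on TCP 1514: fail early if it is unreachable.
$probe = Test-NetConnection -ComputerName $Manager -Port 1514 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${Manager}:1514. Check the server and Windows firewalls."
}

# 2. Download, then refuse to run an installer whose signature is missing,
#    broken, or issued to an unexpected publisher.
Invoke-WebRequest -Uri $url -OutFile $msi
$sig = Get-AuthenticodeSignature -FilePath $msi
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
if ($sig.Status -ne 'Valid' -or $signer -notlike "*$ExpectedSigner*") {
    Remove-Item $msi -Force
    throw "Installer rejected. Signature status: $($sig.Status); signer: $signer"
}

# 3. Silent install with the same MSI properties as the command above.
#    msiexec exit codes: 0 = success, 3010 = success, reboot required.
$msiArgs = "/i `"$msi`" /q WAZUH_MANAGER=$Manager WAZUH_AGENT_NAME=$AgentName"
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# 4. Make sure the service is running (no-op if it already is) and show its state.
Start-Service WazuhSvc
Get-Service WazuhSvc | Format-List Name, Status, StartType
```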

The ossec.conf configuration file

The agent's configuration file is located at:

C:\Program Files (x86)\ossec-agent\ossec.conf

This XML file holds the entire agent configuration. The two most important sections are localfile and syscheck.

The localfile section - log monitoring

The <localfile> section defines which Windows system logs you want to send to Wazuh. By default, the agent monitors the main Event Logs:

  • Security: Security events (logons, failed access, permission changes, etc.)
  • System: Operating system events (boot, service stops, hardware errors)
  • Application: Events from installed applications

Example configuration in ossec.conf:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
</localfile>

The syscheck section - File Integrity Monitoring (FIM)

The <syscheck> section configures File Integrity Monitoring. This feature detects changes in critical system files and folders:

  • Creation of new files
  • Modification of existing files
  • Deletion of files
  • Permission changes
  • Changes to the Windows registry

What is it for? FIM is crucial for detecting malware, ransomware or unauthorized changes. If an attacker modifies system files or ransomware starts encrypting documents, Wazuh will generate alerts immediately.

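Example configuration (frequency is in seconds, so this scans every 5 minutes; changes are reported at scan time unless a directories entry also sets realtime="yes"):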

<syscheck>
  <frequency>300</frequency>
  <directories check_all="yes">C:\Windows\System32</directories>
  <directories check_all="yes">C:\Users\*\Documents</directories>
  <windows_registry>HKEY_LOCAL_MACHINE\Software</windows_registry>
</syscheck>

Useful commands

Some PowerShell commands to manage the agent:

# Restart the agent service
Restart-Service WazuhSvc

# Check the service status
Get-Service WazuhSvc

# View the agent logs (last 50 lines)
Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" -Tail 50
