Hey there, future SOC hero! 🦸 So, you’re ready to ditch the chaos of manual log-scrolling and deploy Wazuh—the open-source SIEM that’s like a security guard, detective, and compliance officer rolled into one. I’ve set this up everywhere from Raspberry Pis to enterprise servers (and survived way too many “why isn’t this agent connecting?!” meltdowns). Let’s get your Wazuh server running and hook up those Windows/Linux agents like a pro.
FYI: I’ll reference the official Wazuh docs but keep things human. No copy-pasted robot speak here.
Pre-Installation: Don’t Skip This (Unless You Love Pain)
1. Hardware Basics
- Wazuh Server: 4GB+ RAM, 2 CPU cores, 20GB+ storage.
- Agents: Lightweight (500MB RAM, 1 CPU core). Even your grandma’s Windows XP VM can run one.
2. Choose Your OS
- Server: Ubuntu 22.04/20.04 or CentOS 7/8/9.
- Agents: Windows (7+), Linux (deb/rpm), macOS, Solaris… yes, Solaris.
3. Update & Prep Your System
```bash
# Ubuntu
sudo apt update && sudo apt upgrade -y

# CentOS
sudo yum update -y

# Disable SELinux enforcement (temporarily; re-enable once Wazuh is running)
sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
```
Installing the Wazuh Server
Pick your OS and let’s roll. We’ll install the manager, indexer, and dashboard.
Option 1: Ubuntu/Debian
Step 1: Add the Wazuh Repository
```bash
# Import the Wazuh signing key into its own keyring
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring /usr/share/keyrings/wazuh.gpg --import
# apt runs as the _apt user, so the keyring must be world-readable or apt ignores it
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
# Add the repo, pinned to that key
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
```
Step 2: Install the Wazuh Manager
```bash
sudo apt update
sudo apt install wazuh-manager
# Enable at boot and start now; the package does not start the service for you
sudo systemctl enable --now wazuh-manager
sudo systemctl status wazuh-manager   # should say "active (running)"
```
Step 3: Install the Indexer (Elasticsearch Backend)
```bash
# The wazuh-indexer package itself comes from the Wazuh repo added in Step 1.
# apt-key is deprecated on Ubuntu 22.04; it still works but prints a warning.
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

sudo apt update
sudo apt install wazuh-indexer
sudo systemctl enable wazuh-indexer && sudo systemctl start wazuh-indexer
```
Step 4: Install the Dashboard (Kibana GUI)
```bash
sudo apt install wazuh-dashboard
sudo systemctl enable wazuh-dashboard && sudo systemctl start wazuh-dashboard
```
Option 2: CentOS/RHEL
Step 1: Add the Wazuh Repo
```bash
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# /etc/yum.repos.d is root-owned, so write the repo file through sudo tee
sudo tee /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
name=Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
EOF
```
Step 2: Install the Wazuh Manager
```bash
sudo yum install wazuh-manager
sudo systemctl enable wazuh-manager && sudo systemctl start wazuh-manager
```
Step 3: Install the Indexer
```bash
sudo yum install wazuh-indexer
sudo systemctl enable wazuh-indexer && sudo systemctl start wazuh-indexer
```
Step 4: Install the Dashboard
```bash
sudo yum install wazuh-dashboard
sudo systemctl enable wazuh-dashboard && sudo systemctl start wazuh-dashboard
```
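Before you open the dashboard, it is worth confirming the three services are actually up and listening. The script below is an added example (not from the original post or the Wazuh project): it asks systemd about each unit and compares the ports a single-node install should own against `ss` output. Ports 1514, 1515 and 5601 come from this post; 55000 (manager API) and 9200 (indexer) are the Wazuh 4.x defaults and are an assumption here. The parsing works on any `ss -lntuH` listing, so it can also be fed saved output from another box.

```shell
#!/bin/sh
# Added example, not from the original post: a post-install sanity check for the
# manager, indexer and dashboard. It asks systemd whether each unit is active and
# checks that the ports each component should own are listening. 1514, 1515 and
# 5601 come from the post; 55000 (manager API) and 9200 (indexer) are the Wazuh
# 4.x defaults and are an assumption here.

# "unit port/proto" pairs a working single-node install listens on (assumed defaults).
expected_listeners() {
    cat <<'EOF'
wazuh-manager 1514/tcp
wazuh-manager 1514/udp
wazuh-manager 1515/tcp
wazuh-manager 55000/tcp
wazuh-indexer 9200/tcp
wazuh-dashboard 5601/tcp
EOF
}

# Reduce `ss -lntuH` output on stdin (one socket per line) to unique "port/proto"
# tokens. Column 1 is the protocol, column 5 is Local Address:Port, which may be
# IPv6 like [::]:5601, so strip everything up to the last colon.
listening_from_ss() {
    awk '{ addr = $5; sub(/.*:/, "", addr); print addr "/" $1 }' | sort -u
}

# "active", "inactive", "failed", or "unknown" when systemd is not available.
unit_state() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active "$1" 2>/dev/null || true
    else
        echo unknown
    fi
}

# Compare expected listeners against an ss listing passed as $1. Prints one
# OK/MISSING line per expected port and returns 0 only when nothing is missing.
check_listeners() {
    listing="$(printf '%s\n' "$1" | listening_from_ss)"
    report="$(expected_listeners | while read -r unit portproto; do
        if printf '%s\n' "$listing" | grep -qx "$portproto"; then
            echo "OK      $unit $portproto"
        else
            echo "MISSING $unit $portproto"
        fi
    done)"
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISSING'
}

# Live run on this host. Usage: sh server_check.sh --live
if [ "${1:-}" = "--live" ]; then
    for u in wazuh-manager wazuh-indexer wazuh-dashboard; do
        echo "$u: $(unit_state "$u")"
    done
    check_listeners "$(ss -lntuH)"
fi
```

A MISSING line for 1515/tcp or 1514 is the server-side twin of the "agent never goes green" problem later in this post: if the manager is not listening, no firewall rule on the agent side will help.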
Post-Server Setup: Unlock the Dashboard
- Navigate to http://your-server-ip:5601.
- Log in with admin/admin (change this immediately under Settings > Users).
- Boom! You’ll see the Wazuh dashboard. Now, let’s add agents.
Adding Agents: Windows, Linux, Whatever
Agents are the minions that report back to your Wazuh server. Here’s how to deploy them without losing your sanity.
Linux Agents (Debian/RPM-Based)
Step 1: Install the Agent
Replace MANAGER_IP with your Wazuh server’s IP.
For Debian/Ubuntu:
```bash
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
# WAZUH_MANAGER is read by the package scripts and written into ossec.conf
sudo WAZUH_MANAGER='MANAGER_IP' dpkg -i ./wazuh-agent.deb
```
For CentOS/RHEL:
```bash
sudo yum install wazuh-agent
# A fresh install ships with a placeholder in <address>; point it at your server
# (MANAGER_IP here is your server's IP, as everywhere in this post)
sudo sed -i 's#<address>.*</address>#<address>MANAGER_IP</address>#' /var/ossec/etc/ossec.conf
```
Step 2: Start the Agent & Enroll It
```bash
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
Pro Tip: Use agent-auth, the agent enrollment tool, to register the agent with your Wazuh server in one shot:
```bash
# Run on the agent host: requests a key from the manager over 1515/tcp and writes it to the agent's client.keys
sudo /var/ossec/bin/agent-auth -m MANAGER_IP -A "My_Linux_Agent"
# Restart so the agent picks up the new key
sudo systemctl restart wazuh-agent
```
Windows Agents (No PowerShell PTSD, Promise)
Step 1: Download the Windows Agent
Grab the installer from:
https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi
Step 2: Install the Agent
- Run the .msi file.
- In the installer, set Manager address to your Wazuh server’s IP.
- Check “Start service after installation”.
Silent Install (For Automation Nerds):
```cmd
:: Use double quotes: cmd passes single quotes through literally, so they would end up inside the manager address
msiexec.exe /i wazuh-agent-4.7.0-1.msi /qn WAZUH_MANAGER="MANAGER_IP" WAZUH_REGISTRATION_SERVER="MANAGER_IP"
```
Step 3: Enroll the Agent
- Open Command Prompt as Admin.
- Navigate to C:\Program Files (x86)\ossec-agent\.
- Enroll with:
```cmd
agent-auth.exe -m MANAGER_IP -A "My_Windows_Agent"
:: Restart the service so it reads the new key
net stop WazuhSvc && net start WazuhSvc
```
Verify Agents in the Dashboard
- Go to the Wazuh dashboard > Agents.
- Look for your agents with a green ✅ status.
- No green? Check:
  - Firewalls blocking ports 1514/udp and 1515/tcp.
  - The agent’s ossec.conf has the correct manager IP.
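Those two checks are exactly what you end up doing by hand at 2 a.m., so here they are scripted. This is an added example, not code from the original post or from Wazuh: it pulls the manager address and protocol out of the agent's ossec.conf, flags the unedited MANAGER_IP placeholder, and probes 1515/tcp (and 1514 when the agent talks TCP). The sample ossec.conf it writes is constructed to look like a fresh rpm install and is an assumption; `nc`/bash are only needed for the live port probe.

```shell
#!/bin/sh
# Added example, not from the original post: offline-friendly checks for an agent
# that never turns green. Run it on the agent host against its ossec.conf.

# First <address> inside the <client> block of an ossec.conf.
manager_address_from_conf() {
    sed -n '/<client>/,/<\/client>/p' "$1" \
      | sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' \
      | head -n 1
}

# <protocol> inside the <client> block; if absent, the post's 1514/udp is assumed.
manager_protocol_from_conf() {
    p="$(sed -n '/<client>/,/<\/client>/p' "$1" \
          | sed -n 's/.*<protocol>\([^<]*\)<\/protocol>.*/\1/p' | head -n 1)"
    echo "${p:-udp}"
}

# 0 when the address is a real host, 1 when empty or still the post's MANAGER_IP placeholder.
address_is_set() {
    case "$1" in
        ""|MANAGER_IP) return 1 ;;
        *) return 0 ;;
    esac
}

# TCP reachability of host $1 port $2: prints open, closed, or unknown (no nc and no bash here).
tcp_port_state() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1 && echo open || echo closed
    elif command -v bash >/dev/null 2>&1; then
        bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1 && echo open || echo closed
    else
        echo unknown
    fi
}

# Constructed sample: the <client> block a fresh rpm agent install ships with (assumed), unedited.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>
EOF
}

# The post's checklist in order: placeholder still in the config? then are the ports reachable?
agent_checklist() {
    addr="$(manager_address_from_conf "$1")"
    proto="$(manager_protocol_from_conf "$1")"
    if ! address_is_set "$addr"; then
        echo "FAIL: manager address in $1 is '${addr:-empty}'; set <address> and restart wazuh-agent"
        return 1
    fi
    echo "manager: $addr (agent traffic over 1514/$proto)"
    echo "1515/tcp enrollment: $(tcp_port_state "$addr" 1515)"
    if [ "$proto" = "tcp" ]; then
        echo "1514/tcp agent traffic: $(tcp_port_state "$addr" 1514)"
    else
        echo "1514/udp agent traffic: cannot be probed without sending data; check firewall rules on both ends"
    fi
}

# Usage: sh agent_checks.sh /var/ossec/etc/ossec.conf
if [ -n "${1:-}" ]; then
    agent_checklist "$1"
fi
```

A FAIL on the address is the single most common cause of a grey agent after an rpm install, since nothing rewrites `<address>` for you unless you passed WAZUH_MANAGER at install time.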
Why Wazuh Agents Rule
- Cross-platform: Monitor Windows, Linux, macOS, AWS, Azure… even your smart fridge if it’s sketchy.
- Real-time alerts: Get notified about brute-force attacks, malware, or someone deleting C:\Windows\System32 (RIP).
- Compliance checks: Automatically audit CIS benchmarks or GDPR rules.
Pro Tips to Avoid Disaster
- Tag agents by purpose: Use names like “web-server” or “accounting-laptop” in the dashboard.
- Automate deployments: Use Ansible, Puppet, or PowerShell to roll out agents at scale.
- Monitor agent health: Set up alerts for agents going offline. Trust me, they will go offline.
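Here is what "set up alerts for agents going offline" can look like as a cron job. This is an added example, not code from the original post or from Wazuh: it uses the Wazuh 4.x REST API on port 55000 (the authenticate endpoint and the `/agents?status=` filter are the documented API) and parses the response with sed/awk so it also runs on a minimal host without jq. The JSON layout it parses is what 4.x returns and is treated as an assumption, as are the MANAGER_IP placeholder and the credentials, which you take from wazuh-passwords.txt. The constructed sample response lets you exercise it offline.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-friendly check that lists
# agents the manager reports as disconnected, via the Wazuh 4.x REST API.
# MANAGER_IP and the credentials are placeholders, as in the post.

API="${WAZUH_API:-https://MANAGER_IP:55000}"
API_USER="${WAZUH_API_USER:-wazuh}"
API_PASS="${WAZUH_API_PASS:-CHANGE_ME}"   # placeholder; take it from wazuh-passwords.txt

# Obtain a JWT; ?raw=true makes the API return the bare token.
# -k accepts the default self-signed cert; use --cacert with your CA in production.
api_token() {
    curl -sk -u "$API_USER:$API_PASS" -X POST "$API/security/user/authenticate?raw=true"
}

# Fetch agents with status $2 (active, pending, never_connected, disconnected) using token $1.
agents_by_status() {
    curl -sk -H "Authorization: Bearer $1" \
        "$API/agents?status=$2&select=id,name,lastKeepAlive&limit=500"
}

# --- parsing helpers (assumed 4.x response layout, no jq dependency) ---

# data.total_affected_items from a response body.
count_affected() {
    printf '%s' "$1" | sed -n 's/.*"total_affected_items":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Value of string field $2 in the JSON object $1.
json_str() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# One "id name lastKeepAlive" line per object in data.affected_items.
# Splitting records on "}" isolates each agent object; only those carry an "id" key.
agent_lines() {
    printf '%s' "$1" | awk 'BEGIN { RS = "}" } /"id":/ { print }' \
      | while read -r obj; do
            echo "$(json_str "$obj" id) $(json_str "$obj" name) $(json_str "$obj" lastKeepAlive)"
        done
}

# Print disconnected agents and return 1 when there are any, so cron (or whatever
# wraps this) can turn the non-zero exit and the output into an alert.
report_disconnected() {
    n="$(count_affected "$1")"
    if [ "${n:-0}" -eq 0 ]; then
        echo "all agents reporting"
        return 0
    fi
    echo "$n agent(s) disconnected:"
    agent_lines "$1"
    return 1
}

# Constructed sample body in the shape of GET /agents?status=disconnected (assumed 4.x layout).
SAMPLE_RESPONSE='{"data":{"affected_items":[{"id":"003","name":"accounting-laptop","lastKeepAlive":"2024-05-01T09:12:44Z"},{"id":"007","name":"web-server","lastKeepAlive":"2024-04-30T23:58:01Z"}],"total_affected_items":2,"total_failed_items":0,"failed_items":[]},"message":"All selected agents information was returned","error":0}'

# Usage: WAZUH_API_PASS=... sh agent_health.sh --live   |   sh agent_health.sh --sample
case "${1:-}" in
    --live)   report_disconnected "$(agents_by_status "$(api_token)" disconnected)" ;;
    --sample) report_disconnected "$SAMPLE_RESPONSE" ;;
esac
```

Wire `--live` into cron every few minutes and pipe the output to your Slack or mail hook on non-zero exit; the `lastKeepAlive` column tells you at a glance whether a box dropped off just now or has been dark for a week.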
Final Thoughts: Go Hunt Some Threats!
And just like that, you’ve got a Wazuh server and agents sniffing out threats across your network. Was it smoother than that time Windows Update didn’t break everything? Maybe.
Now, go explore the Security Events tab, set up a Slack alert for failed logins, and bask in the glory of actually knowing what’s happening on your network. 😎
Need help? The Wazuh Discord is full of folks who’ve cried over YAML configs—just like you. Happy monitoring! 🚨
Shortcut Install
Download and run the Wazuh installation assistant:
```bash
curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```
Once the assistant finishes, the output shows the access credentials and a message confirming that the installation succeeded:
```text
INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
    User: admin
    Password: <ADMIN_PASSWORD>
INFO: Installation finished.
```
Note: the passwords for all the Wazuh indexer and Wazuh API users are in the wazuh-passwords.txt file inside wazuh-install-files.tar. To print them, run:
```bash
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
```