
Setting up the Wazuh agent on Rocky Linux 8 is a straightforward process crucial for extending your security monitoring capabilities. The agent acts as an endpoint security sensor, collecting data like logs, file integrity changes, and security alerts directly from the Rocky Linux system and forwarding them to your central Wazuh server for analysis.
This guide will walk you through the necessary steps to get the agent up and running smoothly on your Rocky Linux 8 environment.
Prerequisites
Before you begin, ensure you have:
- A functioning Wazuh server (either a single-node or multi-node cluster).
- The IP address or hostname of your Wazuh server.
- Root privileges or the ability to use sudo on the Rocky Linux 8 system where you will install the agent.
- Internet connectivity on the Rocky Linux system to download the agent package.
Installation Steps
Follow these steps carefully to install and configure the Wazuh agent:
Step 1: Import the Wazuh Repository GPG Key
First, you need to import the official Wazuh GPG key. This key is used to verify the authenticity and integrity of the packages you will download from the Wazuh repository.
Open a terminal on your Rocky Linux 8 system and run the following command:
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
This command downloads the key and adds it to your system’s list of trusted keys for package management.
Step 2: Add the Wazuh Agent Repository
Next, you need to add the Wazuh agent repository to your system’s repository list. This tells your package manager (dnf or yum) where to find the Wazuh agent package.
Create a new repository file using your preferred text editor (like vi or nano). We’ll use nano in this example:
sudo nano /etc/yum.repos.d/wazuh.repo
Paste the following configuration into the file:
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
type=rpm
Save the file and exit the editor (Ctrl + X, then Y, then Enter for nano). This configuration points to the Wazuh repository for version 4.x packages and uses the GPG key imported earlier to verify them.
Step 3: Install the Wazuh Agent Package
Now that the repository is added, you can install the Wazuh agent package using dnf (or yum on older systems, though dnf is preferred on Rocky Linux 8).
Update your package lists and install the agent by running:
sudo dnf update
sudo dnf install wazuh-agent
Confirm the installation when prompted by typing y and pressing Enter. The package manager will download the agent and its dependencies and install them on your system.
Step 4: Configure the Agent to Connect to the Server
After installation, you must configure the agent to know which Wazuh server it should connect to. Edit the agent’s main configuration file:
sudo nano /var/ossec/etc/ossec.conf
Inside this file, find the <client> section. You need to modify the <server> tag to include the IP address or hostname of your Wazuh manager.
Look for a line similar to this:
<server>
<address>MANAGER_IP</address>
<port>1514</port>
<protocol>udp</protocol>
</server>
Replace MANAGER_IP with the actual IP address or hostname of your Wazuh server. If your server uses a different port or protocol, adjust those values accordingly, but the default 1514 and udp are common.
Save the changes and exit the editor.
Step 5: Enable and Start the Wazuh Agent Service
With the agent installed and configured, you can now enable and start the service. Enabling ensures the agent starts automatically every time the system boots.
Run these commands to manage the service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
The daemon-reload command reloads the systemd manager configuration, recognizing the new service file. enable creates the necessary symlinks for autostart, and start begins the agent process.
Step 6: Verify Agent Status and Connection
Finally, verify that the agent is running and successfully connecting to your Wazuh server.
Check the agent’s service status:
sudo systemctl status wazuh-agent
You should see output indicating the service is active (running).
To further verify the connection and communication, you can check the agent’s logs:
sudo tail /var/ossec/logs/ossec.log
Look for lines indicating a successful connection to the manager. You might see messages about agent key exchange or successful registration.
You can also check your Wazuh server’s web interface. After a short time, the newly installed Rocky Linux agent should appear in the list of agents.
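As an added example (not part of the original guide or of Wazuh itself), the shell functions below audit the two files edited in Steps 2 and 4: they confirm that the repository definition still enforces GPG signature checks over HTTPS, and that the MANAGER_IP placeholder in ossec.conf has been replaced. The function names are hypothetical, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example: audit the two files this guide edits (helper names are hypothetical).

# repo_value FILE KEY: print KEY's value from the [wazuh_repo] section.
repo_value() {
    awk -F= -v key="$2" '
        /^\[/ { in_sec = ($0 == "[wazuh_repo]") }
        in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# check_repo FILE: succeed only if packages are signature-checked and fetched over HTTPS.
check_repo() {
    [ "$(repo_value "$1" gpgcheck)" = "1" ] || { echo "gpgcheck is not 1"; return 1; }
    for key in gpgkey baseurl; do
        case "$(repo_value "$1" "$key")" in
            https://*) ;;
            *) echo "$key is not an https URL"; return 1 ;;
        esac
    done
}

# server_field FILE TAG: text of <TAG> inside the first <server> block.
# Assumes one tag per line, as in the stock ossec.conf; XML comments are not handled.
server_field() {
    sed -n '/<server>/,/<\/server>/p' "$1" |
        sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" | head -n 1
}

# check_manager FILE: fail while the MANAGER_IP placeholder is still in place,
# otherwise print address:port/protocol.
check_manager() {
    addr=$(server_field "$1" address)
    if [ -z "$addr" ] || [ "$addr" = "MANAGER_IP" ]; then
        echo "manager address not set"; return 1
    fi
    echo "$addr:$(server_field "$1" port)/$(server_field "$1" protocol)"
}

# Constructed sample: the <server> block with the placeholder left untouched.
sample=$(mktemp)
printf '<server>\n<address>MANAGER_IP</address>\n<port>1514</port>\n<protocol>udp</protocol>\n</server>\n' > "$sample"
check_manager "$sample" || echo "-> set the manager address before starting the agent"
rm -f "$sample"
```

On the host, call check_repo /etc/yum.repos.d/wazuh.repo and check_manager /var/ossec/etc/ossec.conf, the latter with enough privileges to read the file.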
Conclusion
You have successfully installed and configured the Wazuh agent on your Rocky Linux 8 system. The agent is now actively monitoring the endpoint and sending security data to your Wazuh server for analysis and alerting. This is a fundamental step in enhancing the security posture of your Rocky Linux environment. Remember to manage your agents centrally via the Wazuh dashboard for updates and configuration changes.
Source: https://kifarunix.com/install-wazuh-agent-on-rocky-linux-8/