Skip to content

Agent installation

Installers are downloaded from the Sources & Integrations > Agents menu. Each agent is automatically preconfigured to connect to the currently logged account with no manual configuration required.

Agent installer can be global (in case of a typical deployment) or per-group (in case of an MSSP setup).

Full installation documentation from Wazuh can be found here.

After installation the agent is automatically enrolled and starts sending events immediately.

Windows installation

After you download the agent package, either run the self-exctracting exe or unzip the archive. Then run the install-agent.bat file.

Linux and MacOS installation

The Linux and MacOS downloads are simple shell scripts that you should copy to the target machine and then execute:

> sudo chmod +x install-agent.sh
> sudo ./install-agent.sh

Firewall restrictions

In order for an agenet to work, it needs to first register with the LogSentinel SIEM server and then to be allowed to send data. These two activities happen on two different ports, which must be allowed through firewalls:

  • Registration: ossec.logsentinel.com:2512
  • Logging: ossec.logsentinel.com:2513

Note that for on-premise installations these ports are configurable and may change.

Changing hostname

In case the hostname of an endpoint changes and you need to register it with the new name, open PowerShell as administrator and run the following command (where the organizationId or groupId can be taken from API credentials):

PS C:\Program Files (x86)\ossec-agent> .\agent-auth.exe -m ossec.logsentinel.com -p 2512 -P <organizationId|groupId>

For Linux and MacOS the command is the same, using the /var/ossec/bin/agent-auth