Hello friends, and welcome back to another article. In this one we are going to look at how to install the Wazuh agent on Windows systems. The installation process is pretty straightforward.
If you haven't yet read about what Wazuh is and what features you get with it, read these articles too:
- TOP 5 Open-Source SIEM Solutions
- How to Setup Wazuh Open Source SIEM Virtual Machine
- Wazuh Open Source SIEM Overview
They will give you a better understanding of what Wazuh is and how you can use it in your environment.
There are two different methods that can be used to install the Wazuh agent on your system: one is to build it from source, compiling it on your system and then installing the resulting package, and the other is to use the pre-built package provided by Wazuh.
Using the pre-built package is the way to go, as you don't need to set up all the tools required to compile the package in the first place.
One thing to note is that, because the agent collects all the system logs and sends them to the Wazuh server, it needs to run with administrator privileges, so make sure you are logged in as an administrator before installing the agent on the system.
Install Wazuh Agent on Windows:
The first step to install the Wazuh agent on a Windows machine is to download the Windows installer from the packages list. Once this is downloaded, you can install it using the command line or following the GUI steps:
Using the command line, you can choose between a plain installation and a deployment that also registers and configures the agent through variables:
To install the Windows agent from the command line, run the installer with the /q argument, which selects an unattended installation.
You can automate the agent registration and configuration using variables. At a minimum you need to define the manager address and the registration (Authd) server; in the table below these are WAZUH_MANAGER and WAZUH_REGISTRATION_SERVER (older releases called them ADDRESS and AUTHD_SERVER). The agent uses those values to register and to pick the Wazuh manager it forwards events to.
This is really helpful when you are deploying agents on a lot of systems: you just provide the IP address of the Wazuh server and the agent automatically sends a registration request to it. If you follow the GUI installation instead, you will need to go to the manager, register the agent manually through the Wazuh API, and copy the resulting authentication key into the agent so it can connect.
From Command Prompt:
wazuh-agent-3.12.2-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2"
From PowerShell (the .\ prefix is required to run a file from the current directory):
.\wazuh-agent-3.12.2-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2"
Deployment variables for Windows
For an agent to be fully deployed and connected to the Wazuh server it needs to be installed, registered and configured. To make the process simple, the installers can use variables that allow the configuration provisioning.
Below you can find a table describing the variables used by Wazuh installers on Windows, and a few examples on how to use them.
| Variable | Description |
| --- | --- |
| APPLICATIONFOLDER | Sets the installation path. Default: C:\Program Files (x86)\ossec-agent. |
| WAZUH_MANAGER | Specifies the manager's IP address or hostname. This option also accepts a list of IPs or hostnames separated by semicolons. |
| WAZUH_MANAGER_PORT | Specifies the manager's connection port. |
| WAZUH_PROTOCOL | Sets the communication protocol between the manager and the agent. Accepts UDP and TCP. Default is UDP. |
| WAZUH_REGISTRATION_SERVER | Specifies the Authd IP address. |
| WAZUH_REGISTRATION_PORT | Specifies the Authd connection port. |
| WAZUH_REGISTRATION_PASSWORD | Sets the Authd password. |
| WAZUH_KEEP_ALIVE_INTERVAL | Sets the time between manager checks. |
| WAZUH_TIME_RECONNECT | Sets the time in seconds until a reconnection attempt. |
| WAZUH_REGISTRATION_CA | Specifies the path of the certificate authority (CA) certificate. |
| WAZUH_REGISTRATION_CERTIFICATE | Specifies the certificate path. |
| WAZUH_REGISTRATION_KEY | Specifies the key path. |
| WAZUH_AGENT_NAME | Designates the agent's name. By default it will be the computer name. |
| WAZUH_AGENT_GROUP | Assigns the agent to one or more existing groups (separated by commas). |
| /l installer.log | Generates a log of the installation process. |
| /l*v installer.log | Generates a log of the installation process, including verbose messages. |
Below there are some examples to install and register a Windows agent.
Registration with a password:
wazuh-agent-3.12.2-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" WAZUH_AGENT_NAME="W2012"
Registration with a password and assigning a group:
wazuh-agent-3.12.2-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" WAZUH_AGENT_GROUP="my-group"
Wazuh agents can use either of two protocols, TCP or UDP, to communicate with the Wazuh server, so you can also specify the protocol the agent must use:
Registration with protocol:
wazuh-agent-3.12.2-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="W2016" WAZUH_PROTOCOL="TCP"
Wazuh Deployment Script:
I have also written a PowerShell script that you can use to install the agents on your systems. Because the installer uses deployment variables to simplify the deployment steps, the script can deploy the agents across your Active Directory environment easily.
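The author's script is not included on this page, so below is an added example of such a PowerShell deployment script; it is neither the author's script nor Wazuh's own code. It wraps the msiexec command and deployment variables from the table above, and adds the checks a defender wants before and after an unattended install: an administrator-privilege check, an optional SHA256 check of the downloaded MSI, a verbose installer log, and verification that the agent service is running and that a registration key was written. Assumptions not taken from the page: the installer path, the service name OssecSvc, the client.keys file name, the group name, and the placeholder hash and password values.

```powershell
#Requires -RunAsAdministrator
# Added example (not the author's script, not Wazuh's code): unattended Wazuh agent
# deployment on Windows with deployment variables, plus pre- and post-install checks.
# Assumed values (placeholders, replace them): installer path, manager IP, password,
# expected SHA256, agent group, and the service name "OssecSvc".
param(
    [string]$InstallerPath        = "C:\Temp\wazuh-agent-3.12.2-1.msi",
    [string]$Manager              = "10.0.0.2",
    [string]$RegistrationServer   = "10.0.0.2",
    [string]$RegistrationPassword = "TopSecret",   # placeholder; load from a vault in production
    [string]$AgentGroup           = "windows",     # must already exist on the manager
    [string]$ExpectedSha256       = "",            # hash published with the package; "" skips the check
    [string]$LogPath              = "C:\Temp\wazuh-agent-install.log"
)

$ErrorActionPreference = "Stop"
$serviceName = "OssecSvc"   # assumed Windows service name of the Wazuh agent
$agentDir    = "${env:ProgramFiles(x86)}\ossec-agent"

# 1. Pre-install checks: the MSI must exist and, if a hash was supplied, match it,
#    so a corrupted or tampered installer is never executed.
if (-not (Test-Path -Path $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}
if ($ExpectedSha256) {
    $actualHash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    if ($actualHash -ne $ExpectedSha256.ToUpper()) {
        throw "Installer hash mismatch: expected $ExpectedSha256, got $actualHash"
    }
}

# 2. Make the script idempotent: skip the install when the service already exists,
#    so it can be re-run safely across many machines.
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($service) {
    Write-Host "Wazuh agent already installed (service $serviceName is $($service.Status))."
} else {
    # Deployment variables from the table above. Note that the registration password
    # is visible in the process command line and may be recorded in the verbose log,
    # so restrict access to $LogPath and rotate the Authd password after rollout.
    $arguments = @(
        "/i", "`"$InstallerPath`"",
        "/q",
        "/l*v", "`"$LogPath`"",
        "WAZUH_MANAGER=`"$Manager`"",
        "WAZUH_REGISTRATION_SERVER=`"$RegistrationServer`"",
        "WAZUH_REGISTRATION_PASSWORD=`"$RegistrationPassword`"",
        "WAZUH_AGENT_NAME=`"$env:COMPUTERNAME`"",
        "WAZUH_AGENT_GROUP=`"$AgentGroup`"",
        "WAZUH_PROTOCOL=`"TCP`""
    )
    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $arguments -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
    }
}

# 3. Post-install verification: the service must be running and a registration key
#    must have been written, otherwise the agent will never report to the manager.
Start-Service -Name $serviceName -ErrorAction SilentlyContinue
$service = Get-Service -Name $serviceName
if ($service.Status -ne "Running") {
    throw "Wazuh agent service is not running (status: $($service.Status))"
}
$keysFile = Join-Path -Path $agentDir -ChildPath "client.keys"
if ((Test-Path -Path $keysFile) -and (Get-Item -Path $keysFile).Length -gt 0) {
    Write-Host "Agent registered: $keysFile is populated."
} else {
    Write-Warning "client.keys is missing or empty; check the registration variables and $agentDir\ossec.log"
}
```

Run it from an elevated PowerShell prompt, for example `.\Deploy-WazuhAgent.ps1 -Manager 10.0.0.2 -ExpectedSha256 <hash from the packages page>`. For an Active Directory rollout the same script can be pushed as a startup script or through your software deployment tool; the idempotency check in step 2 is what makes repeated runs harmless.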
Using the GUI:
To install the Windows agent from the GUI, run the downloaded file and follow the steps in the installation wizard. If you are not sure how to respond to some of the prompts, simply use the default answers.
Once installed, the agent uses a graphical user interface for configuration, opening the log file or starting and stopping the service.
By default, all agent files will be found in:
C:\Program Files (x86)\ossec-agent.
Now that the agent is installed, the next step is to register and configure it to communicate with the manager. For more information about this process, please see the Wazuh user manual.
To uninstall the agent, the original MSI file will be needed to perform the unattended process:
msiexec.exe /x wazuh-agent-3.12.2-1.msi /qn