User:MrHacker/Wazuh-agent

From ArchWiki

Wazuh agent

Wazuh agent is a component of the Wazuh security and monitoring platform, providing intrusion detection, configuration assessment, vulnerability analysis, and active response. This package installs the client agent that connects an Arch Linux system to a Wazuh manager or cluster.

Description

The agent collects system information, monitors file integrity, detects misconfigurations, and sends events to the Wazuh server. It integrates with systemd and stores its configuration in /var/ossec/etc/ossec.conf.

Installation

The package is available in the Arch User Repository (AUR) as wazuh-agent.

bash
git clone https://aur.archlinux.org/wazuh-agent.git
cd wazuh-agent
makepkg -si

Alternatively, use an AUR helper such as yay:

bash
yay -S wazuh-agent

Runtime dependencies

Optional:

Configuration

The main configuration file is located at /var/ossec/etc/ossec.conf.

Example minimal configuration to connect to a Wazuh server:

/var/ossec/etc/ossec.conf
<client>
  <server>
    <address>WAZUH_SERVER_IP_OR_HOSTNAME</address>
  </server>
</client>

For detailed agent enrollment procedures, refer to the official Wazuh documentation.

Service management

The agent installs a systemd service named wazuh-agent.

To enable and start the service:

bash
sudo systemctl enable --now wazuh-agent

To verify the status:

bash
systemctl status wazuh-agent

To stop or restart:

bash
sudo systemctl stop wazuh-agent
sudo systemctl restart wazuh-agent

Maintenance

  • Ensure compatibility between the agent and the Wazuh manager versions.
  • Check /var/ossec/logs/ossec.log for runtime errors.
  • The service runs as the wazuh:wazuh user and group. Fix permission issues with:
bash
sudo chown -R wazuh:wazuh /var/ossec
  • If installation errors occur, confirm that the wazuh user was created with the --system flag.

Upgrading

To update the agent via an AUR helper:

bash
yay -Syu wazuh-agent

Or manually:

bash
cd ~/wazuh-agent
git pull
makepkg -si

Known issues

  • **User not created correctly:** recreate the wazuh user as a system account if its UID is above 1000.
  • **Incorrect permissions on /var/ossec:** may prevent service startup.
  • **Unnecessary dependencies:** some are inherited from the upstream RPM and are subject to review in future PKGBUILD revisions.
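
The checks from Maintenance and Known issues can be run read-only before changing ownership or recreating the user. The script below is an added example, not part of the AUR package or the original page. Its function names are hypothetical, it assumes regular accounts start at UID 1000, and it treats the placeholder from the Configuration section as "not configured".

```shell
#!/bin/sh
# Added example: read-only preflight for the issues this page lists.
# Defaults are the page's paths; extra arguments allow offline testing.

# Print USER's UID from a passwd-format file; non-zero if USER is absent.
passwd_uid() {  # passwd_uid USER [PASSWD_FILE]
    awk -F: -v u="$1" '$1 == u { print $3; found = 1 }
                       END { exit !found }' "${2:-/etc/passwd}"
}

# Succeed if USER exists with a UID below UID_MIN (assumed 1000 here;
# returns 2 when the user does not exist at all).
is_system_account() {  # is_system_account USER [PASSWD_FILE] [UID_MIN]
    _uid=$(passwd_uid "$1" "${2:-/etc/passwd}") || return 2
    [ "$_uid" -lt "${3:-1000}" ]
}

# Print the first <address> value found in ossec.conf.
server_address() {  # server_address [CONF]
    sed -n 's:.*<address>\([^<]*\)</address>.*:\1:p' \
        "${1:-/var/ossec/etc/ossec.conf}" | head -n 1
}

# Succeed if an address is set and is not the page's placeholder.
address_configured() {  # address_configured [CONF]
    _addr=$(server_address "$1")
    [ -n "$_addr" ] && [ "$_addr" != "WAZUH_SERVER_IP_OR_HOSTNAME" ]
}

# List paths under DIR whose owner or group differs from OWNER:GROUP.
foreign_owned() {  # foreign_owned DIR OWNER GROUP
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Run every check against the live system (as root, so /var/ossec is readable).
preflight() {
    _rc=0
    is_system_account wazuh || { echo "wazuh: missing or UID >= 1000"; _rc=1; }
    address_configured || { echo "ossec.conf: manager address not set"; _rc=1; }
    _bad=$(foreign_owned /var/ossec wazuh wazuh 2>&1 | head -n 5)
    [ -z "$_bad" ] || { echo "not wazuh:wazuh under /var/ossec:"; echo "$_bad"; _rc=1; }
    return "$_rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run as root; it only reads and reports, so the output shows which paths differ before a recursive chown is applied.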

See also


Note: Editors should follow the guidelines in ArchWiki:Contributing and Help:Style before performing major edits or restructuring the article.