Installing Wazuh agents on Windows endpoints

Getting Started

The agent runs on the endpoint you want to monitor and communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel. Monitor your Windows systems with Wazuh, from Windows XP to the latest available versions including Windows 11 and Windows Server 2022.

Note

To perform the installation, administrator privileges are required.

  • To start the installation process, download the Windows installer.

  • Select the installation method you want to follow: command line interface (CLI) or graphical user interface (GUI).

GUI

To install the Wazuh agent on your system, run the Windows installer and follow the steps in the installation wizard. If you are not sure how to answer some of the prompts, use the default answers. Once installed, the agent uses a GUI for configuration, opening the log file, and starting or stopping the service.

The installation process is now complete, and the Wazuh agent is successfully installed on your Windows endpoint. The next step is to register and configure the agent to communicate with the Wazuh server. To perform this action, see the Wazuh agent enrollment section.

By default, all agent files are stored in C:\Program Files (x86)\ossec-agent after the installation.

Uninstall a Wazuh agent

To uninstall the agent, the original Windows installer file is required to perform the unattended process:

msiexec.exe /x wazuh-agent-4.5.2-1.msi /qn

The Wazuh agent is now completely removed from your Windows endpoint.

Wazuh agent enrollment

Agent enrollment is the process of registering Wazuh agents as authorized members of the Wazuh solution. Agent enrollment allows:

  • The Wazuh manager to register agents and generate unique keys for them.

  • The use of the key to encrypt communication between the agent and the manager.

  • Validation of the identity of the agents communicating with the manager.

Please note that, when following our Installation guide, it is recommended to use environment variables to automatically configure the Wazuh agent. This allows the agent to enroll and connect to the Wazuh manager. This documentation provides additional information on the different enrollment options.

Enrollment methods

There are two options for enrolling agents with the Wazuh manager.

  1. Enrollment via agent configuration: Once the IP address of the manager has been set, the agent will be able to automatically request the key and import it. This is the recommended enrollment method.

Enrollment via agent configuration

In this option, the agent is automatically enrolled after the Wazuh manager IP address has been configured. Please note that, when using Additional security options, other settings might need to be configured.

Using environment variables during the agent installation process

You can deploy a new agent following the instructions in the Wazuh dashboard. Go to Wazuh > Agents, and click on Deploy new agent.

Then the Wazuh dashboard will show you the steps to deploy a new agent.
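As an added example (not from the Wazuh documentation), the following script performs the unattended install described above and then verifies the result. It assumes the installer named on this page (wazuh-agent-4.5.2-1.msi) is in the current directory, that the MSI accepts the WAZUH_MANAGER and WAZUH_AGENT_NAME properties (taken from the dashboard's deploy command, not from this page), and that the installed Windows service is named WazuhSvc.

```powershell
# Unattended Wazuh agent install with manager address and agent name passed as MSI
# properties, followed by a check that the service runs and that ossec.conf points
# at the intended manager. Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)][string]$ManagerAddress,        # manager IP or DNS name
    [string]$AgentName = $env:COMPUTERNAME,
    [string]$Installer = ".\wazuh-agent-4.5.2-1.msi"      # installer named on this page
)

$installDir = "C:\Program Files (x86)\ossec-agent"        # default install location
$log = Join-Path $env:TEMP "wazuh-agent-install.log"

# /q = no UI, /l*v = verbose log to inspect if the install fails.
# WAZUH_MANAGER / WAZUH_AGENT_NAME are assumed MSI property names (see lead-in).
$msiArgs = "/i `"$Installer`" /q /l*v `"$log`" " +
           "WAZUH_MANAGER=`"$ManagerAddress`" WAZUH_AGENT_NAME=`"$AgentName`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see $log"
}

# The installer registers the service; start it and confirm it stays up.
Start-Service -Name WazuhSvc
$svc = Get-Service -Name WazuhSvc
if ($svc.Status -ne 'Running') {
    throw "WazuhSvc is not running (status: $($svc.Status))"
}

# Confirm the manager address actually landed in the agent configuration.
$conf = Get-Content -Raw -Path (Join-Path $installDir "ossec.conf")
$pattern = "<address>\s*$([regex]::Escape($ManagerAddress))\s*</address>"
if ($conf -notmatch $pattern) {
    throw "ossec.conf does not contain <address>$ManagerAddress</address>"
}
Write-Host "Wazuh agent '$AgentName' installed and configured for manager $ManagerAddress"
```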

  2. Enrollment via manager API: The user requests the key from the manager API and then manually imports it to the agent.

Enrollment via manager API

The Wazuh manager API allows users to make an agent enrollment request to the Wazuh manager. This request returns a unique key for the agent, which must be manually imported to the agent.

How it works

The flow of an agent being enrolled via API is as follows:

  1. The user sends an API request with the manager API credentials to generate an authorization token (a JSON Web Token).

  2. The user sends an API request with the authorization token to the Wazuh manager. This request enrolls the agent and gets the agent key.

  3. On the agent endpoint, the user imports the key to the agent.

  4. The user configures the Wazuh manager IP address on the agent.

  5. The user restarts the agent and then the connection to the manager is established.

Requesting the key

The agent key can be requested from any system that has connectivity with the manager API. It can also be done from the Wazuh web user interface or from a browser by connecting directly to the API service. The default API port is 55000/TCP. The host making the enrollment request must have connectivity to the manager via this port or any other port that the API has been configured to listen on.

From Linux/Unix and macOS

  1. Generate a JWT for authenticating to the manager API by making a curl request. The default manager API credentials are wazuh:wazuh.

TOKEN=$(curl -u <user>:<password> -k -X POST "https://<MANAGER_IP>:55000/security/user/authenticate?raw=true")

Run the command echo $TOKEN to confirm that the token was successfully generated. You should get an output like this:

Output

eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjQzMDExMjQ0LCJleHAiOjE2NDMwMTIxNDQsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.Ad6zOZvx0BEV7K0J6s3pIXAXTWB-zdVfxaX2fotLfZMQkiYPMkwDaQHUFiOInsWJ_7KZV3y2BbhEs9-kBqlJAMvMAD0NDBPhEQ2qBd_iutZ7QWZECd6eYfIP83xGqH9iqS7uMI6fXOKr3w4aFV13Q6qsHSUQ1A-1LgDnnDGGaqF5ITYo
  2. Request the key and agent ID. Replace <agent_name> with the desired agent name.

curl -k -X POST -d '{"name":"<agent_name>"}' "https://<MANAGER_IP>:55000/agents?pretty=true" -H "Content-Type:application/json" -H "Authorization: Bearer $TOKEN"

The output with the key looks like this:

{
    "error": 0,
    "data": {
        "id": "001",
        "key": "MDAxIE5ld0FnZW50IDEwLjAuMC44IDM0MGQ1NjNkODQyNjcxMWIyYzUzZTE1MGIzYjEyYWVlMTU1ODgxMzVhNDE3MWQ1Y2IzZDY4M2Y0YjA0ZWVjYzM="
    }
}

From Windows

The following steps serve as a guide on how to send agent enrollment requests from a Windows system via the Wazuh manager API:

  1. Open PowerShell with administrative privileges. If the manager API is running over HTTPS with a self-signed certificate, define and run the function below first. It makes the current PowerShell session accept any server certificate, so it is only appropriate on a trusted network; if the endpoint already trusts the manager's certificate, skip it.

function Ignore-SelfSignedCerts {
    # Compile a certificate policy whose validation check always succeeds and install
    # it for this session: every .NET web request made from this PowerShell instance
    # will skip server certificate validation until the instance is closed.
    Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class PolicyCert : ICertificatePolicy {
    public PolicyCert() {}
    public bool CheckValidationResult(
        ServicePoint sPoint, X509Certificate cert,
        WebRequest wRequest, int certProb) {
        return true;
    }
}
"@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object PolicyCert
    # Force TLS 1.2 for the session as well.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
}

Ignore-SelfSignedCerts

  • Note that the function above exists only in the PowerShell instance it is executed in.

  2. Generate the JWT. The default manager API credentials are wazuh:wazuh.

    First, encode the credentials as base64 and assign the result to the variable $base64AuthInfo.

$base64AuthInfo=[Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f "<API_username>", "<API_password>")))

Then, make a request for the JWT.

Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method POST -Uri https://<MANAGER_IP>:55000/security/user/authenticate | Select-Object -Expand Content

The output looks like this:

{"data":{"token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjM5NjQ2Nzg0LCJleHAiOjE2Mzk2NDc2ODQsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.ASonc7xinw6u4JUoUlkJ_52FvJz8ECPiI3ObDr-SOO0fWRfWq-uTnA432UnCDK86ypRG5fAY6paQkX3vjrXrvBFvADyCnNNCZ-eNzaUoEq5f38wCfbC1bZhRsz61s2PRRt3YD2rfzRASbSJk140Vx-XP-IDnqlgMgmIyJxb2iU1ZL8R7"}, "error": 0}
  3. Create PowerShell variables to hold the generated token and the agent name.

  • Replace <token_generated> with the token generated in step 2.

$TOKEN = "<token_generated>"

  • Replace <agent_name> with the desired agent name.

$AgentName = @{"name"="<agent_name>"} | ConvertTo-Json

  • These variables are used in the subsequent requests made to the manager.

  4. To request the key and agent ID, make a web request using the variables just created. Replace <MANAGER_IP> with the Wazuh manager IP address or DNS name.

Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Bearer {0}" -f $TOKEN)} -Method POST -ContentType "application/json" -Uri https://<MANAGER_IP>:55000/agents -Body $AgentName

The output should look like this:

StatusCode        : 200
StatusDescription : OK
Content           : {"data": {"id": "020", "key": "MDIwIGFwaS13aW5kb3dzIGFueSA3OTJmZTcwZDJiYzNhYzRiY2ZjOTc0MzAyNGZmMTc0ODA3ZGE5YjJjZjViZGQ4OGI3MjkxMTEzMmEwZGU3OGQ2"},
                    "error": 0}
RawContent        : HTTP/1.1 200 OK
                    Strict-Transport-Security: max-age=63072000; includeSubdomains
                    X-Frame-Options: DENY
                    X-XSS-Protection: 1; mode=block
                    X-Content-Type-Options: nosniff
                    Content-Security-Policy: none...
Forms             : {}
Headers           : {[Strict-Transport-Security, max-age=63072000; includeSubdomains], [X-Frame-Options, DENY], [X-XSS-Protection, 1;
                    mode=block], [X-Content-Type-Options, nosniff]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 158
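As an added example (not from the Wazuh documentation), the script below runs the API enrollment flow from the Linux and Windows sections above as a single PowerShell script and adds two checks worth doing before importing a key: that the JWT has not already expired, and that the returned key actually belongs to the agent id and name in the response. It assumes the default API port 55000, that the JWT is a standard three-part token with an exp claim (as the sample tokens on this page are), and that the key decodes to "<id> <name> <ip> <secret>", which is what this page's sample keys decode to. If the manager uses a self-signed certificate, run it after Ignore-SelfSignedCerts, or better, after importing the manager's CA into the endpoint's trust store.

```powershell
# API enrollment: authenticate, request an agent key, validate token and key.
param(
    [Parameter(Mandatory)][string]$ManagerIp,                # manager IP or DNS name
    [Parameter(Mandatory)][pscredential]$ApiCredential,      # e.g. Get-Credential wazuh
    [Parameter(Mandatory)][string]$AgentName
)

function ConvertFrom-Base64Url([string]$Segment) {
    # JWT segments are base64url without padding: restore the alphabet and re-pad.
    $s = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

$base  = "https://${ManagerIp}:55000"                        # default API port
$plain = $ApiCredential.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String(
    [Text.Encoding]::ASCII.GetBytes("$($ApiCredential.UserName):$plain"))

# Step 1: obtain the JWT (same request as the Invoke-WebRequest call above).
$auth  = Invoke-RestMethod -Method Post -Uri "$base/security/user/authenticate" `
             -Headers @{ Authorization = "Basic $basic" }
$token = $auth.data.token

# The token is short-lived (the sample token on this page is valid for 900 s), so
# refuse to use one that has already expired; 'exp' is a Unix timestamp.
$claims  = ConvertFrom-Base64Url ($token.Split('.')[1]) | ConvertFrom-Json
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
if ($expires -le [DateTime]::UtcNow) { throw "JWT expired at $expires UTC; re-authenticate" }

# Step 2: enroll the agent and receive its id and key.
$resp = Invoke-RestMethod -Method Post -Uri "$base/agents" -ContentType "application/json" `
            -Headers @{ Authorization = "Bearer $token" } `
            -Body (@{ name = $AgentName } | ConvertTo-Json)
if ($resp.error -ne 0) { throw "Enrollment failed: $($resp | ConvertTo-Json -Compress)" }

# The key is base64 of "<id> <name> <ip> <secret>" (assumption, matches this page's samples).
# Confirm id and name match the response before importing the key on the agent.
$fields = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($resp.data.key)).Split(' ')
if ($fields.Count -ne 4 -or $fields[0] -ne $resp.data.id -or $fields[1] -ne $AgentName) {
    throw "Key does not match the enrollment response (id '$($fields[0])', name '$($fields[1])')"
}
Write-Host "Agent '$AgentName' enrolled with id $($resp.data.id); key is ready to import."
```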