How to configure the Wazuh agent and start the services:
About Wazuh:
Wazuh is an open-source security monitoring platform that enables businesses to quickly identify and address security risks and incidents. It was created to offer features for security information and event management (SIEM), intrusion detection, and vulnerability detection.
Step 1: Log in to the Wazuh server. (Refer to the URL below to set up the Wazuh server on a Linux machine.)
https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
Step 2: Once signed in, click Deploy Agent, choose the OS, and provide the agent name.
Step 3: Enter the server address (192.168.xx.x).
Step 4: In the optional settings, enter the agent name you want to see in the Wazuh dashboard (here, PC0001).
Step 5: Once you have provided this information, use the PowerShell command below to install and enroll the Wazuh agent.
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.4.5-1.msi -OutFile ${env:tmp}\wazuh-agent.msi; msiexec.exe /i ${env:tmp}\wazuh-agent.msi /q WAZUH_MANAGER='192.168.xxx.xx' WAZUH_REGISTRATION_SERVER='192.168.xxx.xx' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='PC0001'
Step 6: Paste and execute this command in a PowerShell window running as administrator.
Step 7: Start the Wazuh service with:
NET START WazuhSvc
Step 8: Restart the PC and refresh the Wazuh server dashboard. The PC0001 agent should now be listed.
Step 9: If it is not, open C:\Program Files (x86)\ossec-agent\win32ui.exe to see whether the agent is running or stopped.
If it is stopped, check whether the authentication key is empty. If it is, import the key with the PowerShell command below.
& 'C:\Program Files (x86)\ossec-agent\agent-auth.exe' -m 192.168.xx.x
This command imports the key. Replace 192.168.xx.x with the Wazuh server IP.
Step 10: To enable the service, click Manage and then Start.
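Steps 5 to 9 as one script, with a signature check on the installer before it runs. This is an added example, not part of the original guide. It assumes the default key file is client.keys in the agent directory and that agent-auth.exe accepts -A for the agent name; the server address is the same placeholder used above.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.
$Manager   = '192.168.xx.x'   # placeholder from Step 3: set to your Wazuh server address
$AgentName = 'PC0001'         # agent name from Step 4
$Msi       = Join-Path $env:TEMP 'wazuh-agent.msi'
$AgentDir  = 'C:\Program Files (x86)\ossec-agent'
$KeyFile   = Join-Path $AgentDir 'client.keys'   # assumption: default key file location

# 1. Download, then refuse to install unless the Authenticode signature validates.
Invoke-WebRequest -Uri 'https://packages.wazuh.com/4.x/windows/wazuh-agent-4.4.5-1.msi' -OutFile $Msi
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; not installing."
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"   # confirm this is the expected publisher

# 2. Silent install with the same properties as Step 5, waiting for msiexec to finish.
$msiArgs = @('/i', "`"$Msi`"", '/q',
    "WAZUH_MANAGER=$Manager", "WAZUH_REGISTRATION_SERVER=$Manager",
    'WAZUH_AGENT_GROUP=default', "WAZUH_AGENT_NAME=$AgentName")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# 3. Step 7: start the service and give the agent a moment to enroll.
Start-Service -Name 'WazuhSvc'
Start-Sleep -Seconds 15

# 4. Step 9: a missing or empty key file means the agent is not enrolled; import the key.
$hasKey = (Test-Path $KeyFile) -and ((Get-Item $KeyFile).Length -gt 0)
if (-not $hasKey) {
    & (Join-Path $AgentDir 'agent-auth.exe') -m $Manager -A $AgentName
    if ($LASTEXITCODE -ne 0) { throw "agent-auth.exe failed with exit code $LASTEXITCODE" }
    Restart-Service -Name 'WazuhSvc'
}

# 5. Report the final service state.
Get-Service -Name 'WazuhSvc' | Select-Object Name, Status
```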
Remove the added agent:
Use the following command in the Wazuh server terminal to remove the added agent.
sudo /var/ossec/bin/manage_agents
To delete the Wazuh agent from the server, select the ID of the agent to remove.
Note: If any modifications have been made, make sure to restart the service.
sudo systemctl restart wazuh-manager