Deploying Wazuh Agent on Windows

What is the Wazuh Agent?

The Wazuh agent is a lightweight, multi-platform software component that runs on the endpoints you want to monitor. It communicates with the Wazuh server, sending data in real time through an encrypted and authenticated channel.

It requires 35 MB of RAM on average and is supported on the most popular operating systems.

Wazuh Agent Capabilities

Wazuh agent modules offer various security tasks that can be enabled or disabled based on your needs:

  • Log Collector: Collects OS and application logs, supports multi-line formats, and enriches JSON events
  • Command Execution: Runs authorized commands periodically (e.g., disk space, last logged-in users) and reports output
  • File Integrity Monitoring (FIM): Tracks changes in files (created, deleted, modified) and stores metadata on file state
  • Security Configuration Assessment (SCA): Assesses system configurations based on CIS benchmarks, with customizable checks
  • System Inventory: Scans and collects data on OS, processes, applications, and open ports, stored in local databases
  • Malware Detection: Detects anomalies, rootkits, hidden processes, files, and ports using non-signature-based methods
  • Active Response: Executes automated actions (e.g., block connections, stop processes) when threats are detected
  • Container Security Monitoring: Monitors Docker containers for changes to images, configurations, and privileged modes
  • Cloud Security Monitoring: Monitors cloud environments (AWS, Azure, GCP) for infrastructure changes and collects cloud logs

Prerequisites

Before deploying the Wazuh agent, ensure you have:

  • A running Wazuh server/manager (covered in our previous installation guide)
  • Administrator privileges on the Windows Server 2022 machine
  • Network connectivity between the endpoint and Wazuh server
  • PowerShell 3.0 or greater
  • Ports 1514 and 1515 accessible from the endpoint to the Wazuh server

Deployment Methods

We will deploy the Wazuh Agent on Windows Server 2022 through the Wazuh Dashboard. If you are deploying to a large number of endpoints, it may be easier to use automation tools such as Puppet, Chef, SCCM, or Ansible.

Step-by-Step Deployment Process

Step 1: Access the Wazuh Dashboard

First, open your Wazuh Dashboard and log in. You can access the agent deployment in two ways:

  1. Direct method: Click on “Deploy new agent” from the main dashboard
  2. Menu method: Navigate through the main menu → Agents management → Summary → Deploy new agent

Step 2: Configure Agent Settings

You’ll now see the agent deployment configuration page with several options:

Select the Package

Choose Windows as the operating system and select MSI 32/64 bits as the package type.

Server Address

Enter the IP address of your Wazuh server (in this example: 192.168.132.143).

  • Check “Remember server address” if you want to use this for future deployments

Agent Name (Optional)

You can assign a custom agent name or leave it blank. If left blank, Wazuh will use the hostname as the agent name.

Agent Groups

Select “Default” or create a custom group based on your organizational needs.

Step 3: Copy the Installation Command

After configuring the settings, you’ll see a PowerShell command generated based on your configuration:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.12.0-1.msi -OutFile $env:tmp\wazuh-agent.msi; msiexec.exe /i $env:tmp\wazuh-agent.msi /q WAZUH_MANAGER="192.168.132.143"

Important Requirements:

  • You need administrator privileges to perform this installation
  • PowerShell 3.0 or greater is required
  • Run this command in a Windows PowerShell terminal

Step 4: Execute the Installation

On your Windows Server 2022 machine:

  1. Open PowerShell as Administrator: Search for “PowerShell” in the Start menu, right-click, and select “Run as administrator”
  2. Paste and Execute: Copy the command from the Wazuh dashboard and paste it into the PowerShell window
  3. Wait for Download and Installation: The command will download the Wazuh agent MSI file and install it automatically. This process may take a few minutes.

Step 5: Start the Wazuh Service

After installation, start the Wazuh service using:

NET START WazuhSvc

You should see confirmation that the Wazuh service has started successfully.

Step 6: Verify Agent Registration

Return to the Wazuh Dashboard and navigate to Agents management → Summary. You should now see your Windows Server endpoint listed as an active agent.

The dashboard will show:

  • Agent Status: Active
  • Operating System: Microsoft Windows Server 2022
  • Agent Name: The hostname or custom name you specified
  • IP Address: The endpoint’s IP address
  • Version: Wazuh agent version (4.12.0)
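The same deployment as one unattended script, as an added example that is not part of the original article or of Wazuh's own tooling. It assumes the manager at 192.168.132.143 from the article, a custom group named windows-servers that already exists on the manager, and that the downloaded MSI carries a valid Authenticode signature whose subject contains "Wazuh"; the WAZUH_MANAGER, WAZUH_REGISTRATION_SERVER, WAZUH_AGENT_NAME and WAZUH_AGENT_GROUP properties are Wazuh's documented MSI deployment variables.

```powershell
# Added example: unattended Wazuh agent install on Windows Server 2022 (not the article's command).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Manager    = '192.168.132.143'       # Wazuh server address used in the article
$AgentName  = $env:COMPUTERNAME       # assumption: use the hostname, as the dashboard does when left blank
$AgentGroup = 'windows-servers'       # assumption: this group already exists on the manager
$Version    = '4.12.0-1'
$Uri        = "https://packages.wazuh.com/4.x/windows/wazuh-agent-$Version.msi"
$Msi        = Join-Path $env:TEMP 'wazuh-agent.msi'

# Download over TLS 1.2; Invoke-WebRequest validates the server certificate chain by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $Uri -OutFile $Msi

# Refuse to install anything that is not validly signed, or signed by someone other than the vendor
# (assumption: the signer subject contains "Wazuh"; adjust to the subject you see on a known-good MSI).
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') { throw "Refusing to install: signature status is $($sig.Status)" }
if ($sig.SignerCertificate.Subject -notmatch 'Wazuh') { throw "Unexpected signer: $($sig.SignerCertificate.Subject)" }

# Silent install with a verbose log; the properties map to the dashboard fields (server, name, group).
$installLog = Join-Path $env:TEMP 'wazuh-agent-install.log'
$msiArgs = @(
    '/i', "`"$Msi`"", '/qn',
    "WAZUH_MANAGER=`"$Manager`"",
    "WAZUH_REGISTRATION_SERVER=`"$Manager`"",
    "WAZUH_AGENT_NAME=`"$AgentName`"",
    "WAZUH_AGENT_GROUP=`"$AgentGroup`"",
    '/l*v', "`"$installLog`""
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see $installLog" }

# Start the service (Step 5) and wait until it actually reports Running.
Start-Service -Name WazuhSvc
(Get-Service -Name WazuhSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# Confirm enrolment (Step 6) from the agent side: the agent logs its manager connection to ossec.log.
Start-Sleep -Seconds 10
$log = 'C:\Program Files (x86)\ossec-agent\logs\ossec.log'
Select-String -Path $log -Pattern 'Connected to the server' | Select-Object -Last 1
```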

Verification Steps

To ensure the agent is working correctly:

  1. Check Service Status: Verify the Wazuh service is running:

Get-Service WazuhSvc

  2. Review Agent Logs: Check the agent log file at:

C:\Program Files (x86)\ossec-agent\logs\ossec.log

  3. Test Connectivity: The dashboard should show the agent as “Active” with a green status indicator

Troubleshooting Common Issues

Agent Not Connecting

  • Verify network connectivity between the endpoint and Wazuh server
  • Check firewall rules (ports 1514 and 1515)
  • Ensure the server IP address is correct in the configuration

Service Won’t Start

  • Run PowerShell as Administrator
  • Check Windows Event Logs for service-related errors
  • Verify the installation completed successfully

Installation Fails

  • Ensure you have administrator privileges
  • Check internet connectivity for downloading the MSI file
  • Verify PowerShell version (3.0 or greater required)
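The verification steps and the three troubleshooting lists above, turned into one endpoint-side health check; this is an added example, not a script from the article or from Wazuh. It assumes the default install directory, that the manager address is the <server><address> entry in ossec.conf, and that a non-empty client.keys means the agent has enrolled.

```powershell
# Added example: Wazuh agent health check run on the Windows endpoint (not the article's own code).
$AgentDir = 'C:\Program Files (x86)\ossec-agent'   # assumption: default install path
$Log      = Join-Path $AgentDir 'logs\ossec.log'
$Conf     = Join-Path $AgentDir 'ossec.conf'
$Keys     = Join-Path $AgentDir 'client.keys'
$problems = @()

# 1. "Service Won't Start": is WazuhSvc installed and running?
$svc = Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue
if (-not $svc)                     { $problems += 'WazuhSvc is not installed' }
elseif ($svc.Status -ne 'Running') { $problems += "WazuhSvc is $($svc.Status)" }

# 2. "Ensure the server IP address is correct": read the manager address the agent is actually using.
# Regex rather than [xml] because agent ossec.conf files are not always a single well-formed document.
$conf = Get-Content $Conf -Raw -ErrorAction SilentlyContinue
if ($conf -match '<server>\s*<address>\s*([^<\s]+)\s*</address>') {
    $manager = $Matches[1]
    # 3. "Check firewall rules": can this endpoint reach the event (1514) and enrolment (1515) ports?
    foreach ($port in 1514, 1515) {
        $t = Test-NetConnection -ComputerName $manager -Port $port -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) { $problems += "TCP ${manager}:${port} not reachable (firewall or wrong IP?)" }
    }
} else { $problems += 'No <server><address> found in ossec.conf' }

# 4. Enrolment: client.keys is populated when the agent registers with the manager.
if (-not (Test-Path $Keys) -or (Get-Item $Keys).Length -eq 0) {
    $problems += 'client.keys missing or empty: the agent has never enrolled'
}

# 5. "Review Agent Logs": recent errors, and whether the agent ever reported a manager connection.
$recent    = Get-Content $Log -Tail 200 -ErrorAction SilentlyContinue
$errLines  = $recent | Select-String -Pattern 'ERROR|CRITICAL'
if ($errLines) { $problems += "ossec.log: $($errLines.Count) recent ERROR/CRITICAL lines, last: $($errLines[-1].Line)" }
$connected = $recent | Select-String -Pattern 'Connected to the server' | Select-Object -Last 1
if (-not $connected) { $problems += 'No "Connected to the server" message in the last 200 log lines' }

# Summary: green means the dashboard should also show the agent as Active.
if ($problems.Count -eq 0) { Write-Host 'OK: agent installed, enrolled, running and connected' -ForegroundColor Green }
else { $problems | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red } }
```

Run it in an elevated PowerShell on the endpoint; each FAIL line points at the matching troubleshooting item above.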

Next Steps

Now that your Windows Server 2022 agent is successfully deployed and active, you can:

  • Configure specific monitoring rules for your Windows environment
  • Enable File Integrity Monitoring for critical system files
  • Set up custom log collection for Windows Event Logs
  • Configure active response for automated threat mitigation
  • Create custom dashboards for Windows-specific security metrics

Best Practices

  • Regular Updates: Keep agents updated to the latest version
  • Resource Monitoring: Monitor agent resource usage, especially in production environments
  • Group Management: Use agent groups to apply specific configurations to different server types
  • Backup Configuration: Maintain backups of agent configurations for disaster recovery

Conclusion

You have successfully deployed and configured a Wazuh agent on Windows Server 2022. The agent is now actively monitoring your endpoint and sending security data to your Wazuh server in real-time, providing comprehensive visibility into your Windows infrastructure.

This guide covers Wazuh agent version 4.12. Always check the official Wazuh documentation for the latest version and features.
