How to install Wazuh and Auditd on agent host - Printable Version
DevOps Discussion Forum (https://forums.geekssolutions.io)
Forum: Cloud Computing (https://forums.geekssolutions.io/forumdisplay.php?fid=10)
Forum: DevOps (https://forums.geekssolutions.io/forumdisplay.php?fid=14)
Thread: How to install Wazuh and Auditd on agent host (/showthread.php?tid=15)
How to install Wazuh and Auditd on agent host - rishi - 04-07-2026

1) Install Wazuh agent prerequisites

    apt-get update && apt-get install -y curl gnupg apt-transport-https

2) Add Wazuh repository key

    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | tee /usr/share/keyrings/wazuh.gpg > /dev/null

3) Add Wazuh repository

    echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
    apt-get update

4) Install Wazuh agent

    WAZUH_MANAGER="10.200.10.38" apt-get install -y wazuh-agent

5) Start and enable Wazuh agent

    systemctl daemon-reexec && systemctl enable wazuh-agent && systemctl start wazuh-agent && systemctl status wazuh-agent

6) Install auditd

    apt-get install -y auditd audispd-plugins

7) Start and enable auditd

    systemctl enable auditd && systemctl start auditd && systemctl status auditd

8) Verify audit log exists

    ls -l /var/log/audit/audit.log

9) Create audit rules file

    cat > /etc/audit/rules.d/wazuh.rules <<'EOF'
    -w /etc/localtime -p wa -k audit_time_rules
    -a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=audit_time_rules
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
    -w /etc/group -p wa -k usergroup_mod
    -w /etc/passwd -p wa -k usergroup_mod
    -w /etc/gshadow -p wa -k usergroup_mod
    -w /etc/shadow -p wa -k usergroup_mod
    -w /etc/security/opasswd -p wa -k usergroup_mod
    -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/useradd -F key=user_mgmt
    -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/userdel -F key=user_mgmt
    -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/usermod -F key=user_mgmt
    -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupadd -F key=user_mgmt
    -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupdel -F key=user_mgmt
    -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupmod -F key=user_mgmt
    -w /etc/issue.net -p wa -k netconfig
    -w /etc/issue -p wa -k netconfig
    -w /etc/hosts -p wa -k netconfig
    -w /etc/netplan -p wa -k netconfig
    -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=netconfig
    -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=netconfig
    -w /etc/apparmor -p wa -k MAC-policy
    -w /etc/selinux -p wa -k MAC-policy
    -w /var/log/tallylog -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
    -w /var/log/faillog -p wa -k logins
    -w /var/log/btmp -p wa -k session
    -w /var/log/wtmp -p wa -k session
    -w /var/run/utmp -p wa -k session
    -w /usr/sbin/insmod -p x -k modules
    -w /usr/sbin/modprobe -p x -k modules
    -w /usr/sbin/rmmod -p x -k modules
    -a always,exit -F arch=b64 -S init_module,delete_module -F key=modules
    -w /etc/sudoers -p wa -k sudoers
    -w /etc/sudoers.d -p wa -k sudoers
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
    -a always,exit -F arch=b32 -S unlink,rename,rmdir,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
    EOF

10) Load audit rules

    augenrules --load

11) Verify audit rules are active

    auditctl -l

12) Back up Wazuh agent config

    cp -a /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.bak.$(date +%F-%H%M%S)

13) Edit Wazuh config

    vim /var/ossec/etc/ossec.conf

Add this block inside an <ossec_config> section:

    <localfile>
      <log_format>audit</log_format>
      <location>/var/log/audit/audit.log</location>
    </localfile>

A safe place is near the other <localfile> entries.

14) Verify the audit block is present

    grep -nA3 -B3 '/var/log/audit/audit.log\|<log_format>audit</log_format>' /var/ossec/etc/ossec.conf

15) Restart Wazuh agent

    systemctl restart wazuh-agent && systemctl status wazuh-agent

16) Confirm Wazuh is reading audit log

    grep -i audit /var/ossec/logs/ossec.log | tail -n 20

You want to see:

    Analyzing file: '/var/log/audit/audit.log'

17) Optional validation

Generate an audit event:

    cat /etc/shadow >/dev/null

Check audit log:

    tail -n 20 /var/log/audit/audit.log

Check Wazuh agent log again:

    grep -i audit /var/ossec/logs/ossec.log | tail -n 20

Minimal post-checks on every server

    systemctl is-active wazuh-agent && systemctl is-active auditd
    auditctl -l | head
    grep -i audit /var/ossec/logs/ossec.log | tail -n 5
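To see which of the rules from step 9 have actually produced records before trusting the Wazuh side, here is an added shell script (not from the original post) that compares the keys declared in the rules file with the keys seen in audit.log; the rules and log lines embedded in it are constructed samples, and it assumes the default paths used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: after loading the rules file
# from step 9, list which audit keys have already produced records in
# audit.log and which have not fired yet. A key that never appears may mean
# the rule did not load (compare with auditctl -l) or that nothing has
# triggered it yet. Paths below default to the ones used in the post.

# Keys declared in a rules file, from both "-k KEY" and "-F key=KEY" forms,
# ignoring comment lines. Output is one key per line, sorted and unique.
declared_keys() {
  grep -v '^[[:space:]]*#' "$1" \
    | grep -oE '(-k |-F key=)[A-Za-z0-9_.-]+' \
    | sed -E 's/^(-k |-F key=)//' \
    | LC_ALL=C sort -u
}

# Keys present in audit records. auditd writes key="KEY" when one rule key
# matched; records matching several keys carry a hex-encoded key field,
# which this simple version does not decode.
observed_keys() {
  grep -oE 'key="[^"]+"' "$1" \
    | sed -E 's/^key="//; s/"$//' \
    | LC_ALL=C sort -u
}

# Declared keys with no record in the log yet, one per line.
silent_keys() {
  for k in $(declared_keys "$1"); do
    observed_keys "$2" | grep -qxF -- "$k" || echo "$k"
  done
}

# Constructed sample input so the script runs offline; on a real host call
#   silent_keys /etc/audit/rules.d/wazuh.rules /var/log/audit/audit.log
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/wazuh.rules" <<'EOF'
-w /etc/shadow -p wa -k usergroup_mod
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/useradd -F key=user_mgmt
-w /etc/sudoers -p wa -k sudoers
EOF
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
type=SYSCALL msg=audit(1712470000.100:201): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="access"
type=SYSCALL msg=audit(1712470001.200:202): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vipw" exe="/usr/sbin/vipw" key="usergroup_mod"
type=CONFIG_CHANGE msg=audit(1712470002.300:203): auid=1000 ses=2 op=add_rule key=(null) list=4 res=1
EOF
silent_keys "$SAMPLE_DIR/wazuh.rules" "$SAMPLE_DIR/audit.log"
```

On the constructed sample this prints sudoers and user_mgmt, the two declared keys with no matching record.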