Wazuh Agent on Host OS

albrecd · May 4, 2025, 5:05pm

Problem/Justification

Requesting support for Wazuh Agent security monitoring software installed on the host OS.

Linux agent install instructions via apt: Deploying Wazuh agents on Linux endpoints - Wazuh agent

Impact

The Wazuh agent allows more robust security monitoring than forwarded syslog messages alone, and additionally allows compliance and vulnerability monitoring.

Unlikely to cause negative impact.

User Story

The Wazuh agent requires minimal (if any) user interaction following installation. The primary means of interaction would be through modifying the agent configuration file (typically at path /var/ossec/etc/ossec.conf). Full app support may include options to modify this configuration via the Apps UI, though this would not necessarily be required for MVP.

The Wazuh agent runs as a background service, and forwards messages to a separate Wazuh server on network port 1514, so limited access to the host network would be required.

ABain · May 5, 2025, 1:12pm

please raise and issue on the apps repo to request addition of an app

albrecd · May 5, 2025, 1:41pm

Moving request there, thanks!

albrecd · May 5, 2025, 2:11pm

I was referred back here to request as a host OS feature.

LarsR · May 5, 2025, 2:16pm

you could try to deploy it via custom app with the compose file from their github

github.com/pyToshka/docker-wazuh-agent

docker-compose.yml

main

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.9'  # optional since Compose v1.27.0
services:
  wazuh-minideb-agent:
    build:
      context: .
      dockerfile: ./Dockerfile
      args:
        AGENT_VERSION: ${AGENT_VERSION:-4.3.10-1}
    image: wazuh-agent-minideb:${AGENT_VERSION:-4.3.10-1}
    volumes:
       - ./register_agent.py:/var/ossec/register_agent.py
    hostname: wazuh-agent-minideb
    deploy:
      replicas: ${LOCAL_DEV:-1}
    restart: always
    environment:
      - JOIN_MANAGER_MASTER_HOST=wazuh.manager
      - JOIN_MANAGER_WORKER_HOST=wazuh.manager
      - JOIN_MANAGER_USER=wazuh-wui

This file has been truncated. show original

albrecd · May 5, 2025, 3:36pm

I’ll give that a try, but I don’t believe the Wazuh docker deployment can monitor the host OS. I think it’s more intended to be an all in one agent/server container.

Gamix · May 13, 2025, 6:01pm

Did you manage to deploy Wazuh as a container on Truenas Scale? If yes, does it monitor the whole machine or only the container?

albrecd · May 13, 2025, 9:02pm

Sorry haven’t gotten to it yet - hopefully later this week or early next. I’ll post here with those answers once I have.

albrecd · May 14, 2025, 11:00pm

TLDR: No, it does not seem that it is currently possible for the Wazuh Agent container to monitor the host system.

I was able to install the Wazuh Agent image from dockerhub: https://hub.docker.com/r/opennix/wazuh-agent. Installation is fairly straightforward - note that the environment variables listed in the dockerhub readme as Required but with default value None must be provided when configuring the installation, including the API username/password for the Wazuh indexer.

Unfortunately the installed agent is only forwarding events generated within the container (tested by manually generating logs in /var/log/syslog on both the host and inside the container). This is the case both with privileged and standard installations.

I don’t think this is currently possible, but rather than installing the Wazuh Agent on the host OS an alternative way to monitor the host may be adding the log directory as a read-only bind mount via the storage install configuration, then updating the Wazuh config to monitor the log files in this directory rather than the internal log directory. It seems like it is currently only possible to bind mount locations under the /mnt root, and this would require mounting /var/log, though there may already be a way to mount within the system root that I am unaware of?