Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Wazuh Agent Docker Image with Auto-Registration on Wazuh Server
The Wazuh Agent, encapsulated within a Docker image, comes equipped with an automatic registration feature for seamless integration with the Wazuh server. This versatile implementation is designed to function not only as a standalone Docker container but also as a Kubernetes DaemonSet.
Key Features:
- Containerization: The Wazuh Agent is encapsulated within a Docker image, promoting portability and ease of deployment across various environments.
- Auto-Registration: The agent is configured to automatically register with the Wazuh server, streamlining the onboarding process and eliminating manual intervention.
- Standalone Deployment: The Docker container can be deployed as a standalone entity, offering flexibility for environments that do not utilize orchestration tools.
- Kubernetes Compatibility: Integrated as a Kubernetes DaemonSet, the Wazuh Agent seamlessly scales across nodes within a Kubernetes cluster, ensuring comprehensive security coverage.
Note: Always refer to the official documentation for detailed configuration options and additional customization possibilities.
This implementation offers a seamless and adaptable solution for incorporating Wazuh security monitoring into both standalone and orchestrated environments.
Wazuh agent v4.3.10 will reach its end of life (EOL) and the cessation of support on February 1, 2024.
Commencing on February 1, 2024, the main branch will incorporate the latest code.
Exercise caution, as potential bugs may exist in this branch. It is crucial to migrate all your deployments to Docker image tags listed below for reference.
GitHub branch/tag | Wazuh Agent version | EOL | Docker image tag |
---|---|---|---|
main | v4.7.2-1 | LTS | latest |
v4.7.2-1 | v4.7.2-1 | LTS | 4.7.1 |
v4.7.1-1 | v4.7.1-1 | LTS | 4.7.1 |
v4.6.0-1 | v4.6.0-1 | LTS | 4.6.0 |
v4.5.4-1 | v4.5.4-1 | LTS | 4.5.4 |
v4.4.5-1 | v4.4.5-1 | LTS | 4.4.5 |
Repository Name | Description | Pull command |
---|---|---|
https://hub.docker.com/r/opennix/wazuh-agent | Wazuh agent based on Minideb | docker pull opennix/wazuh-agent |
https://hub.docker.com/r/opennix/wazuh-agent-amazonlinux | Wazuh agent based on Amazon Linux version 2023.3.20231218.0 | docker pull opennix/wazuh-agent-amazonlinux |
https://hub.docker.com/r/opennix/wazuh-agent-ubuntu | Wazuh agent based on Ubuntu 24.04 | docker pull opennix/wazuh-agent-ubuntu |
- register_agent.py: Auto register docker based agent
- cleanup_agents.py: Cleanup disconnected or never connected agents older than N days
- deregister_agent.py: De-registration of agent
Name | Type | Description | Default | Required |
---|---|---|---|---|
JOIN_MANAGER_PROTOCOL | string | HTTP or HTTPS protocol for the Wazuh REST API connection | https | Yes |
JOIN_MANAGER_MASTER_HOST | string | IP address or domain name of the Wazuh server used for REST API calls | None | Yes |
JOIN_MANAGER_WORKER_HOST | string | IP address or domain name of the Wazuh worker for agent connection; for an all-in-one installation, use the same value as JOIN_MANAGER_MASTER_HOST | None | Yes |
JOIN_MANAGER_USER | string | Username for Wazuh API authorization | None | Yes |
JOIN_MANAGER_PASSWORD | string | Password for Wazuh API authorization | None | Yes |
JOIN_MANAGER_API_PORT | string | Port the Wazuh API listens on | 55000 | Yes |
JOIN_MANAGER_PORT | string | Wazuh server port for communication between agent and server | 1514 | Yes |
NODE_NAME | string | Node name; if not set, the image uses the HOSTNAME system variable | None | No |
VIRUS_TOTAL_KEY | string | API key for VirusTotal integration | None | No |
WAZUH_GROUPS | string | Comma-separated group name(s) the agent is automatically added to | default | No |
WAZUH_WAIT_TIME | string | Sleep for N seconds | 10 | No |
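A pre-flight check for the variable table above, as an added example that is not part of this repository: `SPEC`, `check_env` and `SAMPLE_ENV` are hypothetical names and the sample values are constructed. It applies the table's defaults and required flags and the NODE_NAME fallback to HOSTNAME, and reports plain http (the API credentials would travel unencrypted) and JOIN_* names that are not in the table.

```python
# Added example, not project code. SPEC copies the table: name -> (default, required).
SPEC = {
    "JOIN_MANAGER_PROTOCOL": ("https", True),
    "JOIN_MANAGER_MASTER_HOST": (None, True),
    "JOIN_MANAGER_WORKER_HOST": (None, True),
    "JOIN_MANAGER_USER": (None, True),
    "JOIN_MANAGER_PASSWORD": (None, True),
    "JOIN_MANAGER_API_PORT": ("55000", True),
    "JOIN_MANAGER_PORT": ("1514", True),
    "NODE_NAME": (None, False),
    "VIRUS_TOTAL_KEY": (None, False),
    "WAZUH_GROUPS": ("default", False),
    "WAZUH_WAIT_TIME": ("10", False),
}

def check_env(env):
    """Hypothetical helper: return (config, problems) for a mapping of variables."""
    cfg, problems = {}, []
    for name, (default, required) in SPEC.items():
        cfg[name] = env.get(name) or default
        if required and not cfg[name]:
            problems.append(f"{name} is required and has no default")
    cfg["NODE_NAME"] = cfg["NODE_NAME"] or env.get("HOSTNAME")  # fallback per the table
    cfg["WAZUH_GROUPS"] = [g.strip() for g in cfg["WAZUH_GROUPS"].split(",") if g.strip()]
    proto = cfg["JOIN_MANAGER_PROTOCOL"].lower()
    if proto == "http":
        problems.append("JOIN_MANAGER_PROTOCOL=http sends the API credentials unencrypted")
    elif proto != "https":
        problems.append(f"JOIN_MANAGER_PROTOCOL must be http or https, got {proto!r}")
    for name in ("JOIN_MANAGER_API_PORT", "JOIN_MANAGER_PORT"):
        if not (cfg[name].isdecimal() and 0 < int(cfg[name]) < 65536):
            problems.append(f"{name}={cfg[name]!r} is not a valid port number")
    # A JOIN_* name that is not in the table is usually a typo of a real one.
    for name in sorted(env):
        if name.startswith("JOIN_") and name not in SPEC:
            problems.append(f"{name} is not in the variable table (possible typo)")
    return cfg, problems

# Constructed sample: plaintext protocol and a misspelled password variable.
SAMPLE_ENV = {
    "JOIN_MANAGER_PROTOCOL": "http", "HOSTNAME": "node-1",
    "JOIN_MANAGER_MASTER_HOST": "wazuh.example.internal",
    "JOIN_MANAGER_WORKER_HOST": "wazuh.example.internal",
    "JOIN_MANAGER_USER": "user", "JOIN_PASSWORD": "placeholder",
    "WAZUH_GROUPS": "default, web",
}
if __name__ == "__main__":
    for problem in check_env(SAMPLE_ENV)[1]:
        print("config problem:", problem)
```

Passing `os.environ` instead of `SAMPLE_ENV` checks the variables a container was actually started with.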
The Simplest way of running the container
docker run --rm opennix/wazuh-agent:latest
Generate certificates
docker compose -f tests/single-node/generate-indexer-certs.yml run --rm generator
Run
docker compose up -d
This runs a Wazuh cluster in single-node mode with 3 agents.
make
help Help for usage
build-minideb Build Wazuh Agent minideb based
build-amazon-linux Build Wazuh Agent amazon linux based
build-ubuntu Build Wazuh Agent ubuntu linux based
docker-run Run Wazuh Agent docker image minideb based
docker-push-minideb Push Wazuh Agent docker image minideb based
docker-push-amazon-linux Push Wazuh Agent docker image amazon linux based
docker-push-ubuntu Push Wazuh Agent docker image ubuntu linux based
run-local Run docker compose stack with all agents on board
docker run -d --name wazuh -v /:/rootfs:ro --net host --hostname ${HOSTNAME} \
-e JOIN_MANAGER_MASTER_HOST=172.17.0.1 -e JOIN_MANAGER_WORKER_HOST=172.17.0.1 \
-e JOIN_MANAGER_PASSWORD=test123 -e JOIN_MANAGER_USER=user \
-v /etc/os-release:/etc/os-release -v /var/run/docker.sock:/var/run/docker.sock \
opennix/wazuh-agent
Set the environment variables in wazuh-daemon-sets.yaml as described above.
Example:
env:
  - name: JOIN_MANAGER_MASTER_HOST
    value: "wazuh.wazuh.svc.cluster.local"
  - name: JOIN_MANAGER_WORKER_HOST
    value: "wazuh-workers.wazuh.svc.cluster.local"
  - name: JOIN_MANAGER_PROTOCOL
    value: "https"
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  - name: JOIN_MANAGER_USER
    valueFrom:
      secretKeyRef:
        name: wazuh-api-cred
        key: username
  - name: JOIN_MANAGER_PASSWORD
    valueFrom:
      secretKeyRef:
        name: wazuh-api-cred
        key: password
  - name: JOIN_MANAGER_API_PORT
    value: "55000"
  - name: JOIN_MANAGER_PORT
    value: "1514"
Then apply the template:
kubectl apply -f wazuh-daemon-sets.yaml
The DaemonSet will be deployed to the wazuh namespace.
Building default image agent based on Minideb with default Agent version 4.3.10-1
docker build . -t wazuh-agent:latest
Building agent image based on Amazon Linux with default Agent version 4.3.10-1
docker build -f images/Dockerfile.amazonlinux . -t wazuh-agent:latest
Building agent image based on Ubuntu 24.04 with default Agent version 4.3.10-1
docker build -f images/Dockerfile.ubuntu . -t wazuh-agent:latest
Build agent image with custom agent version
docker build -f path-to-docker-file . -t wazuh-agent:<tag> --build-arg AGENT_VERSION=<wazuh-agent-version>
For example build minideb with Wazuh agent version 4.4.5-1
docker build . -t wazuh-agent:latest --build-arg AGENT_VERSION=4.4.5-1