Wazuh is an open source security platform that offers Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) capabilities to organizations. It provides security to IT infrastructure through real-time monitoring, threat detection, log analysis, vulnerability detection, and automated incident response. By collecting and analyzing security data from endpoints, Wazuh enables organizations to detect and respond swiftly to security threats and incidents. Deploying Wazuh agents can be a bit challenging in organizations with many endpoints; therefore, using IT management software is advised.
This blog post demonstrates deploying the Wazuh agent to multiple Windows endpoints using ManageEngine. ManageEngine is an IT management software that automates software distribution and system management, ensuring consistent device configurations. It enhances efficiency and security compliance by centralizing IT operations and saving time and resources.
Infrastructure
We set up the following infrastructure to demonstrate the deployment of the Wazuh agent to two Windows endpoints.
- A pre-built, ready-to-use Wazuh OVA 4.8.0 that hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the virtual machine (VM).
- A Windows server with ManageEngine Endpoint Central installed. Download ManageEngine Endpoint Central and follow the installation guide to set it up on this endpoint.
- Two Windows 10 endpoints onboarded on the ManageEngine Endpoint Central. Follow this guide to install the ManageEngine agent on Windows endpoints. These two Windows 10 endpoints will be the targets for deploying the Wazuh agent.
Configuring the Wazuh agent deployment package on ManageEngine
Perform the following steps to create a software deployment package on ManageEngine.
1. Download the Wazuh Windows agent Microsoft installer (MSI) package.
2. Open ManageEngine Endpoint Central in your browser at https://<WINDOWS_IP_ADDRESS>:8383.
- Replace <WINDOWS_IP_ADDRESS> with the IP address of the Windows server.
- Navigate to Software Deployment > Packages. Click Add Package and select Windows.
3. Create the Wazuh deployment package as shown in the image below.
- Enter the Package Name. For example, Wazuh Agent Package.
- Select EXE/APPX/MSIEXEC/MSU as the Package Type.
- Select Non-Commercial as the License Type.
- Upload the Wazuh agent installation (MSI) file downloaded in Step 1 from your local computer.
4. Copy and paste the installation command below in the Installation Command with Switches/Arguments textbox:
msiexec /i wazuh-agent-4.8.0-1.msi /q WAZUH_MANAGER="<WAZUH_MANAGER_IP>" WAZUH_AGENT_GROUP="default"
Replace <WAZUH_MANAGER_IP> with the IP address of the Wazuh manager.
In the installation command, we set the WAZUH_AGENT_GROUP variable to default, which adds the Wazuh agent to the default agent group. You can modify this variable depending on your requirements.
5. Click on Post-Deployment Activities and add Custom Script.
- Select Custom Script, then choose Command Line.
- Insert the command NET START WazuhSvc in the command textbox. This command starts the Wazuh agent service after deployment.
- Click on Save & Continue to save the configurations.
6. Click on Add Package to create the package.
Deploying the Wazuh agent package to the endpoints
1. Navigate to the Software Deployment page, and select the Wazuh agent deployment package created in the previous steps. Click on Install/Uninstall Software and select Computer Configuration.
2. Provide the following details as shown in the image below.
- Enter the Name of the deployment. For example, Wazuh Agent Deployment.
- Select Install as the Operation Type.
- Select System User under the Configure Install/Uninstall options dropdown to install the Wazuh agent with system privileges on the target system.
3. Next, we configure the deployment policy and select the target system.
- Select Deploy anytime at the earliest on the Deployment Settings.
- Under Define Target, select the group of Windows computers on which you want to install the Wazuh agent. By default, the Local Office group contains all computers not assigned to a specific group. You can create a custom group to fit your deployment requirements.
- Scroll to the bottom of the page and click on Deploy Immediately.
After clicking on Deploy Immediately, the Wazuh agent will be installed on the selected group of systems. You can track the progress of the Wazuh agent deployment on the View Configuration page as shown in the image below.
Validating the deployment of Wazuh agents
Navigate to Server management > Endpoint Summary on the Wazuh dashboard to view the newly enrolled agents.
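The dashboard shows enrollment from the manager's side. The following PowerShell script is an added example, not part of the original post, that checks the same result on an endpoint: the WazuhSvc service is running, the manager address from the msiexec command was written to the agent configuration, and the agent holds an enrollment key. It assumes the agent's default install directory C:\Program Files (x86)\ossec-agent; the function name Test-WazuhAgentDeployment is hypothetical.

```powershell
# Added example: endpoint-side check after the ManageEngine deployment.
# Assumption: the agent was installed to its default directory (see $AgentDir).
param(
    [string]$ExpectedManager = '<WAZUH_MANAGER_IP>',          # same value used in the msiexec command
    [string]$AgentDir = 'C:\Program Files (x86)\ossec-agent'  # assumed default install path
)

function Test-WazuhAgentDeployment {
    param([string]$ExpectedManager, [string]$AgentDir)

    $result = [ordered]@{
        ServiceInstalled = $false
        ServiceRunning   = $false
        ManagerMatches   = $false
        Enrolled         = $false
    }

    # 1. WazuhSvc is the service started by the post-deployment NET START command.
    $svc = Get-Service -Name 'WazuhSvc' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceInstalled = $true
        $result.ServiceRunning   = ($svc.Status -eq 'Running')
    }

    # 2. The WAZUH_MANAGER value should appear in the <address> element of ossec.conf.
    $conf = Join-Path $AgentDir 'ossec.conf'
    if (Test-Path -LiteralPath $conf) {
        $text = Get-Content -LiteralPath $conf -Raw
        $m = [regex]::Match($text, '<address>\s*([^<\s]+)\s*</address>')
        if ($m.Success) {
            $result.ManagerMatches = ($m.Groups[1].Value -eq $ExpectedManager)
        }
    }

    # 3. A non-empty client.keys means the agent obtained a key from the manager.
    $keys = Join-Path $AgentDir 'client.keys'
    if (Test-Path -LiteralPath $keys) {
        $result.Enrolled = ((Get-Item -LiteralPath $keys).Length -gt 0)
    }

    [pscustomobject]$result
}

$r = Test-WazuhAgentDeployment -ExpectedManager $ExpectedManager -AgentDir $AgentDir
$r | Format-List
# Exit non-zero if any check failed, so the result can be picked up by automation.
if ($r.PSObject.Properties.Value -contains $false) { exit 1 }
```

Run it from an elevated PowerShell session on the endpoint, passing the manager IP with -ExpectedManager.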
Conclusion
In this blog post, we showed how to prepare the Wazuh agent package to be deployed at scale to Windows endpoints in enterprise environments using ManageEngine. ManageEngine provides a scalable solution that facilitates efficient and automated mass deployment of Wazuh agents to endpoints within your IT infrastructure. You can also explore other options for Wazuh agent deployment, such as using GPO and PDQ.
Wazuh has over 20 million annual downloads and extensively supports users through a constantly growing open source community. You can join our community of professionals and users if you have any questions on this blog post or Wazuh in general.