Modern organizations rely heavily on Linux servers, cloud workloads, containers, and virtual machines to run critical applications and services.
While Linux is widely regarded as a secure operating system, it is still a common target for attackers seeking unauthorized access, privilege escalation opportunities, or sensitive data.
To effectively monitor and protect Linux environments, security teams need visibility into endpoint activity across their infrastructure.
Wazuh provides this visibility through its lightweight endpoint agent, allowing organizations to collect logs, detect threats, monitor file changes, identify vulnerabilities, and enforce security policies from a centralized platform.
What Are Linux Endpoints in Wazuh?
In Wazuh, a Linux endpoint refers to any Linux-based system running the Wazuh agent.
These endpoints can include:
- Physical Linux servers
- Virtual machines
- Cloud instances
- Container hosts
- Application servers
- Database servers
- Development and testing systems
Once the Wazuh agent is installed, the endpoint continuously collects security-related data and sends it to the Wazuh manager for analysis and correlation.
Why Endpoint Visibility Is Critical for Security Monitoring
Many cyberattacks begin at the endpoint level.
Attackers often attempt to gain access through compromised credentials, vulnerable software, misconfigured services, or malicious files installed directly on servers.
Without endpoint visibility, security teams may miss important indicators of compromise such as:
- Unauthorized login attempts
- Privilege escalation activities
- Malware execution
- Unexpected file modifications
- Vulnerable software packages
- Suspicious system configuration changes
According to the annual Data Breach Investigations Report published by Verizon, compromised systems and credentials continue to play a major role in security breaches across organizations of all sizes.
By monitoring Linux endpoints in real time, organizations can detect threats earlier and reduce incident response times.
Benefits of Adding Linux Systems to Wazuh
Adding Linux endpoints to Wazuh provides several important security and operational benefits:
- Centralized visibility across all Linux assets
- Real-time security monitoring and alerting
- File Integrity Monitoring (FIM) capabilities
- Vulnerability detection and asset inventory
- Security configuration assessment
- Rootkit and malware detection
- Compliance monitoring and reporting
- Improved incident investigation capabilities
These capabilities allow security teams to monitor thousands of Linux systems from a single dashboard while maintaining consistent security policies across the environment.
What You Will Learn in This Guide
In this guide, you will learn:
- How the Wazuh agent architecture works
- Requirements for onboarding Linux systems
- How to install the Wazuh agent on various Linux distributions
- How to register Linux endpoints with the Wazuh manager
- How to verify successful communication
- How to validate log collection and threat detection features
- Common troubleshooting steps for Linux agent deployments
By the end of this tutorial, you will have a fully monitored Linux endpoint reporting security events to your Wazuh environment.
Understanding the Wazuh Agent Architecture
Before adding Linux endpoints to Wazuh, it is important to understand how the Wazuh agent communicates with the platform and what security functions it performs on monitored systems.
What Is the Wazuh Agent?
The Wazuh agent is a lightweight software component installed directly on monitored endpoints.
Its primary purpose is to collect security-related data and securely transmit that information to the Wazuh manager for analysis.
The agent continuously gathers information from the operating system, applications, log files, and security monitoring modules without requiring administrators to manually collect data from individual systems.
Role of the Agent in Endpoint Monitoring
The Wazuh agent acts as the primary source of endpoint telemetry.
It provides visibility into activities occurring directly on Linux systems, including:
- User authentication events
- System log entries
- File modifications
- Software inventory changes
- Security policy violations
- Malware indicators
- Vulnerability information
This endpoint-level visibility enables Wazuh to identify suspicious activity that may not be visible through network monitoring alone.
Communication Between Agent and Manager
The Wazuh agent communicates securely with the Wazuh manager using encrypted channels.
The process typically follows these steps:
- The Linux endpoint enrolls with the Wazuh manager.
- Authentication keys are exchanged.
- The agent establishes secure communication.
- Security data is transmitted continuously.
- The manager analyzes and correlates incoming events.
- Alerts are generated when suspicious activity is detected.
The manager then forwards processed events to the indexer and dashboard, where administrators can investigate alerts and monitor endpoint activity.
Supported Linux Distributions
Wazuh supports most major Linux distributions, including:
- Ubuntu
- Debian
- Rocky Linux
- AlmaLinux
- Red Hat Enterprise Linux (RHEL)
- CentOS
- Oracle Linux
- Amazon Linux
- SUSE Linux Enterprise Server
Before deployment, verify compatibility with your specific operating system version using the official Wazuh documentation.
How Linux Endpoints Integrate with Wazuh
Once installed, the Linux agent enables several core Wazuh security capabilities.
Log Collection
The agent collects and forwards security logs from sources such as:
- Syslog
- Authentication logs
- Application logs
- Auditd logs
- Custom log files
These logs are analyzed by the Wazuh manager to identify suspicious activity and generate alerts.
File Integrity Monitoring (FIM)
Wazuh continuously monitors critical files and directories for unauthorized modifications.
When a monitored file is created, modified, renamed, or deleted, Wazuh generates an alert that can be investigated immediately.
See our How to Configure File Integrity Monitoring (FIM) in Wazuh guide.
Vulnerability Detection
The Wazuh agent inventories installed software packages and reports them to the manager.
Wazuh then compares installed software versions against known vulnerability databases to identify systems that require patching.
See our Wazuh Vulnerability Detection Not Working? Here’s How to Fix It guide if detection results do not appear.
Security Configuration Assessment
Wazuh evaluates Linux systems against security benchmarks and best practices.
Examples include:
- Password policy validation
- SSH configuration auditing
- Service hardening verification
- CIS benchmark assessments
These assessments help identify security weaknesses before they can be exploited.
Rootkit and Malware Detection
The Wazuh agent includes rootcheck functionality that helps identify:
- Hidden processes
- Suspicious kernel modules
- Rootkit indicators
- Unauthorized system modifications
Combined with threat intelligence integrations and custom detection rules, this capability strengthens endpoint threat detection.
See our How to Create Custom Detection Rules in Wazuh (With Examples) guide for more information.
Prerequisites
Before installing the Wazuh agent on Linux endpoints, verify that both your Wazuh infrastructure and target systems meet the necessary requirements.
Wazuh Server Requirements
The Wazuh manager must be fully operational before agents can be enrolled.
Wazuh Manager Installed and Running
Confirm that your Wazuh manager service is active and functioning properly.
On the Wazuh server:
sudo systemctl status wazuh-manager
The service should display an active running status before proceeding with endpoint onboarding.
Access to the Wazuh Dashboard
You should have administrative access to the Wazuh dashboard to:
- Manage agents
- Verify enrollment
- Monitor endpoint activity
- Review alerts
- Validate data collection
Dashboard access simplifies deployment verification and troubleshooting.
Required Network Connectivity
The Linux endpoint must be able to communicate with the Wazuh manager over the network.
Verify that:
- DNS resolution works correctly
- Routing is configured properly
- Firewalls allow required traffic
- Network security devices are not blocking communication
Linux Endpoint Requirements
Supported Linux Operating Systems
Ensure the endpoint is running a supported Linux distribution such as:
- Ubuntu
- Debian
- Rocky Linux
- AlmaLinux
- RHEL
- CentOS
- Oracle Linux
- Amazon Linux
- SUSE Linux
Root or Sudo Access
Agent installation requires elevated privileges.
Verify that you have either:
- Root access
- Sudo privileges
Most installation and configuration commands require administrative permissions.
Internet or Repository Access
The endpoint should have access to:
- Wazuh package repositories
- Internal package mirrors
- Download locations for installation packages
If internet access is restricted, you may need to deploy the agent using offline installation packages.
Firewall Configuration Considerations
Review both host-based and network firewalls before deployment.
Security controls such as:
- iptables
- nftables
- firewalld
- Cloud security groups
must allow communication between the Linux endpoint and the Wazuh manager.
Verify Connectivity Before Installation
Performing connectivity checks beforehand can prevent enrollment failures later.
Testing DNS Resolution
Verify that the endpoint can resolve the Wazuh manager hostname:
nslookup wazuh-manager.example.com
Or:
dig wazuh-manager.example.com
Successful DNS resolution confirms the endpoint can locate the manager.
Testing Network Communication
Verify basic network connectivity:
ping WAZUH_MANAGER_IP
You can also test TCP connectivity:
nc -zv WAZUH_MANAGER_IP 1514
Successful connections indicate that traffic can reach the manager.
Required Ports for Agent-Manager Communication
The following ports are commonly required:
| Port | Protocol | Purpose |
|---|---|---|
| 1514 | TCP/UDP | Agent event communication |
| 1515 | TCP | Agent enrollment and registration |
| 55000 | TCP | Wazuh API access (optional) |
If these ports are blocked by a firewall, agent enrollment and communication may fail.
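The connectivity checks above can be scripted so they run identically on every endpoint before the agent is installed. The following pre-flight script is an added example, not part of the original guide or of Wazuh itself; it assumes a POSIX shell with `getent` and coreutils `timeout` available, and uses bash's `/dev/tcp` device for the port test so it does not depend on netcat. The manager name and the ports 1514 and 1515 come from the table above.

```shell
#!/usr/bin/env sh
# Pre-installation connectivity check for a Wazuh manager (added example).
# Assumes: getent, coreutils `timeout`, and bash (for /dev/tcp) are installed.

# Return 0 if the manager address is usable: dotted-quad IP literals are
# accepted as-is, anything else must resolve through the system resolver.
resolve_host() {
  host="$1"
  case "$host" in
    *[!0-9.]*) getent ahosts "$host" >/dev/null 2>&1 ;;  # a name: ask the resolver
    *)         [ -n "$host" ] ;;                          # IP literal: nothing to resolve
  esac
}

# Return 0 if a TCP port accepts connections within 3 seconds.
# bash's /dev/tcp pseudo-device replaces `nc -zv` so no extra tool is needed.
port_open() {
  host="$1"; port="$2"
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Run every check for one manager and the given ports; print one line per
# check and return the number of failures (0 means ready to enroll).
preflight() {
  manager="$1"; shift
  failures=0
  if resolve_host "$manager"; then
    echo "OK    resolution of $manager"
  else
    echo "FAIL  cannot resolve $manager"
    failures=$((failures + 1))
  fi
  for port in "$@"; do
    if port_open "$manager" "$port"; then
      echo "OK    TCP ${manager}:${port} reachable"
    else
      echo "FAIL  TCP ${manager}:${port} blocked or closed"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage (1514 = events, 1515 = enrollment, as in the port table):
#   preflight wazuh-manager.example.com 1514 1515
```

A non-zero exit code from `preflight` tells a deployment pipeline to stop before `agent-auth` runs, which is where a blocked 1515 would otherwise surface as an opaque enrollment failure.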
For troubleshooting connectivity-related issues after installation, see our Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work guide.
For additional deployment guidance, consult the official Wazuh installation documentation.
Official Wazuh installation documentation: https://documentation.wazuh.com/current/user-manual/agents/index.html
Methods for Adding Linux Endpoints to Wazuh
There are several ways to deploy Linux endpoints into a Wazuh environment.
The best method depends on the size of your environment, the level of automation required, and your organization’s operational processes.
Method 1: Deploying Linux Agents Through the Wazuh Dashboard
The Wazuh dashboard provides a built-in deployment wizard that simplifies agent installation and enrollment.
Administrators can generate installation commands directly from the dashboard and deploy agents without manually creating configuration files.
Advantages of Dashboard-Based Deployment
Benefits of using the dashboard deployment method include:
- Simplified installation process
- Automatic generation of installation commands
- Reduced configuration errors
- Faster onboarding for new administrators
- Easy agent registration and enrollment
The deployment wizard automatically generates commands that include the manager address and enrollment parameters, minimizing manual configuration.
When to Use This Method
Dashboard-based deployment is ideal for:
- Small and medium-sized environments
- Individual server deployments
- Test environments
- Organizations new to Wazuh
- Administrators who prefer graphical interfaces
For organizations deploying a limited number of Linux endpoints, this is typically the easiest and fastest approach.
Method 2: Manual Agent Installation
Manual installation involves downloading the Wazuh agent package, installing it directly on the Linux endpoint, and configuring communication settings manually.
This approach provides greater flexibility and control over the deployment process.
Advantages of Manual Installation
Manual deployment offers several benefits:
- Greater control over configuration
- Suitable for restricted environments
- Works in air-gapped networks
- Easier integration with custom installation procedures
- Useful for troubleshooting deployment issues
Administrators can customize settings before the agent begins communicating with the manager.
Suitable Use Cases
Manual installation is commonly used for:
- Production servers
- Highly regulated environments
- Offline installations
- Security-sensitive systems
- Custom deployment workflows
Organizations with strict change management processes often prefer this deployment method.
Method 3: Automated Deployment at Scale
Large organizations often need to deploy hundreds or thousands of Linux endpoints.
In these situations, automation becomes essential.
Using Configuration Management Tools
Popular automation tools used with Wazuh include:
- Ansible
- Puppet
- Chef
- SaltStack
- Terraform (for cloud provisioning workflows)
These tools can automatically:
- Install the Wazuh agent
- Configure manager connectivity
- Register agents
- Apply security policies
- Update existing deployments
Enterprise Deployment Scenarios
Automation is recommended for:
- Large enterprise environments
- Cloud-native deployments
- Hybrid infrastructure
- Container host monitoring
- Continuous infrastructure provisioning
According to guidance from the Center for Internet Security, automated configuration management significantly improves consistency and reduces configuration drift across managed systems.
Automated deployment also simplifies future upgrades.
See our How to Upgrade a Wazuh Agent guide if you are having issues with the Wazuh agent.
Step 1: Register a New Linux Agent in Wazuh
Before a Linux endpoint can begin sending security events, it must be registered with the Wazuh manager.
Registration establishes trust between the endpoint and the manager and allows secure communication.
Create an Agent from the Dashboard
The easiest way to register a Linux endpoint is through the Wazuh dashboard.
Navigate to the Agents Section
Log in to the Wazuh dashboard and navigate to:
Wazuh Dashboard → Agents
From the Agents page, click:
Deploy New Agent
The deployment wizard will guide you through the registration process.
Generate Installation Commands
The deployment wizard automatically creates installation commands tailored to your environment.
You will be asked to specify:
- Operating system
- Wazuh manager address
- Agent group (optional)
- Enrollment settings
After completing the wizard, copy the generated command and run it on the Linux endpoint.
Select the Linux Operating System
Choose the appropriate operating system from the available options, such as:
- Ubuntu
- Debian
- Rocky Linux
- AlmaLinux
- RHEL
- CentOS
- Amazon Linux
Selecting the correct operating system ensures that the appropriate installation package is generated.
Register the Agent Using CLI
Organizations that prefer command-line administration can register Linux agents directly from the terminal.
Using agent-auth
The agent-auth utility allows endpoints to authenticate with the Wazuh manager.
Example:
sudo /var/ossec/bin/agent-auth -m MANAGER_IP
After successful authentication, the manager generates and stores the agent key.
Creating Agents Manually from the Manager
Administrators can also create agents directly on the manager using:
sudo /var/ossec/bin/manage_agents
This utility allows you to:
- Add agents
- Remove agents
- Extract agent keys
- Import agent keys
Manual registration is particularly useful in environments where automated enrollment is disabled.
For environments experiencing enrollment issues, see our Wazuh Agent Not Connecting to Manager? 12 Proven Fixes guide.
For additional enrollment documentation, see https://documentation.wazuh.com/current/user-manual/agents/agent-enrollment/index.html
Step 3: Configure the Linux Agent
After installing the Wazuh agent, the next step is configuring it to communicate with the Wazuh manager and collect the security data you want to monitor.
While the default configuration is sufficient for many deployments, understanding the agent configuration file allows you to customize monitoring behavior, improve visibility, and optimize performance.
Understanding the Agent Configuration File
The Wazuh agent configuration is stored in an XML-based file called ossec.conf.
This file controls how the agent:
- Connects to the Wazuh manager
- Collects logs
- Monitors files and directories
- Performs vulnerability detection
- Executes security assessments
- Generates and forwards events
Most Linux agent customization is performed through this configuration file.
Location of ossec.conf
On Linux systems, the primary configuration file is located at:
/var/ossec/etc/ossec.conf
View the current configuration:
sudo cat /var/ossec/etc/ossec.conf
Edit the configuration:
sudo nano /var/ossec/etc/ossec.conf
Always create a backup before making changes:
sudo cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.bak
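Backing up the file is only half of a safe edit: a malformed ossec.conf stops the agent from starting, so the candidate file should be checked before it replaces the live one. The script below is an added example, not from the guide or from Wazuh; it assumes either `xmllint` (libxml2) or `python3` is installed for the well-formedness check, and it takes the live path as a parameter so it can be exercised on scratch files.

```shell
#!/usr/bin/env sh
# Validate and apply an ossec.conf with a timestamped backup (added example).
# Assumes: xmllint or python3 is available for the XML check.

# Return 0 if the file is well-formed, 1 if not, 2 if no checker is installed.
validate_ossec_conf() {
  file="$1"
  # Wazuh allows several top-level <ossec_config> blocks in one file, which is
  # not well-formed XML on its own, so wrap the content in a synthetic root.
  if command -v xmllint >/dev/null 2>&1; then
    { printf '<wrapper>\n'; cat "$file"; printf '</wrapper>\n'; } |
      xmllint --noout - >/dev/null 2>&1
  elif command -v python3 >/dev/null 2>&1; then
    { printf '<wrapper>\n'; cat "$file"; printf '</wrapper>\n'; } |
      python3 -c 'import sys, xml.dom.minidom as m; m.parseString(sys.stdin.read())' \
      >/dev/null 2>&1
  else
    return 2
  fi
}

# Copy CANDIDATE over LIVE (default /var/ossec/etc/ossec.conf) only if it
# validates; the previous live file is kept as LIVE.<timestamp>.bak.
apply_ossec_conf() {
  candidate="$1"
  live="${2:-/var/ossec/etc/ossec.conf}"
  backup="${live}.$(date +%Y%m%d%H%M%S).bak"
  if ! validate_ossec_conf "$candidate"; then
    echo "refusing to apply $candidate: not well-formed XML, or no XML checker installed" >&2
    return 1
  fi
  cp -p "$live" "$backup" 2>/dev/null || true  # no live file yet on a fresh install
  cp "$candidate" "$live"
  echo "applied $candidate to $live (backup: $backup)"
}

# Usage, run as root on the endpoint, then restart the agent:
#   apply_ossec_conf /tmp/ossec.conf.new && systemctl restart wazuh-agent
```

The well-formedness check catches the common editing mistakes (an unclosed `<directories>` tag, a stray `<`) but not semantic errors such as a misspelled option name; for those, review `/var/ossec/logs/ossec.log` after the restart.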
Key Configuration Sections
Several sections within ossec.conf are commonly modified when onboarding Linux endpoints.
These include:
| Configuration Section | Purpose |
|---|---|
| <client> | Manager connectivity settings |
| <localfile> | Log collection configuration |
| <syscheck> | File Integrity Monitoring |
| <rootcheck> | Rootkit detection |
| <sca> | Security Configuration Assessment |
| <labels> | Asset tagging and grouping |
Understanding these sections will make future customization significantly easier.
Configure Manager Connectivity
The most important configuration task is ensuring the agent can communicate with the Wazuh manager.
Server Address Settings
Within the <client> section, specify the Wazuh manager address:
<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
</client>
Replace the IP address with your actual Wazuh manager hostname or IP.
Example using a hostname:
<address>wazuh-manager.example.com</address>
Using DNS names instead of hardcoded IP addresses can simplify future infrastructure changes.
Communication Protocol Settings
Wazuh supports both TCP and UDP communication.
Example TCP configuration:
<protocol>tcp</protocol>
TCP is generally recommended because it provides:
- Reliable message delivery
- Better event integrity
- Improved communication stability
- Reduced risk of dropped events
Most modern Wazuh deployments use TCP for agent communication.
Customize Agent Settings
Beyond manager connectivity, administrators can customize how Linux endpoints appear and behave within Wazuh.
Agent Name
The agent name identifies the endpoint within the Wazuh dashboard.
By default, Wazuh uses the system hostname.
Verify the hostname:
hostname
Using descriptive hostnames makes endpoint management easier, especially in large environments.
Examples:
web-server-01
database-prod-02
ubuntu-dev-01
Agent Grouping
Agent groups allow administrators to apply common configurations and rules to multiple endpoints.
Examples of useful groups include:
- Linux Servers
- Production Servers
- Development Systems
- Web Servers
- Database Servers
- Cloud Workloads
Groups simplify administration by allowing centralized policy management.
For example, all production Linux servers can inherit the same monitoring policies and detection rules.
Local Log Collection
One of the primary functions of the Linux agent is collecting logs.
Wazuh can monitor:
- Authentication logs
- Syslog
- Application logs
- Auditd logs
- Custom log files
Example authentication log monitoring:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>
For RHEL-based distributions:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure</location>
</localfile>
Custom application logs can also be monitored:
<localfile>
  <log_format>syslog</log_format>
  <location>/opt/application/logs/app.log</location>
</localfile>
Proper log collection is essential for effective threat detection and incident response.
Monitoring Directories
The Syscheck module enables File Integrity Monitoring (FIM) by tracking changes to important files and directories.
Example configuration:
<syscheck>
  <directories check_all="yes">/etc</directories>
  <directories check_all="yes">/usr/bin</directories>
  <directories check_all="yes">/var/www</directories>
</syscheck>
Common Linux directories worth monitoring include:
- /etc
- /usr/bin
- /usr/sbin
- /var/www
- /home
- Application configuration directories
When a monitored file is modified, Wazuh generates an alert that can be investigated by security teams.
For a complete walkthrough of FIM configuration, see our How to Configure File Integrity Monitoring (FIM) in Wazuh guide.
Best Practices for Linux Agent Configuration
When configuring Linux agents, consider the following recommendations:
- Use hostnames rather than IP addresses when possible.
- Group agents based on role and environment.
- Monitor only critical directories to reduce noise.
- Regularly review collected logs.
- Enable File Integrity Monitoring on sensitive files.
- Test configuration changes before deploying to production.
- Keep agents updated with the latest Wazuh releases.
According to guidance from the Center for Internet Security, continuous monitoring of system logs and critical file changes is a foundational security control for detecting unauthorized activity and maintaining system integrity.
Once the configuration is complete, the next step is starting the Wazuh agent service and ensuring it launches automatically when the Linux system boots.
Step 4: Start and Enable the Agent Service
After configuring the Wazuh agent, the next step is starting the service and ensuring it automatically launches whenever the Linux system boots.
Start the Wazuh Agent
The Wazuh agent runs as a system service on Linux systems. Once started, it begins collecting security data and communicating with the Wazuh manager.
Systemd Commands
Most modern Linux distributions use systemd for service management.
Start the agent using:
sudo systemctl start wazuh-agent
If you recently modified the configuration, reload systemd before starting the service:
sudo systemctl daemon-reload
sudo systemctl start wazuh-agent
The agent should begin communicating with the manager immediately after startup.
Service Verification
Verify that the service started successfully:
sudo systemctl status wazuh-agent
A healthy service should display output similar to:
Active: active (running)
You can also verify the process directly:
ps aux | grep wazuh
If the service fails to start, review the logs for configuration errors or connectivity issues.
Enable Automatic Startup
To ensure continuous monitoring, configure the Wazuh agent to start automatically during system boot.
Configure Startup on Boot
Enable the service:
sudo systemctl enable wazuh-agent
Expected output:
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service
This ensures the agent starts automatically after system reboots.
Verify Service Status
Confirm that automatic startup is enabled:
sudo systemctl is-enabled wazuh-agent
Expected output:
enabled
You can also verify both startup configuration and runtime status:
sudo systemctl status wazuh-agent
At this stage, the Linux endpoint should be actively communicating with the Wazuh manager.
For environments managing large numbers of agents, keeping services enabled across all endpoints helps maintain consistent monitoring coverage and reduces the risk of blind spots following system restarts.
See our How to Upgrade a Wazuh Agent guide.
Step 5: Verify the Linux Endpoint Is Connected
After starting the Wazuh agent, you should verify that the endpoint is successfully connected to the Wazuh manager and actively transmitting data.
This validation step confirms that installation, enrollment, configuration, and network connectivity are all functioning correctly.
Check Agent Status from the Endpoint
The first verification step should be performed directly on the Linux system.
Service Status Commands
Confirm that the service remains active:
sudo systemctl status wazuh-agent
You can also verify the process:
sudo pgrep wazuh-agentd
Or:
ps -ef | grep wazuh
The agent process should be visible and running without errors.
Reviewing Agent Logs
The agent log file contains detailed information about enrollment, connectivity, and event transmission.
View recent log entries:
sudo tail -f /var/ossec/logs/ossec.log
Successful communication often produces entries similar to:
Connected to server
Agent started successfully
Watch for warning messages related to:
- Authentication failures
- DNS resolution problems
- Connection timeouts
- Certificate errors
- Manager communication failures
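Reading `ossec.log` by eye works for one endpoint; across many, the same check is easier to script. The functions below are an added example, not part of the guide or of Wazuh: they classify a log by its last connectivity-relevant line and list which of the problem classes above appear. The sample log lines in the test are constructed and only approximate real wazuh-agentd messages, so the patterns key on the stable words ("Connected to", the ERROR/WARNING levels) rather than on exact message text.

```shell
#!/usr/bin/env sh
# Summarize a Wazuh agent log for connectivity problems (added example).
# Default path is the agent log shown in the guide; any file can be passed.

# Print a verdict and return 0 (connected), 1 (last relevant line is an
# error/warning), or 2 (no connection and no errors logged yet).
agent_log_status() {
  log="${1:-/var/ossec/logs/ossec.log}"
  last=$(grep -E 'Connected to|ERROR|WARNING|CRITICAL' "$log" | tail -n 1)
  case "$last" in
    *"Connected to"*) echo connected;     return 0 ;;
    "")               echo no-connection; return 2 ;;
    *)                echo errors;        return 1 ;;
  esac
}

# Print one line per problem class from the guide's list that the log mentions.
# Patterns are deliberately broad; they are hints for where to look, not rules.
agent_log_issues() {
  log="${1:-/var/ossec/logs/ossec.log}"
  grep -Eqi 'authentication|invalid key|key not found' "$log" && echo authentication
  grep -Eqi 'resolve|name or service not known|dns'    "$log" && echo dns
  grep -Eqi 'timed? ?out'                              "$log" && echo timeout
  grep -Eqi 'certificate|ssl|tls'                      "$log" && echo certificate
  return 0
}

# Usage on an endpoint:
#   agent_log_status && echo "agent is talking to the manager"
#   agent_log_issues
```

A verdict of `errors` with `timeout` listed points at the firewall and port checks from the prerequisites; `errors` with `authentication` points at the enrollment step and the agent key.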
For troubleshooting certificate-related issues, see our How to Fix Wazuh Certificate Errors guide.
Verify Agent Registration in Wazuh Dashboard
The Wazuh dashboard provides the easiest way to confirm that the endpoint has successfully enrolled.
Navigate to:
Wazuh Dashboard → Agents
Confirm Active Connection
Locate the newly added Linux endpoint.
Verify that:
- Status shows Active
- Last keepalive time is recent
- Agent version is displayed
- Operating system information is present
An active status indicates successful communication between the endpoint and the manager.
Review Endpoint Information
Select the endpoint to review additional details such as:
- Hostname
- IP address
- Agent ID
- Operating system version
- Agent version
- Group membership
Verifying this information helps confirm that the correct endpoint was enrolled.
Validate Communication with the Manager
A healthy connection requires more than successful registration. The endpoint should continuously exchange data with the manager.
Check Heartbeat Status
Wazuh agents periodically send keepalive messages to confirm availability.
From the dashboard, verify:
- Recent heartbeat activity
- No disconnected status
- Consistent communication timestamps
If heartbeat messages stop appearing, investigate network connectivity and firewall settings.
Confirm Event Transmission
Generate a simple test event to verify data collection.
For example:
sudo su -
Or intentionally trigger a failed SSH login attempt.
Then review the dashboard for newly generated alerts.
Successful alert generation confirms:
- Log collection is working
- Agent communication is operational
- Event processing is functioning properly
- Alert generation is working correctly
According to guidance from the National Institute of Standards and Technology, validating monitoring controls after deployment is a critical step in ensuring security visibility and maintaining effective detection capabilities.
If the endpoint does not appear active, review connectivity settings and consult our Wazuh Agent Not Connecting to Manager? 12 Proven Fixes guide.
Configuring Linux Security Monitoring Features
Once the Linux endpoint is connected to Wazuh, you can begin enabling advanced monitoring capabilities to improve visibility and strengthen your security posture.
These features transform the endpoint from a simple log source into a comprehensive security monitoring sensor.
Enable Log Monitoring
Log monitoring is one of the most important Wazuh capabilities because it provides visibility into authentication events, application activity, system changes, and potential attack indicators.
Authentication Logs
Authentication logs help detect:
- Failed login attempts
- Brute-force attacks
- Privilege escalation activity
- Unauthorized account access
Ubuntu and Debian systems typically use:
/var/log/auth.log
RHEL-based systems typically use:
/var/log/secure
Example configuration:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>
System Logs
System logs provide visibility into operating system events.
Example:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>
Monitoring system logs can help identify:
- Service failures
- Kernel events
- Configuration changes
- Suspicious system activity
Application Logs
Many organizations monitor custom application logs.
Example:
<localfile>
  <log_format>syslog</log_format>
  <location>/opt/application/logs/application.log</location>
</localfile>
Application log monitoring improves detection capabilities by correlating security events with application behavior.
Configure File Integrity Monitoring (FIM)
File Integrity Monitoring detects unauthorized modifications to important files and directories.
Monitor Critical Directories
Example configuration:
<syscheck>
  <directories check_all="yes">/etc</directories>
  <directories check_all="yes">/usr/bin</directories>
  <directories check_all="yes">/var/www</directories>
</syscheck>
Common directories to monitor include:
- /etc
- /usr/bin
- /usr/sbin
- /var/www
- /home
Detect Unauthorized Changes
Wazuh generates alerts whenever monitored files are:
- Created
- Modified
- Deleted
- Renamed
This helps security teams quickly identify unauthorized configuration changes and potential compromise attempts.
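The `<client>`, `<localfile>` and `<syscheck>` fragments shown in Step 3 and in this section all live in the same agent-side ossec.conf. The file below assembles them into one complete `<ossec_config>` block as an added example; it is not the guide's or Wazuh's default configuration. It also uses standard options the guide does not show: the `audit` log format for auditd, the `realtime` and `report_changes` attributes on `<directories>`, comma-separated directory lists, a scan `<frequency>`, and `<ignore>` entries to keep noisy files out of FIM alerts. The manager hostname and the `/var/www` and `/etc/.*\.cache` paths are placeholders to adapt.

```xml
<ossec_config>
  <!-- Manager connectivity (Step 3): hostname rather than a hard-coded IP -->
  <client>
    <server>
      <address>wazuh-manager.example.com</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <!-- Authentication log: /var/log/auth.log on Ubuntu/Debian,
       /var/log/secure on RHEL-based systems (use one or the other) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- General system log -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <!-- auditd records use the dedicated audit format, not syslog -->
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <!-- Custom application log (placeholder path) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/opt/application/logs/application.log</location>
  </localfile>

  <!-- File Integrity Monitoring -->
  <syscheck>
    <!-- Full scheduled scan every 12 hours -->
    <frequency>43200</frequency>
    <!-- Configuration: alert immediately and include a diff of the change -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>
    <!-- Binaries: scheduled scan is enough, they should rarely change -->
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <!-- Web content: real-time alerts on defacement or dropped files -->
    <directories check_all="yes" realtime="yes">/var/www</directories>
    <!-- Files that change constantly and would only generate noise -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">^/etc/.*\.cache$</ignore>
  </syscheck>
</ossec_config>
```

Keep `report_changes` to directories holding text configuration: it stores a copy of each monitored file to produce diffs, which is wasteful for binaries and can expose secrets if a monitored file contains credentials. After saving the file, restart the agent (`sudo systemctl restart wazuh-agent`) and confirm in `/var/ossec/logs/ossec.log` that syscheck started without configuration errors.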
See our How to Configure File Integrity Monitoring (FIM) in Wazuh guide.
Enable Vulnerability Detection
Vulnerability detection allows Wazuh to identify software packages that contain known security vulnerabilities.
Package Inventory Collection
The agent continuously inventories installed packages and software versions.
Examples include:
- Operating system packages
- Installed services
- Third-party software
- Security tools
Vulnerability Scanning Workflow
The general process is:
- Collect package inventory.
- Send inventory to the manager.
- Compare packages against vulnerability feeds.
- Generate alerts for vulnerable software.
- Track remediation progress.
This provides ongoing visibility into endpoint security risks.
See our Wazuh Vulnerability Detection Not Working? Here’s How to Fix It guide.
Configure Security Configuration Assessment
Security Configuration Assessment (SCA) evaluates Linux systems against security best practices.
CIS Benchmark Monitoring
Wazuh includes policies based on recommendations from the Center for Internet Security.
Examples include:
- Password policy validation
- SSH hardening checks
- Service configuration reviews
- User account auditing
Compliance Reporting
SCA results can be used to support compliance initiatives such as:
- PCI DSS
- HIPAA
- NIST Cybersecurity Framework
- CIS Controls
Reports help identify configuration weaknesses and track remediation efforts over time.
Enable Rootkit Detection
Rootkit detection provides another layer of endpoint protection.
Rootcheck Functionality
Wazuh’s Rootcheck module searches for indicators associated with:
- Rootkits
- Hidden files
- Hidden processes
- Suspicious ports
- Unauthorized system modifications
These checks help identify advanced threats that may attempt to evade traditional detection methods.
Scheduled Scans
Rootcheck scans run automatically on a scheduled basis.
Administrators can customize scan frequency and monitoring scope within the agent configuration file.
Regular scans improve the likelihood of detecting stealthy threats before they can establish long-term persistence.
To further strengthen endpoint detection capabilities, consider creating custom detection logic tailored to your environment.
You can view our How to Create Custom Detection Rules in Wazuh (With Examples) guide.
Organizations seeking additional threat intelligence enrichment can also integrate external intelligence feeds.
Our How to Integrate Wazuh with VirusTotal for Threat Intelligence guide will help with that.
Organizing Linux Endpoints with Agent Groups
As your Wazuh deployment grows, managing Linux endpoints individually becomes increasingly difficult.
Agent groups provide a scalable way to organize endpoints, apply consistent configurations, and simplify administration across large environments.
Whether you manage dozens or thousands of Linux systems, agent groups can significantly reduce management overhead.
Why Use Agent Groups?
Agent groups allow administrators to logically organize endpoints based on their role, location, operating system, or business function.
Instead of configuring each endpoint individually, settings can be applied to an entire group.
Simplified Management
Without agent groups, administrators must manage agents one at a time.
With groups, you can:
- Apply configurations to multiple endpoints simultaneously
- Manage large environments more efficiently
- Reduce administrative effort
- Standardize monitoring across systems
- Simplify onboarding of new servers
For example, all Ubuntu web servers can belong to a single group that shares the same monitoring configuration.
Consistent Policies
Agent groups help enforce consistent security policies.
Examples include:
- Common File Integrity Monitoring settings
- Shared log collection rules
- Standardized Security Configuration Assessment policies
- Consistent alerting behavior
- Uniform vulnerability detection settings
This helps prevent configuration drift and improves visibility across the environment.
Creating Agent Groups
Creating groups is a straightforward process within the Wazuh dashboard.
Group Creation Process
Navigate to:
Wazuh Dashboard → Agents → Groups
Create a new group and provide a descriptive name.
Examples:
- Linux-Servers
- Production-Servers
- Ubuntu-Hosts
- Web-Servers
- Database-Servers
- Cloud-Instances
Choose naming conventions that are easy for administrators to understand and maintain.
Assigning Linux Endpoints
Once a group is created, agents can be assigned individually or in bulk.
Common grouping strategies include:
- Operating system type
- Environment (Production, Development, Testing)
- Geographic location
- Business unit
- Server role
A Linux endpoint can typically be reassigned if organizational requirements change.
Applying Group-Based Configurations
The primary benefit of groups is centralized configuration management.
Centralized Management
Administrators can manage policies from a single location rather than modifying individual endpoints.
Examples include:
- Log monitoring rules
- FIM policies
- Rootcheck settings
- SCA policies
- Agent labels
This significantly reduces administrative workload.
Configuration Inheritance
Agents inherit settings from their assigned groups.
This means:
- New endpoints receive predefined configurations automatically.
- Policy updates can be deployed centrally.
- Configuration consistency improves across the environment.
- Security controls become easier to maintain.
Organizations with large Linux fleets often rely heavily on groups to ensure standardized monitoring and security controls across all endpoints.
According to guidance from the National Institute of Standards and Technology, standardized security configurations are a key component of effective system management and risk reduction.
Proper use of agent groups becomes increasingly important as your Wazuh deployment scales.
Troubleshooting Linux Agent Installation Issues
Even with a straightforward deployment process, Linux agent installations can occasionally encounter issues related to connectivity, registration, configuration, or operating system compatibility.
The following troubleshooting steps address the most common problems administrators encounter when adding Linux endpoints to Wazuh.
Agent Not Appearing in the Dashboard
One of the most common issues occurs when the agent installs successfully but never appears within the Wazuh dashboard.
Registration Issues
Verify that the endpoint completed the enrollment process successfully.
Review the agent log:
sudo tail -f /var/ossec/logs/ossec.log
Look for enrollment-related messages such as:
Agent key received
Agent successfully added
If enrollment failed, repeat the registration process.
Connectivity Problems
Verify connectivity to the Wazuh manager:
ping MANAGER_IP
Test communication ports:
nc -zv MANAGER_IP 1514
nc -zv MANAGER_IP 1515
Failure indicates a network communication issue that must be resolved before enrollment can succeed.
Firewall Restrictions
Review firewall configurations on:
- Linux endpoint
- Wazuh manager
- Network firewalls
- Cloud security groups
Required communication ports must remain accessible.
Agent Shows as Disconnected
Sometimes agents appear in the dashboard but display a disconnected status.
Network Troubleshooting
Verify connectivity between the endpoint and manager.
Check:
- Routing
- DNS resolution
- Firewall rules
- VPN connectivity
- Network security appliances
Intermittent network interruptions can cause agents to appear disconnected.
Service Verification
Confirm that the Wazuh agent service is running:
sudo systemctl status wazuh-agent
Restart the service if necessary:
sudo systemctl restart wazuh-agent
Certificate and Key Issues
Enrollment keys or certificates can occasionally become corrupted or invalid.
Symptoms may include:
- Authentication failures
- Connection refusals
- Enrollment errors
If certificates are involved in your deployment, see our How to Fix Wazuh Certificate Errors guide.
Manager Connection Errors
Connection failures are often caused by configuration issues.
Incorrect Manager IP Address
Verify the manager address configured within:
/var/ossec/etc/ossec.conf
Example:
<address>192.168.1.100</address>
An incorrect IP address or hostname will prevent communication.
DNS Resolution Failures
If using hostnames, verify DNS functionality:
nslookup wazuh-manager.example.com
Or:
dig wazuh-manager.example.com
The endpoint must successfully resolve the manager hostname.
Port Communication Issues
Confirm access to required ports:
| Port | Protocol | Purpose |
|---|---|---|
| 1514 | TCP/UDP | Agent communication |
| 1515 | TCP | Agent enrollment |
Blocked ports are a frequent cause of connection failures.
Installation Package Errors
Package installation failures are generally operating system or repository related.
Repository Configuration Problems
Verify repository configuration files.
For Debian-based systems:
cat /etc/apt/sources.list.d/wazuh.list
For RPM-based systems:
cat /etc/yum.repos.d/wazuh.repo
Ensure repository URLs are valid and accessible.
Dependency Issues
Missing dependencies may prevent successful installation.
Update package repositories:
sudo apt update
Or, on RPM-based systems (yum update would upgrade every installed package; makecache only refreshes the repository metadata):
sudo yum makecache
Install any missing requirements before retrying installation.
Unsupported Distribution Versions
Older Linux distributions may not be supported by current Wazuh releases.
Verify compatibility against the official support matrix.
Log Collection Not Working
Sometimes agents connect successfully but fail to collect logs.
Incorrect Log Paths
Verify that configured log locations actually exist.
Examples:
/var/log/auth.log
/var/log/secure
Incorrect paths prevent data collection.
Permission Issues
Ensure the Wazuh agent has permission to read monitored logs.
Example:
ls -la /var/log/auth.log
Review file ownership and permissions as needed.
Configuration Errors
Validate custom configuration changes within:
/var/ossec/etc/ossec.conf
XML syntax errors can prevent monitoring modules from functioning properly.
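The checks in this troubleshooting section are usually run one at a time by hand. The script below is an added example, not code from the article or the Wazuh project, that runs them in order on the endpoint: agent service state, the manager `<address>` in ossec.conf, name resolution, TCP reachability of ports 1514 and 1515, enrollment messages in ossec.log, readability of every monitored `<location>`, and XML syntax of ossec.conf. It assumes the default Wazuh paths, uses the enrollment strings named above, and treats nc and xmllint as optional; the function names and the sample configuration used in testing are constructed for this example.

```shell
#!/bin/sh
# Added example (not Wazuh project code): first-pass triage for a Linux agent
# that installed but does not appear, or shows as disconnected.
# Usage (as root on the endpoint): sh agent-triage.sh --run

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"
# Enrollment messages as named in this guide; adjust to your agent version.
ENROLL_PATTERN='Agent key received|Agent successfully added'

# First <address> inside the <client> block of ossec.conf.
manager_address() {  # FILE
    sed -n '/<client>/,/<\/client>/p' "$1" |
        sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' | head -n 1
}

# 0 if the argument is an IPv4 literal (digits and dots only), else 1.
is_ipv4_literal() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Resolve HOST with the system resolver; IP literals need no lookup.
resolves() {  # HOST
    is_ipv4_literal "$1" && return 0
    getent hosts "$1" >/dev/null 2>&1
}

# TCP reachability of HOST:PORT; returns 2 (skipped) when nc is absent.
port_open() {  # HOST PORT
    command -v nc >/dev/null 2>&1 || return 2
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# "enrolled" if the log contains a successful enrollment message.
enrollment_status() {  # LOGFILE
    if grep -Eq "$ENROLL_PATTERN" "$1" 2>/dev/null; then
        echo enrolled
    else
        echo not-enrolled
    fi
}

# Absolute <location> paths from <localfile> blocks that are missing or
# unreadable by the current user (wildcard locations are skipped).
unreadable_localfiles() {  # FILE
    sed -n 's/.*<location>\(\/[^<*]*\)<\/location>.*/\1/p' "$1" |
    while IFS= read -r path; do
        [ -r "$path" ] || echo "$path"
    done
}

# XML well-formedness of ossec.conf. The file may hold several top-level
# <ossec_config> elements, so wrap it in a throwaway root before checking.
# Returns 0 ok, 1 broken, 2 xmllint not installed.
conf_well_formed() {  # FILE
    command -v xmllint >/dev/null 2>&1 || return 2
    { echo '<wrap>'; cat "$1"; echo '</wrap>'; } | xmllint --noout - 2>/dev/null
}

run_triage() {
    printf 'service: '; systemctl is-active wazuh-agent 2>/dev/null || echo unknown
    mgr=$(manager_address "$OSSEC_CONF")
    echo "manager address: ${mgr:-<none found>}"
    [ -n "$mgr" ] || return 0
    resolves "$mgr" && echo "dns: ok" || echo "dns: FAILED to resolve $mgr"
    for p in 1514 1515; do
        port_open "$mgr" "$p"; rc=$?
        case $rc in
            0) echo "tcp $p: open" ;;
            2) echo "tcp $p: skipped (nc not installed)" ;;
            *) echo "tcp $p: BLOCKED" ;;
        esac
    done
    echo "enrollment: $(enrollment_status "$OSSEC_LOG")"
    unreadable_localfiles "$OSSEC_CONF" | sed 's/^/unreadable log: /'
    conf_well_formed "$OSSEC_CONF"; rc=$?
    case $rc in
        0) echo "ossec.conf xml: ok" ;;
        2) echo "ossec.conf xml: skipped (xmllint not installed)" ;;
        *) echo "ossec.conf xml: BROKEN" ;;
    esac
}

# Only run when asked, so the functions can also be sourced individually.
if [ "${1:-}" = "--run" ]; then run_triage; fi
```

Read the output top down: a missing manager address or a BROKEN ossec.conf explains everything below it, a DNS or port failure points at the network and firewall items earlier in this section, and "not-enrolled" with open ports means the registration step should be repeated.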
For a more comprehensive troubleshooting guide, see:
Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work
Best Practices for Managing Linux Endpoints in Wazuh
Following a consistent management strategy helps improve visibility, reduce operational overhead, and maintain a secure Wazuh deployment as your environment grows.
Use Agent Groups for Large Environments
Agent groups provide centralized management and simplify administration.
Benefits include:
- Consistent monitoring policies
- Faster onboarding
- Easier configuration management
- Reduced configuration drift
- Improved scalability
Organizing endpoints by role, operating system, or environment can significantly improve operational efficiency.
Keep Agents Updated
Regular updates provide:
- Security patches
- Performance improvements
- New monitoring features
- Bug fixes
- Improved compatibility
Develop a routine update process and test upgrades in non-production environments before broad deployment.
For upgrade guidance, see:
Monitor Agent Health Regularly
Regularly review:
- Agent connectivity status
- Heartbeat activity
- Resource utilization
- Error logs
- Monitoring coverage
Early detection of communication issues helps prevent visibility gaps.
Many organizations implement dashboards and alerts specifically for agent health monitoring.
Enable Only Necessary Monitoring Features
While Wazuh offers extensive monitoring capabilities, enabling every feature on every endpoint is not always necessary.
Focus on:
- Authentication logs
- Critical application logs
- File Integrity Monitoring
- Vulnerability detection
- Security Configuration Assessment
Reducing unnecessary monitoring can improve performance and reduce alert fatigue.
Secure Agent-to-Manager Communications
Protecting communication channels is critical.
Recommended practices include:
- Using encrypted communications
- Restricting network access
- Protecting enrollment credentials
- Regularly rotating certificates when applicable
- Limiting manager exposure to trusted networks
The Cybersecurity and Infrastructure Security Agency recommends securing administrative communications and limiting exposure of critical management systems to reduce attack surface.
Test Configurations Before Production Deployment
Before rolling out changes to production endpoints:
- Test on a small group of systems
- Validate log collection
- Verify alert generation
- Confirm performance impact
- Review false positives
A phased deployment approach reduces operational risk and minimizes disruptions.
Following these best practices will help ensure your Linux endpoints remain properly monitored, consistently configured, and capable of providing the visibility needed for effective threat detection and incident response within Wazuh.
Frequently Asked Questions
Question: How Do I Add an Ubuntu Server to Wazuh?
Adding an Ubuntu server to Wazuh involves four main steps:
- Register the agent from the Wazuh dashboard or manager.
- Install the Wazuh agent package on Ubuntu.
- Configure the manager IP address in ossec.conf.
- Start and enable the Wazuh agent service.
Once the agent successfully connects to the manager, the Ubuntu server will appear in the Wazuh dashboard and begin sending security telemetry.
Ubuntu is one of the most commonly deployed Linux distributions in Wazuh environments and is fully supported by the platform.
Question: Can Wazuh Monitor Linux Systems Without an Agent?
Wazuh is primarily designed as an agent-based security monitoring platform.
The Wazuh agent provides capabilities such as:
- Log collection
- File Integrity Monitoring (FIM)
- Vulnerability detection
- Security Configuration Assessment
- Rootkit detection
While some log sources can be forwarded remotely through Syslog or other mechanisms, agentless monitoring does not provide the same level of visibility as a fully installed Wazuh agent.
For comprehensive Linux security monitoring, agent deployment is strongly recommended.
Question: What Ports Are Required for Linux Agents?
Linux agents typically require the following ports:
| Port | Protocol | Purpose |
|---|---|---|
| 1514 | TCP/UDP | Agent-to-manager communication |
| 1515 | TCP | Agent enrollment and registration |
| 55000 | TCP | Wazuh API access (optional) |
If firewalls block these ports, agents may fail to enroll or communicate with the Wazuh manager.
Always verify firewall and network security group configurations before troubleshooting more complex issues.
Question: How Do I Update a Wazuh Linux Agent?
Keeping agents updated is important for maintaining security, stability, and compatibility.
The general process involves:
- Updating package repositories.
- Installing the latest Wazuh agent package.
- Restarting the agent service.
- Verifying successful communication.
Organizations should test updates in a non-production environment before deploying them broadly.
Question: Why Is My Linux Agent Showing as Disconnected?
Several issues can cause an agent to appear disconnected.
Common causes include:
- Network connectivity failures
- Incorrect manager configuration
- DNS resolution problems
- Firewall restrictions
- Expired certificates
- Corrupted agent keys
- Stopped agent services
Start troubleshooting by checking:
sudo systemctl status wazuh-agent
Then review:
sudo tail -f /var/ossec/logs/ossec.log
The agent logs often provide the fastest path to identifying the root cause.
Related guides:
Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work
How to Fix Wazuh Certificate Errors
Question: Can I Manage Thousands of Linux Endpoints with Wazuh?
Yes. Wazuh is designed to support large-scale deployments.
Organizations commonly use Wazuh to monitor:
- Thousands of Linux servers
- Cloud workloads
- Virtual machines
- Container hosts
- Hybrid environments
To manage large deployments effectively, administrators should:
- Use agent groups
- Implement deployment automation
- Standardize configurations
- Monitor agent health
- Scale Wazuh infrastructure appropriately
According to the official Wazuh architecture guidance, distributed deployments can be scaled using multiple managers, indexers, and clustered components to support enterprise environments.
For large deployments, proper backend scaling is equally important.
Related guides:
How to Build a Wazuh Indexer Cluster
Conclusion
Adding Linux endpoints to Wazuh is one of the most important steps in building a comprehensive security monitoring program.
Without endpoint visibility, organizations can miss critical indicators of compromise, unauthorized system changes, and vulnerability exposures that often originate directly on servers and workstations.
Recap of the Linux Endpoint Onboarding Process
Throughout this guide, we covered the complete Linux agent deployment workflow, including:
- Understanding the Wazuh agent architecture
- Verifying deployment prerequisites
- Registering Linux agents
- Installing the Wazuh agent
- Configuring manager connectivity
- Starting and enabling the agent service
- Verifying successful communication
- Enabling advanced monitoring capabilities
- Organizing endpoints with agent groups
- Troubleshooting common deployment issues
Following these steps ensures that Linux systems are properly integrated into your Wazuh environment and actively contributing security telemetry.
Importance of Continuous Endpoint Monitoring
Installing an agent is only the beginning.
Continuous endpoint monitoring allows security teams to:
- Detect suspicious activity in real time
- Identify unauthorized file changes
- Monitor authentication events
- Discover vulnerable software
- Assess security configurations
- Investigate incidents more effectively
Research from the SANS Institute consistently highlights endpoint visibility as a foundational component of modern threat detection and incident response programs.
Organizations that continuously monitor endpoints are generally better positioned to detect attacks before they escalate into significant security incidents.
Next Steps for Enhancing Linux Security with Wazuh
Once Linux endpoints are successfully onboarded, consider expanding your monitoring capabilities by:
- Creating custom detection rules
- Enabling advanced File Integrity Monitoring
- Integrating threat intelligence feeds
- Monitoring firewall activity
- Improving vulnerability management processes
- Building compliance monitoring dashboards
These enhancements can significantly increase the effectiveness of your Wazuh deployment.
Additional Wazuh Features to Explore After Agent Deployment
To further strengthen your security monitoring program, explore these additional Wazuh capabilities:
- How to Create Custom Detection Rules in Wazuh (With Examples)
- How to Configure File Integrity Monitoring (FIM) in Wazuh
- How to Integrate Wazuh with VirusTotal for Threat Intelligence
- How to Detect Ransomware Activity Using Wazuh
- How to Collect Firewall Logs in Wazuh
- How to Monitor Kubernetes Using Wazuh
As your environment grows, you can continue expanding Wazuh by integrating additional security tools, automating deployments, and scaling your infrastructure to support larger workloads.
With properly configured Linux endpoints feeding data into the platform, Wazuh becomes a powerful centralized solution for threat detection, vulnerability management, compliance monitoring, and security operations.