Windows Server systems often host some of the most critical workloads in an organization, including Active Directory, file servers, web applications, databases, and business-critical services.
Because these systems are frequent targets for attackers, security teams need continuous visibility into system activity, user behavior, configuration changes, and potential threats. This is where the Wazuh Agent comes in.
What Is the Wazuh Agent?
The Wazuh Agent is a lightweight endpoint monitoring component that runs on servers, workstations, cloud instances, and virtual machines.
Once installed, it securely communicates with the Wazuh Manager, collecting and forwarding security telemetry in near real-time.
The agent provides capabilities such as log collection, file integrity monitoring (FIM), security configuration assessment (SCA), malware detection, vulnerability monitoring, system inventory collection, and active response.
According to the official Wazuh documentation, the agent is designed to monitor endpoints with minimal performance impact while providing comprehensive visibility into security events across the environment.
Why Install a Wazuh Agent on Windows Server?
Installing a Wazuh Agent on Windows Server enables organizations to collect valuable security and operational data directly from their servers.
This includes:
- Windows Event Logs (Security, System, and Application logs)
- User authentication and logon activity
- File and registry changes
- Security policy violations
- Malware and suspicious process activity
- System inventory and configuration information
- Compliance and auditing data
For security operations teams, endpoint visibility is a foundational requirement.
Research on endpoint security monitoring consistently shows that host-based agents play a critical role in detecting malicious activity by monitoring processes, registry changes, network activity, and system events in real time.
In practice, many security engineers deploy Wazuh agents on Windows domain controllers, application servers, and file servers to improve threat detection and incident response capabilities.
Community discussions within the Wazuh ecosystem frequently highlight Windows Event Log collection and Sysmon integration as key use cases for Windows deployments.
What You’ll Learn in This Guide
In this step-by-step tutorial, you’ll learn how to:
- Download the Wazuh Agent for Windows Server
- Install the agent using the graphical installer or command line
- Connect the agent to your Wazuh Manager
- Verify successful enrollment
- Confirm that logs are being received in the Wazuh Dashboard
- Troubleshoot common installation and connectivity issues
By the end of this guide, you’ll have a fully operational Wazuh Agent sending security telemetry from your Windows Server to your Wazuh deployment.
Supported Windows Server Versions
At the time of writing, the Wazuh Agent supports modern Windows Server operating systems, including:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
- Other supported Windows operating systems
The official Wazuh documentation confirms support for Windows Server 2022 and modern Windows releases, while Microsoft continues to provide long-term support for Windows Server 2019, 2022, and newer versions.
Before starting the installation process, ensure you have administrative privileges on the Windows Server and access to a running Wazuh Manager that will receive and analyze the agent’s security data.
What Is the Wazuh Agent?
The Wazuh Agent is a lightweight endpoint monitoring component that runs on Windows, Linux, macOS, cloud instances, virtual machines, and containers.
Its primary purpose is to collect security telemetry from monitored systems and securely send that data to the Wazuh Manager for analysis and alerting.
Unlike traditional antivirus solutions that focus primarily on malware prevention, the Wazuh Agent provides broad security visibility across the entire endpoint.
It monitors logs, tracks file changes, assesses system configurations, detects vulnerabilities, and helps security teams identify suspicious activity before it becomes a serious incident.
According to the official Wazuh documentation, the agent is one of the core components of the Wazuh platform and is responsible for collecting endpoint data and forwarding it through an encrypted communication channel to the Wazuh Server for processing.
Organizations commonly deploy Wazuh Agents on:
- Windows Servers
- Domain Controllers
- SQL Servers
- IIS Web Servers
- File Servers
- Linux Servers
- Cloud Workloads
- Employee Workstations
If you’re familiar with OSSEC, you’ll notice that Wazuh extends many of the capabilities originally introduced by OSSEC while adding SIEM, XDR, vulnerability detection, and cloud-native security functionality.
Overview of the Wazuh Architecture
The Wazuh platform consists of four primary components:
- Wazuh Agent
- Wazuh Server (Manager)
- Wazuh Indexer
- Wazuh Dashboard
The agent is installed directly on monitored endpoints such as Windows Servers.
It continuously collects logs, security events, inventory information, and configuration data.
The Wazuh Server receives this information, analyzes it using decoders and detection rules, and generates alerts when suspicious activity is detected.
The analyzed data is then stored in the Wazuh Indexer, allowing security teams to search, visualize, and investigate events through the Wazuh Dashboard.
This architecture allows organizations to centrally monitor hundreds or even thousands of endpoints from a single management console.
How the Agent Communicates with the Wazuh Manager
Communication between the Wazuh Agent and Wazuh Manager is encrypted and authenticated by default.
After installation, the agent enrolls with the Wazuh Manager and receives a unique authentication key.
Once enrolled, the agent establishes a secure connection and continuously sends security events to the manager for analysis.
The communication process typically follows these steps:
- Agent installation on the Windows Server
- Agent enrollment with the Wazuh Manager
- Authentication key exchange
- Secure communication channel establishment
- Continuous transmission of security events
By default, Wazuh uses AES encryption to protect communications between agents and the server.
This helps ensure that sensitive security data remains protected while traversing the network.
Key Capabilities
One of the reasons Wazuh has become popular among security teams is the broad set of security monitoring capabilities provided by a single agent.
Log Collection
Log collection is the foundation of Wazuh’s monitoring capabilities.
The agent collects logs from multiple Windows sources, including:
- Windows Event Viewer
- Security Logs
- Application Logs
- System Logs
- PowerShell Logs
- Sysmon Logs
- Custom Application Logs
These logs are forwarded to the Wazuh Manager where they are analyzed against thousands of built-in detection rules.
Many organizations integrate Microsoft’s Sysmon tool with Wazuh to gain deeper visibility into process creation, network connections, registry changes, and other endpoint activities.
File Integrity Monitoring (FIM)
File Integrity Monitoring (FIM) helps detect unauthorized modifications to important files and directories.
The Wazuh Agent continuously monitors selected files and alerts security teams when:
- Files are created
- Files are modified
- Files are deleted
- Permissions are changed
- Registry keys are altered
This capability is particularly valuable on Windows Servers hosting critical applications, web services, and sensitive business data.
FIM functionality is one of the core features inherited and expanded from OSSEC.
Security Configuration Assessment (SCA)
Security Configuration Assessment (SCA) enables automated auditing of security settings against industry best practices.
The Wazuh Agent evaluates Windows Server configurations against predefined policies and benchmarks, helping administrators identify:
- Weak security settings
- Missing hardening controls
- Compliance violations
- Configuration drift
This capability can help organizations align with standards such as:
- CIS Benchmarks
- PCI DSS
- NIST Cybersecurity Framework
Instead of manually reviewing dozens of security settings, administrators receive automated compliance reports directly within Wazuh.
Malware and Threat Detection
The Wazuh Agent helps detect suspicious behavior associated with malware, ransomware, and attacker activity.
Detection methods include:
- Rule-based event correlation
- Suspicious process monitoring
- Persistence detection
- Registry monitoring
- File integrity monitoring
- Threat intelligence integrations
When combined with endpoint visibility tools and SIEM functionality, Wazuh can provide many of the capabilities organizations traditionally purchase from commercial security platforms.
Vulnerability Detection
Wazuh includes built-in vulnerability detection capabilities that help identify known software vulnerabilities affecting monitored systems.
The platform continuously inventories installed software and compares it against vulnerability intelligence feeds to identify:
- Missing security patches
- Known CVEs
- High-risk software
- Vulnerable applications
This allows administrators to prioritize remediation efforts based on severity and exposure.
Vulnerability management is one of the major differentiators between Wazuh and traditional HIDS platforms such as OSSEC.
Prerequisites
Before installing a Wazuh Agent on Windows Server, verify that the following requirements are met.
Meeting these prerequisites beforehand will help avoid the most common enrollment and connectivity issues.
A Running Wazuh Server/Manager
The Wazuh Agent cannot function independently.
Before deployment, you must have a working Wazuh environment that includes:
- Wazuh Manager
- Wazuh Indexer
- Wazuh Dashboard
The manager is responsible for receiving, analyzing, and correlating security events from agents throughout your environment.
If you have not yet deployed a Wazuh server, complete that setup before proceeding with agent installation.
Administrator Access to Windows Server
You must have local administrator privileges on the Windows Server.
Administrative access is required to:
- Install the Wazuh Agent service
- Modify system settings
- Register the agent with the manager
- Configure monitoring modules
- Start and stop services
Without administrator permissions, the installation process will fail or the agent may not function correctly.
Network Connectivity Between the Agent and Manager
The Windows Server must be able to communicate with the Wazuh Manager across the network.
Before installation, verify:
- DNS resolution is working
- Routing is configured correctly
- Firewalls permit required traffic
- No security appliances are blocking communication
Connectivity issues are among the most common causes of failed agent enrollment according to both Wazuh documentation and community troubleshooting discussions.
Required Firewall Ports
By default, the following ports must be accessible between the Windows Server and the Wazuh Manager:
| Port | Protocol | Purpose |
|---|---|---|
| 1514 | TCP | Agent communication |
| 1515 | TCP | Agent enrollment |
| 55000 | TCP | API-based enrollment |
These ports can be customized, but most deployments use the default configuration. Note that 55000 is the Wazuh server API, used by the dashboard and by administrators for tasks such as registering agents remotely; the agent process itself only connects to 1514 and 1515, so a host firewall in front of the manager needs to allow just those two ports from your Windows Servers.
If your organization uses Windows Defender Firewall, third-party firewalls, or network security appliances, ensure these ports are allowed before continuing.
System Requirements
The Wazuh Agent has relatively modest resource requirements and can run efficiently on most modern Windows Server installations.
Supported operating systems include:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
You should also ensure:
- The latest Windows updates are installed
- Adequate disk space is available
- Stable network connectivity exists
- Antivirus software is not blocking the Wazuh service
For the latest compatibility information, consult the official Wazuh documentation.
Once these prerequisites are satisfied, you’re ready to download and install the Wazuh Agent on your Windows Server.
Step 1: Obtain the Wazuh Agent Installation Command
The easiest way to install a Wazuh Agent on Windows Server is to generate a pre-configured installation command directly from the Wazuh Dashboard.
This method automatically embeds your Wazuh Manager information and significantly reduces the chances of configuration errors.
Instead of manually configuring the agent after installation, Wazuh can generate a command that automatically registers the endpoint with your deployment.
Access the Wazuh Dashboard
Log in to your Wazuh Dashboard using an account with administrative privileges.
Once logged in, you’ll have access to agent management, security monitoring, dashboards, rules, and deployment tools.
Navigate to Deploy New Agent
From the left navigation menu:
Agents → Deploy New Agent
The deployment wizard allows you to generate customized installation commands for various operating systems.
This feature is especially useful when deploying agents across large Windows Server environments because it automatically configures enrollment settings.
Select Windows as the Operating System
In the deployment wizard, select:
- Operating System: Windows
- Wazuh Server Address: Your Wazuh Manager hostname or IP address
- Agent Group: Optional
The wizard will automatically generate a command tailored to your environment.
Specify the Wazuh Manager Address
Enter the hostname or IP address of your Wazuh Manager.
For example:
192.168.1.100
or
wazuh.company.local
The agent will use this address to communicate with the Wazuh Manager after installation.
Before proceeding, verify that the Windows Server can reach the manager over the network and that the required ports discussed earlier are open.
Select an Agent Group (Optional)
Wazuh Agent Groups allow you to apply different configurations to different systems.
For example, you might create separate groups for:
- Domain Controllers
- File Servers
- Database Servers
- Web Servers
- Development Systems
Grouping agents helps simplify management and allows security policies to be applied consistently across similar systems.
Generate the Installation Command
After entering the required information, click Generate.
Wazuh will create a command similar to:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.x.x-1.msi -OutFile ${env:tmp}\wazuh-agent.msi; msiexec.exe /i ${env:tmp}\wazuh-agent.msi /q WAZUH_MANAGER='192.168.1.100'
Keep this command available because you’ll use it during installation in the next step.
The generated command is often the fastest and most reliable deployment method recommended in the official Wazuh installation documentation.
Step 2: Download the Wazuh Agent on Windows Server
Once you’ve generated the installation command, the next step is downloading the Wazuh Agent installer onto your Windows Server.
Wazuh distributes agent packages through its official package repository, ensuring you receive verified and up-to-date releases.
Downloading from the Wazuh Repository
The recommended approach is downloading the installer directly from the official Wazuh Packages Repository.
The latest Windows agent packages can be found through the official installation documentation.
Using official packages helps ensure:
- Authentic software
- Latest security updates
- Compatibility with supported Wazuh versions
- Access to vendor support documentation
Avoid downloading Wazuh packages from third-party websites whenever possible.
Using PowerShell to Download the Installer
Most administrators prefer using PowerShell because it simplifies automation and remote deployment.
Open PowerShell as Administrator and run:
Invoke-WebRequest `
-Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.x.x-1.msi `
-OutFile $env:TEMP\wazuh-agent.msi
The installer will be downloaded to your temporary directory.
For enterprise deployments, this command can be incorporated into automation platforms such as:
- Group Policy
- Microsoft Endpoint Configuration Manager (SCCM)
- PowerShell Remoting
- Windows Admin Center
Verifying the Installer Download
Before installing the agent, verify that the file downloaded successfully.
You can confirm this by navigating to the download location:
Get-Item $env:TEMP\wazuh-agent.msi
You should see the MSI package listed.
For additional security, many administrators validate the package hash using PowerShell:
Get-FileHash $env:TEMP\wazuh-agent.msi
Comparing hashes against official release information helps ensure the package has not been corrupted during download.
This is a common security best practice recommended by Microsoft for software deployment and package verification.
Step 3: Install the Wazuh Agent
After downloading the installer, you’re ready to install the Wazuh Agent and connect the Windows Server to your Wazuh deployment.
There are two common installation methods:
- Graphical MSI installation
- PowerShell-based silent installation
Most system administrators prefer PowerShell because it is easier to automate across multiple servers.
Running the MSI Installer
To perform a graphical installation:
- Navigate to the downloaded MSI package.
- Double-click the installer.
- Follow the installation wizard.
- Accept the license agreement.
- Complete the installation.
After installation, you’ll still need to configure the agent to communicate with the Wazuh Manager.
This approach works well for small environments or one-off deployments.
Installing Through PowerShell
For automated deployments, use PowerShell and the Windows Installer utility.
Example:
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="192.168.1.100"
The /q flag performs a silent installation without displaying the graphical setup wizard.
This method is ideal for:
- Large-scale deployments
- Automated provisioning
- Infrastructure-as-Code workflows
- Remote server management
Example Installation Command
A more complete example may look like:
msiexec.exe /i wazuh-agent.msi /q `
WAZUH_MANAGER="192.168.1.100" `
WAZUH_AGENT_GROUP="windows-servers" `
WAZUH_AGENT_NAME="WEB-SERVER-01"
This command installs the agent and automatically configures several important settings.
Understanding Installation Parameters
Wazuh provides several installation parameters that allow administrators to customize agent enrollment during deployment.
WAZUH_MANAGER
The WAZUH_MANAGER parameter specifies the hostname or IP address of the Wazuh Manager.
Example:
WAZUH_MANAGER="192.168.1.100"
Without this setting, the agent won’t know where to send security events.
WAZUH_AGENT_GROUP
The WAZUH_AGENT_GROUP parameter automatically assigns the endpoint to a specific agent group.
Example:
WAZUH_AGENT_GROUP="windows-servers"
Groups help organize large deployments and apply centralized configurations.
Organizations frequently create separate groups for:
- Domain Controllers
- File Servers
- SQL Servers
- IIS Servers
Agent grouping is particularly useful when managing hundreds or thousands of monitored systems.
WAZUH_REGISTRATION_SERVER
The WAZUH_REGISTRATION_SERVER parameter specifies the server responsible for agent enrollment.
Example:
WAZUH_REGISTRATION_SERVER="192.168.1.100"
In most environments, this will be the same server as the Wazuh Manager.
This parameter becomes more important in distributed or clustered deployments.
WAZUH_AGENT_NAME
The WAZUH_AGENT_NAME parameter allows you to specify a custom agent name.
Example:
WAZUH_AGENT_NAME="WEB-SERVER-01"
Using descriptive agent names makes it much easier to identify systems within the Wazuh Dashboard, especially in large environments.
A common naming convention might include:
- Server role
- Hostname
- Environment
- Location
Examples:
WEB-PROD-01
DB-PROD-01
DC-NYC-01
FILE-SERVER-02
Following a consistent naming strategy improves asset visibility and simplifies investigations when security alerts are generated.
Once installation is complete, the next step is verifying that the agent has successfully enrolled and is communicating with the Wazuh Manager.
Step 4: Start the Wazuh Agent Service
After installation is complete, the Wazuh Agent service must be running before the server can communicate with the Wazuh Manager.
In many cases, the service starts automatically after installation.
However, it’s always a good idea to verify that the service is running properly.
Starting the Service Manually
To start the service manually:
- Press Windows + R
- Type:
services.msc
- Press Enter.
- Locate Wazuh Agent in the Services console.
- Right-click the service.
- Select Start.
Once started, Windows will launch the agent and begin collecting endpoint telemetry.
Starting Through PowerShell
Most administrators prefer PowerShell because it allows for automation and remote management.
Run the following command:
Start-Service Wazuh
If the service starts successfully, no output will be displayed. Start-Service takes its positional argument as the service name rather than the display name; current 4.x installers register the service as WazuhSvc with the display name Wazuh, so if the command reports that the service cannot be found, run Get-Service -DisplayName 'Wazuh*' to see the exact name and pass that instead.
To configure the service to start automatically after reboots:
Set-Service -Name Wazuh -StartupType Automatic
This ensures the agent remains active after server restarts.
Microsoft provides additional guidance on Windows service management through PowerShell.
Verifying the Service Status
You can verify that the service is running using:
Get-Service Wazuh
Expected output:
Status Name DisplayName
------ ---- -----------
Running Wazuh Wazuh Agent
The Running status indicates that the agent service is operational.
Alternatively, you can verify the service status through the Windows Services console.
Confirming Successful Startup
A running service does not necessarily mean the agent is communicating successfully with the Wazuh Manager.
To confirm successful startup:
- Verify the Wazuh service status is Running.
- Check the agent log file.
- Confirm network connectivity to the manager.
- Verify enrollment within the Wazuh Dashboard.
The Wazuh Agent log file is typically located at:
C:\Program Files (x86)\ossec-agent\ossec.log
Reviewing this file can help identify:
- Enrollment failures
- Connectivity problems
- Authentication issues
- Configuration errors
The official Wazuh troubleshooting guide provides additional details on diagnosing agent startup issues.
Step 5: Verify Agent Registration
Once the agent service is running, the final step is verifying that the Windows Server has successfully registered with the Wazuh Manager.
This confirms that security telemetry is flowing correctly and that the endpoint is being monitored.
Checking the Wazuh Dashboard
Log in to the Wazuh Dashboard.
Navigate to:
Agents
The Agents page displays all registered endpoints currently connected to your Wazuh environment.
This view provides information such as:
- Agent name
- Operating system
- Agent ID
- Last keepalive
- Connection status
- Assigned groups
Confirming the Agent Appears in the Agents List
Locate the Windows Server you just installed.
You can search by:
- Hostname
- Agent name
- Agent ID
If registration was successful, the endpoint should appear within a few moments of startup.
Verify that:
- The hostname is correct.
- The operating system is listed correctly.
- The assigned group is accurate.
- The status shows as Active.
If the endpoint does not appear, review:
- Firewall settings
- Agent logs
- Manager logs
- Network connectivity
Understanding Agent Status Indicators
The Wazuh Dashboard displays several agent health states.
Understanding these indicators helps administrators quickly identify connectivity issues.
Active
Active indicates that the agent is successfully communicating with the Wazuh Manager.
Characteristics of an Active agent:
- Sending security events
- Receiving configuration updates
- Appearing in dashboards and reports
- Generating alerts normally
This is the expected state for healthy endpoints.
Disconnected
Disconnected means the agent was previously connected but has stopped communicating.
Common causes include:
- Server shutdown
- Network outages
- Firewall changes
- Wazuh service failure
- Enrollment issues
If an agent remains disconnected for an extended period, administrators should investigate immediately.
Never Connected
Never Connected indicates that the agent registration exists but the endpoint has never successfully communicated with the manager.
Common causes include:
- Incorrect manager address
- Firewall blocking ports 1514 or 1515
- Agent service not running
- Enrollment failures
- DNS resolution problems
When troubleshooting a Never Connected status, reviewing the agent log file is usually the best starting point.
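A local health check that covers the startup checks from Step 4 and the Never Connected causes just listed, as an added example that is not code from this guide or the Wazuh project. It assumes the default install directory and a TCP agent port; the 500-line log window is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Wazuh project or the original guide: a local
# health check covering service state, configured manager address, port
# reachability and recent log messages. Install paths and the
# "Connected to the server" log text are those of the Wazuh agent; the
# 500-line tail window is an assumption.
$AgentDir = 'C:\Program Files (x86)\ossec-agent'
$Conf     = Join-Path $AgentDir 'ossec.conf'
$Log      = Join-Path $AgentDir 'ossec.log'

# 1. Service state. Look it up by display name ("Wazuh"), because the
#    service name is WazuhSvc on current releases.
$svc = Get-Service -DisplayName 'Wazuh*' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) { Write-Warning 'No Wazuh service is installed on this host.'; return }
'Service {0}: {1} (startup type {2})' -f $svc.Name, $svc.Status, $svc.StartType

# 2. Manager address(es) the agent is actually configured to use. ossec.conf
#    may start with comments and hold more than one <ossec_config> root, so
#    wrap it in a single element before parsing it as XML.
$xml     = [xml]('<root>' + (Get-Content -Path $Conf -Raw) + '</root>')
$servers = @($xml.root.ossec_config.client.server)
if ($servers.Count -eq 0) { Write-Warning "No <client><server> block found in $Conf"; return }

# 3. Name resolution and TCP reachability for the agent port and the
#    enrollment port (1515). A UDP-configured agent port cannot be probed this way.
foreach ($s in $servers) {
    $port  = if ($s.port) { [int]$s.port } else { 1514 }
    $proto = if ($s.protocol) { $s.protocol } else { 'tcp' }
    $ports = @(1515)
    if ($proto -eq 'tcp') { $ports += $port }
    foreach ($p in $ports) {
        $r  = Test-NetConnection -ComputerName $s.address -Port $p -WarningAction SilentlyContinue
        $ok = if ($r) { $r.TcpTestSucceeded } else { $false }   # $null when DNS resolution failed
        'Manager {0}:{1} TCP reachable: {2}' -f $s.address, $p, $ok
    }
}

# 4. Log review: was a connection ever established, and what went wrong recently?
$lines     = Get-Content -Path $Log -Tail 500
$connected = $lines | Where-Object { $_ -match 'Connected to the server' } | Select-Object -Last 1
if ($connected) { "Last successful connection: $connected" }
else { 'No "Connected to the server" entry in the last 500 log lines: check the manager address, ports and key exchange.' }
'Recent errors and warnings:'
$lines | Where-Object { $_ -match 'ERROR|WARNING' } | Select-Object -Last 10
```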
Once your Windows Server appears as Active, the installation process is complete and your endpoint is officially being monitored by the Wazuh platform.
At this point, you can begin leveraging features such as File Integrity Monitoring, Vulnerability Detection, Security Configuration Assessment, and SIEM-based threat detection capabilities.
These advanced capabilities are some of the reasons organizations choose Wazuh over traditional host-based monitoring solutions such as OSSEC and commercial endpoint platforms.
Step 6: Validate Log Collection
Successfully installing and registering a Wazuh Agent is only part of the deployment process.
To ensure your Windows Server is being monitored correctly, you should verify that logs are actively being collected and transmitted to the Wazuh Manager.
This validation step confirms that security events generated on the server are visible within the Wazuh Dashboard and available for threat detection, compliance monitoring, and incident investigation.
Generating Test Events on Windows Server
One of the easiest ways to validate log collection is by generating a few test events.
Common options include:
- Logging in and out of the server
- Creating a failed login attempt
- Starting and stopping a Windows service
- Creating a test file in a monitored directory
- Running PowerShell commands
For example, intentionally entering an incorrect password several times will generate Windows Security Event IDs that should appear in Wazuh shortly afterward.
You can also generate PowerShell activity logs, which are commonly monitored by security teams because attackers frequently abuse PowerShell during post-exploitation activities.
Microsoft provides detailed information about PowerShell logging.
Viewing Logs in the Wazuh Dashboard
After generating test events:
- Open the Wazuh Dashboard.
- Navigate to Threat Hunting or Security Events.
- Search for the hostname of your Windows Server.
- Filter recent events.
You should begin seeing activity generated by the agent.
The Threat Hunting interface allows administrators to search and investigate logs collected from monitored endpoints in real time.
Confirming Windows Event Log Ingestion
One of the primary responsibilities of the Wazuh Agent is collecting Windows Event Logs.
To verify successful ingestion:
- Generate a test login event.
- Open the Wazuh Dashboard.
- Search for the hostname.
- Filter by Windows Security events.
Common Windows event sources include:
- Security
- System
- Application
- PowerShell
- Sysmon
Many organizations deploy Microsoft Sysmon alongside Wazuh because it provides significantly more endpoint visibility than native Windows logs alone.
If you’re interested in endpoint visibility and threat detection capabilities, see our comparison of Wazuh vs OpenEDR.
Verifying Endpoint Visibility
Finally, verify that the endpoint appears throughout the Wazuh platform.
Navigate to:
Endpoints
or
Agents
and confirm that:
- The server appears in inventory reports.
- Recent events are being collected.
- Security alerts are being generated.
- Vulnerability scans are running.
- File Integrity Monitoring data is being updated.
A healthy endpoint should continuously generate telemetry and maintain an Active status within the dashboard.
Once these checks are complete, you can be confident that the Wazuh Agent is functioning correctly.
Understanding the Wazuh Agent Configuration File
After installation, most agent behavior is controlled through the Wazuh configuration file.
Understanding this file is important because it determines:
- Which logs are collected
- Which directories are monitored
- How the agent communicates with the manager
- Which active response actions are enabled
- Which security policies are enforced
Most advanced Wazuh customization involves modifying this configuration.
Location of ossec.conf
The primary Wazuh Agent configuration file is:
C:\Program Files (x86)\ossec-agent\ossec.conf
This XML-based file controls nearly every aspect of agent behavior.
The official Wazuh configuration reference provides a complete breakdown of available settings.
Before making changes, it’s recommended to create a backup copy of the configuration file.
Important Configuration Sections
The ossec.conf file contains multiple sections, each responsible for a different aspect of agent operation.
Client Settings
The <client> section controls communication between the agent and the Wazuh Manager.
Typical settings include:
- Manager address
- Enrollment information
- Agent identity
- Communication parameters
Example:
<client>
  <server>
    <address>192.168.1.100</address>
  </server>
</client>
These settings determine where the agent sends collected security events.
Log Collection
The <localfile> section defines which logs the agent should monitor.
Examples include:
- Windows Security Logs
- Application Logs
- System Logs
- PowerShell Logs
- Custom Application Logs
Example:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>
Log collection is one of Wazuh’s most important capabilities and is a major reason many organizations choose Wazuh over traditional host-based monitoring tools such as OSSEC.
File Integrity Monitoring
The <syscheck> section controls File Integrity Monitoring (FIM).
This module detects:
- File creation
- File modification
- File deletion
- Registry changes
- Permission changes
Example:
<syscheck>
  <directories check_all="yes">C:\ImportantData</directories>
</syscheck>
FIM is particularly valuable for protecting critical Windows Server workloads.
More information about File Integrity Monitoring is available in the official documentation.
Active Response
The <active-response> section controls automated response actions.
Examples include:
- Blocking malicious IP addresses
- Terminating suspicious processes
- Executing remediation scripts
- Isolating compromised endpoints
Example:
<active-response>
  <command>firewall-drop</command>
</active-response>
Note that this form, which binds a command such as firewall-drop to the rules that trigger it (together with <location>, <rules_id> or <level>, and <timeout>), belongs in the manager's ossec.conf. In the agent's own ossec.conf the <active-response> block only enables or disables the module (<disabled>no</disabled>), and the command scripts themselves live under the agent's active-response\bin directory.
Active Response enables organizations to move beyond detection and automatically contain threats.
This functionality often overlaps with capabilities found in commercial endpoint detection products.
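An added example (not code from this guide or the Wazuh project) that applies the backup-first practice from earlier in this section to the log collection configuration: it adds a <localfile> entry for the Sysmon event channel mentioned in Step 6, backs up ossec.conf before touching it, validates the result and rolls back if it no longer parses. The backup directory is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Wazuh project or the original guide: adds a
# <localfile> entry for the Sysmon event channel to ossec.conf with a backup,
# an XML validity check and automatic rollback. The backup directory is an
# assumption; the channel name is Sysmon's standard one and the eventchannel
# format is the one shown in the guide.
$ErrorActionPreference = 'Stop'
$Conf      = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$BackupDir = 'C:\Program Files (x86)\ossec-agent\config-backups'   # assumed location
$Channel   = 'Microsoft-Windows-Sysmon/Operational'

# Sysmon writes to its own channel, so it needs its own <localfile> block.
$newBlock = @"

  <localfile>
    <location>$Channel</location>
    <log_format>eventchannel</log_format>
  </localfile>

"@

function Test-OssecConfXml {
    param([string]$Path)
    # ossec.conf can start with comments and hold several <ossec_config> roots,
    # so wrap it in one element before handing it to the .NET XML parser.
    try { [xml]('<root>' + (Get-Content -Path $Path -Raw) + '</root>') | Out-Null; $true }
    catch { $false }
}

$original = Get-Content -Path $Conf -Raw
if ($original.Contains("<location>$Channel</location>")) {
    "$Channel is already collected; nothing to do."
    return
}
if (-not (Test-OssecConfXml -Path $Conf)) { throw "Refusing to edit: $Conf is not well-formed XML." }

# 1. Backup first, so a bad edit can always be undone.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('ossec.conf.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')
Copy-Item -Path $Conf -Destination $backup

# 2. Insert the block just before the last </ossec_config> closing tag and write
#    it back without a UTF-8 BOM, which the agent's XML parser may reject.
$idx = $original.LastIndexOf('</ossec_config>')
if ($idx -lt 0) { throw "No </ossec_config> closing tag found in $Conf" }
$updated = $original.Substring(0, $idx) + $newBlock + $original.Substring($idx)
[System.IO.File]::WriteAllText($Conf, $updated, (New-Object System.Text.UTF8Encoding $false))

# 3. Validate the result; restore the backup if it no longer parses.
if (-not (Test-OssecConfXml -Path $Conf)) {
    Copy-Item -Path $backup -Destination $Conf -Force
    throw "Edited file failed XML validation; restored $backup"
}

# 4. Restart the agent so the new channel is collected (display name "Wazuh";
#    the service name is WazuhSvc on current releases).
$svc = Get-Service -DisplayName 'Wazuh*' | Select-Object -First 1
Restart-Service -Name $svc.Name
"Added $Channel to $Conf (backup at $backup); service $($svc.Name) is $((Get-Service -Name $svc.Name).Status)."
```

Run it on a test system first, as the best practices below recommend, and keep the backup until the new channel shows up in the dashboard.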
Best Practices for Configuration Management
When managing Wazuh Agent configurations, consider the following best practices:
Use Agent Groups
Rather than configuring agents individually, use Agent Groups to centrally manage settings across similar systems.
Examples:
- Domain Controllers
- SQL Servers
- File Servers
- Web Servers
Backup Configuration Files
Always create backups before making changes.
This makes it easy to roll back if a configuration issue occurs.
Test Changes Before Production Deployment
Validate configuration changes on a test system before deploying them to production servers.
This reduces the risk of:
- Log collection failures
- Performance issues
- Alerting problems
Standardize Monitoring Policies
Create consistent monitoring standards across all Windows Servers.
This improves visibility, compliance reporting, and incident response effectiveness.
Installing a Wazuh Agent on Windows Server Using PowerShell
While the graphical installer works well for individual servers, most organizations prefer PowerShell-based deployments because they are faster, more scalable, and easier to automate.
PowerShell allows administrators to deploy Wazuh across dozens or even thousands of Windows Servers with minimal effort.
Fully Automated Installation Method
The Wazuh deployment wizard can generate a complete installation command that downloads, installs, configures, and enrolls the agent automatically.
This approach eliminates many of the manual steps involved in traditional deployments.
The official Windows installation guide provides updated examples for each Wazuh release.
Sample PowerShell Installation Command
The following example downloads and installs the agent silently:
Invoke-WebRequest `
-Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.x.x-1.msi `
-OutFile $env:TEMP\wazuh-agent.msi
msiexec.exe /i $env:TEMP\wazuh-agent.msi /q `
WAZUH_MANAGER="192.168.1.100" `
WAZUH_AGENT_GROUP="windows-servers" `
WAZUH_AGENT_NAME="WEB-PROD-01"
Start-Service -Name WazuhSvc
This command:
- Downloads the installer.
- Installs the agent silently.
- Configures enrollment settings.
- Starts the Wazuh service (the service name is WazuhSvc; "Wazuh" is its display name).
Note that msiexec.exe returns control to the shell before the installation has finished, so a script that starts the service immediately afterwards can fail on a slow host; in automation, wait for the installer to complete (for example by launching it through Start-Process with -Wait) before starting the service.
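A scripted version of the same installation, added here as an example rather than taken from the page or the Wazuh project, shows the checks a deployment script should add around the one-liner: it waits for msiexec and inspects its exit code, optionally verifies the package hash against a value you obtained out of band, and confirms the service is running before returning. The function name, the -ExpectedSha256 parameter and the 192.168.1.100 manager address are this example's own assumptions; the download URL is the placeholder used elsewhere on this page.

```powershell
# Added example (not from the page or the Wazuh project): install the agent
# with hash verification, a synchronous msiexec call and a service check.
function Install-WazuhAgent {
    param(
        [Parameter(Mandatory)][string]$Manager,
        [Parameter(Mandatory)][string]$MsiUrl,
        [string]$ExpectedSha256 = '',          # optional: SHA-256 you verified out of band
        [string]$Group = 'windows-servers',
        [string]$AgentName = $env:COMPUTERNAME
    )
    $msi = Join-Path $env:TEMP 'wazuh-agent.msi'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $MsiUrl -OutFile $msi -UseBasicParsing -ErrorAction Stop

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpper()) {
            Remove-Item -Path $msi -Force
            throw "Package hash mismatch: expected $ExpectedSha256, got $actual"
        }
    }

    # msiexec returns immediately when called directly; Start-Process -Wait blocks
    # until the install finishes so the exit code is meaningful.
    $msiArgs = @('/i', "`"$msi`"", '/qn',
                 "WAZUH_MANAGER=`"$Manager`"",
                 "WAZUH_AGENT_GROUP=`"$Group`"",
                 "WAZUH_AGENT_NAME=`"$AgentName`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {        # 3010 = success, reboot required
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }

    Start-Service -Name WazuhSvc                # service name WazuhSvc, display name "Wazuh"
    $svc = Get-Service -Name WazuhSvc
    if ($svc.Status -ne 'Running') { throw "WazuhSvc is $($svc.Status), not Running" }
    Remove-Item -Path $msi -Force

    return [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Agent    = $AgentName
        ExitCode = $proc.ExitCode
        Service  = $svc.Status.ToString()
    }
}

Install-WazuhAgent -Manager '192.168.1.100' `
    -MsiUrl 'https://packages.wazuh.com/4.x/windows/wazuh-agent-4.x.x-1.msi'
# Add -ExpectedSha256 '<hash of the release you downloaded>' to refuse a tampered or
# truncated package instead of installing it.
```

The hash check is the security-relevant addition: the one-liner trusts whatever the download returned, whereas this version refuses to run an installer whose digest does not match the value you recorded from a trusted source.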
Benefits of Scripted Deployments
PowerShell deployments offer several advantages over manual installation.
Faster Deployment
A single script can install agents on dozens of servers simultaneously.
Consistent Configuration
Every server receives identical settings, reducing configuration drift.
Easier Maintenance
Administrators can update deployment scripts as infrastructure evolves.
Better Scalability
Scripted installations are essential in enterprise environments where hundreds or thousands of endpoints require monitoring.
These deployment practices align with Microsoft’s broader Windows automation strategy using PowerShell.
Deployment Across Multiple Servers
PowerShell becomes even more powerful when combined with enterprise management tools such as:
- Microsoft Configuration Manager (SCCM)
- Group Policy
- PowerShell Remoting
- Windows Admin Center
- Azure Automation
These tools allow organizations to automate deployments, enforce standardized configurations, and rapidly onboard new Windows Servers into the Wazuh environment.
Installing Wazuh Agents at Scale
Installing a single Wazuh Agent on a Windows Server is relatively straightforward.
However, enterprise environments often contain dozens, hundreds, or even thousands of servers that require monitoring.
In these environments, manual installations quickly become impractical.
Fortunately, Windows administrators have several options for deploying Wazuh Agents at scale while maintaining consistency and minimizing operational overhead.
Group-Based Deployment
One of the first steps in scaling a Wazuh deployment is implementing Agent Groups.
Agent Groups allow administrators to organize endpoints based on their function, environment, or security requirements.
Examples include:
- Domain Controllers
- SQL Servers
- File Servers
- IIS Servers
- Production Servers
- Development Systems
Instead of managing each server individually, administrators can apply centralized configurations to an entire group.
Benefits include:
- Consistent configurations
- Simplified management
- Faster policy deployment
- Reduced administrative effort
Agent Groups become increasingly important as deployments grow beyond a handful of endpoints.
Using Active Directory Group Policy
Organizations with on-premises Active Directory environments often use Group Policy Software Installation (GPSI) to deploy software automatically.
Microsoft Group Policy allows administrators to:
- Deploy MSI packages
- Configure startup scripts
- Enforce security settings
- Manage large server fleets
A common approach is:
- Store the Wazuh MSI installer on a network share.
- Create a Group Policy Object (GPO).
- Configure software deployment settings.
- Link the GPO to the appropriate Organizational Unit (OU).
When servers restart, the Wazuh Agent is automatically installed.
This approach works particularly well for:
- Domain Controllers
- File Servers
- Application Servers
- Internal infrastructure systems
Using PowerShell Remoting
PowerShell Remoting provides another powerful deployment mechanism.
Administrators can remotely execute installation commands across multiple servers simultaneously.
Example workflow:
- Create a deployment script.
- Define target servers.
- Execute the installation remotely.
- Verify successful enrollment.
Benefits include:
- No user interaction required
- Rapid deployment
- Flexible automation
- Easy integration into existing scripts
PowerShell Remoting is particularly useful for organizations already using Infrastructure-as-Code practices.
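The four-step workflow above, written out as a PowerShell Remoting example that is added here and is not the page's or the Wazuh project's own code. It pushes a locally staged MSI to each target through a PSSession rather than reading it from a network share inside the remote session, because a share read from within Invoke-Command fails on the Kerberos double hop. The server names, the staging path and the manager address are constructed sample values; Copy-Item -ToSession needs PowerShell 5.0 or later and WinRM enabled on the targets.

```powershell
# Added example (not from the page or the Wazuh project): install the agent on a
# list of servers over PowerShell Remoting and collect one result row per host.
$Servers   = @('WEB-PROD-01', 'WEB-PROD-02', 'SQL-PROD-01')   # constructed sample targets
$LocalMsi  = 'C:\Deploy\wazuh-agent.msi'                      # assumed local staging copy
$RemoteMsi = 'C:\Windows\Temp\wazuh-agent.msi'
$Manager   = '192.168.1.100'

$results = foreach ($server in $Servers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $server -ErrorAction Stop
        # Copy through the session: the remote side never has to authenticate to a share.
        Copy-Item -Path $LocalMsi -Destination $RemoteMsi -ToSession $session -ErrorAction Stop
        Invoke-Command -Session $session -ArgumentList $Manager, $RemoteMsi -ScriptBlock {
            param($Manager, $Msi)
            $msiArgs = @('/i', "`"$Msi`"", '/qn',
                         "WAZUH_MANAGER=`"$Manager`"",
                         'WAZUH_AGENT_GROUP="windows-servers"',
                         "WAZUH_AGENT_NAME=`"$env:COMPUTERNAME`"")
            # -Wait makes the exit code meaningful; 3010 means success with a reboot pending
            $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
            if ($p.ExitCode -in 0, 3010) { Start-Service -Name WazuhSvc -ErrorAction SilentlyContinue }
            Remove-Item -Path $Msi -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                ExitCode = $p.ExitCode
                Service  = [string](Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue).Status
            }
        }
    } catch {
        [pscustomobject]@{ Computer = $server; ExitCode = -1; Service = "ERROR: $($_.Exception.Message)" }
    } finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}

$results | Format-Table Computer, ExitCode, Service -AutoSize
$failed = @($results | Where-Object { $_.ExitCode -notin 0, 3010 -or $_.Service -ne 'Running' })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) host(s) did not end up with a running agent" }
```

The final table is the "verify successful enrollment" step in a form you can keep: any host with a non-zero exit code or a service state other than Running is a candidate for the troubleshooting section later on this page. Running the loop with ForEach-Object -Parallel (PowerShell 7) or a single Invoke-Command against the whole list parallelizes it once the sequential version works.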
Using Microsoft Endpoint Configuration Manager (SCCM)
Microsoft Endpoint Configuration Manager (formerly SCCM) is one of the most widely used enterprise software deployment platforms.
With SCCM, administrators can:
- Deploy Wazuh Agents automatically
- Schedule deployments
- Track installation status
- Generate compliance reports
- Roll out updates
Advantages include:
- Centralized management
- Detailed reporting
- Automated deployments
- Enterprise scalability
Large organizations frequently use SCCM as their primary endpoint software distribution platform.
Using Intune for Cloud-Managed Environments
Organizations embracing cloud-first management often use Microsoft Intune.
Intune allows administrators to deploy Wazuh Agents to:
- Azure-hosted servers
- Hybrid environments
- Remote-managed endpoints
- Cloud-native infrastructure
Benefits include:
- Internet-based management
- No VPN dependency
- Centralized policy enforcement
- Modern device management capabilities
For organizations transitioning away from traditional Active Directory, Intune often becomes the preferred deployment mechanism.
Common Installation Issues and Troubleshooting
Even when following the installation process carefully, administrators occasionally encounter issues.
Most Wazuh Agent installation problems fall into a few common categories.
Agent Not Appearing in Wazuh Dashboard
One of the most common complaints is that the agent does not appear in the Wazuh Dashboard.
Possible causes include:
- Enrollment failure
- Network connectivity problems
- Incorrect manager address
- Firewall restrictions
- Agent service not running
Begin by verifying:
- The Wazuh service is running
- The server can reach the Wazuh Manager
- Required ports are open
Agent Registration Failures
Registration failures typically occur when the agent cannot successfully enroll with the Wazuh Manager.
Common causes include:
- Incorrect enrollment server
- Invalid manager address
- Authentication issues
- Enrollment service unavailable
Check both:
- Agent logs
- Wazuh Manager logs
for enrollment-related error messages.
The official Wazuh troubleshooting documentation provides detailed enrollment troubleshooting procedures.
Firewall Blocking Communication
Firewall issues are among the most frequent causes of agent connectivity problems.
Verify that:
- Port 1514/TCP is open
- Port 1515/TCP is open
- Network firewalls permit traffic
- Windows Defender Firewall is configured properly
Microsoft Windows Defender Firewall documentation provides guidance for managing firewall rules.
DNS Resolution Issues
Many deployments use hostnames rather than IP addresses.
If DNS is misconfigured, agents may fail to locate the Wazuh Manager.
Verify DNS functionality using:
nslookup wazuh.company.local
or
Resolve-DnsName wazuh.company.local
Ensure the hostname resolves correctly before troubleshooting other components.
Service Startup Failures
Sometimes the Wazuh service fails to start after installation.
Potential causes include:
- Corrupted installation
- Invalid configuration
- Missing dependencies
- Antivirus interference
Verify service status (the service name is WazuhSvc; "Wazuh" is the display name):
Get-Service -Name WazuhSvc
Review Windows Event Viewer for additional diagnostic information.
Microsoft Event Viewer documentation can help identify service-related errors.
Certificate and Authentication Problems
Secure communication between agents and the manager depends on proper authentication.
Potential issues include:
- Invalid certificates
- Enrollment key mismatches
- Incorrect registration settings
- Misconfigured manager settings
Authentication problems often appear in the agent logs and enrollment logs.
Carefully review any connection-related error messages.
Reviewing Wazuh Agent Logs
The Wazuh Agent log file is often the fastest way to identify installation issues.
Default location:
C:\Program Files (x86)\ossec-agent\ossec.log
Common errors found in the logs include:
- Connection failures
- Registration issues
- Authentication errors
- Configuration problems
- Network timeouts
The official Wazuh logging documentation explains the meaning of common log entries and troubleshooting steps.
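The checks described across this troubleshooting section (service state, DNS, ports 1514 and 1515, and the agent log) can be run as one PowerShell function. The following is an added example, not code from the page or the Wazuh project: it assumes the default install path given above and the manager address used elsewhere on this page, reads the installed version from the Windows Installer registry entries, and searches the tail of ossec.log for error lines and the agent's "Connected to the server" message; treat the log patterns as assumptions to adjust for other releases.

```powershell
# Added example (not from the page or the Wazuh project): one-shot health check
# for an agent that is not showing up in the Wazuh Dashboard.
function Test-WazuhAgentHealth {
    param(
        [Parameter(Mandatory)][string]$Manager,
        [string]$LogPath = 'C:\Program Files (x86)\ossec-agent\ossec.log',
        [int]$LogLines = 200
    )
    $report = [ordered]@{}

    # 1. Service state (service name WazuhSvc; display name "Wazuh")
    $svc = Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue
    $report.Service = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. Installed version, from the entries Windows Installer registers (32-bit MSI
    #    lands under WOW6432Node; both hives are checked)
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $pkg = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Wazuh*' } | Select-Object -First 1
    $report.Version = if ($pkg) { $pkg.DisplayVersion } else { 'unknown' }

    # 3. Name resolution, only meaningful when the manager is given as a hostname
    if ($Manager -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        try {
            $a = Resolve-DnsName -Name $Manager -Type A -ErrorAction Stop |
                 Where-Object { $_.IPAddress } | Select-Object -First 1
            $report.Dns = if ($a) { $a.IPAddress } else { 'FAILED: no A record' }
        } catch { $report.Dns = "FAILED: $($_.Exception.Message)" }
    } else { $report.Dns = 'n/a (IP address given)' }

    # 4. Reachability of the event (1514/TCP) and enrollment (1515/TCP) ports
    foreach ($port in 1514, 1515) {
        $t = Test-NetConnection -ComputerName $Manager -Port $port -WarningAction SilentlyContinue
        $report["Port$port"] = if ($t.TcpTestSucceeded) { 'open' } else { 'blocked or closed' }
    }

    # 5. Recent errors and the last successful connection message in ossec.log
    if (Test-Path -Path $LogPath) {
        $tail = Get-Content -Path $LogPath -Tail $LogLines
        $report.RecentErrors  = @($tail | Where-Object { $_ -match 'ERROR|CRITICAL' }).Count
        # assumed pattern: the agent logs "Connected to the server" once enrolled and connected
        $report.LastConnected = $tail | Where-Object { $_ -match 'Connected to the server' } |
                                Select-Object -Last 1
    } else {
        $report.RecentErrors  = 'log not found'
        $report.LastConnected = $null
    }
    return [pscustomobject]$report
}

Test-WazuhAgentHealth -Manager '192.168.1.100' | Format-List
```

Read the fields in order: a service that is NotInstalled or Stopped points at the installation or startup sections, a failed Dns field at name resolution, a blocked port at the firewall section, and a zero RecentErrors count with no LastConnected line usually means the agent never reached enrollment at all.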
Security Best Practices After Installation
Installing the Wazuh Agent is only the beginning.
To maximize visibility and security coverage, administrators should implement additional monitoring and hardening measures.
Enable File Integrity Monitoring
File Integrity Monitoring (FIM) helps detect:
- Unauthorized file modifications
- Deleted files
- Registry changes
- Permission changes
FIM is particularly important for:
- Domain Controllers
- Web Servers
- Database Servers
- Critical business applications
Many organizations consider FIM one of the most valuable Wazuh capabilities.
Configure Security Configuration Assessment
Security Configuration Assessment (SCA) automatically audits systems against security best practices.
SCA can help identify:
- Weak configurations
- Missing hardening controls
- Compliance violations
- Configuration drift
Frameworks commonly assessed include:
- CIS Benchmarks
- PCI DSS
- NIST Cybersecurity Framework
Assign Agents to Appropriate Groups
Agent Groups improve scalability and simplify management.
Examples:
- Domain Controllers
- SQL Servers
- File Servers
- Development Systems
Proper grouping ensures the right monitoring policies are applied to the right systems.
Keep Agents Updated
New Wazuh releases frequently include:
- Security fixes
- Performance improvements
- Bug fixes
- New detection capabilities
Monitor the official Wazuh Release Notes and maintain a regular update process.
Monitor Agent Health Regularly
Agent visibility is only useful if the agent remains operational.
Administrators should routinely monitor:
- Agent status
- Connectivity
- Event volume
- Configuration compliance
- Enrollment health
Proactive monitoring helps prevent blind spots in your security program.
Wazuh Agent vs Agentless Monitoring
Organizations evaluating Wazuh often ask whether agents are truly necessary.
While agentless monitoring exists, agent-based monitoring remains the preferred approach for most Windows Server environments.
Benefits of Agent-Based Monitoring
The Wazuh Agent provides deep endpoint visibility that would otherwise be difficult or impossible to obtain.
Benefits include:
- Real-time log collection
- File Integrity Monitoring
- Security Configuration Assessment
- Vulnerability Detection
- Active Response
- Process monitoring
- Registry monitoring
Because monitoring occurs directly on the endpoint, data collection is generally more comprehensive and reliable.
Many of these capabilities differentiate Wazuh from traditional vulnerability scanners such as OpenVAS and Nessus.
When Agentless Monitoring Makes Sense
Agentless monitoring can be useful in certain situations:
- Legacy systems
- Highly restricted environments
- Third-party managed infrastructure
- Temporary assessments
Benefits include:
- No software installation
- Lower endpoint footprint
- Faster initial deployment
However, agentless approaches often provide significantly less visibility than agent-based monitoring.
Why Most Windows Server Deployments Use Agents
For production Windows Server environments, agent-based monitoring is generally considered the industry standard.
Security teams require access to:
- Windows Event Logs
- Registry activity
- Process creation events
- User activity
- File changes
- System inventory
The Wazuh Agent provides this visibility directly from the endpoint.
Organizations evaluating alternatives often compare Wazuh’s endpoint-centric approach against products such as OpenEDR, SentinelOne, and Security Onion.
For most organizations, deploying agents on critical Windows Servers provides the highest level of visibility, detection coverage, and operational control.
Frequently Asked Questions
Question: Can I Install a Wazuh Agent on Windows Server Core?
Yes.
The Wazuh Agent supports Windows Server Core deployments, making it a good choice for organizations that prefer minimal Windows installations for security and performance reasons.
Because Windows Server Core lacks a graphical interface, administrators typically install and manage the agent using:
- PowerShell
- Command Prompt
- Remote administration tools
- Automated deployment platforms
The installation process is nearly identical to a standard Windows Server deployment, except that all management tasks are performed from the command line.
For the latest platform compatibility information, review the official Wazuh Windows Agent documentation.
Question: Does the Wazuh Agent Impact Server Performance?
In most environments, the Wazuh Agent has a minimal performance impact.
The agent was designed to be lightweight and efficient while continuously collecting security telemetry from monitored endpoints.
The actual resource usage depends on factors such as:
- Number of monitored files
- Volume of collected logs
- Enabled modules
- File Integrity Monitoring scope
- Active Response configurations
For example, monitoring a few critical directories with File Integrity Monitoring typically generates very little overhead, while monitoring millions of files may increase CPU and disk utilization.
Most organizations successfully run Wazuh Agents on:
- Domain Controllers
- SQL Servers
- Web Servers
- File Servers
- Application Servers
without noticeable performance degradation.
Wazuh provides tuning recommendations for optimizing agent performance in large environments.
Question: How Do I Upgrade the Wazuh Agent?
The recommended approach is upgrading agents to match your Wazuh deployment’s supported version.
The upgrade process typically involves:
- Downloading the latest agent package.
- Installing the updated MSI package.
- Restarting the Wazuh service.
- Verifying successful communication.
Organizations managing large deployments often automate upgrades through:
- Microsoft Endpoint Configuration Manager (SCCM)
- Microsoft Intune
- Group Policy
- PowerShell automation
Before performing upgrades, review the official Wazuh Release Notes for compatibility considerations and new features.
Question: Can One Wazuh Manager Handle Multiple Windows Servers?
Absolutely.
In fact, Wazuh is specifically designed to centrally manage large numbers of endpoints.
A single Wazuh Manager can monitor:
- Windows Servers
- Linux Servers
- macOS Systems
- Cloud Workloads
- Virtual Machines
- Containers
The exact number of supported agents depends on factors such as:
- Hardware resources
- Log volume
- Detection rules
- Retention requirements
- Indexing capacity
Larger deployments can also leverage Wazuh Clustering to improve scalability and high availability.
This centralized architecture is one reason many organizations choose Wazuh over standalone endpoint monitoring tools.
Question: How Do I Uninstall the Wazuh Agent?
There are several ways to uninstall the Wazuh Agent.
Using Apps & Features
- Open Settings.
- Navigate to:
Apps → Installed Apps
- Locate Wazuh Agent.
- Select Uninstall.
Control Panel
- Open:
Programs and Features
- Locate Wazuh Agent.
- Click Uninstall.
Using PowerShell
You can also remove the agent silently:
msiexec.exe /x wazuh-agent.msi /q
After removal, the endpoint will stop sending events to the Wazuh Manager.
You may also wish to remove the corresponding agent entry from the Wazuh Dashboard to keep your environment organized.
Additional agent management information can be found in the official Wazuh Agent documentation.
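The msiexec /x form above needs the original MSI file on hand. An added example, not from the page or the Wazuh project, removes the agent without it by looking up the product code Windows Installer registered at install time; the function name is this example's own, and it assumes the agent was installed from the MSI package.

```powershell
# Added example (not from the page or the Wazuh project): silent uninstall via the
# product code registered by Windows Installer, so the original MSI is not needed.
function Uninstall-WazuhAgent {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    # MSI-installed products are keyed by their product GUID; that GUID is what /x accepts.
    $pkg = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Wazuh*' -and $_.PSChildName -match '^\{[0-9A-F-]+\}$' } |
           Select-Object -First 1
    if (-not $pkg) { throw 'Wazuh Agent is not registered with Windows Installer on this host' }

    Stop-Service -Name WazuhSvc -ErrorAction SilentlyContinue
    $p = Start-Process -FilePath msiexec.exe -ArgumentList @('/x', $pkg.PSChildName, '/qn') -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec /x failed with exit code $($p.ExitCode)" }
    return [pscustomobject]@{ Removed = $pkg.DisplayName; Version = $pkg.DisplayVersion; ExitCode = $p.ExitCode }
}

Uninstall-WazuhAgent
```

As the page notes, removing the package does not remove the agent's entry on the manager side; delete it from the Wazuh Dashboard afterwards so the host does not linger as a disconnected agent.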
Conclusion
Installing a Wazuh Agent on Windows Server is one of the most effective ways to gain visibility into endpoint activity, security events, system configurations, and potential threats across your infrastructure.
Whether you’re monitoring a single server or managing thousands of endpoints, the Wazuh Agent provides the data needed to support threat detection, compliance monitoring, incident response, and security operations.
Recap of the Installation Process
Throughout this guide, we covered the complete deployment workflow:
- Preparing the required prerequisites.
- Generating the deployment command from the Wazuh Dashboard.
- Downloading the Windows Agent package.
- Installing the Wazuh Agent.
- Starting the Wazuh service.
- Verifying agent enrollment.
- Confirming log collection and endpoint visibility.
- Reviewing agent configuration options.
- Deploying agents at scale.
- Troubleshooting common installation issues.
Following these steps helps ensure that your Windows Servers are properly enrolled and communicating with your Wazuh environment.
Key Benefits of Deploying Wazuh Agents on Windows Servers
Once installed, the Wazuh Agent provides a broad range of security monitoring capabilities.
Key benefits include:
- Centralized log collection
- Real-time security monitoring
- File Integrity Monitoring
- Vulnerability Detection
- Security Configuration Assessment
- Active Response capabilities
- Compliance reporting
- Threat detection and investigation
These features make Wazuh a compelling alternative to many commercial endpoint monitoring and security platforms.
Organizations also frequently compare its capabilities with traditional host intrusion detection systems such as OSSEC.
Next Steps: Configure Monitoring, FIM, and Vulnerability Detection
After successfully deploying the agent, consider enabling additional security capabilities.
Recommended next steps include:
Configure File Integrity Monitoring
Monitor critical directories, system files, and sensitive application data.
This helps detect unauthorized changes that may indicate compromise.
Enable Security Configuration Assessment
Assess your Windows Servers against recognized security frameworks such as CIS Benchmarks, PCI DSS, and the NIST Cybersecurity Framework.
Review Vulnerability Detection
Use Wazuh’s vulnerability detection capabilities to identify:
- Missing patches
- Known CVEs
- High-risk software
- Outdated packages
Enhance Endpoint Visibility
Many organizations integrate Microsoft Sysmon with Wazuh to improve process, network, and registry monitoring.
Recommendations for Managing Agents at Scale
As your deployment grows, adopting structured management practices becomes increasingly important.
Consider the following recommendations:
Use Agent Groups
Organize systems based on their function and security requirements.
Examples:
- Domain Controllers
- SQL Servers
- File Servers
- Web Servers
Agent Groups simplify configuration management and policy enforcement.
Automate Deployments
Leverage tools such as:
- Microsoft Endpoint Configuration Manager (SCCM)
- Microsoft Intune
- Group Policy
- PowerShell Remoting
Automation reduces administrative effort and ensures consistent deployments.
Monitor Agent Health
Regularly review:
- Agent status
- Connectivity
- Event volume
- Configuration compliance
- Update status
Proactive monitoring helps prevent blind spots in your security program.
Stay Current
Keep agents updated to benefit from:
- Security fixes
- Performance improvements
- New features
- Improved detection capabilities
By combining proper deployment, configuration, and ongoing management, you can build a highly scalable and effective Windows Server monitoring strategy with Wazuh.
