The Wazuh agent collects system events, file-integrity changes, log entries, and Docker container events from a monitored host and forwards them to the Wazuh Manager over TCP port 1514. Enrollment (registration) happens automatically over TCP port 1515 using the Manager’s authd service. Two deployment styles are supported: a containerised agent run via Docker Compose on any host with Docker installed, and a native dpkg-installed agent for Linux hosts where you prefer a system service.
Deployment Methods
- Docker Container Agent (Remote)
- Native Linux Agent
Prerequisites
- Docker Engine installed on the monitored host (not necessarily the same host as the Manager)
- The project repository cloned on the monitored host, or at minimum the agent/ directory and .env file transferred to it
- TCP ports 1514 and 1515 must be reachable from the monitored host to the Manager host
- The host Docker group GID (DOCKER_GID) — needed so the container can read /var/run/docker.sock
docker-compose-agent.yml
The agent-only Compose file at agent/docker-compose-agent.yml is:
The - TZ=${TZ} entry appears under volumes in the source file — this is a misplacement in the Compose definition. Docker Compose silently ignores invalid volume entries of this form. If you need the container timezone to be set, move TZ: ${TZ} to the environment block instead.
Required Environment Variables
Before deploying, ensure the following variables are set in your .env file (or exported in the shell):
| Variable | Description |
|---|---|
| AGENT_MANAGER_SERVER | IP address or FQDN of the Wazuh Manager host. The agent enrolls and ships events to this address on ports 1515 and 1514. |
| DOCKER_GID | Numeric GID of the docker group on the monitored host. The agent container uses group_add to join this group and gain read access to /var/run/docker.sock. |
| TZ | IANA timezone string (e.g. America/Bogota) for container timestamps. |
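
A preflight check covering the two points above, the misplaced TZ entry and the three required variables, as an added example that is not part of the project or its wazuh-dev.sh. The function names, the sample .env values and the trimmed Compose snippet are constructed for illustration; the Compose scan is line-based and only looks for KEY=VALUE items inside a volumes list.

```python
import grp
import re

REQUIRED = ("AGENT_MANAGER_SERVER", "DOCKER_GID", "TZ")  # variables from the table
ENV_ITEM = re.compile(r"^\s*-\s*['\"]?([A-Za-z_][A-Za-z0-9_]*)=")  # "- KEY=value"
SAMPLE_ENV = "AGENT_MANAGER_SERVER=10.0.0.5\nDOCKER_GID=998\nTZ=America/Bogota\n"  # constructed
SAMPLE_COMPOSE = """\
services:
  wazuh-agent:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - TZ=${TZ}
    environment:
      - SAMPLE_VAR=1
"""  # constructed sample, not the project's real Compose file

def parse_env(text):
    """Minimal .env reader: KEY=VALUE lines, '#' comments, optional quotes."""
    lines = [ln for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#")]
    return {k.strip(): v.strip().strip("'\"") for k, v in (ln.split("=", 1) for ln in lines)}

def env_items_in_volumes(compose_text):
    """Names of KEY=VALUE items found inside a `volumes:` list (the TZ case)."""
    found, indent = [], None
    for line in compose_text.splitlines():
        item, depth = line.strip(), len(line) - len(line.lstrip())
        if not item or item.startswith("#"):
            continue
        if indent is not None and depth <= indent and not item.startswith("-"):
            indent = None  # a sibling key ends the volumes list
        if item == "volumes:":
            indent = depth
        elif indent is not None and (m := ENV_ITEM.match(line)):
            found.append(m.group(1))
    return found

def preflight(env_text, compose_text, host_gid=None):
    """Return the problems to fix before `docker compose ... up -d`."""
    env = parse_env(env_text)
    issues = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    gid = env.get("DOCKER_GID", "")
    if host_gid is None:  # same lookup as `getent group docker | cut -d: -f3`
        host_gid = next((g.gr_gid for g in grp.getgrall() if g.gr_name == "docker"), None)
    if gid and not gid.isdigit():
        issues.append("DOCKER_GID must be numeric")
    elif gid and host_gid is not None and int(gid) != host_gid:
        issues.append(f"DOCKER_GID={gid}, but the host docker group is {host_gid}")
    return issues + [f"{n} is under volumes; move it to environment"
                     for n in env_items_in_volumes(compose_text)]
```

Call preflight() with the contents of .env and agent/docker-compose-agent.yml; an empty list means none of these checks failed.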
Deploy with wazuh-dev.sh
From the project root on the monitored host, run:
DOCKER_GID with getent group docker | cut -d: -f3, validates the .env and agent/docker-compose-agent.yml files, then executes docker compose -f agent/docker-compose-agent.yml --env-file .env up -d.
Deploy Manually
If you prefer to deploy without the helper script:
<manager-ip> with the IP address or FQDN of your Wazuh Manager.
Volume Mounts Explained
| Host Path | Container Path | Purpose |
|---|---|---|
| ./agent/conf/remote_ossec.conf | /var/ossec/etc/ossec.conf | Agent configuration — uses ${HOSTNAME} for dynamic agent name enrollment |
| /var/run/docker.sock | /var/run/docker.sock (:ro) | Read-only Docker socket access for the docker-listener wodle |
| /etc/os-release | /etc/os-release (:ro) | Host OS identification |
| /var/log | /var/log | Host log directory monitored by the agent’s localfile rules |
| /sys | /sys (:ro) | System information access for hardware inventory |
The agent runs with privileged: true and the host Docker GID to allow the docker-listener wodle to access /var/run/docker.sock. This is required for Docker container event monitoring.
Agent Configuration File
Two ossec.conf variants ship with the project, each intended for a different deployment scenario:
agent/conf/ossec.conf
For the co-located agent running alongside the server stack on the same Docker network. Connects to the Manager by its Docker service hostname wazuh.manager. The enrollment block does not set an explicit <agent_name>, so the container hostname (controlled by LOCAL_AGENT_HOSTNAME in .env) is used automatically.
agent/conf/remote_ossec.conf
For remote agents running on hosts outside the server Docker network. Uses ${HOSTNAME} as the <agent_name> in the enrollment block, which Docker expands to the container hostname at runtime — making each agent’s registered name unique.
docker-listener wodle (interval 10 s, 5 attempts, runs on start), the syscollector inventory wodle (hardware, OS, network, packages, ports, processes, users, groups, services), syscheck file-integrity monitoring with realtime watches on /etc, /usr/bin, /usr/sbin, /bin, /sbin, and Docker/LXC-specific ignore rules, as well as a suite of active localfile monitors for disk usage, memory, running processes, and Docker container status.
Verifying Agent Registration
Once the agent is running and has enrolled, confirm registration through one of these methods:
Wazuh Dashboard — navigate to the Agents section in the left sidebar. A newly enrolled agent appears within seconds and transitions from Pending to Active once it starts shipping events.
REST API — query the Manager’s API directly:
<password> with your API_PASSWORD value and <manager> with the Manager’s IP or FQDN. A successful response returns a JSON object listing all registered agents with their IDs, names, IP addresses, and connection status.
Agent logs — on a native Linux agent, check the agent’s own log for enrollment confirmation:
Connected to the server and the assigned agent ID.
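
The REST API method above, turned into a check that lists agents which enrolled but are not Active and hosts that never enrolled at all. This is an added example, not code from the original page or the Wazuh project. Assumptions: the API listens on port 55000 with the /security/user/authenticate and /agents endpoints, the user and ca_file parameters are supplied by you, and the sample reply is constructed.

```python
import base64
import json
import ssl
import urllib.request

API_PORT = 55000  # assumption: default Wazuh API port, not stated on this page

# Constructed reply shaped like GET /agents output; not captured from a real Manager.
SAMPLE = {"data": {"affected_items": [
    {"id": "000", "name": "wazuh.manager", "ip": "127.0.0.1", "status": "active"},
    {"id": "001", "name": "web-01", "ip": "10.0.0.21", "status": "active"},
    {"id": "002", "name": "db-01", "ip": "10.0.0.22", "status": "pending"},
    {"id": "003", "name": "old-01", "ip": "10.0.0.23", "status": "disconnected"},
]}, "error": 0}


def _call(url, auth, ca_file, method="GET"):
    # Verify the Manager's certificate against ca_file rather than disabling TLS checks.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, headers={"Authorization": auth}, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def fetch_agents(manager, user, password, ca_file):
    """Two calls: exchange the API credentials for a token, then list the agents."""
    base = f"https://{manager}:{API_PORT}"
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = _call(f"{base}/security/user/authenticate", f"Basic {basic}", ca_file, "POST")
    return _call(f"{base}/agents?select=id,name,ip,status",
                 f"Bearer {login['data']['token']}", ca_file)


def registration_gaps(reply, expected_names):
    """Return (not_active, never_enrolled) for the hosts you expect to be monitored."""
    items = reply["data"]["affected_items"]
    not_active = [(a["id"], a["name"], a["status"])
                  for a in items if a["status"] != "active"]
    never_enrolled = sorted(set(expected_names) - {a["name"] for a in items})
    return not_active, never_enrolled
```

Feed the result of fetch_agents() to registration_gaps() together with the hostnames you deployed agents to; anything returned is a host the Manager is not receiving events from.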