Agent Onboarding on Linux with Bash
Objective
This simple Bash script, which I assembled, helps deploy Wazuh agents on Linux systems. It installs, enables, and starts the auditd daemon, installs the Wazuh agent that matches the system’s distribution and architecture, and sets two useful labels for the agent: tenant and environment.
Note: This script is not idempotent, but it is suitable for a small number of installations. For fast, idempotent, large-scale deployments, use an Ansible-based onboarding solution, which I am currently working on.
Usage
Create the script file and make it executable:
```bash
sudo chmod +x onboarding.sh
```
Command example
```bash
sudo ./onboarding.sh --agentdist deb --agentversion "4.14.3-1" --agentarch amd64 --tenant "CompanyA" --environment "prod"
```
Several arguments are required for deployment, and all of them must be provided:
Parameters
| Syntax | Value | Description |
|---|---|---|
| --agentdist | deb or rpm | The target system’s Linux distribution |
| --agentversion | String | The agent version including the package release (e.g., “4.14.3-1”). It is recommended to match the manager version. |
| --agentarch | amd64 or aarch64 | The target system’s CPU architecture |
| --tenant | String | Tenant label for the agent |
| --environment | String | Environment label for the agent (e.g., prod, dev) |
Script
Create a new .sh file with this code and run it as described above.
```bash
#!/bin/bash

# VARIABLES
AGENT_DIST=""
AGENT_VERSION=""
AGENT_ARCH=""
TENANT=""
ENVIRONMENT=""

# PARAMETER PARSING
while [[ "$#" -gt 0 ]]; do
    # Every option takes a value. Without this check, "shift 2" fails on a
    # trailing option and the loop never terminates.
    if [[ "$#" -lt 2 ]]; then
        echo "Error: Missing value for parameter: $1"
        exit 1
    fi
    case "$1" in
        --agentdist)
            AGENT_DIST="$2"
            shift 2
            ;;
        --agentversion)
            AGENT_VERSION="$2"
            shift 2
            ;;
        --agentarch)
            AGENT_ARCH="$2"
            shift 2
            ;;
        --tenant)
            TENANT="$2"
            shift 2
            ;;
        --environment)
            ENVIRONMENT="$2"
            shift 2
            ;;
        *)
            echo "Error: Unknown parameter: $1"
            exit 1
            ;;
    esac
done

# REQUIRED PARAM CHECK
if [[ -z "$AGENT_DIST" || -z "$AGENT_VERSION" || -z "$AGENT_ARCH" || -z "$TENANT" || -z "$ENVIRONMENT" ]]; then
    echo "Usage:"
    echo "$0 --agentdist <deb|rpm> --agentversion <string> --agentarch <amd64|aarch64> --tenant <string> --environment <string>"
    exit 1
fi

# VALUE VALIDATION
# agentdist
if [[ "$AGENT_DIST" != "deb" && "$AGENT_DIST" != "rpm" ]]; then
    echo "Error: --agentdist must be 'deb' or 'rpm'"
    exit 1
fi
# agentarch
if [[ "$AGENT_ARCH" != "amd64" && "$AGENT_ARCH" != "aarch64" ]]; then
    echo "Error: --agentarch must be 'amd64' or 'aarch64'"
    exit 1
fi

# INSTALL AUDITD
case "$AGENT_DIST" in
    deb)
        sudo apt-get update -y
        sudo apt-get install -y auditd audispd-plugins
        ;;
    rpm)
        sudo dnf install -y audit
        ;;
    *)
        echo "Warning: Unknown major distribution"
        ;;
esac
sudo systemctl enable auditd
sudo systemctl start auditd

# INSTALL AGENT
# The package is installed only if the download succeeds (&&).
# For rpm, curl -f makes an HTTP error fail the download instead of saving
# the error page, and the output file name follows --agentversion so that it
# matches the file passed to rpm.
if [[ "$AGENT_ARCH" == "amd64" && "$AGENT_DIST" == "deb" ]]; then
    wget "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_${AGENT_VERSION}_amd64.deb" \
        && sudo WAZUH_MANAGER='siem.ottolukacs.com' dpkg -i "./wazuh-agent_${AGENT_VERSION}_amd64.deb"
elif [[ "$AGENT_ARCH" == "aarch64" && "$AGENT_DIST" == "deb" ]]; then
    wget "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_${AGENT_VERSION}_arm64.deb" \
        && sudo WAZUH_MANAGER='siem.ottolukacs.com' dpkg -i "./wazuh-agent_${AGENT_VERSION}_arm64.deb"
elif [[ "$AGENT_ARCH" == "amd64" && "$AGENT_DIST" == "rpm" ]]; then
    curl -f -o "wazuh-agent-${AGENT_VERSION}.x86_64.rpm" "https://packages.wazuh.com/4.x/yum/wazuh-agent-${AGENT_VERSION}.x86_64.rpm" \
        && sudo WAZUH_MANAGER='siem.ottolukacs.com' rpm -ihv "wazuh-agent-${AGENT_VERSION}.x86_64.rpm"
elif [[ "$AGENT_ARCH" == "aarch64" && "$AGENT_DIST" == "rpm" ]]; then
    curl -f -o "wazuh-agent-${AGENT_VERSION}.aarch64.rpm" "https://packages.wazuh.com/4.x/yum/wazuh-agent-${AGENT_VERSION}.aarch64.rpm" \
        && sudo WAZUH_MANAGER='siem.ottolukacs.com' rpm -ihv "wazuh-agent-${AGENT_VERSION}.aarch64.rpm"
else
    echo "Unsupported combination"
    exit 1
fi

# ADD AGENT LABELS
# Inserts a <labels> block before each closing </ossec_config> tag.
sudo sed -i "/<\/ossec_config>/i \
  <labels>\n\
    <label key=\"tenant\">$TENANT</label>\n\
    <label key=\"environment\">$ENVIRONMENT</label>\n\
  </labels>" /var/ossec/etc/ossec.conf

# START AGENT
sudo systemctl enable wazuh-agent
sudo systemctl restart wazuh-agent
echo "End of the script."
```
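The label step in the script writes the tenant and environment values into ossec.conf unchecked and appends another `<labels>` block on every rerun. The following is an added example, not part of the original script: it accepts only allowlisted label characters and inserts the block once. The function names, the sample configuration and the 64-character limit are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original script. Function names, the sample
# config and the 64-character limit are assumptions made for illustration.

# Accept only characters that are inert in XML text and in sed/awk scripts.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# add_labels <conf> <tenant> <environment>
# Returns 0 if labels were added or a tenant label already exists (file left
# untouched), 1 on a rejected value, 2 if the file is missing or malformed.
add_labels() {
    local conf tenant environment tmp rc
    conf="$1"; tenant="$2"; environment="$3"
    valid_label "$tenant" && valid_label "$environment" || return 1
    [ -f "$conf" ] && grep -q '</ossec_config>' "$conf" || return 2
    # Idempotency: a rerun must not append a second <labels> block.
    if grep -q '<label key="tenant">' "$conf"; then return 0; fi
    tmp="$(mktemp)" || return 2
    # Insert before the first closing tag only. Values are passed as awk
    # variables, so they never become part of the awk program text.
    # Writing back with cat keeps the owner and mode of the original file.
    if awk -v t="$tenant" -v e="$environment" '
        /<\/ossec_config>/ && !seen {
            print "  <labels>"
            print "    <label key=\"tenant\">" t "</label>"
            print "    <label key=\"environment\">" e "</label>"
            print "  </labels>"
            seen = 1
        }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    then rc=0; else rc=2; fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample configuration for trying the function offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server><address>manager.example.internal</address></server>
  </client>
</ossec_config>
EOF
}
```

In the onboarding script this would be called as `add_labels /var/ossec/etc/ossec.conf "$TENANT" "$ENVIRONMENT"` from a root shell, exiting on a non-zero return before the agent is restarted.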