Wazuh Agent Installation Guide
What Agents Do
Wazuh agents run inside containers and report system-level events to the Wazuh manager. This is different from the Alloy/Loki setup you already have. Alloy scrapes application logs from container stdout (passive collection). Wazuh agents report from inside the container: file integrity changes, process execution, privilege escalation attempts, authentication events, rootkit indicators (active collection).
The combination gives you two perspectives on the same system. Alloy/Loki sees what the application writes to its logs. Wazuh agents see what the operating system reports happening inside the container.
Installation Steps
Installing a Wazuh agent on a running container is a three-step process:
- Access the container -- use `docker exec -it <container_name> bash` to get a shell inside the target container.
- Install the agent -- download and install the Wazuh agent package. The agent needs to know the Wazuh manager's address (wazuh-manager on the Docker network). Direct AI to handle the installation commands for the container's base OS (Debian/Ubuntu for Python containers, Node.js Alpine or Debian for the tourism portal).
- Start the agent -- start the Wazuh agent service and verify it registers with the manager. Check the Wazuh dashboard to confirm the agent appears in the Agents list.
Agent Configuration
After installation, configure which log collection channels to enable for each container:
- syscheck (file integrity monitoring) -- detects file changes inside the container. Useful for catching modifications to application code, configuration files, or uploaded content.
- rootcheck (rootkit detection) -- checks for rootkit indicators. Less relevant in containers but establishes the baseline practice.
- log collection -- configure the agent to forward application-specific logs to the Wazuh manager for analysis with Wazuh's built-in and custom rules.
Not all channels are equally useful for every container. The tourism portal (Node.js) has different logging patterns from the guide system (Python/Flask). Direct AI to configure agents appropriate to each container's role.
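An ossec.conf fragment enabling the three channels above for one container, added here as an illustration and not taken from the original guide. The monitored paths (/app, /etc, /var/log/guide/app.log), the scan intervals and the choice of the Python/Flask guide system are assumptions; adjust them to each container's layout.

```xml
<!-- Added example: agent-side ossec.conf fragment (normally /var/ossec/etc/ossec.conf). -->
<!-- All paths and intervals below are assumed values for a Python/Flask container. -->
<ossec_config>

  <!-- Manager address as stated in the guide: wazuh-manager on the Docker network -->
  <client>
    <server>
      <address>wazuh-manager</address>
    </server>
  </client>

  <!-- syscheck: file integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Full scan interval in seconds (assumed: every 12 hours) -->
    <frequency>43200</frequency>
    <!-- Application code: watch in real time and record diffs of text files -->
    <directories realtime="yes" check_all="yes" report_changes="yes">/app</directories>
    <!-- Configuration files: picked up on the scheduled scan -->
    <directories check_all="yes">/etc</directories>
    <!-- Skip interpreter caches so routine restarts do not generate alerts -->
    <ignore type="sregex">__pycache__</ignore>
    <ignore type="sregex">\.pyc$</ignore>
  </syscheck>

  <!-- rootcheck: rootkit indicators; kept on to establish the baseline practice -->
  <rootcheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
  </rootcheck>

  <!-- Log collection: forward an application log file to the manager. -->
  <!-- Assumes the app writes JSON lines to this file; a container that logs -->
  <!-- only to stdout has no file here for the agent to read. -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/guide/app.log</location>
  </localfile>

</ossec_config>
```

Restart the agent after changing the file so the new settings are loaded, then confirm in the dashboard that syscheck and log events arrive for that agent.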
Verification
After installing agents on all three portal containers:
- Open the Wazuh dashboard at http://localhost:5601
- Navigate to Agents -- you should see three registered agents (one per portal container)
- Check that each agent is reporting events -- the event count should be increasing
- Compare what Wazuh shows for a container versus what Loki shows for the same time period