This Ansible project aims to streamline the management of Wazuh agents across a distributed infrastructure. By automating the installation, maintenance, and removal of Wazuh agents, this project ensures secure and uniform host monitoring within the network.

Prerequisites

  • Ansible 2.9+ installed on the control machine.
  • SSH enabled on all target hosts.
  • Target hosts must be running Linux with apt (e.g., Debian, Ubuntu).
  • The variables file vars/vars.yml must be correctly configured with your environment’s details.

Configuration of vars/vars.yml File

Before running the playbooks, ensure the following variables are configured in the vars/vars.yml file:

wazuh_manager_ip: "MANAGER_IP_ADDRESS" # The IP address of your Wazuh manager
wazuh_agent_package: "wazuh-agent_4.7.3-1_amd64.deb" # The Wazuh agent package to install
wazuh_agent_repo: "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/" # URL of the repository containing the agent package
wazuh_agent_group: "default" # The Wazuh agent group to add the agent to
wazuh_manager_port: "55000" # The port on which the Wazuh manager is listening
wazuh_username: "USERNAME" # Username for authentication with the Wazuh manager
wazuh_password: "PASSWORD" # Password for authentication with the Wazuh manager
validate_certs: no # Whether or not to validate SSL certificates when connecting to the Wazuh manager

Replace MANAGER_IP_ADDRESS, USERNAME, and PASSWORD with your actual information.

Usage

To use the provided playbooks, follow these steps:

  1. Installing Wazuh Agents:

    ansible-playbook -i your_inventory install_wazuh_agent.yml
    
  2. Removing ‘Disconnected’ and ‘Never Connected’ Wazuh Agents:

    ansible-playbook -i your_inventory remove_disconnected_agents.yml
    
  3. Uninstalling Wazuh Agents:

    ansible-playbook -i your_inventory uninstall_wazuh_agent.yml
    

Playbooks

install_wazuh_agent.yml

Installs the Wazuh agent on target hosts, configures the IP address and group of the Wazuh manager, and then starts the agent service.

---
- name: Install Wazuh agent
  hosts: all
  become: yes
  vars_files:
    - ../vars/vars.yml

  tasks:
    - name: Check if Wazuh agent is already installed
      command: "systemctl status wazuh-agent"
      register: wazuh_installed
      changed_when: false
      ignore_errors: true

    - name: Download Wazuh agent installer
      get_url:
        url: "{{ wazuh_agent_repo }}{{ wazuh_agent_package }}"
        dest: "/tmp/{{ wazuh_agent_package }}"
      when: wazuh_installed is failed

    # The package's post-install script reads WAZUH_MANAGER, WAZUH_AGENT_GROUP and
    # WAZUH_AGENT_NAME from the environment to enrol the agent, so they are passed
    # via `environment:` rather than as unexported shell variables.
    - name: Install Wazuh agent with registration
      ansible.builtin.shell: |
        dpkg -i "/tmp/{{ wazuh_agent_package }}"
      environment:
        WAZUH_MANAGER: "{{ wazuh_manager_ip }}"
        WAZUH_AGENT_GROUP: "{{ wazuh_agent_group }}"
        WAZUH_AGENT_NAME: "{{ inventory_hostname }}"
      args:
        executable: /bin/bash
      when: wazuh_installed is failed

    # Safeguard in case the installer did not set the manager address; the captured
    # leading whitespace (\1) keeps the indentation of ossec.conf intact.
    - name: Update Wazuh Manager IP in ossec.conf
      ansible.builtin.lineinfile:
        path: /var/ossec/etc/ossec.conf
        regexp: '^(\s*)<address>.*</address>'
        line: '\1<address>{{ wazuh_manager_ip }}</address>'
        backrefs: yes
      when: wazuh_installed is failed

    - name: Reload systemd units
      ansible.builtin.systemd:
        daemon_reload: true
      when: wazuh_installed is failed

    - name: Start Wazuh agent
      service:
        name: wazuh-agent
        state: started
        enabled: true
      when: wazuh_installed is failed

    - name: Status of Wazuh agent
      command: "systemctl status wazuh-agent"
      register: wazuh_status
      changed_when: false

    - name: Remove the downloaded Wazuh agent package
      ansible.builtin.file:
        path: "/tmp/{{ wazuh_agent_package }}"
        state: absent

uninstall_wazuh_agent.yml

Stops the Wazuh agent service, uninstalls the agent, and removes its directory, preparing the host for a clean reinstallation or to be removed from the monitored network.

---
- name: Uninstall Wazuh Agent
  hosts: all
  become: yes
  tasks:
    - name: Stop Wazuh Agent service
      ansible.builtin.systemd:
        name: wazuh-agent
        state: stopped

    - name: Uninstall Wazuh Agent package
      ansible.builtin.apt:
        name: wazuh-agent
        state: absent

    - name: Reload systemd units
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Remove Wazuh Agent directory
      ansible.builtin.file:
        path: /var/ossec
        state: absent

remove_disconnected_agents.yml

Removes Wazuh agents that are in a ‘Disconnected’ or ‘Never Connected’ state on the Wazuh manager, keeping the agent list clean.

---
# agent_control and manage_agents live on the Wazuh manager, so the inventory
# passed to this playbook should contain the manager host(s), not the agents.
- name: Remove Disconnected or Never Connected Agents
  hosts: all
  become: true
  tasks:
    # agent_control -l prints one line per agent, e.g.
    #   "   ID: 002, Name: db-01, IP: any, Disconnected"
    # The second whitespace-separated field is the ID with a trailing comma,
    # which sed strips. grep exits 1 when no agent matches, hence ignore_errors.
    - name: Get list of agents in 'Disconnected' or 'Never Connected' state
      ansible.builtin.shell: >
        /var/ossec/bin/agent_control -l | grep -E 'Never connected|Disconnected' | awk '{print $2}' | sed 's/,//g'
      register: agents_output
      changed_when: false
      ignore_errors: yes

    - name: Display agents in 'Disconnected' or 'Never Connected' state
      ansible.builtin.debug:
        var: agents_output.stdout_lines

    - name: Remove agents in 'Disconnected' or 'Never Connected' state
      ansible.builtin.shell: >
        /var/ossec/bin/manage_agents -r {{ item }}
      loop: "{{ agents_output.stdout_lines }}"
      when: agents_output.stdout != ""
      ignore_errors: yes

    - name: Restart Wazuh Manager
      ansible.builtin.systemd:
        name: wazuh-manager
        state: restarted
      when: agents_output.stdout != ""
      ignore_errors: yes
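As an added example (not part of this project), here is a parser for the agent_control -l listing that the playbook above pipes through grep/awk. It selects on the parsed status field only, so an agent whose name merely contains "Disconnected" is not picked up, and it never returns the manager's own ID 000. The sample listing is constructed, and its line format is assumed from Wazuh 4.x output.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `/var/ossec/bin/agent_control -l` output; the line
# format is assumed from Wazuh 4.x and is not taken from this project.
SAMPLE_LISTING = """\
Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web-01, IP: any, Active
   ID: 002, Name: db-01, IP: 10.0.0.12, Disconnected
   ID: 003, Name: Disconnected-lab-box, IP: any, Active
   ID: 004, Name: staging-04, IP: any, Never connected

List of agentless devices:
"""

STALE_STATES = {"Disconnected", "Never connected"}

# One agent per line: "   ID: 002, Name: db-01, IP: any, Disconnected"
AGENT_LINE = re.compile(
    r"^\s*ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>.*?),"
    r"\s*IP:\s*(?P<ip>\S+),\s*(?P<status>.+?)\s*$"
)


class Agent(NamedTuple):
    id: str
    name: str
    ip: str
    status: str


def parse_agent_listing(text: str) -> List[Agent]:
    """Turn agent_control -l output into Agent records; header and blank lines are skipped."""
    return [
        Agent(m["id"], m["name"], m["ip"], m["status"])
        for m in map(AGENT_LINE.match, text.splitlines())
        if m
    ]


def stale_agent_ids(text: str) -> List[str]:
    """IDs whose status field (not name) is stale; ID 000 (the manager) is never returned."""
    return [a.id for a in parse_agent_listing(text)
            if a.id != "000" and a.status in STALE_STATES]
```

Run over this same sample, the playbook's grep/awk pipeline would also select 003 because "Disconnected" appears in its name; matching on the parsed status field avoids that.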

Conclusion

With these playbooks, you can easily manage Wazuh agents across your infrastructure, ensuring that all hosts are monitored and secure. By automating the installation, maintenance, and removal of Wazuh agents, you can save time and effort while maintaining a consistent security posture across your network.