docs: warn that wazuh-agent conflicts with wazuh-manager on same host#9512
Open
ferr079 wants to merge 1 commit intowazuh:mainfrom
Open
docs: warn that wazuh-agent conflicts with wazuh-manager on same host#9512ferr079 wants to merge 1 commit intowazuh:mainfrom
ferr079 wants to merge 1 commit intowazuh:mainfrom
Conversation
Installing wazuh-agent on a host running wazuh-manager silently removes the manager via Conflicts/Replaces package metadata. Add a warning admonition on the Linux agent install page and suggest explicit exclusion when using configuration management tools like Ansible. Signed-off-by: Stephane <stephane@pixelium.win>
ferr079
added a commit
to ferr079/pixelium-site
that referenced
this pull request
Apr 23, 2026
… README refresh Ground truth via GitHub API: Stéphane shipped 4 contributions on 2026-04-22, all currently 'open' / awaiting review (none merged yet). Previous /contributions page only listed 1 and claimed 'merged' — both wrong. Changes: - /contributions (EN+FR): now lists the 4 real contributions · ublue-os/homebrew-experimental-tap#309 (PR, claude-code-linux cask) — first of the day · requarks/wiki#7986 (discussion, render IS NULL bug report) · grafana/alloy#6108 (PR, Promtail docs migration guide) · wazuh/wazuh-documentation#9512 (PR, warn about wazuh-agent postinst) - Status field: 'merged' → 'open' (honest; none merged upstream yet) - 'merged' date field → 'shipped' field semantically (day submitted) - /making-of/v3: 'first OSS PR accepted' → 'four OSS contributions shipped in one day' - Homepage OSS brick (EN+FR): contextualized PR #309 as 'first of four that day' - README.md: full refresh — 55 services (was 36), 4 PVE (was 3), 13 pages (was 8), SessionImprint, TopologyMap, DynNum, data pipelines documented Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does
Adds a
.. warning::admonition to Deploying Wazuh agents on Linux endpoints explaining that installing the Wazuh agent on a host that already runs the Wazuh manager is destructive.Why
The
wazuh-agentandwazuh-managerDebian/RPM packages share/var/ossec/and carry a mutualConflicts/Replacesrelationship. When an operator — often through configuration management — runsapt-get install wazuh-agenton the manager host, the manager is uninstalled silently (exit code 0, no stderr) and the SIEM goes offline along with all the agents connected to it.The current install page makes no mention of this. New operators (especially those who use Ansible
deploy_wazuh_agentsplaybooks and forget to exclude the manager from the target pattern) discover the problem only once alerts stop flowing, sometimes many hours later.Real-world context
This happened in a production-adjacent homelab earlier today: an Ansible run without the proper
!managerexclusion installedwazuh-agent=4.14.4-1on the manager host at 00:38, which triggeredRemove: wazuh-manager:amd64 (4.14.4-1). The SIEM was silently offline for ~17 hours before detection. The manager's/var/ossec/etc/ossec.confandclient.keyswere preserved by the postrm as.savefiles, but the/var/ossec/runtime was wiped. Recovery required reinstalling the manager package and restoring the.savefiles by hand.A single warning on this install page would have made this failure mode visible to anyone reading the guide before running
apt-get install wazuh-agentin their automation.Change
One
.. warning::admonition inserted right after the existing root-privileges.. note::, before the "Add the Wazuh repository" section. It:Conflicts/Replacesbehavior.hosts:and--limit).Checklist
.. warning::/.. note::).main(5.x docs branch).