SIEM: Deploying Wazuh

STASIS
6 min read · Sep 12, 2023

In this article we will deploy the Wazuh (v4.5) SIEM to a single node in our lab environment.

What: Wazuh is an enterprise-ready open-source Security Information and Event Management (SIEM) and XDR solution that is rapidly gaining traction with organizations across the world. Check out Wazuh’s documentation site for a wealth of information: https://documentation.wazuh.com/current/index.html.

Some of its capabilities are as follows:

  • Security log analysis
  • Alerting and notifications
  • Threat hunting
  • Behavioral analysis
  • Automated response
  • Cloud workload protection
  • Threat Intelligence
  • Compliance & reporting
  • Reporting & Insights
  • Vulnerability detection
  • Security Configuration Assessment
  • Regulatory Compliance
  • Easy integration with third-party solutions
  • Universal agent capable of being deployed to Windows, MacOS, and various Linux distributions

Let’s get to the deployment!

Deploying Wazuh

Requirements:

The below requirements are taken directly from Wazuh’s quickstart guide found here https://documentation.wazuh.com/current/quickstart.html.

Wazuh is made up of three components: the Indexer, the Server, and the Dashboard. Each component can be installed on a separate server. For this guide we will be deploying everything to a single node.

If you wish to install the components separately, you can use the Wazuh Installation Assistant built into the regular install script: https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/installation-assistant.html

Note: If your organization is larger than what is stated in the requirements, you can deploy multiple nodes as a cluster. Additional nodes can be added easily, allowing you to scale up as required.

It is also recommended to use one of the following Operating Systems for your deployment.

Now, let’s get to work deploying our SIEM!

The Meat and Potatoes

  1. The team at Wazuh makes deploying their solution incredibly easy. Run the following command on your server. This will download and run the installation script.
curl -sO https://packages.wazuh.com/4.5/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Note: If you are installing Wazuh on an unsupported OS version such as Ubuntu 23.04, you can bypass the OS check using the “-i” argument. Do so at your own risk! See below:

curl -sO https://packages.wazuh.com/4.5/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i

2. Once the installation completes you will receive output that contains your admin login credentials. Make sure you change these after your first login.

The default Wazuh Indexer and API users can also be printed via the following command:

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

You are now ready to login for the first time!

3. In your preferred web browser, browse to the local IP address of your Wazuh server. Log in using the admin credentials you were provided in the command output after completing the installation.

Note: Your browser will likely throw a certificate error. This is expected, as we have not set up a certificate for the server. It is recommended to set up a certificate from a trusted authority. Use the following guide to deploy certificates to your Wazuh server(s): https://documentation.wazuh.com/current/user-manual/certificates.html

Configuration Changes

Upon logging in you will be faced with a screen similar to the screenshot below, minus the already deployed agents. This screen shows the default modules.

Enabling additional Modules

  1. To enable additional modules, select the drop-down menu right beside the Wazuh logo and select “Settings.”

2. From here select “Modules.”

You will then be presented with a new page listing out all the available modules in the GUI.

Note: These can all also be configured via the ossec.conf file located at /var/ossec/etc/ossec.conf, along with many other settings and customizations.

One of the first things you should ensure you enable is the Vulnerability detector for the Operating Systems in your environment. Here is an example from the ossec.conf file in our lab environment.

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <os>jammy</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Debian OS vulnerabilities -->
  <provider name="debian">
    <enabled>yes</enabled>
    <os>buster</os>
    <os>bullseye</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>

Make sure you also enable File integrity monitoring within the ossec.conf file (the syscheck block is enabled when its disabled element is set to “no”):

<!-- File integrity monitoring -->
<syscheck>
  <!-- "no" keeps syscheck running; "yes" would turn FIM off -->
  <disabled>no</disabled>

  <!-- Frequency that syscheck is executed, default every 12 hours -->
  <frequency>43200</frequency>

  <scan_on_start>yes</scan_on_start>

  <!-- Generate alert when new file detected -->
  <alert_new_files>yes</alert_new_files>

  <!-- Don't ignore files that change more than 'frequency' times -->
  <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
</syscheck>
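Because the settings above are easy to get subtly wrong (a vulnerability-detector provider left disabled, or a syscheck block still carrying disabled=yes), a quick audit of the manager’s ossec.conf is worth having. The script below is an added example, not code from the article or the Wazuh project; it assumes the file layout shown in the two snippets above and embeds a constructed sample rather than reading /var/ossec/etc/ossec.conf. A real ossec.conf contains several top-level ossec_config blocks, so it is not a single-root XML document and must be wrapped before parsing.

```python
# Added example (not from the article or Wazuh itself): audit an ossec.conf for the
# two settings the article says to turn on. ossec.conf has several top-level
# <ossec_config> blocks, so it must be wrapped in a synthetic root before parsing.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the article's lab config; syscheck is
# deliberately left disabled so the audit has something to flag.
SAMPLE_CONF = """<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <os>jammy</os>
    </provider>
    <provider name="debian">
      <enabled>no</enabled>
      <os>bullseye</os>
    </provider>
  </vulnerability-detector>
</ossec_config>
<ossec_config>
  <syscheck>
    <disabled>yes</disabled>
  </syscheck>
</ossec_config>
"""

def parse_ossec_conf(text: str) -> ET.Element:
    """Parse ossec.conf text, tolerating its multiple <ossec_config> roots."""
    return ET.fromstring("<root>" + text + "</root>")

def _text(elem, tag, default=""):
    """Lower-cased text of a child element, or default when absent."""
    child = elem.find(tag) if elem is not None else None
    return (child.text or "").strip().lower() if child is not None else default

def audit_ossec_conf(text: str) -> dict:
    """Report whether vulnerability detection and FIM are actually in effect."""
    root = parse_ossec_conf(text)
    vd = root.find("./ossec_config/vulnerability-detector")
    providers = {}
    for p in (vd.findall("provider") if vd is not None else []):
        if _text(p, "enabled") == "yes":
            providers[p.get("name")] = [o.text.strip() for o in p.findall("os")]
    fim = root.find("./ossec_config/syscheck")  # runs unless <disabled> is "yes"
    return {
        "vuln_detector_enabled": _text(vd, "enabled") == "yes",
        "enabled_providers": providers,
        "fim_enabled": fim is not None and _text(fim, "disabled", "no") != "yes",
    }
```

Run it against the real file with open("/var/ossec/etc/ossec.conf").read() in place of SAMPLE_CONF; a provider that is configured but not enabled, or a syscheck block with disabled=yes, shows up immediately in the returned dict.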

There are so many configuration options you can modify. Experiment with each of them and see what works for you.

Deploying Agents to Endpoints

Deploying agents in Wazuh is, like most other aspects, very simple.

  1. Go back to the Wazuh drop-down menu and select “Agents.”

2. From there select the “Deploy agent” button on the right of the UI.

3. The next screen will provide you with multiple options such as the Operating System, Wazuh server address, Group, and more.

4. Do the following:

  • Select the operating system of the endpoints you wish to deploy the agent to
  • Enter your Wazuh server address (IP or FQDN)
  • Select the group; by default there is a “default” group

5. From there you will be provided with an enrollment command you can use on each of your endpoints. Note that this can be reused in a deployment script if you are using a remote management tool or other asset management platform.

Here is an example of a Debian-based agent deployment command:

curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.5.1-1_amd64.deb && sudo WAZUH_MANAGER='10.0.1.20' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent.deb

Depending on which OS you are deploying the agents to, you may also need to run additional commands. Following the previous example, here is what is required to be run on the endpoints after the agent package is installed. Again, this will differ from OS to OS.

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

6. If you’ve done everything correctly your agent will show up in the Agents console:

7. Selecting an agent will take you to a page which provides you with additional information about the endpoint.

You can view additional configuration options, MITRE ATT&CK events, software and hardware inventories, and other security-related events on the system.

Great! We have just deployed Wazuh, and installed our first agent on an endpoint!

Conclusion and future articles:

As you can see, Wazuh is incredibly easy to deploy and configure. In future articles we will be digging deeper into the following:

  • Advanced ossec.conf file settings
  • Third-party integrations
  • Active Response
  • Threat Hunting
  • Detection Engineering
  • and more!

If you haven’t already checked out my article about deploying Shuffle SOAR, check it out here: https://stasis.dev/soar-deploying-shuffle-ad26173525d2

About the Author: STASIS is a Security professional with over 13 years in the Tech industry. He is passionate about security and finding ways to make teams more efficient. When not defending against threat actors he enjoys mentoring others, writing music and spending time with his loved ones.
