SIEM Deployment
Step-by-Step
With Ali Ali

SIEM Implementation
Wazuh Step By Step #G1

Install Wazuh step by step (Indexer, Server, Dashboard)


o OS: Ubuntu
o VPS IP: 172.29.10.48
o Agent: Windows 11, IP: 172.29.10.211 – 240

Installing the Wazuh Indexer

• Certificates creation:
1. We download the wazuh-certs-tool.sh script and the config.yml configuration file using the following commands:

#curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
#curl -sO https://packages.wazuh.com/4.7/config.yml
2. We edit the ./config.yml file using vim and replace the IP values of the Wazuh server, Wazuh indexer, and Wazuh dashboard with the IP address of our machine (172.29.10.48):

#vim config.yml
3. We run ./wazuh-certs-tool.sh to create the certificates:
#bash ./wazuh-certs-tool.sh -A

4. We compress the certificate files into a tar archive and remove the now-redundant directory:

#tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . && rm -rf ./wazuh-certificates
• Nodes Installation:
1. We install package dependencies:
#apt-get install debconf adduser procps

2. We add the Wazuh repository using the following commands:

• We install the following packages:
#apt-get install gnupg apt-transport-https
• We install the GPG key:
#curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
• We add the repository:
#echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
• We update the package information:
#apt-get update
3. We install the Wazuh indexer:
#apt-get -y install wazuh-indexer
We did not edit the Wazuh indexer configuration (/etc/wazuh-indexer/opensearch.yml) because we kept the default indexer node name.
• We deploy the certificates using the following commands, replacing <indexer-node-name> with the name of the Wazuh indexer node that we defined in config.yml (node-1):
#NODE_NAME=node-1
#mkdir /etc/wazuh-indexer/certs
#tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
#mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
#mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
#chmod 500 /etc/wazuh-indexer/certs
#chmod 400 /etc/wazuh-indexer/certs/*
#chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
4. We start the service:
#systemctl daemon-reload
#systemctl enable wazuh-indexer
#systemctl start wazuh-indexer
• Cluster initialization:
1. We run the indexer-security-init.sh script:
#/usr/share/wazuh-indexer/bin/indexer-security-init.sh
2. We test the cluster installation:
#curl -k -u admin:admin https://172.29.10.48:9200
• We check that the single-node cluster is working correctly:
#curl -k -u admin:admin https://172.29.10.48:9200/_cat/nodes?v

Installing the Wazuh Manager

• Wazuh server node installation:
1. We install the Wazuh manager:
#apt-get -y install wazuh-manager
Then we enable and start the Wazuh manager service and verify its status:

#systemctl daemon-reload
#systemctl enable wazuh-manager
#systemctl start wazuh-manager
#systemctl status wazuh-manager
2. We install Filebeat:
#apt-get -y install filebeat
3. We download and configure Filebeat
• We download the preconfigured Filebeat configuration file and create a Filebeat keystore:
#curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
#filebeat keystore create
• We add admin:admin as the username and password to the secrets keystore:
#echo admin | filebeat keystore add username --stdin --force
#echo admin | filebeat keystore add password --stdin --force

• We try to download the alerts template for the Wazuh indexer:

#curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json
But we could not download the file because we are blocked from accessing this link. Therefore, we downloaded the file through a proxy server outside the server we are working on, and then copied its content into a file with the required name in the required path:
#cd /etc/filebeat/
#vim wazuh-template.json

After creating the file we make it readable by group and other users:

#chmod go+r /etc/filebeat/wazuh-template.json
4. We install the Wazuh module for Filebeat:
#curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
5. We deploy the certificates using the following commands, replacing <server-node-name> with the same name used in config.yml (wazuh-1). This is the server node name, not the indexer node name node-1 used earlier; with the wrong name tar extracts the indexer's certificate instead:

#NODE_NAME=wazuh-1
#mkdir /etc/filebeat/certs
#tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
#mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
#mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
#chmod 500 /etc/filebeat/certs
#chmod 400 /etc/filebeat/certs/*
#chown -R root:root /etc/filebeat/certs
6. We start the service and verify that Filebeat is successfully installed:
#systemctl daemon-reload
#systemctl enable filebeat
#systemctl start filebeat
#filebeat test output
We found this error:

Then we remembered to edit the /etc/filebeat/filebeat.yml configuration file and replace the value of hosts with the IP of our machine (172.29.10.48):

#vim /etc/filebeat/filebeat.yml
Then we repeat step 6 to restart the service and verify the Filebeat output again:
#systemctl daemon-reload
#systemctl enable filebeat
#systemctl start filebeat
#filebeat test output
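The IP edits made by hand in vim above (the three ip: values in config.yml during certificate creation, and the hosts value in /etc/filebeat/filebeat.yml here) are easy to script and, more importantly, easy to verify, so that `filebeat test output` is not the first place a forgotten edit shows up. The shell functions below are an added example and are not part of the original guide. The sample config.yml and filebeat.yml they write are constructed to resemble the Wazuh 4.7 templates (placeholders <indexer-node-ip>, <wazuh-manager-ip>, <dashboard-node-ip>; hosts: ["127.0.0.1:9200"]); confirm those patterns against the real downloaded files before running the functions on a live host.

```shell
#!/bin/sh
# Added example: script the "replace the IP" edits the guide does by hand and
# verify that nothing was left behind. Not part of the original guide.
# The sample files are constructed (they mimic the Wazuh 4.7 templates but are
# not copies of them).

# Replace every "<...-ip>" placeholder in config.yml with one address. In a
# single-node deployment the indexer, server and dashboard entries all point
# at the same host, which is exactly the edit made in the guide.
set_config_ips() {
    file="$1"; ip="$2"
    sed -i.bak "s/\"<[a-z-]*-ip>\"/\"$ip\"/g" "$file"
}

# Point Filebeat's indexer output at this host instead of the loopback default.
set_filebeat_host() {
    file="$1"; ip="$2"
    sed -i.bak "s/hosts: \[\"127\.0\.0\.1:9200\"]/hosts: [\"$ip:9200\"]/" "$file"
}

# Print the distinct ip: values found in config.yml, one per line.
config_ips() {
    sed -n 's/^ *ip: *"\(.*\)" *$/\1/p' "$1" | sort -u
}

# Print the hosts list configured for Filebeat's output.
filebeat_hosts() {
    sed -n 's/^ *hosts: *\[\(.*\)] *$/\1/p' "$1"
}

# Succeed only if no "<placeholder>" token survives in the file; list offenders otherwise.
check_no_placeholders() {
    if grep -n '<[A-Za-z-]*>' "$1"; then
        echo "check_no_placeholders: unresolved placeholders in $1" >&2
        return 1
    fi
}

# Constructed sample files (shape taken from the Wazuh 4.7 templates).
write_sample_files() {
    cat > "$1/config.yml" <<'EOF'
nodes:
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"
EOF
    cat > "$1/filebeat.yml" <<'EOF'
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
  username: ${username}
  password: ${password}
EOF
}

# Demo run against the constructed files in a scratch directory: sh this.sh demo
demo() {
    work=$(mktemp -d)
    write_sample_files "$work"
    set_config_ips "$work/config.yml" 172.29.10.48
    set_filebeat_host "$work/filebeat.yml" 172.29.10.48
    check_no_placeholders "$work/config.yml"
    echo "config.yml ips:  $(config_ips "$work/config.yml")"
    echo "filebeat hosts:  $(filebeat_hosts "$work/filebeat.yml")"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

sed keeps a .bak copy of each file it rewrites, so the original template is still there if the substitution goes wrong. On the real config.yml the commented-out second indexer node carries the same placeholder and is rewritten too, which is harmless.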
Installing the Wazuh Dashboard

1. We install package dependencies:
#apt-get install debhelper tar curl libcap2-bin   #debhelper version 9 or later

2. We install the Wazuh dashboard:
#apt-get -y install wazuh-dashboard

3. We deploy the certificates using the following commands, replacing <dashboard-node-name> with the same name used in config.yml (dashboard):
#NODE_NAME=dashboard
#mkdir /etc/wazuh-dashboard/certs
#tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
#mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
#mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
#chmod 500 /etc/wazuh-dashboard/certs
#chmod 400 /etc/wazuh-dashboard/certs/*
#chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

4. We start the Wazuh dashboard service:


#systemctl daemon-reload
#systemctl enable wazuh-dashboard
#systemctl start wazuh-dashboard
We access the Wazuh web interface with our credentials:

URL: https://172.29.10.48
Username: admin
Password: admin

But we faced the following problem:

To solve this issue we searched for the index pattern and found it in the file /etc/filebeat/wazuh-template.json.
So we add the missing title [wazuh-alerts-*] to wazuh-template.json.
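Because the template was pasted in by hand rather than downloaded, it is worth checking the file before Filebeat loads it. The function below is an added example, not part of the guide: it verifies the go+r permission the guide sets, that the JSON is complete (a truncated paste is the usual failure), and that index_patterns covers the wazuh-alerts- indices the dashboard looks for. The sample template it writes is a constructed stub with only the fields the check inspects; python3 is used for a full parse when present and skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the original guide): preflight checks for a
# /etc/filebeat/wazuh-template.json that was copied in by hand. Checks the
# three properties this deployment depends on: readable by Filebeat's helpers
# (chmod go+r), structurally complete JSON, and an index_patterns entry that
# matches the wazuh-alerts- indices.
check_template() {
    file="$1"

    [ -s "$file" ] || { echo "check_template: $file is missing or empty" >&2; return 1; }

    # go+r: group and other read bits, taken from the ls -l mode string.
    mode=$(ls -l "$file" | cut -c1-10)
    case "$mode" in
        ????r??r??) ;;
        *) echo "check_template: $file is $mode, expected group/other readable (chmod go+r)" >&2; return 1 ;;
    esac

    # Cheap structural sanity: a paste that lost its tail has unbalanced braces.
    opens=$(tr -cd '{' < "$file" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$file" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ] || { echo "check_template: $opens '{' vs $closes '}', paste probably truncated" >&2; return 1; }

    # Full parse when python3 is available; skipped quietly otherwise.
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$file" >/dev/null 2>&1 || { echo "check_template: $file is not valid JSON" >&2; return 1; }
    fi

    # The template must apply to the wazuh-alerts- indices the dashboard queries.
    # Whitespace is stripped first so it does not matter how the array is laid out.
    tr -d '\n\r\t ' < "$file" | grep -Eq '"index_patterns":\[[^]]*"wazuh-alerts-[^"]*"' \
        || { echo "check_template: no index_patterns entry for wazuh-alerts-* in $file" >&2; return 1; }
}

# Constructed minimal template carrying only the fields the check looks at;
# the real file is far larger.
write_sample_template() {
    cat > "$1" <<'EOF'
{
  "order": 0,
  "index_patterns": ["wazuh-alerts-4.x-*"],
  "settings": { "index.number_of_shards": "3" },
  "mappings": { "properties": { "agent": { "properties": { "id": { "type": "keyword" } } } } }
}
EOF
}

# Demo: a good copy passes, a truncated copy is rejected. Run: sh this.sh demo
demo() {
    work=$(mktemp -d)
    write_sample_template "$work/wazuh-template.json"
    chmod go+r "$work/wazuh-template.json"
    check_template "$work/wazuh-template.json" && echo "template OK"
    head -c 120 "$work/wazuh-template.json" > "$work/truncated.json"
    chmod go+r "$work/truncated.json"
    check_template "$work/truncated.json" || echo "truncated copy rejected as expected"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the server the call is simply `check_template /etc/filebeat/wazuh-template.json`, run after the chmod go+r step and before starting Filebeat.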
It’s NOT BUSINESS, It’s Very PERSONAL
Questions

Ali Ali
