Wazuh Part 2 - Installing Wazuh and Configuring The Server
In the first part, I gave a brief introduction to Wazuh, its components, and its
capabilities as an open source security monitoring platform that provides threat
detection, integrity monitoring, incident response and compliance.
In this second part of my Wazuh series, I will install Wazuh and its components,
configure the server, and take a tour of the dashboard interface.
Introduction
There are a few ways to install Wazuh, but the workflow is the same. The
installation method may depend on the purpose or size of the environment that
https://medium.com/@huglertomgaw/wazuh-part-2-installing-wazuh-and-configuring-the-server-6d2061e8c70c 1/29
12/27/23, 2:20 PM Wazuh | Part 2 : Installing Wazuh and Configuring the Server | Medium
For efficiency and practicality, I will be installing the server, indexer, and
dashboard on the same host, in what Wazuh calls an “all-in-one” installation.
Hence, my reference for installing Wazuh is the Quickstart page of their website.
Quickstart
This guide installs the Wazuh central components on the same host with the help
of an installation assistant. For other methods of installing Wazuh, refer to the
Installation guide page for more details and other installation options. The
installation takes just a few minutes.
Requirements
The following are the requirements for installing Wazuh.
Hardware
This requirement depends heavily on the number of protected endpoints and
cloud workloads. That number helps estimate how much data will be analyzed
and how many security alerts will be stored and indexed.
For this quickstart installation, the setup is usually enough for monitoring up to
100 endpoints and for 90 days of queryable/indexed alert data. The table below
shows the recommended hardware for a quickstart deployment:
Operating system
Browser compatibility
Supported browsers:
Chrome 95 or later
Firefox 93 or later
Other Chromium-based browsers might also work. Note: Internet Explorer 11 is not
supported.
Installing Wazuh
I re-purposed the Ubuntu server machine from my previous Snort lab. I also
uninstalled Snort on this machine because of incompatibility issues with Wazuh.
All my machines in this project have NAT and host-only interfaces, though I
believe the latter is not required.
From the image, it can be seen that the installation assistant first added the
Wazuh repository and generated the configuration files, then proceeded to
install the core components.
It also shows where to access the web interface and the credentials to use.
To print the credentials for all the Wazuh indexer and Wazuh API users, run the
following command. The passwords are contained in the wazuh-passwords.txt file
inside wazuh-install-files.tar .
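The quickstart's documented one-liner for this is `sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt`, which streams the file to the terminal instead of unpacking it. The following is an added example, not a command from the article or the Wazuh project: it does the same thing from Python, reading the file in memory so the plaintext credentials are never written to disk, and parses them into a dict for automation. The member path wazuh-install-files/wazuh-passwords.txt is the layout the installation assistant produces; the file contents used for the offline demo are constructed.

```python
"""Added example: read wazuh-passwords.txt out of wazuh-install-files.tar in
memory (no extraction to disk) and parse the key/value lines into a dict.
The archive layout is the one the Wazuh installation assistant produces; the
sample file contents below are constructed, not real credentials."""
import io
import tarfile

PASSWORDS_MEMBER = "wazuh-install-files/wazuh-passwords.txt"

# Constructed stand-in for the real file (same key/value layout, fake secrets).
SAMPLE_PASSWORDS_TXT = """# Admin user for the web user interface and Wazuh indexer.
  indexer_username: 'admin'
  indexer_password: 'ConstructedIndexerPassword'

# Wazuh API user. Use this user to log in to Wazuh API
  api_username: 'wazuh'
  api_password: 'ConstructedApiPassword'
"""


def build_sample_archive() -> bytes:
    """Build an in-memory tar with the same layout as wazuh-install-files.tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = SAMPLE_PASSWORDS_TXT.encode()
        info = tarfile.TarInfo(PASSWORDS_MEMBER)
        info.size = len(data)
        info.mode = 0o600  # the real file should be owner-readable only
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_passwords_text(archive) -> str:
    """Return the passwords file as text without extracting it to disk.

    `archive` is either a path to wazuh-install-files.tar or raw tar bytes.
    """
    if isinstance(archive, (bytes, bytearray)):
        tar = tarfile.open(fileobj=io.BytesIO(archive), mode="r")
    else:
        tar = tarfile.open(archive, mode="r")
    with tar:
        member = tar.extractfile(PASSWORDS_MEMBER)
        if member is None:
            raise FileNotFoundError(PASSWORDS_MEMBER)
        return member.read().decode()


def parse_passwords(text: str) -> dict:
    """Turn the `  key: 'value'` lines into a dict, ignoring comments and blanks."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        creds[key.strip()] = value.strip().strip("'\"")
    return creds


def load_credentials(archive) -> dict:
    """Convenience wrapper: archive (path or bytes) -> {"api_username": ..., ...}."""
    return parse_passwords(read_passwords_text(archive))


if __name__ == "__main__":
    # On a real install pass the path instead: load_credentials("wazuh-install-files.tar")
    creds = load_credentials(build_sample_archive())
    # Never echo the secrets themselves; show only which users were found.
    print("users found:", {k: v for k, v in creds.items() if k.endswith("_username")})
```

Reading the member with `extractfile` rather than `extractall` keeps the credentials out of the working directory, and `load_credentials` is what a deployment script would call before talking to the indexer or the API.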
The Wazuh central components can be uninstalled by running the Wazuh
installation assistant with the option -u or --uninstall .
Accessing the web interface for the first time displays a warning saying that the
certificate was not issued by a trusted authority, because the installation
assistant generates its own self-signed certificates. Click “Advanced” and then
“Accept the Risk and Continue” so that the certificate used by Wazuh is exempted.
The web interface can be accessed at https://<IP address> . In this example I used
the local host, but it can also be accessed using the NAT or host-only IP address.
Once I accepted the risk, I was presented with the login page. The credentials
are again found in the output of the first command used to install Wazuh.
Within each module are sub-modules that relate to some of its capabilities, like
Integrity Monitoring, Policy Monitoring, Security Configuration Assessment, and
Vulnerability Detection.
The Threat Detection and Response module continuously monitors the environment
for signs of weaknesses that may be exploited by attackers. The MITRE ATT&CK
framework is integrated to enhance Wazuh’s ability to detect, analyze and respond
to sophisticated cyber threats and attacks. If the server is configured to monitor
containers like Docker, which at this point it is not, a Docker Listener
sub-module will appear here.
MITRE ATT&CK outlines the various tactics, techniques, and procedures used by
adversaries during the different stages of a cyberattack.
The Management directory is the control center for administering and operating a
Wazuh installation. It is a section dedicated to configuring and managing the
various components of the Wazuh platform. It provides the tools and settings to
ensure that Wazuh is properly configured, integrated, and aligned with an
organization’s security needs.
The Agents directory is where the resources needed for the deployment,
configuration and management of Wazuh agents across an infrastructure are
located. It is also used to monitor the events and behavior of endpoints for
analysis, detection, and response.
Tools has two components: API Console and Ruleset Test. The API Console allows
interacting with the Wazuh manager's API from a web browser to manage and
monitor the installation programmatically; it provides a command-line-style
interface for making API calls without writing code. Ruleset Test allows testing
Wazuh rules before applying them in production.
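Both tools are front-ends for the Wazuh server API. The following is an added example, not the article's or the Wazuh project's own code, that does by hand what the API Console and Ruleset Test do behind the scenes: obtain a JWT from `POST /security/user/authenticate`, then send one log line to `PUT /logtest` and report which rule fired. Assumptions: the API listens on `https://<manager>:55000` (the default port), the user and password are the `api_*` values from wazuh-passwords.txt, and the environment variable `WAZUH_CA_CERT` (my own name) points at the root CA the installation assistant generated, so TLS is verified rather than switched off. The sample event and the sample API reply are constructed for the offline part of the demo.

```python
"""Added example: a minimal Wazuh API client that authenticates and runs a
ruleset test on one event, the same calls the dashboard's Tools pages make.
Endpoint paths and the default port are the documented ones; the sample event
and the sample reply below are constructed."""
import base64
import json
import os
import ssl
import urllib.request

SAMPLE_EVENT = ("Dec 27 14:20:00 ubuntu sshd[1234]: Failed password for invalid user "
                "test from 192.0.2.10 port 55555 ssh2")

# Constructed stand-in for a PUT /logtest reply (shape mirrors the documented response).
SAMPLE_LOGTEST_RESPONSE = json.dumps({
    "data": {
        "token": "constructed-session-token",
        "messages": [],
        "output": {
            "timestamp": "2023-12-27T14:20:00.000+0000",
            "rule": {"level": 5, "id": "5710", "firedtimes": 1, "mail": False,
                     "description": "sshd: Attempt to login using a non-existent user",
                     "groups": ["syslog", "sshd", "invalid_login", "authentication_failed"]},
            "full_log": SAMPLE_EVENT,
            "decoder": {"parent": "sshd", "name": "sshd"},
            "location": "stdin",
        },
        "alert": True,
        "codemsg": 0,
    },
    "error": 0,
}).encode()


def basic_auth_header(username: str, password: str) -> str:
    """Basic credentials are sent once, only to obtain the short-lived JWT."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_token(body: bytes) -> str:
    """Extract the JWT from the /security/user/authenticate response."""
    return json.loads(body)["data"]["token"]


def logtest_request_body(event: str, log_format: str = "syslog", location: str = "stdin") -> dict:
    """Body for PUT /logtest. Add "token" from a previous reply to continue a session."""
    return {"event": event, "log_format": log_format, "location": location}


def summarize_logtest(body: bytes) -> dict:
    """Reduce a /logtest reply to what an analyst wants: did a rule fire, and which."""
    data = json.loads(body)["data"]
    rule = data.get("output", {}).get("rule") or {}
    return {
        "alert": bool(data.get("alert")),
        "rule_id": rule.get("id"),
        "level": rule.get("level"),
        "description": rule.get("description"),
        "session_token": data.get("token"),
    }


def _call(url, method, headers, payload, ctx):
    """One HTTPS request with JSON body (when given); returns the raw reply bytes."""
    data = json.dumps(payload).encode() if payload is not None else None
    headers = dict(headers, **({"Content-Type": "application/json"} if data else {}))
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read()


def run_logtest(base_url, username, password, event, ca_cert):
    """Authenticate, then test one event. Needs network access; not used by the tests."""
    ctx = ssl.create_default_context(cafile=ca_cert)  # verify the API cert, do not disable TLS
    token = parse_token(_call(f"{base_url}/security/user/authenticate", "POST",
                              {"Authorization": basic_auth_header(username, password)}, None, ctx))
    reply = _call(f"{base_url}/logtest", "PUT", {"Authorization": f"Bearer {token}"},
                  logtest_request_body(event), ctx)
    return summarize_logtest(reply)


if __name__ == "__main__":
    print("offline sample:", summarize_logtest(SAMPLE_LOGTEST_RESPONSE))
    if os.environ.get("WAZUH_API_PASSWORD"):  # only hit a real manager when asked to
        print(run_logtest(os.environ.get("WAZUH_API_URL", "https://localhost:55000"),
                          os.environ.get("WAZUH_API_USER", "wazuh"),
                          os.environ["WAZUH_API_PASSWORD"], SAMPLE_EVENT,
                          os.environ.get("WAZUH_CA_CERT", "wazuh-install-files/root-ca.pem")))
```

The host in `WAZUH_API_URL` has to match a name or address in the API certificate, otherwise the verified TLS context will (correctly) refuse the connection; that is the price of not disabling verification, and it is the same problem the browser flagged on first login.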
The Settings folder contains configurations, logs and data for core backend
processes, modules and services that make up a Wazuh installation. It provides
centralized control over system-level components.
I created two groups on my server, a windows group and an ubuntu group. Grouping
agents this way allows me to tailor monitoring and policies specifically to Windows
or Linux endpoints in the future.
Two new groups are now added aside from the default group.
There are six groups of configuration settings in this folder: main configurations,
alerts and output management, auditing and policy monitoring, system threats and
incident response, log data analysis, and cloud security monitoring. The following
are some of the settings that can be configured here:
email notifications,
external integrations,
API configuration,
rules and decoders used by Wazuh for parsing logs and detecting security
events.
I enabled Wazuh archives. Wazuh archives are the files the Wazuh server creates
to store logs, alerts, and other security data from monitored devices. They store
everything the Wazuh server receives, whether or not it is a security event that
triggers a rule.
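What the dashboard toggle changes underneath are two settings in the manager's ossec.conf: `<logall>` (writes archives.log) and `<logall_json>` (writes archives.json) inside `<global>`. The following is an added example, not the article's or the Wazuh project's own code, that checks and enables those two settings and then classifies one archive record to show why archives differ from alerts. The element names and file paths are the documented ones; the configuration text and the archive record are constructed. One gotcha it handles: ossec.conf is several `<ossec_config>` blocks back to back rather than one XML document, so it has to be wrapped in a throwaway root before an XML parser will accept it.

```python
"""Added example: inspect and enable the Wazuh archives settings in a copy of
/var/ossec/etc/ossec.conf, and tell an archived raw event apart from an alert.
Element names and file paths are the documented ones; the configuration text
and the archives.json record below are constructed."""
import json
import xml.etree.ElementTree as ET

ARCHIVE_KEYS = ("logall", "logall_json")

# Constructed, trimmed stand-in for /var/ossec/etc/ossec.conf (archives off).
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
"""

# Constructed archives.json record: a decoded event that matched no rule, which
# alerts.json would never contain but archives keep.
SAMPLE_ARCHIVE_RECORD = json.dumps({
    "timestamp": "2023-12-27T14:20:00.000+0000",
    "agent": {"id": "000", "name": "ubuntu"},
    "manager": {"name": "ubuntu"},
    "id": "1703686800.12345",
    "full_log": "Dec 27 14:20:00 ubuntu sshd[1234]: Connection closed by 192.0.2.10 port 55555",
    "decoder": {"name": "sshd"},
    "location": "/var/log/auth.log",
})


def _parse(conf_text: str) -> ET.Element:
    """Wrap the multi-root file so ElementTree accepts it (XML comments are dropped)."""
    return ET.fromstring("<root>" + conf_text + "</root>")


def archives_status(conf_text: str) -> dict:
    """Report whether each archive output is switched on in any <global> block."""
    status = {key: False for key in ARCHIVE_KEYS}
    for glob in _parse(conf_text).iter("global"):
        for key in ARCHIVE_KEYS:
            el = glob.find(key)
            if el is not None and (el.text or "").strip().lower() == "yes":
                status[key] = True
    return status


def enable_archives(conf_text: str) -> str:
    """Return the config text with logall and logall_json set to yes.

    Work on a copy and review the diff before replacing the live file: comments
    are not preserved, and the manager must be restarted for the change to apply.
    """
    root = _parse(conf_text)
    glob = next(root.iter("global"), None)
    if glob is None:  # no <global> yet: add one to the first <ossec_config>
        glob = ET.SubElement(root.find("ossec_config"), "global")
    for key in ARCHIVE_KEYS:
        el = glob.find(key)
        if el is None:
            el = ET.SubElement(glob, key)
        el.text = "yes"
    blocks = []
    for block in root:  # unwrap: emit each <ossec_config> block separately again
        ET.indent(block, space="  ")
        blocks.append(ET.tostring(block, encoding="unicode").strip())
    return "\n\n".join(blocks) + "\n"


def classify_archive_record(line: str) -> dict:
    """Tell an alert (has a rule) from a raw event kept only because logall is on."""
    rec = json.loads(line)
    rule = rec.get("rule")
    return {
        "is_alert": rule is not None,
        "rule_id": rule["id"] if rule else None,
        "decoder": rec.get("decoder", {}).get("name"),
        "location": rec.get("location"),
    }


if __name__ == "__main__":
    print("before:", archives_status(SAMPLE_OSSEC_CONF))
    fixed = enable_archives(SAMPLE_OSSEC_CONF)
    print("after: ", archives_status(fixed))
    print(classify_archive_record(SAMPLE_ARCHIVE_RECORD))
```

Two practical notes. Archives hold every event, alert or not, so they grow far faster than alerts.json; plan disk space and rotation before switching them on. And enabling them on the manager only writes the local files: to see them in the dashboard, Filebeat on the server must also be told to ship them (the documented step is setting `archives: enabled: true` in /etc/filebeat/filebeat.yml and restarting Filebeat), after which they appear under the `wazuh-archives-*` index pattern.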
For the changes to take effect, save and restart the manager. This may take a
minute or so.
The Wazuh server is now configured, although I will be going back to edit the
configuration as required in the hands-on later. The only things missing are the
agents, so that exploring Wazuh’s capabilities can begin.
Conclusion
In this second part of my Wazuh series, I installed Wazuh and got the core
components up and running on an Ubuntu server. I took a tour of the dashboard
interface to understand how to navigate and monitor the system. I also configured
some key capabilities of Wazuh like file integrity monitoring, active response, and
vulnerability scanning to enhance security and detection.
With the foundation laid, I am now ready to deploy agents and see these capabilities
in action. Wazuh is set up and waiting to start ingesting and analyzing data from
endpoints.
In part 3, I will create a Windows VM and dive into deploying and managing agents
across both Ubuntu and Windows devices, ready for exploring the capabilities of
Wazuh.
References
Wazuh Documentation
HackerSploit
Written by igor_sec