12/27/23, 2:20 PM Wazuh | Part 2 : Installing Wazuh and Configuring the Server | Medium

Wazuh | Part 2 : Installing Wazuh and Configuring the Server
igor_sec · Follow
11 min read · Aug 14

Welcome to part 2 of my journey in exploring Wazuh to gain a semblance of real-life
experience in using an enterprise-grade security monitoring platform.

In the first part, I gave a brief introduction to Wazuh, its components and
capabilities as an open source security monitoring platform that provides threat
detection, integrity monitoring, incident response and compliance.

In this second part of my Wazuh series, I will be installing Wazuh and its
components, configuring the server, and taking a tour of the dashboard interface.

Introduction
There are a few methods for installing Wazuh, but the workflow is the same. The
installation method may depend on the purpose or size of the environment that
needs monitoring and protection. Whatever method is used, the installation
workflow below is followed.

https://medium.com/@huglertomgaw/wazuh-part-2-installing-wazuh-and-configuring-the-server-6d2061e8c70c

For efficiency and practicality, I will be installing the server, indexer, and the
dashboard on the same host, or what they call an "all-in-one" installation.
Hence, my reference for installing Wazuh is the Quickstart page of their website.

Quickstart
This guide installs the Wazuh central components on the same host with the
help of an installation assistant. For other methods of installing Wazuh, you may
refer to the Installation guide page for more details and other installation options.
The installation takes just a few minutes.

Requirements
Following are the requirements needed to install Wazuh.

Hardware
This requirement is highly dependent on the number of protected endpoints and
cloud workloads. This number helps estimate how much data will be analyzed
and how many security alerts will be stored and indexed.

In this quickstart installation, the setup is usually enough for monitoring up to 100
endpoints and for 90 days of queryable/indexed alert data. The table below shows
the recommended hardware for a quickstart deployment:

For larger environments, see the Installation guide.

Operating system
Wazuh central components can be installed on a 64-bit Linux operating system.

Recommended operating system versions:

Browser compatibility
Supported browsers:

Chrome 95 or later

Firefox 93 or later

Safari 13.7 or later

Other Chromium-based browsers might also work. Note: Internet Explorer 11 is not
supported.

Installing Wazuh
I re-purposed the Ubuntu server machine from my previous Snort lab. I also
uninstalled Snort on this machine due to incompatibility issues with Wazuh. All my
machines in this project have NAT and host-only interfaces, though I believe that the
latter is not required.

Creating and configuring my initial Ubuntu server can be found here.

To start off, I downloaded and started the Wazuh installation assistant.

sudo curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

From the image, it can be seen that the installation assistant initially added the
Wazuh repository then generated the configuration files. After which, it proceeded
to install the core components.

It also shows where to access the web interface, and the credentials to be used.

To print the credentials for all the Wazuh indexer and Wazuh API users, run the
following command. The passwords are contained in the wazuh-passwords.txt file
inside wazuh-install-files.tar.

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

The Wazuh central components can be uninstalled by running the Wazuh
installation assistant with the option -u or --uninstall.

Accessing the web interface for the first time displays a warning message saying
that the certificate was not issued by a trusted authority. Click on "Advanced" and
then "Accept the Risk and Continue" so that an exception is added for the certificate
used by Wazuh.

The web interface can be accessed at https://<IP address>. In this example, I used
localhost, but it can also be accessed using the NAT or host-only IP addresses.

Once I accepted the risk, I was presented with the login page. The credentials
are again found in the output of the first command used for installing Wazuh.

Exploring the Dashboard
There are four main modules in the Modules directory. They are Security
Information Management, Auditing and Policy Monitoring, Threat Detection and
Response, and Regulatory Compliance.

Within each module are sub-modules, which relate to some of its capabilities like
Integrity Monitoring, Policy Monitoring, Security Configuration Assessment, and
Vulnerability Detection.

The Security Information Management module focuses on centralizing and
managing security-related data, events, and logs to provide a comprehensive view of
an organization's security posture.

The Security Events sub-module displays a summary of security events, highlighting their severity and status.

The Integrity Monitoring sub-module is responsible for tracking changes to files
and system configurations to ensure their integrity and security. It's an essential tool
for detecting unauthorized modifications and potential security breaches.

The Auditing and Policy Monitoring module contains sub-modules for continuous
auditing and monitoring of agents for compliance with policies, controls, processes,
and procedures to detect anomalies and policy breaches.

The Threat Detection and Response module continuously monitors the environment for
signs of weaknesses that may be exploited by attackers. The MITRE ATT&CK
framework is integrated to enhance Wazuh's ability to detect, analyze and respond
to sophisticated cyber threats and attacks. If the server is configured to monitor
containers like Docker, which at this point it is not, a Docker Listener sub-module will
appear here.

MITRE ATT&CK outlines the various tactics, techniques, and procedures used by
adversaries during the different stages of a cyberattack.

The Regulatory Compliance module helps organizations meet compliance requirements
by providing audit trails, reporting, and policy monitoring as per standards like PCI DSS,
HIPAA, GDPR, etc.

The Management directory is the control center for administrating and operating a
Wazuh installation. It is a section dedicated to configuring and managing various
components of the Wazuh platform. It provides tools and settings to ensure that
Wazuh is properly configured, integrated, and aligned with an organization’s
security needs.

The Agents directory is where the resources needed for the deployment,
configuration and management of Wazuh agents across an infrastructure are
located. It is also used to monitor events and behavior of endpoints for analysis,
detection, and response.

Tools has two components: API Console and Ruleset Test. The API Console allows
interacting with the Wazuh manager API from a web browser to manage and
monitor the installation programmatically. The console provides a command line
interface to make API calls without writing code. Ruleset Test allows testing Wazuh
rules before applying them in production.

The components of the Security section allow Wazuh administrators to set up role-based
access control (RBAC) by creating user accounts, assigning them to roles, and
crafting authorization policies tailored to each role's functions. This provides user
management, access control and separation of duties within Wazuh.

The Settings folder contains configurations, logs and data for core backend
processes, modules and services that make up a Wazuh installation. It provides
centralized control over system-level components.

Configuring the Wazuh Server
Most of the configuration settings of my Wazuh server are based on the HackerSploit
YouTube video on Installing & Configuring Wazuh.

I created two groups in my server, a windows group, and an ubuntu group. Grouping
agents this way allows me to tailor monitoring and policies specifically to Windows
or Linux endpoints in the future.

Go to the Management directory and select Groups. Click on "Add new group".

Two new groups are now added aside from the default group.
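What grouping buys you is a per-group agent.conf that the manager pushes only to agents in that group. The following is an added example for the windows group (not the author's file): it assumes the shared configuration path /var/ossec/etc/shared/windows/agent.conf and monitors paths that exist on Windows endpoints but not on the Ubuntu ones.

```xml
<!-- Added example, not the author's configuration. Assumed path:
     /var/ossec/etc/shared/windows/agent.conf, pushed only to the "windows" group. -->
<agent_config>
  <!-- FIM on Windows-only paths: hosts file directory and the per-machine autorun key -->
  <syscheck>
    <directories check_all="yes" realtime="yes">%WINDIR%\System32\drivers\etc</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>
  <!-- Collect the Windows Security event channel from every agent in the group -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
```

The Ubuntu group gets its own agent.conf under /var/ossec/etc/shared/ubuntu/, so Linux paths and log files never reach the Windows agents.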

Six configuration sections can be edited in this folder: main configurations, alerts
and output management, auditing and policy monitoring, system threats and
incident response, log data analysis, and cloud security monitoring. The following
are some of the settings that can be configured here:

email notifications,

log retention policies,

external integrations,

API configuration,

remote command execution,

cluster settings if applicable,

agent registration, communication, and synchronization with the manager,

rules and decoders used by Wazuh for parsing logs and detecting security
events.

Click Edit configuration to start editing the configuration settings.

Moving forward, the following are the configurations in my Wazuh server.

I enabled Wazuh archives. Wazuh archives are the files that the Wazuh server
creates to store logs, alerts, and other security data from monitored devices.
They store everything that the Wazuh server receives, whether it’s a security
event that triggers a rule or not.

This setting is for configuring email notifications. Wazuh can be configured to
send emails for particular logs.

Policy monitoring is enabled. I turned on policy monitoring to continuously
audit agents against security configuration benchmarks. This lets me identify
and fix policy violations.

Osquery is enabled. I enabled Osquery so that I can practice my SQL-based
queries in exploring the operating system data of the endpoints.

System inventory is enabled. This will run periodic scans on my endpoints to
collect details like installed software, running processes, open network ports,
connected hardware, and operating system version. Maintaining an up-to-date
inventory provides greater visibility into my environment and is useful for
things like vulnerability management. The inventory data will be stored locally
on agents and can also be queried centrally via the Wazuh API or dashboard.

Vulnerability-detector is enabled. With vulnerability detection enabled, Wazuh
will scan my Ubuntu server and agents to detect any vulnerable software
packages installed. This prevents overlooked vulnerabilities from turning into
exploit targets down the road.

Enabled Ubuntu and Debian OS vulnerabilities. I configured Wazuh to check
multiple sources like Debian, Ubuntu, and Windows advisories for known
vulnerabilities. This supplements the vulnerability data from the National
Vulnerability Database to provide broader coverage.

Windows OS vulnerabilities are enabled by default.

We can also add more sources for vulnerability detection.

File integrity monitoring is enabled. I enabled FIM to monitor critical paths,
files, and directories. FIM will alert me to any unauthorized changes to system
binaries, application files, or log files so I can investigate immediately or
respond to them in a timely manner.

Active response configuration. The image below contains the commands that
Wazuh will run when triggered. Now when high severity alerts are triggered that
indicate a real threat, Wazuh can take actions like blocking an IP address or
killing a process automatically. This speeds up incident response.

System Inventory is enabled. I enabled the System Inventory module in Wazuh
to gain greater visibility into the endpoints in my environment. This module will
periodically run scans to collect details like installed software, running
processes, open network ports, connected hardware devices, and the operating
system version.

This setting edits the cluster configuration. I left it as it is since my environment
is small and there's no need for me to change it.

For the changes to take effect, save and restart the manager. This may take a minute
or so.
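The Edit configuration screen writes to the manager's /var/ossec/etc/ossec.conf, so the settings walked through above all land in that one file. The fragment below is an added example, not the author's configuration (whose exact values are only in the screenshots); the intervals, FIM paths, provider releases and the level-10 active-response threshold are assumed values for a small Ubuntu lab like this one.

```xml
<!-- Added example, not the author's configuration: a manager ossec.conf
     fragment for the settings enabled above. Intervals, paths and the
     level-10 threshold are assumed values for a small lab. -->
<ossec_config>
  <global>
    <!-- Wazuh archives: keep every received event, whether or not it fires a rule -->
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>

  <!-- Policy monitoring (rootcheck) against the bundled system audit checks -->
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>

  <!-- System inventory (syscollector): hourly scan of packages, ports and processes -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- Vulnerability detector: Ubuntu (canonical) and Debian feeds added;
       msu is the Windows feed the post notes is on by default -->
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="debian">
      <enabled>yes</enabled>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="msu">
      <enabled>yes</enabled>
    </provider>
  </vulnerability-detector>

  <!-- File integrity monitoring of system binaries and configuration, twice a day -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories>/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
  </syscheck>

  <!-- Active response: drop the alert's source IP for 10 minutes on level 10+ alerts -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

A timeout on the firewall-drop response matters: without it the block is permanent, and a noisy rule can lock out legitimate hosts until someone clears the firewall by hand.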

The Wazuh server is now configured, although I will be going back to edit the
configuration as required in the hands-on later. The only things missing are
the agents, so that exploring Wazuh's capabilities can begin.

Conclusion
In this second part of my Wazuh series, I installed Wazuh and got the core
components on Ubuntu server up and running. I took a tour of the dashboard
interface to understand how to navigate and monitor the system. I also configured
some key capabilities of Wazuh like file integrity monitoring, active response, and
vulnerability scanning to enhance security and detection.

With the foundation laid, I am now ready to deploy agents and see these capabilities
in action. Wazuh is now set up and waiting to start ingesting and analyzing data
from endpoints.

In part 3, I will be creating a Windows VM and diving into deploying and managing
agents across both Ubuntu and Windows devices, ready for exploring the
capabilities of Wazuh.

Thanks for reading!

See you in the next part.

References
Wazuh Documentation

HackerSploit

Originally published at http://igorsec.blog on August 14, 2023.
