Wazuh | Part 2 : Installing Wazuh and Configuring the Server

Welcome to part 2 of my journey in exploring Wazuh to gain a semblance of real-life experience in using an enterprise-grade security monitoring platform.

In the first part, I gave a brief introduction to Wazuh, its components, and its capabilities as an open source security monitoring platform that provides threat detection, integrity monitoring, incident response, and compliance.

In this second part of my Wazuh series, I will be installing Wazuh and its components, configuring the server, and taking a tour of the dashboard interface.


Introduction

There are a few ways to install Wazuh, but the workflow is always the same: the Wazuh indexer is installed first, then the Wazuh server (manager), then the Wazuh dashboard. Which method to use depends on the purpose and size of the environment that needs monitoring and protection.

For efficiency and practicality, I will be installing the server, indexer, and dashboard on the same host, which Wazuh calls an “all-in-one” installation. My reference for this is the Quickstart page on the Wazuh website.

Quickstart

This guide installs the Wazuh central components on a single host with the help of an installation assistant, and takes only a few minutes. For other ways of installing Wazuh, see the Installation guide page for details and deployment options.

Requirements

Following are the requirements needed to install Wazuh.

Hardware

This requirement depends heavily on the number of protected endpoints and cloud workloads, since that number drives how much data is analyzed and how many security alerts are stored and indexed.

The quickstart setup is usually enough for monitoring up to 100 endpoints with 90 days of queryable (indexed) alert data. The table below shows the recommended hardware for a quickstart deployment:

Agents    CPU      RAM      Storage (90 days)
1–25      4 vCPU   8 GiB    50 GB
25–50     8 vCPU   8 GiB    100 GB
50–100    8 vCPU   8 GiB    200 GB

For larger environments, see the Installation guide.

Operating system

Wazuh central components can be installed on a 64-bit Linux operating system. Recommended operating system versions:

  • Amazon Linux 2
  • CentOS 7, 8
  • Red Hat Enterprise Linux 7, 8, 9
  • Ubuntu 16.04, 18.04, 20.04, 22.04

Browser compatibility

Supported browsers:

  • Chrome 95 or later
  • Firefox 93 or later
  • Safari 13.7 or later

Other Chromium-based browsers might also work. Note: Internet Explorer 11 is not supported.

Installing Wazuh

I re-purposed the Ubuntu server machine from my previous Snort lab. I also uninstalled Snort on this machine due to incompatibility issues with Wazuh. All my machines in this project have NAT and host-only interfaces, though I believe that the latter is not required.

Creating and configuring my initial Ubuntu server can be found here.

To start off, I downloaded and ran the Wazuh installation assistant with the -a (all-in-one) option. Note that this fetches a script over HTTPS and runs it as root; outside a lab, read the script before running it.

sudo curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

The installation assistant first adds the Wazuh repository and generates the configuration files and certificates, then installs the core components (indexer, server, and dashboard).

At the end of its output it shows where to reach the web interface and the credentials to use.

To print the credentials for all the Wazuh indexer and Wazuh API users, run the following command. The passwords are in the wazuh-passwords.txt file inside wazuh-install-files.tar. That archive also contains the certificates and private keys the assistant generated, so keep it readable only by root and delete it, or move it off the host, once the credentials are stored somewhere safe.

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

The Wazuh central components can be uninstalled by running the installation assistant with the -u or --uninstall option.

Accessing the web interface for the first time displays a warning that the certificate was not issued by a trusted authority. This is expected: the assistant generates a self-signed certificate. Click “Advanced” and then “Accept the Risk and Continue” to add an exception for it. In anything beyond a lab, replace it with a certificate issued by a CA your browsers already trust, so users are never trained to click through this warning.

The web interface is reached at https://<server IP>. In this example I used localhost, but the NAT or host-only address of the server works as well.

Once I accepted the risk, I was presented with the login page. The credentials are the ones printed at the end of the installation assistant's output (or by the tar command above).


Exploring the Dashboard

There are four main modules in the Modules directory: Security Information Management, Auditing and Policy Monitoring, Threat Detection and Response, and Regulatory Compliance.

Within each module are sub-modules that correspond to individual capabilities, such as Integrity Monitoring, Policy Monitoring, Security Configuration Assessment, and Vulnerability Detection.

The Security Information Management module focuses on centralizing and managing security-related data, events, and logs to provide a comprehensive view of an organization’s security posture.

The Security events sub-module displays a summary of security events, highlighting their severity and status.

The Integrity Monitoring sub-module is responsible for tracking changes to files and system configurations to ensure their integrity and security. It’s an essential tool for detecting unauthorized modifications and potential security breaches.

Auditing and Policy Monitoring module contains sub-modules for continuous auditing and monitoring of agents for compliance with policies, controls, processes, and procedures to detect anomalies and policy breaches.

The Threat Detection and Response module continuously monitors the environment for signs of weaknesses that attackers may exploit. The MITRE ATT&CK framework is integrated to enhance Wazuh’s ability to detect, analyze, and respond to sophisticated threats. If the server is configured to monitor containers such as Docker, which at this point it is not, a Docker Listener sub-module appears here as well.

MITRE ATT&CK outlines the various tactics, techniques, and procedures used by adversaries during the different stages of a cyberattack.

Regulatory Compliance module helps organizations meet compliance requirements by providing audit trails, reporting, policy monitoring as per standards like PCI DSS, HIPAA, GDPR, etc.

The Management directory is the control center for administrating and operating a Wazuh installation. It is a section dedicated to configuring and managing various components of the Wazuh platform. It provides tools and settings to ensure that Wazuh is properly configured, integrated, and aligned with an organization’s security needs.

The Agents directory is where the resources needed for the deployment, configuration and management of Wazuh agents across an infrastructure are located. It is also used to monitor events and behavior of endpoints for analysis, detection, and response.

The Tools directory has two components: API Console and Ruleset Test. The API Console lets you interact with the Wazuh manager's REST API from the browser to manage and monitor the installation programmatically; it provides a command-line-like interface for making API calls without writing code. Ruleset Test lets you test Wazuh rules and decoders against sample log lines before applying them in production.

The Security directory lets Wazuh administrators set up role-based access control (RBAC) by creating user accounts, assigning them to roles, and crafting authorization policies tailored to each role's functions. This provides user management, access control, and separation of duties within Wazuh.

The Settings folder contains configurations, logs and data for core backend processes, modules and services that make up a Wazuh installation. It provides centralized control over system-level components.


Configuring the Wazuh Server

Most of the configuration settings of my Wazuh server are based on the HackerSploit YouTube video on Installing & Configuring Wazuh.

I created two groups in my server, a windows group, and an ubuntu group. Grouping agents this way allows me to tailor monitoring and policies specifically to Windows or Linux endpoints in the future.

Go to the Management directory and select Groups. Click on “Add new group”, type in the name of the group, and save it.

Two new groups are now added aside from the default group.
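As an added example (not from the original post), this is how a group gets its own monitoring settings: the manager keeps a per-group agent.conf under /var/ossec/etc/shared/<group>/ and pushes it to every agent enrolled in that group, where it is merged with the agent's local ossec.conf. The file below is a hypothetical agent.conf for the windows group; the monitored paths and the event channel in it are my own illustrative choices, not settings taken from the post.

```xml
<!-- /var/ossec/etc/shared/windows/agent.conf on the manager.
     Applies only to agents in the "windows" group; Linux agents in the
     "ubuntu" group get their own file under /var/ossec/etc/shared/ubuntu/. -->
<agent_config>
  <!-- FIM on a few high-value Windows paths; realtime alerts on change
       rather than waiting for the next scheduled scan. -->
  <syscheck>
    <directories check_all="yes" realtime="yes">%WINDIR%\System32\drivers\etc</directories>
    <directories check_all="yes">%PROGRAMFILES%</directories>
  </syscheck>

  <!-- Collect the Sysmon event channel (assumes Sysmon is installed on the endpoint). -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
```

Agents fetch the updated file on their next keep-alive, so a change here reaches every member of the group without touching the endpoints; the "ubuntu" group would get the equivalent file with Linux paths such as /etc/ssh and /var/log/auth.log.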

On the Management > Configuration page there are six configuration sections: main configurations, alerts and output management, auditing and policy monitoring, system threats and incident response, log data analysis, and cloud security monitoring. The following are some of the settings that can be configured here:

  • email notifications,
  • log retention policies,
  • external integrations,
  • API configuration,
  • remote command execution,
  • cluster settings if applicable,
  • agent registration, communication, and synchronization with the manager
  • rules and decoders used by Wazuh for parsing logs and detecting security events.

Click Edit configuration to start editing the configuration settings.

Moving forward, the following are the configurations in my Wazuh server.

  • I enabled Wazuh archives. Archives are the files in which the Wazuh server stores every event it receives from monitored devices, whether or not the event matches a rule (alerts, by contrast, only contain rule matches). They are written under /var/ossec/logs/archives/ and are not indexed by default, so enabling them can consume disk space quickly.
  • This setting configures email notifications. Wazuh can be configured to send emails for particular alerts.
  • Policy monitoring is enabled. I turned on policy monitoring to continuously audit agents against security configuration benchmarks. This lets me identify and fix policy violations.
  • Osquery is enabled. Once osquery itself is installed on an endpoint, the Wazuh osquery module runs SQL-based queries against the operating system data of that endpoint and forwards the results to the manager.
  • System inventory is enabled. This runs periodic scans on my endpoints to collect details like installed software, running processes, open network ports, connected hardware, and operating system version. Maintaining an up-to-date inventory gives greater visibility into my environment and is useful for things like vulnerability management. The inventory is sent to the manager, stored in each agent's database there, and can be queried centrally via the Wazuh API or the dashboard.
  • Vulnerability-detector is enabled. With vulnerability detection enabled, the manager correlates the package inventory collected by syscollector on my Ubuntu server and agents against vulnerability feeds and flags vulnerable packages, so they can be patched before they become targets.
  • Enabled Ubuntu and Debian OS vulnerabilities. I configured Wazuh to pull advisories from Debian, Ubuntu, and Microsoft in addition to the National Vulnerability Database, for broader coverage.
  • Windows OS vulnerabilities (the Microsoft feed) are enabled by default, as is the NVD feed.
  • File integrity monitoring is enabled. I enabled FIM to monitor critical paths, files, and directories. FIM alerts me to unauthorized changes to system binaries, application files, or log files so I can investigate and respond in a timely manner.
  • Active response configuration. This section defines the commands Wazuh runs when specific rules fire. When a high-severity alert indicates a real threat, Wazuh can automatically block an IP address or kill a process, which speeds up incident response. Any automated block should carry a timeout, so that a spoofed source address cannot permanently lock out a legitimate host.
  • This setting edits the cluster configuration. I left it as it is since my environment is small and there’s no need for me to change it.
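As an added example (not the author's configuration, which was edited through the dashboard), the following ossec.conf fragment shows what the settings in the list above look like in /var/ossec/etc/ossec.conf on the manager, which is the file the dashboard's Edit configuration button writes to. The monitored directories, scan intervals, and feed versions are my own illustrative choices; rule 5712 is the Wazuh ruleset's SSH brute-force rule, used here to drive the active response.

```xml
<!-- /var/ossec/etc/ossec.conf (manager); only the sections touched above are shown -->
<ossec_config>
  <!-- Archives: keep every received event, not only the ones that match a rule -->
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <!-- Email: set to yes and add smtp_server, email_from and email_to to enable -->
    <email_notification>no</email_notification>
  </global>

  <!-- Policy monitoring (rootcheck) -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_ports>yes</check_ports>
    <check_pids>yes</check_pids>
    <frequency>43200</frequency>
    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <!-- Osquery integration (osquery itself must be installed on the host) -->
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory (syscollector); vulnerability detection reads this inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- Vulnerability detection: Ubuntu and Debian feeds added to the default MSU and NVD feeds -->
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="debian">
      <enabled>yes</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>

  <!-- File integrity monitoring on the manager itself -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <directories check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin,/boot</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>

  <!-- Active response: drop the attacking IP for 10 minutes when rule 5712
       (SSH brute force) fires. The timeout is what stops a spoofed source
       from causing a permanent lockout. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After saving, restart the manager (systemctl restart wazuh-manager) and check /var/ossec/logs/ossec.log for configuration errors. Vulnerability results only appear for agents whose syscollector package inventory has already reached the manager, and location "local" means the firewall-drop script runs on the agent that produced the alert, so that agent must have it (it ships with the Linux agent and the manager).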

For the changes to take effect, save and restart the manager. This may take a minute or so.

The Wazuh server is now configured, although I will be going back to edit the configuration as required in the hands-on later. The only things missing are the agents, so that exploring Wazuh’s capabilities can begin.


Conclusion

In this second part of my Wazuh series, I installed Wazuh and got the core components on Ubuntu server up and running. I took a tour of the dashboard interface to understand how to navigate and monitor the system. I also configured some key capabilities of Wazuh like file integrity monitoring, active response, and vulnerability scanning to enhance security and detection.

With the foundation laid, I am now ready to deploy agents and see these capabilities in action. Wazuh is now set up and waiting to start ingesting and analyzing data from endpoints.


In part 3, I will be creating a Windows VM and dive into deploying and managing agents across both Ubuntu and Windows devices; ready for exploring the capabilities of Wazuh.

Thanks for reading!

See you on to the next part.


References

Wazuh Documentation

HackerSploit
