Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:
- File integrity monitoring
Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
- Intrusion and anomaly detection
Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
- Automated log analysis
Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage. The Wazuh rules help make you aware of application or system errors, misconfigurations, attempted and/or successful malicious activities, policy violations and a variety of other security and operational issues.
- Policy and compliance monitoring
Wazuh monitors configuration files to ensure they are compliant with your security policies, standards and/or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.
This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack into a unified solution and simplifying their configuration and management.
Execute the following commands to install and configure Wazuh:
- apt-get update
- apt-get install curl apt-transport-https lsb-release gnupg2
- curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
- echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- apt-get update
- apt-get install wazuh-manager
- systemctl status wazuh-manager
- curl -sL https://deb.nodesource.com/setup_8.x | bash -
- apt-get install gcc g++ make
- apt-get install -y nodejs
- curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
- echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
- sudo apt-get update && sudo apt-get install yarn
- apt-get install nodejs
- apt-get install wazuh-api
- systemctl status wazuh-api
- sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
- apt-get update
- curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
- echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
- apt-get update
- apt-get install filebeat
- curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.3/extensions/filebeat/6.x/filebeat.yml
- Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Logstash server.
- apt search elasticsearch
- apt-get install elasticsearch
- systemctl daemon-reload
- systemctl enable elasticsearch.service
- systemctl start elasticsearch.service
- curl https://raw.githubusercontent.com/wazuh/wazuh/v3.9.3/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
- curl -X PUT "http://localhost:9200/*/_settings?pretty" -H 'Content-Type: application/json' -d'
  {
    "settings": {
      "number_of_replicas" : 0
    }
  }
  '
- sed -i 's/#bootstrap.memory_lock: true/bootstrap.memory_lock: true/' /etc/elasticsearch/elasticsearch.yml
- sed -i 's/^-Xms.*/-Xms12g/;s/^-Xmx.*/-Xmx12g/' /etc/elasticsearch/jvm.options
- mkdir -p /etc/systemd/system/elasticsearch.service.d/
- echo -e "[Service]\nLimitMEMLOCK=infinity" > /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
- systemctl daemon-reload
- systemctl restart elasticsearch
- apt-get install logstash
- curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/logstash/6.x/01-wazuh-local.conf
- systemctl daemon-reload
- systemctl enable logstash.service
- systemctl start logstash.service
- systemctl status filebeat
- systemctl start filebeat
- apt-get install kibana
- export NODE_OPTIONS="--max-old-space-size=3072"
- sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.3_6.8.1.zip
- Kibana will only listen on the loopback interface (localhost) by default. To set up Kibana to listen on all interfaces, edit the file /etc/kibana/kibana.yml, uncomment the setting server.host and change its value to: server.host: "0.0.0.0"
- systemctl enable kibana.service
- systemctl start kibana.service
- cd /var/ossec/api/configuration/auth
- Create a username and password for the Wazuh API. When prompted, enter the password: node htpasswd -c user admin
- systemctl restart wazuh-api
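The hand edits in the steps above (the Logstash host in filebeat.yml, bootstrap.memory_lock and the JVM heap for Elasticsearch, server.host in kibana.yml, and commenting out the Wazuh repository) are easy to apply twice or to leave half done. The script below is an added example, not part of this tutorial or of the Wazuh project: each helper rewrites one setting idempotently, writes through the existing file so its owner and mode survive, and verifies the result before returning non-zero or zero. The /etc paths, the 12g heap and the 0.0.0.0 bind address are taken from the steps above; the file name wazuh-post-install.sh and the sample host names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: idempotent, self-checking versions of the manual config edits in the
# Wazuh 3.9.3 / Elastic 6.8 walkthrough above. Not Wazuh project code.
# Every helper takes the file as its first argument, so it can be tried on a copy first.
set -eu

# Replace FILE with the contents of FILE.tmp in place (keeps inode, owner and mode).
commit_tmp() {
  cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# set_yaml_key FILE KEY VALUE
# Leaves exactly one active "KEY: VALUE" line: the first commented or active KEY line is
# rewritten, later copies are dropped, and the line is appended if KEY is absent.
# Meant for the flat, top-level keys in elasticsearch.yml and kibana.yml
# (bootstrap.memory_lock, server.host); it does not understand nested YAML.
set_yaml_key() {
  local file=$1 key=$2 value=$3
  awk -v key="$key" -v value="$value" '
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)                # strip indent and one leading "#"
      if (index(line, key ":") == 1) {
        if (!done) { print key ": " value; done = 1 } # first hit becomes the active line
        next                                          # remaining hits are dropped
      }
      print
    }
    END { if (!done) print key ": " value }           # key never seen: append it
  ' "$file" > "$file.tmp"
  commit_tmp "$file"
  [ "$(grep -Fxc -e "$key: $value" "$file")" -eq 1 ] || return 1
}

# set_jvm_heap FILE SIZE   e.g. set_jvm_heap /etc/elasticsearch/jvm.options 12g
# Sets -Xms and -Xmx to the same SIZE (the walkthrough uses 12g); rejects sizes without g/m.
set_jvm_heap() {
  local file=$1 size=$2 num=${2%[gGmM]}
  case $num in ''|*[!0-9]*) echo "set_jvm_heap: bad size '$size'" >&2; return 1;; esac
  [ "$num" != "$size" ] || { echo "set_jvm_heap: '$size' needs a g or m suffix" >&2; return 1; }
  sed -e "s/^-Xms.*/-Xms${size}/" -e "s/^-Xmx.*/-Xmx${size}/" "$file" > "$file.tmp"
  commit_tmp "$file"
  [ "$(grep -Fxc -e "-Xms${size}" "$file")" -eq 1 ] || return 1
  [ "$(grep -Fxc -e "-Xmx${size}" "$file")" -eq 1 ] || return 1
}

# set_filebeat_logstash_host FILE HOST
# Replaces the YOUR_ELASTIC_SERVER_IP placeholder in the downloaded filebeat.yml.
set_filebeat_logstash_host() {
  local file=$1 host=$2
  # Only hostname/IPv4 characters, so HOST cannot smuggle sed syntax into the expression.
  case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host '$host'" >&2; return 1;; esac
  sed -e "s/YOUR_ELASTIC_SERVER_IP/${host}/g" "$file" > "$file.tmp"
  commit_tmp "$file"
  grep -Fq "$host" "$file" || return 1
  ! grep -q YOUR_ELASTIC_SERVER_IP "$file"            # placeholder must be gone
}

# disable_repo FILE: comment out every "deb" line, as the walkthrough does after installing.
disable_repo() {
  local file=$1
  sed -e 's/^deb/#deb/' "$file" > "$file.tmp"
  commit_tmp "$file"
  ! grep -q '^deb' "$file"
}

# Usage (as root, after the packages above are installed):
#   ./wazuh-post-install.sh apply LOGSTASH_HOST
if [ "${1:-}" = apply ]; then
  set_yaml_key /etc/elasticsearch/elasticsearch.yml bootstrap.memory_lock true
  set_jvm_heap /etc/elasticsearch/jvm.options 12g
  set_yaml_key /etc/kibana/kibana.yml server.host '"0.0.0.0"'   # binds Kibana on every interface, as the walkthrough does
  set_filebeat_logstash_host /etc/filebeat/filebeat.yml "${2:?LOGSTASH_HOST required}"
  disable_repo /etc/apt/sources.list.d/wazuh.list
  echo "config edits applied; now: systemctl daemon-reload && systemctl restart elasticsearch kibana filebeat"
fi
```

Run it once against copies of the four files to see the resulting lines, then with `apply` against /etc. Each helper exits non-zero if the file does not end up in the expected state, so the script stops at the first edit that did not take instead of silently continuing to the service restarts.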
Then, on the agent machine, execute the following commands:
- apt-get install curl apt-transport-https lsb-release gnupg2
- curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
- echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
- apt-get update
- You can automate the agent registration and configuration using variables. It is necessary to define at least the variable WAZUH_MANAGER_IP. The agent will use this value to register, and it will be the assigned manager for forwarding events: WAZUH_MANAGER_IP="10.0.0.2" apt-get install wazuh-agent
- sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
- apt-get update
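The registration step above only works if WAZUH_MANAGER_IP holds a value the agent can actually use. The script below is an added example, not Wazuh's own tooling: it wraps the agent commands so they refuse to run without a plausible IPv4 address or hostname in that variable, and afterwards reads the <address> element under <client><server> in the agent's /var/ossec/etc/ossec.conf, which is where the installer writes the manager, to confirm the agent points where intended. The file name install-agent.sh and the sample configuration used in the checks are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Wazuh project code): a guarded version of the agent install above.
# Refuses to run unless WAZUH_MANAGER_IP holds a plausible IPv4 address or hostname,
# and checks afterwards that the agent's ossec.conf really points at that manager.
set -eu

# valid_ipv4 ADDR: four dot-separated numbers, each 0..255.
valid_ipv4() {
  local ip=$1 n octets=0 IFS=.
  case $ip in ''|*[!0-9.]*) return 1;; esac
  for n in $ip; do
    octets=$((octets + 1))
    [ -n "$n" ] && [ "$n" -le 255 ] || return 1
  done
  [ "$octets" -eq 4 ]
}

# valid_hostname NAME: letters, digits, dots and hyphens; no empty labels, no leading hyphen.
valid_hostname() {
  case $1 in ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1;; esac
}

# valid_manager_address ADDR: what WAZUH_MANAGER_IP may contain.
valid_manager_address() {
  valid_ipv4 "$1" || valid_hostname "$1"
}

# configured_manager OSSEC_CONF: the <address> the installed agent was pointed at.
# The deployment variable ends up in <client><server><address> of /var/ossec/etc/ossec.conf.
configured_manager() {
  sed -n 's/.*<address>\(.*\)<\/address>.*/\1/p' "$1" | head -n 1
}

# install_wazuh_agent: the apt steps above with pre- and post-checks. Needs root and network.
install_wazuh_agent() {
  local manager=${WAZUH_MANAGER_IP:-} conf=/var/ossec/etc/ossec.conf
  if ! valid_manager_address "$manager"; then
    echo "install_wazuh_agent: WAZUH_MANAGER_IP='$manager' is not an IPv4 address or hostname" >&2
    return 1
  fi
  apt-get update
  WAZUH_MANAGER_IP="$manager" apt-get install -y wazuh-agent
  sed -i 's/^deb/#deb/' /etc/apt/sources.list.d/wazuh.list   # freeze the repo, as above
  apt-get update
  if [ "$(configured_manager "$conf")" != "$manager" ]; then
    echo "install_wazuh_agent: $conf does not point at $manager" >&2
    return 1
  fi
  systemctl status wazuh-agent --no-pager
}

# Run directly:  WAZUH_MANAGER_IP=10.0.0.2 ./install-agent.sh run
if [ "${1:-}" = run ]; then
  install_wazuh_agent
fi
```

The validation is deliberately strict about characters because the variable is handed to the package's post-install script and written into an XML file; a value with spaces or markup would register nothing useful and is better rejected before apt runs.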
In this section, we'll register the Wazuh API (installed on the Wazuh server) into the Wazuh App in Kibana:
- Open a web browser and go to the Elastic Stack server's IP address on port 5601 (the default Kibana port). Then, from the left menu, go to the Wazuh App.
- Click on Add new API.