You've seen what a centralized syslog server can do in terms of receipt and organization of log files from across the enterprise. In this new lab, we are going to experiment with a far more modern logging system called Wazuh. Wazuh is one of several ELK based SIEMs. We are using this one because of the relatively ease of installation as well as functionality. Unlike a traditionally syslog client and server, Wazuh allows us to install agents on supported systems. Agents can refine that information sent to their SIEM for streamlined analysis.

Installation

For a single node installation on wazuh, run the following command on your wazuh server.

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i

(NOTE: added -i to ignore minimum requirements of 2CPU and 4 GB RAM

It's a good idea to look at these remote installers before blindly run them through sudo. Take note of your admin password, put it in a password manager for now. It is read only and will require modifications to the configuration later to change it. Don't complain if you lose it.

NOTE: Takes a while for the server to run - at the end you should see something like: “You can access the web interface https:// User: admin Password: Make note of this!

You can then log into the Wazuh web dashboard from a browser tab on mgmt01

Deliverable 1.

A screenshot that clearly shows your wazuh server as accessed via mgmt01 similar to the one below

---

Wazuh/OSSEC Agent on web01

Find the groups screen in Wazuh, create a new group called linux Find the agents screen in Wazuh, Deploy a new agent with the following configuration. Redhat/CentoS CentOS 6 or higher (Note, it will work on rocky 8) x86_64 172.16.200.10 Linux This will give you the syntax for a command that you can run on Web01 to install the agent

Run the command on your web01 server Use the systemctl commands provided by Wazuh to Start the Wazuh agent on web01

Deliverable 2.

Provide a wazuh screenshot that shows the registered agent on web01

Deliverable 3.

Attempt an ssh login using an invalid user on web01 similar to the screenshot below. Search web01's wazuh security events until you find the associated event.