Lab 3 2: Wazuh - ItsMmmike/SEC-350 GitHub Wiki
Wazuh
Purpose:
- In this lab, we configure a new Wazuh SIEM (Security Information and Event Management) server on our Jump VM, which will replace the decommissioned Log01 server for monitoring security events on the network.
Materials:
- Jump/"Wazuh" (Ubuntu Server VM)
- Web01 (Rocky VM)
- Mgmt01 (Xubuntu VM)
Working Notes/Documentation:
Install Docker + Docker Compose
In order to run Wazuh in a docker container, we must first prepare our Jump Host Server to run Docker Containers w/ Docker Compose
# Increase Host Mapped Area (Needed for Wazuh Indexer to work properly)
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf ## Makes config permanent for system restarts (a plain "sudo echo ... >>" would perform the redirect as the unprivileged user and fail)
# Install Docker via installer Script
curl -sSL https://get.docker.com/ | sudo sh
sudo systemctl start docker
sudo systemctl enable docker ## Allows Docker to reload on startup
## Verify successful Docker install ("docker status" is not a docker command)
sudo systemctl status docker
sudo docker info
# Install the Docker Compose v2 standalone binary
sudo curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
## Update Docker Compose Permissions
sudo chmod +x /usr/local/bin/docker-compose
## Verify Docker-Compose install
sudo docker-compose --version
Install Wazuh Server (Docker)
For this environment, I will be using the Wazuh v4.7.5 Single-Node Server Install as this had worked best given the limited resources on the "Jump" VM
# Clone the Wazuh Server v4.7.5 git repo/docker files onto the local system
sudo git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.5
# Navigate to the single node docker compose file location (cd is a shell builtin, so it must run without sudo)
cd ./wazuh-docker/single-node/
# Generate certs for Wazuh Docker Services
sudo docker-compose -f generate-indexer-certs.yml run --rm generator
# Start Docker Compose containers for Wazuh Server
sudo docker-compose up -d ## Runs docker compose as a background task
## Verify that the Wazuh containers are up and healthy
sudo docker-compose ps
## View Logs/Status of a Wazuh service in Docker Compose (services are wazuh.manager, wazuh.indexer and wazuh.dashboard)
sudo docker-compose logs <wazuh.service-name-here>
===
Additional Resources:
Alternate Install (Auto-Installation Script Method)
# Installs Wazuh Server v4.7.5 via bash shell script (-a all-in-one, -i ignore hardware requirement checks, -o overwrite an existing install)
sudo curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i -o
Verify Wazuh Service Functionality
Note: It may take a minute or two for the Wazuh Dashboard to fully boot up. Once we've installed our Wazuh Server on the Jump VM, we can verify its functionality by browsing to the Jump VM's IP at
https://<jump-vm-IP-goes-here>
Screenshot of me successfully browsing to the newly configured Wazuh Server on WKS01.
In order to log in to the Wazuh Dashboard, the default creds should be admin and SecretPassword
- These credentials can be changed by modifying the yaml file located at ./wazuh-docker/single-node/config/wazuh-dashboard/wazuh.yml
Screenshot of me accessing the Wazuh Dashboard via web browser on WKS01.
Configuring Wazuh Agent
In order to monitor security logs and events on a given system, we must first install a Wazuh agent onto the target system, which allows the Wazuh dashboard to receive that system's log updates. To do this, first log into your Wazuh Dashboard and navigate to the "Groups" screen.
From here, create a new group labeled "Linux".
Under the "Agents" screen, deploy a new agent with the following configuration settings:
- Specified RedHat/CentOS (x86_64)
- Wazuh Server Address = 172.16.200.10
- Add Agent to "Linux" Group
The generated agent install command should look similar to the one below:
Screenshot of my generated Wazuh Agent Installer Command
From here, the following commands will need to be run on the target system in order for the Agent to be fully configured on Web01:
# Install Wazuh Agent onto system (WAZUH_MANAGER points the agent at the Jump/Wazuh server; the downloaded filename must match the one passed to rpm)
curl -o wazuh-agent-4.7.5-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.5-1.x86_64.rpm && sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='Linux' rpm -ihv wazuh-agent-4.7.5-1.x86_64.rpm
# Start/Enable Wazuh Agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
[!Warning]
It is recommended to run the Wazuh Agent installer as an admin user rather than as root, since installing as root can lead to issues with logs not appearing properly in the Wazuh Dashboard.
Screenshot of the new agent appearing under the Wazuh Dashboard
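As an added example (not part of this lab or of the Wazuh project), the script below triages the alerts the manager writes to /var/ossec/logs/alerts/alerts.json (inside the wazuh.manager container in the Docker deployment) for the same sshd invalid-user event that Deliverable 3 captures, per agent and per source IP. The sample alert lines, the IPs and the second agent name are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample of alerts.json lines (one JSON object per line), plus a
# blank line and a truncated line as seen while the manager is still writing.
# Rule 5710 is Wazuh's stock "non-existent user" sshd rule; agent names and
# IPs here are made up for the example.
SAMPLE_ALERTS = """
{"timestamp":"2024-04-01T12:00:01.000+0000","rule":{"id":"5710","level":5,"groups":["syslog","sshd","invalid_login","authentication_failed"],"description":"sshd: Attempt to login using a non-existent user"},"agent":{"id":"001","name":"web01-michael"},"data":{"srcip":"172.16.200.20","srcuser":"nosuchuser"}}
{"timestamp":"2024-04-01T12:00:07.000+0000","rule":{"id":"5710","level":5,"groups":["syslog","sshd","invalid_login","authentication_failed"],"description":"sshd: Attempt to login using a non-existent user"},"agent":{"id":"001","name":"web01-michael"},"data":{"srcip":"172.16.200.20","srcuser":"oracle"}}
{"timestamp":"2024-04-01T12:01:00.000+0000","rule":{"id":"5715","level":3,"groups":["syslog","sshd","authentication_success"],"description":"sshd: authentication success."},"agent":{"id":"001","name":"web01-michael"},"data":{"srcip":"172.16.200.30","srcuser":"michael"}}
{"timestamp":"2024-04-01T12:02:00.000+0000","rule":{"id":"5710","level":5,"groups":["syslog","sshd","invalid_login","authentication_failed"],"description":"sshd: Attempt to login using a non-existent user"},"agent":{"id":"002","name":"mgmt01-michael"},"data":{"srcip":"10.0.0.5","srcuser":"test"}}
{"timestamp":"2024-04-01T12:03:00.000+0000","rule":{"id":"5710"
"""

def parse_alerts(text):
    """Yield one alert dict per line; skip blank and partial (unparseable) lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line: the manager has not finished writing it

def invalid_user_logins(text, agent_name=None):
    """Return sshd invalid-user alerts, optionally only for one agent name.

    Filtering on rule groups (not the rule id) also catches custom rules
    that reuse the stock groups.
    """
    hits = []
    for alert in parse_alerts(text):
        groups = set(alert.get("rule", {}).get("groups", []))
        if "sshd" in groups and "invalid_login" in groups:
            if agent_name is None or alert.get("agent", {}).get("name") == agent_name:
                hits.append(alert)
    return hits

def attempts_by_source(alerts):
    """Count invalid-user attempts per source IP."""
    return Counter(a.get("data", {}).get("srcip", "unknown") for a in alerts)

if __name__ == "__main__":
    web01 = invalid_user_logins(SAMPLE_ALERTS, "web01-michael")
    for ip, n in attempts_by_source(web01).most_common():
        print(f"{ip}: {n} invalid-user ssh attempt(s) against web01-michael")
```

Point `SAMPLE_ALERTS` at the real file contents (for example, `sudo docker-compose exec wazuh.manager cat /var/ossec/logs/alerts/alerts.json`) to run the same triage against the live manager.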
===
Deliverables:
Deliverable 1:
Figure 1: Screenshot of me successfully browsing to my Wazuh Server Dashboard using my Mgmt01 VM.
Deliverable 2:
Figure 2: Screenshot of my Wazuh Dashboard showing a successfully registered Wazuh agent for my “web01-michael” VM.
Deliverable 3:
Figure 3: Screenshot of me viewing the Security Events for my “web01-michael” Wazuh Agent, showing a successful log capture for a ssh login using an invalid user.