Wazuh reference - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

Wazuh reference

This page contains configurations and tips for working with Wazuh.

Table of contents

  1. Installing Wazuh

  2. Group creation

  3. Agent Installation

  4. Config locations

  5. Sources

Installing Wazuh

To install Wazuh onto the logging host, run the following command:

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

This should, after installation, supply you with an admin username and password. If this password is lost, it can be recovered by extracting the file "wazuh-install-files.tar" (which will be in the directory you ran the above command from) and reading the file "wazuh-passwords.txt".
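As an added example (not from the wiki page), a POSIX shell function that performs the recovery just described: it extracts wazuh-passwords.txt from wazuh-install-files.tar into a private temporary directory and prints the password for a given account. It assumes the passwords file pairs `*_username:` and `*_password:` lines as shown in the comments; the tarball used in the demo is constructed with sample values.

```shell
#!/bin/sh
# Recover the Wazuh admin password from wazuh-install-files.tar (added example,
# not from the wiki page). Assumption: inside the archive the passwords file
# lists accounts as paired lines such as
#   indexer_username: 'admin'
#   indexer_password: '<secret>'

# wazuh_admin_password TARBALL [USERNAME] -> prints the password for USERNAME
# (default: admin). Extracts into a mode-700 temp dir that is removed afterwards,
# so the recovered secret is not left world-readable in the working directory.
wazuh_admin_password() {
  tarball="${1:-wazuh-install-files.tar}"
  user="${2:-admin}"
  [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
  tmp="$(mktemp -d)" || return 1
  chmod 700 "$tmp"
  if ! tar -xf "$tarball" -C "$tmp" 2>/dev/null; then
    rm -rf "$tmp"; echo "could not extract $tarball" >&2; return 1
  fi
  pwfile="$(find "$tmp" -type f -name wazuh-passwords.txt | head -n 1)"
  if [ -z "$pwfile" ]; then rm -rf "$tmp"; echo "no wazuh-passwords.txt in $tarball" >&2; return 1; fi
  # Match the *_username line for the requested user, then take the next *_password line.
  pw="$(awk -v u="$user" -v q="'" '
    $1 ~ /_username:$/ { gsub(q, "", $2); want = ($2 == u); next }
    want && $1 ~ /_password:$/ { gsub(q, "", $2); print $2; exit }
  ' "$pwfile")"
  rm -rf "$tmp"
  [ -n "$pw" ] || { echo "no entry for user $user in $tarball" >&2; return 1; }
  printf '%s\n' "$pw"
}

# make_constructed_tarball DIR -> prints the path of a constructed tarball whose
# passwords file mimics the layout above (sample values, not real credentials).
make_constructed_tarball() {
  mkdir -p "$1/wazuh-install-files"
  printf "# Admin user for the web user interface and Wazuh indexer\n  indexer_username: 'admin'\n  indexer_password: 'Constructed.Adm1n'\n\n# Wazuh API user\n  api_username: 'wazuh'\n  api_password: 'Constructed.Ap1'\n" \
    > "$1/wazuh-install-files/wazuh-passwords.txt"
  tar -cf "$1/wazuh-install-files.tar" -C "$1" wazuh-install-files
  printf '%s\n' "$1/wazuh-install-files.tar"
}

# Demo on the constructed tarball (on a real server, point the function at the
# tarball left behind by wazuh-install.sh instead).
demo_dir="$(mktemp -d)"
demo_tar="$(make_constructed_tarball "$demo_dir")"
echo "admin password: $(wazuh_admin_password "$demo_tar")"
echo "API password:   $(wazuh_admin_password "$demo_tar" wazuh)"
rm -rf "$demo_dir"
```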


This install of Wazuh can then be accessed from the web by going to "https://{IP_OF_LOGGING_SERVER}"; for example, if the IP was "172.16.200.10", the address would be "https://172.16.200.10".


Group creation

To create a Wazuh group, use the dropdown to go to Management, then under Administration open Groups.


You can then press "Add new group" to add a new group.


Agent installation

REQUIRES A GROUP

To install a Wazuh agent onto a host, use the dropdown and go to "Agents". If an agent is already deployed, you may need to press "Deploy new agent" first to reach the deployment screen, then follow the steps below.


You would then set the Operating system, Version, Architecture, Wazuh Server IP, and Group. Below is an example for a host with the following specifications:

  1. Rocky Linux OS

  2. Wazuh server IP = 172.16.200.10

  3. Designated group = linux


(ONLY NEED TO SUPPLY STEPS 1-5!!!)

After supplying the needed information, step 6 will supply the commands that need to be run on the host the agent is being installed on (in this case, a server with the IP 172.16.50.3).


After the commands in step 6 are run, run the commands in step 7. Once those have completed, the agents screen will list the newly deployed agent (the previous agents screen can be accessed by pressing "Deploy new agent").


Clicking on an agent (for example "web01-oliver") will then give you the option to view various events related to it.


For example, failed logins can be found under "Security events" > the Events tab, by locating the relevant event.


Config locations

  • Default Wazuh configuration directory: /var/ossec

  • Wazuh main config file location: /var/ossec/etc/ossec.conf

  • Wazuh agent configuration location: /var/ossec/etc/shared/agent.conf

Sources


Can't find something? Look in the Backup Wazuh reference