Enable SIEM in Non-Default Infrastructure - Pratiksha-Marane/duplo-docs GitHub Wiki


Enable SIEM in Non-Default Infrastructure

1. Create a Tenant with Compliance Plan

  1. Navigate to Tenants:
    • Go to the Tenant section.
    • Create a new tenant named Compliance.
    • Assign the customer's plan to this tenant.

2. Configure SIEM.svd File

  1. Download the SIEM.svd file from the following GitHub link: SIEM.svd
  2. Update the placeholders in the file:
    • Compliance Tenant ID: The ID of the Compliance tenant created in step 1.
    • Plan Certificate ID: Provide the certificate ID.
    • AMI ID: Provide the AMI ID.
    • Plan DNS: Add DNS details.
    • SIEM Push URL: Retrieve from StatusCake.

3. Add the SIEM.svd File

  1. Navigate to System Settings:
    • Go to System Settings → Service Description → Add.
    • Upload the SIEM.svd file.

4. Add OSSEC Agent

  1. Download the OSSEC Agent from this link: OSSEC Agent
  2. Navigate to System Settings:
    • Go to System Settings → Templates → Add Template.
    • Upload the OSSEC agent template.
  3. Allow the agent to be deployed in the tenant:
    • In the tenant, go to Security.
    • Add the flag can_deploy_cluster_wide_daemonset and set it to true (the agent runs as a cluster-wide DaemonSet, which the tenant must explicitly permit).

5. Deploy Wazuh Agent

  1. Navigate to Security:
    • Go to Agents → Deploy Agent.
  2. Fill in the following information:
    • Agent Name: wazuh-agent
    • Infrastructure: the infra where the SIEM is deployed.
    • Host/Tenant: Select the tenant.
    • Deployment Type: k8s daemonset
    • Deployment Template: wazuh-agent
    • Master IP: Provide the SIEM master IP.

6. Create a Load Balancer for SIEM

  1. Navigate to Docker:
    • Go to Docker → Services → SIEM → Create Load Balancer.
  2. Configure the Load Balancer:
    • Type: network
    • Container Port: 1514
    • External Port: 1514
    • Visibility: public
    • Application Mode: native app
  3. Add the Load Balancer.

7. Add Listener for the Load Balancer

  1. Configure Listener:
    • Type: network lb
    • Container Port: 55000
    • External Port: 55000
    • Visibility: public
    • Application Mode: native

8. Open the SIEM Ports in the AWS Console

  1. In the AWS console, go to the Load Balancer created in step 6:
    • Open its security groups.
    • Add inbound Security Group rules:
      • Port 1514 — agent communication port; source = NAT IP of the infra where the SIEM is deployed, plus the NAT IP of every other infra that will run agents (for example the prod infra in step 9).
      • Port 55000 — Wazuh master (Wazuh API); source = the same NAT IPs.
  2. The load balancer is public, so these source restrictions are the only thing keeping the agent and API ports off the open internet: never use 0.0.0.0/0 as a source, and remove any default rule that does.
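A check for the security-group rules on the SIEM load balancer, added here as an example; it is not part of this runbook, of DuploCloud, or of Wazuh. It takes the `IpPermissions` list of one security group in the shape that `boto3`'s `describe_security_groups` returns, flags any rule that exposes 1514 or 55000 to the world or to a source other than the expected NAT IPs, and reports a port that has no rule at all. The sample rules and the NAT IPs (203.0.113.10 and 203.0.113.20) are constructed placeholders so the script runs offline; `tcp_reachable` is for confirming, from a node inside an agent infra, that both ports answer once the rules are in place.

```python
"""Audit the security-group rules on the SIEM load balancer.

Added example for this runbook (not DuploCloud or Wazuh code). The ports
are the two the runbook opens on the public NLB: 1514 for Wazuh agent
traffic and 55000 for the Wazuh API.
"""
import ipaddress
import socket

# Ports the runbook opens on the SIEM load balancer.
SIEM_PORTS = {1514: "Wazuh agent traffic", 55000: "Wazuh API"}


def audit_siem_rules(ip_permissions, allowed_nat_ips):
    """Return a list of findings; an empty list means the rules match policy.

    ip_permissions: the `IpPermissions` list of one security group, as
        returned by boto3's describe_security_groups.
    allowed_nat_ips: NAT egress IPs of every infra that hosts agents
        (placeholders in the sample; substitute the real NAT IPs).
    """
    allowed = {ipaddress.ip_network(f"{ip}/32") for ip in allowed_nat_ips}
    findings = []
    seen_ports = set()
    for perm in ip_permissions:
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol "-1" (all traffic) has no port range and covers every port.
        if perm.get("IpProtocol") == "-1" or lo is None:
            covered = set(SIEM_PORTS)
        else:
            covered = {p for p in SIEM_PORTS if lo <= p <= hi}
        if not covered:
            continue
        seen_ports |= covered
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append(
                    f"port(s) {sorted(covered)} open to the world via {cidr}")
            elif net not in allowed:
                findings.append(
                    f"port(s) {sorted(covered)} open to unexpected source {cidr}")
    for port, purpose in SIEM_PORTS.items():
        if port not in seen_ports:
            findings.append(f"no rule for port {port} ({purpose})")
    return findings


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout.

    Run from a node inside the agent infra against the SIEM DNS name to
    confirm the NAT IP was allowed correctly.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: the intended 1514 rule plus a common mistake, the
# API port left open to the world.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 1514, "ToPort": 1514,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.20/32"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 55000, "ToPort": 55000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
# Placeholder NAT IPs for the compliance infra and the prod infra.
SAMPLE_NAT_IPS = ["203.0.113.10", "203.0.113.20"]

if __name__ == "__main__":
    for line in audit_siem_rules(SAMPLE_PERMISSIONS, SAMPLE_NAT_IPS) or ["rules match policy"]:
        print(line)
```

With real data, pass `describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]` as the first argument; a finding on 0.0.0.0/0 should block the rollout until the rule is tightened to the NAT IPs.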

9. Deploy Agent in Another Infrastructure

  1. Go to Agents:
    • Navigate to Agents → Deploy Agent.
  2. Fill in the following information:
    • Agent Name: wazuh-agent
    • Infrastructure: prod
    • Host/Tenant: Select the tenant.
    • Deployment Type: k8s daemonset
    • Deployment Template: wazuh-agent
    • Master IP: Provide the SIEM DNS name, in the form siem-compliance.{envname}.{region}.
  3. In the tenant, go to Security and add the flag can_deploy_cluster_wide_daemonset set to true, as in step 4.

10. Verify SIEM Dashboard

After agent deployment, open the SIEM dashboard and confirm that it is up and that the newly deployed agents are listed as active.


Recording

SIEM in Non-default Infrastructure

Passcode: Vh!a!3Y6