SEC‐350 Lab 3.2 ‐ Wazuh - Snowboundport37/champlain GitHub Wiki

# **Tech Journal - Lab 3.2 Wazuh**

## **Overview**
In this lab, I set up a Wazuh Security Information and Event Management (SIEM) server, deployed a Wazuh agent on `web01`, and tested event logging capabilities. The lab involved:
- Installing Wazuh on the designated server (`172.16.200.10`).
- Registering `web01` (`172.16.50.3`) as an agent.
- Simulating a failed SSH login to generate a security event.
- Analyzing the event in the Wazuh dashboard.
- Documenting the process in a **Tech Journal**.

---

## **Step 1: Installing Wazuh on the Server (`172.16.200.10`)**
### **Installation Command:**
```bash
curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i

The -i flag bypasses minimum hardware requirements (2 CPU / 4GB RAM).
The installation generates a random admin password for Wazuh Web UI login.
The Wazuh dashboard is accessible at:
```
https://172.16.200.10
```

Verifying Wazuh Services:

sudo systemctl status wazuh-manager
sudo systemctl status wazuh-dashboard

If services are not running:

sudo systemctl start wazuh-manager
sudo systemctl start wazuh-dashboard

Step 2: Accessing the Wazuh Dashboard from mgmt01

Open a web browser on mgmt01.
Navigate to https://172.16.200.10.
Log in with admin credentials.

📸 Deliverable 1: Screenshot of the Wazuh dashboard accessed from mgmt01.

Step 3: Deploying Wazuh Agent on `web01`

1. Creating an Agent Group in Wazuh

In the Wazuh Web UI, go to "Groups" → Create a new group named linux.

2. Registering `web01` as an Agent

Navigate to "Agents" → "Add new agent".
Fill in:
- OS: RedHat/CentOS (Rocky 8 Compatible)
- Version: CentOS 6 or higher
- Architecture: x86_64
- Agent IP: 172.16.50.3
- Group: linux
Click Save and copy the generated installation command.

3. Installing the Agent on `web01`

SSH into web01:
```
ssh [email protected]
```
Run the copied installation command.

Enable and start the agent:

sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Verify the agent is running:
```
sudo systemctl status wazuh-agent
```

4. Confirming Agent Registration

In Wazuh UI, go to "Agents".
Verify web01 appears as connected.

📸 Deliverable 2: Screenshot of web01 registered in Wazuh.

Step 4: Simulating a Security Event

1. Performing a Failed SSH Attempt

From mgmt01, attempt to log in to web01 using an invalid user:

ssh [email protected]

This should fail and generate an authentication error in Wazuh.

2. Searching for the Security Event in Wazuh

In Wazuh Web UI, navigate to "Security Events".
Search for:
```
Authentication failure
```
Locate the failed SSH login event.

📸 Deliverable 3: Screenshot of Wazuh showing the SSH login failure event.

Step 5: Tech Journal Documentation (GitHub Wiki)

1. Documenting the Wazuh Setup

Installation steps for Wazuh server (172.16.200.10).
Agent installation on web01 (172.16.50.3).
How to search for security events in Wazuh.

2. Exploring Wazuh Agent Logs

Agent logs are stored in:
```
/var/ossec/logs/ossec.log
```
Configurations are found in:
```
/var/ossec/etc/ossec.conf
```

📸 Deliverable 4: Link to GitHub Wiki documentation covering the lab.

✅ Final Checklist

✅ Wazuh server installed and accessible at 172.16.200.10.
✅ Wazuh dashboard accessed from mgmt01.
✅ Wazuh agent installed on web01 (172.16.50.3).
✅ Failed SSH login event detected in Wazuh.
✅ Tech Journal article created and uploaded to GitHub.

🚀 Lab 3.2 - Wazuh Successfully Completed!