Milestone 8: SIEM Installation - squatchulator/Tech-Journal GitHub Wiki
Milestone 8: SIEM Installation
Worked on this project collaboratively with:
Miles Campbell, David Thomsen, Jacob Mayotte, Maxwell Berry, and Benji Gifford
Updated code here
- To get Wazuh deployed on a remote system, we need to do some prep first. Download the CentOS 7 2009 Minimal ISO from the CentOS official website and upload it to your ESXi.
- Once finished, create 2 new VMs; one called `Wazuh-01` and one called `Wks-01`. Give them some pretty standard specs and put them on the Blue network.
- Boot and run through the installer on both. Prep them with a new admin user named `deployer`, set their alternate DNS to 1.1.1.1, and perform a `yum update` on both. Once this finishes, take a snapshot called `Base`.
- Head over to `xubuntu-wan` and go into your Ansible directory. Create 3 new files: one needs to be a new inventory file called `wazuh-inv.txt`, and the other 2 need to be in the Ansible directory and named `wazuh-agent.yml` and `wazuh-install.yml`. Your directory structure should look something like this:
- Edit the inventory file and place in the following. These will be the variables for our Ansible endpoints:

```ini
# ansible_user (rather than the deprecated ansible_ssh_user alias) so that
# {{ ansible_user }} in the playbooks resolves to the login user.
[wazuh_servers]
<your server IP> ansible_user=deployer

[wazuh_agents]
<your agent IP> ansible_user=deployer
```
- Now go into the `wazuh-install.yml` file. Add in the following to it:
```yaml
- name: Wazuh Configuration
  hosts: wazuh_servers
  tasks:
    - name: Downloading The Wazuh Server Script
      ansible.builtin.shell:
        chdir: /home/{{ ansible_user }}/
        cmd: curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh

    - name: Allow port 443, 1514, 1515, 55000 through firewalld
      become: yes
      shell: firewall-cmd --permanent --add-port=443/tcp && firewall-cmd --permanent --add-port=1514/tcp && firewall-cmd --permanent --add-port=1515/tcp && firewall-cmd --permanent --add-port=55000/tcp && firewall-cmd --reload

    - name: Run Wazuh Server Script
      become: yes
      ansible.builtin.shell:
        cmd: bash ./wazuh-install.sh -a -i
        chdir: /home/{{ ansible_user }}/

    - name: Start and Enable Wazuh Indexer
      shell: systemctl enable wazuh-indexer-performance-analyzer && systemctl start wazuh-indexer-performance-analyzer
      become: true

    - name: Output Password
      # Prints every generated credential (admin included) into the task output,
      # which is why the playbook is run with -vvv below. Treat that console output
      # and any Ansible log file as sensitive.
      shell: tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
      args:
        chdir: /home/{{ ansible_user }}/
      become: true

    - name: Bounce The Box
      # "restart -r" is not a Linux command; shutdown -r now reboots the host.
      # async/poll let the play finish before the SSH session drops.
      shell: "sleep 5 && shutdown -r now"
      become: yes
      async: 1
      poll: 0
```
- Add the following into `wazuh-agent.yml`:
```yaml
- name: Wazuh Agent Configuration
  hosts: wazuh_agents
  become: true
  tasks:
    - name: Install Wazuh agent package
      yum:
        name: "https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.11-1.x86_64.rpm"
        state: present
      # The RPM's post-install script reads these variables to point the agent at the manager.
      environment:
        WAZUH_MANAGER: "10.0.5.83"
        WAZUH_AGENT_GROUP: "default"

    - name: Allow port 1514, 1515, 55000 through firewalld
      # The agent initiates its connections outbound to the manager (1514 events,
      # 1515 enrollment), so these inbound rules are broader than strictly needed.
      become: yes
      shell: firewall-cmd --permanent --add-port=1514/tcp && firewall-cmd --permanent --add-port=1515/tcp && firewall-cmd --permanent --add-port=55000/tcp && firewall-cmd --reload

    - name: Enable and Start Wazuh Agent
      become: yes
      shell: systemctl enable wazuh-agent && systemctl start wazuh-agent

    - name: Bounce The Box
      # "restart -r" is not a Linux command; shutdown -r now reboots the host.
      shell: "sleep 5 && shutdown -r now"
      become: yes
      async: 1
      poll: 0
```
- Now go into the directory that Ansible is located in. Run the following command to get the server installed:

```bash
ansible-playbook -i ansible/inventory/wazuh-inv.txt --ask-pass ansible/wazuh-install.yml -K -vvv
```
- Copy the password for the `admin` user that is displayed, and go into a GUI box on the Blue network (worst case you can just switch one real fast). Navigate to your server's IP address and enter the username and password when prompted. If everything goes well, you should be in!
- Now to get the agent going, run this command:

```bash
ansible-playbook -i ansible/inventory/wazuh-inv.txt --ask-pass ansible/wazuh-agent.yml -K -vvvv
```
- At this point, you should just be able to go into Wazuh and see your agent there. Explore a bit and look for logs and whatnot!
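Before poking around the dashboard, it is worth confirming from `Wks-01` (or `xubuntu-wan`) that the manager ports the firewalld task opened are actually reachable, since a silent agent is most often a firewall or service problem. This is an added check, not part of the original journal; it defaults to the manager address used in the agent playbook and takes a different host as its first argument.

```python
"""Post-deploy reachability check for the Wazuh manager ports opened by the
wazuh-install playbook. Added example, not part of the original journal."""
import socket
import sys

# Ports the server playbook opens in firewalld, and what each one serves.
WAZUH_MANAGER_PORTS = {
    443: "dashboard (HTTPS)",
    1514: "agent events",
    1515: "agent enrollment",
    55000: "manager API",
}


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, ...
        return False


def check_manager(host: str, ports=WAZUH_MANAGER_PORTS, timeout: float = 2.0) -> dict:
    """Map each port to its reachability. A False result usually means the
    firewalld rule was not applied or reloaded, or the service is not running."""
    return {port: port_open(host, port, timeout) for port in ports}


def report(results: dict, ports=WAZUH_MANAGER_PORTS) -> list:
    """One human-readable line per port, sorted by port number."""
    return [
        f"{port:>5} ({ports.get(port, '?')}): {'open' if ok else 'CLOSED'}"
        for port, ok in sorted(results.items())
    ]


if __name__ == "__main__":
    # Manager IP from the agent playbook; override with the first CLI argument.
    manager = sys.argv[1] if len(sys.argv) > 1 else "10.0.5.83"
    print("\n".join(report(check_manager(manager))))
```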