Lab 3.2 Wazuh - zacharylongo/Tech-Journals GitHub Wiki

Introduction

Wazuh is a free, open-source security monitoring platform that provides intrusion detection, file integrity monitoring, and log analysis. This tech journal walks through installing Wazuh: the server (manager), the firewall rules it needs, and the agent on a monitored host.

Installing the Wazuh Server

Before installing the Wazuh server, update your system and install the packages the repository setup needs. On an Ubuntu system, run the following commands:

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install curl apt-transport-https lsb-release gnupg

Next, add the Wazuh signing key and the Wazuh 3.x repository (the branch this lab uses) to your system. These are two separate commands:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -

echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

Note that apt-key is deprecated on current Ubuntu releases; there you store the downloaded key under /usr/share/keyrings and reference it with a signed-by option in the sources entry instead.

Finally, you can install the Wazuh server by running the following command:

sudo apt-get update && sudo apt-get install wazuh-manager

Configuring the Firewall

The manager receives agent events on port 1514. Allow that port on the server's firewall with the same protocol the agents are configured to use (the protocol element under the client/server block of the agent's ossec.conf; open both tcp and udp if you are unsure). If you enroll agents with wazuh-authd instead of manage_agents, port 1515/tcp must be open as well. On an Ubuntu system, use the following commands; if you administer the server over SSH, allow SSH before enabling ufw, or you will lock yourself out:

sudo ufw allow 1514/tcp

sudo ufw enable

Installing the Wazuh Agent

Install the Wazuh agent on each system you want to monitor. First add the Wazuh repository on that system, as described in the section "Installing the Wazuh Server". Then install the agent with the following command:

sudo apt-get update && sudo apt-get install wazuh-agent

After installation, the agent must be registered with the Wazuh server. Registration uses the same tool on both sides:

sudo /var/ossec/bin/manage_agents

On the manager, choose (A) to add the agent, giving it a name and its IP address, then (E) to extract the agent's key (a base64 string). On the agent, run the same command and choose (I) to import that key. Then set the manager's IP address in the client/server block of the agent's ossec.conf and restart the wazuh-agent service. Treat the exported key as a secret: anyone holding it can send events to the manager as that agent.
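The registration steps above can be scripted instead of driven through the menu. The following is an added example, not code from the lab page or from the Wazuh project: it uses the non-interactive flags of manage_agents (-a/-n to add, -l to list, -e to export, -i to import), checks that an exported key really belongs to the agent before importing it, and rewrites only the address inside the client block of ossec.conf. The manager address 192.168.1.10, the agent name web01 and its address 192.168.1.50 are assumptions, and the sample key at the bottom is constructed so the checks can run on a machine without Wazuh installed. The manager_* and agent_* functions must be run as root on the manager and on the agent respectively.

```shell
#!/bin/sh
# Added example (not from the lab page or the Wazuh project).
# Assumed paths come from the page; assumed hosts: manager 192.168.1.10,
# agent web01 at 192.168.1.50. Run manager_* on the server, agent_* on the host, as root.

MANAGE_AGENTS=/var/ossec/bin/manage_agents
AGENT_CONF=/var/ossec/etc/ossec.conf

# manage_agents -e prints the key as base64 of "ID NAME IP SECRET".
# decode_agent_key KEY -> prints "ID NAME IP" (secret omitted); fails on malformed input.
decode_agent_key() {
    printf '%s' "$1" | base64 -d 2>/dev/null \
        | awk 'NF == 4 { print $1, $2, $3; ok = 1 } END { exit !ok }'
}

# validate_agent_key KEY NAME -> succeeds only if the key was issued for NAME,
# so a key pasted from the wrong manager screen is caught before it is imported.
validate_agent_key() {
    name=$(decode_agent_key "$1" | awk '{ print $2 }')
    [ -n "$name" ] && [ "$name" = "$2" ]
}

# set_manager_address CONF IP -> rewrites <address> inside the <client> block only.
# The file is overwritten in place (cat, not mv) so its owner and mode are preserved.
set_manager_address() {
    tmp=$(mktemp) || return 1
    sed '/<client>/,/<\/client>/ s|<address>[^<]*</address>|<address>'"$2"'</address>|' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_manager_address CONF -> prints the manager address currently in the client block.
get_manager_address() {
    sed -n '/<client>/,/<\/client>/ s|.*<address>\([^<]*\)</address>.*|\1|p' "$1"
}

# --- manager side (wazuh-manager installed) ---
# manager_add_agent NAME IP -> registers the agent and prints its exported key.
manager_add_agent() {
    "$MANAGE_AGENTS" -a "$2" -n "$1" > /dev/null || return 1
    # -l lines look like "   ID: 001, Name: web01, IP: 192.168.1.50"
    id=$("$MANAGE_AGENTS" -l | awk -v n="$1" '$0 ~ "Name: " n "," { sub(/.*ID: /, ""); sub(/,.*/, ""); print; exit }')
    [ -n "$id" ] || return 1
    # the key is the only long base64 line in the -e output
    "$MANAGE_AGENTS" -e "$id" | grep -E '^[A-Za-z0-9+/=]{40,}$'
}

# --- agent side (wazuh-agent installed) ---
# agent_register KEY NAME MANAGER_IP -> imports the key, points the agent at the manager, restarts it.
agent_register() {
    validate_agent_key "$1" "$2" || { echo "key does not belong to agent $2" >&2; return 1; }
    # manage_agents -i asks for a y/n confirmation (assumed prompt); 'y' answers it
    echo y | "$MANAGE_AGENTS" -i "$1" > /dev/null || return 1
    set_manager_address "$AGENT_CONF" "$3" || return 1
    systemctl restart wazuh-agent
}

# Constructed sample key (not a real Wazuh key) so the offline checks run without Wazuh:
SAMPLE_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '%s' "001 web01 192.168.1.50 $SAMPLE_SECRET" | base64 | tr -d '\n')
decode_agent_key "$SAMPLE_KEY"   # prints: 001 web01 192.168.1.50
```

On a real deployment the flow is: on the manager, KEY=$(manager_add_agent web01 192.168.1.50); copy KEY to the agent over a trusted channel; on the agent, agent_register "$KEY" web01 192.168.1.10. The decode step deliberately never prints the secret part of the key.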

Location of Agent Files

The Wazuh agent files are located in the following directory:

/var/ossec/

The agent's main configuration file, including the client/server block that holds the manager address, port and protocol the agent connects with, is:

/var/ossec/etc/ossec.conf