Begin Security Monitoring with Wazuh

Introduction

Wazuh is a security-focused monitoring solution that combines XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities in one platform. And the best part is, it's free and open source.

Some of the capabilities of Wazuh are log data analysis, intrusion detection, file integrity monitoring, vulnerability detection and compliance reporting.

By using a security monitoring solution like Wazuh we gain more insight into the security posture of our machines, so that we can act faster when threats and vulnerabilities arise and mitigate possible attacks.

In this article we are going to set up Wazuh and install our first Wazuh agent on a machine of our choice to start collecting data.

Installation

The following steps show how to set up Wazuh with Docker. Wazuh can be deployed as a single-node or a multi-node stack; the steps below deploy the single-node stack.
As recommended by the documentation, we start by adding the following line to our /etc/sysctl.conf file:

vm.max_map_count=262144

Retrieving the source code

First we clone the Wazuh Docker repository to our system with a git clone command:

git clone https://github.com/wazuh/wazuh-docker.git -b v4.10.1

Generating self-signed certificates

Next we move into the wazuh-docker/single-node folder. It contains the generate-indexer-certs.yml file, with which we generate the certificates for our Wazuh containers. We run it with:

docker-compose -f generate-indexer-certs.yml run --rm generator

This generates the certificates for the Wazuh indexer, Wazuh manager and Wazuh dashboard.

If you don't want to run the application behind a reverse proxy, this completes the first part: a single docker-compose up starts the application and maps it to host port 443.

Running Wazuh behind a Reverse Proxy

First adjust the docker-compose.yml file and map the Wazuh dashboard container port 5601 to host port 5601, or any other available host port of your liking.

Next navigate to wazuh-docker/single-node/config/wazuh_dashboard and edit the opensearch_dashboards.yml file: comment out the server.ssl.key and server.ssl.certificate entries and change the server.ssl.enabled value to false.

server.ssl.enabled: false
#server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
#server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"

With these changes the Wazuh stack runs behind the proxy after starting it with docker-compose up. Note that the dashboard now serves plain HTTP on port 5601, so TLS has to be terminated at the reverse proxy.

Changing the default credentials

We probably don't want to run Wazuh with the default credentials, as that would make our application an easy target for attackers. Therefore we will now change them.

If the application is already running, stop it first with a simple docker-compose down command.

Inside config/wazuh_indexer/internal_users.yml we find sections for the admin user and the kibanaserver user. The passwords stored in this file are hashed with bcrypt. After having decided on the new passwords, we run the following command:

docker run --rm -ti wazuh/wazuh-indexer:4.10.1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

This starts a prompt asking for a password and prints the corresponding bcrypt hash. We take these newly generated hashes and replace the old values inside the internal_users.yml file with them.

Afterwards we also need to replace the values inside the docker-compose.yml file. For admin we replace the value wherever we find the INDEXER_PASSWORD entry (wazuh.manager and wazuh.dashboard containers). For kibanaserver we do the same for the DASHBOARD_PASSWORD entry (wazuh.dashboard container).

Now we start the Wazuh stack again with docker-compose up and open a bash shell in the single-node-wazuh.indexer-1 container. The easiest way is to first determine the container ID with docker ps and then enter it with:

docker exec -it <Container ID of single-node-wazuh.indexer-1> bash

Inside the container we execute the following commands:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk

We wait a moment (2-5 minutes), as suggested by the Wazuh documentation, and finally run

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

After another short wait the changes should be applied and the Wazuh dashboard accessible.

If we also want to change the credentials for the API, we do this by changing the password inside config/wazuh_dashboard/wazuh.yml and in the docker-compose.yml and re-running the whole stack via docker-compose down and up.
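As an added example (not part of this article or of the Wazuh project), the following Python script automates the file-editing part of the credential change: it takes the bcrypt hashes printed by hash.sh, writes them into the admin and kibanaserver blocks of internal_users.yml and sets the matching INDEXER_PASSWORD and DASHBOARD_PASSWORD entries in docker-compose.yml, refusing anything that is not a bcrypt hash so a plaintext password can never end up in internal_users.yml. Both file excerpts are constructed samples, and the hash format check assumes the $2y$-style output that the OpenSearch hasher produces.

```python
import re

# Constructed excerpt of config/wazuh_indexer/internal_users.yml (sample, not the real file).
SAMPLE_INTERNAL_USERS = """\
admin:
  hash: "OLD-ADMIN-HASH-PLACEHOLDER"
  description: "Demo admin user"

kibanaserver:
  hash: "OLD-KIBANASERVER-HASH-PLACEHOLDER"
  description: "Demo kibanaserver user"
"""

# Constructed excerpt of the environment block of one docker-compose.yml service.
SAMPLE_COMPOSE = """\
    environment:
      - INDEXER_PASSWORD=OldAdminPassword
      - DASHBOARD_PASSWORD=OldKibanaserverPassword
"""

# Shape of what hash.sh prints: $2<a|b|y>$<cost>$<22-char salt + 31-char digest>.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

def is_bcrypt_hash(value):
    return bool(BCRYPT_RE.match(value))

def set_user_hash(yaml_text, user, new_hash):
    """Replace the hash of one top-level user block; refuses anything that is not bcrypt."""
    if not is_bcrypt_hash(new_hash):
        raise ValueError("not a bcrypt hash; generate it with hash.sh first")
    block = re.compile(rf'^({re.escape(user)}:\n(?:[ \t]+.*\n)*?[ \t]+hash: )"[^"]*"', re.M)
    updated, n = block.subn(lambda m: m.group(1) + f'"{new_hash}"', yaml_text)
    if n != 1:
        raise KeyError(f"user {user!r} not found exactly once")
    return updated

def set_compose_password(compose_text, key, new_password):
    """Rewrite every '- KEY=...' entry (INDEXER_PASSWORD or DASHBOARD_PASSWORD)."""
    entry = re.compile(rf"^([ \t]*-[ \t]*{re.escape(key)}=).*$", re.M)
    updated, n = entry.subn(lambda m: m.group(1) + new_password, compose_text)
    if n == 0:
        raise KeyError(f"{key} not found in docker-compose.yml")
    return updated

def rotate(users_yaml, compose_yaml, admin_pw, admin_hash, kibana_pw, kibana_hash):
    # Apply both hashes and both plaintexts together so the two files cannot drift apart.
    users_yaml = set_user_hash(users_yaml, "admin", admin_hash)
    users_yaml = set_user_hash(users_yaml, "kibanaserver", kibana_hash)
    compose_yaml = set_compose_password(compose_yaml, "INDEXER_PASSWORD", admin_pw)
    compose_yaml = set_compose_password(compose_yaml, "DASHBOARD_PASSWORD", kibana_pw)
    return users_yaml, compose_yaml
```

Run rotate() on the contents of the two real files and write the results back before starting the stack and running securityadmin.sh as described above.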

Deploying a Wazuh agent

To start collecting data from the machine of our choice, we first need to deploy a Wazuh agent on it. For this we log into our Wazuh dashboard and navigate to the agents section, where we find the option to deploy a new agent. On the new page we select the OS and the package format in which the installation instructions should be delivered. As server address we provide the address through which the agent can reach the machine on which the Wazuh server is running. We then provide a name for the agent and select a group to put it into. Next we are provided with installation instructions, e.g. a command to run:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.10.1-1_amd64.deb \
&& sudo WAZUH_MANAGER='<IP>' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='<Name>' \
dpkg -i ./wazuh-agent_4.10.1-1_amd64.deb

When the agent has been installed we enable and start the wazuh-agent service (the commands are also provided). When we navigate back to the agents section of the dashboard, an entry should be listed for the deployed agent, showing it in an active state.

Next steps

Now that we have set up Wazuh and deployed our first agent, it is up to you to make use of everything Wazuh has to offer and configure it to your needs. This could include configuring the log sources that you want to observe, checking for vulnerabilities or suspicious files, configuring alerts and receiving notifications for events that require fast intervention.

For more information refer to the official documentation.