Overview

Wazuh is an open-source security information and event management (SIEM) tool. It is designed to help organizations detect and respond to security threats by providing log analysis, intrusion detection, vulnerability detection, and other security-related capabilities. Wazuh is built on top of the ELK (Elasticsearch, Logstash, and Kibana) stack and integrates with other security tools to provide a comprehensive security solution.

Wazuh Components

  • The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
  • The Wazuh server analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
  • The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for security events, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.

Cheatsheet

Wazuh Service Name

systemctl status wazuh-manager
systemctl status wazuh-indexer
systemctl status wazuh-dashboard

Wazuh Log

# Wazuh indexer
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

# Wazuh manager
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

# Wazuh dashboard:
journalctl -u wazuh-dashboard
cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
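The greps above are usually run by hand on each box; the script below is an added example (not from the Wazuh project or the original page) that wraps the same error/warning check in a reusable function and summarizes the counts per log, so it can be pointed at any of the component logs listed above. The log lines it runs against are constructed to resemble ossec.log and are not real output.

```shell
#!/bin/sh
# Added example: count ERROR and WARN lines in a Wazuh component log.
# Works on any of the logs above, e.g. /var/ossec/logs/ossec.log.

# count_severity FILE PATTERN -> prints how many lines of FILE match PATTERN (case-insensitive).
# grep -c exits 1 when nothing matches but still prints 0, so the "|| true" keeps set -e happy.
count_severity() {
    grep -i -c -E "$2" "$1" || true
}

# triage_log FILE -> prints "errors=<n> warnings=<n>" for FILE, matching the
# same "error|warn" patterns as the manual greps in this cheatsheet.
triage_log() {
    errors=$(count_severity "$1" "error")
    warnings=$(count_severity "$1" "warn")
    printf 'errors=%s warnings=%s\n' "$errors" "$warnings"
}

# make_sample_log FILE -> writes a few constructed ossec.log-style lines to FILE
# (sample data for offline testing, not a real log).
make_sample_log() {
    cat > "$1" <<'EOF'
2024/01/10 10:00:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/01/10 10:00:02 wazuh-remoted: WARNING: Agent key mismatch for 'web01'.
2024/01/10 10:00:03 wazuh-analysisd: ERROR: Could not open rules file.
2024/01/10 10:00:04 wazuh-db: INFO: Started (pid: 1234).
EOF
}

# Usage when run directly: triage the real manager log if present, else the sample.
if [ "${0##*/}" = "triage_log.sh" ]; then
    if [ -r /var/ossec/logs/ossec.log ]; then
        triage_log /var/ossec/logs/ossec.log
    else
        tmp=$(mktemp)
        make_sample_log "$tmp"
        triage_log "$tmp"
        rm -f "$tmp"
    fi
fi
```

Save it as triage_log.sh and run it on a manager; on a host without Wazuh it falls back to the constructed sample so the function can still be exercised.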

Change Wazuh Admin Password

- Download tool
curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/4.3/wazuh-passwords-tool.sh
- Change single user
bash wazuh-passwords-tool.sh -u admin -p mypassword
- Change the passwords of all users:
bash wazuh-passwords-tool.sh -a
- Password will change user on

Remember to update the new password in:
/etc/filebeat/filebeat.yml
/etc/kibana/kibana.yml
/etc/wazuh-indexer/
/etc/wazuh-dashboard/

Wazuh Client’s Agent

/var/ossec/bin/manage_agents -l # list all agents
/var/ossec/bin/manage_agents -r 003 # remove agent id 003

Duplicate Wazuh Agent

- Check the ossec.log on the server
- List agents to find the agent ID
/var/ossec/bin/manage_agents -l
- Export the agent's key
/var/ossec/bin/manage_agents -e <agent_id>
- Copy the key
- On the client agent, import the copied key
/var/ossec/bin/manage_agents -i <copied_key>
- Restart the agent and watch its log
service wazuh-agent restart
tail -f /var/ossec/logs/ossec.log
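Before exporting and re-importing a key, it helps to know which agent IDs are actually involved. The following is an added example (not part of the page or the Wazuh project) that parses the listing printed by `manage_agents -l` and reports any agent name registered under more than one ID; the stale ID can then be removed with `manage_agents -r <id>` as shown earlier. The listing it parses here is a constructed sample in the same "ID: 001, Name: host, IP: any" shape as the real tool's output.

```shell
#!/bin/sh
# Added example: find agent names that appear more than once in `manage_agents -l` output.

# sample_agent_list -> prints a constructed listing in the format of `manage_agents -l`
# (sample data for offline use; on a manager, pipe the real command instead).
sample_agent_list() {
    cat <<'EOF'
Available agents:
   ID: 001, Name: web01, IP: any
   ID: 002, Name: db01, IP: 10.0.0.5
   ID: 003, Name: web01, IP: any
EOF
}

# duplicate_agent_names  (reads a manage_agents -l listing on stdin)
#   -> prints one line per duplicated name: "<name> <id1>,<id2>,..."
duplicate_agent_names() {
    awk -F', ' '
        /^ *ID: / {
            id = $1;   sub(/^ *ID: /, "", id)     # "001"
            name = $2; sub(/^Name: /, "", name)   # "web01"
            if (name in ids) ids[name] = ids[name] "," id
            else ids[name] = id
            count[name]++
        }
        END {
            for (n in count)
                if (count[n] > 1) print n, ids[n]
        }'
}

# Usage on a real manager (commented so the script stays runnable offline):
# /var/ossec/bin/manage_agents -l | duplicate_agent_names
sample_agent_list | duplicate_agent_names
```

Each reported line gives the name followed by the IDs that share it; the ID that no longer matches the key on the endpoint is the one to remove before re-importing.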

Install Agent on client endpoint

Windows

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.7-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.7.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.7.msi /q WAZUH_MANAGER='wazuh.home.amanulloh.com' WAZUH_REGISTRATION_SERVER='wazuh.home.amanulloh.com' WAZUH_AGENT_GROUP='default'
NET START WazuhSvc

Linux

curl -so wazuh-agent-4.3.7.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.7-1_amd64.deb && sudo WAZUH_MANAGER='wazuh-server.home.amanulloh.com' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.7.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Remote Agent Upgrade from server (SSH)

- List agents and their versions
/var/ossec/bin/agent_upgrade -l
- Upgrade the agent with ID 002
/var/ossec/bin/agent_upgrade -a 002

Manual agent upgrade

- Windows
Download -> https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi
Install -> .\wazuh-agent-4.3.10-1.msi /q
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10-1.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10-1.msi /q

- Linux (apt): install the Wazuh GPG key

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
- Add the Wazuh repository
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- Upgrade the Wazuh agent to the latest version
apt-get update
apt-get install wazuh-agent