Overview
Wazuh is an open-source security information and event management (SIEM) tool. It is designed to help organizations detect and respond to security threats by providing log analysis, intrusion detection, vulnerability detection, and other security-related capabilities. Wazuh is built on top of the ELK (Elasticsearch, Logstash, and Kibana) stack and integrates with other security tools to provide a comprehensive security solution.
Wazuh Components
- The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
- The Wazuh server analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
- The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for security events, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.
Cheatsheet
Wazuh Service Name
systemctl status wazuh-manager
systemctl status wazuh-indexer
systemctl status wazuh-dashboard
Wazuh Log
# Wazuh indexer
grep -i -E "error|warn" /var/log/wazuh-indexer/wazuh-cluster.log
# Wazuh manager
grep -i -E "error|warn" /var/log/filebeat/filebeat
grep -i -E "error|warn" /var/ossec/logs/ossec.log
# Wazuh dashboard
journalctl -u wazuh-dashboard
grep -i -E "error|warn" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log
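A raw grep for "error|warn" tells you something is wrong but not which daemon is complaining or how often. The following shell script is an added example (not part of this cheatsheet and not a Wazuh tool): it summarises WARNING/ERROR/CRITICAL entries of an ossec.log-style file per component and gives a yes/no answer for "are there errors at all". It assumes the usual line layout "YYYY/MM/DD HH:MM:SS component: LEVEL: message" (modules show up as "wazuh-modulesd:syscollector:"); the sample log lines in it are constructed, not captured from a real manager.

```shell
#!/bin/sh
# Added example, not from the cheatsheet or the Wazuh project: per-component
# summary of non-INFO entries in an ossec.log-style file.

# Print "LEVEL component count" lines, sorted, for every WARNING/ERROR/CRITICAL
# entry in the file given as $1. Field 3 is "component:" and field 4 "LEVEL:".
wazuh_log_summary() {
  awk '
    $3 ~ /^[A-Za-z0-9_-]+(:[A-Za-z0-9_-]+)*:$/ &&
    ($4 == "WARNING:" || $4 == "ERROR:" || $4 == "CRITICAL:") {
      comp = substr($3, 1, length($3) - 1)   # strip trailing colon
      lvl  = substr($4, 1, length($4) - 1)
      n[lvl " " comp]++
    }
    END { for (k in n) print k, n[k] }
  ' "$1" | sort
}

# Exit 0 if $1 contains at least one ERROR or CRITICAL entry, 1 otherwise.
wazuh_log_has_errors() {
  grep -qE '^[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9:]{8} [^ ]+: (ERROR|CRITICAL):' "$1"
}

# Constructed sample lines (not taken from a real system) for a dry run.
wazuh_sample_log() {
  cat <<'EOF'
2024/01/15 10:23:45 wazuh-remoted: WARNING: (1213): Message from '10.0.0.25' not allowed. Cannot find the ID of the agent.
2024/01/15 10:23:46 wazuh-remoted: WARNING: (1213): Message from '10.0.0.25' not allowed. Cannot find the ID of the agent.
2024/01/15 10:24:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/01/15 10:24:05 wazuh-authd: ERROR: Unable to bind TCP port 1515: address already in use.
2024/01/15 10:24:10 wazuh-analysisd: INFO: Total rules enabled: 4830
EOF
}

# Stand-alone demo against the sample; replace $demo_log with
# /var/ossec/logs/ossec.log on a real manager.
demo_log=$(mktemp) && wazuh_sample_log > "$demo_log"
wazuh_log_summary "$demo_log"
if wazuh_log_has_errors "$demo_log"; then echo "errors present"; else echo "no errors"; fi
```

On the sample above the summary prints "ERROR wazuh-authd 1" and "WARNING wazuh-remoted 2", which points straight at authd and remoted instead of a list of raw lines.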
Change Wazuh Admin Password
- Download the tool
curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/4.3/wazuh-passwords-tool.sh
- Change the password of a single user
bash wazuh-passwords-tool.sh -u admin -p mypassword
- Change the passwords of all users:
bash wazuh-passwords-tool.sh -a
- The components that authenticate with a changed password must be updated as well.
Remember to update the new password in:
/etc/filebeat/filebeat.yml
/etc/kibana/kibana.yml
/etc/wazuh-indexer/
/etc/wazuh-dashboard/
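A rotated password that is still sitting in one of the files listed above breaks the component that reads it (or, worse, leaves the old credential lying around in plain text). The following shell function is an added example, not part of this cheatsheet or the Wazuh passwords tool: it scans the listed files and directories for the retired password and reports every file that still contains it. Paths that do not exist on the host are skipped; the password is taken from an environment variable so it stays out of shell history.

```shell
#!/bin/sh
# Added example, not from the cheatsheet or the Wazuh project: find config
# files that still carry a password that was just rotated.

# Usage: wazuh_stale_password_files OLD_PASSWORD PATH...
# Prints every file under PATH... (files or directories) that still contains
# OLD_PASSWORD. Returns 0 when nothing stale was found, 1 otherwise.
wazuh_stale_password_files() {
  old=$1
  shift
  found=0
  for path in "$@"; do
    [ -e "$path" ] || continue
    # find handles a single file as well as a directory tree; grep -lF matches
    # the password literally (no regex metacharacters) and prints file names.
    hits=$(find "$path" -type f -exec grep -lF -- "$old" {} + 2>/dev/null)
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Stand-alone demo against the paths named in the cheatsheet. Run as:
#   WAZUH_OLD_PASSWORD='the-old-one' sh this_script.sh
if [ -n "${WAZUH_OLD_PASSWORD:-}" ]; then
  if wazuh_stale_password_files "$WAZUH_OLD_PASSWORD" \
       /etc/filebeat/filebeat.yml /etc/kibana/kibana.yml \
       /etc/wazuh-indexer /etc/wazuh-dashboard; then
    echo "no file still contains the old password"
  else
    echo "the files above still contain the old password; update them and restart the service"
  fi
fi
```

A clean run (exit 0) is the signal that filebeat and the dashboard can be restarted; a non-zero exit lists exactly which file to edit.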
Wazuh Client Agents (on the manager)
/var/ossec/bin/manage_agents -l # list all agents
/var/ossec/bin/manage_agents -r 003 # remove the agent with ID 003
Duplicate Wazuh Agent
- Check ossec.log on the manager for the agent that is reported as duplicate
- On the manager, find the agent ID and export its key:
/var/ossec/bin/manage_agents -l # to check the agent ID
/var/ossec/bin/manage_agents -e <agent_id> # to see the key
- Copy the key
- On the client, import the key and restart the agent:
/var/ossec/bin/manage_agents -i <copied_key>
service wazuh-agent restart
- Verify the agent connects:
tail -f /var/ossec/logs/ossec.log
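The key copied from the manager is base64 of "ID NAME IP SECRET", so it can be checked before it is imported: pasting a key that belongs to a different agent is how a duplicate-agent mix-up gets worse. The shell functions below are an added example (not part of this cheatsheet or of manage_agents): they pull the key out of the text printed by manage_agents -e, decode it, and confirm the ID and name match the agent you are fixing, without ever printing the secret. Two assumptions are marked in the code: that the key is the last non-empty line of the -e output, and the constructed sample key, which is not a real one.

```shell
#!/bin/sh
# Added example, not from the cheatsheet or the Wazuh project: sanity-check an
# exported agent key before importing it on the client.

# Read the text printed by "manage_agents -e <id>" on stdin and print only the
# key. Assumption: the key is the last non-empty line of that output.
wazuh_extract_key() {
  awk 'NF { last = $0 } END { print last }'
}

# Print "ID NAME IP" for a key; exit 1 if it does not decode to four fields.
# The fourth field (the shared secret) is deliberately not printed.
wazuh_key_fields() {
  printf '%s' "$1" | base64 -d 2>/dev/null |
    awk 'NF == 4 { print $1, $2, $3; ok = 1 } END { exit !ok }'
}

# Usage: wazuh_key_matches KEY EXPECTED_ID EXPECTED_NAME ; exit 0 on a match.
wazuh_key_matches() {
  fields=$(wazuh_key_fields "$1") || return 1
  printf '%s\n' "$fields" |
    awk -v id="$2" -v name="$3" '{ exit !($1 == id && $2 == name) }'
}

# Constructed sample: a key for agent 003 "webserver" with a made-up secret.
WAZUH_SAMPLE_KEY=$(printf '%s' '003 webserver any 0123456789abcdef0123456789abcdef' | base64)

# Stand-alone demo; on a real manager pipe the -e output into wazuh_extract_key:
#   key=$(/var/ossec/bin/manage_agents -e 003 | wazuh_extract_key)
echo "key belongs to: $(wazuh_key_fields "$WAZUH_SAMPLE_KEY")"
if wazuh_key_matches "$WAZUH_SAMPLE_KEY" 003 webserver; then
  echo "ID and name match; safe to import on the client with manage_agents -i"
else
  echo "key does not belong to the expected agent; do not import it"
fi
```

If the check fails, the right move is to re-export the key for the correct ID on the manager rather than to import what was copied.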
Install Agent on client endpoint
Windows
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.7-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.7.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.7.msi /q WAZUH_MANAGER='wazuh.home.amanulloh.com' WAZUH_REGISTRATION_SERVER='wazuh.home.amanulloh.com' WAZUH_AGENT_GROUP='default'
NET START WazuhSvc
Linux
curl -so wazuh-agent-4.3.7.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.7-1_amd64.deb && sudo WAZUH_MANAGER='wazuh-server.home.amanulloh.com' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.7.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Remote Agent Upgrade from the server (via SSH)
- List agents and their versions
/var/ossec/bin/agent_upgrade -l
- Upgrade agent
/var/ossec/bin/agent_upgrade -a 002
Manual agent upgrade on the endpoint
- Windows
Download -> https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi
Install -> .\wazuh-agent-4.3.10-1.msi /q
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10-1.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10-1.msi /q
- Linux: install the Wazuh GPG key
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
- Add the Wazuh repository
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- Upgrade the Wazuh agent to the latest version
apt-get update
apt-get install wazuh-agent