Wazuh is a security platform that combines XDR and SIEM for monitoring and protecting endpoints and cloud workloads [Link]. Virtually any platform has a respective agent available: Linux, Windows, MacOS, Solaris, HPUX, and AIX
Bare minimal requirements (start small and expand as needed):
- 2 vCPU
- 4 GB of RAM
- 50 GB of Storage
Even though the minimum requirements that I recommended are half of the official documentation, I managed to monitor over 50 endpoints with it at 2.5% avg CPU utilization and 65 to 85% of RAM. The key to my use case is the fact that I monitor Linux endpoints that have no users playing around. Only stand-alone servers with their automatic loads. This reduces the amount of events to the minimum.
INSTALLATION
curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
It may take some time but when the installation is completed, it will print the generated password for the Admin account:
INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0 INFO: Verbose logging redirected to /var/log/wazuh-install.log INFO: Wazuh web interface port will be 443. INFO: --- Dependencies ---- INFO: Installing apt-transport-https. INFO: Wazuh repository added. INFO: --- Configuration files --- INFO: Generating configuration files. INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation. INFO: --- Wazuh indexer --- INFO: Starting Wazuh indexer installation. INFO: Wazuh indexer installation finished. INFO: Wazuh indexer post-install configuration finished. INFO: Starting service wazuh-indexer. INFO: wazuh-indexer service started. INFO: Initializing Wazuh indexer cluster security settings. INFO: Wazuh indexer cluster initialized. INFO: --- Wazuh server --- INFO: Starting the Wazuh manager installation. INFO: Wazuh manager installation finished. INFO: Starting service wazuh-manager. INFO: wazuh-manager service started. INFO: Starting Filebeat installation. INFO: Filebeat installation finished. INFO: Filebeat post-install configuration finished. INFO: Starting service filebeat. INFO: filebeat service started. INFO: --- Wazuh dashboard --- INFO: Starting Wazuh dashboard installation. INFO: Wazuh dashboard installation finished. INFO: Wazuh dashboard post-install configuration finished. INFO: Starting service wazuh-dashboard. INFO: wazuh-dashboard service started. INFO: Initializing Wazuh dashboard web application. INFO: Wazuh dashboard web application initialized. INFO: --- Summary --- INFO: You can access the web interface https://<wazuh-dashboard-ip>:443 User: admin Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 24/03/2024 14:23:29 INFO: Installation finished.
Navigate to the URL using the newly created credentials.
SETTING UP AGENTS
After logging in to the Dashboard, click on Add Agent.
Select the platform + architecture of the end point to be monitored, provide the server address (ideally a local name that points to the server, in case it changes IP), and the group (in my case I left the default).
Note that it will not perform anything other than compose a command line that can be copied and executed on the hosts.
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.10' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent_4.9.0-1_amd64.deb
Unfortunately, after setting up the agent it does not start or enable boot automatically. So, run the following command too.
sudo systemctl daemon-reload && sudo systemctl enable wazuh-agent && sudo systemctl start wazuh-agent
It may take a few seconds to change to Active Agents.
All good, now!
If the agent does not connect to the server, check the logs for clues.
sudo tail -f /var/ossec/logs/ossec.log | grep -i -E "error|warn"
MONITORING END-POINTS
By clicking any Agent (end-point), events will start to be populated. A series of checks will happen right after they are joined (not too resource-intensive).
Then, new events will be created as they happen in the server.
A summary of the current status of the Agent. It classifies each “issue/event” with a respective TTP (Tactic, Technique, and Procedure) from the Mitre and correlates to the compliance regulations.
See example:
Note: it will flag a lot of false positives that will need a thorough understanding of the system and its applications to define what is normal operation from what needs investigation. For example, users/admin logins will be recorded as events. System patches will cause a massive number of events. And so on…
Vulnerability Detector and Security Configuration Assessment (SCA) comes disabled by default. Enable them!
Feel free to enable all the individual repositories of vulnerability. In the example above, I enabled for Canonical (Ubuntu).
Here is where the real work starts!
BONUS
Wazuh started as a fork of OSSEC a long time ago. OSSEC looks like being under much slower development but is still popular and relevant in the cyber security universe [Link].
git clone https://github.com/ossec/ossec-hids.git cd ossec-hids sudo apt update sudo apt install libz-dev libssl-dev libpcre2-dev build-essential libsystemd-dev -y ./install.sh
Or using APT [Link].
wget -q -O - https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt | sudo apt-key add - echo "deb https://updates.atomicorp.com/channels/atomic/ubuntu $DISTRIB_CODENAME main" >> /etc/apt/sources.list.d/atomic.list sudo apt update sudo apt install ossec-hids-server -y
For MS Windows endpoints (yes, some people use it), check out BLUESPAWN [Link]. It is another open-source EDR.