Post

Wazuh Project Part 1

The first post on creating a fully functional small scale Wazuh SIEM setup.

Posted Updated
Preview Image
By Luke A. Martin
9 min read
Wazuh Project Part 1

Introduction:

This is the first of a series of posts that should give you (the reader) the foundation to build out a similar system. This isn’t meant for someone who doesn’t understanding basic networking and IT principles, rather it is designed for those who are tinkering with Cybersecurity tools and are looking to expand their own understanding of the applications and systems that they already use. A lot of the concepts and workflows in relation to Wazuh are universal in Cybersecurity, so you will see the similar setups with applications such as Microsoft Sentinel and other SIEM focused products.

The platform of choice for this project is Wazuh. This platform is a opensource software with fantastic documentation and support. It is free to use as long as you can scale up your system on your own hardware, which is exactly what I have done. Wazuh is the full package when it comes to SIEM operations, providing monitoring, automations, intelligence, and security enforcement functionality across all monitored devices. Wazuh has 4 main components for installation, the indexer, the server, the dashboard, and of course the endpoint protection application.

The indexer and server are what I have running on a VM in my lab at my house. This is the core piece of the system that provides the storage and organization of the log data collected from the endpoints. The dashboard is accessible via a Web Portal, and the endpoint protection application can be easily shared and downloaded onto any computer to add it into the system.

There are reasonable security concerns in this setup with bringing traffic from the internet through your network. It is important to make sure to have proper network controls in place. For Me, this meant setting up a VPN using Tailscale (as seen on Part 2) which ends up providing me with adequal ACL control and isolation from my home network. Isolating the Indexer and the Server to a VM.

Hardware Recommendations:

I would highly recommend to make sure you have a dedicated computer for this endeavor. The Server and Indexer will need to remain on at all times to keep logging the data stream coming in from the Endpoints. However, at a smaller scale lab system, there is no need to spend a lot of money for a large server. I found a refurbished Dell OptiPlex tower with 32 GB of ram, 2 TB SSD, and a core i7 to be fully functional for at least a few dozen endpoints. This put me down about $300, which was a great find. The main thing is you need to make sure that you can dedicate at least 4 CPU cores, 500 GBs, and 16 GBs of ram to a dedicated Virtual Machine that would be running the Server and indexer for optimal performance.

Hosting Via a Virtual Machine:

I Would highly recommend running a Virtual Machine. I used Oracle’s Virtual Box, which can be run on any Desktop (no need for a special hypervisor). Takes some time to get used to working with Virtual Machines if you haven’t before, so make sure that you understand the whole process.

You don’t have to deploy this on a VM. You could also do this on a docker or on a bare-metal setup. I chose to use a VM partially for education purposes (with VM being a very common way that corporations host these types of applications), as well as the key security controls that come along with running VMs compared to Dockers or on a bare-metal configuration.

The Installation:

  • Wazuh Installation Documentation
  • Above is the documentation for installing Wazuh
  • I followed the Assisted Installation for each one, However there are specific steps that were left out from documentation that I filled in below.
  • Feel free to follow my steps alongside the official documentation (I would HIGHLY recommend to follow the official docs as well, it is quite good).

Run full setup as a Root User or Local Admin. Issues will arise if done otherwise.

Indexer Installation:

1) Initial Configuration

  • Download the installer and config.yml file on the machine (In my case, my VM) which will host the Indexer and Server.
  • I personally am running a Linux (Cent OS) Box, so commands might vary depending on your chosen OS.
1
2

wget https://packages.wazuh.com/4.11/wazuh-install.sh
wget https://packages.wazuh.com/4.11/config.yml

2) Configuration

  • Open config.yml
    1

    sudo nano <PATH TO config.yml>
  • Replace the names of the indexer, server, and dashboard with what you want.

I ran into issues with using Bridged Mode (In the VM) for my first attempt. So, just to get a functional system working, I ran my VM in NAT mode with IP addresses for my indexer, server, and dashboard as 127.0.0.1, making the dashboard accessible via my host. I will be putting this setup on a Tailscale VPN for adequate control… that is a project for a second post.

  • Generate config files
    1

    sudo bash wazuh-install.sh --generate-config-files

Write down the chosen names!

  • It becomes a pain later on when you have to reference the names when configuring the installation
  • Keep the written names in a secure location (password vault, secure notes, etc.), not in the same VM that runs the applications.
  • IF you end up forgetting to write them down (as I did the first time). The ‘config.yml’ file can be access through the ‘.tar’ file where it is embedded:
    1

    sudo tar -xf wazuh-install-files.tar wazuh-install-files/config.yml
  • View said file:
    1

    cat wazuh-install-files/config.yml

Port Forwarding: setup port forwarding for 9200 (Indexer Requests) and 9300 (RESTful API Access) in on the VM. This can be done in the Network section of settings for your specific VM.

  • Grab the Admin passwords
    1
2

    sudo tar -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
sudo nano wazuh-install-files/wazuh-passwords.txt

  • record passwords and credentials for future needs.

  • Run the installation
    1

    sudo bash wazuh-install.sh --wazuh-indexer <indexer name>

3) Verify installation

1

curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200
  • This should give you a printout on terminal with specifications about the build
1

curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
  • Checks to make sure that the Cluster is functioning well.
  • Thats it for the Indexer! One of the more tedious parts of the inital setup.

Server Installation:

  • wazuh-install.sh has already been installed and is located in the .tar file.
  • So no need to install it again (Which isn’t talked about in the Documentation)!

1) start the server build

1

bash wazuh-install.sh --wazuh-server <server_name>
  • This will start a build process that takes a couple minutes
  • this installs filebeat and wazuh manager - all part of the wazuh server setup.

Open Ports: Make sure that ports 1514, 1515, 1516, and 55000 are open on your VM! This will be needed for the server. This can be configured in your VM application.

  1. Port 1514: This is the default port for agent communication service
  2. Port 1515: This port is used for the agent enrollment service
  3. Port 1516: This port is utilized by the Wazuh cluster daemon for TCP communication (Only needed for cluster deployments)
  4. Port 55000: This port is used for the Wazuh server RESTful API, allowing communication between the Wazuh dashboard and the server.

TIP:

  • I would also recommended to turn off auto-updates since these could break the whole system if the server updates and the endpoints do not.
    1

    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
  • Once the installs are complete and the needed ports are open that is it for the Server!

Dashboard Installation:

  • I Installed the Dashboard on the SAME VM running the Indexer as well as the Server. While this isn’t necessary (you could run it on a seperate node), This was the most convinent for troubleshooting purposes.
  • Just like the server, there is no reason to install the .sh file since it is already installed.

1) Run the Wazuh installation assistant to configure the Wazuh dashboard - NOTE: the node name (in this case, dashboard) must be the same node name defined in the config.yml file.

1

sudo bash wazuh-install.sh --wazuh-dashboard dashboard
  • It took me between 2-4 minutes for the full installation.
  • It initially had an error, just rerunning the command seemed to fix the failed installation.
  • Once it finishes you should get the following code.
1
2
3
4
5
6

INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
   User: admin
   Password: <ADMIN_PASSWORD>

INFO: Installation finished.

Getting Your Admin Passwords:

  • You now have installed and configured Wazuh. Find all passwords that the Wazuh installation assistant generated in the wazuh-passwords.txt file inside the wazuh-install-files.tar archive. To print them, run the following command:
    1

    tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Accessing the dashboard for the first time

  • When accessing for the firstime, the browser will give you an “unsafe” warning.
  • If you don’t want to see this warning and add some security, you can:
    • create an exception by adding the connection in the advanced options of the browser.
    • Or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser instead.
    • Thirdly, you can get a certificated from a trusted authority (CA).

Making sure Dashboard Connectivity is Possible:

  • There are lots of troubleshoot documents on the following website:
  • https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html

Some Final Notes:

  • I attempted to fully install this setup on 3 seperate installations. A lot of the notes that I have thrown in (such as not writing down the names of your nodes) are direct issues I ran into and had to back-fill in my mistakes.
  • This is not a super easy process, so if it takes a while to get something stood up due to random command errors… That is just the learning experience! I spent a grand total of 10 to 20 hours grinding my way through this process.
  • When I did this part of the project, I had around 5 months of experience in IT, the Comptia A+ certification, and was about to take my Security+ exam (which I passed). Consider that to be the low-bar for what kind of background one should have before attempting such a project.

That is all I have for this post! The next post will be focusing on achieving higher quality accessibility of the dashboard, specifically a TailScale VPN connection to allow connectivity via a remote laptop. I will also get the endpoint protection installed and functioning on at least 2 devices. Until then, thanks for reading, keep being curious, and stay safe out there!

  • Luke A. Martin
cybersecurity
Project
This post is licensed under CC BY 4.0 by the author.

Trending Tags

Project analysis