Wazuh Project Part 2
The second post on creating a fully functional Wazuh SIEM setup.
Introduction
In Wazuh Project Part 1, I walked through the installation of the Wazuh Indexer, Server, and Dashboard. I got it to the point where I could access the dashboard via the browser on the host pc that hosted the VM that contained the Wazuh Server Instance. Now I will go into the installation of the Wazuh Endpoint Protection, setting up remote access for the Dashboard through the creation of a Tailscale network, and re-initiating the Wazuh server setup. By the end of this post, there should be a fully functional Wazuh setup that also has convinent remote SOC functionality, at least 2 endpoints properly configured, and be geared for expanding into more computers.
Turning Back on the setup
- If you turn off your machine running the server (as I did by accident), you will need to reinitialize the system.
1 2 3
sudo systemctl start wazuh-indexer # Required for data storage sudo systemctl start wazuh-manager # Wazuh server sudo systemctl start wazuh-dashboard # Web interface
Don’t Forget to Check Firewall Permissions!
- Also, I found that by turning back on the VM after it turned off, the OS Firewall was reinitialized at default settings. This could make connections appear broken from the Host OS… Just remember to turn back on the correct ports with the correct syntax for your given OS.
Tailscale for direct remote dashboard access
In order to properly be able to access the dashboard outside of remoting into the host machine (which is downright inconvenient), I decided to setup a Tailscale network. Tail scale is a very handy opensource VPN system that uses Wire Guard to create a software-defined mesh VPN. It comes with all the built in security functionality you would need on a network, and allows you to quickly scale up a virtual private network for free (at a “lab” scale of operations).
Adding IP address to Tailscale for remote access
- use root access to go into the correct directory of the Server machine.
- Once there, find the path to the correct configuration file.
1
sudo find / -name opensearch_dashboards.yml
- edit the
openserach_dashboards.ymlfile.1
sudo nano wazuh-dashboard/opensearch_dashboards.yml - Make sure
server.hostis set to0.0.0.0 - make sure port
9200is open on the VM firewall - no need to change
opensearch.hostsfrom127.0.0.1. Since the VM is now on the Tailscale network you created, you can access the dashboard by putting in it’s static Tailscale IP address directly into the browser of another Tailscale connected device (https://<Tailscale-IP-Address>) with the correct permissions.
I will be adding some layers of security (ACL editing) to the Tailscale network once I have it up and running with my personal endpoints all syncing data correctly. Currently, there is the default full access between each node in the Tailnet, but I want to reduce the access that Member computers have compared to the Administrator computer (My laptop). I don’t want to jeopardize the other devices on the network if one is actually taken over by a malicious entity.
Setting up the first endpoints
- To make things easy, the first endpoints are going to the be the Host PC and my Laptop.
- I Followed the process on the Wazuh Dashboard to download the endpoint protection file to my laptop.
- I Chose my VM’s IP address (that is on my TailNet) as the Host Manager because it is where the server side is located.
- Once I filled out the necessary info (including a dedicated name), I copied the provided script and ran it in Administrator PowerShell, then I started up the system with one final command -
1
NET START Wazuh
- and BOOM.
- Log data is showing up on my dashboard remotely on my Laptop.
I was having issues adding the VM running the Wazuh Server when I realized… there is already technically a built-in agent. The agent’s name is “000”. It doesn’t show up as an agent on the Wazuh dashboard and it’s specific logs can’t be found as an “endpoint”. However, if looking through filters, you can find data that is coming from the server… This is something I need to dig into further.
A little about the Wazuh Dashboard
Wazuh’s dashboard is the perfect tool… Except the only draw back (and some would say the advantage) is that you really do have to build everything up from “scratch”. There isn’t much for predefined filtering… But I cannot emphasize enough how useful and inciteful their documentation is on using the application. If you are to this stage of the project where you have managed to bring up a Wazuh Server plus a few endpoints, I would highly recommend spending some time to just dig through the documentation they provide. Not only for the optimization of the Dashboard and setting it up to be a useful tool, but for the backend with the Server and Indexer, making sure that everything is working in a way that is useful and beneficial.
Some Final Notes:
The Wazuh platform provides a very flexible and dynamic environment to work in. With their wide range of tools, one can scale up very effectively tens,hundreds, or even thousands of endpoints as long as you have the proper hardware/configuration. At this point, I have A fully functional remote SOC solution with a few endpoints setup and sending Log Data.
The third post of this series will focus on the final aspects of Wazuh, which is scaling the system up, tightening security, and getting some functionality from the Wazuh Dashboard. I will be recruiting devices beyond my own personal household and extending my VPN into friends and family. My next post will have my network expanding to 8ish endpoints, creating a nice and useable dashboard, adding adeqaute security measures to the VPN, and configuring data retention policies on my server. Until then, keep being curious, and stay safe out there!
- Luke A. Martin