The Wazuh Security Information and Event Management (SIEM) solution provides monitoring, detection, and alerting of security events and incidents.
Installation of Wazuh (I have followed the steps provided in the document and some references from a Google search)
Follow installation steps 1 to 5 from the above-mentioned installation document.
Prep Work :
- Set up the hostname as an FQDN to generate certs
- and prepare the environment for installation.
I have 2 interfaces on my Linux host (one is connected to the external network and another to the internal network, for security reasons).
External Facing :
Set up a hostname so the FQDN resolves to the host:
Edit the hosts file and set the name you want to use (in my case soclab.bb.local):
10.10.9.1 soclab.bb.local soclab
I am able to ping it successfully:
Step 1 – Download the wazuh-certs-tool.sh script and the config.yml configuration file. The script creates the certificates that encrypt communications between the Wazuh central components.
curl -sO https://packages.wazuh.com/4.3/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.3/config.yml
Step 2 – Edit config.yml to match your environment :
My config.yml looks as below :
Step 3 – bash ./wazuh-certs-tool.sh -A
You will see the files below in the folder.
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
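The config.yml screenshot is not reproduced here, so below is an added helper script (my own example, not from the post or the Wazuh project) that covers Steps 1 to 3 for this single-host layout. It writes the config.yml that wazuh-certs-tool.sh reads, assuming the indexer, server and dashboard all run on soclab.bb.local / 10.10.9.1 as in the setup above, and then checks the bundle the tool writes to ./wazuh-certificates/ with openssl before it is copied anywhere: the node certificate must chain to root-ca.pem, carry the node name, not be about to expire, and match its private key. A bundle that fails any of these checks is the usual reason the indexer or dashboard later refuses TLS connections. The download and tool run only happen when the script is invoked with --run; the functions can be sourced and used on their own.

```shell
#!/bin/sh
# Added example, not from the post or from Wazuh: all-in-one config.yml for
# wazuh-certs-tool.sh plus sanity checks on the certificate bundle it produces.
# Host name and IP below are the ones used in the walkthrough; override via env.

WAZUH_HOST="${WAZUH_HOST:-soclab.bb.local}"
WAZUH_IP="${WAZUH_IP:-10.10.9.1}"

# write_certs_config FILE: config.yml with every component on the same host.
write_certs_config() {
    out="$1"
    cat > "$out" <<EOF
nodes:
  indexer:
    - name: $WAZUH_HOST
      ip: $WAZUH_IP
  server:
    - name: $WAZUH_HOST
      ip: $WAZUH_IP
  dashboard:
    - name: $WAZUH_HOST
      ip: $WAZUH_IP
EOF
}

# verify_node_cert DIR NODE: returns 0 if DIR/NODE.pem is usable with
# DIR/NODE-key.pem and DIR/root-ca.pem, 1 otherwise.
verify_node_cert() {
    dir="$1"; node="$2"
    cert="$dir/$node.pem"; key="$dir/$node-key.pem"; ca="$dir/root-ca.pem"
    [ -r "$cert" ] && [ -r "$key" ] && [ -r "$ca" ] || return 1
    # 1. the certificate must chain to the bundle's own root CA
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. the node name must appear as SAN or CN, or peers will reject the cert
    openssl x509 -in "$cert" -noout -text \
        | grep -q -e "DNS:$node" -e "CN *= *$node" || return 1
    # 3. refuse a certificate that expires within the next 24 hours
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null || return 1
    # 4. private key and certificate must carry the same public key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# main: the page's Steps 1 to 3 followed by the checks above.
main() {
    write_certs_config ./config.yml
    curl -sO https://packages.wazuh.com/4.3/wazuh-certs-tool.sh
    bash ./wazuh-certs-tool.sh -A
    if verify_node_cert ./wazuh-certificates "$WAZUH_HOST"; then
        echo "certificate bundle for $WAZUH_HOST looks good"
    else
        echo "certificate bundle for $WAZUH_HOST failed verification" >&2
        exit 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh check-certs.sh --run` on the host that will carry the indexer; the same verify_node_cert function can be pointed at /etc/wazuh-indexer/certs later to confirm nothing was lost in the tar/extract round trip.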
Follow the steps below to install the packages and Wazuh :
Below config – Configuring the Wazuh indexer
NODE_NAME=soclab.bb.local
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
My cert folder has the following :
Start the services :
# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer
Now the Wazuh indexer is running; next, initialize the cluster :
# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
Check that ports 9200 and 9300 are listening :
# curl -k -u admin:admin https://soclab.bb.local:9200
Seeing the results means the indexer is running as expected :
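The extract/chmod/chown sequence for /etc/wazuh-indexer/certs above is easy to get subtly wrong (a forgotten chmod 400 leaves the node's private key readable by every local account, which is enough to impersonate the indexer to the other components). Below is an added example of mine, not from the post or from Wazuh, that wraps the same steps in a function and adds an audit that fails if the directory, any file, or the ownership is looser than the post's 500/400/wazuh-indexer layout. The tarball path, node name, destination and owner are parameters so the audit can be rerun at any time; the bundle used in its test is a constructed set of placeholder files, not real certificates.

```shell
#!/bin/sh
# Added example, not from the post or from Wazuh: install the indexer
# certificate set exactly as the walkthrough does, then audit the result.

# install_indexer_certs TARBALL NODE DESTDIR OWNER[:GROUP]
# Extracts only the five files the indexer needs, then locks DESTDIR down.
install_indexer_certs() {
    tarball="$1"; node="$2"; dest="$3"; owner="$4"
    mkdir -p "$dest" || return 1
    tar -xf "$tarball" -C "$dest" \
        "./$node.pem" "./$node-key.pem" ./admin.pem ./admin-key.pem ./root-ca.pem \
        || return 1
    chmod 500 "$dest" && chmod 400 "$dest"/* && chown -R "$owner" "$dest"
}

# audit_certs_dir DIR NODE USER
# Returns 0 when DIR is r-x for USER only, every file is r-- for USER only,
# everything is owned by USER, and the five expected files are present.
audit_certs_dir() {
    dir="$1"; node="$2"; user="$3"
    [ -d "$dir" ] || return 1
    # any directory that is not exactly 0500 is a finding
    find "$dir" -type d ! -perm 500 | grep -q . && return 1
    # any file that is not exactly 0400 is a finding (keys included)
    find "$dir" -type f ! -perm 400 | grep -q . && return 1
    # anything not owned by the service account is a finding
    find "$dir" ! -user "$user" | grep -q . && return 1
    # the indexer needs all five files; a missing one fails startup later
    for f in "$node.pem" "$node-key.pem" admin.pem admin-key.pem root-ca.pem; do
        [ -f "$dir/$f" ] || return 1
    done
    return 0
}

# Usage on the indexer host (the walkthrough's values):
#   install_indexer_certs ./wazuh-certificates.tar soclab.bb.local \
#       /etc/wazuh-indexer/certs wazuh-indexer:wazuh-indexer
#   audit_certs_dir /etc/wazuh-indexer/certs soclab.bb.local wazuh-indexer \
#       && echo "certs directory OK" || echo "certs directory needs attention" >&2
```

Run the audit after any package upgrade or manual edit in /etc/wazuh-indexer/certs; it is cheap enough to put in a cron job that raises a Wazuh alert on a non-zero exit.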
Now that the indexer is running, we move on to the dashboard installation, so it is easy to manage the config using the GUI.
My config looks as below :
This is a straightforward installation. If you changed the password as part of the dashboard installation steps (Securing your Wazuh installation), change the kibanaserver password in the config file as well:
echo <kibanaserver-password> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
Restart the dashboard service for the new password to take effect.
systemctl restart wazuh-dashboard (below you see the service is active).
Now it is time to access the GUI :
Now you have the indexer and dashboard running as expected.
My next step is to set up Graylog and configure logging to collect some logs and test them.