Wazuh / OSSEC Install and Configuration Howto Tutorial Guide for Monitoring Agents SIEM

How To Install Wazuh Server

Wazuh (forked from the well known OSSEC project) is a full SIEM (Security Information Event Management) that works extremely well with the platforms it natively supports as an "Agent", which allows you to do scans of everything such as all processes running, CVE vulnerability check, incident reporting etc...

This is the easiest way:

The unattended install makes things a breeze to configure all of the components automatically including Kibana, Elasticsearch, Filebeat and the Wazuh-Manager itself.

wget https://packages.wazuh.com/resources/4.2/open-distro/unattended-installation/unattended-installation.sh

bash unattended-installation.sh

If you get an error it may be due to a key issue where apt-key cannot add the key without gnupg installed.

"The following signatures couldn't be verified because the public key is not available".

The error is a red herring because the install script does attempt to add the key using apt-key, but it will fail if you don't have gnupg installed.


Install gnupg to solve the public key error in the install script and run it again



Error: Wazuh Kibana Plugin Could Not Be Installed

This is odd, but you need sudo installed, even if running as root or the install will fail.

Check the log:

 

 

https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/unattended-installation.html

How To Install Wazuh Agent To Debian/Mint/Ubuntu apt Linux Servers

Install the GPG Key and the repo

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt update

Install Wazuh with the Specified Manager IP

WAZUH_MANAGER="10.10.10.11" apt-get install wazuh-agent

Enable and Start the Wazuh Agent

systemctl enable wazuh-agent
systemctl start wazuh-agent

 #** Change the IP above 10.10.10.11 to the IP of your Wazuh Server IP

 

Need to change the IP of your Wazuh manager?

Edit /var/ossec/etc/ossec.conf

Can't see your Agent registered?

Check the log file:

cat /var/ossec/logs/ossec.log

Check the Wazuh troubleshooting document.

 

View the Agent On The Manager:

 

 

How To Add Agentless Monitoring via SSH for other devices like routers/firewalls/OS's

Agentless means that nothing is installed on the device/server that we monitor, it is all done using the agentless service from the Wazuh Manager which runs as the user "ossec"

  1. Note that agentless is mainly relegated to detecting config changes on specific directories etc.. and agentless devices DO NOT show up under the list of "Agents" inside Wazuh GUI.  Instead you have to check the log and can possibly create your own custom dashboard and visualization to track these types of devices.
  2. Note that this all occurs on the Wazuh Manager.
  3. Note that the user that does the monitoring is "ossec" so that user must be able to authenticate to the agentless side

 

Make sure you have the expect instead on the wazuh-manager or agentless monitoring will fail (especially if you are using password auth)

apt install expect

1.) Use /var/ossec/agentless/register_host.sh

The format of this script is that we can just use this format and do pub key auth:

/var/ossec/agentless/register_host.sh add user@host

You can also specify a password to login with

/var/ossec/agentless/register_host.sh add user@host thepassword

For devices like Cisco you can specify an additional password which is the enable password

/var/ossec/agentless/register_host.sh add user@host thepassword ciscoenablepassword


You can pass the parameter list to show the list of agentless devices:

./register_host.sh list
*Available hosts:
realtechtalkcom@10.10.10.11
realtechtalkcom@10.10.10.7

If you are using pub key authentication run this:

sudo -u ossec ssh-keygen

Then copy the ossec /var/ossec/.ssh/id_rsa.pub contents to .ssh/authorized_keys on the remote host

2.) Edit ossec.conf and add the agentless rule you want

vi /var/ossec/etc/ossec.conf

Modify this part to match what you need, for example I took the output above of "realtechtalkcom@10.10.10.7" and added it to the "host" section in the XML below.

Note that the agentless XML below will be inside of an ossec_config


3.) Restart wazuh-manager

systemctl restart wazuh-manager

4.) Observe it

It should be good, if you get an error like below it is because you need to install "expect" on the manager.

cat /var/ossec/logs/ossec.log

2022/02/11 17:55:06 wazuh-agentlessd: INFO: ssh_integrity_check_linux: realtechtalkcom@10.10.10.7: Started.
 

 

2022/02/11 17:49:17 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/02/11 17:49:17 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/02/11 17:49:18 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/02/11 17:49:20 wazuh-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_linux'.
2022/02/11 17:49:20 wazuh-agentlessd: ERROR: Test failed for 'ssh_integrity_check_linux' (127). Ignoring.

2022/02/11 17:49:23 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/02/11 17:49:23 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds.

Removing Agentless Hosts

This can only be done by removing all hosts from /var/ossec/agentless/.passlist

There is no way to remove an individual host.  For production use you should keep a separate CSV with al ist of IPs and passwords that runs the register_host.sh script for each one.

More documentation on Agentless Monitoring:

https://documentation.wazuh.com/current/user-manual/capabilities/agentless-monitoring/index.html

 

Troubleshooting

Can't See Agent After Adding It:

Check logs on the agent side, make sure neither side is being blocked by a firewall or other connectivity issue.

cat /var/ossec/logs/ossec.log

2022/02/11 13:35:38 wazuh-agentd: ERROR: (1216): Unable to connect to '10.10.10.11:1514/tcp': 'Connection refused'.
2022/02/11 13:35:44 wazuh-logcollector: WARNING: Target 'agent' message queue is full (1024). Log lines may be lost.
2022/02/11 13:35:50 wazuh-agentd: INFO: Trying to connect to server (10.10.10.11:1514/tcp).
2022/02/11 13:35:50 wazuh-agentd: INFO: (4102): Connected to the server (10.10.10.11:1514/tcp).
2022/02/11 13:35:54 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2022/02/11 13:35:54 sca: INFO: Security Configuration Assessment scan finished. Duration: 35 seconds.
2022/02/11 13:35:54 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...
2022/02/11 13:35:54 rootcheck: INFO: Starting rootcheck scan.
2022/02/11 13:36:01 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/02/11 13:37:32 rootcheck: INFO: Ending rootcheck scan.

 

Make sure wazuh-manager is started.

 

How To Add User To Wazuh

1. Click on the 3 bars on the top left and then click "Security"

 

 

2. Click "Internal users" on the left and then "Create internal user"

 

 

3. Enter Details of The Internal user

*Don't forget to add a backend role like "admin" or you will not be able to do anything in Wazuh.

Wazuh Add User Details

 

4. Scroll to the Bottom right and click "Create"

 

 

More on Wazuh User Creation and Roles

 

How to Enable Wazuh E-mail Notifications + Logging of ALL events + JSON

Edit /var/ossec/etc/ossec.conf
 

1. Edit the parameters logall to yes

2. Edit the e-mail_ parameters to what makes sense for you

3. Restart wazuh server with: systemctl restart wazuh-manager

How To Reset The Wazuh Admin Password

You can find the wazuh user password in /etc/filebeat/filebeat.yml and recover or reset it as shown in the password variable "password:" in the screenshot below.

sudo vi /etc/filebeat/filebeat.yml

https://documentation.wazuh.com/4.0/user-manual/elasticsearch/elastic_tuning.html

 

References:

https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/unattended-installation.html

https://documentation.wazuh.com/current/installation-guide/open-distro/index.html

https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/index.html

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html


Tags:

wazuh, install, configuration, howto, tutorial, monitoring, agentshow, server, easiest, unattended, breeze, configure, components, automatically, kibana, elasticsearch, filebeat, wget, https, packages, distro, installation, sh, bash, apt, gnupg, installed, quot, signatures, couldn, verified, herring, plugin, sudo, documentation, deployment, html, debian, mint, ubuntu, linux, servers, gpg, repo, curl, echo, deb, tee, etc, sources, update, specified, ip, wazuh_manager, enable, systemctl, user, users, backend, admin, scroll, creation, roles, notifications, logging, json, edit, var, ossec, conf, parameters, logall, mail_, restart, references, index,

Latest Articles

  • vi cannot copy and paste automatic visual mode solution
  • python3 error Ubuntu Linux error solution SyntaxError: invalid syntax line 12 pip{sys.version_info.major}
  • Could not read response to hello message from hook [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true: Connection reset by peer
  • -bash: expr: command not found Linux Debian Mint Ubuntu
  • How to remove metadata from pdf on Linux Ubuntu
  • How to install and configure haproxy on Linux Ubuntu Debian
  • Linux Ubuntu Mint Gnome keyboard Typing not working in certain application or window solution
  • talib/_ta_lib.c:747:10: fatal error: ta-lib/ta_defs.h: No such file or directory
  • How to install Windows or other OS and then bring to another computer by using a physical drive and Virtual Machine with QEMU
  • PXE-E23 Error BOOTx64.EFI GRUB booting is 0 bytes tftp pxe dhcp solution NBP filesize is 0 Bytes
  • vagrant install on Debian Mint Ubuntu Linux RHEL Quick Setup Guide Tutorial
  • RHEL 8 CentOS 8, Alma Linux 8, Rocky Linux 8 System Not Booting with RAID or on other servers/computers Solution for dracut and initramfs missing kernel modules
  • How to Upgrade to Debian 11 from Version 8,9,10
  • Ubuntu Linux Mint Debian Redhat Cannot View Files on Android iPhone USB File Transfer Not Working Solution
  • Virtualbox Best Networking Mode In Lab/Work Environment without using NAT Network or Bridged
  • debootstrap how to install Ubuntu, Mint, Debian install
  • Linux grub not using UUID for the root device instead it uses /dev/sda1 or other device name solution
  • How To Restore Partition Table on Running Linux Mint Ubuntu Debian Machine
  • Debian Ubuntu apt install stop daemon questions/accept the default action without prompting
  • iptables NAT how to enable PPTP in newer Debian/Ubuntu/Mint Kernels Linux