Wazuh (forked from the well-known OSSEC project) is a full SIEM (Security Information and Event Management) that works extremely well with the platforms it natively supports through its "Agent", which lets you scan everything: all running processes, CVE vulnerability checks, incident reporting, etc.
This is the easiest way:
The unattended install makes it a breeze to configure all of the components automatically, including Kibana, Elasticsearch, Filebeat and the Wazuh-Manager itself.
bash unattended-installation.sh
If you get an error, it may be due to a key issue: apt-key cannot add the key without gnupg installed.
"The following signatures couldn't be verified because the public key is not available".
The error is a red herring because the install script does attempt to add the key using apt-key, but it will fail if you don't have gnupg installed.
Oddly, you need sudo installed even if you are running as root, or the install will fail.
Check the log:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
WAZUH_MANAGER="10.10.10.11" apt-get install wazuh-agent
systemctl enable wazuh-agent
systemctl start wazuh-agent
# Change 10.10.10.11 above to the IP of your Wazuh server
Check the Wazuh troubleshooting document.
Agentless means that nothing is installed on the device or server being monitored; everything is done by the agentless service of the Wazuh Manager, which runs as the user "ossec".
Make sure you have expect installed on the wazuh-manager, or agentless monitoring will fail (especially if you are using password auth):
apt install expect
The script takes the following form; with just user@host it uses public key auth:
/var/ossec/agentless/register_host.sh add user@host
You can also specify a password to log in with:
/var/ossec/agentless/register_host.sh add user@host thepassword
For devices like Cisco you can specify an additional password, the enable password:
/var/ossec/agentless/register_host.sh add user@host thepassword ciscoenablepassword
You can pass the parameter "list" to show the list of agentless devices.
For public key auth, first generate a key pair as the ossec user on the manager:
sudo -u ossec ssh-keygen
Then copy the contents of /var/ossec/.ssh/id_rsa.pub (the ossec user's public key) to .ssh/authorized_keys on the remote host.
Modify this part to match what you need. For example, I took "firstname.lastname@example.org" from the output above and added it to the "host" section in the XML below.
systemctl restart wazuh-manager
It should now be working and you will see a "Started" line like the first one below. If instead you get errors like the ones that follow it, you need to install "expect" on the manager.
2022/02/11 17:55:06 wazuh-agentlessd: INFO: ssh_integrity_check_linux: email@example.com: Started.
2022/02/11 17:49:17 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/02/11 17:49:17 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/02/11 17:49:18 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/02/11 17:49:20 wazuh-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_linux'.
2022/02/11 17:49:20 wazuh-agentlessd: ERROR: Test failed for 'ssh_integrity_check_linux' (127). Ignoring.
2022/02/11 17:49:23 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/02/11 17:49:23 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds.
Removing an agentless host can only be done by removing all hosts from /var/ossec/agentless/.passlist.
There is no way to remove an individual host. For production use you should keep a separate CSV with a list of IPs and passwords and run the register_host.sh script for each one.
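The CSV-driven registration suggested above and the ossec.conf XML referenced earlier, as an added example that is not from the original post or the Wazuh project: it feeds each CSV row to register_host.sh with the same argument shapes shown above and emits the matching <agentless> stanzas to append to /var/ossec/etc/ossec.conf. The CSV layout, the REGISTER_CMD override and the function names are assumptions of this example; the type is the check named in the log lines above, and frequency, state and arguments are documented Wazuh agentless options.

```shell
#!/bin/sh
# Added example, not from the original post or the Wazuh project.
# CSV format (constructed for this example), one host per line:
#   user@host[,password[,enable_password]]
# A row with only user@host registers the host for public key auth.
# REGISTER_CMD is an assumed override so the functions can be exercised
# without a Wazuh manager present (e.g. REGISTER_CMD=echo).
REGISTER_CMD=${REGISTER_CMD:-/var/ossec/agentless/register_host.sh}
# Run CALLBACK host password enable for every data row of CSVFILE.
# The "|| [ -n ... ]" keeps a final row that lacks a trailing newline;
# </dev/null stops the callback from consuming CSV rows as its stdin.
for_each_host() {   # for_each_host CSVFILE CALLBACK
    _csv=$1; _cb=$2
    while IFS=, read -r host pass enable || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac   # skip blank/comment rows
        "$_cb" "$host" "$pass" "$enable" </dev/null
    done < "$_csv"
}
# Pass register_host.sh exactly the argument shapes the post shows:
# "add user@host", "add user@host pass", "add user@host pass enablepass".
register_one() {
    if [ -n "$3" ]; then "$REGISTER_CMD" add "$1" "$2" "$3"
    elif [ -n "$2" ]; then "$REGISTER_CMD" add "$1" "$2"
    else "$REGISTER_CMD" add "$1"
    fi
}
register_from_csv() { for_each_host "$1" register_one; }
# One <agentless> block per host. The type is the check named in the post's
# log lines; frequency is in seconds and arguments lists the directories
# whose integrity is checked (documented Wazuh agentless options).
agentless_stanza() {   # agentless_stanza USER@HOST [FREQUENCY] [DIRECTORIES]
    cat <<EOF
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>${2:-3600}</frequency>
    <host>$1</host>
    <state>periodic</state>
    <arguments>${3:-/bin /etc /sbin}</arguments>
  </agentless>
EOF
}
stanza_one() { agentless_stanza "$1"; }
# Wrap all stanzas in <ossec_config> so the output can be appended to
# /var/ossec/etc/ossec.conf, followed by: systemctl restart wazuh-manager
agentless_config_from_csv() {
    printf '<ossec_config>\n'
    for_each_host "$1" stanza_one
    printf '</ossec_config>\n'
}
```

Run it as the ossec user (or root) on the manager: register_from_csv hosts.csv, then agentless_config_from_csv hosts.csv >> /var/ossec/etc/ossec.conf. Passwords containing commas are not supported by this simple CSV split.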
Check the logs on the agent side and make sure that neither side is being blocked by a firewall or another connectivity issue.
2022/02/11 13:35:38 wazuh-agentd: ERROR: (1216): Unable to connect to '10.10.10.11:1514/tcp': 'Connection refused'.
2022/02/11 13:35:44 wazuh-logcollector: WARNING: Target 'agent' message queue is full (1024). Log lines may be lost.
2022/02/11 13:35:50 wazuh-agentd: INFO: Trying to connect to server (10.10.10.11:1514/tcp).
2022/02/11 13:35:50 wazuh-agentd: INFO: (4102): Connected to the server (10.10.10.11:1514/tcp).
2022/02/11 13:35:54 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2022/02/11 13:35:54 sca: INFO: Security Configuration Assessment scan finished. Duration: 35 seconds.
2022/02/11 13:35:54 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...
2022/02/11 13:35:54 rootcheck: INFO: Starting rootcheck scan.
2022/02/11 13:36:01 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/02/11 13:37:32 rootcheck: INFO: Ending rootcheck scan.
Make sure wazuh-manager is started.
*Don't forget to add a backend role like "admin" or you will not be able to do anything in Wazuh.
More on Wazuh User Creation and Roles
1. Set the logall parameter to yes
2. Edit the email_ parameters to what makes sense for you
3. Restart wazuh server with:
systemctl restart wazuh-manager
You can find the wazuh user password in /etc/filebeat/filebeat.yml and recover or reset it there, at the "password:" key shown in the screenshot below.
sudo vi /etc/filebeat/filebeat.yml