Wazuh / OSSEC Install and Configuration Howto Tutorial Guide for Monitoring Agents SIEM

How To Install Wazuh Server

Wazuh (forked from the well known OSSEC project) is a full SIEM (Security Information Event Management) that works extremely well with the platforms it natively supports as an "Agent", which allows you to do scans of everything such as all processes running, CVE vulnerability check, incident reporting etc...

This is the easiest way:

The unattended install makes things a breeze to configure all of the components automatically including Kibana, Elasticsearch, Filebeat and the Wazuh-Manager itself.

wget https://packages.wazuh.com/resources/4.2/open-distro/unattended-installation/unattended-installation.sh

bash unattended-installation.shIf you get an error it may be due to a key issue where apt-key cannot add the key without gnupg installed.

"The following signatures couldn't be verified because the public key is not available".

The error is a red herring because the install script does attempt to add the key using apt-key, but it will fail if you don't have gnupg installed.

Install gnupg to solve the public key error in the install script and run it again

Error: Wazuh Kibana Plugin Could Not Be Installed

This is odd, but you need sudo installed, even if running as root or the install will fail.

Check the log:

https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/unattended-installation.html

How To Install Wazuh Agent To Debian/Mint/Ubuntu apt Linux Servers

Install the GPG Key and the repo

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list apt update

Install Wazuh with the Specified Manager IP

WAZUH_MANAGER="10.10.10.11" apt-get install wazuh-agent

Enable and Start the Wazuh Agent

systemctl enable wazuh-agent systemctl start wazuh-agent

#** Change the IP above 10.10.10.11 to the IP of your Wazuh Server IP

Need to change the IP of your Wazuh manager?

Edit /var/ossec/etc/ossec.conf

Can't see your Agent registered?

Check the log file:

cat /var/ossec/logs/ossec.log

Check the Wazuh troubleshooting document.

View the Agent On The Manager:

How To Add Agentless Monitoring via SSH for other devices like routers/firewalls/OS's

Agentless means that nothing is installed on the device/server that we monitor, it is all done using the agentless service from the Wazuh Manager which runs as the user "ossec"

Note that agentless is mainly relegated to detecting config changes on specific directories etc.. and agentless devices DO NOT show up under the list of "Agents" inside Wazuh GUI. Instead you have to check the log and can possibly create your own custom dashboard and visualization to track these types of devices.
Note that this all occurs on the Wazuh Manager.
Note that the user that does the monitoring is "ossec" so that user must be able to authenticate to the agentless side

Make sure you have the expect instead on the wazuh-manager or agentless monitoring will fail (especially if you are using password auth)

apt install expect

1.) Use /var/ossec/agentless/register_host.sh

The format of this script is that we can just use this format and do pub key auth:

/var/ossec/agentless/register_host.sh add user@host

You can also specify a password to login with

/var/ossec/agentless/register_host.sh add user@host thepassword

For devices like Cisco you can specify an additional password which is the enable password

/var/ossec/agentless/register_host.sh add user@host thepassword ciscoenablepassword

You can pass the parameter list to show the list of agentless devices:

./register_host.sh list *Available hosts: realtechtalkcom@10.10.10.11 realtechtalkcom@10.10.10.7

If you are using pub key authentication run this:

sudo -u ossec ssh-keygen

Then copy the ossec /var/ossec/.ssh/id_rsa.pub contents to .ssh/authorized_keys on the remote host

2.) Edit ossec.conf and add the agentless rule you want

vi /var/ossec/etc/ossec.conf

Modify this part to match what you need, for example I took the output above of "realtechtalkcom@10.10.10.7" and added it to the "host" section in the XML below.

Note that the agentless XML below will be inside of an ossec_config

3.) Restart wazuh-manager

systemctl restart wazuh-manager

4.) Observe it

It should be good, if you get an error like below it is because you need to install "expect" on the manager.

cat /var/ossec/logs/ossec.log

2022/02/11 17:55:06 wazuh-agentlessd: INFO: ssh_integrity_check_linux: realtechtalkcom@10.10.10.7: Started.

2022/02/11 17:49:17 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml' 2022/02/11 17:49:17 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/02/11 17:49:18 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2022/02/11 17:49:20 wazuh-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_linux'. 2022/02/11 17:49:20 wazuh-agentlessd: ERROR: Test failed for 'ssh_integrity_check_linux' (127). Ignoring. 2022/02/11 17:49:23 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml' 2022/02/11 17:49:23 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds.

Removing Agentless Hosts

This can only be done by removing all hosts from /var/ossec/agentless/.passlist

There is no way to remove an individual host. For production use you should keep a separate CSV with al ist of IPs and passwords that runs the register_host.sh script for each one.

Troubleshooting

Can't See Agent After Adding It:

Check logs on the agent side, make sure neither side is being blocked by a firewall or other connectivity issue.

cat /var/ossec/logs/ossec.log

2022/02/11 13:35:38 wazuh-agentd: ERROR: (1216): Unable to connect to '10.10.10.11:1514/tcp': 'Connection refused'. 2022/02/11 13:35:44 wazuh-logcollector: WARNING: Target 'agent' message queue is full (1024). Log lines may be lost. 2022/02/11 13:35:50 wazuh-agentd: INFO: Trying to connect to server (10.10.10.11:1514/tcp). 2022/02/11 13:35:50 wazuh-agentd: INFO: (4102): Connected to the server (10.10.10.11:1514/tcp). 2022/02/11 13:35:54 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/sca_unix_audit.yml' 2022/02/11 13:35:54 sca: INFO: Security Configuration Assessment scan finished. Duration: 35 seconds. 2022/02/11 13:35:54 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing... 2022/02/11 13:35:54 rootcheck: INFO: Starting rootcheck scan. 2022/02/11 13:36:01 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2022/02/11 13:37:32 rootcheck: INFO: Ending rootcheck scan.

Make sure wazuh-manager is started.

How To Add User To Wazuh

1. Click on the 3 bars on the top left and then click "Security"

2. Click "Internal users" on the left and then "Create internal user"

3. Enter Details of The Internal user

*Don't forget to add a backend role like "admin" or you will not be able to do anything in Wazuh.

Wazuh Add User Details

4. Scroll to the Bottom right and click "Create"

How to Enable Wazuh E-mail Notifications + Logging of ALL events + JSON

Edit /var/ossec/etc/ossec.conf

1. Edit the parameters logall to yes

2. Edit the e-mail_ parameters to what makes sense for you

3. Restart wazuh server with: systemctl restart wazuh-manager

How To Reset The Wazuh Admin Password

You can find the wazuh user password in /etc/filebeat/filebeat.yml and recover or reset it as shown in the password variable "password:" in the screenshot below.

sudo vi /etc/filebeat/filebeat.yml