What Is Wazuh

Wazuh is a free and open-source security platform that provides XDR (extended detection and response) and SIEM (security information and event management) protection for endpoints. Wazuh is a powerful tool for security operations and can be set up quickly for basic use. This is how to get the server set up and have client machines send their events to it.

Requirements

The recommended hardware requirements are based on the estimated workload. The OS for the Wazuh server is 64-bit Linux. The Wazuh team recommends Amazon Linux 2, CentOS 7 and 8, Red Hat Enterprise Linux 7, 8 and 9, and Ubuntu 16.04, 18.04, 20.04 and 22.04. For this installation I will be using Ubuntu.

Below is the chart that Wazuh recommends:

[Wazuh hardware requirements chart]

Installing Wazuh

The simplest way to install Wazuh's core components on the same machine is to use Wazuh's Quickstart instructions. However, for more details and other installation options for specific environments, you can use Wazuh's installation guide here: https://documentation.wazuh.com/current/installation-guide/index.html

For the simple and basic installation see below:

  1. Download and run the installation assistant:

curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

  2. Take note of the output. It will show you the link to the web interface as well as the username and password to log in. Log in to the web interface now.
  3. You can find the passwords for all the Wazuh indexer and Wazuh API users in the wazuh-passwords.txt file inside wazuh-install-files.tar. To print them, run the following command:

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Installing Wazuh Agent

Once Wazuh is installed, the next step is to deploy Wazuh agents that send their events to it. The common agent platforms are Linux, Windows, and macOS.

Windows

Using the GUI, download the Windows installer at https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi and run the MSI file. Once installed, open the agent and enter the IP address of the Wazuh server to send to. Next, select Manage and start the service. The agent should now be communicating with the server.

Linux

Depending on your flavor of Linux the commands will vary. Again, for this tutorial I am using Ubuntu, so first you will need to add the Wazuh repository:

  1. Install the GPG key (run these commands as root, or prefix each with sudo):

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

  2. Add the repository:

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

  3. Update the package information:

apt-get update

  4. Deploy a Wazuh agent, setting WAZUH_MANAGER to the address of your Wazuh server:

WAZUH_MANAGER="<ip of Wazuh server>" apt-get install wazuh-agent

  5. Enable and start the agent service:

systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

You should now see the machines reporting to Wazuh and providing some useful information.
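The Ubuntu agent steps above, collected into one unattended script so they can be repeated across many hosts. This is an added example, not code from the Wazuh project; it assumes the default agent config path /var/ossec/etc/ossec.conf, and it adds two checks the manual steps lack: the manager address is validated before apt runs, and after install it verifies that ossec.conf actually points at that manager (the package default is the placeholder MANAGER_IP) and that the service is active.

```shell
#!/bin/sh
# Added example, not code from the Wazuh project: unattended Ubuntu agent
# deployment following the steps above, with a check on the manager address
# before installing and a post-install check that the agent picked it up.
set -eu

KEYRING=/usr/share/keyrings/wazuh.gpg
LIST=/etc/apt/sources.list.d/wazuh.list
OSSEC_CONF=/var/ossec/etc/ossec.conf   # assumed default agent config path

# Accept an IPv4 address or a DNS hostname so the package is never installed
# with an empty or malformed WAZUH_MANAGER (which leaves the agent unconnected).
valid_manager() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' && return 0
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# The apt source line, generated once so every host gets an identical entry.
sources_line() {
  printf 'deb [signed-by=%s] https://packages.wazuh.com/4.x/apt/ stable main\n' "$KEYRING"
}

# True when the config names the manager; the packaged default is the
# placeholder MANAGER_IP, which means WAZUH_MANAGER was not picked up.
config_has_manager() {   # $1 = config file, $2 = manager address
  grep -Fq "<address>$2</address>" "$1"
}

install_agent() {
  manager="$1"
  valid_manager "$manager" || { echo "bad manager address: '$manager'" >&2; return 1; }
  if [ ! -f "$KEYRING" ]; then
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
      | gpg --no-default-keyring --keyring "gnupg-ring:$KEYRING" --import
    chmod 644 "$KEYRING"
  fi
  sources_line > "$LIST"        # overwrite, so re-runs do not duplicate the entry
  apt-get update
  WAZUH_MANAGER="$manager" apt-get install -y wazuh-agent   # -y for unattended runs
  systemctl daemon-reload
  systemctl enable wazuh-agent
  systemctl start wazuh-agent
  config_has_manager "$OSSEC_CONF" "$manager" \
    || { echo "$OSSEC_CONF does not point at $manager" >&2; return 1; }
  systemctl is-active --quiet wazuh-agent
}

# Usage: sudo sh ./install-wazuh-agent.sh <ip or hostname of Wazuh server>
if [ -n "${1:-}" ]; then
  install_agent "$1"
fi
```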
