Wazuh installation in Linux CentOS 7

Wazuh is a free host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerts and active responses. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. Wazuh has a centralized and multiplatform architecture that allows monitoring and managing multiple systems.

We start from a clean CentOS machine and explain step by step how to install:

1 – Install Wazuh-manager
2 – Install Wazuh-api
3 – Connect the Wazuh app with the Wazuh-api
4 – As a second part, integrate the data collected by OSSEC into Kibana (integrate with ELK to display the logs)

And finally, the configuration of the HIDS agents:

5 – Install Wazuh-agent
6 – Connect the Wazuh-agent to the Wazuh-manager

We begin the installation. The first thing to do is add the Wazuh repository on the CentOS machine:

cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

Wazuh-manager installation:

yum update
yum install wazuh-manager

Check that the installation was successful and the service is running:

Wazuh API Installation:

curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -

yum install nodejs

yum install wazuh-api

Connect Wazuh app with Wazuh-api:

cd /var/ossec/api/configuration/auth/

node htpasswd -c user soporte

systemctl restart wazuh-api

You will be prompted for that user's password:

We now have the API protected with a username and password, ready to receive requests on port 55000 (the default).
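The server-side steps above (repository, manager, API, API user) as one script with a check after each step, so a failed step stops the run instead of leaving a half-installed manager. This is an added example, not code from the original post or from the Wazuh project. It assumes a root shell on CentOS 7 with systemd and the Wazuh 3.x layout the post uses (/var/ossec, API on port 55000 over plain HTTP on localhost); the function names (render_wazuh_repo, repo_file_is_complete, api_password_ok, api_responds, install_server) are this example's own, and the -b batch flag passed to the bundled htpasswd is assumed to behave like Apache's htpasswd -b (drop it to be prompted interactively, as in the post). Downloading the nodesource script to a file before running it, instead of piping it straight into bash, is a deliberate change so the script can be read or checksummed first.

```shell
#!/bin/sh
# Added example: Wazuh 3.x manager + API install on CentOS 7 with a check per step.
# Usage (as root):  sh wazuh-server-setup.sh install <api-user> <api-password>
set -eu

WAZUH_REPO_FILE="/etc/yum.repos.d/wazuh.repo"
WAZUH_API_AUTH_DIR="/var/ossec/api/configuration/auth"   # path from the post
WAZUH_API_PORT=55000                                      # API default from the post
WAZUH_API_SCHEME="http"   # assumption: API not yet switched to HTTPS; change if it is

# Print the repository definition used in the post. gpgcheck=1 together with the
# published key means yum refuses unsigned or tampered packages instead of
# installing them silently.
render_wazuh_repo() {
cat <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
}

# Return 0 only when every line the repo file must contain is present, verbatim.
repo_file_is_complete() {
    f="$1"
    for line in 'gpgcheck=1' \
                'gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH' \
                'baseurl=https://packages.wazuh.com/3.x/yum/' \
                'enabled=1'; do
        grep -qxF "$line" "$f" || return 1
    done
    return 0
}

# The API is reachable on 55000 with HTTP basic auth, so the password is the
# whole gate: refuse anything shorter than 12 characters (local policy choice).
api_password_ok() {
    [ "${#1}" -ge 12 ]
}

# Exit 0 when the API accepts the credentials. In Wazuh 3.x a successful GET /
# returns a JSON body whose "error" field is 0; curl --fail turns a 401 into a
# non-zero exit so a wrong password fails this check too.
api_responds() {
    user="$1"; pass="$2"; port="${3:-$WAZUH_API_PORT}"
    curl --silent --fail --user "$user:$pass" \
        "$WAZUH_API_SCHEME://localhost:$port/" | grep -q '"error": *0'
}

install_server() {
    user="$1"; pass="$2"
    api_password_ok "$pass" || { echo "API password too short (min 12)" >&2; exit 1; }

    render_wazuh_repo > "$WAZUH_REPO_FILE"
    repo_file_is_complete "$WAZUH_REPO_FILE"

    yum -y install wazuh-manager
    systemctl enable --now wazuh-manager
    systemctl is-active --quiet wazuh-manager   # the "is the service running" check

    # Save the nodesource setup script first so it can be inspected before it runs.
    curl --silent --location https://rpm.nodesource.com/setup_6.x -o /tmp/nodesource_setup.sh
    bash /tmp/nodesource_setup.sh
    yum -y install nodejs wazuh-api

    # Create the API user; -b (batch password) is an assumption, see lead-in.
    (cd "$WAZUH_API_AUTH_DIR" && node htpasswd -cb user "$user" "$pass")
    systemctl restart wazuh-api

    api_responds "$user" "$pass"
    echo "wazuh-manager and wazuh-api are up; API answering on port $WAZUH_API_PORT"
}

# Only run the installation when explicitly asked, so the helper functions can be
# sourced and checked on their own.
if [ "${1:-}" = "install" ]; then
    install_server "$2" "$3"
fi
```

The script stops at the first failing check because of set -e: a repo file that lost its gpgcheck line, a manager service that did not come up, or an API that rejects the new credentials all end the run with a non-zero exit rather than continuing to the Kibana step with a broken backend.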

You can see more information on how to build your own Elastic ELK stack here.

Now, in our ELK, we have to configure the plugin and register the URL of the Wazuh server together with the API username and password we just created in the previous step:

We go to the ELK server and install the plugin (the package depends on the Kibana version, so use one or the other):

As a last step, go to Kibana, where the new Wazuh menu will appear, and configure the API URL together with the username and password:

See you in the next post.

Thanks for reading.

gpinero
