Wazuh is a free host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerts and active responses. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. Wazuh has a centralized and multiplatform architecture that allows monitoring and managing multiple systems.
Starting from a clean CentOS machine, we will explain step by step how to install:
1 – Install Wazuh-manager
2 – Install Wazuh-api
3 – Connect Wazuh app with the Wazuh-api
4 – As a second part, integrate the data collected by OSSEC/Wazuh into Kibana (ELK) for log display
And finally, the configuration of the HIDS agents:
5 – Install Wazuh-agent
6 – Connect Wazuh-agent with Wazuh-manager
Starting the installation: the first thing to do is add the Wazuh repository on the CentOS machine:
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
Wazuh-manager installation:
yum update
yum install wazuh-manager
Check that the installation was successful and the service is running:
Wazuh API Installation:
curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -
yum install nodejs
yum install wazuh-api
Connect Wazuh app with Wazuh-api:
cd /var/ossec/api/configuration/auth/
node htpasswd -c user soporte
systemctl restart wazuh-api
You will be prompted for that user's password:
The API is now protected with a username and password and ready to receive requests on port 55000 (the default).
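Before moving on to Kibana it is worth verifying what has been set up so far. The script below is an added example, not code from the original post or from the Wazuh project: it checks that the wazuh-manager and wazuh-api services are active, that an anonymous request to the API is refused, and that a request with the htpasswd user succeeds. It assumes the defaults used above (API at http://localhost:55000, user soporte, both overridable through environment variables), that the password is supplied in the WAZUH_API_PASS environment variable rather than typed into the script, and that the 3.x API answers a successful request with a JSON body whose "error" field is 0; the response format and the 401 on anonymous requests are assumptions, not taken from the post.

```shell
#!/bin/sh
# verify-wazuh.sh: added post-install check for the manager and API set up above.
# Not part of the original post. Assumptions: API at http://localhost:55000 with
# the htpasswd user "soporte" (both overridable via environment), password passed
# in WAZUH_API_PASS, and the 3.x API's JSON success marker being "error": 0.

WAZUH_API_URL="${WAZUH_API_URL:-http://localhost:55000}"
WAZUH_API_USER="${WAZUH_API_USER:-soporte}"

# Build a full request URL for an API path without producing a doubled slash.
api_endpoint() {
  printf '%s/%s\n' "${WAZUH_API_URL%/}" "${1#/}"
}

# Succeed (exit 0) only when a JSON body carries "error": 0, the success marker
# assumed for the Wazuh 3.x API. Plain string check, so it works without a server.
api_body_ok() {
  printf '%s' "$1" | grep -Eq '"error"[[:space:]]*:[[:space:]]*0([^0-9]|$)'
}

# Last line of a response captured with curl -w '\n%{http_code}'.
http_status_of() {
  printf '%s\n' "$1" | tail -n 1
}

# --- live checks: need systemctl and curl on the manager host ---------------

check_service() {
  if systemctl is-active --quiet "$1"; then
    echo "ok: $1 is active"
  else
    echo "FAIL: $1 is not active (see: journalctl -u $1)"
    return 1
  fi
}

check_api_auth() {
  [ -n "$WAZUH_API_PASS" ] || { echo "FAIL: set WAZUH_API_PASS to the API user's password"; return 1; }

  # An anonymous request must be refused: basic auth is expected to answer HTTP 401.
  anon=$(curl -s -w '\n%{http_code}' "$(api_endpoint /)")
  [ "$(http_status_of "$anon")" = "401" ] || {
    echo "FAIL: anonymous request returned HTTP $(http_status_of "$anon"), expected 401"
    return 1
  }

  # The htpasswd user must get a successful JSON answer.
  auth=$(curl -s -u "$WAZUH_API_USER:$WAZUH_API_PASS" "$(api_endpoint /)")
  api_body_ok "$auth" || { echo "FAIL: authenticated request failed: $auth"; return 1; }
  echo "ok: API at $WAZUH_API_URL rejects anonymous requests and accepts $WAZUH_API_USER"
}

main() {
  rc=0
  check_service wazuh-manager || rc=1
  check_service wazuh-api || rc=1
  check_api_auth || rc=1
  return $rc
}

# Only run the live checks when invoked as a script under this name, so the
# helper functions can be sourced or tested on their own.
case "${0##*/}" in verify-wazuh.sh) main "$@"; exit $? ;; esac
```

Run it on the manager as `WAZUH_API_PASS='...' sh verify-wazuh.sh`; a non-zero exit means one of the three checks failed and the reason is printed. Keeping the password in an environment variable rather than on the command line or in the file avoids leaving it in shell history and in the script itself.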
You can see more information on how to build your own Elastic ELK stack here.
Now, in our ELK stack, we have to configure the plugin and register the URL of the Wazuh server together with the API user and password we just created in the previous step:
On the ELK server, install the Wazuh app plugin for Kibana (the plugin package depends on the Kibana version, so use the one that matches yours):
As a last step, open Kibana; the new Wazuh menu appears, where we configure the API URL together with the username and password:
See you in the next post.
Thanks for reading.