In my preceding blog entry, available at this link, I provided a tutorial on the installation of WAZUH SIEM within a Dockerized environment. In this subsequent post, I will elucidate the procedure for deploying and configuring a WAZUH agent on an endpoint system to facilitate log forwarding.
Prerequisites
Before you begin the installation, make sure you have the following prerequisites in place:
- A Wazuh manager or server has been previously configured and is currently operational. (For detailed instructions, kindly refer to Part 1 of this blog series.)
- Network connectivity between the client systems and the Wazuh manager.
- Administrative access to the client systems.
- Time synchronization between the client and the Wazuh server.
Lab Diagram
The lab setup for Wazuh. All servers are in the same logical network.
Installing the Wazuh Agent on Windows Server 2019
Proceed with the following steps to install the Wazuh agent on a Windows server. Please note that an active internet connection is necessary for this procedure. Access your Wazuh server from the browser, and you will be greeted with a screen similar to the one depicted below:
Select the “Add Agent” option, and then execute the subsequent steps detailed within the “Deploy a New Agent” page.
- Select the operating system of your server, which, in our scenario, is Windows, for the deployment of the agent.
- Enter the Wazuh server address.
- Select the group as default.
After this, Wazuh will generate a script that can be run on the agent.
4. Install and enroll agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10.msi /q WAZUH_MANAGER='192.168.1.1' WAZUH_REGISTRATION_SERVER='192.168.1.1' WAZUH_AGENT_GROUP='default'
Your WAZUH_MANAGER and WAZUH_AGENT_GROUP name may differ from the example above.
Copy the script provided above and execute it on the agent. To do this, access your Windows 2019 server, open PowerShell, paste the script into the terminal, and press the Enter key.
The command should execute without any complications. The agent is now installed on the server, and it is time to start it. To do so, copy the command below and execute it in PowerShell:
NET START WazuhSvc
Once the agent is started, you will observe the following message:
You can also monitor the activity from the Wazuh manager Docker node. SSH to your wazuh-manager Docker node and execute the following command to view the logs:
docker logs --follow single-node_wazuh.manager_1
2023/10/19 09:14:42 wazuh-authd: INFO: New connection from <WAZUH_AGENT_IP>
2023/10/19 09:14:42 wazuh-authd: INFO: Received request for a new agent (WIN-HOST) from: <WAZUH_AGENT_IP>
2023/10/19 09:14:42 wazuh-authd: INFO: Agent key generated for 'WIN-HOST' (requested by any)
2023/10/19 09:14:45 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2023/10/19 09:14:45 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2023-10-19T09:15:12.801Z INFO log/harvester.go:302 Harvester started for file: /var/ossec/logs/alerts/alerts.json
Return to your Wazuh server and navigate to the “Wazuh” tab, then select “Agent.” Here, you will observe that one agent has been successfully enrolled, which is visible on the dashboard.
Installing the Wazuh Agent on Ubuntu 20.04 server
Follow the steps below to install the Wazuh agent on an Ubuntu 20.04 server. First, the installation script has to be generated; for this, log in to the Wazuh server. After login, click on “Wazuh”, then “Agent”. Click on “Deploy new agent” and perform the following steps on the “Deploy a new agent” page:
- Select the operating system of your server, which, in our scenario, is Debian/Ubuntu, for the deployment of the agent.
- Choose the architecture.
- Enter the Wazuh server address.
- Select the group as default.
After this, Wazuh will generate a script that can be run on the agent.
5. Install and enroll agent:
curl -so wazuh-agent-4.3.10.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.10-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.1' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.10.deb
Your WAZUH_MANAGER and WAZUH_AGENT_GROUP name may differ from the example above.
Copy the command provided above, then log in to your Linux agent and paste the command into your shell. It should execute without any problems. The agent is now installed, and it is time to start it. Enter the following commands to enable and start the Wazuh agent service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
You can also monitor the activity from the Wazuh manager Docker node. SSH to your wazuh-manager Docker node and execute the following command to view the logs:
docker logs --follow single-node_wazuh.manager_1
2023/10/19 09:40:37 wazuh-authd: INFO: New connection from <WAZUH_AGENT_IP>
2023/10/19 09:40:37 wazuh-authd: INFO: Received request for a new agent (linux-host) from: <WAZUH_AGENT_IP>
2023/10/19 09:40:37 wazuh-authd: INFO: Agent key generated for 'linux-host' (requested by any)
2023-10-19T09:40:42.869Z INFO log/harvester.go:302 Harvester started for file: /var/ossec/logs/alerts/alerts.json
2023/10/19 09:40:45 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2023/10/19 09:40:45 wazuh-remoted: INFO: (1410): Reading authentication keys file.
Return to your Wazuh server, and navigate to the “Wazuh” section. Then, select “Agent.” At this point, you will notice that an additional agent has been successfully enrolled, and this status is visible on the dashboard.
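The manager log excerpts shown for the Windows and the Linux enrollment above follow the same pattern: a new connection, a request for a new agent, a generated key, and wazuh-remoted reloading the keys file. As an added example (not part of the original post or of Wazuh itself), the POSIX shell script below parses that output to list which agents actually received a key and which requested enrollment but never got one; the log lines, host names and IP addresses in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: summarise agent enrollments from the
# wazuh-authd / wazuh-remoted lines that `docker logs` prints on the manager.
# On a real manager: docker logs single-node_wazuh.manager_1 2>&1 | enrolled_agents

# Constructed log excerpt in the same format as the post's output; IPs are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
2023/10/19 09:14:42 wazuh-authd: INFO: New connection from 192.0.2.10
2023/10/19 09:14:42 wazuh-authd: INFO: Received request for a new agent (WIN-HOST) from: 192.0.2.10
2023/10/19 09:14:42 wazuh-authd: INFO: Agent key generated for 'WIN-HOST' (requested by any)
2023/10/19 09:14:45 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2023/10/19 09:14:45 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2023/10/19 09:40:37 wazuh-authd: INFO: New connection from 192.0.2.20
2023/10/19 09:40:37 wazuh-authd: INFO: Received request for a new agent (linux-host) from: 192.0.2.20
2023/10/19 09:40:37 wazuh-authd: INFO: Agent key generated for 'linux-host' (requested by any)
2023/10/19 09:40:45 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2023/10/19 09:40:45 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2023/10/19 09:52:03 wazuh-authd: INFO: New connection from 192.0.2.30
2023/10/19 09:52:03 wazuh-authd: INFO: Received request for a new agent (orphan-host) from: 192.0.2.30
EOF
)

# Read manager log text on stdin; print "name ip" for every agent that requested
# enrollment AND had a key generated (the line that confirms a successful enrollment).
enrolled_agents() {
    awk -v q="'" '
        /wazuh-authd: INFO: Received request for a new agent/ {
            split($0, a, "("); split(a[2], b, ")"); requested[b[1]] = $NF
        }
        /wazuh-authd: INFO: Agent key generated for/ {
            split($0, a, q); if (a[2] in requested) print a[2], requested[a[2]]
        }'
}

# Read manager log text on stdin; print agents that requested enrollment but never
# got a key (a failed or still-pending enrollment that is worth investigating).
pending_agents() {
    awk -v q="'" '
        /Received request for a new agent/ { split($0, a, "("); split(a[2], b, ")"); seen[b[1]] = 1 }
        /Agent key generated for/          { split($0, a, q); delete seen[a[2]] }
        END { for (n in seen) print n }'
}

# Read manager log text on stdin; count wazuh-remoted reloads of the keys file
# (message id 1410). Each successful enrollment should trigger one of these.
key_reloads() {
    grep -c 'wazuh-remoted: INFO: (1410)' || true
}

printf '%s\n' "$SAMPLE_LOG" | enrolled_agents
printf '%s\n' "$SAMPLE_LOG" | pending_agents
printf '%s\n' "$SAMPLE_LOG" | key_reloads
```

A host that appears in the pending list, or an enrollment count that exceeds the reload count, is the first thing to check when an agent shows as "never connected" on the dashboard.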
This is the method for installing the Wazuh agent on either a Windows or Linux server. Alternatively, you can choose to install the agent by downloading the executable (exe) or Debian (deb) files directly from the official Wazuh website (here). Download the necessary agent tools and proceed by following the on-screen instructions provided.
Explore the agent
With the agents successfully enrolled in the server, let’s delve into the Wazuh SIEM. To do so, click on the agent with ID 001, which represents our Windows agent. Subsequently, you will be presented with a screen resembling the one depicted below.
Click on agent id 002. This is our Linux agent. You will see a screen like below.
The agent dashboard typically comprises several sections, including MITRE, Compliance, FIM (File Integrity Monitoring), and SCA (Security Configuration Assessment). Each section offers distinct functionalities, such as:
MITRE: The Wazuh SIEM MITRE section is a critical component that aligns with the MITRE ATT&CK framework, a comprehensive knowledge base of adversary tactics and techniques.
Compliance: This section contains predefined rule sets and compliance templates for various industry standards and regulations, such as PCI DSS, NIST 800-53, GDPR etc. It continuously monitors the organization’s systems and logs for compliance violations, generating alerts and reports when deviations from the established standards are detected.
FIM: Wazuh File Integrity Monitoring (FIM) is a crucial security feature that monitors and safeguards the integrity of files and directories on a system. When a change is detected, Wazuh generates alerts, providing real-time visibility into potential security breaches, malware infections, or unintended modifications to critical files.
That’s a wrap for now. In my forthcoming post, I will demonstrate how to activate vulnerability scanning and enhance server security through SCA (Security Configuration Assessment) with Wazuh SIEM. Until then, enjoy exploring Wazuh.
Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments.
About the Author: Imtiaz works in a financial organization in Bangladesh and has experience in system, network and security administration. Feel free to contact him on LinkedIn or Twitter.