Complete Guide to Wazuh: From Subscription to Advanced Configuration

Introduction

Wazuh is a powerful, open-source security monitoring platform that provides threat detection, integrity monitoring, incident response, and compliance reporting. This comprehensive guide will walk you through everything you need to know about getting started with Wazuh, from understanding subscription options to hands-on configuration labs.

Understanding Wazuh Subscription Options

Open Source vs. Commercial Options

Wazuh Open Source (Free)

  • The complete platform: SIEM and XDR capabilities (log analysis, file integrity monitoring, vulnerability detection, configuration assessment, active response) with no feature gating
  • Community support through the documentation, the community forum and GitHub
  • Self-hosted deployment on your own infrastructure
  • No licensing fees or usage restrictions
  • Suitable at any scale; the decision to buy is about hosting and support, not features

Wazuh Cloud (Commercial)

  • Fully managed cloud service
  • Professional support with SLA guarantees
  • Automatic updates and maintenance
  • Scalable pricing based on data ingestion
  • Starting at approximately $2 per GB per month

Enterprise Support

  • Professional services and consulting
  • Custom integrations and development
  • Priority support channels
  • Training and certification programs

Choosing the Right Option

For most organizations starting with Wazuh, the open-source version provides excellent value. Consider commercial options if you need guaranteed support SLAs or prefer managed infrastructure.

System Requirements and Prerequisites

Minimum Hardware Requirements

Single-Node Lab Deployment (manager, indexer and dashboard on one host)

  • CPU: 4 vCPU
  • RAM: 8 GB (the indexer's JVM heap is the dominant consumer)
  • Storage: 50 GB, enough for roughly 25 agents; the installation assistant refuses to run below these values unless started with -i/--ignore-check

Production Environment (Recommended)

  • CPU: 8+ cores
  • RAM: 16+ GB
  • Storage: 500+ GB SSD; retention period multiplied by daily alert volume decides this figure, not agent count alone
  • Network: low-latency links between indexer nodes; agent traffic itself is small

Operating System Support

Central components (manager, indexer, dashboard) are packaged for:

  • Ubuntu 16.04 through 22.04
  • CentOS 7, 8 (both past end of life; prefer a supported distribution for new deployments)
  • Red Hat Enterprise Linux 7, 8, 9
  • Amazon Linux 2

Agents are packaged for a much wider set, including Debian, SUSE Linux Enterprise Server 12 and 15, Windows, macOS, Solaris, AIX and HP-UX. Agents must never run a newer version than the manager they report to.

Installation Methods

Method 1: All-in-One Installation (Quickstart)

The all-in-one installation deploys the Wazuh manager, indexer and dashboard on a single server. The assistant runs as root, so read it before executing it, and keep the admin password it prints at the end (it is also stored in wazuh-install-files.tar in the working directory).

# Download and run the installation assistant
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

# Retrieve the generated admin password later if needed
sudo tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1

This method suits labs and small environments (the dashboard is reachable at https://<server-ip> as admin). For production fleets, use the distributed layout so the indexer can be scaled out and the manager can be clustered.

Method 2: Distributed Installation

For production environments, deploy the indexer, the manager (Wazuh server) and the dashboard on separate hosts. Installing the packages alone is not enough: each node also needs its TLS certificates, node-specific opensearch.yml and filebeat.yml settings, and the indexer's security index initialised. The installation assistant performs those steps from one config.yml, so the sequence below uses it. The package repository is still worth configuring, because it is how agents and later upgrades are installed.

Step 1: Configure the Wazuh Repository (every node)

# Install prerequisites and the signed Wazuh package repository
apt-get install -y gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt-get update

Step 2: Generate Certificates and Passwords (once, on any node)

# Describe every node in config.yml, then let the assistant create the CA, node certificates and passwords
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.7/config.yml
# edit config.yml: name and IP of each indexer, server and dashboard node
bash ./wazuh-install.sh --generate-config-files
# copy wazuh-install-files.tar to every node (it contains private keys: use scp, not mail)

Step 3: Install Wazuh Indexer

# Run on each indexer node, in the directory holding wazuh-install-files.tar, with the node name from config.yml
bash ./wazuh-install.sh --wazuh-indexer node-1
# After the last indexer node is installed, initialise the cluster once
bash ./wazuh-install.sh --start-cluster

Step 4: Install Wazuh Manager

# Installs wazuh-manager and Filebeat (which ships alerts to the indexer) on this node
bash ./wazuh-install.sh --wazuh-server wazuh-1
systemctl status wazuh-manager filebeat

Step 5: Install Wazuh Dashboard

bash ./wazuh-install.sh --wazuh-dashboard dashboard
systemctl status wazuh-dashboard
# Log in at https://<dashboard-ip> as admin with the password from wazuh-install-files/wazuh-passwords.txt

Method 3: Docker Deployment

Suited to development and testing. The indexer container needs the kernel's mmap limit raised, and the compose file ships with placeholder credentials (for example INDEXER_PASSWORD=SecretPassword) that must be changed before the stack is exposed to anything but your workstation.

# The indexer refuses to start with the default vm.max_map_count
sysctl -w vm.max_map_count=262144

# Clone the Wazuh Docker repository at the matching release tag
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0
cd wazuh-docker/single-node

# Generate certificates (docker-compose with Compose v1)
docker compose -f generate-indexer-certs.yml run --rm generator

# Start all services
docker compose up -d

Initial Configuration

Securing Your Installation

Change Default Passwords

Unless the installation assistant generated them, the indexer and API users carry well-known defaults (admin/admin, wazuh/wazuh). The password tool rotates all of them at once; --admin-user and --admin-password are the current Wazuh API administrator credentials it needs to authenticate, not the new password. It prints the new values, so capture them in a password manager.

# Rotate every indexer and API user password and print the new values
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh \
  --change-all --admin-user wazuh --admin-password <current-api-admin-password>

If Filebeat or the dashboard run on other hosts, update their stored copies of the affected passwords (the Filebeat keystore and /etc/wazuh-dashboard/opensearch_dashboards.yml), then restart those services.

Configure Firewall Rules

Agent traffic uses 1514/tcp by default (UDP only if <protocol>udp</protocol> is set in the manager's <remote> block); 1515/tcp is enrollment. The API (55000) and the indexer (9200) should be reachable only from management hosts and the other Wazuh nodes, never from the agent population. The 10.0.0.0/24 below is a placeholder for your management network.

# Allow necessary ports on the manager
ufw allow 22/tcp                                        # SSH (restrict to your admin network)
ufw allow 1514/tcp                                      # Wazuh agent communication
ufw allow 1515/tcp                                      # Agent enrollment
ufw allow from 10.0.0.0/24 to any port 55000 proto tcp  # Wazuh API, management network only
ufw allow 443/tcp                                       # Dashboard HTTPS (on the dashboard node)
ufw enable

SSL/TLS Configuration

The installation assistant already issues certificates from a self-signed root CA (wazuh-certs-tool.sh, driven by config.yml). To use your own CA, generate a CA and one certificate per node with a subjectAltName matching the hostname or IP the node is addressed by; certificates without a SAN are rejected by modern TLS clients (browsers, Filebeat, curl) that ignore the CN.

# Create certificate authority (keep ca-key.pem offline after issuing)
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 3650 -key ca-key.pem -subj "/CN=Wazuh Root CA" -out ca.pem

# Generate a node certificate with a SAN matching how the node is addressed
openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -subj "/CN=wazuh-1" -out server.csr
printf 'subjectAltName=DNS:wazuh-1,IP:192.168.1.100\n' > san.ext
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -extfile san.ext -out server.pem

# Check the result before deploying it
openssl x509 -in server.pem -noout -subject -ext subjectAltName

For the supported path, describe the nodes in config.yml and run the certificate tool; it writes one certificate per node under wazuh-certificates/ plus root-ca.pem, and the installation assistant consumes the resulting tarball:

curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.7/config.yml
bash ./wazuh-certs-tool.sh -A
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .

Agent Installation and Configuration

Installing Agents on Different Operating Systems

Linux Agents

Prefer the signed package repository (configured in Method 2) over a bare download, so apt verifies the package signature: apt-get install wazuh-agent. The direct download below works when the repository is not available. WAZUH_MANAGER is read by the package's post-install script and written into /var/ossec/etc/ossec.conf; WAZUH_AGENT_GROUP places the agent in a manager-side group so it receives that group's shared configuration.

# Download and install (amd64 .deb; use the repository where possible)
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
WAZUH_MANAGER='192.168.1.100' WAZUH_AGENT_GROUP='webservers' dpkg -i wazuh-agent.deb
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Windows Agents

# Download installer
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi

# Install with manager IP
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="192.168.1.100"

# Start service
NET START WazuhSvc

macOS Agents

Since 4.5 the macOS package is architecture-specific. The installer reads WAZUH_MANAGER from /etc/wazuh_envs; with that set, the agent enrols itself on first start, so a manual agent-auth run is not needed.

# Download and install (Intel build shown; use wazuh-agent-4.7.0-1.arm64.pkg on Apple silicon)
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.7.0-1.intel64.pkg
echo "WAZUH_MANAGER='192.168.1.100'" > /etc/wazuh_envs
installer -pkg wazuh-agent.pkg -target /
/Library/Ossec/bin/wazuh-control start

Securing Agent Enrollment

By default the manager's enrollment service on 1515/tcp registers any host that connects, so anyone who can reach it can add a fake agent and inject events. Require a shared secret: on the manager, enable it in ossec.conf, store the secret in /var/ossec/etc/authd.pass (mode 640, owner root:wazuh) and restart wazuh-manager; then pass WAZUH_REGISTRATION_PASSWORD='<secret>' alongside WAZUH_MANAGER when installing agents (or agent-auth -P <secret> for manual enrollment).

<auth>
  <use_password>yes</use_password>
</auth>

Lab 1: Basic Security Monitoring Setup

Objective

Set up basic file integrity monitoring and log analysis for a web server.

Prerequisites

  • Wazuh manager installed and running
  • Web server (Apache/Nginx) with Wazuh agent installed

Step-by-Step Implementation

1. Configure File Integrity Monitoring

Edit /var/ossec/etc/ossec.conf on the agent (inside <ossec_config>), or push the same block to a group of agents through /var/ossec/etc/shared/<group>/agent.conf on the manager:

<syscheck>
  <!-- realtime uses inotify; raise fs.inotify.max_user_watches for large trees -->
  <directories check_all="yes" realtime="yes" report_changes="yes">/var/www/html</directories>
  <directories check_all="yes" realtime="yes">/etc/apache2</directories>
  <directories check_all="yes">/etc/ssh</directories>
  <ignore>/var/www/html/logs</ignore>
  <ignore>/var/www/html/tmp</ignore>
</syscheck>

report_changes="yes" stores a diff of text files so the alert shows what changed. whodata="yes" (requires auditd on Linux) additionally records which user and process made the change, at a higher cost than realtime; use it on the directories where attribution matters.

2. Configure Log Analysis

Add the Apache logs to the same <ossec_config> block on the agent (the apache log format covers both the access and the error log):

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/access.log</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/error.log</location>
</localfile>

3. Create Custom Rules

Rules live on the manager, not the agent, and IDs 100000 to 120000 are reserved for local rules. Two details matter for the parent rule: 31100 is the parent of every decoded web access-log event, whereas 31103 is the stock SQL-injection rule, so a child of 31103 would only fire when an injection attempt hits an admin path. Field patterns use the OSSEC regex dialect by default, in which [], {}, ? and \. (which means "any character") do not behave as in PCRE; type="pcre2" switches a field to PCRE semantics. Create /var/ossec/etc/rules/local_rules.xml:

<group name="web_attacks,">
  <rule id="100001" level="5">
    <if_sid>31100</if_sid>
    <url>/admin|/wp-admin|/phpmyadmin</url>
    <description>Request to an administrative web interface: $(url)</description>
    <group>web,recon,</group>
  </rule>

  <rule id="100002" level="12">
    <if_sid>31100</if_sid>
    <url type="pcre2">/uploads?/[^?]*\.(php|phtml|asp|aspx|jsp)(\?|$)</url>
    <description>Script requested from an upload directory (possible web shell): $(url)</description>
    <group>web,attack,</group>
  </rule>
</group>

Rule 100001 fires on every request to those paths, including legitimate administrator logins, which is why it is level 5; raise it, or correlate it with 401/403 responses, once you know the baseline for the site.

4. Testing and Validation

# Rules live on the manager: restart it after editing local_rules.xml, and the agent after editing its ossec.conf
systemctl restart wazuh-manager
systemctl restart wazuh-agent

# Check rule logic offline first: paste a log line and the tool shows the decoder output and the winning rule
/var/ossec/bin/wazuh-logtest

# Create test file changes (stock rules 554 added, 550 modified, 553 deleted)
echo "test content" > /var/www/html/test.txt
echo "modified" >> /var/www/html/test.txt
rm /var/www/html/test.txt

# Generate test web traffic matching rules 100001 and 100002
curl -s -o /dev/null http://localhost/admin/login.php
curl -s -o /dev/null http://localhost/uploads/shell.php

Expected Results

  • Syscheck alerts (rules 554, 550 and 553) for the added, modified and deleted file, with the diff when report_changes is on
  • Rules 100001 and 100002 firing for the two requests, visible under Security events filtered on rule.groups:web
  • Each alert carries the decoded fields (srcip, url, status code, agent name) needed for triage

Lab 2: Advanced Threat Detection

Objective

Implement advanced threat detection using custom decoders and rules for detecting brute force attacks and privilege escalation.

Implementation Steps

1. Create Custom Decoder

Wazuh's stock decoders already extract these fields: the sshd decoder yields the user, srcip and srcport of "Failed password" lines, and the sudo decoder yields srcuser, dstuser and command. The two decoders below are therefore shown for the syntax of a child decoder (parent, regex, order); in a real deployment, write child decoders only for log lines the ruleset does not parse, otherwise the stock decoder, loaded first, keeps winning and yours never runs. Note the OSSEC regex dialect: \S+ and \d+ are fine, \. means "any character", and [], {} and ? are literal characters.

Add to /var/ossec/etc/decoders/local_decoder.xml:

<decoder name="ssh-brute-force">
  <parent>sshd</parent>
  <regex>Failed password for (\S+) from (\S+) port (\d+)</regex>
  <order>user,srcip,srcport</order>
</decoder>

<decoder name="sudo-command">
  <parent>sudo</parent>
  <!-- \.+ captures the whole command line, spaces included -->
  <regex>COMMAND=(\.+)$</regex>
  <order>command</order>
</decoder>

Verify with /var/ossec/bin/wazuh-logtest that the fields appear in the decoding phase and that the decoder name shown is the one you expect.

2. Implement Correlation Rules

Rule 100010 is a child of the stock sshd failure rules: 5716 (failed password for an existing account) and 5710 (attempt with a non-existent user, which is most of what a scanner produces). Rules 100011 and 100012 count those matches per source IP over a sliding window; <same_source_ip /> compares the decoded srcip field. Wazuh already ships a comparable rule (5720, eight failures in 120 seconds), so in production either build on it or lower its level to avoid duplicate alerts. Create the rules in /var/ossec/etc/rules/local_rules.xml:

<group name="brute_force,">
  <rule id="100010" level="5">
    <if_sid>5710,5716</if_sid>
    <description>SSH authentication failure from $(srcip)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100011" level="10" frequency="5" timeframe="300">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSH authentication failures from the same source</description>
    <group>authentication_failures,brute_force,</group>
  </rule>

  <rule id="100012" level="12" frequency="10" timeframe="60">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>SSH brute force attack detected</description>
    <group>brute_force,attack,</group>
  </rule>
</group>

3. Configure Active Response

Add to /var/ossec/etc/ossec.conf on the manager, inside <ossec_config>, then restart wazuh-manager. <location>local</location> runs firewall-drop on the agent that reported the events, so the offending IP is blocked at the host under attack; the timeout removes the block after 600 seconds. Before enabling this fleet-wide, make sure the rule cannot be fed a shared or spoofable source address (NAT gateways, reverse proxies), or an attacker can use it to lock out legitimate users.

<command>
  <name>firewall-block</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-block</command>
  <location>local</location>
  <rules_id>100012</rules_id>
  <timeout>600</timeout>
</active-response>

Testing the Lab

Run the attempts from a separate test machine: the response drops the source IP on the target, and blocking 127.0.0.1 would cut the host off from its own services. A plain ssh call stops at the password prompt, so feed a wrong password non-interactively (sshpass is a standard package). 192.168.1.50 stands for the monitored host.

# Generate failed password logins against the monitored host (from the test machine)
for i in $(seq 1 15); do
  sshpass -p 'wrong' ssh -o StrictHostKeyChecking=no -o PreferredAuthentications=password \
    -o PubkeyAuthentication=no baduser@192.168.1.50 true
  sleep 2
done

# On the target: the active response log and the DROP rule it inserted
tail -n 20 /var/ossec/logs/active-responses.log
iptables -L INPUT -v -n | grep DROP
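To see how the frequency, timeframe and same_source_ip attributes of rules 100011 and 100012 behave, the following added example (written for this guide, not Wazuh code) replays constructed sshd log lines through a simplified Python model of that correlation: the decoder regex from step 1 is translated to PCRE and each rule keeps a sliding window per source IP. It assumes syslog timestamps without a year and resets a rule's counter after it fires, which is a simplification of the engine's own counting; confirm the real thresholds with wazuh-logtest.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python equivalent of the Lab 2 "ssh-brute-force" decoder. sshd prefixes unknown accounts with
# "invalid user"; the optional group absorbs that so the account name always lands in `user`.
SSH_FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port (?P<srcport>\d+)"
)

# (rule id, level, frequency, timeframe in seconds), copied from rules 100011 and 100012
CORRELATION_RULES = [
    (100011, 10, 5, 300),
    (100012, 12, 10, 60),
]

YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


def decode(line):
    """Return the decoded fields of one sshd line, or None when it is not a failed login."""
    m = SSH_FAILED.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=YEAR)
    return {"timestamp": ts, **m.groupdict()}


class Correlator:
    """Simplified model of frequency/timeframe with <same_source_ip/>: each (rule, srcip) pair keeps
    a sliding window of matching child events; the rule fires when the window holds `frequency`
    events within `timeframe` seconds, then the window is cleared and counting restarts."""

    def __init__(self, rules=CORRELATION_RULES):
        self.rules = rules
        self.windows = defaultdict(deque)

    def feed(self, line):
        """Feed one log line; return the (rule_id, level, srcip) alerts it triggers."""
        ev = decode(line)
        if ev is None:
            return []
        alerts = []
        for rule_id, level, frequency, timeframe in self.rules:
            window = self.windows[(rule_id, ev["srcip"])]
            window.append(ev["timestamp"])
            while (ev["timestamp"] - window[0]).total_seconds() > timeframe:
                window.popleft()  # drop events that fell out of the timeframe
            if len(window) >= frequency:
                alerts.append((rule_id, level, ev["srcip"]))
                window.clear()
        return alerts


def run(lines):
    """Replay log lines through a fresh correlator; return every alert in firing order."""
    c = Correlator()
    return [alert for line in lines for alert in c.feed(line)]


def _line(offset_s, user, ip, port, invalid=True):
    ts = (datetime(YEAR, 3, 12, 10, 0, 0) + timedelta(seconds=offset_s)).strftime("%b %d %H:%M:%S")
    prefix = "invalid user " if invalid else ""
    return f"{ts} web1 sshd[2211]: Failed password for {prefix}{user} from {ip} port {port} ssh2"


# Constructed sample: 12 failures two seconds apart from one address, 3 slow ones for an existing
# account from another, and a successful login that must not be counted.
SAMPLE_LOG = (
    [_line(2 * i, "baduser", "203.0.113.7", 40000 + i) for i in range(12)]
    + [_line(100 + 30 * i, "alice", "198.51.100.9", 51000 + i, invalid=False) for i in range(3)]
    + ["Mar 12 10:05:00 web1 sshd[2300]: Accepted publickey for ops from 10.0.0.2 port 50022 ssh2"]
)

if __name__ == "__main__":
    for rule_id, level, ip in run(SAMPLE_LOG):
        print(f"rule {rule_id} (level {level}) fired for {ip}")
```

The sample fires 100011 twice and 100012 once for 203.0.113.7 and nothing for the three slow attempts from 198.51.100.9. That is also what the Wazuh rules do: 100011 keeps firing alongside 100012, so in production give it an ignore attribute or rely on the level-12 rule alone for paging.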

Lab 3: Compliance Monitoring (PCI DSS)

Objective

Configure Wazuh for PCI DSS compliance monitoring including credit card data protection and access controls.

Configuration Steps

1. Enable Security Configuration Assessment Checks

The rootcheck system_audit files (system_audit_rcl.txt, cis_*_rcl.txt) are legacy OSSEC policies that no longer ship with Wazuh 4.x; these checks are now performed by the Security Configuration Assessment (SCA) module, whose CIS policies map each check to PCI DSS requirements. SCA is enabled by default with the policy matching the agent's OS; the shared configuration lets you add or pin policies for a group of agents. Edit /var/ossec/etc/shared/default/agent.conf on the manager (substitute the policy file for the agents' OS):

<agent_config>
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <policies>
      <!-- policy files ship under /var/ossec/ruleset/sca/ on the agent -->
      <policy>cis_ubuntu22-04.yml</policy>
    </policies>
  </sca>
</agent_config>

Agents fetch the new shared configuration automatically and restart to apply it; results appear in the dashboard's Security configuration assessment module and as alerts in the sca group.

2. Configure PCI DSS Rules

Every stock rule already carries pci_dss_* groups, which is what the dashboard's PCI DSS module counts; custom rules should keep that convention. Stock rules 5301 and 5302 (su: wrong password) and 5401 (sudo: failed attempt) already identify failed escalations, so the child rule needs no regex of its own (the original matched FAILED under 5402, which is the rule for a successful sudo to root); verify the IDs against your own log lines with wazuh-logtest, since distributions that route su through PAM log under the 5500 rule family instead. The card-number pattern needs type="pcre2": in the default OSSEC dialect {4}, [- ] and ? are literal characters, so the original pattern could never match. Create the rules in /var/ossec/etc/rules/local_rules.xml:

<group name="pci_dss,">
  <rule id="100020" level="7">
    <if_sid>5301,5302,5401</if_sid>
    <description>PCI DSS 10.2.5: failed privilege escalation attempt (su/sudo)</description>
    <group>pci_dss_10.2.5,privilege_escalation,</group>
  </rule>

  <rule id="100021" level="12">
    <if_sid>31100</if_sid>
    <regex type="pcre2">(?<!\d)\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}(?!\d)</regex>
    <description>PCI DSS 3.4: possible primary account number in web request</description>
    <group>pci_dss_3.4,data_protection,</group>
  </rule>
</group>

Rule 100021 matches any 16-digit run, so order and session identifiers will trigger it; the rule engine cannot apply a Luhn check, so treat the alert as a lead to confirm in triage. A card number in a log is itself a PCI DSS finding: the fix is masking at the application, detection only tells you where to look.

3. Set up Automated Reporting

The Wazuh API has no compliance-report endpoint, and the original script authenticated against a path that does not exist (the login endpoint is POST /security/user/authenticate, returning a JWT). Compliance evidence lives in the alert indices: every rule tagged pci_dss_* produces alerts whose rule.pci_dss field lists the requirement, so a weekly report is a query against wazuh-alerts-* on the indexer; the dashboard's Reporting module produces the PDF version of the same data. Keep credentials out of the script and out of the crontab, verify the indexer's certificate instead of using -k, and never pipe a single line into crontab -, which replaces root's entire crontab.

# Indexer credentials in a root-only netrc file, so they appear neither in the script nor in process listings
printf 'machine localhost login admin password %s\n' '<indexer-password>' > /etc/wazuh-report.netrc
chmod 600 /etc/wazuh-report.netrc

# Create the report script
cat > /usr/local/bin/pci_report.sh << 'EOF'
#!/bin/bash
set -euo pipefail
OUT=/var/log/wazuh-pci/pci_report_$(date +%F).json
mkdir -p "$(dirname "$OUT")"
# Alerts of the last 7 days that carry a PCI DSS requirement tag, counted per requirement
curl -sS --netrc-file /etc/wazuh-report.netrc --cacert /etc/wazuh-indexer/certs/root-ca.pem \
  -X POST "https://localhost:9200/wazuh-alerts-*/_search" -H 'Content-Type: application/json' \
  -d '{"size":0,"query":{"bool":{"filter":[{"exists":{"field":"rule.pci_dss"}},{"range":{"timestamp":{"gte":"now-7d/d"}}}]}},"aggs":{"by_requirement":{"terms":{"field":"rule.pci_dss","size":100}}}}' \
  -o "$OUT"
EOF
chmod 700 /usr/local/bin/pci_report.sh

# Schedule weekly reports without touching root's existing crontab
echo "0 9 * * 1 root /usr/local/bin/pci_report.sh" > /etc/cron.d/wazuh-pci-report
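Rule 100021 above can only flag 16-digit runs. The added example below (not part of this page or of Wazuh) is the triage step a practitioner puts behind that alert: the same candidate pattern, a Luhn check to discard identifiers that merely look like card numbers, and PCI DSS 3.3-style masking (first six and last four digits) so the triage output does not become another copy of the PAN. The log lines are constructed Apache combined-format entries using the card brands' public test numbers.

```python
import re

# Same shape as rule 100021's pattern: four groups of four digits with an optional space or dash
# between them, and no adjacent digits so longer identifiers are not partially matched.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{4})[- ]?(\d{4})[- ]?(\d{4})[- ]?(\d{4})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right (subtracting 9 above 9); the sum
    of all digits must be divisible by 10. Filters out most random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits (the most PCI DSS 3.3 allows to display); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line):
    """Return masked PANs in one log line that pass the Luhn check; other 16-digit runs are ignored."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = "".join(m.groups())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan(lines):
    """(line number, masked PANs) for every line that carries a Luhn-valid PAN."""
    results = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            results.append((n, pans))
    return results


# Constructed access-log lines: a Visa test number, a 16-digit order id that fails Luhn,
# a dashed Mastercard test number, and a 19-digit transaction id that must not be cut into 16 digits.
SAMPLE_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "POST /checkout?card=4111111111111111 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.6 - - [12/Mar/2024:10:00:02 +0000] "GET /order/1234567890123456 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2024:10:00:03 +0000] "GET /pay?pan=5555-5555-5555-4444 HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Mar/2024:10:00:04 +0000] "GET /track?txid=1234567890123456789 HTTP/1.1" 200 70 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, pans in scan(SAMPLE_LINES):
        print(f"line {n}: {', '.join(pans)}")
```

Only lines 1 and 3 survive the Luhn check. A Luhn pass is still not proof (about one in ten random numbers passes), so the confirmed hits go back to the application team as a masking defect rather than being stored anywhere in clear.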

Performance Tuning and Optimization

Memory and CPU Optimization

Optimize Wazuh Manager Configuration

The settings below keep analysisd from writing every received event to disk (logall) and cap e-mail traffic. <connection>secure</connection> on 1514 is the agent listener; TCP is the default and the recommended transport, because UDP drops events silently under load, so switch to UDP only when the network requires it. queue_size is the buffer for events remoted has received but analysisd has not yet taken; raise it on busy managers and then watch events_dropped in /var/ossec/var/run/wazuh-analysisd.state. All of this sits inside <ossec_config> in /var/ossec/etc/ossec.conf on the manager.

<global>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@example.com</email_from>
  <email_to>soc@example.com</email_to>
  <email_maxperhour>12</email_maxperhour>
</global>

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>
  <queue_size>131072</queue_size>
</remote>

Indexer Performance Tuning

Size the heap first in /etc/wazuh-indexer/jvm.options: set -Xms and -Xmx to the same value, at most half of the host's RAM and no more than about 31 GB so compressed object pointers stay in use. Then edit /etc/wazuh-indexer/opensearch.yml:

# Memory settings: lock the heap in RAM. Requires LimitMEMLOCK=infinity in the
# wazuh-indexer systemd unit (systemctl edit wazuh-indexer); otherwise the bootstrap check fails
bootstrap.memory_lock: true

# Thread pool settings (queue depth before requests are rejected with HTTP 429)
thread_pool.write.queue_size: 1000
thread_pool.search.queue_size: 1000

# Index settings
indices.query.bool.max_clause_count: 10000
indices.fielddata.cache.size: 20%

Storage Optimization

Configure Index State Management (retention)

The Wazuh indexer is OpenSearch, so retention is handled by its Index State Management (ISM) plugin; Elasticsearch's _ilm API does not exist there. Filebeat writes one wazuh-alerts-4.x-YYYY.MM.DD index per day, so there is nothing to roll over; the policy below attaches to every new alert index, drops the replica after 7 days and deletes the index after 90 days. The indexer requires HTTPS and authentication; verify its certificate with the root CA instead of passing -k.

# Create the ISM policy (adjust the admin password and CA path)
curl -u admin:<password> --cacert /etc/wazuh-indexer/certs/root-ca.pem \
  -X PUT "https://localhost:9200/_plugins/_ism/policies/wazuh-alerts-retention" \
  -H 'Content-Type: application/json' -d'
{
  "policy": {
    "description": "Wazuh alerts: replica for 7 days, none afterwards, delete after 90 days",
    "default_state": "hot",
    "states": [
      {
        "name": "hot",
        "actions": [],
        "transitions": [{"state_name": "warm", "conditions": {"min_index_age": "7d"}}]
      },
      {
        "name": "warm",
        "actions": [{"replica_count": {"number_of_replicas": 0}}],
        "transitions": [{"state_name": "delete", "conditions": {"min_index_age": "90d"}}]
      },
      {
        "name": "delete",
        "actions": [{"delete": {}}],
        "transitions": []
      }
    ],
    "ism_template": [{"index_patterns": ["wazuh-alerts-*"], "priority": 100}]
  }
}'

# ism_template only covers indices created after the policy; attach it to the existing ones
curl -u admin:<password> --cacert /etc/wazuh-indexer/certs/root-ca.pem \
  -X POST "https://localhost:9200/_plugins/_ism/add/wazuh-alerts-*" \
  -H 'Content-Type: application/json' -d '{"policy_id": "wazuh-alerts-retention"}'

# Check which state each index is in
curl -u admin:<password> --cacert /etc/wazuh-indexer/certs/root-ca.pem \
  "https://localhost:9200/_plugins/_ism/explain/wazuh-alerts-*?pretty"

Troubleshooting Common Issues

Agent Connection Problems

Check Agent Status

# On the manager: list agents and their state (Active, Disconnected, Never connected, Pending)
/var/ossec/bin/agent_control -l
/var/ossec/bin/agent_control -i <agent_id>

# On the agent (agent_control does not exist there): daemon state and the connection log
/var/ossec/bin/wazuh-control status
grep -E "Connected to the server|Unable to connect|ERROR" /var/ossec/logs/ossec.log | tail

Fix Agent Authentication Issues

A "Duplicated agent" error or a key mismatch usually means the agent's client.keys no longer matches the manager's entry (typical after cloning a VM from an enrolled image). Remove the stale entry on the manager, clear the key on the agent and enrol again; 1515/tcp must be reachable, and add -P <secret> if enrollment requires a password.

# On the manager: remove the stale agent entry
/var/ossec/bin/manage_agents -r <agent_id>

# On the agent: discard the old key, re-enrol, restart
systemctl stop wazuh-agent
: > /var/ossec/etc/client.keys
/var/ossec/bin/agent-auth -m <manager_ip> -A <agent_name>
systemctl start wazuh-agent

Performance Issues

Monitor Resource Usage

The manager daemons write their counters to state files every few seconds; the relevant ones are events_dropped and the *_queue_usage values (a queue near 1.00 means analysisd is not keeping up and events are about to be discarded).

# Analysis and remote daemon counters
cat /var/ossec/var/run/wazuh-analysisd.state
cat /var/ossec/var/run/wazuh-remoted.state

# Manager warnings about saturated queues
grep -iE "queue|dropp" /var/ossec/logs/ossec.log | tail

# Same counters over the API (JWT from POST /security/user/authenticate; the API uses its own
# self-signed certificate by default, hence -k here)
curl -k -H "Authorization: Bearer $TOKEN" "https://localhost:55000/manager/stats/analysisd?pretty=true"
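The state files are plain key='value' text, which makes them easy to poll from monitoring. The added example below (written for this guide, not a Wazuh tool) parses such a file and flags any queue above 80% usage and any dropped events. The counter names in the constructed sample are the ones found in 4.x wazuh-analysisd.state files; check them against your own file if your version differs.

```python
import re

STATE_LINE = re.compile(r"^([a-z_]+)='([^']*)'$")


def parse_state(text):
    """Parse the key='value' lines of a wazuh-analysisd.state / wazuh-remoted.state file into a dict.
    Comment lines (starting with #) and blanks are skipped."""
    state = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2)
    return state


def health(state, usage_threshold=0.8):
    """Findings for saturated queues and discarded events; [] when the manager is keeping up."""
    findings = []
    for key, value in sorted(state.items()):
        if key.endswith("_queue_usage") and float(value) >= usage_threshold:
            size = state.get(key[: -len("_usage")] + "_size", "?")
            findings.append(f"{key}={float(value):.0%} of {size} slots")
    dropped = int(state.get("events_dropped", "0"))
    if dropped:
        findings.append(
            f"events_dropped={dropped}: analysisd is discarding events, raise the analysisd queue sizes "
            "in local_internal_options.conf or add worker nodes"
        )
    return findings


def check_file(path):
    """Read a state file from disk and return its findings."""
    with open(path) as f:
        return health(parse_state(f.read()))


# Constructed excerpt in the format of a 4.x wazuh-analysisd.state file: the event queue is
# almost full and events have already been dropped.
SATURATED_STATE = """\
# State file for wazuh-analysisd
# Events received
events_received='12880'
# Events dropped
events_dropped='312'
# Syscheck queue usage
syscheck_queue_usage='0.12'
syscheck_queue_size='16384'
# Event queue usage
event_queue_usage='0.97'
event_queue_size='16384'
# Rule matching queue usage
rule_matching_queue_usage='0.41'
rule_matching_queue_size='16384'
"""

# Same file with the manager keeping up
HEALTHY_STATE = SATURATED_STATE.replace("'312'", "'0'").replace("'0.97'", "'0.05'")

if __name__ == "__main__":
    print(check_file("/var/ossec/var/run/wazuh-analysisd.state") or ["manager is keeping up"])
```

Run it from cron or a monitoring agent and alert on a non-empty result; the first finding names the queue to enlarge, and a non-zero events_dropped means alerts have already been lost, so the affected window should be noted in the incident record.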

Dashboard Access Problems

Check Service Status

A dashboard that loads but shows "Wazuh API not reachable" has a working indexer and a broken path to the manager's API: check the host, port and credentials in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml and that 55000/tcp is reachable from the dashboard node.

systemctl status wazuh-dashboard
systemctl status wazuh-indexer
systemctl status wazuh-manager

# Check logs (the indexer log is named after cluster.name, wazuh-cluster by default; the dashboard logs to the journal)
tail -f /var/log/wazuh-indexer/wazuh-cluster.log
journalctl -u wazuh-dashboard -f
# The dashboard's Wazuh plugin keeps its own log, useful for API connection errors
tail -f /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log

Best Practices and Security Recommendations

Security Hardening

  1. Keep TLS on every hop: agents to manager (built in), Filebeat to indexer, dashboard to indexer and API; replace the assistant's self-signed certificates with ones issued by your CA
  2. Rotate the generated passwords, create per-person API users with limited roles instead of sharing admin, and keep the API (55000) and indexer (9200) off agent-facing networks
  3. Require an enrollment password (authd.pass) so only provisioned hosts can register as agents
  4. Track Wazuh releases and apply updates; keep agents no newer than the manager
  5. Alert on administrative actions: API logins, rule and configuration changes, agent removals

Operational Best Practices

  1. Back up /var/ossec/etc (ossec.conf, client.keys, rules, decoders, shared) and take indexer snapshots
  2. Document every custom rule, decoder and active response, including the local rule ID range you use (100000 to 120000)
  3. Test rules with wazuh-logtest and on a staging manager before pushing them to production
  4. Monitor the manager's queue counters and the indexer's heap and disk watermarks
  5. Let ISM expire alert indices; the manager rotates its own alert and archive logs daily under /var/ossec/logs

Scaling Considerations

  1. Split indexer, manager and dashboard onto separate hosts; add indexer nodes as alert volume grows
  2. Run manager nodes as a cluster (one master, several workers) behind a TCP load balancer for 1514 and 1515
  3. Size storage from retention period multiplied by daily alert volume, not from agent count alone
  4. Track events per second, queue usage and indexing latency over time, and scale before queues saturate
  5. Wazuh Cloud or cloud-hosted nodes remove the hardware planning, not the rule-tuning work

Conclusion

Wazuh provides a comprehensive security monitoring solution that can be tailored to meet various organizational needs. From basic installation to advanced threat detection and compliance monitoring, this guide has covered the essential aspects of deploying and configuring Wazuh effectively.

The labs provided demonstrate practical implementation scenarios that security teams commonly encounter. By following these examples and best practices, organizations can build a robust security monitoring infrastructure that provides real-time threat detection, compliance reporting, and incident response capabilities.

Remember to regularly update your Wazuh deployment, review and tune your rules, and continuously monitor performance to ensure optimal security coverage for your environment.

For additional resources and community support, visit the official Wazuh documentation at https://documentation.wazuh.com and join the community forums for ongoing assistance and knowledge sharing.
