Introduction
Wazuh is a powerful, open-source security monitoring platform that provides threat detection, integrity monitoring, incident response, and compliance reporting. This comprehensive guide will walk you through everything you need to know about getting started with Wazuh, from understanding subscription options to hands-on configuration labs.
Understanding Wazuh Subscription Options
Open Source vs. Commercial Options
Wazuh Open Source (Free)
- Full access to core SIEM and XDR capabilities
- Community support through forums and documentation
- Self-hosted deployment options
- No licensing fees or usage restrictions
- Perfect for small to medium organizations
Wazuh Cloud (Commercial)
- Fully managed cloud service
- Professional support with SLA guarantees
- Automatic updates and maintenance
- Scalable pricing based on data ingestion
- Starting at approximately $2 per GB per month
Enterprise Support
- Professional services and consulting
- Custom integrations and development
- Priority support channels
- Training and certification programs
Choosing the Right Option
For most organizations starting with Wazuh, the open-source version provides excellent value. Consider commercial options if you need guaranteed support SLAs or prefer managed infrastructure.
System Requirements and Prerequisites
Minimum Hardware Requirements
Wazuh Manager (Single Node)
- CPU: 2 cores
- RAM: 4 GB
- Storage: 50 GB
- Network: 1 Gbps
Production Environment (Recommended)
- CPU: 8+ cores
- RAM: 16+ GB
- Storage: 500+ GB SSD
- Network: 10 Gbps
Operating System Support
- Ubuntu 20.04, 22.04
- CentOS 7, 8
- Red Hat Enterprise Linux 7, 8, 9
- Amazon Linux 2
- SUSE Linux Enterprise Server 12, 15
Installation Methods
Method 1: All-in-One Installation (Quickstart)
The all-in-one installation deploys Wazuh manager, indexer, and dashboard on a single server.
# Download and run the installation assistant
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
chmod +x wazuh-install.sh
sudo ./wazuh-install.sh -a
This method is perfect for testing and small environments but not recommended for production.
Method 2: Distributed Installation
For production environments, deploy components separately for better performance and scalability.
Step 1: Install Wazuh Indexer
# Install Wazuh indexer (add the signed Wazuh APT repository first)
apt-get install -y gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get install -y wazuh-indexer
# Configure certificates and /etc/wazuh-indexer/opensearch.yml before starting the indexer (see the SSL/TLS section)
Step 2: Install Wazuh Manager
# Install Wazuh manager
apt-get install wazuh-manager
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Step 3: Install Wazuh Dashboard
# Install Wazuh dashboard
apt-get install wazuh-dashboard
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
Method 3: Docker Deployment
Perfect for development and testing environments.
# Clone the Wazuh Docker repository
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0
cd wazuh-docker/single-node
# Generate certificates
docker-compose -f generate-indexer-certs.yml run --rm generator
# Start all services
docker-compose up -d
Initial Configuration
Securing Your Installation
Change Default Passwords
# Access the password tool
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh \
--change-all --admin-user wazuh --admin-password <new-password>
Configure Firewall Rules
# Allow necessary ports
ufw allow 22/tcp # SSH
ufw allow 1514/udp # Wazuh agent communication
ufw allow 1515/tcp # Agent enrollment
ufw allow 443/tcp # Dashboard HTTPS
ufw enable
SSL/TLS Configuration
Generate custom certificates for secure communication:
# Create certificate authority
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca.pem
# Generate server certificates
openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server.pem
Agent Installation and Configuration
Installing Agents on Different Operating Systems
Linux Agents
# Download and install
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
WAZUH_MANAGER='192.168.1.100' dpkg -i wazuh-agent.deb
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Windows Agents
# Download installer
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
# Install with manager IP
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="192.168.1.100"
# Start service
NET START WazuhSvc
macOS Agents
# Download and install
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.7.0-1.pkg
installer -pkg wazuh-agent.pkg -target /
/Library/Ossec/bin/agent-auth -m 192.168.1.100
/Library/Ossec/bin/wazuh-control start
Lab 1: Basic Security Monitoring Setup
Objective
Set up basic file integrity monitoring and log analysis for a web server.
Prerequisites
- Wazuh manager installed and running
- Web server (Apache/Nginx) with Wazuh agent installed
Step-by-Step Implementation
1. Configure File Integrity Monitoring
Edit /var/ossec/etc/ossec.conf on the agent:
<syscheck>
<directories check_all="yes" realtime="yes">/var/www/html</directories>
<directories check_all="yes" realtime="yes">/etc/apache2</directories>
<directories check_all="yes">/etc/ssh</directories>
<ignore>/var/www/html/logs</ignore>
<ignore>/var/www/html/tmp</ignore>
</syscheck>
2. Configure Log Analysis
Add log monitoring rules:
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error.log</location>
</localfile>
3. Create Custom Rules
Create (or extend) /var/ossec/etc/rules/local_rules.xml:
<group name="web_attacks">
<!-- 31100 is the parent rule for every access-log line; 31103 only fires on SQL injection attempts -->
<rule id="100001" level="10">
<if_sid>31100</if_sid>
<url>admin|wp-admin|phpmyadmin</url>
<description>Suspicious admin panel access attempt</description>
<group>web,attack</group>
</rule>
<!-- 31106 fires when a web attack (31103, 31104 or 31105) received HTTP 200; <url> is a plain sregex match, so dots need no escaping -->
<rule id="100002" level="12">
<if_sid>31106</if_sid>
<url>.php|.asp|.jsp</url>
<description>Potential web shell upload</description>
<group>web,attack</group>
</rule>
</group>
4. Testing and Validation
# Restart Wazuh agent
systemctl restart wazuh-agent
# Create test file changes
echo "test content" > /var/www/html/test.txt
rm /var/www/html/test.txt
# Generate test web traffic
curl -X POST http://localhost/admin/login.php
curl http://localhost/shell.php
Expected Results
- File integrity alerts in Wazuh dashboard
- Web attack detection alerts
- Detailed forensic information for incident response
Lab 2: Advanced Threat Detection
Objective
Implement advanced threat detection using custom decoders and rules for detecting brute force attacks and privilege escalation.
Implementation Steps
1. Create Custom Decoder
Add to /var/ossec/etc/decoders/local_decoder.xml:
<decoder name="ssh-brute-force">
<parent>sshd</parent>
<regex>Failed password for (\S+) from (\S+) port (\d+)</regex>
<order>user,srcip,srcport</order>
</decoder>
<decoder name="sudo-command">
<parent>sudo</parent>
<regex>COMMAND=(\S+)</regex>
<order>command</order>
</decoder>
2. Implement Correlation Rules
Create advanced correlation rules in /var/ossec/etc/rules/local_rules.xml:
<group name="brute_force">
<rule id="100010" level="5">
<if_sid>5716</if_sid>
<description>SSH authentication failure</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5</group>
</rule>
<rule id="100011" level="10" frequency="5" timeframe="300">
<if_matched_sid>100010</if_matched_sid>
<same_source_ip />
<description>Multiple SSH authentication failures from same source</description>
<group>authentication_failures,brute_force</group>
</rule>
<rule id="100012" level="12" frequency="10" timeframe="60">
<if_matched_sid>100010</if_matched_sid>
<same_source_ip />
<description>SSH brute force attack detected</description>
<group>brute_force,attack</group>
</rule>
</group>
3. Configure Active Response
Add to /var/ossec/etc/ossec.conf:
<command>
<name>firewall-block</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>firewall-block</command>
<location>local</location>
<rules_id>100012</rules_id>
<timeout>600</timeout>
</active-response>
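To see how the frequency/timeframe thresholds in rules 100011 and 100012 behave before wiring them to an active response, here is an added Python model (example code, not part of this guide or of Wazuh) that replays constructed sshd failures through a simplified version of the same_source_ip correlation. The window handling and the reset after firing are assumptions about Wazuh's internals, so use it to reason about thresholds, not as a substitute for wazuh-logtest.

```python
import re
from collections import defaultdict, deque

# Python equivalent of the custom "ssh-brute-force" decoder regex above (Wazuh's own regex
# engine differs from Python's, so this mirrors the extracted fields, not the engine).
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port (\d+)")

# Thresholds taken from rules 100011 and 100012 on this page.
RULES = (
    {"id": 100011, "level": 10, "frequency": 5, "timeframe": 300},
    {"id": 100012, "level": 12, "frequency": 10, "timeframe": 60},
)


def correlate(events, rules=RULES):
    """events: iterable of (timestamp_seconds, sshd_message) in time order.
    Returns [(timestamp, rule_id, srcip), ...] in firing order.
    Simplified model (assumption, not Wazuh's exact bookkeeping): a rule fires when at
    least `frequency` decoded failures from one srcip fall within `timeframe` seconds;
    that rule's window for the srcip is then cleared so one burst yields one alert."""
    windows = {r["id"]: defaultdict(deque) for r in rules}
    alerts = []
    for ts, msg in events:
        m = FAILED_RE.search(msg)
        if not m:
            continue  # would not match rule 100010, so it never feeds the correlation rules
        srcip = m.group(2)
        for r in rules:
            window = windows[r["id"]][srcip]
            window.append(ts)
            while window and ts - window[0] > r["timeframe"]:
                window.popleft()  # drop failures older than the rule's timeframe
            if len(window) >= r["frequency"]:
                alerts.append((ts, r["id"], srcip))
                window.clear()
    return alerts


def sample_events():
    """Constructed sshd lines (not real log data): a fast burst from 10.0.0.5
    (12 failures, 2 s apart) and a slow trickle from 10.0.0.9 (6 failures, 2 min apart)."""
    fast = [(2 * i, f"Failed password for root from 10.0.0.5 port {40000 + i} ssh2") for i in range(12)]
    slow = [(120 * i, f"Failed password for bob from 10.0.0.9 port {50000 + i} ssh2") for i in range(6)]
    return sorted(fast + slow)


if __name__ == "__main__":
    for ts, rule_id, ip in correlate(sample_events()):
        print(f"t={ts:4d}s rule {rule_id} fired for {ip}")
```

The slow trickle from 10.0.0.9 never fires either rule: six failures spread over ten minutes stay under five per 300 s, which is why the 100011 window deserves tuning for your environment.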
Testing the Lab
# Generate failed logins against the local sshd, non-interactively (needs sshpass installed and
# an existing local account, here "baduser", so sshd logs "Failed password" rather than "Invalid user")
for i in {1..15}; do
sshpass -p 'wrong-password' ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no baduser@localhost true
sleep 2
done
# Check active response (firewall-drop blocks the alert's source IP, which here is 127.0.0.1 for the
# 600 s timeout; prefer running the loop from a second lab host)
iptables -L INPUT -v -n
Lab 3: Compliance Monitoring (PCI DSS)
Objective
Configure Wazuh for PCI DSS compliance monitoring including credit card data protection and access controls.
Configuration Steps
1. Enable PCI DSS Rootchecks
Edit /var/ossec/etc/shared/default/agent.conf:
<agent_config>
<rootcheck>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
</rootcheck>
</agent_config>
2. Configure PCI DSS Rules
Create PCI DSS specific rules:
<group name="pci_dss">
<!-- 5301: failed su, 5401: failed sudo (5402 would be a successful sudo to root) -->
<rule id="100020" level="7">
<if_sid>5301,5401</if_sid>
<description>PCI DSS - Failed privilege escalation attempt</description>
<group>pci_dss_10.2.5,privilege_escalation</group>
</rule>
<!-- Wazuh's default regex engine has no {n} quantifiers or character classes; type="pcre2" (Wazuh 4.3+) provides them -->
<rule id="100021" level="12">
<if_sid>31100</if_sid>
<regex type="pcre2">\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b</regex>
<description>PCI DSS - Potential credit card number in logs</description>
<group>pci_dss_3.4,data_protection</group>
</rule>
</group>
3. Set up Automated Reporting
Configure automated PCI DSS reports:
# Create report script (the Wazuh API has no dedicated PCI endpoint; this exports the rootcheck
# findings produced by the PCI DSS system audit policies enabled in step 1)
cat > /usr/local/bin/pci_report.sh << 'EOF'
#!/bin/bash
# Wazuh API credentials (replace the default password) and the agent to report on
API_USER="wazuh"; API_PASS="password"; AGENT_ID="${1:-001}"
# Authenticate and obtain a JWT; raw=true returns the bare token
TOKEN=$(curl -s -k -u "${API_USER}:${API_PASS}" -X POST "https://localhost:55000/security/user/authenticate?raw=true")
# Generate PCI DSS compliance report from the agent's rootcheck results
curl -s -k -H "Authorization: Bearer ${TOKEN}" -X GET "https://localhost:55000/rootcheck/${AGENT_ID}" > /var/log/pci_report.json
EOF
chmod +x /usr/local/bin/pci_report.sh
# Schedule weekly reports without overwriting existing cron entries
(crontab -l 2>/dev/null; echo "0 9 * * 1 /usr/local/bin/pci_report.sh") | crontab -
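Rule 100021 fires on any sixteen digits, including order numbers and identifiers, so alert triage usually adds a Luhn check. The following added Python script (not part of this guide or of Wazuh) applies the rule's pattern to constructed full_log values and keeps only Luhn-valid candidates, masked to the last four digits as PCI DSS 3.4 requires.

```python
import re

# Same pattern as rule 100021 above, in PCRE2/Python syntax; the \b anchors keep it from
# matching inside longer digit runs such as timestamps or order numbers.
PAN_RE = re.compile(r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check over a digit string with separators already removed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Render a PAN the way PCI DSS 3.4 expects it displayed: only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def triage(full_logs):
    """Given the full_log strings of rule 100021 alerts, return (log, masked_pan) only for
    candidates that pass Luhn; regex-only hits that fail Luhn are likely false positives."""
    hits = []
    for line in full_logs:
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[- ]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((line, mask(digits)))
    return hits


# Constructed Apache access-log lines standing in for alert full_log fields (not real data).
# 4111111111111111 is the well-known Visa test number and passes Luhn; the order number does not.
SAMPLE_FULL_LOGS = [
    '10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "POST /checkout?card=4111-1111-1111-1111 HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Jan/2024:10:00:01 +0000] "GET /order/1234-5678-9012-3456 HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /report?id=20240101123456 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for line, masked in triage(SAMPLE_FULL_LOGS):
        print(masked, "<-", line)
```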
Performance Tuning and Optimization
Memory and CPU Optimization
Optimize Wazuh Manager Configuration
<global>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>localhost</smtp_server>
<email_from>wazuh@example.com</email_from>
<email_to>soc@example.com</email_to>
<email_maxperhour>12</email_maxperhour>
</global>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>udp</protocol>
<queue_size>131072</queue_size>
</remote>
Indexer Performance Tuning
Edit /etc/wazuh-indexer/opensearch.yml:
# Memory settings
bootstrap.memory_lock: true
# Thread pool settings
thread_pool.write.queue_size: 1000
thread_pool.search.queue_size: 1000
# Index settings
indices.query.bool.max_clause_count: 10000
indices.fielddata.cache.size: 20%
Storage Optimization
Configure Index Lifecycle Management
# Create an ISM policy: the Wazuh indexer is OpenSearch, which uses Index State Management under
# _plugins/_ism rather than Elasticsearch ILM, and it listens on HTTPS with authentication.
# Wazuh already creates one wazuh-alerts index per day, so no rollover action is needed.
curl -k -u admin:<admin-password> -X PUT "https://localhost:9200/_plugins/_ism/policies/wazuh-policy" -H 'Content-Type: application/json' -d'
{
"policy": {
"description": "Drop replicas after 7 days, delete after 90 days",
"default_state": "hot",
"states": [
{
"name": "hot",
"actions": [],
"transitions": [
{ "state_name": "warm", "conditions": { "min_index_age": "7d" } }
]
},
{
"name": "warm",
"actions": [ { "replica_count": { "number_of_replicas": 0 } } ],
"transitions": [
{ "state_name": "delete", "conditions": { "min_index_age": "90d" } }
]
},
{
"name": "delete",
"actions": [ { "delete": {} } ],
"transitions": []
}
],
"ism_template": [
{ "index_patterns": ["wazuh-alerts-*"], "priority": 100 }
]
}
}'
Troubleshooting Common Issues
Agent Connection Problems
Check Agent Status
# On manager: list agents and their connection state
/var/ossec/bin/agent_control -l
# On agent: check the local services and look for connection errors
/var/ossec/bin/wazuh-control status
grep -iE "connected to|unable to connect|error" /var/ossec/logs/ossec.log | tail -n 20
Fix Agent Authentication Issues
# Remove agent
/var/ossec/bin/manage_agents -r agent_id
# Re-register agent
/var/ossec/bin/agent-auth -m manager_ip -A agent_name
Performance Issues
Monitor Resource Usage
# Check manager statistics (events received/processed, queue usage) from the analysisd state file
cat /var/ossec/var/run/wazuh-analysisd.state
# Monitor agent message queue status from the remoted state file
cat /var/ossec/var/run/wazuh-remoted.state
Dashboard Access Problems
Check Service Status
systemctl status wazuh-dashboard
systemctl status wazuh-indexer
systemctl status wazuh-manager
# Check logs (the indexer log is named after the cluster, wazuh-cluster by default; the dashboard logs to the journal)
tail -f /var/ossec/logs/ossec.log
tail -f /var/log/wazuh-indexer/wazuh-cluster.log
journalctl -u wazuh-dashboard -f
Best Practices and Security Recommendations
Security Hardening
- Enable SSL/TLS everywhere
- Use strong authentication
- Implement proper firewall rules
- Regular security updates
- Monitor administrative access
Operational Best Practices
- Regular backups of configuration
- Document all customizations
- Test in staging environment
- Monitor system resources
- Implement log rotation
Scaling Considerations
- Use distributed architecture
- Implement load balancing
- Plan for growth
- Monitor performance metrics
- Consider cloud deployment
Conclusion
Wazuh provides a comprehensive security monitoring solution that can be tailored to meet various organizational needs. From basic installation to advanced threat detection and compliance monitoring, this guide has covered the essential aspects of deploying and configuring Wazuh effectively.
The labs provided demonstrate practical implementation scenarios that security teams commonly encounter. By following these examples and best practices, organizations can build a robust security monitoring infrastructure that provides real-time threat detection, compliance reporting, and incident response capabilities.
Remember to regularly update your Wazuh deployment, review and tune your rules, and continuously monitor performance to ensure optimal security coverage for your environment.
For additional resources and community support, visit the official Wazuh documentation at https://documentation.wazuh.com and join the community forums for ongoing assistance and knowledge sharing.