Join the Webinar | Strong Protection Against Cyber Threats

What is Wazuh?

Wazuh is an open source Host Detection System (HIDS).

Wazuh is a free, open source, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. Wazuh is used to collect, index and analyze security data to help organizations detect intrusions, threats and behavioral anomalies.

Wazuh has features such as Windows registry monitoring, rootkit detection, file integrity checks, and instant alerts and response.

There are two different distribution options for Wazuh:

  1. All-in-one distributionWazuh And elasticsearch For Open Distribution is installed on the same host.
  2. Distributed Distribution: Each component is installed on a separate host as a single node or a cluster of multiple nodes. This type of deployment ensures high availability and scalability of the product and is suitable for large operating environments.

Wazuh Installation

Wazuh contains the following components;

  • Wazuh Server
  • Elastic Stack (ELK)
  • Wazuh Agent

Now let's take a look at how to install and configure it.

Install Wazuh and Open Distro for Elasticsearch components in an all-in-one distribution. Here I will be talking about the installation step by step.

ubuntu I will install it on the operating system.

Adding the Wazuh Repository

  • First, we will install the necessary packages for installation.

  • Installing GPG key

  • Adding the repository
  • Updating package information

 2) Installing Wazuh manager

  • Installing the Wazuh admin package

  • Activating and starting the Wazuh admin service.

  • The following command can be run to find out the status of the Wazuh manager.

And the output of the command should be like this.

3) Installing Elasticsearch

  • Installing Elasticsearch and opening the distribution for Elasticsearch

4) Configuring Elasticsearch

  • We run the command below to download the configuration file.

5) Setting Elasticsearch users and roles

  • In order to use Kibana correctly, we need to add users and roles. To do this, we need to run the following commands in order.

6) Create a certificate

  • To remove demo certificates, run the following command.
  • To create and distribute certificates, we must run the following commands respectively.
  • We run the following command to create the certificates.
  • We can run the following commands to move Elasticsearch certificates to their relevant locations.
  • We run the following commands to enable and start the Elasticsearch service.
  • We use the following command to run the Elasticsearch script to load and initialize the new certificate information.
  • We run the following command to check whether Elasticsearch has been installed successfully.

To view via localhost, we paste the following command into our browser and get a result like the image.

7) Install Filebeat

filebeatis the tool on the Wazuh server that securely forwards alerts and logged events to Elasticsearch.

  • The Filebeat package is installed as follows.
  • We use the following command to download the pre-configured Filebeat configuration file used to forward Wazuh alerts to Elasticsearch.
  • We download the alert template for Elasticsearch.
  • We download the Wazuh module for Filebeat.
  • We copy Elasticsearch certificates.

  • We enable and start the Filebeat service with the following commands.

8) Installing Kibana

Kibana is a flexible and intuitive web interface for visualizing and interfacing events stored in Elasticsearch.

  • Let's install the Kibana package.
  • Let's download the Kibana configuration file.
  • We create the following directory and run the following commands respectively.
  • We are installing the Wazuh Kibana plugin. The plugin should be installed from the Kibana main directory as follows.
  • We copy the Elasticsearch certificates here and run the following commands.

  • We connect the Kibana socket to privileged port 443.
  • We enable and start the Kibana service.
  • We check the Kibana status with the following command.
  • We access the web interface as follows.

I "wazuh_server_ipI write the IP address in the ” section. And a login screen appears like the one below.

 

Categories Articles