What is Wazuh?

Wazuh is an open-source security monitoring platform that helps organizations detect threats, monitor integrity, and ensure compliance. It is a comprehensive and scalable solution that integrates with various tools to provide real-time security analytics. Wazuh is built on the OSSEC (Open Source Host-based Intrusion Detection System) framework and extends its capabilities, offering enhanced features for threat detection, log data analysis, and response to security incidents.

Key Features of Wazuh

1. Intrusion Detection

Wazuh provides real-time intrusion detection by monitoring and analyzing activities on endpoints. It detects anomalies, policy violations, and potential threats.

2. Log Data Analysis

It collects and analyzes log data from various sources, including firewalls, IDS/IPS systems, and applications. This helps in identifying suspicious activities and security breaches.

3. Vulnerability Detection

Wazuh scans systems for vulnerabilities, providing detailed reports on security issues and remediation steps.

4. Configuration Assessment

It ensures systems comply with security policies and best practices by performing configuration assessments and reporting deviations.

5. File Integrity Monitoring

Wazuh monitors file changes across the system, detecting unauthorized modifications to critical files.

6. Security Information and Event Management (SIEM)

Wazuh integrates with the Elastic Stack (Elasticsearch and Kibana) and other SIEM platforms to offer comprehensive security monitoring and analytics.

Installing and Configuring Wazuh on Ubuntu

Prerequisites

Before installing Wazuh, ensure that your Ubuntu system is updated:

sudo apt update
sudo apt upgrade

Step 1: Install Wazuh Manager

The Wazuh Manager is the core component responsible for processing data received from the agents.

  1. Add the Wazuh repository:

     curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
     echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

  2. Install the Wazuh Manager:

     sudo apt update
     sudo apt install wazuh-manager

  3. Start and enable the Wazuh Manager service:

     sudo systemctl start wazuh-manager
     sudo systemctl enable wazuh-manager

Step 2: Install and Configure Elasticsearch

Elasticsearch is used to store and search the data collected by Wazuh.

  1. Import the Elasticsearch PGP key:

     wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

  2. Add the Elasticsearch repository:

     sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list'

  3. Install Elasticsearch:

     sudo apt update
     sudo apt install elasticsearch

  4. Start and enable the Elasticsearch service:

     sudo systemctl start elasticsearch
     sudo systemctl enable elasticsearch

  5. Edit the Elasticsearch configuration file to set the bind address, the HTTP port and single-node discovery mode:

     sudo nano /etc/elasticsearch/elasticsearch.yml

     Add the following lines:

     network.host: 0.0.0.0
     http.port: 9200
     discovery.type: single-node

Step 3: Install and Configure Kibana

Kibana is used for visualizing the data stored in Elasticsearch.

  1. Install Kibana:

     sudo apt update
     sudo apt install kibana

  2. Start and enable the Kibana service:

     sudo systemctl start kibana
     sudo systemctl enable kibana

  3. Edit the Kibana configuration file to enable access:

     sudo nano /etc/kibana/kibana.yml

     Add the following lines:

     server.port: 5601
     server.host: "0.0.0.0"
     elasticsearch.hosts: ["http://localhost:9200"]
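
With the lines above, both Elasticsearch (network.host: 0.0.0.0, port 9200) and Kibana (server.host: "0.0.0.0", port 5601) listen on every interface, so the indexed alerts are reachable by anyone who can route to those ports unless TLS and authentication sit in front. The script below is an added example, not code from the original post, from the Wazuh project or from Elastic: it parses the plain key: value lines this guide adds from copies of elasticsearch.yml and kibana.yml, classifies each bind address, and returns non-zero when a service is exposed so a provisioning script can stop. The sample files are constructed in a temporary directory; their paths and the hardened loopback variant are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post, the Wazuh project or Elastic):
# audit the elasticsearch.yml and kibana.yml lines this guide adds and flag
# any service bound to every interface. Only plain "key: value" lines are
# parsed; nested YAML in real files is out of scope for this check.

# Print the value of top-level key $2 in file $1, with surrounding quotes
# and trailing "# comments" stripped. Prints nothing if the key is absent.
config_value() {
    grep -E "^[[:space:]]*$2:" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2:[[:space:]]*//; s/[[:space:]]*#.*$//" \
        | tr -d "\"'"
}

# Classify the bind address stored under key $2 in file $1:
#   exposed  - listens on every interface (0.0.0.0, ::, 0, _global_)
#   local    - loopback only
#   specific - one address or interface name
#   unset    - key absent, so the service default applies
bind_status() {
    value=$(config_value "$1" "$2")
    case "$value" in
        "")                                echo unset ;;
        0.0.0.0|"::"|0|_global_)           echo exposed ;;
        127.0.0.1|"::1"|localhost|_local_) echo local ;;
        *)                                 echo specific ;;
    esac
}

# Audit both files: one report line per service, return 1 if either is
# exposed on all interfaces so a provisioning script can stop and require
# TLS and authentication (or a loopback bind behind a reverse proxy) first.
audit_elastic_stack() {
    rc=0
    es_status=$(bind_status "$1" network.host)
    echo "elasticsearch: network.host is $es_status (http.port $(config_value "$1" http.port))"
    [ "$es_status" = exposed ] && rc=1
    kb_status=$(bind_status "$2" server.host)
    echo "kibana: server.host is $kb_status (server.port $(config_value "$2" server.port))"
    [ "$kb_status" = exposed ] && rc=1
    return $rc
}

# Constructed sample files containing exactly the lines the guide adds.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/elasticsearch.yml" <<'EOF'
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
EOF
cat > "$SAMPLE_DIR/kibana.yml" <<'EOF'
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
EOF
# Constructed hardened variant: Elasticsearch reachable only from this host.
cat > "$SAMPLE_DIR/elasticsearch-local.yml" <<'EOF'
network.host: 127.0.0.1   # loopback only; Kibana on the same host still works
http.port: 9200
discovery.type: single-node
EOF

if audit_elastic_stack "$SAMPLE_DIR/elasticsearch.yml" "$SAMPLE_DIR/kibana.yml"; then
    echo "OK: nothing is bound to all interfaces"
else
    echo "WARNING: restrict network.host / server.host, or front the services with TLS and authentication"
fi
```

Run it against the real /etc/elasticsearch/elasticsearch.yml and /etc/kibana/kibana.yml after editing them; since Kibana talks to Elasticsearch over http://localhost:9200 in this guide, Elasticsearch itself can stay on 127.0.0.1 without breaking the dashboard.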

Step 4: Install Wazuh API

The Wazuh API allows interaction with the Wazuh Manager via RESTful web services.

  1. Install Node.js and npm:

     curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -
     sudo apt install nodejs

  2. Install the Wazuh API:

     sudo apt update
     sudo apt install wazuh-api

  3. Start and enable the Wazuh API service:

     sudo systemctl start wazuh-api
     sudo systemctl enable wazuh-api

Step 5: Install Wazuh Agent

The Wazuh Agent is installed on the endpoints to collect and send data to the Wazuh Manager.

  1. Add the Wazuh repository on the endpoint machine:

     curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
     echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

  2. Install the Wazuh Agent:

     sudo apt update
     sudo apt install wazuh-agent

  3. Configure the Wazuh Agent to communicate with the Wazuh Manager:

     sudo nano /var/ossec/etc/ossec.conf

     Add or modify the <server> section:

     <server>
       <address>IP_of_Wazuh_Manager</address>
     </server>

  4. Start and enable the Wazuh Agent service:

     sudo systemctl start wazuh-agent
     sudo systemctl enable wazuh-agent
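
In the agent's ossec.conf the <server> element sits inside <client>, and an agent left with the IP_of_Wazuh_Manager placeholder never connects. The script below is an added example, not code from the original post or from the Wazuh project: it validates the manager address before anything is written (the placeholder fails because of its underscores, and a malformed IPv4 address is rejected), swaps the address into the <server> section of a copy of the file, keeps a .bak, and reads the value back. The ossec.conf fragment is constructed, and 192.0.2.10 is a documentation-range address standing in for a real manager.

```shell
#!/bin/sh
# Added example (not from the original post or the Wazuh project): validate a
# manager address, write it into the <server> section of an agent ossec.conf
# copy, and read it back. The sample file below is a constructed fragment.

# True if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots inside a subshell so the caller's IFS is untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# True if $1 is an IPv4 address or a hostname (letters, digits, dots,
# hyphens). The guide's IP_of_Wazuh_Manager placeholder fails on the
# underscores, so it can never be written by mistake.
valid_manager_address() {
    if valid_ipv4 "$1"; then return 0; fi
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
    esac
    case "$1" in
        *[A-Za-z]*) return 0 ;;   # a hostname needs at least one letter
    esac
    return 1
}

# Print the <server> block the guide shows, for a validated address.
render_server_block() {
    valid_manager_address "$1" || return 1
    printf '<server>\n  <address>%s</address>\n</server>\n' "$1"
}

# Print the address currently configured in the <server> section of $1.
manager_address() {
    sed -n '/<server>/,/<\/server>/ s|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# Replace the <address> inside <server> in file $1 with $2, keeping a .bak
# copy. Refuses invalid addresses and files without a <server> address.
set_manager_address() {
    file=$1 addr=$2
    if ! valid_manager_address "$addr"; then
        echo "refusing to write '$addr': not an IPv4 address or hostname" >&2
        return 1
    fi
    if [ -z "$(manager_address "$file")" ]; then
        echo "no <address> inside <server> in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    sed "/<server>/,/<\/server>/ s|<address>[^<]*</address>|<address>$addr</address>|" \
        "$file.bak" > "$file"
}

# Constructed fragment of an agent ossec.conf; the real file holds much more.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>IP_of_Wazuh_Manager</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF

# 192.0.2.10 is a documentation-range address standing in for the manager.
render_server_block 192.0.2.10
set_manager_address "$SAMPLE_CONF" 192.0.2.10
echo "agent now points at: $(manager_address "$SAMPLE_CONF")"
```

To use it on a real endpoint, point set_manager_address at /var/ossec/etc/ossec.conf (as root), restart wazuh-agent, and confirm in /var/ossec/logs/ossec.log that the agent reports a connection to the manager rather than a name-resolution or refused-connection error.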

Step 6: Accessing Wazuh Dashboard

  1. Open your web browser and navigate to http://<your-server-ip>:5601.
  2. Configure the Wazuh plugin in Kibana by navigating to the Wazuh app in the Kibana sidebar.

Interesting Packages and Extensions

  1. Wazuh App for Splunk: Integrate Wazuh with Splunk for advanced data analysis.
  2. Wazuh Docker: Run Wazuh in a containerized environment for ease of deployment and scalability.
  3. Suricata: Use Suricata for network monitoring and integrate it with Wazuh for comprehensive security monitoring.
  4. Grafana: Combine Grafana with Wazuh for enhanced visualization capabilities.

Conclusion

Wazuh is a powerful and flexible security monitoring platform that provides a wide range of features to enhance your organization’s security posture. By following this guide, you can install and configure Wazuh on Ubuntu, enabling you to detect threats, monitor system integrity, and ensure compliance effectively. Whether you’re a small business or a large enterprise, Wazuh offers the tools you need to protect your systems and data.

By 9M2PJU

An amateur radio operator, military veteran, jack of all trades and master of none.
