Step-by-step setup of Wazuh SIEM/FIM tools on Ubuntu Server

By

 

Step-by-step setup of Wazuh SIEM/FIM tools on Ubuntu Server

FIM -- File integrity monitoring 

SIEM -- Security Information and Event Management

 

Server and Clinet same network

 

Hardware Configuration 4 CPU and 8/16GB RAM requred

1.    sudo apt update

2.    curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a --ignore-check

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

 

timedatectl list-timezones

sudo timedatectl set-timezone Asia/Kolkata

 

User: admin

    Password: nKRW5.IuBfTXOtcRDLQ1JRx?1Ef.17P?

 

3.    With this, your Wazuh server is ready. Copy the provided credentials from the terminal, enter the server IP into your browser, and proceed to login. Navigate to https:// 35.154.161.244  in your web browser, log in using the provided credentials, and start exploring your Wazuh SIEM dashboard.

 

    • Linux: /var/ossec/etc/ossec.conf

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Client Installation Ubuntu

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.5-1_amd64.deb && sudo WAZUH_MANAGER='3.110.69.244' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Ubuntu-1' dpkg -i ./wazuh-agent_4.7.5-1_amd64.deb

'3.110.69.244' – Change Server IP

sudo systemctl daemon-reload

sudo systemctl enable wazuh-agent

sudo systemctl start wazuh-agent

 

sudo systemctl daemon-reload

sudo systemctl enable wazuh-agent

sudo systemctl start wazuh-agent

 

Linux: /var/ossec/etc/ossec.conf

 

 

 

 

 

 

 

 

 

 

 

 

Client Installation Windows

Run the following commands to download and install the agent in PowerShell run as Administrator

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='3.110.69.244' WAZUH_AGENT_NAME='windows-pc' WAZUH_REGISTRATION_SERVER='3.110.69.244'

'3.110.69.244' -Replace Server IP

Start the agent:

NET START WazuhSvc

 

Windows: C:\Program Files (x86)\ossec-agent\ossec.conf

Windows: Restart-Service -Name wazuh

 

 

 

  1. Add the following settings to the Wazuh agent configuration file, replacing the directories values with your own filepaths:
    • Linux: /var/ossec/etc/ossec.conf
    • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
    • macOS: /Library/Ossec/etc/ossec.conf
  2. <syscheck>
  3.    <directories><FILEPATH_OF_MONITORED_FILE></directories>
  4.    <directories><FILEPATH_OF_MONITORED_DIRECTORY></directories>
  5. </syscheck>
  6. Restart the Wazuh agent with administrator privilege to apply any configuration change:
    • Linux: systemctl restart wazuh-agent
    • Windows: Restart-Service -Name wazuh
    • macOS: /Library/Ossec/bin/wazuh-control restart
  7. Add the following settings to the Wazuh agent configuration file:
    • Linux: /var/ossec/etc/ossec.conf
    • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf

9.     <syscheck>

10.       <directories realtime="yes"><FILEPATH_OF_MONITORED_DIRECTORY></directories>

11.    </syscheck>

  1. Restart the Wazuh agent with administrator privilege to apply any configuration change:
    • Linux: systemctl restart wazuh-agent
    • Windows: Restart-Service -Name wazuh

 

Comments

Post a Comment

Popular posts from this blog

How to install and configure OSSEC server and client

By
How to install and configure OSSEC server and client sudo timedatectl set-timezone Asia/Calcutta Asia/Calcutta   1. sudo apt-get update && sudo apt-get upgrade -y 2. sudo apt-get install build-essential libevent-dev zlib1g-dev libssl-dev unzip wget -y 3. sudo apt-get install libpcre2-dev 4. sudo apt-get install libsystemd-dev 5. wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz 6. tar -xvzf 3.7.0.tar.gz 7. cd ossec-hids-3.7.0 8. sudo ./install.sh 9. sudo /var/ossec/bin/ossec-control start   Configure OSSEC nano /var/ossec/etc/ossec.conf Update below <global>     <email_notification>yes</email_notification>     <email_to>root@localhost</email_to>     <smtp_server>127.0.0.1</smtp_server>     <email_from>ossecm@localhost</email_from> </global>   <global>     <emai...
Read more

Autodesk Maya 2024 Install Windows 11

By
 1) Install Autodesk Application - Do Not Start it yet  2) Install the Autodesk network license manager (v11.18.0) from crack folder (NLM.msi Update 8)      -Default install is "C:\Autodesk\Network License Manager"     -Stop any running instance (lmgrd, adskflex) if you have one     -Replace adskflex.exe by cracked one   3) Replace the version.dll - \Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\ 4) Edit lic.dat and change HOSTNAME and MAC to suit your configuration (if you are not sure start LMTOOLS Utility and go to     System Settings, your HOSTNAME and MAC will be listed)    You can change vendor port too and add your previous licenses of course :)    Save lic.dat where you want (we suggest to "C:\Autodesk\Network License Manager" folder) 5) You have 2 options:     1)Start Network License Manager manually :     Run the license manager w...
Read more

Wazuh Server Detecting unauthorized processes

By
  Wazuh Server Detecting unauthorized processes Ubuntu endpoint Take the following steps to configure command monitoring and query a list of all running processes on the Ubuntu endpoint. Add the following configuration block to the Wazuh agent  nano/var/ossec/etc/ossec.conf file. This allows to periodically get a list of running processes: <ossec_config>   <localfile>     <log_format>full_command</log_format>     <alias>process list</alias>     <command>ps -e -o pid,uname,command</command>     <frequency>30</frequency>   </localfile> </ossec_config> Restart the Wazuh agent to apply the changes: $ sudo systemctl restart wazuh-agent Install Netcat and the required dependencies: $ sudo apt install ncat nmap -y   Wazuh server Add the following rules to the /var/ossec/etc/rules/local_rules....
Read more