Deploying Wazuh in a home lab

In this post we’re going to deploy Wazuh. According to its website, Wazuh is a free and open source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.

Wazuh helps organizations and individuals to protect their data assets against security threats. It is widely used by thousands of organizations worldwide, from small businesses to large enterprises.

Downloading Wazuh image

In this link we can download the OVA to deploy Wazuh in VMware or VirtualBox. After downloading the OVA, we only have to import it and start it.

The credentials to log in are:

  • user: wazuh-user
  • pass: wazuh

Then, we check the IP address to use in the browser with:

ip a

In this case it is: 192.168.197.139

The Wazuh dashboard can be accessed from the web interface by using the following credentials:

  • URL: https://
  • user: admin
  • pass: admin

Deploying agents

In the modules section, we confirm there are no agents enrolled in our Wazuh server and we select Add agent to enroll our clients.

Next, we select the options that match the client where the agent will be installed. In this scenario, Windows 10 and Ubuntu will be enrolled in the Wazuh server.

For Windows 10, these are the options:

  • operating system: Windows
  • Wazuh server address: 192.168.197.139 (ip address of Wazuh server)
  • agent group: default
  • copy the command to execute in PowerShell on the client:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.7-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.7.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.7.msi /q WAZUH_MANAGER='192.168.197.139' WAZUH_REGISTRATION_SERVER='192.168.197.139' WAZUH_AGENT_GROUP='default'
NET START WazuhSvc
  • start the Wazuh service on the Windows client with NET START WazuhSvc

In Ubuntu, the steps are similar; we only have to change the operating system to Debian / Ubuntu, and the command is:

curl -so wazuh-agent-4.3.7.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.7-1_amd64.deb && sudo WAZUH_MANAGER='192.168.197.139' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.7.deb

Finally, we start the Wazuh agent and confirm it is working correctly with:

systemctl daemon-reload
systemctl enable wazuh-agent --now
systemctl status wazuh-agent
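
systemctl status only shows that the service is running, not that the agent has reached the manager. The following added example (not part of the original post) reads the agent's state file and the manager address in ossec.conf to check both. It assumes the default install paths /var/ossec/var/run/wazuh-agentd.state and /var/ossec/etc/ossec.conf; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the agent is connected to the manager, not only running.
# Assumed default paths; override them through the environment if needed.
STATE_FILE="${STATE_FILE:-/var/ossec/var/run/wazuh-agentd.state}"
CONF_FILE="${CONF_FILE:-/var/ossec/etc/ossec.conf}"

# Print the value of a key='value' line from the agent state file.
state_value() {   # $1 = key, $2 = state file
    sed -n "s/^$1='\(.*\)'\$/\1/p" "$2" | head -n 1
}

# Print the first manager address configured in ossec.conf.
configured_manager() {   # $1 = ossec.conf
    sed -n 's:.*<address>\(.*\)</address>.*:\1:p' "$1" | head -n 1
}

# Exit status: 0 connected to expected manager, 1 not connected, 2 wrong manager.
check_agent() {   # $1 = expected manager, $2 = state file, $3 = ossec.conf
    status=$(state_value status "$2")
    manager=$(configured_manager "$3")
    if [ "$manager" != "$1" ]; then
        echo "manager mismatch: configured '$manager', expected '$1'"
        return 2
    fi
    if [ "$status" != "connected" ]; then
        echo "agent not connected: status='$status'"
        return 1
    fi
    echo "agent connected to $manager (last ack: $(state_value last_ack "$2"))"
}

# Constructed sample files (not real agent output) so the check runs offline.
demo=$(mktemp -d)
printf '%s\n' "status='pending'" "last_keepalive=''" "last_ack=''" > "$demo/state"
printf '%s\n' '<ossec_config><client><server>' \
    '  <address>192.168.197.139</address>' \
    '</server></client></ossec_config>' > "$demo/ossec.conf"
check_agent 192.168.197.139 "$demo/state" "$demo/ossec.conf" || true

# On the enrolled Ubuntu client, run as root:
#   check_agent 192.168.197.139 "$STATE_FILE" "$CONF_FILE"
```

A status of pending right after installation usually means the agent has not yet completed its first connection to the manager.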

Exploring Dashboards

From the web interface, we can confirm the agents are enrolled:

Finally, we can see the information we can obtain in Wazuh, like security events and compliance results:

This post is licensed under CC BY 4.0 by the author.