Introduction
What is Wazuh?
• Wazuh is a free and open source security platform that delivers robust security monitoring and protection for IT assets using its unified Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities.
• Wazuh helps organizations and individuals to protect their data assets against security threats. It is widely used by thousands of organizations worldwide, from small businesses to large enterprises.
SIEM
• Security Information and Event Management
• Combines:
– Security Information Management
• Inventory, assets, installed software, ...
– Security Event Management
• Login attempts, access logs, ...
Wazuh as a SIEM
• Security Log Analysis
• Vulnerability Detection
• File Integrity Monitoring
• Security Configuration Assessment
• Regulatory Compliance
XDR
• eXtended Detection and Response
• Security Incident Detection and Response
– If the system detects a brute-force login attack, it might automatically add a firewall rule to block the attack.
Wazuh as an XDR
• Threat Hunting
• Behavioral Analysis
• Automated Response
• Cloud Workload Protection
Open Source
• Wazuh offers several advantages as an open source SIEM+XDR platform. It is customizable and can be modified to meet specific needs, giving greater flexibility and control over your environment.
Integration with 3rd Party
Architecture
• The Wazuh architecture is based on:
– Agents
– Agentless devices
– The central server, which decodes and analyzes the incoming information
– The Wazuh indexer, which receives information from the server for indexing and storage
How it Works
• The Wazuh solution is based on the Wazuh agent, which is deployed on the monitored endpoints, and on three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.
Components
• Agent
Installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines.
• Indexer
Highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
Components
• Server
It processes data through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
• Dashboard
Web user interface for data visualization and analysis.
Installation
Wazuh Installation Requirements
Agents    CPU       RAM      Storage (90 days)
1-25      4 vCPU    8 GiB    50 GB
25-50     8 vCPU    8 GiB    100 GB
50-100    8 vCPU    8 GiB    200 GB
• Recommended Operating Systems
– Amazon Linux 2, 2023
– Red Hat Linux 7, 8, 9
– Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04
– CentOS 7, 8
Installation Methods
Ready to Use Machines
• Virtual Machine OVA (Online/Offline)
• Amazon Machine Image (Online)
Containers
• Docker
• Kubernetes
Offline
• Download the components and later install them on a system with no internet access.
From Sources
• Installing the Wazuh manager without using a package manager. You compile the source code and copy the binaries to your computer instead.
Install Central Components using package manager (Manual)
Quick Install using script (Automated)
Installation Method - Workshop
• Download the Wazuh OVA file from https://packages.wazuh.com/4.x/vm/wazuh-4.12.0.ova
• Import the OVA file in VMware Workstation (File --> Open --> OVA file).
• The important thing to check is the Network Settings (Bridged / NAT / Host-only).
• Assign a static IP to the virtual machine.
– Easy method: “systemd-networkd.service”
Using “systemd-networkd”
• Check the name of your adapter using the command
$ ip a
• Open a new file using the command given below
$ sudo nano /etc/systemd/network/01-custom.network
Using “systemd-networkd”
• In the file, write the following text, then save (Ctrl+O, Enter) and exit (Ctrl+X)
[Match]
Name=eth0
[Network]
Address=192.168.1.10/24
Gateway=192.168.1.1
• Restart the network service using the command below
$ sudo systemctl restart systemd-networkd.service
Access Wazuh Dashboard
• Check the status of the following services before accessing the dashboard.
• All of the services must report an “active” status
– Indexer
$ sudo systemctl status wazuh-indexer.service
– Manager
$ sudo systemctl status wazuh-manager.service
– Dashboard
$ sudo systemctl status wazuh-dashboard.service
Access the dashboard using https://<ip-address>
Connecting Agents - Windows
• Download the Windows agent installer from https://packages.wazuh.com/4.x/windows/wazuh-agent-4.12.0-1.msi
• Execute the MSI file and install the agent.
• Open the agent's startup window, enter the Wazuh manager IP address, click Save and start the agent.
• Click Refresh and check the agent status.
Connecting Agents - Linux
• Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
• Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
• Update the package information:
# apt-get update
Connecting Agents - Linux
• Set the WAZUH_MANAGER variable to your Wazuh manager IP address or hostname.
# WAZUH_MANAGER="192.168.99.116" apt-get install wazuh-agent
• Enable and start the Wazuh agent service
# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent
• Recommended action: disable automatic Wazuh agent updates
# echo "wazuh-agent hold" | dpkg --set-selections
Centralized Management of Agents
ossec.conf
• The ossec.conf file is the main configuration file on the Wazuh manager, and it also plays an important role on the agents.
• Locations
– Linux: /var/ossec/etc/ossec.conf
– Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
• The ossec.conf file is in XML format, and all of its configuration options are nested in their appropriate section of the file. In this file, the outermost XML tag is <ossec_config>
ossec.conf
• An Example
<ossec_config>
  <alerts>
    <!--
    alerts options here
    -->
  </alerts>
</ossec_config>
agent.conf
• The agent.conf file is very similar to ossec.conf, but agent.conf is used to centrally distribute configuration information to agents
• When setting up remote commands in the shared agent configuration, you must enable remote commands for Agent Modules. This is enabled by adding the following line to the C:\Program Files (x86)\ossec-agent\local_internal_options.conf file on the agent:
wazuh_command.remote_commands=1
Agent Groups
• Agents can be grouped together in order to send them a unique centralized configuration that is group specific. Each agent can belong to more than one group, and unless otherwise configured, all agents belong to a group called default.
• The manager pushes all files included in the group folder to the agents belonging to this group. For example, all files in /var/ossec/etc/shared/default/ will be pushed to all agents belonging to the default group.
Agent Groups
• The agent.conf may exist in each group folder at /var/ossec/etc/shared.
• For example, for the “group1” group, it is in /var/ossec/etc/shared/group1/
• The file ar.conf (Active Response status) will always be sent to agents even if it is not present in the group folder.
• The agent will store the shared files in C:\Program Files (x86)\ossec-agent\shared\, not in a group folder.
agent.conf (Configure)
<agent_config name="agent_name">
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config os="Linux">
  <localfile>
    <location>/var/log/linux.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
agent.conf (Push)
• Each time you make a change to the agent.conf file, it is important to check for configuration errors. If any errors are reported by this check, they must be fixed before the next step:
/var/ossec/bin/verify-agent-conf
• Push the configuration to the agents:
– Automatically, checked every 10 seconds (pushed if the file has changed)
– By restarting the wazuh-manager.service
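The two slides above describe which agent_config blocks an agent receives (selected by the name and os attributes) and the verify-agent-conf check. This added example, not from the Wazuh project, parses the slide's agent.conf offline, performs the well-formedness part of that check, and lists the localfile locations a given agent would end up monitoring. It assumes that name must match the agent name exactly and that os is a substring match against the agent's OS string; both are assumptions, not Wazuh's documented matching rules.

```python
import xml.etree.ElementTree as ET

# Constructed agent.conf with the same two blocks as the slide
AGENT_CONF = """<agent_config name="agent_name">
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config os="Linux">
  <localfile>
    <location>/var/log/linux.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>"""


def parse_agent_conf(text):
    # agent.conf has no single root element, so wrap it before parsing
    return ET.fromstring("<root>" + text + "</root>")


def check_agent_conf(text):
    """Well-formedness check: the part of verify-agent-conf we can mimic offline."""
    try:
        parse_agent_conf(text)
        return True, "agent.conf is well-formed XML"
    except ET.ParseError as exc:
        return False, "agent.conf parse error: %s" % exc


def block_applies(block, agent_name, agent_os):
    # Assumption: name must match exactly, os is a substring of the agent's OS string
    name, os_ = block.get("name"), block.get("os")
    if name is not None and name != agent_name:
        return False
    if os_ is not None and os_ not in agent_os:
        return False
    return True


def monitored_locations(text, agent_name, agent_os):
    """List the <localfile> locations an agent would receive from this agent.conf."""
    root = parse_agent_conf(text)
    return [
        lf.findtext("location")
        for block in root.findall("agent_config")
        if block_applies(block, agent_name, agent_os)
        for lf in block.findall("localfile")
    ]
```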
agent.conf (Restart)
• By default, the agent restarts by itself automatically when it receives a new shared configuration.
• If auto_restart has been disabled (in the <client> section of the local configuration), the agent will have to be manually restarted so that the new agent.conf file will be used. This can be done as follows:
/var/ossec/bin/agent_control -R -u 1032
Grouping Agents
(image-only slides)
Precedence
• It is important to understand which configuration file takes precedence between ossec.conf and agent.conf.
• The ossec.conf file is read before the shared agent.conf, and the last configuration of any setting will overwrite the previous one.
Precedence - Example
ossec.conf
<sca>
  <enabled>no</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
  <policies>
    <policy>system_audit_rcl.yml</policy>
    <policy>system_audit_ssh.yml</policy>
    <policy>system_audit_pw.yml</policy>
  </policies>
</sca>
Precedence - Example
agent.conf
<sca>
  <enabled>yes</enabled>
  <policies>
    <policy>cis_debian_linux_rcl.yml</policy>
  </policies>
</sca>
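To make the precedence rule concrete, this added example (not Wazuh's own code) merges the two <sca> fragments from the slides in the order the agent reads them: ossec.conf first, then agent.conf, so the later scalar value wins. It assumes that the <policies> list accumulates entries from both files rather than being replaced, which matches the worked example in the Wazuh documentation but is an assumption here.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two fragments shown on the precedence slides
OSSEC_CONF_SCA = """<sca>
  <enabled>no</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
  <policies>
    <policy>system_audit_rcl.yml</policy>
    <policy>system_audit_ssh.yml</policy>
    <policy>system_audit_pw.yml</policy>
  </policies>
</sca>"""

AGENT_CONF_SCA = """<sca>
  <enabled>yes</enabled>
  <policies>
    <policy>cis_debian_linux_rcl.yml</policy>
  </policies>
</sca>"""


def sca_settings(xml_text):
    """Split one <sca> block into scalar settings and its policy list."""
    root = ET.fromstring(xml_text)
    scalars, policies = {}, []
    for child in root:
        if child.tag == "policies":
            policies.extend(p.text for p in child.findall("policy"))
        else:
            scalars[child.tag] = child.text
    return scalars, policies


def effective_sca(*fragments):
    """Apply fragments in read order; pass ossec.conf first, then agent.conf."""
    merged, merged_policies = {}, []
    for frag in fragments:
        scalars, policies = sca_settings(frag)
        merged.update(scalars)  # a later value overwrites an earlier one
        for p in policies:
            if p not in merged_policies:
                merged_policies.append(p)  # assumption: policy lists accumulate
    merged["policies"] = merged_policies
    return merged
```

Reversing the argument order shows why read order matters: with agent.conf applied first, ossec.conf's enabled=no would win.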
Thank You