Skip to content

Wazuh

Wazuh is an open-source security monitoring and compliance tool that provides comprehensive threat detection, security monitoring, and incident response capabilities. It offers log analysis, file integrity monitoring, and vulnerability detection by collecting and analyzing data from various sources across an organization’s IT infrastructure. Wazuh helps organizations identify potential security threats, comply with regulatory requirements, and improve their overall security posture by providing real-time alerts and actionable insights. Azure Marketplace: Wazuh

Note:

  • Please be aware that it takes 15-20 minutes before the system is up and running.
  • Please be patient , you can check uptime from terminal.

SSH Into the server:

  • Utilize Azure to setup user and ssh keys.
  • Make sure to allow ssh, https, and the ports mentioned in ports & protocols section in the network security group.

Wazuh Basics:

  • System - Ubuntu24LTS
  • How to Login:
# ssh into terminal & get the autogenerated login password:
sudo cat /opt/wazuh-install-files/wazuh-passwords.txt
# Look for the user admin and copy the password ( not the quotation marks ).
# Go to your web browser & Login
https://IP_WAZUH
User: admin
Password: (wazuh-passwords.txt)

  • Install Wazuh agent from the Wazuh Dashboard.
Dashboard > Server Management > Endpoints Summary > Deploy New Agent
1. Select Your OS.
2. Add your Wazuh Public IP or Domain.
3. Optional
4. Run Commands
5. Start Agent

Ports & Protocols:

# Agent connection service
1514 TCP (default) - Agent connection service
1515 TCP - Agent enrollment service

# Wazuh Syslog collector
514 UDP/TCP (default) - Wazuh Syslog collector 

# Wazuh server RESTful API
55000 TCP - Wazuh server RESTful API

# Wazuh dashboard
443 TCP - Wazuh web user interface

OPTIONAL: Dev API:

# Retrieve the password for Wazuh api user from the wazuh terminal.
sudo cat /opt/wazuh-install-files/wazuh-passwords.txt
# Now, switch to your desktop. Run Locally from your own computer. ( Linux OS EX: )
sudo vim wazuh-api.sh

#!/bin/bash
USER="wazuh"
PASSWORD="wazuh-passwords.txt"
IP="$(curl -s ifconfig.me):55000"
echo -e "\n- Getting token...\n"
TOKEN=$(curl -u "$USER:$PASSWORD" -k -X POST "https://$IP/security/user/authenticate?raw=true")
echo -e "\n- API calls with TOKEN environment variable ...\n"
echo -e "Getting default information:\n"
curl -k -X GET "https://$IP/?pretty=true" -H "Authorization: Bearer $TOKEN"
echo -e "\n\nGetting /agents/summary/os:\n"
curl -k -X GET "https://$IP/agents/summary/os?pretty=true" -H "Authorization: Bearer $TOKEN"
echo -e "\n\nEnd of the script.\n"

sudo chmod +x wazuh-api.sh
bash wazuh-api.sh

References:

  • https://documentation.wazuh.com/current/index.html