Instructions
Wazuh is an open-source security monitoring and compliance tool that provides comprehensive threat detection, security monitoring, and incident response capabilities. It offers log analysis, file integrity monitoring, and vulnerability detection by collecting and analyzing data from various sources across an organization’s IT infrastructure. Wazuh helps organizations identify potential security threats, comply with regulatory requirements, and improve their overall security posture by providing real-time alerts and actionable insights. GCP Marketplace: Wazuh
Note:
- Please be aware that it takes 10-15 minutes before the system is up and running.
- Please be patient; you can check the uptime from the terminal.
SSH Into the server:
- Utilize Google SSH Console or setup ssh keys or password.
Wazuh Basics:
- System - Ubuntu 24 LTS
- How to Login:
# ssh into terminal & get the autogenerated login password:
sudo cat /opt/wazuh-install-files/wazuh-passwords.txt
# Look for the user admin and copy its password (without the quotation marks).
# Go to your web browser & Login
https://IP_WAZUH
User: admin
Password: (wazuh-passwords.txt)
- Install Wazuh agent from the Wazuh Dashboard.
Dashboard > Server Management > Endpoints Summary > Deploy New Agent
1. Select Your OS.
2. Add your Wazuh Public IP or Domain.
3. Optional
4. Run Commands
5. Start Agent
Ports & Protocols:
# Agent connection service
1514 TCP (default) - Agent connection service
1515 TCP - Agent enrollment service
# Wazuh Syslog collector
514 UDP (default) - Wazuh Syslog collector (disabled by default)
514 TCP (optional) - Wazuh Syslog collector (disabled by default)
OPTIONAL: Install syslog-ng
# Wazuh server RESTful API
55000 TCP - Wazuh server RESTful API
# Wazuh dashboard
443 TCP - Wazuh web user interface
OPTIONAL: Syslog-ng:
- Makes using TLS certs easy.
# Allow firewall access
sudo ufw allow 514/tcp
# The image is Ubuntu 24 LTS, so use apt rather than yum
sudo apt install -y syslog-ng
cd /etc/syslog-ng/
# Generate certs
sudo openssl req -newkey rsa:2048 -nodes -keyout key.pem -out request.csr -subj "/C=US/ST=Any/L=Anytown/O=decyphertek-io/OU=adminotaur/CN=decyphertek"
sudo openssl x509 -req -days 3650 -in request.csr -signkey key.pem -out server-cert.pem
>>> Once syslog-ng has been started, upload server-cert.pem to the SaaS you want to forward syslog from.
sudo touch /var/log/syslog-ng.log
sudo vim syslog-ng.conf
# Keep default config and add the following.
# Wazuh / Syslog-NG - TLS Config
source s_network_tls {
    network(
        transport("tls")
        port(514)    # Port to listen on for TLS connections
        tls(
            key-file("/etc/syslog-ng/key.pem")
            cert-file("/etc/syslog-ng/server-cert.pem")
            peer-verify(optional-untrusted)
        )
    );
};
destination d_tls_logs {
    file("/var/log/syslog-ng.log");    # Path to save the logs received over TLS
};
log { source(s_network_tls); destination(d_tls_logs); };
sudo vim /var/ossec/etc/ossec.conf
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog-ng.log</location>
</localfile>
sudo systemctl daemon-reload
sudo systemctl enable syslog-ng
sudo systemctl start syslog-ng
sudo systemctl restart wazuh-manager
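Before pointing a SaaS at the collector, it is worth confirming that the TLS listener answers with the certificate generated above and that a line actually lands in /var/log/syslog-ng.log. The following sender is an added example, not part of the original instructions; it assumes server-cert.pem has been copied to the sending machine and uses the IP_WAZUH placeholder from the login step.

```python
"""Send one test syslog line to the syslog-ng TLS listener and verify its cert."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

WAZUH_HOST = "IP_WAZUH"          # placeholder, replace with the server's public IP
TLS_PORT = 514                   # port(514) in the syslog-ng config above
SERVER_CERT = "server-cert.pem"  # assumed: copied from /etc/syslog-ng on the server

# Constructed fixed timestamp so the formatting can be checked deterministically.
FIXED_TIME = datetime(2024, 1, 5, 12, 0, 0, tzinfo=timezone.utc)


def build_bsd_syslog(message: str, hostname: str = "tls-check",
                     tag: str = "wazuh-syslog-test", facility: int = 1,
                     severity: int = 6, when: Optional[datetime] = None) -> bytes:
    """Build a newline-terminated RFC 3164 line, the format syslog-ng's
    network() source parses by default. PRI is facility * 8 + severity;
    the day of month is space-padded as the RFC requires."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}\n".encode("utf-8")


def tls_context(cafile: str) -> ssl.SSLContext:
    """Trust only the collector's own self-signed certificate. The CN used in
    the openssl step is not a hostname, so hostname matching is disabled while
    chain verification against server-cert.pem stays mandatory."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_test_line(host: str, port: int, cafile: str, payload: bytes) -> dict:
    """Connect over TLS, send the line and report the negotiated session, so a
    plain-TCP listener or a wrong certificate fails loudly at the handshake."""
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
            return {"tls_version": tls.version(), "subject": subject,
                    "bytes_sent": len(payload)}


if __name__ == "__main__":
    print(send_test_line(WAZUH_HOST, TLS_PORT, SERVER_CERT,
                         build_bsd_syslog("TLS collector check")))
```

After running it, `sudo tail /var/log/syslog-ng.log` on the server should show the test line, and the Wazuh dashboard should show the corresponding event once the manager has read the file.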
OPTIONAL: Dev API:
# Retrieve the password for the Wazuh API user (wazuh) from the Wazuh server terminal.
sudo cat /opt/wazuh-install-files/wazuh-passwords.txt
# Now switch to your desktop and run the script locally from your own computer (Linux example):
sudo vim wazuh-api.sh
#!/bin/bash
USER="wazuh"
PASSWORD="<api_password from wazuh-passwords.txt>"   # paste the value, without the quotation marks
# Use the Wazuh server's public IP here; querying ifconfig.me would return this desktop's IP, not the server's
IP="IP_WAZUH:55000"
echo -e "\n- Getting token...\n"
TOKEN=$(curl -u "$USER:$PASSWORD" -k -X POST "https://$IP/security/user/authenticate?raw=true")
echo -e "\n- API calls with TOKEN environment variable ...\n"
echo -e "Getting default information:\n"
curl -k -X GET "https://$IP/?pretty=true" -H "Authorization: Bearer $TOKEN"
echo -e "\n\nGetting /agents/summary/os:\n"
curl -k -X GET "https://$IP/agents/summary/os?pretty=true" -H "Authorization: Bearer $TOKEN"
echo -e "\n\nEnd of the script.\n"
sudo chmod +x wazuh-api.sh
bash wazuh-api.sh
References:
- https://documentation.wazuh.com/current/index.html
- https://decyphertek.readthedocs.io/en/latest/products/gcp-wazuh-instructions/