Lab 3.2 Wazuh

You've seen what a centralized syslog server can do in terms of receipt and organization of log files from across the enterprise. In this lab, we are going to experiment with a far more modern logging system called Wazuh. Wazuh is one of several ELK-based SIEMs. We are using this one because of its relative ease of installation as well as its functionality. Unlike a traditional syslog client and server, Wazuh lets us install agents on supported systems. Agents can refine the information sent to the SIEM for streamlined analysis.

Installation

For a single-node installation of Wazuh, run the following command on your Wazuh server.

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i

NOTE: It takes a while for the installer to run. At the end you should see something like:

"You can access the web interface https://<wazuh-dashboard-ip>

User: admin

Password: <a longish random password>"

Make note of this!

Deliverable 1. A screenshot that clearly shows your Wazuh server as accessed via mgmt01, similar to the one below.

Wazuh/OSSEC Agent on web01

  • Go to the Groups screen in Wazuh

  • Create a group called linux

  • Go to the agents screen in Wazuh

  • Deploy a new agent with the following configuration:

    • Linux, RPM amd64

    • Server Address: 172.16.200.10

    • Group: linux (the group created above; group names are matched exactly)

  • Run the following command to install the agent on web01-hanne

    • make sure to run with sudo

curl -o wazuh-agent-4.7.5-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.5-1.x86_64.rpm && sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='Web01Agent' rpm -ihv wazuh-agent-4.7.5-1.x86_64.rpm

  • Start the agent

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent 
sudo systemctl start wazuh-agent 
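Before taking the Deliverable 2 screenshot it is worth confirming, on web01 itself, that the agent is pointed at the right manager and that enrollment actually produced a key. The script below is an added check written for this lab; it is not part of the lab handout or of Wazuh. It reads the standard agent files (/var/ossec/etc/ossec.conf and /var/ossec/etc/client.keys) and assumes the manager address and agent name used in the install command above. The helper functions take file paths as parameters so they can be exercised against sample files.

```shell
#!/bin/sh
# Added post-install check for the web01 agent (not part of the lab or of Wazuh).
# Expected values come from the agent install command used in this lab.
EXPECTED_MANAGER="172.16.200.10"
EXPECTED_AGENT_NAME="Web01Agent"

# Print the first manager address found in the <client><server> block of ossec.conf.
# $1: path to ossec.conf
configured_manager() {
    sed -n 's:.*<address>\([^<]*\)</address>.*:\1:p' "$1" | head -n 1
}

# Return 0 if client.keys has an entry for the agent name in $2.
# client.keys lines have the form: "ID NAME IP KEY"
# $1: path to client.keys, $2: agent name
agent_enrolled() {
    awk -v name="$2" '$2 == name { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

main() {
    conf=/var/ossec/etc/ossec.conf
    keys=/var/ossec/etc/client.keys
    mgr=$(configured_manager "$conf")
    if [ "$mgr" = "$EXPECTED_MANAGER" ]; then
        echo "ok: agent points at manager $mgr"
    else
        echo "FAIL: ossec.conf manager address is '$mgr', expected $EXPECTED_MANAGER"
    fi
    if agent_enrolled "$keys" "$EXPECTED_AGENT_NAME"; then
        echo "ok: $EXPECTED_AGENT_NAME has a key in client.keys"
    else
        echo "FAIL: no key for $EXPECTED_AGENT_NAME (enrollment did not complete)"
    fi
    echo "service: $(systemctl is-active wazuh-agent 2>/dev/null || echo unknown)"
    # The agent writes connection problems (for example an unreachable manager) here:
    tail -n 5 /var/ossec/logs/ossec.log 2>/dev/null
}

# Run the live checks only when invoked as: sudo sh check_agent.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sudo sh check_agent.sh run` on web01 (the files under /var/ossec are root-only). An agent that has a key but still shows as disconnected in the dashboard is usually a network or manager-side problem, and the last lines of the agent's ossec.log say which.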

Deliverable 2. Provide a Wazuh screenshot that shows the registered agent on web01.

Deliverable 3. Attempt an SSH login using an invalid user on web01, similar to the screenshot below. Search web01's Wazuh security events until you find the associated event.
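The event you are hunting for in Deliverable 3 originates as an sshd line of the form "Invalid user NAME from IP" in the host's auth log (/var/log/secure on RPM-based systems), which the agent forwards to the manager; there a decoder pulls out the user and source IP, and the stock sshd rules raise a low-level alert for a single non-existent-user attempt (rule 5710 in the default ruleset, to my knowledge) and escalate when the same source repeats it within a short window. The Python script below is an added illustration written for this lab, not Wazuh's code and not part of the handout: it re-implements that decode-then-correlate step in simplified form so you can see which fields end up in the alert and why a burst of attempts produces a higher-severity event. The log lines, the hostname web01 and the IPs 172.16.200.50 and 10.0.0.9 are constructed samples; the threshold and window are illustrative, not the ruleset's exact values.

```python
"""Simplified model of how an sshd "Invalid user" line becomes a Wazuh-style
alert: decode the syslog line, then apply a per-source frequency rule.
Added illustration for this lab; not Wazuh's own decoder or rules."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes to the auth log.
SAMPLE_LOG = """\
Apr  3 10:15:01 web01 sshd[2211]: Invalid user nosuchuser from 172.16.200.50 port 51122
Apr  3 10:15:04 web01 sshd[2211]: Failed password for invalid user nosuchuser from 172.16.200.50 port 51122 ssh2
Apr  3 10:15:09 web01 sshd[2215]: Invalid user admin from 172.16.200.50 port 51130
Apr  3 10:15:12 web01 sshd[2219]: Invalid user test from 172.16.200.50 port 51140
Apr  3 10:15:20 web01 sshd[2223]: Accepted publickey for champuser from 172.16.200.20 port 40000 ssh2
Apr  3 10:17:44 web01 sshd[2230]: Invalid user backup from 10.0.0.9 port 60010
"""

# syslog timestamp, hostname, sshd[pid], then the "Invalid user" message
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<srcuser>\S+) from (?P<srcip>[\d.]+)"
)


def decode_invalid_user(line):
    """Return the fields a decoder would extract, or None if the line is not
    an 'Invalid user' event (e.g. the follow-up 'Failed password' line)."""
    m = INVALID_USER_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults it, which is fine here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"timestamp": ts, "hostname": m.group("host"),
            "srcuser": m.group("srcuser"), "srcip": m.group("srcip")}


def correlate(lines, threshold=3, timeframe_seconds=120):
    """Emit one alert per decoded event. A single attempt is level 5; once a
    source IP reaches `threshold` attempts within `timeframe_seconds` the
    alert is escalated to level 10 (a frequency rule, simplified)."""
    recent = defaultdict(list)   # srcip -> timestamps inside the window
    alerts = []
    for line in lines:
        ev = decode_invalid_user(line)
        if ev is None:
            continue
        window = recent[ev["srcip"]]
        window.append(ev["timestamp"])
        # keep only attempts that fall inside the window ending at this event
        window = [t for t in window
                  if (ev["timestamp"] - t).total_seconds() <= timeframe_seconds]
        recent[ev["srcip"]] = window
        level = 5
        desc = "sshd: attempt to login using a non-existent user"
        if len(window) >= threshold:
            level = 10
            desc = "sshd: repeated non-existent-user attempts from one source"
        alerts.append({**ev, "level": level, "description": desc})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f'level {a["level"]:>2} {a["hostname"]} srcuser={a["srcuser"]:<10} '
              f'srcip={a["srcip"]:<15} {a["description"]}')
```

When you search the security events for web01 in the dashboard, the fields to filter on are the ones this decoder produces: the source user you typed and the IP you connected from. Note that the second sample line ("Failed password for invalid user ...") is a separate event that a real ruleset alerts on independently; this model deliberately ignores it to keep the counting simple.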

Deliverable 4. Create a Wazuh article in your tech journal. Cover the installation of the server, including agent installation. Find out where the agent files are located and peruse that directory structure.

Log storage file                          Log source   Description
/var/ossec/logs/ossec.log                 Internal     Stores all informational-level logs generated by the Wazuh server.
/var/ossec/logs/api.log                   Internal     Stores logs generated by the Wazuh application when interacting with the Wazuh server APIs.
/var/ossec/logs/cluster.log               Internal     Stores logs generated by the activities of the Wazuh cluster.
/var/ossec/logs/integrations.log          Internal     Stores logs generated by the Wazuh integration module when interfacing with third-party applications and systems.
/var/ossec/logs/active-responses.log      Internal     Stores logs generated by the Wazuh Active Response module.
/var/ossec/logs/firewall/firewall.log     Internal     Stores logs generated by the firewall.
/var/ossec/logs/archives/archives.log     External     Stores logs received from third-party applications and systems in plaintext.
/var/ossec/logs/archives/archives.json    External     Stores logs received from third-party applications and systems in JSON.
