
# Wazuh SIEM

## Wazuh Server Installation

Resources

### OVA Installation

After installing the OVA, SSH into the server and change the passwords for all services:

```bash
curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/4.4/wazuh-passwords-tool.sh
# -a changes all passwords; -au/-ap are the current Wazuh API admin user and password (wazuh/wazuh on a fresh OVA)
sudo bash wazuh-passwords-tool.sh -a -au wazuh -ap wazuh
```

#### Restart the server afterwards

The tool ends with the following warning, which is why the services must be restarted:

> WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.

#### Restarting Wazuh services

```bash
sudo systemctl restart wazuh-manager
sudo systemctl restart wazuh-indexer
sudo systemctl restart wazuh-dashboard
sudo systemctl restart filebeat
```

## Wazuh Agent Installation

### Add the Wazuh repository

#### Install the GPG key

```bash
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
```

#### Add the repository

```bash
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
```

#### Update the package information

```bash
apt-get update
```

For Debian 7, 8, and Ubuntu 14 systems, import the GPG key and add the Wazuh repository (steps 1 and 2) as follows:

```bash
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
```

### Deploy a Wazuh agent

To deploy the Wazuh agent on your endpoint, select your package manager and edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname.

```bash
WAZUH_MANAGER="10.10.10.49" apt-get install wazuh-agent
```

For additional deployment options such as agent name, agent group, and registration password, see the Wazuh documentation page "Deployment variables for Linux".

#### Enable and start the Wazuh agent service

```bash
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
```

The deployment process is now complete, and the Wazuh agent is successfully running on your Linux system.

### Recommended action - Disable Wazuh updates

Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following commands:

```bash
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
apt-get update
```

Alternatively, you can set the package state to `hold`. This action stops updates, but you can still upgrade the package manually using `apt-get install`:

```bash
echo "wazuh-agent hold" | dpkg --set-selections
```
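As an added example (not code from this page or from the Wazuh project), the deployment steps and the update-hold step above combined into one script: it validates the `WAZUH_MANAGER` value before it reaches the package, installs with the deployment variables, pins the package, disables the repository with the same `sed` as above, and then checks `ossec.log` for the agent's connection message. The variable names `WAZUH_AGENT_NAME` and `WAZUH_REGISTRATION_PASSWORD`, the log path and the script name are assumptions; a Debian/Ubuntu host with the Wazuh repository already added is assumed as well.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the Wazuh project): deploy a Wazuh agent
# with deployment variables, pin the package, disable the repository, and
# verify from ossec.log that the agent reached the manager.
# Assumes a Debian/Ubuntu host where the Wazuh apt repository was added
# as shown on the page.
set -euo pipefail

WAZUH_LIST="${WAZUH_LIST:-/etc/apt/sources.list.d/wazuh.list}"
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"

# Accept only a plain IPv4 address or hostname for the manager value, so a
# mangled or unexpected string never reaches the package's enrollment step.
valid_manager() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# The page's sed, taking the file as an argument and returning non-zero
# if any active "deb" line survived. Safe to run repeatedly.
disable_repo() {
  sed -i 's/^deb/#deb/' "$1"
  ! grep -q '^deb' "$1"
}

# wazuh-agentd logs "Connected to the server (...)" once enrollment and the
# first keep-alive succeed; without that line the deployment is not done.
agent_connected() {
  grep -q 'Connected to the server' "$1"
}

# usage: deploy_agent <manager> <agent-name> [registration-password]
deploy_agent() {
  valid_manager "$1" || { echo "invalid WAZUH_MANAGER: '$1'" >&2; return 1; }
  if [ -n "${3:-}" ]; then export WAZUH_REGISTRATION_PASSWORD="$3"; fi
  WAZUH_MANAGER="$1" WAZUH_AGENT_NAME="$2" apt-get install -y wazuh-agent
  systemctl daemon-reload
  systemctl enable --now wazuh-agent
  echo "wazuh-agent hold" | dpkg --set-selections   # no accidental upgrades
  disable_repo "$WAZUH_LIST"
  sleep 15                                          # allow enrollment + keep-alive
  agent_connected "$OSSEC_LOG"
}

# Runs only when invoked explicitly: sudo ./deploy-agent.sh deploy 10.10.10.49 web01
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy_agent "$@"
fi
```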

### Uninstall a Wazuh agent

To uninstall the agent, run the following commands:

Remove the Wazuh agent installation.

```bash
apt-get remove wazuh-agent
```

Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, run the following command:

```bash
apt-get remove --purge wazuh-agent
```

#### Disable the Wazuh agent service

```bash
systemctl disable wazuh-agent
systemctl daemon-reload
```