Wazuh SIEM Setup

Cybersecurity Monitoring Lab – Part 7 – Wazuh SIEM Setup in Proxmox

HOMELAB

Rezwan Siddique

11/9/2023 · 6 min read

Wazuh SIEM Setup in Proxmox

Wazuh is a SIEM (Security Information and Event Management) system that can be used to centralize logs and other security-related information from systems on our networks. Using this information, analysts can detect and respond to intrusions, attacks and other malicious activity. For this homelab, Wazuh will be used in conjunction with Suricata to monitor our networks.

Requirements: https://documentation.wazuh.com/current/quickstart.html

Installation

Create a new Ubuntu LXC.

- Container image: Ubuntu 22.04

- Storage: 80 GB (minimum 50 GB needed)

- CPU: 4 Cores

- Memory: 8 GB, Swap: 1 GB (minimum 4 GB memory and 1 GB swap)

- Network: vmbr0 – Static IP: 10.0.0.100 (depending on your network)

- DNS: Host Settings

Update System

Start the machine and update the system:

# apt update && apt upgrade -y

Install Dependencies

Run the following commands to install the dependencies for Wazuh:

# apt install curl dnsutils net-tools sudo gnupg -y

Run Installation Script

Navigate to the tmp folder then download the script.

# cd /tmp

# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -als

Once the installation is finished, you’ll receive the password to log in to the dashboard. But, we’re going to change the password before logging in. Alternatively, this password can be stored in a password manager instead of changing it.

Change Admin Password

Download the password change script:

# curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/4.7/wazuh-passwords-tool.sh

Then run the script with:

# bash wazuh-passwords-tool.sh -u admin -p <newpassword>

The new password must meet complexity requirements so the script will throw an error if they are not met. After the script finishes running, clear the bash history.

# history -c

Then, reboot the system.

Configuring Wazuh

Initial Setup

Configure Firewall Rules

If your firewall rules block traffic between the networks the Wazuh server sits on and the machines it monitors, make sure ports 1514 and 1515 are open.

The same goes for the AD network.

Logging In

Open a browser and visit https://10.0.0.100 (yours could be different depending on the static IP you set).

You’ll get a privacy error when first entering, because the dashboard is served with a self-signed certificate. Hit “advanced” then proceed.

Before we start adding machines to our SIEM, let's configure Wazuh first.

Enable Vulnerability Detector

The first thing we’re going to do is set up the vulnerability detector for the machines we’re monitoring. On the home screen, click on the arrow next to “Wazuh” near the top-left corner. Click “Management” then “Configuration.”

On the next page, click “Edit Configuration” in the top-right corner.

Scroll down until you find the vulnerability detector line. Change it to yes.

Enable detection for Ubuntu and Debian systems as well since those systems are on our networks.

Make sure the Windows OS vulnerabilities are enabled as well.

Make sure aggregating vulnerabilities is enabled.

After that is done, click “Restart Manager.”

Create Groups

Open the Wazuh menu. Click on “Management,” then “Groups.”

Click “Add New Group” and save. I’m creating groups for the Active Directory network and the LAN where the Suricata machine will sit.

Deploy Agents

Windows System Agent

In order to monitor a system, an agent needs to be installed on it. We’ll start with a Windows system. For Windows, we’re going to install the GUI agent.

Log on to one of the Windows VMs. Open the web browser and go to https://documentation.wazuh.com. Then, click on “Installation guide.” Scroll down to “Installing the Wazuh Agent” then click on the Windows icon.

Download the installer.

Since we are on the AD, it will ask for the admin login and password for the domain. Enter them and complete the install.

Check the box for “Run Agent Configuration Interface.”

Open the file explorer. Go to C:\Program Files (x86)\ossec-agent and open the win32ui.

Enter the IP address of the Wazuh server and save. Then click “Manage” and “restart.”

Follow the same process to add the agent on the Active Directory VM.

Go back to the Wazuh UI, refresh the page and click on “Agents.” Both agents should show as connected to the server.

Click on any machine name to see a detailed view of that machine.

Linux Agent

Go back to the Agents menu. Click on “Deploy New Agent.”

Choose the appropriate operating system. We’re going to deploy the agent to the Suricata server, so it’ll be Debian/Ubuntu DEB amd64. The architecture will be x86_64 (64-bit). The server address will be the Wazuh server address.

Copy the generated command, paste it into the Suricata Ubuntu LXC and run it, then refresh Wazuh. Within a minute we should be able to see the new agent.

We've successfully incorporated these three agents into our Wazuh SIEM. Our next step involves running various simulations. Before that, let's proceed to integrate our Suricata logs into Wazuh.

Suricata IDS Integration

Let's log on to our Suricata Ubuntu container and update the system:

$ sudo apt-get update && sudo apt-get upgrade

Download and extract the Emerging Threats Suricata ruleset:

$ cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz

$ sudo tar -xvzf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/

$ sudo chmod 640 /etc/suricata/rules/*.rules

Modify Suricata settings in the `/etc/suricata/suricata.yaml` file and set the following variables:

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

Restart the Suricata service:

$ sudo systemctl restart suricata

Add the following configuration to the `/var/ossec/etc/ossec.conf` file of the Wazuh agent. This allows the Wazuh agent to read the Suricata log file:

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

Restart the Wazuh agent to apply the changes:

$ sudo systemctl restart wazuh-agent

Now let's test it.

We are going to ping from our Kali machine.

If we check the fast.log file, we will see that Suricata has picked up this event.

Let's head to Wazuh, click on “Agents,” select Suricata and then select “Security Events.”

All the alerts should be there.

If we click on any alert, it will give us the details of that alert, including the source and destination IP.
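If the alerts do not appear in Wazuh, it helps to confirm on the Suricata container that alert events are actually being written to eve.json, the file the agent configuration above points at. The following is an added example, not part of the original post: it parses eve.json lines, tolerates a partially written last line, and summarizes alerts by signature, source and destination IP. The sample events, IP addresses and signature names are constructed.

```python
import json
from collections import Counter

# Constructed sample of /var/log/suricata/eve.json (not captured from the lab).
# The last line is cut short, as can happen when reading while Suricata writes.
SAMPLE_EVE = """\
{"timestamp":"2023-11-09T10:15:01.000000+0000","event_type":"flow","src_ip":"10.0.0.50","dest_ip":"10.0.0.20","proto":"TCP"}
{"timestamp":"2023-11-09T10:15:02.000000+0000","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.20","proto":"ICMP","alert":{"signature_id":9000001,"signature":"EXAMPLE ICMP ping (constructed)","severity":3}}
{"timestamp":"2023-11-09T10:15:03.000000+0000","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.20","proto":"ICMP","alert":{"signature_id":9000001,"signature":"EXAMPLE ICMP ping (constructed)","severity":3}}
{"timestamp":"2023-11-09T10:15:04.000000+0000","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.100","proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE port scan (constructed)","severity":2}}
{"timestamp":"2023-11-09T10:15:05.000000+0000","event_type":"al
"""


def parse_alerts(text):
    """Return (alerts, skipped): alert events as dicts, and the number of unparseable lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt line: count it, keep going
            continue
        # eve.json mixes flow, dns, http, alert ... events; keep only alerts
        if isinstance(event, dict) and event.get("event_type") == "alert":
            alerts.append(event)
    return alerts, skipped


def summarize(alerts):
    """Count alerts per (signature, src_ip, dest_ip)."""
    counts = Counter()
    for ev in alerts:
        sig = ev.get("alert", {}).get("signature", "<no signature>")
        counts[(sig, ev.get("src_ip"), ev.get("dest_ip"))] += 1
    return counts


if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_EVE)
    for (sig, src, dst), n in summarize(alerts).most_common():
        print(f"{n:3d}  {src} -> {dst}  {sig}")
    print(f"skipped {skipped} unparseable line(s)")
```

To run it against the real log, replace `SAMPLE_EVE` with the contents of `/var/log/suricata/eve.json` read from disk.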

Our Suricata integration is complete here, and our homelab is complete for now. In the next series I will start testing and implementing different security features. Stay tuned!