Wazuh SIEM Setup
Cybersecurity Monitoring Lab – Part 7 – Wazuh SIEM Setup in Proxmox
HOMELAB
Rezwan Siddique
11/9/2023 · 6 min read
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=544,h=284,fit=crop/mxBj4MPzePSEbG53/wazuh-m6LDXy5xvOSoG9Pw.png)
Wazuh SIEM Setup in Proxmox
Wazuh is an open source SIEM (Security Information and Event Management) platform that centralizes logs and other security-related telemetry from the systems on our networks. With that data in one place, analysts can detect and respond to intrusions, attacks and other malicious activity. In this homelab, Wazuh works alongside Suricata: Wazuh agents report what is happening on each host, and Suricata's network alerts are forwarded into Wazuh so both views end up in the same console.
Requirements: https://documentation.wazuh.com/current/quickstart.html
Installation
Create a new Ubuntu LXC with the following settings:
- Container image: Ubuntu 22.04
- Storage: 80 GB (the Wazuh quickstart lists 50 GB as the minimum)
- CPU: 4 cores
- Memory: 8 GB, Swap: 1 GB (the minimum is 4 GB of memory and 1 GB of swap)
- Network: vmbr0, static IP 10.0.0.100 (adjust to your network)
- DNS: use host settings

One caveat specific to containers: the Wazuh indexer is built on OpenSearch, which refuses to start unless the kernel's vm.max_map_count is at least 262144. An LXC shares the Proxmox host kernel and, unless it is privileged, cannot change that sysctl itself, so set it on the Proxmox host (persistently, in /etc/sysctl.conf or a file under /etc/sysctl.d/) before running the installer.
Update System
Start the container and update the system:

```bash
apt update && apt upgrade -y
```
Install Dependencies
Run the following command to install the dependencies for Wazuh:

```bash
apt install curl dnsutils net-tools sudo gnupg -y
```
Run Installation Script
Change to /tmp, download the installer and run it in all-in-one mode (`-a`), which installs the indexer, server and dashboard on this one container:

```bash
cd /tmp
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```

If the script's health check complains about the container's resources, it can be rerun with `-i` (`--ignore-check`) once you have confirmed the CPU and memory above are really available to the LXC. The script also writes `wazuh-install-files.tar` to the working directory; it holds the generated certificates and the initial passwords, so move it out of /tmp to somewhere safe (or delete it once you have recorded what you need) rather than leaving it lying around.
Once the installation finishes, the script prints the generated password for the dashboard's admin user. We are going to change it before logging in; alternatively, store the generated password in a password manager and keep using it.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=1077,h=115,fit=crop/mxBj4MPzePSEbG53/image-267-AVLzKokVgksoDNbq.png)
Change Admin Password
Download the password tool:

```bash
curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/4.7/wazuh-passwords-tool.sh
```

Then change the admin password with:

```bash
bash wazuh-passwords-tool.sh -u admin -p <newpassword>
```

The new password must meet the tool's complexity requirements (8 to 64 characters with upper and lower case letters, a digit and a symbol); the tool errors out otherwise. Passing the password on the command line leaves it in the shell history, so clear the history once the tool has finished:

```bash
history -c
```

Then reboot the container.
Configuring Wazuh
Initial Setup
Configure Firewall Rules
Agents talk to the manager on TCP 1514 (event forwarding) and TCP 1515 (enrollment). If your firewall sits between the network the Wazuh server is on and the networks of the machines it monitors, allow those two ports from the monitored networks to 10.0.0.100. The dashboard (TCP 443) and the Wazuh API (TCP 55000) only need to be reachable from wherever you administer Wazuh, not from every monitored host.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=792,h=585,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206105307-YbNZVkRGkJFpqM6Y.png)
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=792,h=373,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206105328-mP47KbVDQxSbeJz1.png)
The same rule is needed for the Active Directory network:
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=750,h=406,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206121210-A1aQ0WMj1eHMoX6e.png)
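Before enrolling any agent it is worth confirming the firewall rules actually pass traffic. The script below is an added example and not part of the original post: run it from a host on a monitored network and it attempts a plain TCP connection to the manager on 1514 and 1515, which is all an agent needs for enrollment and event delivery. The 10.0.0.100 address is this lab's value and is an assumption for your network. Note that the agent can be configured to use UDP for 1514, in which case this check only tells you about the TCP path.

```python
"""Pre-flight check that a soon-to-be-enrolled host can reach the Wazuh manager.

Added example, not from the original post. It only performs a TCP handshake to
the two agent-facing ports, which is exactly what the firewall rule has to
allow. MANAGER is the lab address and is an assumption to adapt.
"""
import socket

MANAGER = "10.0.0.100"  # lab value from the post; adjust to your network
AGENT_PORTS = {1514: "agent events", 1515: "agent enrollment"}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused connection and a filtered one (silent timeout) both return False,
    which is what an agent experiences when the inter-network rule is missing.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_manager(host: str = MANAGER, ports=None, timeout: float = 3.0) -> dict:
    """Probe every agent-facing port and return {port: reachable?}."""
    ports = AGENT_PORTS if ports is None else ports
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def report(results: dict, labels=None) -> list:
    """Render probe results as one human-readable line per port."""
    labels = AGENT_PORTS if labels is None else labels
    return [
        f"{port}/tcp ({labels.get(port, 'custom')}): {'open' if ok else 'BLOCKED'}"
        for port, ok in sorted(results.items())
    ]


if __name__ == "__main__":
    for line in report(check_manager()):
        print(line)
```

Run it from both the LAN and the AD network; a BLOCKED line on either means the agent on that network will never show up as connected, whatever the dashboard says.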
Logging In
Open a browser and visit https://10.0.0.100 (or whatever static IP you set).
The dashboard uses a self-signed certificate generated at install time, so the browser shows a privacy warning the first time. Click "Advanced" and proceed.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=560,h=438,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206105629-Yle6Vo3yV7Ik7yo7.png)
Before we start adding machines to the SIEM, let's configure Wazuh itself.
Enable Vulnerability Detector
The first thing to set up is the vulnerability detector for the machines we are monitoring. On the home screen, click the arrow next to "Wazuh" near the top-left corner, then "Management", then "Configuration".
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=734,h=395,fit=crop/mxBj4MPzePSEbG53/image-271-mk3yVoZzani5GBl2.png)
On the next page, click “Edit Configuration” in the top-right corner.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=1022,h=83,fit=crop/mxBj4MPzePSEbG53/image-272-1024x84-mxBlVev407cy3X8j.png)
Scroll down to the vulnerability detector block and change its enabled line to yes.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=88,fit=crop/mxBj4MPzePSEbG53/image-273-mjEQVoMG5EuGR7ML.png)
Enable the Ubuntu (canonical) and Debian providers as well, since those systems are on our networks.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=295,fit=crop/mxBj4MPzePSEbG53/image-274-Yle6Vo34ZxIDBRy9.png)
Make sure the Windows OS vulnerabilities provider (msu) is enabled as well.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=85,fit=crop/mxBj4MPzePSEbG53/image-275-A0xWp6y92Ms7EnLG.png)
Make sure the NVD provider, which the configuration file labels as aggregating vulnerabilities, is enabled too.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=109,fit=crop/mxBj4MPzePSEbG53/image-276-A1aQ0W49O4Cbxn2N.png)
After that is done, click "Restart Manager" so the manager reloads ossec.conf.
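For reference, this is the shape of the enabled block as it appears in the manager's /var/ossec/etc/ossec.conf after those clicks. It is an added example based on the default vulnerability-detector block that Wazuh 4.7 ships with (where enabled is no out of the box), not a copy of this lab's file: the `<os>` codename lists and the intervals in your configuration may differ, and you only need the codenames your agents actually run. The detector has something to match against only because the agents' syscollector module (on by default) sends a package inventory to the manager. Wazuh 4.8 replaced this block with a different `<vulnerability-detection>` section, so what follows applies to the 4.7 installer used in this post.

```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>bionic</os>
    <os>focal</os>
    <os>jammy</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Debian OS vulnerabilities -->
  <provider name="debian">
    <enabled>yes</enabled>
    <os>bullseye</os>
    <os>bookworm</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities (NVD feed) -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```

Each enabled provider triggers a feed download on the next manager start, so the first full scan can take a while and the Vulnerabilities tab stays empty until it completes.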
Create Groups
Open the Wazuh menu. Click "Management", then "Groups".
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=275,fit=crop/mxBj4MPzePSEbG53/image-277-AzG8VBqKN1uWl7EW.png)
Click "Add new group", name it and save. I'm creating groups for the Active Directory network and for the LAN where the Suricata machine sits. Groups are worth setting up now: each group carries its own shared agent.conf on the manager, so later settings (extra log files, file integrity paths) can be pushed to every member instead of edited host by host.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=674,h=192,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206110131-YKbaKn5MD8S8N0Xg.png)
Deploy Agents
Windows System Agent
In order to monitor a system, an agent needs to be installed on it. We'll start with a Windows system, using the MSI installer and the agent's graphical configuration tool.
Log on to one of the Windows VMs. Open the web browser and go to https://www.documentation.wazuh.com. Click "Installation guide", scroll down to "Installing the Wazuh agent" and click the Windows icon.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=207,fit=crop/mxBj4MPzePSEbG53/image-278-mk3yVBlW9vS5neBG.png)
Download the installer.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=255,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206110548-dOq7oOMzj6InNebL.png)
Because the VM is domain-joined, the UAC prompt asks for a domain administrator's credentials. Enter them and complete the install.
Check the box for “Run Agent Configuration Interface.”
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=368,fit=crop/mxBj4MPzePSEbG53/image-281-mp86VjXP0kcPjyZv.png)
Open File Explorer, go to C:\Program Files (x86)\ossec-agent and open win32ui.exe, the agent's configuration window.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=364,fit=crop/mxBj4MPzePSEbG53/image-282-d953VzEvvJC4WGOR.png)
Enter the IP address of the Wazuh server (10.0.0.100) and save. Then click "Manage" and "Restart" so the agent enrolls with the manager using the new setting.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=278,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206111419-AGB3KDrj2DUn2Oq6.png)
Follow the same process to add the agent on the Active Directory VM (the domain controller).
Go back to the Wazuh UI, refresh the page and click "Agents": both agents should show as connected to the server.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=853,h=314,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206173853-YyvPVWkq10TPRp4v.png)
Click on any machine name to see the detailed view for that host.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=849,h=389,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206174154-mP47KxXZ3psWDRyo.png)
Linux Agent
Go back to the Agents menu. Click on “Deploy New Agent.”
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=480,h=155,fit=crop/mxBj4MPzePSEbG53/image-292-YBg8PbZWQ7SvPRZe.png)
Choose the appropriate operating system. We're deploying the agent to the Suricata server, so it is Debian/Ubuntu (DEB) with the amd64 (x86_64, 64-bit) architecture. The server address is the Wazuh server's address, 10.0.0.100, and you can pick the LAN group created earlier so the agent lands in it on enrollment.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=558,h=453,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206175517-AzG86NLJM4hOwEG2.png)
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=558,h=342,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231227032729-Yg2aDyKV4PSKKxXq.png)
Copy the generated commands into the Suricata Ubuntu LXC (the install command, then the enable-and-start command the dashboard shows as the second step) and refresh the agents page in Wazuh. Within a minute the new agent should appear.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=933,h=37,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231206184124-A1aQ75pNl8HV1JbP.png)
We've now enrolled three agents in our Wazuh SIEM. The next step is running various simulations, but before that, let's integrate the Suricata logs into Wazuh.
Suricata IDS Integration
Log on to the Suricata Ubuntu container and update the system:

```bash
sudo apt-get update && sudo apt-get upgrade
```

Download and extract the Emerging Threats (ET Open) Suricata ruleset:

```bash
cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules
```

The URL pins the rules built for Suricata 6.0.8; pick the directory that matches the Suricata version actually installed (check it with `suricata -V`), since rules written for a newer engine may fail to load on an older one. Suricata's own `suricata-update` tool fetches and maintains ET Open automatically and is the better long-term option once the manual path above is understood.

Edit `/etc/suricata/suricata.yaml` and set the following variables so every rule file in that directory is loaded:

```yaml
default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"
```

Then restart the Suricata service (Suricata's configuration test mode, `-T`, is worth running first: it reports rules that fail to parse without starting the engine):

```bash
sudo systemctl restart suricata
```
Add the following block to `/var/ossec/etc/ossec.conf` on the Suricata host's Wazuh agent. It tells the agent's log collector to read Suricata's EVE output as JSON, so each event's fields (src_ip, dest_ip, alert.signature and so on) arrive at the manager already decoded. ossec.conf may contain several `<ossec_config>` sections, so appending this one at the end of the file is fine:

```xml
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```

Restart the Wazuh agent to apply the change:

```bash
sudo systemctl restart wazuh-agent
```
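To see what that integration actually hands to the SIEM, the script below is an added example (not from the original post or from the Wazuh project). The agent ships every line of eve.json, but on the manager Wazuh's stock Suricata rules only raise an alert for lines whose event_type is "alert" (rule 86601, level 3, described as "Suricata: Alert - $(alert.signature)"); flow, dns and http records are stored for searching but do not alert on their own. The script reproduces that selection and field extraction over three constructed eve.json lines (the signature names and IDs are ET Open ones, the IPs and timestamps are made up for this lab), so you can check which fields will show up in the Security Events view before generating any real traffic.

```python
"""Reproduce what Wazuh makes of Suricata's eve.json lines.

Added example, not Wazuh's own code. The agent forwards every eve.json line as
JSON; the manager's stock Suricata rules alert only on event_type "alert"
(rule 86601, "Suricata: Alert - $(alert.signature)"). This mirrors that logic.
"""
import json
from collections import Counter

# Constructed sample of three eve.json lines: the ICMP alert a ping test
# produces, a higher-severity scan alert, and a plain flow record that yields
# no alert. IPs and timestamps are invented for this lab.
SAMPLE_EVE = r'''
{"timestamp":"2023-12-27T04:21:12.123456+0000","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.100","proto":"ICMP","alert":{"action":"allowed","signature_id":2100366,"rev":8,"signature":"GPL ICMP_INFO PING *NIX","category":"Misc activity","severity":3}}
{"timestamp":"2023-12-27T04:22:01.000000+0000","event_type":"alert","src_ip":"10.0.0.50","src_port":41234,"dest_ip":"10.0.0.100","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-12-27T04:22:05.000000+0000","event_type":"flow","src_ip":"10.0.0.50","src_port":41235,"dest_ip":"10.0.0.100","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4}}
'''

WAZUH_SURICATA_ALERT_RULE = 86601  # stock Wazuh rule that fires on event_type "alert"


def parse_eve(text):
    """Yield one dict per non-empty eve.json line; skip lines that are not valid JSON
    (a truncated line at the tail of a live file is the usual case)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def to_wazuh_alert(event):
    """Return the summary fields Wazuh surfaces for a Suricata alert, or None when
    the stock rules stay silent (every event_type other than "alert")."""
    if event.get("event_type") != "alert":
        return None
    a = event.get("alert", {})
    return {
        "rule_id": WAZUH_SURICATA_ALERT_RULE,
        "description": f"Suricata: Alert - {a.get('signature', '?')}",
        "timestamp": event.get("timestamp"),
        "src_ip": event.get("src_ip"),
        "dest_ip": event.get("dest_ip"),
        "proto": event.get("proto"),
        "signature_id": a.get("signature_id"),
        "severity": a.get("severity"),
        "category": a.get("category"),
    }


def summarize(text):
    """Parse eve.json text; return (alerts, count per description, non-alert events)."""
    alerts, dropped = [], 0
    for ev in parse_eve(text):
        al = to_wazuh_alert(ev)
        if al is None:
            dropped += 1
        else:
            alerts.append(al)
    return alerts, Counter(a["description"] for a in alerts), dropped


if __name__ == "__main__":
    alerts, per_sig, dropped = summarize(SAMPLE_EVE)
    for a in alerts:
        print(f"[{a['rule_id']}] {a['description']}  "
              f"{a['src_ip']} -> {a['dest_ip']} ({a['proto']}, severity {a['severity']})")
    print(f"{dropped} non-alert event(s) forwarded but not alerted on")
```

Point `summarize` at the contents of the real /var/log/suricata/eve.json and the per-signature counter gives a quick picture of what the ET Open set is firing on in your lab, which is also the list to start tuning (noisy informational signatures such as the ping one are candidates for a higher-level custom rule or for disabling in Suricata).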
Now let's test it.
We are going to ping from our Kali machine so that Suricata sees the ICMP traffic.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=620,h=310,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231227042112-m5K2NVMKr6c7Mzxw.png)
If we check /var/log/suricata/fast.log we will see that Suricata has picked up the event (the ET Open ruleset includes informational ICMP ping signatures, so a plain ping is enough to trigger one).
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=604,h=81,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231227042230-mv04vEWXQnSoWvaD.png)
Let's head to Wazuh, click "Agents", select the Suricata agent and open "Security Events".
All the alerts should be there.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=612,h=152,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231227042424-AQE45NxjZnsDDpJX.png)
Clicking any alert shows its details, including the source and destination IP and the Suricata signature that fired.
![](https://assets.zyrosite.com/cdn-cgi/image/format=auto,w=613,h=425,fit=crop/mxBj4MPzePSEbG53/pasted-image-20231227042557-YanM4r1DQeUg1Qoo.png)