SIEM Project Lab Setup | Part 8 | How to Deploy Wazuh Agents to Virtual Machine Endpoints
In this series, I show how to construct and configure a home lab in Oracle VirtualBox that contains two Linux virtual machines (VMs), a virtual pfSense router/firewall, and a Wazuh OVA appliance. In this article, we will deploy Wazuh agents to the two Linux VMs.
What is a Wazuh Agent?
A Wazuh agent is a small program installed on a computer or other compatible device that collects log data from it. The agent forwards that data to the Wazuh server, which analyzes it and, if needed, generates an alert for a security analyst to examine.
Upon examination, the security analyst decides whether the alert is cause for alarm. If it is a true incident, the analyst will probably escalate it to a Tier 2 analyst, who then decides what to do about it from there. Let's get these agents deployed!
Note: If this is the first article you've read in this series, you may want to start with Part 1 if you get the chance, but you're more than welcome to follow along with this article too!
Step 1: Before we begin, we need to make a slight change to the Wazuh OVA. Click the Wazuh OVA in the VirtualBox Manager list and then click Settings.
Step 2: In the Network section, make sure that Adapter 1 is the only adapter that is enabled. You may need to check Adapters 2-4 to verify that the "Enable Network Adapter" checkbox is unchecked on each of them. Once only Adapter 1 is enabled, click "Attached to" and select "Internal Network." With the Wazuh VM on the internal network only, it gets its address from pfSense and is reachable only from the other lab VMs. When the settings match the image below, click OK.
Step 3: Power on the pfSense VM and give it time to fully boot. Once you see the screen shown below, power on the other VMs in this lab.
Step 4: Before continuing, log in to the Wazuh VM using the default login credentials.
Step 5: Log in to both Linux VMs using the passwords that you set for each VM.
Step 6: On one of your Linux VMs, open Firefox and enter the IP address of your Wazuh VM. If you don't know the Wazuh VM's IP address, go to the Wazuh VM, type "ip a" and press Enter, and the IP address will be listed in the output.
Note: If any of your VMs suddenly has no IP address when you start it up, shut down the VM, then click it in the VirtualBox Manager list. Click the orange Settings icon, then go to Network. Click the dropdown arrow where it says "Attached to:" and choose any option other than "Internal Network," then click OK. Repeat those steps, but this time choose Internal Network from the "Attached to" dropdown. This causes the VM to reach out to the pfSense router for a fresh DHCP lease. Restart the VM, type "ip a" and press Enter, and you should have an IP address. I hope this helps because this happened to me a time or two as well.
Once you enter the IP address of the Wazuh server, you'll see a warning page similar to the one in the image below. Firefox shows it because the Wazuh dashboard ships with a self-signed TLS certificate, which is expected in a lab.
Click "Advanced," then scroll down and click "Accept the Risk and Continue."
You'll see the Wazuh login page. Enter "admin" for both the username and the password.
Step 7: From the main Wazuh screen, click on "Deploy new agent" in the upper left part of the page.
At this stage we will get a Wazuh agent deployed on both the Ubuntu and Linux Mint VMs.
Step 8: On the next page, under the Linux section, click the radio button next to "DEB amd64." Ubuntu and Linux Mint are both Debian-based, so they use DEB packages, and our VMs are 64-bit (amd64).
Step 9: Scroll down to "Step 2: Server address." Take note of the IP address in the address bar of your web browser. In the case of the image below, my server address happens to be "172.16.0.6," so I will enter that address in the "Server address" field.
Step 10: Scroll down to "Step 3: Optional settings." Under "Assign an agent name:," type in whatever name you want this agent to be referred to by. In my case, I'm deploying this agent to my Ubuntu VM, so I'll stick with "Ubuntu."
Also, click the dropdown under "Select one or more existing groups:" and select "default" for the group.
This "Group" setting matters because the group assignment literally groups together every VM assigned to it into a single list. For example, in a production environment, you may have VMs spun up for the sales team in a group called "sales" and VMs spun up for operations in a group called, you guessed it, "operations." This helps when making network diagrams and with the general organization of your environment. Wazuh also uses groups to push a shared configuration to every agent in the group, so grouping by role pays off beyond tidiness.
Step 11: Scroll down to Step 4. You'll notice that this section contains a series of commands that were auto-generated from the settings in the previous steps (how convenient, eh?). If you hover your mouse pointer over the command, you'll see that it says "Copy command." Click it to copy the command to your clipboard.
Step 12: Open the terminal in the VM that you are deploying this agent to. Right click inside the terminal and click Paste. It should look something like this after you paste it in.
Once it is pasted in, press Enter. You'll probably be asked for your sudo password, which is most likely the same password you use to log in to your VM. Type it in and press Enter. In case you're unfamiliar with Linux, it doesn't echo the characters you type for the sudo password, so if you don't see any characters appear, that is by design and nothing is wrong.
Step 13: Once the commands are done running, reopen the browser in your VM and scroll down to Step 5. You'll see another set of commands in that section. As before, hover your mouse pointer over this new set of commands, click "Copy command," paste these commands into your terminal as well, then press Enter.
Once the command is done running, you'll be taken back to your basic terminal prompt, as the image below demonstrates.
Step 14: Now that we have finished all of the agent deployment steps, let's check and make sure our agent has been deployed. Reopen your web browser and click on the "sandwich" (hamburger menu) icon in the upper left corner of your screen.
In the menu that appears, near the bottom of the list there is a line item that says "Agents management." Click there, and then click on "Summary."
It should take you to a page similar to this one. If you see what the image below shows . . . SUCCESS! You've deployed your first Wazuh agent! AWESOME! Notice what I highlight in this section as well. The Name column shows the name we chose during the agent deployment process, and the IP address and group (default) are shown correctly as well. Pretty nice, right? The best part is that it also shows "Active" under the Status column, which is exactly what we are looking for! Nice!
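The dashboard is the authoritative view, but it helps to confirm the same facts from the endpoint's own terminal. The POSIX shell script below is an added example, not code from the original article or from the Wazuh project; it assumes Wazuh's default paths (/var/ossec/etc/ossec.conf for the manager address, /var/ossec/etc/client.keys for the enrolled agent name) and runs against constructed sample files so it works on any machine.

```shell
#!/bin/sh
# Added example, not from the original article: confirm an agent deployment
# from the endpoint's own terminal. Paths are Wazuh's defaults; the sample
# ossec.conf and client.keys contents below are constructed for illustration.

# Manager address the agent was enrolled against (the "Server address" from
# Step 9): the first <address> inside the <client> block of ossec.conf.
manager_address() {
    sed -n '/<client>/,/<\/client>/p' "$1" |
        sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' | head -n 1
}

# Agent name recorded at enrollment (the name typed in Step 10). Lines in
# client.keys are "ID NAME IP KEY", so the name is the second field.
agent_name() {
    awk 'NR == 1 { print $2 }' "$1"
}

# Exit status 0 when the configured manager matches the expected address.
check_manager() {
    [ "$(manager_address "$1")" = "$2" ]
}
# Service state behind the dashboard's Status column. Falls back to
# "unknown" where systemd is absent so the script still runs anywhere.
agent_service_state() {
    state=""
    if command -v systemctl >/dev/null 2>&1; then
        state="$(systemctl is-active wazuh-agent 2>/dev/null)" || true
    fi
    echo "${state:-unknown}"
}
# Constructed stand-ins for /var/ossec/etc/ossec.conf and
# /var/ossec/etc/client.keys as written on the Ubuntu VM.
SAMPLE_CONF="$(mktemp)"; SAMPLE_KEYS="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>172.16.0.6</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
echo "001 Ubuntu any CONSTRUCTED_PLACEHOLDER_KEY" > "$SAMPLE_KEYS"
echo "manager: $(manager_address "$SAMPLE_CONF")  agent: $(agent_name "$SAMPLE_KEYS")"
check_manager "$SAMPLE_CONF" "172.16.0.6" && echo "manager matches Step 9"
echo "wazuh-agent service: $(agent_service_state)"
```

On a real endpoint, point the functions at the live files (client.keys is root-readable, so prefix with sudo); a manager address that does not match what you typed in Step 9 is the usual reason an agent never shows "Active."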
Step 15: Now we need to run the same agent deployment process for the other VM. The easiest way I found to do this is to click the "a" in the upper right-hand corner of Wazuh and then click "Sign out." Then repeat steps 6-14 of this guide on the other VM. The only difference is at Step 7: click the sandwich button in the upper left, then "Agents management," then "Summary." Then continue with Steps 8-14 as normal.
By the time you complete those steps, you should see both agents properly deployed within your Wazuh Agents management screen, as shown in the image below.
At this point you're all set! To recap, we deployed a Wazuh agent to two different Linux VMs so that we can practice log analysis within Wazuh. In the next article, I'll walk you through setting up pfSense to forward firewall logs via syslog to Wazuh, so that Wazuh will be our one-stop shop for all log analysis within our network.
I really hope you got a lot of value out of this walkthrough. If you did, please consider giving this article a like and sharing it with someone who can also get value out of it. Also, if you have any questions, comments, or concerns about this article, feel free to leave a comment. Thank you so much!
Have a great day and feel free to check out the next part in the series below!