Testing Wazuh at home

Today I had an hour to spare and decided to test Wazuh. I heard about OSSEC many years ago but never tried it; Wazuh is an open-source fork of OSSEC.

Getting started

Download the virtual machine (.ova file), which is based on CentOS 7. The direct link is here: https://documentation.wazuh.com/3.12/installation-guide/virtual-machine.html

The machine comes set up with 4 cores, 4 GB of memory and a 40 GB disk.

Start the virtual machine (I did this in VirtualBox). It can take a few minutes before it responds and shows the login prompt; I waited around 5 minutes, probably because the network did not come up right away. I had put the machine in bridged mode on my wireless card, but my wireless network apparently does not allow multiple IP addresses behind a single MAC, so I moved on. I ended up setting the network to NAT and port-forwarding all the ports listed on the page below. Be aware that on the virtual machine Kibana listens on port 443, not 5601. https://documentation.wazuh.com/3.8/getting-started/architecture.html#required-ports
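The port forwarding described above, as an added example that is not part of the original post: a small POSIX shell script that applies the NAT rules with VBoxManage. The VM name "wazuh" is an assumption (override it with VM_NAME), the port list follows the "required ports" page linked above with Kibana moved to 443, and the management ports (API, Elasticsearch, Kibana) are bound to 127.0.0.1 on the host so that a home LAN cannot reach them by accident.

```shell
#!/bin/sh
# Added example, not from the post: VirtualBox NAT port forwarding for the
# Wazuh 3.x OVA. VM name is an assumption; override with VM_NAME=... .
VM_NAME="${VM_NAME:-wazuh}"

# Rules as "name proto host-ip host-port guest-port". "-" means "all host
# interfaces". Agent, enrollment and syslog ports must be reachable from the
# laptop and the ASA; the API, Elasticsearch and Kibana are bound to loopback
# on the host so only the host's own browser/tools can reach them.
wazuh_rules() {
    cat <<'EOF'
agents-tcp tcp - 1514 1514
agents-udp udp - 1514 1514
enrollment tcp - 1515 1515
syslog-udp udp - 514 514
api tcp 127.0.0.1 55000 55000
elasticsearch tcp 127.0.0.1 9200 9200
kibana tcp 127.0.0.1 443 443
EOF
}

# Format one rule the way --natpf1 expects:
#   name,proto,hostip,hostport,guestip,guestport
# An empty guest IP means the guest's NAT address (10.0.2.15 by default).
natpf_rule() {
    hostip="$3"
    [ "$hostip" = "-" ] && hostip=""
    printf '%s,%s,%s,%s,,%s' "$1" "$2" "$hostip" "$4" "$5"
}

# Apply every rule to the (powered-off) VM. Without VBoxManage on PATH this
# prints the commands instead, which doubles as a dry run.
apply_rules() {
    wazuh_rules | while read -r name proto hostip hport gport; do
        rule=$(natpf_rule "$name" "$proto" "$hostip" "$hport" "$gport")
        if command -v VBoxManage >/dev/null 2>&1; then
            VBoxManage modifyvm "$VM_NAME" --natpf1 "$rule"
        else
            echo "VBoxManage modifyvm \"$VM_NAME\" --natpf1 \"$rule\""
        fi
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh natpf.sh apply` while the VM is powered off (`modifyvm` refuses to touch a running machine; `VBoxManage controlvm <vm> natpf1 "<rule>"` takes the same rule string for a running one). With Kibana bound to loopback, the UI is at https://127.0.0.1/ on the host.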

I had to set the keyboard layout with "localectl set-keymap dk-mac"; you can list the available layouts with "localectl list-keymaps".

For testing the agent I got the macOS installer from this page. https://documentation.wazuh.com/3.12/installation-guide/installing-wazuh-agent/macos/wazuh_agent_package_macos.html#wazuh-agent-package-macos

I swiftly went to the Wazuh app within Kibana and found the "Deploy new agent" button.

[Screenshot: the "Deploy new agent" button in the Wazuh app]

I didn't need it, though, because I had already installed the agent on my laptop. The agent only had to be configured and registered manually, and this guide came in handy. https://documentation.wazuh.com/3.12/user-manual/registering/index.html#register-agents

I personally opted for the "simple registration" described on this page. https://documentation.wazuh.com/3.12/user-manual/registering/macos-simple-registration.html

[Screenshot: simple registration of the macOS agent]

It worked as intended even though everything was running locally on my machine. Now I got to play around with the features a bit.

[Screenshot: the Wazuh app in Kibana]

Synchronize agent configuration from the manager

To be able to synchronize configuration from the Wazuh manager to the agents, we need to run a command on every installed agent. On my Mac this is done with the following command:

[Screenshot: the command run on the Mac agent; not reproduced in the text]

After this is done, restart the agent with "sudo /Library/Ossec/bin/ossec-control restart".
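The two agent-side steps above, the simple registration and the per-agent preparation for centralized configuration, as one added example. This is not the post's own command (the screenshot is not reproduced here) and not code from the Wazuh project: it is a POSIX shell script to run as root on the Mac. The manager address and the agent-side paths under /Library/Ossec (where the 3.12 macOS package installs) are assumptions. For the "command on every agent" step it applies the two local_internal_options.conf keys that Wazuh 3.x requires before a shared agent.conf may run commands on an agent; plain settings such as syscheck are synchronized without them.

```shell
#!/bin/sh
# Added example, not from the post: bootstrap an already-installed macOS agent.
# Run as root. MANAGER_IP and OSSEC_DIR are assumptions; override via env.
OSSEC_DIR="${OSSEC_DIR:-/Library/Ossec}"
MANAGER_IP="${MANAGER_IP:-192.168.1.50}"

# Point <client><server><address> at the manager. The edit is made on a copy
# that is swapped in afterwards, so a failed sed cannot leave a half-written
# ossec.conf. Prints the number of <address> lines that now carry the manager
# IP so the caller can check it is exactly 1.
set_manager_address() {
    conf="$1"; ip="$2"
    sed "s#<address>[^<]*</address>#<address>${ip}</address>#" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    grep -c "<address>${ip}</address>" "$conf"
}

# Simple registration: authd on the manager (TCP 1515) hands out the agent key.
# Unless the manager has <use_password> enabled, anyone who can reach 1515 can
# register an agent, so keep that port off untrusted networks or add -P <pass>.
register_agent() {
    if [ -x "$OSSEC_DIR/bin/agent-auth" ]; then
        "$OSSEC_DIR/bin/agent-auth" -m "$MANAGER_IP"
    else
        echo "agent-auth not found under $OSSEC_DIR; skipping registration"
    fi
}

# Allow <command>/wazuh_command entries from the manager's shared agent.conf to
# run on this agent. Settings like <syscheck> sync without this; these keys are
# only needed for remote commands, and they turn the shared agent.conf on the
# manager into a root-level command channel, so protect that file accordingly.
# Idempotent: each key is appended at most once. Prints how many are set (2).
enable_remote_commands() {
    opts="$1"
    touch "$opts"
    for key in logcollector.remote_commands wazuh_command.remote_commands; do
        grep -q "^${key}=1" "$opts" || echo "${key}=1" >> "$opts"
    done
    grep -c "remote_commands=1" "$opts"
}

restart_agent() {
    if [ -x "$OSSEC_DIR/bin/ossec-control" ]; then
        "$OSSEC_DIR/bin/ossec-control" restart
    fi
}

if [ "${1:-}" = "run" ]; then
    set_manager_address "$OSSEC_DIR/etc/ossec.conf" "$MANAGER_IP"
    register_agent
    enable_remote_commands "$OSSEC_DIR/etc/local_internal_options.conf"
    restart_agent
fi
```

Run as `sudo MANAGER_IP=<manager> sh agent-bootstrap.sh run`. If you do not intend to push commands from the manager, leave `enable_remote_commands` out; configuration sync works without it, and you lose nothing but the command channel.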

File Integrity Monitoring

I wanted to monitor the /Applications folder for file changes. I set this up on the Wazuh manager, in the "agent.conf" file for the "default" agent group, with the following setting:

[Screenshot: the syscheck setting in agent.conf; not reproduced in the text]

Be aware that the agents will use a lot of CPU while calculating the SHA256 hashes for all the applications. Restart all remote agents by running this command on the manager: "/var/ossec/bin/agent_control -r -a".
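The FIM setup above as an added example, not the post's own agent.conf (the screenshot is not reproduced) and not Wazuh project code: a POSIX shell script that writes the shared agent.conf for the "default" group on the manager, checks its syntax and restarts the agents. The os="Darwin" filter, the 12-hour scan interval and the .DS_Store ignore are assumptions chosen to keep rescans cheap after the first, CPU-heavy hashing pass. Run it as root on the manager, or hand it a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the post: syscheck (FIM) on /Applications, pushed to
# the "default" group through the manager's shared agent.conf.
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"

# Write the group configuration. check_all enables every check (size, owner,
# permissions, MD5/SHA1/SHA256, inode). The first scan hashes everything under
# /Applications, which is the CPU spike the post warns about; afterwards the
# 12-hour interval keeps the cost low. Prints the number of <directories>
# entries written (expected: 1). Attribute values are assumptions.
write_fim_agent_conf() {
    shared_dir="$1"
    mkdir -p "$shared_dir"
    cat > "$shared_dir/agent.conf" <<'EOF'
<agent_config os="Darwin">
  <syscheck>
    <directories check_all="yes">/Applications</directories>
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <ignore type="sregex">\.DS_Store$</ignore>
  </syscheck>
</agent_config>
EOF
    grep -c '<directories' "$shared_dir/agent.conf"
}

# Check the syntax with the manager's own tool before any agent pulls the file,
# then restart every agent so they fetch the new shared configuration. Both
# binaries exist only on a real manager; elsewhere this just returns 0.
push_to_agents() {
    shared_dir="$1"
    if [ -x "$WAZUH_DIR/bin/verify-agent-conf" ]; then
        "$WAZUH_DIR/bin/verify-agent-conf" -f "$shared_dir/agent.conf" || return 1
    fi
    if [ -x "$WAZUH_DIR/bin/agent_control" ]; then
        "$WAZUH_DIR/bin/agent_control" -r -a
    fi
}

if [ "${1:-}" = "run" ]; then
    write_fim_agent_conf "$WAZUH_DIR/etc/shared/default"
    push_to_agents "$WAZUH_DIR/etc/shared/default"
fi
```

Run as `sudo sh fim-push.sh run` on the manager. Agents pick up shared configuration on their own schedule as well, so the restart only shortens the wait; the syntax check is the part worth keeping, because a malformed agent.conf is pushed to every member of the group.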

Analyzing Cisco ASA syslog

I set up the ASA to send syslog toward my Wazuh setup, and nothing happened. Apparently the syslog listener also needs to be set up in the "/var/ossec/etc/ossec.conf" file on the manager.

After much trial and error I figured out that the VirtualBox NAT network also needed to be allowed: with NAT port forwarding the syslog packets arrive at the manager from the VirtualBox gateway address, not from the ASA itself.

[Screenshot: the syslog settings in ossec.conf; not reproduced in the text]
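The ossec.conf change above as an added example, not the post's own configuration (the screenshot is not reproduced) and not Wazuh project code: a POSIX shell script that appends a syslog listener to the manager's ossec.conf and runs a constructed ASA line through ossec-logtest. The ASA address is an assumption; 10.0.2.0/24 is VirtualBox's default NAT network, which is what "the VirtualBox network" refers to.

```shell
#!/bin/sh
# Added example, not from the post: syslog listener for the ASA on the manager.
# Run as root on the manager, or point it at a copy of ossec.conf first.
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"
ASA_IP="${ASA_IP:-192.168.1.1}"   # assumption: the ASA's address

# Emit a complete <ossec_config> block. ossec.conf may contain several of
# these, so appending one adds the listener without editing existing text.
# Every sender must be in allowed-ips. Behind VirtualBox NAT the host forwards
# the ASA's datagrams and they reach the guest with the NAT gateway (10.0.2.2)
# as source address, so the ASA's own IP alone is never matched.
syslog_remote_block() {
    cat <<EOF
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>${1}</allowed-ips>
    <allowed-ips>10.0.2.0/24</allowed-ips>
  </remote>
</ossec_config>
EOF
}

# Append the block unless a syslog listener already exists. Prints the number
# of syslog <connection> entries afterwards (expected: 1).
add_syslog_listener() {
    conf="$1"
    if ! grep -q '<connection>syslog</connection>' "$conf"; then
        syslog_remote_block "$ASA_IP" >> "$conf"
    fi
    grep -c '<connection>syslog</connection>' "$conf"
}

# A constructed ASA line (not a captured log) in the form the listener hands to
# analysisd; ossec-logtest prints which decoder and rule would fire for it.
asa_sample_line() {
    echo 'Jun 10 12:00:00 asa-home %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.20/51234 (192.168.1.20/51234)'
}

if [ "${1:-}" = "run" ]; then
    add_syslog_listener "$WAZUH_DIR/etc/ossec.conf"
    "$WAZUH_DIR/bin/ossec-control" restart
    asa_sample_line | "$WAZUH_DIR/bin/ossec-logtest"
fi
```

Run as `sudo ASA_IP=<asa> sh asa-syslog.sh run` on the manager. Note what allowing 10.0.2.0/24 means: every sender the host forwards looks like 10.0.2.2 to the guest, so allowed-ips no longer tells the ASA apart from anything else that reaches UDP 514 on the host. The host's port forward and firewall become the real gate, which is fine for a home lab but not a pattern to keep in production.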

This was all I had time for. Overall Wazuh seems like a very competent setup, especially at a price of zero. It does have a steep learning curve, but that is the fun part of it all.


About: Dennis Perto is an enthusiastic security analyst who places great honour in genuinely humble consulting. He believes in serving the client with expert knowledge, and in not being afraid to admit when he is not the right expert anymore. He enjoys researching vulnerabilities and exploits to advise trusted partners.

Feel free to connect with me here on LinkedIn, and follow me on Twitter: @PertoDK


Trong Hoa Dinh

Network Operation | Network Security Administrator

2 years ago

This post is so helpful for me. Thank you very much. Do you have any suggestions for endpoint security tools that integrate with Wazuh?
Ila zara

Freelance graphic designer

3 years ago

Hey, I want to change the layout of Wazuh. Any suggestions?
Adrian G.

Security Engineer at AARNet

4 years ago

Great write up Dennis. Wazuh has also been on my radar but I def need to get some hardware for the lab!

Sol Pandor

A results-driven professional helping innovative companies boost profits and secure strong returns by protecting against cyber threats. We also run a business providing short-term contractor accommodation across the UK.

4 years ago

Sounds like fun, Dennis. Currently playing with ELK and a similar steep learning curve. Still have a way to go.
