Quick Start: Getting Wazuh Up and Running in 5 Minutes
Remember that sinking feeling when you check your logs and realize something nefarious has been knocking at your door? For me, it was that night my server got hit by SSH brute-force attacks at midnight. It’s why I now prioritize security from initial setup. And a big part of that is active security monitoring.
Today, I’ll walk you through setting up Wazuh, a powerful open-source security platform, born from OSSEC. Think of it as your digital bodyguard, constantly watching over your systems. We’ll get a basic agent connected to a manager in just a few steps.
1. Setting up the Wazuh Manager (All-in-One)
For immediate deployment, we’ll install the Wazuh manager, indexer, and dashboard all on a single Linux machine. This ‘all-in-one’ approach works well for small environments or proof-of-concept setups. I’ll assume you’re using a fresh Ubuntu 22.04 LTS server with at least 4 GB of RAM and 2 CPU cores, which is what the installer checks for.
The quickest route that actually works is Wazuh’s assisted installer. It adds the repository, installs all three components plus Filebeat (which ships alerts from the manager to the indexer), generates self-signed certificates for every component, and sets random passwords for the built-in users. Doing the same by hand (adding the repository, installing wazuh-indexer, wazuh-manager, filebeat and wazuh-dashboard one at a time, running wazuh-certs-tool.sh and editing each component’s config) is documented as the step-by-step install and takes considerably longer than five minutes.
sudo apt update
sudo apt install curl -y
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash ./wazuh-install.sh -a
The -a flag selects the all-in-one deployment; add -i if you want the installer to ignore the hardware check on a small lab VM. The installer enables and starts wazuh-indexer, wazuh-manager, filebeat and wazuh-dashboard itself, so there is nothing to start by hand afterwards. Confirm that everything came up:
sudo systemctl status wazuh-indexer wazuh-manager filebeat wazuh-dashboard --no-pager
When the installer finishes it prints the dashboard URL and the generated password for the admin user. You can recover all the generated passwords later from the archive it leaves in the working directory:
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
Give it a minute or two for the indexer to finish starting, then open the Wazuh Dashboard at https://<MANAGER_IP> (port 443) and log in as admin with that password. Your browser will warn about the self-signed certificate; replace it with one from your own CA before exposing the dashboard beyond a lab. Treat wazuh-install-files.tar as a secret (it holds the CA key and every password): store it somewhere safe or delete it once the credentials are recorded. If you ever take the manual route instead, the indexer starts with admin as both username and password; change that with the wazuh-passwords-tool before the box is reachable from anywhere else.
2. Installing the Wazuh Agent on a Client
Now, let’s get an agent installed on a system you want to monitor, say another Ubuntu server.
sudo apt update
sudo apt install curl gnupg apt-transport-https -y
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo WAZUH_MANAGER="<MANAGER_IP>" apt install wazuh-agent -y
Two things differ from older guides. apt-key is deprecated on Ubuntu 22.04, so the key goes into its own keyring and the signed-by option ties it to this repository only, rather than trusting it for every source on the machine. And WAZUH_MANAGER is one of the agent package’s deployment variables: the post-install script writes that address into /var/ossec/etc/ossec.conf, so the agent is pointed at the manager before it ever starts (WAZUH_AGENT_NAME and WAZUH_AGENT_GROUP work the same way). There is no WAZUH_VERSION variable; to pin a release, name it in the package, e.g. wazuh-agent=4.7.2-1, and keep agents on the same major version as the manager and never newer than it. sudo apt-mark hold wazuh-agent stops a routine apt upgrade from moving it later.
If you skipped the variable, edit /var/ossec/etc/ossec.conf and put the manager’s IP in the <address> element of the <client><server> block (there is no <manager> element). The agent talks to the manager over TCP 1514 by default, and on first start it enrols itself through the manager’s enrollment service on TCP 1515, so both ports must be reachable from the agent:
<ossec_config>
...
<client>
<server>
<address><MANAGER_IP></address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
...
</client>
...
</ossec_config>
Finally, enable and start the agent:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
After a few moments the agent should appear in the Wazuh Dashboard under ‘Agents’ with status Active. If it doesn’t, check the agent side first: sudo tail -n 20 /var/ossec/logs/ossec.log should show a “Connected to the server” line, and an enrollment error there usually means TCP 1515 is blocked or the manager’s enrollment service is disabled. Then check the manager: sudo /var/ossec/bin/agent_control -l lists every registered agent and its state. Congratulations, you’re now monitoring your first host!
Deep Dive: Understanding Wazuh’s Core Capabilities
Wazuh isn’t just a fancy log viewer; it’s a comprehensive security platform. Understanding its core functions will help you fully utilize its potential.
Agent-Manager Architecture
Wazuh operates using an agent-manager architecture. Agents installed on endpoints (servers, laptops, containers) collect security data such as logs, file integrity events, the installed-package inventory and configuration-check results, and forward it to a central Wazuh manager over an encrypted channel, TCP 1514 by default. The manager runs that data through its decoders and rule set (and, for vulnerability detection, compares package inventories against the CVE feeds it downloads) and writes the resulting alerts to /var/ossec/logs/alerts/alerts.json. Filebeat ships those alerts to the Wazuh indexer (an OpenSearch-based store), and the Wazuh dashboard (built on OpenSearch Dashboards) visualises them and talks to the manager’s REST API on port 55000 for agent management.
Key Features that Matter
- File Integrity Monitoring (FIM): This is a lifesaver. Wazuh’s syscheck module monitors critical system files and directories for changes, in real time where you ask for it. If a configuration file gets tampered with, or an attacker drops a suspicious file, you’ll know immediately. I use this to track changes to /etc/passwd, /etc/sudoers, and web server configuration files.
- Log Data Analysis: Every event on your system generates a log. Wazuh aggregates and analyses logs from operating systems, applications, and network devices, looking for patterns that indicate security incidents, errors, or policy violations. Think failed SSH logins, firewall denials, or suspicious process executions.
- Intrusion Detection: By combining log analysis with rootcheck scans and, where you feed them in, auditd events, Wazuh can detect common attack patterns, rootkit installations, and other activity indicative of an intrusion.
- Vulnerability Detection: The agent’s syscollector module inventories the packages installed on each endpoint; the manager’s vulnerability detector compares that inventory against CVE feeds from the OS vendors and the NVD and reports matches, helping you prioritise patching.
- Security Configuration Assessment (SCA): Wazuh assesses the configuration of your systems against hardening baselines (CIS Benchmarks, for most supported platforms), identifying misconfigurations that could be exploited.
- Compliance: Rules are tagged with the controls they relate to in PCI DSS, GDPR, HIPAA, NIST 800-53 and others, so the dashboard can show your posture per standard and you can generate reports from it.
Rules and Decoders: The Brains Behind the Operation
Wazuh uses a rule-based engine. Decoders first parse raw log data into structured fields (source IP, user, program name and so on). Rules then evaluate those fields against their conditions; a rule can also depend on a parent rule having matched (if_sid), or on the same parent matching a given number of times within a timeframe from the same source. Each rule carries a level from 0 to 15, and the manager writes an alert to /var/ossec/logs/alerts/alerts.json whenever the matched level is at or above log_alert_level (3 by default). For example, a decoder extracts the source IP and username from an SSH login attempt; one rule flags a single failure, and a second, higher-level rule fires if the first one matches more than 5 times from the same IP within a minute.
Advanced Usage: Customizing Your Security Posture
Once you’ve got the basics down, you’ll want to tailor Wazuh to your specific environment and threat model.
Crafting Custom Rules
While the built-in rules are extensive, every environment has unique needs. Perhaps you have a custom application logging critical security events, or you need to track access to a very specific file. This is precisely where custom rules become invaluable. You define them in /var/ossec/etc/rules/local_rules.xml on the manager (custom decoders go in /var/ossec/etc/decoders/local_decoder.xml). That file is loaded after the stock ruleset, which is what lets a custom rule build on a built-in one through <if_sid>. Custom rule IDs must fall in the 100000-120000 range reserved for users, and to change a stock rule you redefine it under its own ID with the overwrite="yes" attribute rather than adding a competing rule.
Here’s an example of a simple custom rule to alert if a specific user (e.g., devops_admin) logs into the system:
<group name="local,syslog,sshd,">
<rule id="100001" level="7">
<if_sid>5715</if_sid> <!-- sshd: authentication success -->
<user>^devops_admin$</user>
<description>User devops_admin logged into the system.</description>
<group>authentication_success,pci_dss_10.2.5,pci_dss_10.6.1,gdpr_IV.35.7,nist_800_53_AU.12,nist_800_53_AC.7,</group>
</rule>
</group>
The parent here is 5715, Wazuh’s “sshd: authentication success” rule (5500 is the PAM grouping rule, which would fire on far more than SSH logins), and <user> matches the username the sshd decoder extracted. Before restarting anything, feed a sample line such as “Accepted publickey for devops_admin from 10.0.0.5 port 50000 ssh2” to sudo /var/ossec/bin/wazuh-logtest on the manager and confirm that rule 100001 is the one reported. Then restart the Wazuh manager so the rule goes live: sudo systemctl restart wazuh-manager.
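To make the decoder, rule and alert flow described above, and the custom rule just defined, concrete, here is a toy model of that pipeline in Python. This is an added illustration, not Wazuh code: the decoder regexes and rule predicates are simplified stand-ins for Wazuh’s sshd decoders and rules, and the frequency counting is simplified as well. Rule IDs 5710, 5712, 5715 and 5716 are Wazuh’s real sshd rule IDs, 5712’s threshold (8 matches of 5710 within 120 seconds from one source) is the stock value, 100001 is the custom rule above, and the log lines are constructed for the example.

```python
"""Toy model of Wazuh's decoder -> rule -> alert pipeline (added example, not Wazuh code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoder stage. These regexes are simplified stand-ins for Wazuh's sshd decoders.
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"^Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port")
ACCEPTED = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port")
EPOCH = datetime(1900, 1, 1)  # strptime defaults to year 1900; only time deltas matter here


def decode(line):
    """Turn one raw sshd syslog line into named fields, or None if no decoder matches."""
    head = SYSLOG.match(line)
    if not head:
        return None
    ts = (datetime.strptime(head["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
    for event, pattern in (("failed", FAILED), ("accepted", ACCEPTED)):
        m = pattern.match(head["msg"])
        if m:
            invalid = event == "failed" and bool(m.group("invalid"))
            return {"ts": ts, "event": event, "invalid": invalid,
                    "dstuser": m["user"], "srcip": m["srcip"]}
    return None


# Single-event rules, evaluated in order; the first match wins.
# (id, level, description, predicate over decoded fields)
SINGLE_RULES = [
    (5710, 5, "sshd: attempt to login using a non-existent user",
     lambda f: f["event"] == "failed" and f["invalid"]),
    (5716, 5, "sshd: authentication failed.",
     lambda f: f["event"] == "failed" and not f["invalid"]),
    (5715, 3, "sshd: authentication success.",
     lambda f: f["event"] == "accepted"),
]
# <if_sid> children: only tried when the named parent just matched, and they replace it.
# (id, level, description, parent id, predicate)
CHILD_RULES = [
    (100001, 7, "User devops_admin logged into the system.", 5715,
     lambda f: f["dstuser"] == "devops_admin"),
]
# <if_matched_sid> + <frequency> + <timeframe> + <same_source_ip> rules.
# (id, level, description, parent id, frequency, timeframe in seconds)
FREQ_RULES = [
    (5712, 10, "sshd: brute force trying to get access to the system.", 5710, 8, 120),
]


class RuleEngine:
    """Holds the per-source sliding windows that frequency rules need."""

    def __init__(self):
        self.windows = defaultdict(deque)  # (rule id, srcip) -> parent-match timestamps

    def process(self, line):
        """Return the alert for one raw line, or None if nothing decoded or matched."""
        f = decode(line)
        if f is None:
            return None
        hit = next(((rid, lvl, desc) for rid, lvl, desc, pred in SINGLE_RULES if pred(f)), None)
        if hit is None:
            return None
        for rid, lvl, desc, parent, pred in CHILD_RULES:
            if parent == hit[0] and pred(f):
                hit = (rid, lvl, desc)
        for rid, lvl, desc, parent, frequency, timeframe in FREQ_RULES:
            if parent != hit[0]:
                continue
            win = self.windows[(rid, f["srcip"])]
            win.append(f["ts"])
            while f["ts"] - win[0] > timeframe:  # drop parent matches older than the window
                win.popleft()
            if len(win) >= frequency:
                hit = (rid, lvl, desc)
                win.clear()  # count afresh, so one burst yields one 5712 rather than many
        rid, lvl, desc = hit
        return {"rule_id": rid, "level": lvl, "description": desc,
                "srcip": f["srcip"], "dstuser": f["dstuser"]}


def run(lines):
    """Run the pipeline over raw log lines and return the alerts in order."""
    engine = RuleEngine()
    return [alert for alert in map(engine.process, lines) if alert is not None]


# Constructed sample log (not captured data): eight invalid-user failures from one
# address within 49 s, one stray root failure from elsewhere, a real devops_admin
# login, and a PAM session line that this stand-in decoder does not understand.
SAMPLE_LOG = [
    f"Jan 10 00:00:{i * 7:02d} web1 sshd[41{i}]: Failed password for invalid user admin "
    f"from 203.0.113.9 port 5{i}000 ssh2"
    for i in range(8)
] + [
    "Jan 10 00:00:58 web1 sshd[4199]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "Jan 10 00:01:30 web1 sshd[4200]: Accepted publickey for devops_admin from 10.0.0.5 "
    "port 50000 ssh2: ED25519 SHA256:c29tZXRoaW5n",
    "Jan 10 00:01:31 web1 sshd[4200]: pam_unix(sshd:session): session opened for user devops_admin(uid=1001) by (uid=0)",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"rule {alert['rule_id']:>6} level {alert['level']:>2} {alert['srcip']:<14} {alert['description']}")
```

Run it as a script and it prints one alert per decoded line. The two things worth noticing are that the eighth failure from 203.0.113.9 is reported as 5712 rather than as yet another 5710, which is what the frequency, timeframe and same_source_ip options do in a real rule, and that 100001 only fires after its parent 5715 matched, which is how if_sid behaves. To test the real rules rather than a model, use wazuh-logtest on the manager.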
Integrations: Taking Action on Alerts
An alert is only useful if someone sees it. Wazuh can integrate with various external tools for notifications and automation:
- Email: Basic but effective. Configured in the <global> section of /var/ossec/etc/ossec.conf; by default only alerts at level 12 or above are mailed.
- Messaging Platforms: Integrate with Slack, Microsoft Teams, or Telegram for real-time notifications. Wazuh ships integrations for Slack, PagerDuty, VirusTotal, Shuffle and Maltiverse; anything else goes through the same integrator module with a small custom-* script you drop into /var/ossec/integrations.
- SIEM/SOAR Tools: In larger organisations, it’s common to feed Wazuh alerts into a centralised SIEM (Security Information and Event Management) like Splunk or a dedicated Elastic Stack (if not using Wazuh’s integrated indexer and dashboard). Alternatively, alerts can go to a SOAR (Security Orchestration, Automation, and Response) platform.
- Ticketing Systems: Automatically create tickets in Jira or ServiceNow for critical alerts.
For example, to send alerts to a Slack channel, add an integration block inside <ossec_config> on the manager:
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX</hook_url>
<level>10</level> <!-- Only send alerts with level 10 or higher -->
<alert_format>json</alert_format> <!-- required for the slack integration -->
</integration>
Restart wazuh-manager afterwards. The hook URL above is Slack’s placeholder format, not a real webhook. Treat yours as a credential, since anyone holding it can post into the channel, and keep ossec.conf readable only by root and the wazuh group. You can narrow the feed further with <rule_id> or <group> filters instead of, or alongside, <level>.
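When none of the shipped integrations fit, the “small script” mentioned above looks like the following. This is an added example, not one of the scripts Wazuh ships: it follows the documented contract for custom integrations, in which the manager runs the script as <script> <alert_json_file> <api_key> <hook_url> for each alert that passes the <integration> block’s filters, and with <alert_format>json</alert_format> the file holds the alert as JSON. The script name custom-slack-brief, the message layout and the sample alert are my choices; the alert is constructed in the shape the manager writes, not a captured record.

```python
#!/usr/bin/env python3
"""Custom integration script for Wazuh's integrator module (added example).

Deploy as /var/ossec/integrations/custom-slack-brief (owner root:wazuh, mode 750)
and reference it with <name>custom-slack-brief</name>; the manager then passes
<hook_url> as the third argument. The name must start with "custom-".
"""
import json
import sys
import urllib.request


def load_alert(path):
    """Read the alert the manager wrote for this invocation."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def build_payload(alert, min_level=10):
    """Turn a Wazuh alert into a Slack webhook payload, or None if below min_level.

    The <level> filter in ossec.conf already gates what reaches us; min_level is a
    second guard so a misconfigured block cannot flood the channel.
    """
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    if level < min_level:
        return None
    agent = alert.get("agent", {}).get("name", "manager")
    data = alert.get("data", {})
    fields = [
        ("Rule", f"{rule.get('id', '?')}: {rule.get('description', '')}"),
        ("Level", str(level)),
        ("Agent", agent),
    ]
    if "srcip" in data:
        fields.append(("Source IP", data["srcip"]))
    if "dstuser" in data:
        fields.append(("User", data["dstuser"]))
    # Keep the raw log short: Slack truncates long attachments, and the full
    # record is in alerts.json and the indexer anyway.
    full_log = alert.get("full_log", "")[:300]
    return {
        "text": f":rotating_light: Wazuh level {level} alert on {agent}",
        "attachments": [{
            "color": "danger" if level >= 12 else "warning",
            "fields": [{"title": t, "value": v, "short": True} for t, v in fields],
            "footer": full_log,
        }],
    }


def post(hook_url, payload):
    """POST the payload to the Slack incoming webhook; raises on HTTP errors."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(argv):
    # argv[1] alert file, argv[2] api key (unused for Slack), argv[3] hook url
    if len(argv) < 4:
        sys.stderr.write("usage: custom-slack-brief <alert_file> <api_key> <hook_url>\n")
        return 2
    payload = build_payload(load_alert(argv[1]))
    if payload is None:
        return 0
    post(argv[3], payload)
    return 0


# Constructed alert in the shape the manager writes (trimmed; not a captured record).
SAMPLE_ALERT = {
    "timestamp": "2024-01-10T00:00:49.000+0000",
    "rule": {"level": 10, "id": "5712",
             "description": "sshd: brute force trying to get access to the system.",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"id": "001", "name": "web1"},
    "data": {"srcip": "203.0.113.9", "dstuser": "admin"},
    "full_log": "Jan 10 00:00:49 web1 sshd[417]: Failed password for invalid user admin "
                "from 203.0.113.9 port 57000 ssh2",
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Before wiring it into ossec.conf, run it by hand as the wazuh user with a copy of a real alert written to a temporary file and a test webhook; the manager logs integration failures to /var/ossec/logs/integrations.log, which is the first place to look when nothing arrives in the channel.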
Active Response: Fight Back Automatically
This is where Wazuh goes from passive monitoring to active defence. Active response lets the manager run predefined scripts on agents (or on the manager itself) in response to specific alerts. For instance, if an IP address trips the SSH brute-force rule (5712), Wazuh can block it at the host firewall on the affected machine, which is what Fail2Ban does, but centralised and policy-driven.
You wire it up in two parts of the manager’s ossec.conf: a <command> block that names an executable under /var/ossec/active-response/bin/ (the stock ones include firewall-drop, which uses iptables, and host-deny) and says whether it accepts a timeout, and an <active-response> block that binds that command to rule IDs, levels or groups, a <location> (local, the agent that raised the alert; server; defined-agent; or all) and a <timeout> in seconds after which the action is reverted. Two cautions from experience: an attacker who can make you block a spoofed or shared source address has a free denial-of-service lever, so use short timeouts and put your own management ranges in <white_list> under <global>; and run the script by hand with a sample input before letting the manager trigger it unattended.
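For anything the stock firewall-drop does not cover you write your own script, and the part that catches people out is the handshake. The following is an added example, not one of Wazuh’s scripts: it implements the JSON-over-stdin protocol Wazuh 4.x uses for custom active-response executables, in which the manager sends {"command": "add", ...} when the trigger rule fires and {"command": "delete", ...} when the <timeout> expires, and a stateful script must answer "add" with a check_keys message naming the keys it is about to act on and wait for the manager’s "continue" or "abort" before doing anything (that is how duplicate blocks for an already-blocked address are avoided). The file name custom-block-ip.py, the INPUT chain and the sample messages are my choices; the messages are constructed in the documented shape, not captured traffic.

```python
#!/usr/bin/env python3
"""Stateful custom active-response script for Wazuh 4.x (added example).

Install as /var/ossec/active-response/bin/custom-block-ip.py (root:wazuh, 750),
declare a <command> whose <executable> is that file name with
<timeout_allowed>yes</timeout_allowed>, and bind it to rule 5712 (SSH brute
force) in an <active-response> block with a <timeout>.
"""
import ipaddress
import json
import subprocess
import sys

NAME = "custom-block-ip"


def parse_request(line):
    """Return (command, srcip) from the manager's JSON; srcip is None if unusable.

    The address comes from decoded log data, i.e. from an attacker-controlled
    string, so it is validated as an IP before it goes anywhere near a command.
    """
    req = json.loads(line)
    srcip = req.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    try:
        srcip = str(ipaddress.ip_address(srcip)) if srcip else None
    except ValueError:
        srcip = None
    return req.get("command"), srcip


def check_keys_message(keys):
    """The handshake a stateful script sends before acting on its keys."""
    return json.dumps({
        "version": 1,
        "origin": {"name": NAME, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": keys},
    })


def firewall_rule(action, srcip):
    """argv to insert (-I) or remove (-D) a DROP rule for srcip."""
    table = "ip6tables" if ":" in srcip else "iptables"
    return [table, action, "INPUT", "-s", srcip, "-j", "DROP"]


def handle(request_line, write, read_reply, run):
    """Process one request from the manager and return what was done.

    write/read_reply are the stdout/stdin channel to the manager and run executes
    an argv; they are parameters so the state machine can be exercised without root.
    """
    command, srcip = parse_request(request_line)
    if srcip is None:
        return "ignored"
    if command == "add":
        write(check_keys_message([srcip]))
        reply = json.loads(read_reply())
        if reply.get("command") != "continue":
            return "aborted"  # the manager says this key is already being handled
        run(firewall_rule("-I", srcip))
        return f"blocked {srcip}"
    if command == "delete":
        run(firewall_rule("-D", srcip))
        return f"unblocked {srcip}"
    return "ignored"


def main():
    result = handle(
        sys.stdin.readline(),
        lambda msg: print(msg, flush=True),
        sys.stdin.readline,
        lambda argv: subprocess.run(argv, check=True),
    )
    # The stock scripts append to /var/ossec/logs/active-responses.log; stderr
    # keeps this example self-contained.
    sys.stderr.write(f"{NAME}: {result}\n")


# Constructed messages in the documented shape (not captured from a manager).
SAMPLE_ADD = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {"extra_args": [],
                   "alert": {"rule": {"id": "5712", "level": 10},
                             "data": {"srcip": "203.0.113.9"}},
                   "program": NAME},
})
SAMPLE_CONTINUE = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "continue", "parameters": {},
})

if __name__ == "__main__":
    main()
```

Testing by hand is simple because the protocol is just lines on stdin: pipe the "add" message followed by a "continue" reply into the script and watch the iptables rule appear, then pipe a "delete" message and watch it go. The ipaddress check is the security-relevant line: decoded fields are attacker-influenced, and an active-response script runs as root.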
Practical Tips for a Robust Security Posture
Getting Wazuh deployed is the first step. To truly benefit, you need to embed it into your security operations.
- Don’t Drown in Alerts – Tune Them: Initially, you will get a lot of noise. Tune your rules: lower or silence low-priority alerts that nobody will act on, and raise the level of the ones that matter in your environment. Focus on what truly indicates a breach or misconfiguration. Use the dashboard to find the rules that fire most, then decide rule by rule whether to overwrite the level, add an exclusion, or leave it.
- Baseline Your Systems: Understand what ‘normal’ looks like, because that is what makes anomalies visible. If your web server suddenly starts executing commands from /tmp when it never did before, that’s a huge red flag, but only if you know it never did before.
- Regularly Review Your Alerts: Don’t just set it and forget it. Integrate alert review into your daily or weekly routine. This helps you understand your threat landscape and spot evolving attack patterns.
- Keep Wazuh Updated: New vulnerabilities and attack techniques emerge daily. Keeping your manager and agents updated gets you the latest rules, decoders, and features; upgrade the manager first, since agents must not run a newer version than it.
- Think About Agent Deployment Automation: For larger environments, manually installing agents is a pain. Use configuration management such as Ansible, Puppet, or Chef to automate agent deployment and configuration; Wazuh maintains Ansible playbooks for exactly this, and the deployment variables shown earlier are what those tools feed.
- Backup Your Configuration: Your manager’s configuration (ossec.conf, rules, decoders, the agent keys in /var/ossec/etc/client.keys, and the certificates and passwords the installer generated) is critical. Back it up regularly, and protect the backup, since it contains secrets.
- Monitor Wazuh Itself: Yes, monitor your security monitoring solution. Make sure agents are checking in (the dashboard shows disconnected agents, and agent_control -l on the manager lists their state), manager services are running, and the indexer isn’t running out of disk.
Implementing a tool like Wazuh requires an ongoing commitment, but the peace of mind and enhanced security posture it provides are invaluable. It lets you shift from reactively fixing issues after they’ve caused damage to proactively detecting and even preventing them. Happy securing!

