How to Install and Configure Wazuh on AnonVM for Security Monitoring

Wazuh is an open-source security monitoring platform for threat detection, compliance monitoring, and incident response. It is widely used to monitor the security of IT infrastructures by analyzing log data, detecting vulnerabilities, and correlating events. Wazuh integrates with SIEM systems like Elasticsearch and Kibana to provide a comprehensive solution for security visibility. This tutorial will guide you through installing and configuring Wazuh on AnonVM.


Table of Contents

  1. Prerequisites
  2. What is Wazuh?
  3. Installing Wazuh on AnonVM
  4. Configuring the Wazuh Manager
  5. Installing the Wazuh Agent
  6. Integrating Wazuh with Elasticsearch and Kibana
  7. Using the Wazuh Dashboard for Monitoring
  8. Conclusion

1. Prerequisites

Before installing Wazuh on AnonVM, ensure that you have the following:

  • Operating System: Ubuntu/Debian or CentOS/RHEL-based OS.
  • Root or Sudo Access: You need root privileges to install and configure Wazuh.
  • Internet Connection: To download necessary packages and dependencies.
  • Elasticsearch and Kibana: Wazuh integrates with Elasticsearch and Kibana for data storage and visualization. Ensure these are either already installed or ready for installation.

2. What is Wazuh?

Wazuh is a comprehensive security monitoring solution that performs real-time analysis of security events and provides extensive threat detection, vulnerability detection, and log data analysis. Its key features include:

  • Intrusion Detection: Detect suspicious activity and potential threats.
  • Log Data Analysis: Analyze logs to detect anomalies or security incidents.
  • Vulnerability Detection: Monitor system vulnerabilities and configurations.
  • Compliance Monitoring: Verify compliance with industry standards like PCI DSS, HIPAA, and more.
  • Alerting and Response: Trigger alerts based on predefined security rules.

Wazuh can be integrated with Elasticsearch for data storage and Kibana for visualizing security data, providing a full security information and event management (SIEM) solution.


3. Installing Wazuh on AnonVM

Step 1: Update the System

Start by updating your system to ensure all packages are up-to-date.

For Ubuntu/Debian:

 
sudo apt update && sudo apt upgrade -y

For CentOS/RHEL:

 
sudo yum update -y

Step 2: Install the Wazuh Manager

The Wazuh Manager is the central component of the system that processes logs and security events from agents and other devices.

For Ubuntu/Debian:

  1. Add the Wazuh repository (import the signing key, then add the apt source):

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

  2. Install Wazuh Manager:

sudo apt update
sudo apt install wazuh-manager -y

For CentOS/RHEL:

  1. Add the Wazuh repository (each key of the .repo file must be on its own line, so write it with a heredoc rather than a single echo):

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo rpm --import -
sudo tee /etc/yum.repos.d/wazuh.repo <<'EOF'
[wazuh]
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
EOF

  2. Install Wazuh Manager:

sudo yum install wazuh-manager -y

Step 3: Start and Enable the Wazuh Manager

Once installed, start and enable the Wazuh Manager service to ensure it runs at boot:

sudo systemctl start wazuh-manager
sudo systemctl enable wazuh-manager

4. Configuring the Wazuh Manager

The Wazuh Manager needs to be configured to work properly. Most configuration is done through the ossec.conf file, which on a Linux manager is located at:

/var/ossec/etc/ossec.conf

You can adjust various parameters in this configuration file, such as enabling/disabling log collection, configuring email alerts, and setting up integration with other tools like Elasticsearch and Kibana.

After making changes to the configuration file, restart the Wazuh Manager to apply the changes:

 
sudo systemctl restart wazuh-manager

5. Installing the Wazuh Agent

The Wazuh Agent is installed on the systems that you want to monitor. It sends logs and security events to the Wazuh Manager.

Step 1: Install the Wazuh Agent on Client Machines

Follow similar steps to install the Wazuh agent on your monitored machines. For example, on Ubuntu:

 
sudo apt install wazuh-agent -y

On CentOS:

 
sudo yum install wazuh-agent -y

Step 2: Configure the Agent

Edit the agent configuration file, which on a Linux agent is located at:

/var/ossec/etc/ossec.conf

In the configuration file, set the address of your Wazuh Manager inside the <client> block (Wazuh 4.x uses a <server> element with an <address> child):

<client>
  <server>
    <address>MANAGER_IP_ADDRESS</address>
  </server>
</client>

Replace MANAGER_IP_ADDRESS with the IP address (or resolvable hostname) of your Wazuh Manager.
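As an added example (not from this tutorial or the Wazuh project), the shell functions below make the Step 2 edit on an agent's ossec.conf: they validate the manager address, rewrite the <client><server><address> value in place, and confirm the result before the agent is restarted. The function names and the sample configuration are constructed for the demonstration; the real file on an agent is /var/ossec/etc/ossec.conf.

```shell
set -eu

# Accept a dotted-quad IPv4 address (each octet 0-255) or a DNS hostname.
valid_manager_address() {
    addr=$1
    if printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        for octet in $(printf '%s' "$addr" | tr . ' '); do
            [ "$octet" -le 255 ] || return 1
        done
        return 0
    fi
    # Hostname: labels of letters, digits and hyphens, joined by dots.
    printf '%s\n' "$addr" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Rewrite the <address> inside <client><server> of the given ossec.conf.
# The path is a parameter so the function can be exercised on a scratch
# copy; on a real agent pass /var/ossec/etc/ossec.conf.
set_manager_address() {
    conf=$1
    addr=$2
    valid_manager_address "$addr" || { echo "invalid manager address: $addr" >&2; return 1; }
    grep -q '<address>' "$conf" || { echo "no <client><server><address> element in $conf" >&2; return 1; }
    sed -i "s#<address>[^<]*</address>#<address>${addr}</address>#" "$conf"
    # Verify the edit landed; a failing grep returns non-zero to the caller.
    grep -q "<address>${addr}</address>" "$conf"
}

# Constructed minimal agent configuration, used for demonstration only
# (assumed layout, not a file shipped by the tutorial).
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP_ADDRESS</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
}
```

After a successful set_manager_address on the real file, restart the agent with systemctl as in Step 3; an invalid address leaves the file untouched.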

Step 3: Start and Enable the Wazuh Agent

After configuring the agent, start and enable it to run at boot:

sudo systemctl start wazuh-agent
sudo systemctl enable wazuh-agent

6. Integrating Wazuh with Elasticsearch and Kibana

Wazuh can be integrated with Elasticsearch for storing event data and Kibana for visualizing security data. To do this, you’ll need to install and configure Wazuh Indexer and Wazuh App for Kibana.

Step 1: Install Elasticsearch and Kibana

Follow the official documentation to install Elasticsearch and Kibana on your server.

Step 2: Install the Wazuh App for Kibana

  1. Download and install the Wazuh app for Kibana:

sudo /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/kibana/wazuh-app-4.3.0_7.10.2.zip

  2. Restart Kibana to load the plugin:

sudo systemctl restart kibana

Step 3: Configure Wazuh Indexer

Install and configure the Wazuh Indexer to send event data to Elasticsearch:

# For Ubuntu/Debian
sudo apt install wazuh-indexer -y

# For CentOS/RHEL
sudo yum install wazuh-indexer -y

Configure the Wazuh indexer settings in the /etc/wazuh-indexer/wazuh-indexer.yml file and restart the service:

 
sudo systemctl restart wazuh-indexer

7. Using the Wazuh Dashboard for Monitoring

Once everything is set up, you can use the Wazuh Dashboard in Kibana to monitor the security data.

  1. Open Kibana and go to the Wazuh app.

  2. You will see an overview of your system’s security events, including dashboards for:

    • Security events and alerts.
    • Compliance status.
    • Vulnerabilities.
    • System audit logs.
  3. You can filter, search, and analyze security events to get insights into your system’s security posture.


8. Conclusion

In this tutorial, we covered how to install and configure Wazuh on your AnonVM server for monitoring and analyzing security events. We installed the Wazuh Manager, set up the Wazuh Agent on client machines, integrated Wazuh with Elasticsearch and Kibana, and configured the Wazuh dashboard for easy access to security data.

By using Wazuh, you can ensure proactive monitoring of your infrastructure, detect threats, and maintain compliance with industry standards. The Wazuh platform provides a scalable and robust solution for enterprises and security professionals to manage and mitigate security risks.
