:Install
# find last version
project: https://github.com/wazuh/wazuh-docker
#install git
git clone https://github.com/wazuh/wazuh-docker.git -b v4.12.0
cd wazuh-docker/single-node/
#change the dashboard host port 443 (left side of the mapping) to your port
#modify the indexer memory limit: -Xms/-Xmx 1g to 8g, no more than 50% of host RAM
modify docker-compose.yml
sudo docker-compose -f generate-indexer-certs.yml run --rm generator
#-d runs in the background
sudo docker-compose up -d
#firewall config (9200 indexer and 55000 API should only be reachable from trusted hosts; prefer ufw rules with a source address)
TCP *9200, *1514, *1515, x 1516 (cluster only, not needed for single-node), *514, *55000, *9443
UDP x1514 (not needed), *514
sudo ufw allow 9200/tcp
sudo ufw allow 1514/tcp
sudo ufw allow 1515/tcp
#sudo ufw allow 1516/tcp x
sudo ufw allow 514/tcp
sudo ufw allow 55000/tcp
sudo ufw allow 9443/tcp
#sudo ufw allow 1514/udp x
sudo ufw allow 514/udp
#open https://ip:your_port (no port if 443) and check status
#log in with the default account admin / SecretPassword, then change the default credentials
:Agent install, Windows or Ubuntu
Windows: install the agent and set the manager address to the Wazuh IP before starting the service
Linux:
linux agent: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html
sudo -s
#check that curl is installed
GPG Key:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
REPO:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
CONFIG (legacy alternative, only if the signed-by repo above does not work; apt-key is deprecated):
sudo apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
#echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
INSTALL: replace 0.0.0.0 with your Wazuh manager IP
WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent
#if the error "The list of sources could not be read." appears:
sudo nano /etc/apt/sources.list.d/wazuh.list, keep only one line as below (the signed-by path must match the keyring imported above):
deb [signed-by=/etc/apt/keyrings/wazuh-archive-keyring.gpg] https://packages.wazuh.com/4.x/apt/ stable main
sudo apt-get update
WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent
SERVICE:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
STOP UPDATES: pin the agent package; agent updates are done from the manager control panel
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
echo "wazuh-agent hold" | dpkg --set-selections
=================
sudo nano /var/ossec/etc/ossec.conf
#set the manager address under <ossec_config>
<client>
<server>
<address>Wazuh_IP</address>
sudo tail -f /var/ossec/logs/ossec.log
:flooded
connect to the Wazuh server
sudo docker ps, note the container NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash
#yum install nano -y
nano /var/ossec/etc/ossec.conf
# raise the default value 3 to 5
<alerts>
<log_alert_level>5</log_alert_level>
</alerts>
#create groups: Server, Linux(Server), ... ; default holds the PCs
:general device
cd /var/ossec/etc/shared/default
nano internal_options.conf
#file content as below
agent.buffer_send_interval=300
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768
#optional: add the following if needed
logall=no
log_level=2
rule_level=5
log_alert_level=5
:import device
cd /var/ossec/etc/shared/[Group Name]
nano internal_options.conf
#file content as below
agent.buffer_send_interval=60
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768
#optional: add the following if needed
logall=no
log_level=2
/var/ossec/bin/wazuh-control restart
:client update
on the agent host
/var/ossec/bin/agent_control -u
tail -n 50 /var/ossec/logs/ossec.log
look for INFO: Downloaded file '/default/internal_options.conf'
:alarm log
connect to the Wazuh server
sudo docker ps, note the container NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash
cd /var/ossec/etc/rules
nano local_rules.xml
# rule ids must be unique and in the local range: 110001, 110002, ...
<group name="windows,byself">
<rule id="110001" level="0">
<if_sid>parent Wazuh rule id</if_sid>
<match>keyword to match in full_log</match>
<description>event info</description>
<group>byself</group>
</rule>
</group>
/var/ossec/bin/wazuh-control restart
nano /var/ossec/etc/ossec.conf
# raise the default value 3 to 5
<alerts>
<log_alert_level>5</log_alert_level>
</alerts>
#create groups: Server, Linux(Server), ... ; default holds the PCs
:general device
cd /var/ossec/etc/shared/default
nano internal_options.conf
#file content as below
agent.buffer_send_interval=300
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768
#optional: add the following if needed
logall=no
log_level=2
rule_level=5
log_alert_level=5
:import device
cd /var/ossec/etc/shared/[Group Name]
nano internal_options.conf
#file content as below
agent.buffer_send_interval=60
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768
#optional: add the following if needed
logall=no
log_level=2
/var/ossec/bin/wazuh-control restart
:client update
on the agent host
/var/ossec/bin/agent_control -u
tail -n 50 /var/ossec/logs/ossec.log
look for INFO: Downloaded file '/default/internal_options.conf'
:alarm log
connect to the Wazuh server
sudo docker ps, note the container NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash
cd /var/ossec/etc/rules
nano local_rules.xml
# rule ids must be unique and in the local range: 110001, 110002, ...
<group name="windows,byself">
<rule id="110001" level="0">
<if_sid>parent Wazuh rule id</if_sid>
<match>keyword to match in full_log</match>
<description>event info</description>
<group>byself</group>
</rule>
</group>
/var/ossec/bin/wazuh-control restart