
24 Introduction to Wazuh

Maggie Lindemann

Wazuh is a free, open-source security platform that helps protect data from cyber threats. It combines Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities. Wazuh can be deployed on-premises or in the cloud. Thousands of organizations worldwide, small and large, use Wazuh to enhance their security.

LEARNING OBJECTIVES

  • Install the Wazuh VM
  • Interact with the Wazuh Dashboard
  • Install a Wazuh agent
  • Create and view alerts made by Wazuh agents

PREREQUISITES

Deliverables

  • Dashboard summary displaying two Wazuh agents operational
  • Metasploitable machine vulnerability details
  • Expanded metadata for SSH alert

Resources

Contributors and Testers

  • TBD


Phase I – Setup

While this lab expands upon Network Segmentation (Ch 37), some environmental modifications will be made, namely, replacing some of the VPCS with actual virtual machines. How long the staging takes will depend on your internet connection and how well configured your network segmentation is.

  1. Clear any firewall rules from all devices you may have implemented earlier
  2. Install the Wazuh virtual appliance from here
  3. Import the Wazuh VM to VirtualBox
    1.  Navigate to VirtualBox
    2. On the file menu, click on import appliance
    3. Use the folder to navigate to the location of your Wazuh VM download
    4. Click on next
    5. By default, Wazuh uses 4 CPU cores and 8192 MB of RAM, which is a bit hefty. Adjust these settings to 2 CPU cores and 4096 MB of RAM to economize, so that it resembles the following:
      Figure 1 – Importing the Wazuh VM appliance
  4. Integrate the Wazuh VM into your GNS3 environment in the following convention:
    1. Import the Wazuh VM into GNS3
    2. Remove both of the VLAN 10 (Marketing) VPCS machines
    3. Remove the VLAN 20 (Cyber Shop) VPCS machine that is attached to ether 10
    4. Add the Wazuh VM to ether 23; it will be in the VLAN 10 (marketing group)
      Figure 2 – Our Wazuh network environment
  5. Launch the Wazuh VM. It might hang for a bit during initialization, where you’ll see something like this for a little under a minute
    Showing boot notices
    Figure 3 Wazuh VM initializing
  6. You’ll be met with a login prompt when it finally boots; the credentials are
    USERNAME:  wazuh-user
    PASSWORD:  wazuh
  7. Run “ip a” and verify that the result matches your switch/router configurations
  8. Note down the IP address as well, as this is where our Wazuh agents will be pointing to (in this case, it’s 56.148.10.249)
    results of command ip a
    Figure 4 – results of running the command “ip a”
  9. Please navigate back to the VirtualBox manager so we can configure the Kali VM (it should not be situated within the GNS3 environment yet)
    1. We recommend performing a full clone at this time
    2. Change the new Kali VM network settings to NAT (we need internet access to install some software)
      Changing network settings to NAT
      Figure 5 – Change Kali clone VM network settings to NAT
    3. Start the new Kali VM
    4. Open terminal and open a root shell by typing

      sudo su root

    5. You should now have a root shell, where you’ll run the following:
      1. Update the package lists

        apt update

      2. Install the Wazuh package-signing key on the Kali VM by typing the following (this command will probably wrap around):

        curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

        Command and meaning:
        curl: a tool used to transfer files via URLs
        -s: silent mode, no progress bar
        https://packages.wazuh.com/key/GPG-KEY-WAZUH: the URL that contains the key file
        |: the “pipe”, which feeds the output of one command into the next command
        gpg: GNU Privacy Guard, a free, open-source software suite that encrypts and signs data and messages
        --no-default-keyring: you don’t have any keys in your home directory, so this tells gpg not to look there
        --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg: use (and create, if needed) the keyring at this path
        --import: import the downloaded key into that keyring
        && chmod 644 /usr/share/keyrings/wazuh.gpg: if the import succeeds, grant 644 file permissions to the keyring so apt can read it
      3. Add the Wazuh repository to apt (this line may wrap around):

        echo deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main | tee -a /etc/apt/sources.list.d/wazuh.list

        Command and meaning:
        echo: prints its arguments as a string
        deb: marks the entry as a repository of binary (.deb) packages
        [signed-by=/usr/share/keyrings/wazuh.gpg]: only trust packages from this repository if they are signed by the key in this keyring
        https://packages.wazuh.com/4.x/apt/: the repository URL
        stable main: the distribution (stable) and component (main) to use from that repository
        |: the “pipe”, which feeds the output of one command into the next command
        tee: reads from standard input and writes it both to the screen and to the named file
        -a: append to the file instead of overwriting it
        /etc/apt/sources.list.d/wazuh.list: the apt source file that holds the Wazuh repository entry
      4. Now that the Wazuh repository has been added, type the following to update your Kali VM
        apt update --allow-insecure-repositories
      5. Upgrade the software by typing

        apt full-upgrade

        NOTE: Sometimes the above command will not update “strongswan”, but this can be fixed by running the command "apt install --only-upgrade strongswan" immediately after.

      6. Now install the Wazuh agent, pointing it at the address you wrote down for the Wazuh VM earlier, by typing:

        WAZUH_MANAGER=x.x.x.x apt-get install wazuh-agent

        NOTE: x.x.x.x is to be replaced with whatever address you jotted down earlier when you ran “ip a” on your Wazuh VM; this is the address to which the agent you’re installing will relay its logs. The screenshot below may show “10.0.0.2” as a placeholder, but the correct address in my environment is “56.148.10.249”; yours may be different, so don’t forget to adjust accordingly.

        Wazuh manager install
        Figure 6 Wazuh manager install


      7. Reload the daemon by typing

        systemctl daemon-reload

      8. Enable the Wazuh agent to start on boot by typing

        systemctl enable wazuh-agent 

      9. Start the Wazuh agent by typing

        systemctl start wazuh-agent

      10. Check the status of the daemon by typing

        systemctl status wazuh-agent.service

        Shows status of agent
        Figure 7 – Shows status of Wazuh agent
    6. Take a snapshot of the machine using Virtualbox
      1. Click on Machine at the top left of the VirtualBox window, then select Take Snapshot
        Figure 8 – Snapshot of Kali Linux with Wazuh installed
      2. If you were successful, the snapshot name will appear in parentheses in the title bar of your virtual machine’s window, next to the machine’s usual name
        Figure 9 – Snapshot name appended to VM name
      3. Turn off the Kali VM
      4. Navigate to VirtualBox and change the network settings back to Generic Driver (UDP Tunnel)
    7. Navigate to the GNS3 workspace and import the Kali VM
    8. Add the Kali VM to VLAN 10 (Marketing) via port ether24
    9. Start the Kali VM and check its IP address by typing

      ip add

    10. It should take on an IP address from the range you set up for VLAN 10 Marketing on the router
    11. Launch Kali’s Firefox browser
    12. Enter the Wazuh Manager’s IP in the address bar (the IP you noted from the Wazuh VM earlier; 56.148.10.249 in my case)
      1.  You’ll be met with a warning screen;
        1. Select advanced
          Displays text result
          Figure 10 – Potential security threat notice
        2. Scroll down and press the button “Accept the Risk and Continue”
          Picture showing the button Accepting the Risk
          Figure 11 – Accepting the risk
      2. You’ll be met with a loading screen that may take a minute or two to load (it should be under a minute)
        Picture of the Wazuh loading screen
        Figure 12 – Picture of the Wazuh Loading Screen
      3. Eventually you will see a login screen. The credentials are:
        USERNAME: admin
        PASSWORD: admin

        Wazuh login screen
        Figure 13 – Wazuh Login Screen
      4. A successful login will greet you with a brief loading screen and a dashboard
        Login underway screen
        Figure 14 – Login underway


        Wazuh Dashboard
        Figure 15 – Wazuh dashboard
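The Kali agent-install steps from step 9 above (key import, repository entry, package install, service enablement), collected into one POSIX sh script. This is an added example, not part of the lab or of the Wazuh project; it assumes a Debian-based host, root privileges for the install step, and that the manager address passed in is the IPv4 address you noted from “ip a” on the Wazuh VM (56.148.10.249 in the lab). The address check exists so the x.x.x.x placeholder cannot be installed by mistake.

```shell
#!/bin/sh
# Added example (not the lab's own script): Phase I step 9 as one script.
# Assumes a Debian-based host and root privileges for the install step.

set -eu

KEYRING=/usr/share/keyrings/wazuh.gpg
SOURCES=/etc/apt/sources.list.d/wazuh.list
KEY_URL=https://packages.wazuh.com/key/GPG-KEY-WAZUH
REPO_URL=https://packages.wazuh.com/4.x/apt/

# Return 0 when $1 is a dotted-quad IPv4 address with each octet in 0..255,
# so the "x.x.x.x" placeholder from the lab text is rejected instead of installed.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The apt source line from step 9.5.3, pinned to the Wazuh keyring only.
sources_line() {
    printf 'deb [signed-by=%s] %s stable main\n' "$KEYRING" "$REPO_URL"
}

# Install and start the agent, enrolling it against manager $1.
install_wazuh_agent() {
    manager=$1
    if ! is_ipv4 "$manager"; then
        echo "install_wazuh_agent: '$manager' is not an IPv4 address (replace x.x.x.x)" >&2
        return 1
    fi
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo su root)" >&2; return 1; }
    # Step 9.5.2: import the Wazuh signing key into a dedicated keyring.
    curl -s "$KEY_URL" | gpg --no-default-keyring --keyring "gnupg-ring:$KEYRING" --import
    chmod 644 "$KEYRING"
    # Step 9.5.3: write (not append) the repository entry so re-runs do not duplicate it.
    sources_line > "$SOURCES"
    # Steps 9.5.4 and 9.5.6: refresh package lists and install the agent pointed at the manager.
    apt update
    WAZUH_MANAGER="$manager" apt-get install -y wazuh-agent
    # Steps 9.5.7 to 9.5.9: reload unit files, enable at boot, start now.
    systemctl daemon-reload
    systemctl enable wazuh-agent
    systemctl start wazuh-agent
    # Step 9.5.10: "active" means the daemon is running; enrollment shows on the dashboard.
    systemctl is-active wazuh-agent
}

# Usage (stand-alone): WAZUH_MANAGER=56.148.10.249 sh install-wazuh-agent.sh install
case "${1:-}" in
    install) install_wazuh_agent "${WAZUH_MANAGER:-x.x.x.x}" ;;
esac
```

Two deliberate differences from the click-through: the repository file is overwritten rather than appended with tee -a, so running the script twice does not leave duplicate entries, and apt update runs without --allow-insecure-repositories, because the source line is already tied to the imported keyring and that flag would disable exactly the signature check the key import set up. The full-upgrade from step 9.5.5 is left to the operator, since it touches every package on the system.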

Phase II – Navigating the Dashboard

The Wazuh dashboard is very intuitive. You can click around and see what tools are available.  In this phase, we will share a few basic navigation tips to practice.

  1. On the dashboard, look at the upper left and see the Agents Summary. It should indicate one active agent – our Kali VM
    Agents summary
    Figure 16 – Agents summary
  2. Clicking on “Active (1)” affords you the following view
    Agents
    Figure 17 – Agent Stats
  3. Take some time to navigate around the dashboard before moving on to Phase III

Phase III – Adding a deliberately vulnerable machine on our network

We are going to add a deliberately vulnerable machine to our network. Metasploitable 3 Windows edition will give us some interesting results.

  1. We will use the Wazuh dashboard to create the installation command needed to install the client on a Windows machine
    1. Navigate back to Endpoints Dashboard screen as we did earlier
    2. In the middle of the page, there is a horizontal menu. Locate that and click on “Deploy new agent”
    3. Since we are going to install an Agent on Windows, perform the following steps:
      1. Select Windows
        Figure 18 – Showing the selection of Windows
      2. Put in the server address (this is the IP address for the Wazuh VM)
        Showing the input of the Wazuh VM address
        Figure 19 – Inputting the Wazuh VM IP address
      3. Choose a UNIQUE name for this agent and use the default group
      4. These selections will generate a unique agent installation CLI command. Copy this command or write it down. In our example, the command generated was:

        Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.11.0-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='56.148.10.249' WAZUH_AGENT_NAME='Metasploitable'

        Tool generates the command you will need for the windows VM
        Figure 20 – The generated command is produced for us
    4. Navigate back to the VirtualBox manager
    5. Change the network settings on the Windows Metasploitable3 machine to NAT
    6. Launch your Windows Metasploitable3 VM (it should not be in GNS3) from Virtualbox
    7. The logon credentials are:
      USER: vagrant
      PASSWORD: vagrant
    8. Open Windows Powershell
      1. Wait for the Powershell to start
      2. Type or Paste the Wazuh Installation Command into Powershell
      3. If the command was successful, you should be able to see a new program (manage agent) in the Windows start menu
        Windows start menu
        Figure 21 – Windows start menu
      4. Start it to verify that it’s pointing towards your Wazuh VM’s IP
        Figure 22 – Running the Windows agent to verify the IP address
      5. Take a VM snapshot of the Metasploitable 3 VM
      6. Turn off the Metasploitable3 VM
    9. Navigate to VirtualBox manager
    10. Change the Metasploitable3 VM network settings from NAT to Generic Driver (UDP Tunnel)
    11. Import the Metasploitable3 VM  into your GNS3 environment
    12. Attach it to switch port ether10, it is going to simulate a device in the VLAN20 – Cyber Shop
    13. Your network should now look similar to this:
      A picture of the network environment of GNS3
      Figure 23 – The GNS3 environment from this example. Yours may be different.
    14. Start your Windows Metasploitable
    15. Navigate to the Windows Metasploitable3 VM
    16. Open Powershell and run

      NET START WazuhSvc

    17. You should get a response similar to the figure below indicating that it’s operational
      A picture of powershell
      Figure 24 – Powershell command and response from Metasploitable3 Windows

Phase IV – Dashboard Insights

At this point in time, your environment should now be staged and fully operational. We will now explore Wazuh’s vulnerability assessment feature, as well as its reporting capabilities by triggering some alarms.

  1. Let’s return to Kali to see the Wazuh Dashboard
  2. The Wazuh Dashboard should now display two active agents
    New updated dashboard
    Figure 24 – Wazuh Dashboard showing two active agents
  3. Let’s delve into the Windows Metasploitable3 agent and view the results by clicking on the name
  4. You should see something similar to this
    Wazuh dashboard results for Metasploitable3 Windows
    Figure 25 – Wazuh results for Metasploitable3-Windows VM
  5. Scroll down until you get to the vulnerability detection area
  6. By default, when an agent is deployed, it will automatically conduct a vulnerability assessment within its endpoint and relay findings to the Wazuh dashboard for your inspection. This action facilitates patching (or exploitation, should the dashboard fall into the wrong hands)
    Vulnerabilities detected
    Figure 26 – Vulnerabilities in our target VM by Wazuh agents
  7. Click on CRITICAL, which brings you to the following view
    list of critical vulnerabilities
    Figure 27 – List of critical vulnerabilities
  8. Select INVENTORY
    Inventory of critical vulnerabilities
    Figure 28 – Inventory of critical vulnerabilities
  9. Click on any of the vulnerability details for a closer look (the little magnifying glass to the left of each entry). They should look similar to this
    Showing critical vulnerability details
    Figure 28 – Details of one of the critical vulnerabilities
  10. Shifting gears, click on the menu icon (top left of the screen, the three lines), click on the EXPLORE menu, then select DISCOVER
    Figure 29 – Discover Menu
  11. The resulting screen from Discover should look similar to this
    The results of the discover menu
    Figure 30 – The results of the Discover menu
  12. Observe that there are a lot of alerts. We will apply a filter so we can focus on what we need
    1. Click the plus sign (+) next to Add Filter
    2. You are going to use the mouse and scroll wheel to make the following selections:
      FIELD – agent.name
      OPERATOR – is
      VALUE – metasploitable (or whatever you named your agent)
    3. Click save. This ensures only events related to our Metasploitable machine are visible, which is what we’ll be “attacking” to generate log alerts
      Figure 31 – Create a basic filtering rule
  13. Open another terminal on the Kali VM
  14. We are going to try a quick and simple SSH login “attack” against the Windows Metasploitable VM (you can try whatever username/password combination you’d like against it; it doesn’t matter). Try to SSH in a couple of times. (Editor’s note: integrate Hydra here instead once we finalize the lab for it. Homework?)
    Showing ssh login attempts
    Figure 32 – Showing SSH login attempts
  15. Please return to the Wazuh dashboard where our filter is working
  16. Hit the refresh button, and you’ll see several events have been noted
    Showing details about the login attempts
    Figure 33 – Showing details about login attempts
  17. Click on the little drop-down arrow on the left-hand side to expand the alert’s context for specifics (expanded document will become visible)
    Expanded results shown
    Figure 34 – Expanded alert details shown
  18. Scroll down the now expanded metadata until you find the “data.win.system/message” header, and click on the little drop down arrow that appears when hovering over it. You can see the failed login attempts
    Showing Failed login attempts
    Figure 35 – Showing the details of the failed login attempts
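The dashboard filter from step 12 (agent.name is metasploitable) and the message drill-down from step 18, reproduced on the command line against the manager’s own alert log. This is an added example, not part of the lab or of the Wazuh project. It assumes the manager stores alerts one JSON object per line in /var/ossec/logs/alerts/alerts.json; the lines embedded below are constructed in that shape with made-up addresses, timestamps and placeholder rule ids, so the script runs offline. Windows event ID 4625 (failed logon) is what produces the data.win.system.message text you expanded in step 18.

```shell
#!/bin/sh
# Added example (not the lab's own script): filter Wazuh alerts by agent and
# pull the failed-logon details out of the Windows event message.

set -eu

# Constructed sample in the shape of /var/ossec/logs/alerts/alerts.json.
# Values are made up; rule ids are placeholders, not real Wazuh rule ids.
sample_alerts() {
cat <<'EOF'
{"timestamp":"2024-05-01T10:00:01.000+0000","rule":{"level":5,"description":"Logon failure - unknown user or bad password.","id":"EXAMPLE-1"},"agent":{"id":"002","name":"Metasploitable","ip":"10.20.0.10"},"data":{"win":{"system":{"eventID":"4625","message":"\"An account failed to log on.\r\n\r\nAccount Name:\t\tadmin\r\nSource Network Address:\t10.10.0.5\""}}}}
{"timestamp":"2024-05-01T10:00:03.000+0000","rule":{"level":5,"description":"Logon failure - unknown user or bad password.","id":"EXAMPLE-1"},"agent":{"id":"002","name":"Metasploitable","ip":"10.20.0.10"},"data":{"win":{"system":{"eventID":"4625","message":"\"An account failed to log on.\r\n\r\nAccount Name:\t\troot\r\nSource Network Address:\t10.10.0.5\""}}}}
{"timestamp":"2024-05-01T10:00:04.000+0000","rule":{"level":3,"description":"Windows logon success.","id":"EXAMPLE-2"},"agent":{"id":"002","name":"Metasploitable","ip":"10.20.0.10"},"data":{"win":{"system":{"eventID":"4624","message":"\"An account was successfully logged on.\""}}}}
{"timestamp":"2024-05-01T10:00:05.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"EXAMPLE-3"},"agent":{"id":"001","name":"kali","ip":"10.10.0.5"},"data":{"srcip":"10.10.0.99"}}
EOF
}

# Keep only alerts whose agent.name equals $1 (the dashboard's
# "agent.name is <name>" filter). Reads alert lines on stdin.
filter_agent() {
    grep -E '"agent":\{"id":"[0-9]+","name":"'"$1"'"'
}

# Count failed Windows logons (event ID 4625) for agent $1.
# "|| true" keeps a zero count from aborting the script under set -e.
count_failed_logons() {
    filter_agent "$1" | grep -c '"eventID":"4625"' || true
}

# Extract the attempted account name from each failed-logon message,
# the same field you read by hand under data.win.system.message in step 18.
failed_logon_accounts() {
    filter_agent "$1" | grep '"eventID":"4625"' |
        sed -n 's/.*Account Name:\\t\\t\([^\\]*\).*/\1/p'
}

# Stand-alone run: sh wazuh-alerts.sh demo
# On the manager, replace "sample_alerts" with "cat /var/ossec/logs/alerts/alerts.json".
if [ "${1:-}" = "demo" ]; then
    echo "failed logons for Metasploitable: $(sample_alerts | count_failed_logons Metasploitable)"
    sample_alerts | failed_logon_accounts Metasploitable | sort | uniq -c
fi
```

The agent match is anchored on the full "agent":{"id":"…","name":"…" prefix rather than on "name" alone, because other parts of an alert (process names, file names) can carry a "name" key too; that is the same reason the dashboard filter is on agent.name and not a free-text search.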


Deliverables

Three screenshots are recommended to receive credit for completing the guided walk-through:
  • Dashboard summary displaying two Wazuh agents operational
  • Metasploitable machine vulnerability details
  • Expanded metadata for SSH alert

Homeworks

Assignment 1 – Add another device to Wazuh monitoring.
  • Replace an existing VPCS with another VM running a Linux or Windows operating system
  • Install the Wazuh agent on the new machine and perform a scan
  • Allow SSH on the new VM and make sure that failed SSH logins also provide Wazuh alerts like the example above
Assignment 2 – Configure the MikroTik Router to send log information to the Wazuh server

Use the same grading criteria as the walk-through.

End of Lab

License


Mastering Enterprise Networks 2e Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.