Let's dissect Wazuh. Part 1: Basic Installation

The topic of open source SIEM solutions comes up constantly on the Internet. Some people are interested in SIEM systems as such and want to understand this class of solutions without dealing with heavyweight and prohibitively expensive commercial SIEMs. Others are not sure they need a SIEM at all. Still others want to move away from foreign solutions that are not officially supported in Russia. And finally, many organizations simply do not have the budget to purchase a commercial SIEM (do not forget that in addition to the SIEM licenses themselves, we will also need to pay for support licenses and invest significantly in hardware).

Not many articles have been written about the open source Wazuh system on the Russian-language Internet, and most of them are general and descriptive in nature and do not go into the technical details of deploying and operating this solution.

With this article we begin a series dedicated to working with Wazuh. Today we will look at the various options for deploying Wazuh; in subsequent articles we will cover connecting Linux and Windows sources, working with correlation rules, and the other main points of using this solution as a SIEM.

Requirements for software and hardware

Before you install anything, you need to familiarize yourself with the requirements the system places on the operating system, application software and hardware.

Of course, for those who just want to "play around," deploying an all-in-one configuration and connecting a couple of sources with a test set of events, I would simply advise deploying Ubuntu 22.04 with 4 GB of RAM and 100 GB of disk and not worrying about anything else.

Production SIEM deployments, however, require a much more careful approach to resource planning: the hardware requirements depend heavily on the number of connected sources, the rate of events, and how long the events are to be retained.

If we want to deploy all SIEM components on a single node, the table below shows what hardware resources are needed to connect up to 100 sources and retain the collected events for 90 days.

However, 100 sources is not that many; moreover, the event rate may turn out to be quite high, and sooner or later there will be a need to scale. With that in mind, let's first look at the components that make up Wazuh.

Wazuh's architecture is based on agents running on monitored endpoints that forward security data to a central server. Agentless devices such as firewalls, switches, routers, and access points are also supported; they can actively send log data via syslog, SSH, or their API. The central server decodes and analyzes the incoming information and passes the results to the Wazuh indexer for indexing and storage.

A Wazuh indexer cluster is a collection of one or more nodes that communicate with each other to perform index read and write operations. Small Wazuh deployments that do not require large amounts of data processing can be easily handled by a single-node cluster. Multi-node clusters are recommended when you have a large number of monitored endpoints, when a large volume of data is expected, or when high availability is required. For production environments, it is recommended to deploy Wazuh server and Wazuh indexer on different hosts.

Wazuh dashboard is the web interface: a set of dashboards that visually present statistics on triggered alerts, events of various types, charts, and so on.

The figure below shows the Wazuh deployment architecture. It shows the components of the solution and how the Wazuh server and Wazuh indexer nodes can be configured as clusters to provide load balancing and high availability.

When deploying a solution that consists of several nodes, the question of which network ports need to be opened traditionally arises. Below is the list of ports that must be open for the nodes to communicate correctly.

As for OS requirements, at the time of writing the official documentation listed Amazon Linux 2, CentOS (7, 8), Red Hat Enterprise Linux (7, 8, 9) and Ubuntu (16.04, 18.04, 20.04, 22.04).

I think the resource requirements are clear. Next, let's look at the deployment process itself.

All in one

For learning purposes, I would recommend deploying Wazuh in the all-in-one configuration. After the ritual apt-get update && apt-get upgrade, download and run the installation script.

$ curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

The installation then proceeds automatically; what matters is that after it completes (successfully), you do not forget to save the generated password.

INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: <ADMIN_PASSWORD>
INFO: Installation finished.

After that, simply open https://<wazuh-node-name> in the browser.

Installing the components separately

The Wazuh components are installed separately in the following order: Wazuh indexer, Wazuh server, Wazuh dashboard. The requirements for deploying the indexer are as follows:

Since the indexer is responsible for storing events, disk space is critical for it. When estimating the event flow, Wazuh assumes that on average a server sends 0.25 events per second, a workstation 0.1, and a network device 0.5. So, for example, for an environment with 80 workstations, 10 servers and 10 network devices, the storage required on the Wazuh indexer node for 90 days is 230 GB. In reality, however, the number of events may differ significantly.
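To turn the figures above into a reusable capacity estimate, here is a small calculator (an added example, not Wazuh's own tooling). The per-source EPS values are the ones quoted above; the article gives no average event size, so the 2 KiB default is an assumption back-calculated from its reference figure (80 workstations, 10 servers, 10 network devices, 90 days, about 230 GB) and should be replaced with a measured value once real events are flowing.

```python
"""Wazuh indexer storage estimate based on the article's per-source event rates.
Added example; not Wazuh's own calculator. Event size is an assumption."""

SECONDS_PER_DAY = 86_400
GIB = 1024 ** 3

# Average events per second per source type, as quoted in the article.
EPS_PER_SOURCE = {
    "workstation": 0.10,
    "server": 0.25,
    "network_device": 0.50,
}

# Assumption: back-calculated from the article's 230 GB / 90 days reference.
DEFAULT_BYTES_PER_EVENT = 2048


def events_per_second(inventory: dict) -> float:
    """Total expected EPS for an inventory such as {"workstation": 80, ...}."""
    unknown = set(inventory) - set(EPS_PER_SOURCE)
    if unknown:
        raise ValueError(f"unknown source types: {sorted(unknown)}")
    return sum(EPS_PER_SOURCE[kind] * count for kind, count in inventory.items())


def storage_gib(inventory: dict, retention_days: int,
                bytes_per_event: int = DEFAULT_BYTES_PER_EVENT) -> float:
    """Indexer disk (GiB) needed to retain retention_days of events."""
    events = events_per_second(inventory) * SECONDS_PER_DAY * retention_days
    return events * bytes_per_event / GIB


def retention_days_for_disk(inventory: dict, disk_gib: float,
                            bytes_per_event: int = DEFAULT_BYTES_PER_EVENT) -> int:
    """Inverse question: how many whole days of events a given disk can hold."""
    per_day = events_per_second(inventory) * SECONDS_PER_DAY * bytes_per_event / GIB
    return int(disk_gib // per_day)


if __name__ == "__main__":
    reference = {"workstation": 80, "server": 10, "network_device": 10}
    print(f"expected rate: {events_per_second(reference):.2f} EPS")
    print(f"90 days retention: {storage_gib(reference, 90):.0f} GiB")
    print(f"a 500 GiB disk lasts: {retention_days_for_disk(reference, 500)} days")
```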

First, download the necessary files:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.7/config.yml

Next, edit ./config.yml and replace the hostname and IP placeholders with the actual node names and IP addresses. This must be done for all Wazuh server, Wazuh indexer and Wazuh dashboard nodes; add as many node entries as you need. For example:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"

Run the Wazuh installation assistant with the --generate-config-files option to generate the Wazuh cluster key, certificates, and passwords required for the installation. These files are written to ./wazuh-install-files.tar.

bash wazuh-install.sh --generate-config-files

Copy wazuh-install-files.tar to every server of the distributed deployment, including the Wazuh server, Wazuh indexer, and Wazuh dashboard nodes.

Next, run the Wazuh installation assistant with the --wazuh-indexer option and the node name to install and configure the Wazuh indexer. The node name must match the name used in config.yml during the initial configuration, for example node-1. Also make sure the copy of wazuh-install-files.tar created in the previous step is in your working directory.

bash wazuh-install.sh --wazuh-indexer node-1

Next, start the cluster.

bash wazuh-install.sh --start-cluster

Run the following command to verify that the installation was successful. Replace <ADMIN_PASSWORD> with the password obtained from the previous command and <WAZUH_INDEXER_IP> with the configured Wazuh indexer IP address:

curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200

The output should look something like this:

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

To install the server, first download the installation script as usual and then run it, specifying the server node name from the config.yml we filled in earlier.

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
bash wazuh-install.sh --wazuh-server wazuh-1

Installing the dashboard component is just as simple. Start the installation, passing the dashboard node name from config.yml (dashboard in our example).

bash wazuh-install.sh --wazuh-dashboard dashboard

On successful installation, we receive a message containing the generated password for the admin account.

To check that everything works, log in to the Wazuh console with this account.

Conclusion

In this article we looked at the various options for installing Wazuh. Our SIEM is now deployed, but no sources are connected to it yet, so it is of little use so far. In the next article we will fix this by connecting several sources to it.

I would like to invite you to the free lessons of the "SIEM Implementation Specialist" course. You can register for the classes using the links below:
