Configuring Wazuh and Kibana to Monitor Endpoints

Introduction

Wazuh is a host intrusion detection system (HIDS) capable of log analysis, file integrity checking, Windows registry monitoring, rootkit detection, and generating alerts based on a set of predefined rules.

The following picture, which was found in an article on this subject, shows the components needed for this setup. The picture is specific to OSSEC, but that is fine since Wazuh is based on OSSEC.

In order to set up Wazuh you will need an already running ELK (Elasticsearch, Logstash, Kibana) instance; instructions for this can be found in another post.

The OSSEC Manager (here the Wazuh Manager) is the core component; it interacts with the endpoints and sends logs to Logstash. A RESTful API will also be installed for the Wazuh Kibana plugin to connect to in order to visualize all of this. The OSSEC Agent is the component installed on the endpoint; in this case it will be the Wazuh agent installed on Windows.

For more information and resources where all this information was found please consult the references section.

Wazuh Configuration

Configuring Wazuh Base

This section configures the core of Wazuh by installing the Wazuh Manager and the Wazuh API component. Begin by importing the GPG key used to sign all Wazuh packages.

[user@ELKServer ~]$ sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Next, add the Wazuh repository by creating a repo file under /etc/yum.repos.d/ with the contents below.

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1

Run the following commands which will install the Wazuh Manager and enable the service so it will start up on boot.

[user@ELKServer ~]$ sudo yum install wazuh-manager
[user@ELKServer ~]$ sudo systemctl enable wazuh-manager

The Wazuh API component provides a RESTful API interface for applications to communicate with Wazuh; this is what the Kibana Wazuh plugin will use.

The Wazuh API component runs on NodeJS; run the following commands to install it.

[user@ELKServer ~]$ curl --silent --location https://rpm.nodesource.com/setup_8.x | sudo bash -
[user@ELKServer ~]$ sudo yum install nodejs

And finally install and enable the Wazuh API component.

[user@ELKServer ~]$ sudo yum install wazuh-api
[user@ELKServer ~]$ sudo systemctl enable wazuh-api

Shipping Logs to Elasticsearch

The next step is to send the logs from Wazuh to Elasticsearch so they can be queried and viewed from Kibana. The Wazuh Manager stores some of its logs as text files on the filesystem; for example, generated alerts are stored in the /var/ossec/logs/alerts/ folder.

In order to ship these text files we will use Filebeat to send them to Elasticsearch. Begin by installing Filebeat.

[user@ELKServer ~]$ sudo yum install filebeat-7.5.1

Next, use curl to download a premade Filebeat configuration to the proper directory and set its permissions. Note that you must then edit filebeat.yml and set the IP address of your Elasticsearch instance.

[user@ELKServer ~]$ sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/filebeat/7.x/filebeat.yml
[user@ELKServer ~]$ sudo chmod go+r /etc/filebeat/filebeat.yml

The following wazuh-template.json file is the Elasticsearch index template for alerts; download it, place it in the correct directory and set the correct permissions.

[user@ELKServer ~]$ sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/elasticsearch/7.x/wazuh-template.json
[user@ELKServer ~]$ sudo chmod go+r /etc/filebeat/wazuh-template.json

Filebeat also needs the custom Wazuh module, which is extracted into its module directory.

[user@ELKServer ~]$ sudo curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Lastly, start and enable the Filebeat service.

[user@ELKServer ~]$ sudo systemctl daemon-reload
[user@ELKServer ~]$ sudo systemctl enable filebeat.service
[user@ELKServer ~]$ sudo systemctl start filebeat.service

The Wazuh Manager server will itself send some logs to Elasticsearch, which will result in a new index being created within Elasticsearch. Check the Elasticsearch indices to confirm one has been created.
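The two manual steps above (setting the Elasticsearch address in filebeat.yml, then confirming an index was created) are easy to get subtly wrong, so here is an added example, not part of the original post, that does both with checks. It assumes the downloaded filebeat.yml still carries the placeholder YOUR_ELASTIC_SERVER_IP on its output.elasticsearch.hosts line, that Elasticsearch listens on TCP 9200, and it uses a constructed sample of _cat/indices output rather than a capture from a real server. The set_es_host, valid_ipv4, has_wazuh_alerts_index and check_live names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: point the Wazuh-supplied
# filebeat.yml at Elasticsearch and confirm that a wazuh-alerts index exists.
# Assumptions: the downloaded filebeat.yml carries the placeholder
# YOUR_ELASTIC_SERVER_IP in its output.elasticsearch.hosts line, and
# Elasticsearch listens on TCP 9200.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
# Validating first also keeps anything other than digits and dots out of the
# sed expression below.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  for octet in $1; do
    if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  return 0
}

# Replace the placeholder in config file $1 with the address $2.
# Refuses malformed addresses and files that no longer carry the placeholder,
# so running it twice (or on the wrong file) is an error rather than a no-op.
set_es_host() {
  cfg=$1
  ip=$2
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  grep -q 'YOUR_ELASTIC_SERVER_IP' "$cfg" || { echo "placeholder not found in $cfg" >&2; return 1; }
  sed "s/YOUR_ELASTIC_SERVER_IP/$ip/g" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Read the output of GET /_cat/indices?v on stdin (columns: health status
# index ...); return 0 if at least one wazuh-alerts-* index is present with
# green or yellow health.
has_wazuh_alerts_index() {
  awk '$3 ~ /^wazuh-alerts-/ && ($1 == "green" || $1 == "yellow") { found = 1 }
       END { exit found ? 0 : 1 }'
}

# Constructed sample of _cat/indices?v output (not captured from a real server).
SAMPLE_CAT_INDICES='health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1                   AbCdEfGhIjKlMnOpQrStUv   1   0          5            0     20.1kb         20.1kb
yellow open   wazuh-alerts-3.x-2020.01.15 XyZaBcDeFgHiJkLmNoPqRs   3   1        412            0      1.2mb          1.2mb'

# Live check against the running stack (needs network and root; not exercised
# by the sample above): validate the Filebeat config, verify it can reach
# Elasticsearch, then look for the alerts index.
check_live() {
  es_host=$1
  sudo filebeat test config || return 1
  sudo filebeat test output || return 1
  curl -s "http://$es_host:9200/_cat/indices?v" | has_wazuh_alerts_index
}

# Usage, as root on the ELK server:
#   set_es_host /etc/filebeat/filebeat.yml 10.0.0.2 && check_live 10.0.0.2
```

`filebeat test config` and `filebeat test output` are Filebeat's own subcommands; the first catches YAML mistakes introduced while editing, the second confirms Filebeat can actually reach Elasticsearch before you go looking for an index that cannot exist yet. Treat a red wazuh-alerts index as a failure: the index exists but its primary shards are not assigned, so alerts are not being stored.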

Adding Wazuh Plugin to Kibana

Wazuh has created a Kibana plugin which takes the form of a custom dashboard. The installation instructions for it were found in the GitHub repository for this project.

Run the following command and restart Kibana to install this plugin. When Kibana restarts it may take a few seconds for it to start up completely.

[user@ELKServer ~]$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.0_7.5.1.zip
[user@ELKServer ~]$ sudo systemctl restart kibana

After Kibana is started you will notice a new section for Wazuh.

Windows Endpoint Configuration

Now it is time to configure a Windows machine with the Wazuh Agent in order to monitor the endpoint for alerts. Begin by downloading the Wazuh Agent MSI, or head over to the download page to look for the newest version.

Now run the MSI with the ADDRESS and AUTHD_SERVER parameters set to your Wazuh Manager IP address. The agent should register almost immediately.

The Windows service for the Wazuh Agent is named OssecSvc and can be checked with Get-Service.

PS C:\Users\Administrator\Downloads> .\wazuh-agent-3.10.2-1.msi /q ADDRESS="10.0.0.2" AUTHD_SERVER="10.0.0.2"
PS C:\Users\Administrator\Downloads> Get-Service -Name OssecSvc

Status   Name               DisplayName
------   ----               -----------
Running  OssecSvc           Wazuh

PS C:\Users\Administrator\Downloads>
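A running OssecSvc only proves the agent process started; it does not prove the manager accepted the registration or is receiving events. This added example, not part of the original post, performs that check on the manager side. It assumes /var/ossec/bin/agent_control -l (the Wazuh Manager's agent listing tool, inherited from OSSEC) prints one line per agent in the layout "ID: 001, Name: HOST, IP: any, Active"; the sample output is constructed in that layout rather than captured from a server, and the parse_agent_list, agent_is_active, count_never_connected and check_live names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm from the Wazuh Manager
# that a freshly installed agent has registered and is reporting in.
# Assumption: /var/ossec/bin/agent_control -l prints one line per agent in the
# layout "ID: 001, Name: HOST, IP: any, Active" (the OSSEC/Wazuh 3.x layout).
# The sample below is constructed in that layout, not captured from a server.

# Read agent_control -l output on stdin; print one tab-separated line per
# agent: ID, name, IP, status. The header and any blank lines are dropped.
parse_agent_list() {
  awk -F', ' '/^ *ID: / {
    sub(/^ *ID: /, "", $1)
    sub(/^Name: /, "", $2)
    sub(/^IP: /, "", $3)
    printf "%s\t%s\t%s\t%s\n", $1, $2, $3, $4
  }'
}

# Return 0 if the agent named $1 is listed with a status beginning "Active"
# (covers both "Active" and the manager's own "Active/Local").
agent_is_active() {
  parse_agent_list | awk -F'\t' -v name="$1" \
    '$2 == name && $4 ~ /^Active/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Print how many agents hold a key but have never connected. These deserve a
# look: an agent that installed but never checked in produces no alerts, so the
# endpoint is effectively unmonitored.
count_never_connected() {
  parse_agent_list | awk -F'\t' '$4 == "Never connected" { n++ } END { print n + 0 }'
}

# Constructed sample of agent_control -l output.
SAMPLE_AGENT_LIST='Wazuh agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: WIN-ENDPOINT, IP: any, Active
   ID: 002, Name: OLD-LAPTOP, IP: any, Never connected'

# Live check on the manager (needs root; not exercised by the sample above).
check_live() {
  sudo /var/ossec/bin/agent_control -l | agent_is_active "$1"
}

# Usage, on the Wazuh Manager:
#   check_live WIN-ENDPOINT && echo "agent is active"
#   sudo /var/ossec/bin/agent_control -l | count_never_connected
```

Run the live check a minute or so after the MSI finishes; an agent that stays at "Never connected" usually means the ADDRESS or AUTHD_SERVER value did not point at the manager, or the manager's agent port is not reachable from the endpoint.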

References