Installing Wazuh: A Step-by-Step Guide

Wazuh is a powerful open-source security information and event management (SIEM) tool that helps organizations detect and respond to security threats. In this guide, we’ll walk through the process of installing Wazuh on a Linux server. Specifically, we’ll cover the installation of the Wazuh manager and Wazuh agent.

Prerequisites

Before you begin, make sure you have the following:

Step 1: Install Wazuh Manager

  1. Add Wazuh repository:

    sudo apt-get install curl apt-transport-https lsb-release gnupg
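    # Write the keyring through sudo tee; a plain '>' redirect runs as the unprivileged user and fails
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | sudo tee /usr/share/keyrings/wazuh-keyring.gpg > /dev/null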
    echo "deb [signed-by=/usr/share/keyrings/wazuh-keyring.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list > /dev/null
    
  2. Update package lists:

    sudo apt-get update
    
  3. Install the Wazuh manager:

    sudo apt-get install wazuh-manager
    
  4. Start the Wazuh manager service:

    sudo systemctl start wazuh-manager
    
  5. Enable the Wazuh manager to start on boot:

    sudo systemctl enable wazuh-manager
    

Step 2: Install Wazuh Agent

  1. Add the Wazuh repository:

    sudo apt-get install curl apt-transport-https lsb-release gnupg
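    # Write the keyring through sudo tee; a plain '>' redirect runs as the unprivileged user and fails
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | sudo tee /usr/share/keyrings/wazuh-keyring.gpg > /dev/null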
    echo "deb [signed-by=/usr/share/keyrings/wazuh-keyring.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list > /dev/null
    
  2. Update package lists:

    sudo apt-get update
    
  3. Install the Wazuh agent:

    sudo apt-get install wazuh-agent
    
  4. Configure the Wazuh agent:

    sudo nano /var/ossec/etc/ossec.conf
    

    Replace MANAGER_IP in the <address> element with the IP address of your Wazuh manager.

    <ossec_config>
        <client>
            <server>
                <address>MANAGER_IP</address>
            </server>
        </client>
    </ossec_config>
    
  5. Start the Wazuh agent service:

    sudo systemctl start wazuh-agent
    
  6. Enable the Wazuh agent to start on boot:

    sudo systemctl enable wazuh-agent
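
When agents are rolled out to many hosts, step 4 is usually scripted instead of edited by hand. The following is an added example, not part of the original guide or of Wazuh's own tooling: a shell function that validates the manager IP before writing it into the agent configuration, handling both the legacy `<server-ip>` element and the `<server><address>` element. The function names and the sample address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: set the manager address in a Wazuh agent ossec.conf.

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address (octets 0-255).
# Rejecting everything else keeps sed and XML metacharacters out of the file.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    o='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^$o\.$o\.$o\.$o\$"
}

# set_manager_address CONF ADDR: rewrite the single <address> or <server-ip>
# element in CONF, keeping a backup of the previous file in CONF.bak.
set_manager_address() {
    conf=$1; addr=$2
    elem='<(address|server-ip)>.*</(address|server-ip)>'
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    valid_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 3; }
    # Refuse to guess when the file has zero or several manager entries.
    count=$(grep -Ec "$elem" "$conf" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 address element, found $count" >&2; return 4; }
    cp -p "$conf" "$conf.bak" || return 5
    # Writing through the redirect keeps the owner and mode of the original file.
    sed -E "s#$elem#<\1>$addr</\2>#" "$conf.bak" > "$conf" \
        || { cp -p "$conf.bak" "$conf"; return 5; }
    # Confirm the new value is present before reporting success.
    grep -Fq ">$addr</" "$conf"
}

# Demonstration on a constructed config in a temp directory (not a real agent).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '<ossec_config>' '  <client>' '    <server>' \
        '      <address>MANAGER_IP</address>' '    </server>' '  </client>' \
        '</ossec_config>' > "$dir/ossec.conf"
    set_manager_address "$dir/ossec.conf" 192.0.2.10 && grep address "$dir/ossec.conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On an agent host, call `set_manager_address /var/ossec/etc/ossec.conf` with the manager's IP as root before starting the agent service in step 5.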
    

Conclusion

Congratulations! You’ve successfully installed Wazuh on your server. You can now use the Wazuh manager to monitor and analyze security events, while the Wazuh agent on each monitored system sends logs to the manager for centralized security management. Explore the Wazuh documentation for advanced configurations and features. Happy monitoring!