Skip to content

Wazuh Cheatsheet

Wazuh is a comprehensive open-source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. It combines intrusion detection, vulnerability assessment, configuration assessment, incident response, regulatory compliance, and cloud security monitoring in a single platform. ## Installation and Setup ### Server Installation (Manager) **Ubuntu/Debian Installation:** 
# Download and install Wazuh repository
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb

# Update package information
sudo apt-get update

# Install Wazuh manager
sudo apt-get install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
**CentOS/RHEL Installation:** 
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1'|sudo tee /etc/yum.repos.d/wazuh.repo

# Install Wazuh manager
sudo yum install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
### Agent Installation **Linux Agent:** 
# Download and install agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb

# Configure manager IP
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf

# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
**Windows Agent:** 
# Download and install Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"

# Start Wazuh agent service
NET START WazuhSvc
## Core Management Commands ### Manager Operations **Service Management:** 
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager

# Check service status
sudo systemctl status wazuh-manager

# View service logs
sudo journalctl -u wazuh-manager -f
**Agent Management:** 
# List all agents
sudo /var/ossec/bin/manage_agents -l

# Add new agent
sudo /var/ossec/bin/manage_agents -a

# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID

# Extract agent key
sudo /var/ossec/bin/manage_agents -e AGENT_ID

# Import agent key
sudo /var/ossec/bin/manage_agents -i
### Configuration Management **Main Configuration File:** 
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf

# Validate configuration
sudo /var/ossec/bin/ossec-logtest

# Reload configuration
sudo systemctl reload wazuh-manager
**Rules and Decoders:** 
# Custom rules location
/var/ossec/etc/rules/local_rules.xml

# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml

# Test rules and decoders
sudo /var/ossec/bin/ossec-logtest
## Log Analysis and Monitoring ### Real-time Log Monitoring **View Active Logs:** 
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json

# Monitor specific agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent ID"
**Log Analysis Commands:** 
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log

# Count alerts by severity
sudo grep -c "Rule: " /var/ossec/logs/alerts/alerts.log

# Filter alerts by time range
sudo awk '/2024-01-01/,/2024-01-02/' /var/ossec/logs/alerts/alerts.log
### Custom Rules Creation **Basic Rule Structure:** 
<group name="custom_rules,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
**Advanced Rule Examples:** 
<rule id="100002" level="10" frequency="5" timeframe="300">
  <if_matched_sid>5716</if_matched_sid>
  <description>Multiple SSH authentication failures</description>
  <group>authentication_failures,pci_dss_11.4,</group>
</rule>

<rule id="100003" level="7">
  <if_sid>550</if_sid>
  <field name="file">/etc/passwd</field>
  <description>Critical system file modified</description>
  <group>syscheck,pci_dss_11.5,</group>
</rule>
## Vulnerability Assessment ### Vulnerability Detection Setup **Enable Vulnerability Detection:** 
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
**Vulnerability Scanning Commands:** 
# Manual vulnerability scan
sudo /var/ossec/bin/wazuh-modulesd -f

# Check vulnerability database status
sudo /var/ossec/bin/wazuh-db .vulnerability sql "SELECT * FROM vuln_metadata;"

# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log
## File Integrity Monitoring (FIM) ### FIM Configuration **Basic FIM Setup:** 
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>

  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>

  <directories realtime="yes">/etc</directories>
</syscheck>
**Advanced FIM Options:** 
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>

<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
## Active Response ### Active Response Configuration **Basic Active Response:** 
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5720</rules_id>
  <timeout>600</timeout>
</active-response>
**Custom Active Response Script:** 
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

case "$ACTION" in
  add)
    # Block IP address
    iptables -I INPUT -s $IP -j DROP
    echo "Blocked IP: $IP" >> /var/log/custom-response.log
    ;;
  delete)
    # Unblock IP address
    iptables -D INPUT -s $IP -j DROP
    echo "Unblocked IP: $IP" >> /var/log/custom-response.log
    ;;
esac
## API Management ### Wazuh API Usage **Authentication:** 
# Get authentication token
curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"

# Use token for API calls
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
**Common API Endpoints:** 
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get agent information
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get alerts
curl -k -X GET "https://localhost:55000/security/events?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
## Cluster Configuration ### Multi-node Setup **Master Node Configuration:** 
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
**Worker Node Configuration:** 
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
## Performance Tuning ### Optimization Settings **Manager Performance:** 
<global>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@localhost</email_from>
  <email_to>admin@localhost</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
**Database Optimization:** 
# Optimize database performance
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144

# Adjust memory settings
echo 'wazuh soft nofile 65536' >> /etc/security/limits.conf
echo 'wazuh hard nofile 65536' >> /etc/security/limits.conf
## Troubleshooting ### Common Issues **Agent Connection Problems:** 
# Check agent status
sudo /var/ossec/bin/agent_control -l

# Test connectivity
sudo /var/ossec/bin/agent_control -R 001

# Check agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent"
**Performance Issues:** 
# Monitor resource usage
top -p $(pgrep -d',' wazuh)

# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*

# Monitor network connections
netstat -tulpn|grep wazuh
**Log Analysis:** 
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log

# Monitor queue status
sudo /var/ossec/bin/wazuh-logtest-legacy -v

# Check rule compilation
sudo /var/ossec/bin/ossec-makelists
## Integration Examples ### SIEM Integration **Splunk Integration:** 
# Configure Splunk forwarder
echo "monitor:///var/ossec/logs/alerts/alerts.json" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf

# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
**ELK Stack Integration:** 
# Filebeat configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/ossec/logs/alerts/alerts.json
  json.keys_under_root: true
  json.add_error_key: true

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "wazuh-alerts-%\\\\{+yyyy.MM.dd\\\\}"
## Security Best Practices ### Hardening Guidelines **SSL/TLS Configuration:** 
# Generate SSL certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /var/ossec/etc/sslmanager.key \
  -out /var/ossec/etc/sslmanager.cert

# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
**Access Control:** 
# Create dedicated user
sudo useradd -r -s /bin/false wazuh-user

# Set file permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod -R 640 /var/ossec/etc/*.conf
**Network Security:** 
# Configure firewall rules
sudo ufw allow from AGENT_NETWORK to any port 1514
sudo ufw allow from AGENT_NETWORK to any port 1515
sudo ufw allow from ADMIN_NETWORK to any port 55000

This comprehensive Wazuh cheatsheet covers installation, configuration, monitoring, and advanced features for effective security information and event management.