
Wazuh Cheatsheet

Wazuh is a comprehensive open-source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. It combines intrusion detection, vulnerability assessment, configuration assessment, incident response, regulatory compliance, and cloud security monitoring in a single platform.

## Installation and Setup

### Server Installation (Manager)

**Ubuntu/Debian Installation:**

```bash
# Download and install the Wazuh keyring package (repository signing key)
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb

# Update package information
sudo apt-get update

# Install Wazuh manager
sudo apt-get install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```
**CentOS/RHEL Installation:**

```bash
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

# Add Wazuh repository (gpgcheck=1 keeps package signatures enforced)
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | sudo tee /etc/yum.repos.d/wazuh.repo

# Install Wazuh manager
sudo yum install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```
### Agent Installation

**Linux Agent:**

```bash
# Download and install agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb

# Configure manager IP (the package ships ossec.conf with the MANAGER_IP placeholder)
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf

# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
**Windows Agent:**

```powershell
# Download and install Windows agent (run from an elevated PowerShell)
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"

# Start Wazuh agent service
NET START WazuhSvc
```
## Core Management Commands

### Manager Operations

**Service Management:**

```bash
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager

# Check service status
sudo systemctl status wazuh-manager

# View service logs
sudo journalctl -u wazuh-manager -f
```
**Agent Management:**

```bash
# List all agents
sudo /var/ossec/bin/manage_agents -l

# Add new agent (interactive)
sudo /var/ossec/bin/manage_agents -a

# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID

# Extract agent key (to be imported on the agent side)
sudo /var/ossec/bin/manage_agents -e AGENT_ID

# Import agent key (run on the agent)
sudo /var/ossec/bin/manage_agents -i
```
### Configuration Management

**Main Configuration File:**

```bash
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf

# Test how a log line is decoded and which rules fire (interactive; 4.x name of ossec-logtest)
sudo /var/ossec/bin/wazuh-logtest

# Apply configuration changes (the manager unit has no reload action, so restart it)
sudo systemctl restart wazuh-manager
```
**Rules and Decoders:**

```bash
# Custom rules location
/var/ossec/etc/rules/local_rules.xml

# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml

# Test rules and decoders against a pasted log line
sudo /var/ossec/bin/wazuh-logtest
```
## Log Analysis and Monitoring

### Real-time Log Monitoring

**View Active Logs:**

```bash
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json

# Monitor specific agent logs
sudo tail -f /var/ossec/logs/ossec.log | grep --line-buffered "Agent ID"
```
**Log Analysis Commands:**

```bash
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log

# Count alerts by severity (alerts.log lines read "Rule: 5716 (level 5) -> '...'")
sudo grep -o "(level [0-9]*)" /var/ossec/logs/alerts/alerts.log | sort | uniq -c | sort -rn

# Filter alerts by time range (from the first 2024-01-01 match up to the first 2024-01-02 match)
sudo awk '/2024-01-01/,/2024-01-02/' /var/ossec/logs/alerts/alerts.log
```
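The grep/awk one-liners above work on alerts.log; alerts.json is easier to analyse reliably. The following is an added example (not part of the original cheatsheet) that parses alerts.json lines, counts alerts per level, filters by time range, and replays the frequency/timeframe logic of a correlation rule offline; the alert lines are constructed samples in the field layout Wazuh uses.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape analysisd writes to alerts.json (one JSON object per line).
SAMPLE_ALERTS = """\
{"timestamp":"2024-01-01T10:00:01.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"10.0.0.5"}}
{"timestamp":"2024-01-01T10:00:20.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"10.0.0.5"}}
{"timestamp":"2024-01-01T10:01:05.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"10.0.0.5"}}
{"timestamp":"2024-01-01T10:02:00.000+0000","rule":{"level":3,"id":"5715","description":"sshd: authentication success."},"agent":{"id":"002","name":"db01"},"data":{"srcip":"192.168.1.20"}}
{"timestamp":"2024-01-01T10:30:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed."},"agent":{"id":"002","name":"db01"},"syscheck":{"path":"/etc/passwd"}}
{"timestamp":"2024-01-02T09:00:00.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"10.0.0.9"}}
"""

def load_alerts(text):
    """Parse alerts.json lines; skip blank lines and a truncated last line still being written."""
    alerts = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return alerts

def parse_ts(value):
    """Wazuh timestamps look like 2024-01-01T10:00:01.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def count_by_level(alerts):
    """Alerts per rule level: the 'count by severity' the grep above only approximates."""
    return Counter(a["rule"]["level"] for a in alerts)

def in_range(alerts, start, end):
    """Alerts with start <= timestamp < end; bounds use the same format as the alert timestamp."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [a for a in alerts if lo <= parse_ts(a["timestamp"]) < hi]

def bursts(alerts, rule_id, threshold, window_seconds):
    """Source IPs that fired rule_id at least `threshold` times within any `window_seconds`
    span: the frequency/timeframe correlation a rule performs, replayed over the log."""
    hits = defaultdict(list)
    for a in alerts:
        if a["rule"]["id"] == rule_id and "srcip" in a.get("data", {}):
            hits[a["data"]["srcip"]].append(parse_ts(a["timestamp"]))
    flagged = []
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_seconds):
                flagged.append(ip)
                break
    return sorted(flagged)
```

Point `load_alerts` at the contents of `/var/ossec/logs/alerts/alerts.json` to run it against real data.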
### Custom Rules Creation

**Basic Rule Structure:**

```xml
<group name="custom_rules,">
  <!-- 5715 is "sshd: authentication success"; 5716 is the failure rule -->
  <rule id="100001" level="5">
    <if_sid>5715</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
```
**Advanced Rule Examples:**

```xml
<!-- Rules in local_rules.xml must sit inside a <group> element -->
<group name="custom_rules,">
  <!-- Fires when 5716 (sshd: authentication failed) matches 5 times within 300 seconds -->
  <rule id="100002" level="10" frequency="5" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <description>Multiple SSH authentication failures</description>
    <group>authentication_failures,pci_dss_11.4,</group>
  </rule>

  <!-- 550 is the FIM "integrity checksum changed" rule; restrict it to one path -->
  <rule id="100003" level="7">
    <if_sid>550</if_sid>
    <field name="file">/etc/passwd</field>
    <description>Critical system file modified</description>
    <group>syscheck,pci_dss_11.5,</group>
  </rule>
</group>
```
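Custom rules that reuse an ID, fall outside the 100000-120000 range Wazuh reserves for user rules, or set `frequency` without an `if_matched_*` condition fail silently or collide with the upstream ruleset. This added linter (example code, not part of the cheatsheet or of Wazuh) checks a local_rules.xml document for those mistakes; the sample file is constructed and contains one deliberate problem per check.

```python
import xml.etree.ElementTree as ET

# Wazuh reserves IDs 100000-120000 for user rules; other IDs collide with the upstream ruleset.
CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000

# Constructed sample local_rules.xml: one clean rule, then one mistake per remaining check.
SAMPLE_RULES = """
<group name="custom_rules,">
  <rule id="100001" level="5">
    <if_sid>5715</if_sid>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
  <rule id="100001" level="10" frequency="5" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <description>Multiple SSH authentication failures</description>
    <group>authentication_failures,pci_dss_11.4</group>
  </rule>
  <rule id="5720" level="7" frequency="3">
    <if_sid>550</if_sid>
    <description>Critical system file modified</description>
  </rule>
</group>
"""

def lint_rules(xml_text):
    """Return a list of problems found in a local_rules.xml document (empty list = clean)."""
    problems, seen = [], set()
    # A rules file may hold several top-level <group> elements, so parse under a synthetic root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    for rule in root.iter("rule"):
        rid = rule.get("id", "")
        if not rid.isdigit() or not CUSTOM_ID_MIN <= int(rid) <= CUSTOM_ID_MAX:
            problems.append(f"rule {rid}: id outside custom range {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
        if rid in seen:
            problems.append(f"rule {rid}: duplicate id")
        seen.add(rid)
        if rule.find("description") is None:
            problems.append(f"rule {rid}: missing <description>")
        # frequency/timeframe only correlate when paired with an if_matched_* condition
        if rule.get("frequency") and not any(c.tag.startswith("if_matched") for c in rule):
            problems.append(f"rule {rid}: frequency set without an if_matched_* condition")
        grp = rule.find("group")
        if grp is not None and grp.text and not grp.text.endswith(","):
            problems.append(f"rule {rid}: <group> list lacks the trailing comma used by the ruleset")
    return problems
```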
## Vulnerability Assessment

### Vulnerability Detection Setup

**Enable Vulnerability Detection:**

```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```
**Vulnerability Scanning Commands:**

```bash
# Run the modules daemon (which hosts the vulnerability detector) in the foreground for debugging;
# scans themselves run on the configured interval
sudo /var/ossec/bin/wazuh-modulesd -f

# Inspect the local vulnerability (CVE) database
sudo sqlite3 /var/ossec/queue/vulnerabilities/cve.db ".tables"

# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log
```
## File Integrity Monitoring (FIM)

### FIM Configuration

**Basic FIM Setup:**

```xml
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>

  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>

  <directories realtime="yes">/etc</directories>
</syscheck>
```
**Advanced FIM Options:**

```xml
<!-- Fragments that go inside <syscheck> -->
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>

<!-- Windows agents only -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>

<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
```
## Active Response

### Active Response Configuration

**Basic Active Response:**

```xml
<!-- Block the source of rule 5720 (sshd brute force) with the built-in firewall-drop command for 600 s -->
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5720</rules_id>
  <timeout>600</timeout>
</active-response>
```
**Custom Active Response Script:**

```bash
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh
# Wazuh 4.x hands the triggering alert to the script as one JSON object on stdin
# (the positional-argument interface belonged to 3.x). Requires jq.
LOG=/var/log/custom-response.log

read -r INPUT
ACTION=$(echo "$INPUT" | jq -r '.command')
IP=$(echo "$INPUT" | jq -r '.parameters.alert.data.srcip')
RULEID=$(echo "$INPUT" | jq -r '.parameters.alert.rule.id')

# Never hand an unvalidated alert field to iptables
[[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "Invalid srcip: $IP" >> "$LOG"; exit 1; }

case "$ACTION" in
  add)
    # Block the source IP of the alert
    iptables -I INPUT -s "$IP" -j DROP
    echo "Blocked IP: $IP (rule $RULEID)" >> "$LOG"
    ;;
  delete)
    # execd calls the script again when <timeout> expires: remove the block
    iptables -D INPUT -s "$IP" -j DROP
    echo "Unblocked IP: $IP (rule $RULEID)" >> "$LOG"
    ;;
esac
```
## API Management

### Wazuh API Usage

**Authentication:**

```bash
# Get a JWT token (default API user wazuh; -k only skips verification of the self-signed default certificate)
curl -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true"

# Store the token for subsequent calls
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
```
**Common API Endpoints:**

```bash
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get information about one agent (001)
curl -k -X GET "https://localhost:55000/agents?agents_list=001&pretty=true" -H "Authorization: Bearer $TOKEN"

# Get manager log entries (alerts themselves are served by the Wazuh indexer, not this API)
curl -k -X GET "https://localhost:55000/manager/logs?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
```
## Cluster Configuration

### Multi-node Setup

**Master Node Configuration:**

```xml
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <!-- shared 32-character key; generate your own, e.g. with: openssl rand -hex 16 -->
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
**Worker Node Configuration:**

```xml
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <!-- must match the master's key -->
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
## Performance Tuning

### Optimization Settings

**Manager Performance:**

```xml
<global>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@localhost</email_from>
  <email_to>admin@localhost</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
```
**Database Optimization:**

```bash
# The Wazuh indexer (OpenSearch) requires a raised mmap count
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.max_map_count=262144

# Raise the open-file limit for the wazuh user
echo 'wazuh soft nofile 65536' | sudo tee -a /etc/security/limits.conf
echo 'wazuh hard nofile 65536' | sudo tee -a /etc/security/limits.conf
```
## Troubleshooting

### Common Issues

**Agent Connection Problems:**

```bash
# List agents and their connection status
sudo /var/ossec/bin/agent_control -l

# Show details for agent 001, then restart it if it is stuck
sudo /var/ossec/bin/agent_control -i 001
sudo /var/ossec/bin/agent_control -R 001

# Check agent-related messages in the manager log
sudo tail -f /var/ossec/logs/ossec.log | grep --line-buffered "Agent"
```
**Performance Issues:**

```bash
# Monitor resource usage
top -p $(pgrep -d',' wazuh)

# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*

# Monitor network connections
netstat -tulpn | grep wazuh
```
**Log Analysis:**

```bash
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log

# Check which daemons are running and analysisd's queue/event counters
sudo /var/ossec/bin/wazuh-control status
sudo cat /var/ossec/var/run/wazuh-analysisd.state

# Compile CDB lists
sudo /var/ossec/bin/ossec-makelists
```
## Integration Examples

### SIEM Integration

**Splunk Integration:**

```bash
# Configure Splunk forwarder
echo "monitor:///var/ossec/logs/alerts/alerts.json" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf

# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
```
**ELK Stack Integration:**

```yaml
# Filebeat configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/ossec/logs/alerts/alerts.json
  json.keys_under_root: true
  json.add_error_key: true

# Filebeat requires setup.template.name/pattern whenever a custom index is set
setup.template.name: "wazuh-alerts"
setup.template.pattern: "wazuh-alerts-*"

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "wazuh-alerts-%{+yyyy.MM.dd}"
```
## Security Best Practices

### Hardening Guidelines

**SSL/TLS Configuration:**

```bash
# Generate SSL certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /var/ossec/etc/sslmanager.key \
  -out /var/ossec/etc/sslmanager.cert

# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
```
**Access Control:**

```bash
# Optional: dedicated unprivileged account for helper tooling
# (the wazuh user and group used below are created by the package itself)
sudo useradd -r -s /bin/false wazuh-user

# Set file permissions (the package installs /var/ossec with mixed root/wazuh ownership;
# check ls -l /var/ossec before changing it wholesale)
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod 640 /var/ossec/etc/*.conf
```
**Network Security:**

```bash
# Configure firewall rules: 1514 agent events, 1515 agent enrollment, 55000 API
sudo ufw allow from AGENT_NETWORK to any port 1514
sudo ufw allow from AGENT_NETWORK to any port 1515
sudo ufw allow from ADMIN_NETWORK to any port 55000
```

This comprehensive Wazuh cheatsheet covers installation, configuration, monitoring, and advanced features for effective security information and event management.