In today’s cybersecurity landscape, having a robust and flexible security information and event management (SIEM) system is crucial.
Wazuh, an open-source security platform, offers comprehensive solutions for threat detection, integrity monitoring, incident response, and compliance.
Wazuh has an interesting history. In 2015, the Wazuh team decided to fork OSSEC, an open-source host-based Intrusion Detection System (IDS), to expand its core functionalities with additional features, enhancements, and a user-friendly interface.
Wazuh has grown significantly since its inception. It is now a comprehensive, open-source security platform that provides unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities. The platform is designed to monitor infrastructures, detect threats, respond to incidents, and ensure regulatory compliance.
This blog will guide you through setting up Wazuh in a lab environment, focusing on its basic capabilities in Extended Detection and Response (XDR) and SIEM.
Whether you’re a cybersecurity professional or an enthusiast, this step-by-step guide will help to get started with Wazuh to secure your systems effectively.
We start with the defaults to make the lab-setup not more complex as necessary.
My Lab-env is as follows:
| Host | IP | OS |
| Wazuh-Server | 10.50.100.76 | Ubuntu 24 LTS |
| Wazuh-Agent | 10.50.100.110 | RHEL 9 |
| Wazuh-Agent | 10.50.100.111 | RHEL 9 |
| Wazuh-Agent | 10.50.100.201 | Windows |
Basic setup of Wazuh-Server
with root rights execute curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Example output:
30/01/2025 08:07:17 INFO: Starting Wazuh installation assistant. Wazuh version: 4.10.1
30/01/2025 08:07:17 INFO: Verbose logging redirected to /var/log/wazuh-install.log
30/01/2025 08:07:22 INFO: Verifying that your system meets the recommended minimum hardware requirements.
30/01/2025 08:07:22 INFO: Wazuh web interface port will be 443.
30/01/2025 08:07:27 INFO: --- Dependencies ----
30/01/2025 08:07:27 INFO: Installing apt-transport-https.
30/01/2025 08:07:30 INFO: Installing debhelper.
30/01/2025 08:07:43 INFO: Wazuh repository added.
30/01/2025 08:07:43 INFO: --- Configuration files ---
30/01/2025 08:07:43 INFO: Generating configuration files.
30/01/2025 08:07:44 INFO: Generating the root certificate.
30/01/2025 08:07:44 INFO: Generating Admin certificates.
30/01/2025 08:07:44 INFO: Generating Wazuh indexer certificates.
30/01/2025 08:07:44 INFO: Generating Filebeat certificates.
30/01/2025 08:07:44 INFO: Generating Wazuh dashboard certificates.
30/01/2025 08:07:45 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
30/01/2025 08:07:45 INFO: --- Wazuh indexer ---
30/01/2025 08:07:45 INFO: Starting Wazuh indexer installation.
30/01/2025 08:08:23 INFO: Wazuh indexer installation finished.
30/01/2025 08:08:23 INFO: Wazuh indexer post-install configuration finished.
30/01/2025 08:08:23 INFO: Starting service wazuh-indexer.
30/01/2025 08:08:35 INFO: wazuh-indexer service started.
30/01/2025 08:08:35 INFO: Initializing Wazuh indexer cluster security settings.
30/01/2025 08:08:38 INFO: Wazuh indexer cluster security configuration initialized.
30/01/2025 08:08:38 INFO: Wazuh indexer cluster initialized.
30/01/2025 08:08:38 INFO: --- Wazuh server ---
30/01/2025 08:08:38 INFO: Starting the Wazuh manager installation.
30/01/2025 08:10:10 INFO: Wazuh manager installation finished.
30/01/2025 08:10:10 INFO: Wazuh manager vulnerability detection configuration finished.
30/01/2025 08:10:10 INFO: Starting service wazuh-manager.
30/01/2025 08:10:22 INFO: wazuh-manager service started.
30/01/2025 08:10:22 INFO: Starting Filebeat installation.
30/01/2025 08:10:28 INFO: Filebeat installation finished.
30/01/2025 08:10:28 INFO: Filebeat post-install configuration finished.
30/01/2025 08:10:28 INFO: Starting service filebeat.
30/01/2025 08:10:30 INFO: filebeat service started.
30/01/2025 08:10:30 INFO: --- Wazuh dashboard ---
30/01/2025 08:10:30 INFO: Starting Wazuh dashboard installation.
30/01/2025 08:11:22 INFO: Wazuh dashboard installation finished.
30/01/2025 08:11:22 INFO: Wazuh dashboard post-install configuration finished.
30/01/2025 08:11:22 INFO: Starting service wazuh-dashboard.
30/01/2025 08:11:23 INFO: wazuh-dashboard service started.
30/01/2025 08:11:24 INFO: Updating the internal users.
30/01/2025 08:11:27 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
30/01/2025 08:11:35 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
30/01/2025 08:12:00 INFO: Initializing Wazuh dashboard web application.
30/01/2025 08:12:01 INFO: Wazuh dashboard web application initialized.
30/01/2025 08:12:01 INFO: --- Summary ---
30/01/2025 08:12:01 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
User: admin
Password: PblablablablaB7n3vfwq
30/01/2025 08:12:01 INFO: Installation finished.Please note the autogenerated User/Password to get later access to the Dashboard.
Linux: Basic setup of Wazuh-Agent
with root rights execute:
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
run the Agent installer (10.50.100.76 = Wazuh-Server)
WAZUH_MANAGER="10.50.100.76" yum install wazuh-agentexample output:
[root@rhel-wazuh-agent ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
[root@rhel-wazuh-agent ~]# WAZUH_MANAGER="10.50.100.76" yum install wazuh-agent
Updating Subscription Management repositories.
EL-9 - Wazuh 19 MB/s | 32 MB 00:01
Last metadata expiration check: 0:00:09 ago on Thu 30 Jan 2025 11:33:51 AM CET.
Dependencies resolved.
=================================================================================================
Package Architecture Version Repository Size
=================================================================================================
Installing:
wazuh-agent x86_64 4.10.1-1 wazuh 8.9 M
Transaction Summary
=================================================================================================
Install 1 Package
Total download size: 8.9 M
Installed size: 26 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-agent-4.10.1-1.x86_64.rpm 15 MB/s | 8.9 MB 00:00
-------------------------------------------------------------------------------------------------
Total 15 MB/s | 8.9 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: wazuh-agent-4.10.1-1.x86_64 1/1
Installing : wazuh-agent-4.10.1-1.x86_64 1/1
Running scriptlet: wazuh-agent-4.10.1-1.x86_64 1/1
Verifying : wazuh-agent-4.10.1-1.x86_64 1/1
Installed products updated.
Installed:
wazuh-agent-4.10.1-1.x86_64
Complete!
[root@rhel-wazuh-agent ~]#Start the Wazuh-Agent and check the status:
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
systemctl status wazuh-agentexample output:
[root@rhel-wazuh-agent ~]# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service.
[root@rhel-wazuh-agent ~]# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: disabled)
Active: active (running) since Thu 2025-01-30 11:37:47 CET; 17s ago
Process: 5702 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status>
Tasks: 33 (limit: 10886)
Memory: 430.5M
CPU: 6.436s
CGroup: /system.slice/wazuh-agent.service
├─5730 /var/ossec/bin/wazuh-execd
├─5742 /var/ossec/bin/wazuh-agentd
├─5755 /var/ossec/bin/wazuh-syscheckd
├─5770 /var/ossec/bin/wazuh-logcollector
├─5787 /var/ossec/bin/wazuh-modulesd
├─6312 /bin/sh active-response/bin/restart.sh agent
├─6316 /bin/sh /var/ossec/bin/wazuh-control restart
└─6407 expr 29 + 1
Jan 30 11:37:40 rhel-wazuh-agent systemd[1]: Starting Wazuh agent...
Jan 30 11:37:40 rhel-wazuh-agent env[5702]: Starting Wazuh v4.10.1...
Jan 30 11:37:41 rhel-wazuh-agent env[5702]: Started wazuh-execd...
Jan 30 11:37:42 rhel-wazuh-agent env[5702]: Started wazuh-agentd...
Jan 30 11:37:43 rhel-wazuh-agent env[5702]: Started wazuh-syscheckd...
Jan 30 11:37:44 rhel-wazuh-agent env[5702]: Started wazuh-logcollector...
Jan 30 11:37:45 rhel-wazuh-agent env[5702]: Started wazuh-modulesd...
Jan 30 11:37:47 rhel-wazuh-agent env[5702]: Completed.
Jan 30 11:37:47 rhel-wazuh-agent systemd[1]: Started Wazuh agent.
[root@rhel-wazuh-agent ~]#Windows: Basic setup of Wazuh-Agent
Download the Agent-Installer and execute the command with admin-rights:
wazuh-agent-4.10.1-1.msi /q WAZUH_MANAGER="10.50.100.76"
NET START Wazuhexample-output:
C:\Windows\System32>cd C:\Users\ugu5ma\Downloads
C:\Users\ugu5ma\Downloads>dir
Verzeichnis von C:\Users\ugu5ma\Downloads
30.01.2025 12:06 <DIR> .
13.01.2025 09:41 <DIR> ..
30.01.2025 12:07 5.378.048 wazuh-agent-4.10.1-1.msi
1 Datei(en), 5.378.048 Bytes
2 Verzeichnis(se), 709.868.328.448 Bytes frei
C:\Users\ugu5ma\Downloads>wazuh-agent-4.10.1-1.msi /q WAZUH_MANAGER="10.50.100.76"
C:\Users\ugu5ma\Downloads>C:\Users\ugu5ma\Downloads>NET START Wazuh
Wazuh wird gestartet.
Wazuh wurde erfolgreich gestartet.
C:\Users\ugu5ma\Downloads>Access the Dashboard
open a Browser and access: https://10.50.100.76
Don’t be surprised that the connection is interested, we use the default certs.
We see the default Dashboard:
Wazuh is shipped with default rules.
In a productive environment the real work would start now:
Create/adapt rules that are suitable for the required purposes and environment.
We will start with fixing the first (easy) vulnerability finding.
Fix a chrony-finding/vulnerability
Lets pick an RHEL-Agent and check the details of the chrony-finding:
- Navigate to Configuration Assesment
- Select an Agent
- Agent ID 02 looks as a good candidate
- filter the findings for chrony
- click on the failed check
- read carefully the finding and check the settings on the Agent to get it fixed
get the chrony finding fixed
The crony process is not executed by user chrony, let’s get it fixed:
[root@rhel-wazuh-agent ~]# cat /etc/sysconfig/chronyd
# Command-line options for chronyd
OPTIONS="-F 2"
[root@rhel-wazuh-agent ~]# sudo sed -i 's/OPTIONS="-F 2"/OPTIONS="-F 2 -u chrony"/' /etc/sysconfig/chronyd
[root@rhel-wazuh-agent ~]# cat /etc/sysconfig/chronyd
# Command-line options for chronyd
OPTIONS="-F 2 -u chrony"
[root@rhel-wazuh-agent ~]# ps -eo user,comm | grep chronyd
chrony chronyd
[root@rhel-wazuh-agent ~]# systemctl restart chronyd
[root@rhel-wazuh-agent ~]# systemctl restart wazuh-agentTo force a new assessment a restart of the Wazuh-agent is necessary.
Go back to the Dashboard/finding-screen and check again the chrony-finding:
Chrony looks good now, just another 82 findings to fix 
In one of the next sessions I will go into the details of Wazuh, it is a great product.
You must be logged in to post a comment.