Part 3. Wazuh Manager Install — Log Analysis
Best Open Source EDR Solution
Wazuh Documentation: https://documentation.wazuh.com/current/index.html
In Parts One and Two, we deployed our backend that will ingest, normalize, and store our security logs. Now we need an EDR that will record the activities and events taking place on endpoints and all workloads, providing us with the visibility to uncover incidents that would otherwise remain invisible. An EDR solution needs to provide continuous and comprehensive visibility into what is happening on endpoints in real time.
EDRs are usually made up of two key pieces:
- Endpoint Agent — Collects logs from Endpoints
- Collection Manager — Receives logs from endpoints and analyzes for malicious activity
Rather than having to log onto every endpoint to view security events like a noob, we now have a central collector that allows us to manage and scale out our endpoints.
But I Have AntiVirus, I’m Good Right?
Defense in depth is a must in today’s cyber climate. AV is designed to identify malware on a computer, but cyber threat actors are growing increasingly sophisticated. Additionally, malware developers are using various techniques such as fileless malware to evade detection by antivirus solutions.
EDR provides us with the ability to pull back the curtain from our endpoints and observe all activity happening on a box. We must make sense of activity occurring on our endpoints to accurately detect malicious activity. Gathering some of the below in great detail allow us to find that sneaky threat that an AntiVirus will not provide:
- Network Connections
- DNS Queries
- Commands Ran
- User Logins
- Powershell Spawns
- Process Spawns
- And Much More!
Wazuh is the best open source EDR currently available (in my opinion). Wazuh provides a platform that allows us monitor our endpoints, integrate with 3rd party applications, meet compliance standards, provide multi tenant support, and more! Wazuh supports the most common operating systems and provides the below features right out of the box!
- Log Data Analysis
- File Integrity Monitoring
- Vulnerability Dection
- CIS Benchmark Assessment
- Regulatory Compliance
- Container Security
Wazuh also allows us to create our own detection rules, integrations, and configurations to fit any use case. Open Source for the win!
Ingest Any Logs
Wazuh allows us to ingest logs from various applications and services, allowing us to get full visibility into our endpoints. Wazuh natively supports the ability to capture logs from Event Viewer, System messages, JSON, and much more! Wazuh’s flexibiltiy allows for us to create our own custom decoders and rules to be able to handle any type of log! Allow I still haven’t found a good solution for multi line json (why do vendors do this?!).
3rd Party Integrations
With so many useful cloud services available, it is more than likely that your organization is involved with at least one. Whether it be Office365, AWS, AntiVirus, a commercial security product (Rapid7, Sophos, SentinelOne, etc.), or a home grown application, we need to bring logs from these services into our security stack.
Wazuh’s built in Python library allows us to build our own integrations to bring events into the platform for more analysis! Don’t you love the customization Open Source provides :)?
API and Active Response
Wazuh provides a RESTful API that allows for interaction with the Wazuh Manager. These API endpoints allow us to automate, enrich, pull scan results, etc. which makes our lives much easier. More to come in future posts.
Wazuh’s active response allows us to run a script that is configured to execute when a specific alert, alert level, or rule group has been triggered on an endpoint. Active responses are either stateful or stateless responses and allow us to run defensive actions in real time!
This installation details the setup and configuration of our Wazuh Manager. Wazuh Agents will be covered in our next post :).
2. WAZUH — Now install the Wazuh Manager:
apt-get -y install wazuh-manager
systemctl enable wazuh-manager
systemctl start wazuh-manager
Forwarding Logs To Graylog
Our Wazuh Manager is now installed, but we need to send the Wazuh alerts to Graylog so it can work its magic and write the logs to our Wazuh-Indexer for storage and searching.
Configure Graylog Input
- Log into Graylog WebUI and navigate to System->Inputs.
- Launch a new
3. Leave at default settings and select save. Graylog is now accepting TCP messages on port 5555.
Install Fluent-Bit on Wazuh Manager
- Wazuh Agent collects endpoint logs and sends to Manager.
- Manager compares received logs against its rulesets. If there is a match, the log is written to
3. Fluent Bit reads the
alerts.json file and sends its entries to our Graylog input.
curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh
/etc/fluent-bit/fluent-bit.conf to collect the alerts.json file and send it to Graylog:
systemctl enable fluent-bitsystemctl start fluent-bit
Wazuh Manager Configurations
Let’s tune our Wazuh install up a bit for better security and features.
Registration Via Password
Agents will need to register with our Wazuh Manager prior to sending their logs. By default, any Wazuh Agent will be able to register with the Manager. Let’s change that so that only agents under our control will be able to connect to our Manager.
- Enable the password authentication option by adding the configuration highlighted below to the
<auth>section of the manager configuration file
2. Setting your own password. This is done by creating the file
/var/ossec/etc/authd.pass on the manager with your password.
<CUSTOM_PASSWORD>with your chosen agent enrollment password and run the following command:
echo "<CUSTOM_PASSWORD>" > /var/ossec/etc/authd.pass
3. Change the
authd.pass file permissions and ownership.
chmod 640 /var/ossec/etc/authd.pass
chown root:wazuh /var/ossec/etc/authd.pass
Enable Vulnerability Detection
In order to use Wazuh to run a vulnerability assessment on our endpoints, we must enable it via the Wazuh Managers
Configure Agent Group Files
Wazuh gives us the ability to manage the configuration of our endpoint agents from a central location. Configurations such as enabled wodles, FIM collection, log collection, etc. are stored here. I like to break my groups up according to the OS of my endpoints.
Restart Wazuh Manager.
systemctl restart wazuh-manager
Add Advanced Detection Rules
The SOCFortress team has put together a public repo filled with advanced detection rules for the community to benefit from. Any contributions you make are greatly appreciated.
Access Repo — Don’t forget to give the project a star 😄
Run the rule configuration script:
With our Wazuh Manager now installed, we need to deploy our Wazuh Agents. Wazuh Agent deployment will be the topic of our next post.
In my opinion, Wazuh is the best open source EDR currently available. With so many features available out of the box, plus the ability to write our own customizations, Wazuh provides a solid EDR platform to fit any organization. Happy Defending 😄.