Part 3. Wazuh Manager Install — Log Analysis

SOCFortress
6 min read · Oct 14, 2022

Best Open Source EDR Solution

Wazuh Documentation: https://documentation.wazuh.com/current/index.html

PART ONE: Backend Storage

PART TWO: Log Ingestion

Intro

In Parts One and Two, we deployed our backend that will ingest, normalize, and store our security logs. Now we need an EDR that will record the activities and events taking place on endpoints and all workloads, providing us with the visibility to uncover incidents that would otherwise remain invisible. An EDR solution needs to provide continuous and comprehensive visibility into what is happening on endpoints in real time.

EDRs are usually made up of two key pieces:

  • Endpoint Agent — Collects logs from Endpoints
  • Collection Manager — Receives logs from endpoints and analyzes for malicious activity

Basic Data Flow

Rather than having to log onto every endpoint to view security events like a noob, we now have a central collector that allows us to manage and scale out our endpoints.

But I Have AntiVirus, I’m Good Right?

Defense in depth is a must in today’s cyber climate. AV is designed to identify malware on a computer, but cyber threat actors are growing increasingly sophisticated. Additionally, malware developers are using various techniques such as fileless malware to evade detection by antivirus solutions.

EDR provides us with the ability to pull back the curtain from our endpoints and observe all activity happening on a box. We must make sense of activity occurring on our endpoints to accurately detect malicious activity. Gathering some of the below in great detail allows us to find that sneaky threat that an AntiVirus will not catch:

  • Network Connections
  • DNS Queries
  • Commands Run
  • User Logins
  • PowerShell Spawns
  • Process Spawns
  • And Much More!

Why Wazuh?

Wazuh is the best open source EDR currently available (in my opinion). Wazuh provides a platform that allows us to monitor our endpoints, integrate with 3rd party applications, meet compliance standards, provide multi-tenant support, and more! Wazuh supports the most common operating systems and provides the below features right out of the box!

  • Log Data Analysis
  • File Integrity Monitoring
  • Vulnerability Detection
  • CIS Benchmark Assessment
  • Regulatory Compliance
  • Container Security

Wazuh also allows us to create our own detection rules, integrations, and configurations to fit any use case. Open Source for the win!

Ingest Any Logs

Wazuh allows us to ingest logs from various applications and services, allowing us to get full visibility into our endpoints. Wazuh natively supports the ability to capture logs from Event Viewer, System messages, JSON, and much more! Wazuh’s flexibility allows us to create our own custom decoders and rules to be able to handle any type of log! Although I still haven’t found a good solution for multi-line JSON (why do vendors do this?!).

3rd Party Integrations

With so many useful cloud services available, it is more than likely that your organization is involved with at least one. Whether it be Office365, AWS, AntiVirus, a commercial security product (Rapid7, Sophos, SentinelOne, etc.), or a home-grown application, we need to bring logs from these services into our security stack.

Wazuh’s built in Python library allows us to build our own integrations to bring events into the platform for more analysis! Don’t you love the customization Open Source provides :)?

API and Active Response

Wazuh provides a RESTful API that allows for interaction with the Wazuh Manager. These API endpoints allow us to automate, enrich, pull scan results, etc. which makes our lives much easier. More to come in future posts.

Wazuh’s active response allows us to run a script that is configured to execute when a specific alert, alert level, or rule group has been triggered on an endpoint. Active responses are either stateful or stateless responses and allow us to run defensive actions in real time!

Install

This installation details the setup and configuration of our Wazuh Manager. Wazuh Agents will be covered in our next post :).

  1. PREREQUISITES

  2. WAZUH — Now install the Wazuh Manager:

apt-get -y install wazuh-manager
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Forwarding Logs To Graylog

Our Wazuh Manager is now installed, but we need to send the Wazuh alerts to Graylog so it can work its magic and write the logs to our Wazuh-Indexer for storage and searching.

Configure Graylog Input

  1. Log into Graylog WebUI and navigate to System->Inputs.
  2. Launch a new Raw/Plaintext TCP input.
  3. Leave at default settings and select save. Graylog is now accepting TCP messages on port 5555.

Install Fluent-Bit on Wazuh Manager

  1. Wazuh Agent collects endpoint logs and sends to Manager.
  2. Manager compares received logs against its rulesets. If there is a match, the log is written to /var/ossec/logs/alerts/alerts.json.
  3. Fluent Bit reads the alerts.json file and sends its entries to our Graylog input.

curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh

Edit the /etc/fluent-bit/fluent-bit.conf to collect the alerts.json file and send it to Graylog:
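The original post shows this file as a screenshot; the following is an added example (not the post's own file) that does what the sentence describes: tail alerts.json line by line, parse each line as JSON, and ship it to the Raw/Plaintext TCP input on port 5555. The Graylog hostname graylog.example.internal is a placeholder, and the directory /var/lib/fluent-bit is assumed to exist for the tail position database.

```ini
[SERVICE]
    Flush         5
    Daemon        Off
    Log_Level     info
    # Default parser definitions shipped with the package; provides the "json" parser
    Parsers_File  /etc/fluent-bit/parsers.conf

[INPUT]
    Name              tail
    Tag               wazuh.alerts
    # Path from the post: one JSON alert per line, written by the Wazuh Manager
    Path              /var/ossec/logs/alerts/alerts.json
    Parser            json
    # Position database so a restart does not re-send or skip alerts
    # (assumption: /var/lib/fluent-bit exists and is writable by the fluent-bit user)
    DB                /var/lib/fluent-bit/wazuh-alerts.db
    # Only forward new alerts; set to True once if historical alerts are wanted
    Read_from_Head    False
    Refresh_Interval  5
    # Bound memory use if Graylog is temporarily unreachable
    Mem_Buf_Limit     50MB
    # Do not stall on an oversized line; it is dropped and logged instead
    Skip_Long_Lines   On

[OUTPUT]
    Name    tcp
    Match   wazuh.*
    # Placeholder hostname for the Graylog node running the Raw/Plaintext TCP input
    Host    graylog.example.internal
    # Port from the post's Graylog input
    Port    5555
    # One JSON document per line, which is what the Raw/Plaintext input expects
    Format  json_lines
```

Graylog's Raw/Plaintext input stores each received line in the message field as-is, so add a JSON extractor (or a pipeline rule) on that input to index the Wazuh alert fields individually. Restrict port 5555 on the Graylog host to the Wazuh Manager's address, since the raw input performs no authentication.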

systemctl enable fluent-bit
systemctl start fluent-bit

Wazuh Manager Configurations

Let’s tune our Wazuh install up a bit for better security and features.

Registration Via Password

Agents will need to register with our Wazuh Manager prior to sending their logs. By default, any Wazuh Agent will be able to register with the Manager. Let’s change that so that only agents under our control will be able to connect to our Manager.

  1. Enable the password authentication option by adding the configuration highlighted below to the <auth> section of the manager configuration file /var/ossec/etc/ossec.conf.
<auth>
<use_password>yes</use_password>
</auth>

  2. Set your own password. This is done by creating the file /var/ossec/etc/authd.pass on the manager with your password.

  • Replace <CUSTOM_PASSWORD> with your chosen agent enrollment password and run the following command:
echo "<CUSTOM_PASSWORD>" > /var/ossec/etc/authd.pass

  3. Change the authd.pass file permissions and ownership.

chmod 640 /var/ossec/etc/authd.pass
chown root:wazuh /var/ossec/etc/authd.pass

Enable Vulnerability Detection

In order to use Wazuh to run a vulnerability assessment on our endpoints, we must enable it via the Wazuh Manager’s /var/ossec/etc/ossec.conf file.

Further Reading

Configure Agent Group Files

Wazuh gives us the ability to manage the configuration of our endpoint agents from a central location. Configurations such as enabled wodles, FIM collection, log collection, etc. are stored here. I like to break my groups up according to the OS of my endpoints.

Linux Group:

Windows Group:

Restart Wazuh Manager.

systemctl restart wazuh-manager

Add Advanced Detection Rules

The SOCFortress team has put together a public repo filled with advanced detection rules for the community to benefit from. Any contributions you make are greatly appreciated.

POST: FREE Advanced Wazuh Detection Rules

Access Repo — Don’t forget to give the project a star 😄

Run the rule configuration script:

Next Steps

With our Wazuh Manager now installed, we need to deploy our Wazuh Agents. Wazuh Agent deployment will be the topic of our next post.

Conclusion

In my opinion, Wazuh is the best open source EDR currently available. With so many features available out of the box, plus the ability to write our own customizations, Wazuh provides a solid EDR platform to fit any organization. Happy Defending 😄.

Need Help?

The functionality discussed in this post, and so much more, are available via SOCFortress’s Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Professional Services: https://www.socfortress.co/ps.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).