Using Wazuh for SIEM and vulnerability assessment
Install Wazuh
curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Install Agents
- Log into portal
- Add agents
- In this environment the following commands install the agent; it is added to the default agent group and reports back to the Wazuh manager
curl -so wazuh-agent-4.3.10.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.10-1_amd64.deb && sudo WAZUH_MANAGER='192.168.11.132' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.10.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Edit the configuration
# only needed if you want to change settings on a client node (the defaults are usually fine)
vi /var/ossec/etc/ossec.conf
service wazuh-agent restart
Enable the vulnerability detection
On the Admin UI
- Management -> Configuration -> Edit Configuration
- Set <enabled> to yes in the vulnerability-detector block
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
Enable the providers for the operating systems you want checked (each provider sits inside the vulnerability-detector block)
  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <os>jammy</os>
    <update_interval>1d</update_interval>
  </provider>
</vulnerability-detector>
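A quick way to confirm on the manager that the block above is really active, i.e. the detector is enabled, the intervals are well-formed and at least one provider is switched on. This is an added example, not part of this page or of Wazuh; the embedded sample config is constructed, and the accepted time-unit suffixes are an assumption.

```python
"""Check the vulnerability-detector settings in a Wazuh manager ossec.conf."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the block from this page plus one provider left disabled,
# wrapped in the <ossec_config> root that ossec.conf uses.
SAMPLE_CONF = """<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1d</update_interval>
    </provider>
    <provider name="debian">
      <enabled>no</enabled>
      <os>bullseye</os>
      <update_interval>1d</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>"""

# Assumed Wazuh interval syntax: a number with an optional s/m/h/d/w unit.
INTERVAL_RE = re.compile(r"^\d+[smhdw]?$")


def check_vuln_detector(conf_text):
    """Return a dict: detector enabled?, enabled providers with their OS lists,
    disabled providers, and a list of problems found (empty means OK)."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the file in a dummy root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    report = {"enabled": False, "providers": {}, "disabled": [], "problems": []}
    vd = root.find(".//vulnerability-detector")
    if vd is None:
        report["problems"].append("no <vulnerability-detector> block")
        return report
    report["enabled"] = vd.findtext("enabled", "no").strip() == "yes"
    if not report["enabled"]:
        report["problems"].append("vulnerability-detector is not enabled")
    for tag in ("interval", "min_full_scan_interval"):
        value = vd.findtext(tag, "").strip()
        if not INTERVAL_RE.match(value):
            report["problems"].append(f"bad or missing <{tag}>: {value!r}")
    for prov in vd.findall("provider"):
        name = prov.get("name", "?")
        if prov.findtext("enabled", "no").strip() == "yes":
            report["providers"][name] = [n.text.strip() for n in prov.findall("os")]
        else:
            report["disabled"].append(name)
    if not report["providers"]:
        report["problems"].append("no provider is enabled, nothing will be scanned")
    return report


if __name__ == "__main__":
    # Pass /var/ossec/etc/ossec.conf as the first argument to check a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for key, value in check_vuln_detector(text).items():
        print(f"{key}: {value}")
```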