A Cyber Journey

Wazuh: WALKTHROUGH

r0tZ
Wazuh: WALKTHROUGH

[INCOMPLETE]

Created in 2015, Wazuh is an open-source, freely available and extensive EDR solution. It can be used in all scales of environments. Wazuh operates on a management and agent module. Simply, a device is dedicated to running Wazuh named a manager, where Wazuh operates on a management and agent model where the manager is responsible for managing agents installed on the devices you’d like to monitor. Let’s look at this model in the diagram below:

We can see logs from three Agents being sent to the Wazuh server.

ACTION – Wait for server to boot up and connect, took 8 mins. Login using provided details, I didn’t need to select Global Tenant it logged straight in

Devices that record the events and processes of a system are called agents. Agents monitor the processes and events that take place on the device, such as authentication and user management. Agents will offload these logs to a designated collector for processing, such as Wazuh.

In order for Wazuh to be populated, agents need to be installed onto devices to log such events. Wazuh can guide you through the agent deployment process provided you fill out some pre-requisites such as::

  • Operating System
  • The address of the Wazuh server that the agent should send logs to (this can be a DNS entry or an IP address)
  • What group the agent will be under – you can sort agents into groups within Wazuh if you wish

This wizard can be launched by navigating to the following location on the Wazuh server: Wazuh -> Agents -> Deploy New Agent as illustrated in this screenshot below:

Once you navigate to this display, the intuitive wizard will be available to you. I have shared screenshots of using the wizard to install Wazhur’s agent on both Windows and Debian/Ubuntu. At stage 4, you are given a command to copy and paste to your clipboard which will install & configure the agent on the device that you wish to collect logs from.

Installing the Wazuh agent on Windows:

Installing the Wazuh agent on Debian/Ubuntu:

Dropped off the note taking and just completed. Learnt how to shortcut to a quote though…

 See Wazuh in action in this Walkthrough: https://lindsayedwardsit.com/challengemonday-monitor-walkthrough/

r0tZ Avatar
r0tZ

Leave a Reply

Your email address will not be published. Required fields are marked *

Search

Latest Posts

Latest Comments

Categories

Archives

Tags

Cyber Defense Cyber Investigation Cyber Kill Chain Cybersecurity Cybersecurity Tools Cyber Threat Hunting Cyber Threat Intelligence Data Recovery Data Visualization DFIR Digital Forensics Email Security Event Correlation Evidence Collection Evidence Preservation Forensic Analysis Forensic Artifacts Incident Handling Incident Response KAPE Log Analysis Malware Analysis Memory Analysis Network Forensics Network Monitoring Network Security Open Source Security OSINT Packet Analysis Security Automation Security Investigation Security Monitoring Security Operations Security Tools SIEM Social Engineering Threat Analysis Threat Detection Threat Hunting Threat Intelligence Wazuh Windows Forensics Windows Logs Windows Registry Wireshark