Wazuh
Install
(Taken from the quick start guide)
curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
As the install finishes, watch for the default admin password it prints. If you miss it, pull it from the install archive:
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
Make groups for your endpoints to drop into
/var/ossec/bin/agent_groups -a -g Windows -q
/var/ossec/bin/agent_groups -a -g macOS -q
/var/ossec/bin/agent_groups -a -g Linux -q
Add agents
Head to https://your.wazuh-server.com/app/endpoints-summary#/agents-preview/deploy and fill in the connection info to generate an install file for the appropriate OS.
Check if Wazuh is running
systemctl status wazuh-manager
Main config file to edit
sudo nano /var/ossec/etc/ossec.conf
Review server logs/statuses
systemctl status wazuh-manager
systemctl status wazuh-indexer
sudo tail -f /var/ossec/logs/ossec.log
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
sudo filebeat test output
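A small shell helper for the log-review step, added here and not part of the original notes: it summarises ossec.log by daemon and severity so errors stand out instead of scrolling past in tail -f. It assumes the standard ossec.log layout of "date time daemon: LEVEL: message"; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise wazuh-manager's
# ossec.log by daemon and severity. Assumes each line looks like
#   YYYY/MM/DD HH:MM:SS daemon: LEVEL: message
# The lines below are constructed sample data standing in for
# /var/ossec/logs/ossec.log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024/03/01 09:00:01 wazuh-modulesd:syscollector: INFO: Module started.
2024/03/01 09:00:02 wazuh-remoted: INFO: Started. Listening on port 1514/TCP (secure).
2024/03/01 09:00:05 wazuh-remoted: WARNING: Message from '10.0.0.5' not allowed. Cannot find the ID of the agent.
2024/03/01 09:00:07 wazuh-analysisd: ERROR: Error reading XML file 'etc/rules/local_rules.xml'.
2024/03/01 09:00:09 wazuh-remoted: WARNING: Message from '10.0.0.6' not allowed. Cannot find the ID of the agent.
2024/03/01 09:00:11 wazuh-db: ERROR: Couldn't execute SQL statement.
EOF

# count_level LOG LEVEL -> number of lines at that severity (ERROR, WARNING, INFO, ...)
# Splitting on ": " makes field 2 the level even though daemon names such as
# wazuh-modulesd:syscollector contain a bare colon.
count_level() {
    awk -v lvl="$2" -F': ' '$2 == lvl { n++ } END { print n + 0 }' "$1"
}

# summarize_log LOG -> one line per daemon that logged problems: "daemon errors warnings"
summarize_log() {
    awk -F': ' '
        $2 == "ERROR" || $2 == "WARNING" {
            split($1, a, " ")              # a[3] is the daemon name after date and time
            if ($2 == "ERROR") err[a[3]]++; else warn[a[3]]++
            seen[a[3]] = 1
        }
        END { for (d in seen) printf "%s %d %d\n", d, err[d] + 0, warn[d] + 0 }
    ' "$1" | sort
}

# daemon_errors LOG DAEMON -> error count for one daemon (0 if it logged none)
daemon_errors() {
    summarize_log "$1" | awk -v d="$2" '$1 == d { print $2; found = 1 } END { if (!found) print 0 }'
}

echo "daemon errors warnings"
summarize_log "$SAMPLE_LOG"
echo "total errors: $(count_level "$SAMPLE_LOG" ERROR)"
```

On a live server, point the functions at /var/ossec/logs/ossec.log instead of the constructed sample.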
Starting/restarting services if necessary
sudo systemctl restart wazuh-indexer
sudo systemctl restart wazuh-manager