Wazuh

Install

(Taken from the quick start guide)

curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

As the install finishes, keep an eye out for the default admin password it prints. If you miss it:

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Make groups for your endpoints to drop into

/var/ossec/bin/agent_groups -a -g Windows -q
/var/ossec/bin/agent_groups -a -g macOS -q
/var/ossec/bin/agent_groups -a -g Linux -q

Add agents

Head to https://your.wazuh-server.com/app/endpoints-summary#/agents-preview/deploy to fill out the connection info to generate an install file for the appropriate OS.

Check if Wazuh is running

systemctl status wazuh-manager

Main config file to edit

sudo nano /var/ossec/etc/ossec.conf

Review server logs/statuses

systemctl status wazuh-manager
systemctl status wazuh-indexer
sudo tail -f /var/ossec/logs/ossec.log
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
sudo filebeat test output
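An added helper for triaging ossec.log by severity and daemon; it is not part of the quick start guide or the Wazuh project, assumes the manager's log line format `YYYY/MM/DD HH:MM:SS daemon: LEVEL: message`, and falls back to constructed sample lines when /var/ossec/logs/ossec.log is not readable:

```shell
#!/bin/sh
# Added example (not Wazuh's own code): summarise the manager log by severity.
# Assumes ossec.log lines look like "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message".

# Write a few constructed sample lines in ossec.log format to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2024/05/01 10:00:01 wazuh-remoted: INFO: sample info message (constructed)
2024/05/01 10:00:02 wazuh-analysisd: WARNING: sample warning (constructed)
2024/05/01 10:00:03 wazuh-analysisd: ERROR: sample error (constructed)
2024/05/01 10:00:04 wazuh-modulesd:syscollector: INFO: sample info (constructed)
2024/05/01 10:00:05 wazuh-db: ERROR: sample error (constructed)
2024/05/01 10:00:06 wazuh-analysisd: CRITICAL: sample critical (constructed)
EOF
}

# Count ERROR and CRITICAL entries in the log file named in $1 (field 4 is the level).
count_errors() {
    awk '$4 == "ERROR:" || $4 == "CRITICAL:" { n++ } END { print n + 0 }' "$1"
}

# List daemons with WARNING/ERROR/CRITICAL entries as "count daemon", noisiest first.
# Field 3 is the daemon (possibly "daemon:module") with a trailing colon, which is stripped.
noisy_daemons() {
    awk '$4 ~ /^(WARNING|ERROR|CRITICAL):$/ { sub(/:$/, "", $3); c[$3]++ }
         END { for (d in c) print c[d], d }' "$1" | sort -rn
}

# Use the live log when run on a manager; otherwise fall back to the constructed sample.
LOG=/var/ossec/logs/ossec.log
if [ ! -r "$LOG" ]; then
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
echo "ERROR/CRITICAL lines: $(count_errors "$LOG")"
noisy_daemons "$LOG"
```

Run it as root on the manager to use the real log; a daemon that climbs to the top of the list after a config change is the first place to look.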

Starting/restarting services if necessary

sudo systemctl restart wazuh-indexer
sudo systemctl restart wazuh-manager