#
Wazuh
#
Server install
(Taken from the quick start guide)
curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -aAs install finishes, keep an eye out for your default admin password. If you miss it:
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
#
Make groups for your endpoints to drop into
/var/ossec/bin/agent_groups -a -g Windows -q
/var/ossec/bin/agent_groups -a -g macOS -q
/var/ossec/bin/agent_groups -a -g Linux -q
#
Add agents
Head to https://your.wazuh-server.com/app/endpoints-summary#/agents-preview/deploy to fill out the connection info to generate an install file for the appropriate OS.
#
Check if Wazuh is running
systemctl status wazuh-manager
#
Main config file to edit
sudo nano /var/ossec/etc/ossec.conf
#
Review server logs/statuses
systemctl status wazuh-manager
systemctl status wazuh-indexer
sudo tail -f /var/ossec/logs/ossec.log
sudo cat wazuh-indexer/wazuh-cluster.log
sudo filebeat test output
#
Starting/restarting services if necessary
sudo systemctl restart wazuh-indexer
sudo systemctl restart wazuh-manager
#
Reset all passwords
sudo ./wazuh-passwords-tool.sh -a -v
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore remove opensearch.password --allow-root
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.password --allow-root
sudo systemctl restart wazuh-dashboard
#
Agents
#
Starting/restarting services
Linux:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
sudo tail -f /var/ossec/logs/ossec.logMacs:
sudo /Library/Ossec/bin/wazuh-control restartWindows:
NET STOP WazuhSvc
NET START WazuhSvc