Wazuh SIEM

Wazuh Open-Source SIEM

What is Wazuh SIEM?

Wazuh is an open-source security information and event management (SIEM) platform that helps organizations detect threats, monitor compliance, and respond to security incidents. It integrates security monitoring, log data collection, file integrity checking, vulnerability detection, and host-based intrusion detection in a single solution. Originally a fork of OSSEC, Wazuh extends it with centralized storage and search of security events, real-time alerting, a REST API, and integrations with other security tools.

As a SIEM system, Wazuh focuses on log data analysis, intrusion detection, and incident response, making it a robust solution for security monitoring. Wazuh can help you identify potential security incidents, analyze threat data, and improve the overall visibility of your infrastructure’s security.

Key Features and Capabilities of Wazuh SIEM

  • Log Data Collection and Analysis
    Wazuh collects logs from various data sources, including servers, endpoints, cloud services, and network devices. It can normalize and analyze logs to detect anomalies, such as failed login attempts, system misconfigurations, and potential breaches.
  • Intrusion Detection System (IDS)
    Wazuh is a host-based intrusion detection system (HIDS): the agent watches the endpoint it runs on, and the manager matches the collected events against a signature-style ruleset (log patterns, file changes, rootkit checks, malware indicators) plus frequency-based rules that correlate repeated events inside a time window, which is how a brute-force login attempt or a web attack logged by the web server is recognized. Wazuh does not inspect network traffic itself; network-level detection comes from ingesting the alerts of a network IDS such as Suricata.
  • File Integrity Monitoring (FIM)
    Wazuh monitors critical system files and directories for unauthorized changes (the syscheck module), either on a schedule or in real time. When a monitored file is created, modified or deleted, Wazuh raises an alert that records old and new checksums, permissions and ownership, and with audit-based who-data it can also report which user and process made the change, allowing security teams to spot tampering, malware drops, or unauthorized configuration changes.
  • Vulnerability Detection
    Wazuh agents inventory the operating system and installed packages on each host (the syscollector module), and the manager compares that inventory against CVE feeds from the NVD and operating-system vendors, flagging installed software with known vulnerabilities and missing patches. Wazuh does not run a network vulnerability scanner; if you also use tools like OpenVAS or Nessus, their findings can be fed to Wazuh as logs, but the built-in detection is inventory-based. The result is a per-agent list of CVEs with severity that helps you prioritize fixes and reduce exposure.
  • Security Monitoring of Cloud Environments
    Wazuh provides native integration with cloud platforms like AWS, Azure, and Google Cloud to monitor the security of cloud resources. It collects cloud logs and performs security analysis to detect potential risks and compliance issues in cloud environments.
  • Compliance Reporting
    Wazuh maps its rules and its Security Configuration Assessment (SCA) checks to requirements from frameworks such as PCI DSS, GDPR, HIPAA, NIST 800-53 and TSC (SOC 2), and tags each alert with the controls it relates to, so compliance dashboards and reports can show which controls are producing alerts and which configuration checks fail. This supports continuous monitoring and audit evidence gathering; it does not by itself make a system compliant.
  • Alerting and Visualization
    Wazuh stores alerts in a search index and presents them in a web UI. Recent 4.x releases ship their own components for this, the Wazuh indexer and Wazuh dashboard (forks of OpenSearch and OpenSearch Dashboards); earlier 4.x deployments, and the tutorial below, use Elasticsearch and Kibana with the Wazuh Kibana plugin. Either way, security teams get dashboards to analyze trends, triage alerts, and drill into the underlying events.
  • Real-Time Security Event Monitoring
    Wazuh offers real-time alerting to help security teams respond promptly to emerging threats. It sends notifications based on predefined or customized rules and can trigger automated responses to mitigate risks.
  • Active Responses
    Wazuh can run scripts automatically when a rule fires (active response). Stock responses include firewall-drop (a firewall rule against the source IP), host-deny, route-null and disable-account, and you can add your own executables. A response runs on the agent that raised the alert, on the manager, or on all agents, and can be given a timeout after which the action is reverted. Because a response acts on data taken from the alert, bind it to specific rule ids and validate its input rather than triggering it on alert level alone.

Wazuh Architecture

Wazuh follows a client-server architecture. The server side consists of the manager (which also hosts the API), the index where alerts are stored, and the dashboard (Kibana in the tutorial below); the monitored endpoints run Wazuh agents:

  • Wazuh Manager
    The Wazuh Manager is the central server that receives events from agents, runs the decoders and rules against them, generates alerts and forwards them to the index. It also holds the agent registry and the ruleset, and runs the Wazuh API.
  • Wazuh Agents
    Wazuh Agents are installed on the endpoints and servers you want to monitor. They collect logs and run file integrity monitoring, system inventory and configuration checks locally, then send the results over an encrypted channel (TCP 1514 by default) to the manager, which performs the rule analysis. Devices that cannot run an agent, such as network equipment, send syslog to an agent or to the manager instead.
  • Wazuh API
    The Wazuh API is a RESTful service on the manager (TCP 55000 by default) that exposes agent management, rules, configuration and manager status. It can be used to automate tasks, integrate with other platforms, or build custom tools for your security operations; the dashboard itself is an API client.
  • Kibana Dashboard
    Kibana (or the Wazuh dashboard in current releases) is used for visualizing and analyzing the alerts indexed from the manager. It provides a user-friendly interface to explore alerts, search for specific events, and create custom reports.
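The API paragraph above mentions automation without showing any. The following script, an added example and not part of Wazuh, does one of the most common chores: it authenticates to the Wazuh API and lists agents that have stopped reporting. The manager host name, API user, password and CA file path are placeholders for the example; the endpoints (/security/user/authenticate, /agents), the default port 55000 and the response field names are those of the Wazuh 4.x API. The sample API response used by stale_agents() is constructed so the reduction step can be run offline.

```python
"""List Wazuh agents that have stopped reporting, via the Wazuh API.

Added example, not part of Wazuh. It assumes a 4.x manager with the API on the
default port 55000, a dedicated read-only API user (change the default wazuh:wazuh
credentials before exposing the API) and a CA file for the API's TLS certificate;
the host name, user, password and CA path are placeholders.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import List, Tuple

API_URL = "https://wazuh-manager.example.internal:55000"  # assumed host
API_USER = "soc-reader"                                    # assumed API user
API_PASSWORD = "replace-me"                                # assumed; keep real secrets out of code
CA_FILE = "/etc/wazuh/api-ca.pem"                          # assumed path of the API CA certificate


def tls_context(ca_file: str) -> ssl.SSLContext:
    """Pin the CA that issued the API certificate instead of turning verification off."""
    return ssl.create_default_context(cafile=ca_file)


def authenticate(base_url: str, user: str, password: str, ctx: ssl.SSLContext) -> str:
    """POST /security/user/authenticate with HTTP basic auth; the JWT is returned in data.token."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["data"]["token"]


def api_get(base_url: str, token: str, path: str, ctx: ssl.SSLContext, **params) -> dict:
    """GET an API path with the bearer token (tokens expire, so re-authenticate on HTTP 401)."""
    url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def stale_agents(payload: dict, skip_manager: bool = True) -> List[Tuple[str, str, str, str]]:
    """Reduce a GET /agents body to (id, name, status, lastKeepAlive) rows for agents not "active".

    Agent 000 is the manager's own entry and reports no keepalive, so it is skipped by default.
    """
    rows = []
    for agent in payload.get("data", {}).get("affected_items", []):
        if skip_manager and agent.get("id") == "000":
            continue
        if agent.get("status") == "active":
            continue
        rows.append((agent["id"], agent.get("name", "?"), agent.get("status", "unknown"),
                     agent.get("lastKeepAlive", "never")))
    return sorted(rows)


# Constructed body in the shape of GET /agents?select=id,name,status,lastKeepAlive
SAMPLE_AGENTS = {
    "data": {
        "affected_items": [
            {"id": "000", "name": "wazuh-manager", "status": "active"},
            {"id": "001", "name": "web01", "status": "active", "lastKeepAlive": "2024-03-01T09:00:10Z"},
            {"id": "002", "name": "db01", "status": "disconnected", "lastKeepAlive": "2024-02-28T22:41:03Z"},
            {"id": "003", "name": "build02", "status": "never_connected"},
        ],
        "total_affected_items": 4, "failed_items": [], "total_failed_items": 0,
    },
    "message": "All selected agents information was returned", "error": 0,
}


def main() -> None:
    ctx = tls_context(CA_FILE)
    token = authenticate(API_URL, API_USER, API_PASSWORD, ctx)
    body = api_get(API_URL, token, "/agents", ctx, select="id,name,status,lastKeepAlive", limit=500)
    for agent_id, name, status, keepalive in stale_agents(body):
        print(f"{agent_id} {name:<20} {status:<16} last keepalive {keepalive}")


if __name__ == "__main__":
    main()
```

Two details matter in practice: the script pins the CA of the API certificate rather than disabling TLS verification (the API ships with a self-signed certificate, so you either install its CA or replace the certificate), and it never puts the default API credentials in code.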

Getting Started with Wazuh: A Step-by-Step Tutorial

This tutorial will walk you through setting up Wazuh on a Linux system, installing the necessary components, and using the platform to monitor your environment.

Step 1️⃣: Install Wazuh Manager

Install the Wazuh Manager
First, ensure that your server is running a supported version of Linux (e.g., CentOS/RHEL-family or Ubuntu). Log in to your server, add the Wazuh package repository together with its signing key, and install the Wazuh Manager. Agents will need to reach the manager on TCP 1514 (agent traffic) and TCP 1515 (enrollment), and the API listens on TCP 55000, so allow those on the host firewall.

For Ubuntu:

Bash
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
sudo apt-get install wazuh-manager

For CentOS:

Bash
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
printf '[wazuh]\nname=Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\n' | sudo tee /etc/yum.repos.d/wazuh.repo
sudo yum install wazuh-manager

Start the Wazuh Manager
After installing the manager, start the service with the following command:

Bash
sudo systemctl start wazuh-manager 

Enable the service to start on boot:

Bash
sudo systemctl enable wazuh-manager

Step 2️⃣: Install Wazuh Agent

Install the Wazuh Agent
on the target machine (the machine you want to monitor). The Wazuh repository and signing key must be added on the target exactly as in Step 1 before the package can be installed. Setting WAZUH_MANAGER at install time writes the manager address into the agent configuration for you, so the manual edit below becomes a check rather than a requirement.

For Ubuntu:

Bash
sudo WAZUH_MANAGER="your_manager_ip" apt-get install wazuh-agent

For CentOS:

Bash
sudo WAZUH_MANAGER="your_manager_ip" yum install wazuh-agent

Configure the Wazuh Agent
After installation, the agent must know where the manager is (if you set WAZUH_MANAGER during installation this is already done). Edit the configuration file:

Bash
sudo nano /var/ossec/etc/ossec.conf

Set the Wazuh Manager's IP address or hostname in the <server> block, which lives inside the <client> section; port 1514 over TCP is the default agent channel:

XML
<client>
  <server>
    <address>your_manager_ip</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
</client>

Start the Wazuh Agent:
Once configured, start the agent:

Bash
sudo systemctl start wazuh-agent

Enable the agent to start on boot:

Bash
sudo systemctl enable wazuh-agent

On first start the agent enrolls with the manager's enrollment service (TCP 1515) and receives its unique key, then reports over TCP 1514. If it does not show up, check /var/ossec/logs/ossec.log on the agent for connection or enrollment errors; on the manager, the agent_control tool in /var/ossec/bin/ (agent_control -l) lists the registered agents and whether each one is Active.

Step 3️⃣: Integrate Wazuh with Kibana

Install Kibana
Recent Wazuh releases replace this step with the wazuh-indexer and wazuh-dashboard packages (the quickstart script wazuh-install.sh from packages.wazuh.com sets up manager, indexer and dashboard together). The steps below describe the Kibana-based layout. Kibana comes from Elastic's own package repository, not from the Wazuh one, and the Wazuh plugin is built only for specific Kibana versions, so check the Wazuh documentation for the Kibana version that matches your Wazuh release before installing.

For Ubuntu:

Bash
sudo apt-get install kibana

For CentOS:

Bash
sudo yum install kibana

Install Wazuh Plugin for Kibana
Install the Wazuh plugin for Kibana so that the Wazuh app can talk to the Wazuh API. The plugin is not fetched by name: kibana-plugin install takes the URL (or local path) of the plugin zip, and that zip must match both your Wazuh version and your Kibana version. The download URLs are listed in the Wazuh documentation for your release.

Bash
sudo /usr/share/kibana/bin/kibana-plugin install <wazuh_kibana_plugin_zip_url>

Configure Kibana
Make Kibana reachable from your workstation by editing the kibana.yml file:

Bash
sudo nano /etc/kibana/kibana.yml

Add:

YAML
server.host: "0.0.0.0"

This binds Kibana to every interface. Every alert Wazuh produces is visible through it, so before exposing it beyond localhost enable TLS and authentication (the security features of your Elastic/Open Distro stack, or a reverse proxy that terminates TLS and authenticates users), or bind it to a management interface only.

Start Kibana

Bash
sudo systemctl start kibana
sudo systemctl enable kibana

Step 4️⃣: Use Wazuh for Security Monitoring

Access the Kibana Dashboard
After installing and configuring Kibana, navigate to http://your_kibana_ip:5601 (https if you enabled TLS) to access the Kibana web interface.

View Wazuh Alerts
In Kibana, go to the Wazuh App to view the alerts generated by Wazuh. The first time the app opens it must be pointed at the manager's API (host, port 55000 and an API user). Alerts can then be filtered by rule level, agent, rule group, source IP and other fields.

Create Custom Dashboards
Use Kibana’s powerful dashboard features to create custom visualizations of your log data. For example, you can create graphs showing the number of failed login attempts or visualize traffic anomalies.

Step 5️⃣: Set Up Alerts and Responses

Configure Wazuh Alerts
Wazuh ships a large default ruleset in /var/ossec/ruleset/rules/; leave those files alone, because package upgrades overwrite them. Put your own rules in /var/ossec/etc/rules/local_rules.xml (rule ids from 100000 upward are reserved for custom rules), where they can extend stock rules through if_sid and if_matched_sid, change alert levels, or add frequency-based correlation for specific attack types or unusual system activity. Test a rule against a sample log line with /var/ossec/bin/wazuh-logtest before restarting the manager, and remember that only alerts at or above the level configured in ossec.conf (3 by default) are written to the alerts log.
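To make the frequency and if_sid mechanics concrete, here is an added example (not Wazuh's engine or ruleset) that replays the logic of the stock sshd rules over constructed auth.log lines: rule 5716 on each failed password, rule 5720 when eight failures from one source IP land inside 120 seconds, and a custom child rule with the hypothetical id 100100 that escalates 5720 when the source is outside an assumed internal range. The XML for that child rule, as it would appear in local_rules.xml, is in the docstring; the log lines, hostnames and IPs are constructed.

```python
"""Replay of how Wazuh frequency/timeframe rules fire, run over sample sshd log lines.

Added example, not Wazuh's ruleset or analysis engine. It mirrors the stock sshd
rules: 5716 (level 5) fires on every "Failed password" line, and 5720 (level 10)
fires when 8 of those from the same source IP fall inside 120 seconds, then stays
quiet for 60 seconds (ignore="60"). A custom child rule, given the hypothetical id
100100 here, escalates 5720 when the source lies outside an assumed internal range
(10.0.0.0/8). In a real deployment that child rule would go into
/var/ossec/etc/rules/local_rules.xml:

    <group name="local,sshd,">
      <rule id="100100" level="12">
        <if_sid>5720</if_sid>
        <srcip>!10.0.0.0/8</srcip>
        <description>sshd: brute force from outside the internal range</description>
      </rule>
    </group>

Every log line below is constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>[\d.]+) port \d+"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range used by rule 100100


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the manager assumes the current one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class SshdBruteForceRules:
    def __init__(self, frequency: int = 8, timeframe: int = 120, ignore: int = 60):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.hits = defaultdict(deque)  # srcip -> timestamps of recent 5716 matches
        self.last_5720 = {}             # srcip -> last time 5720 fired for that ip

    def feed(self, line: str) -> list:
        """Return the alerts one log line produces, in the order the engine emits them."""
        m = SSHD_FAIL.match(line)
        if not m:
            return []                   # no decoder/rule match: nothing is alerted
        ts, ip = parse_ts(m["ts"]), m["srcip"]
        alerts = [{"rule": 5716, "level": 5, "srcip": ip, "user": m["user"], "ts": ts}]

        window = self.hits[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=self.timeframe):
            window.popleft()            # forget hits older than the timeframe
        last = self.last_5720.get(ip)
        quiet = last is not None and ts - last <= timedelta(seconds=self.ignore)
        if len(window) >= self.frequency and not quiet:
            alerts.append({"rule": 5720, "level": 10, "srcip": ip, "count": len(window), "ts": ts})
            self.last_5720[ip] = ts
            # child rule 100100: evaluated only when its parent (if_sid 5720) matched
            if ipaddress.ip_address(ip) not in INTERNAL:
                alerts.append({"rule": 100100, "level": 12, "srcip": ip, "ts": ts})
        return alerts


def replay(lines) -> list:
    """Run a list of log lines through a fresh engine and collect all alerts."""
    engine = SshdBruteForceRules()
    alerts = []
    for line in lines:
        alerts.extend(engine.feed(line))
    return alerts


def sample_lines() -> list:
    """Constructed auth.log excerpt: 10 failures in 30 s from an external IP, 8 failures
    in 85 s from an internal IP, and 3 failures five minutes apart from a third host."""
    def line(sec, user, ip):
        stamp = (datetime(2024, 3, 1, 9, 0, 0) + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S")
        return f"{stamp} web01 sshd[{1000 + sec}]: Failed password for invalid user {user} from {ip} port {40000 + sec} ssh2"
    lines = [line(3 * i, "admin", "203.0.113.7") for i in range(10)]
    lines += [line(12 * i + 1, "root", "10.0.0.5") for i in range(8)]
    lines += [line(300 * i + 2, "deploy", "198.51.100.9") for i in range(3)]
    return sorted(lines, key=lambda l: parse_ts(l[:15]))


if __name__ == "__main__":
    for alert in replay(sample_lines()):
        if alert["rule"] != 5716:      # the single-failure alerts are noise here
            print(f'{alert["ts"]:%H:%M:%S} rule {alert["rule"]} level {alert["level"]} srcip {alert["srcip"]}')
```

Running it shows why tuning matters: the external source trips 5720 and 100100 on its eighth failure and stays silent for the ninth and tenth because of the ignore window, the internal host trips only 5720, and the slow third host never reaches the frequency threshold because its hits age out of the timeframe. Raising the child rule's level above the manager's alert threshold, rather than editing 5720 itself, is the upgrade-safe way to prioritize it.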

Define Active Responses
Wazuh allows you to define active responses for specific threats. For example, when the stock rule 5720 (sshd: multiple authentication failures from one source) fires, you can have the agent that saw the attack run the firewall-drop response against the source IP by adding an <active-response> block to /var/ossec/etc/ossec.conf on the manager that names the command (firewall-drop), the location (local), the rule ids that trigger it and a timeout after which the block is removed. Bind responses to specific rule ids rather than to alert levels, and validate the alert fields a custom script acts on: the source IP comes from attacker-influenced log data.
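As an added example (not a script shipped with Wazuh), the following custom active-response script implements the stdin/stdout exchange that Wazuh 4.x execd runs with active-response executables, and blocks the alert's source IP with iptables. The ossec.conf wiring in the docstring, the command name, the never-block ranges and the log path are assumptions for the example; the message shapes (add, check_keys, continue/abort, delete) are those of the Wazuh 4.x protocol. The sample execd messages are constructed so the handshake can be exercised in-process without a manager.

```python
"""A custom Wazuh active-response script that blocks an attacking IP.

Added example, not a script shipped with Wazuh. It follows the stdin/stdout protocol
Wazuh 4.x uses for active-response executables: execd sends one JSON message on stdin;
for an "add" the script answers with a "check_keys" message naming the key it will act
on, and execd replies "continue" or "abort" (abort means the key is already under an
active response); for a "delete" (sent when the <timeout> expires) the script reverts
its action. The ossec.conf wiring is assumed; command name, rule id and timeout are choices:

    <command>
      <name>custom-block-ip</name>
      <executable>custom-block-ip.py</executable>
      <timeout_allowed>yes</timeout_allowed>
    </command>
    <active-response>
      <command>custom-block-ip</command>
      <location>local</location>
      <rules_id>5720</rules_id>
      <timeout>600</timeout>
    </active-response>

The script would live at /var/ossec/active-response/bin/custom-block-ip.py on the agent
(owner root:wazuh, mode 750). The sample messages at the bottom are constructed.
"""
import ipaddress
import json
import subprocess
import sys
from typing import Callable, Iterator, List, Optional

SCRIPT_NAME = "custom-block-ip"
# Assumed never-block list: loopback plus the management range. The alert's srcip is
# attacker-influenced data, so it is parsed as an address and checked here first.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]


def extract_srcip(message: dict) -> Optional[str]:
    """Return the alert's srcip as a normalised address, or None if it must not be acted on."""
    srcip = message.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    try:
        addr = ipaddress.ip_address(srcip)
    except (TypeError, ValueError):
        return None                     # missing, or not an IP literal (e.g. shell metacharacters)
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return str(addr)


def check_keys_message(keys: List[str]) -> str:
    return json.dumps({"version": 1,
                       "origin": {"name": SCRIPT_NAME, "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": keys}})


def handle(stdin: Iterator[str], stdout: Callable[[str], None],
           block: Callable[[str], None], unblock: Callable[[str], None]) -> str:
    """Run one execd exchange and report the outcome as a short string."""
    try:
        message = json.loads(next(stdin))
    except (StopIteration, ValueError):
        return "invalid-message"
    srcip = extract_srcip(message)
    if srcip is None:
        return "rejected"
    command = message.get("command")
    if command == "delete":
        unblock(srcip)
        return "unblocked"
    if command != "add":
        return "unknown-command"
    stdout(check_keys_message([srcip]))     # execd matches these keys against live responses
    try:
        reply = json.loads(next(stdin))
    except (StopIteration, ValueError):
        return "invalid-reply"
    if reply.get("command") != "continue":
        return "aborted"                    # already blocked, or execd declined
    block(srcip)
    return "blocked"


def iptables_block(ip: str) -> None:
    subprocess.run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"], check=True)


def iptables_unblock(ip: str) -> None:
    subprocess.run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"], check=True)


def simulate(messages: List[dict]):
    """Feed dict messages through handle() in-process; returns (outcome, replies, blocked, unblocked)."""
    out, blocked, unblocked = [], [], []
    outcome = handle(iter(json.dumps(m) for m in messages), out.append, blocked.append, unblocked.append)
    return outcome, [json.loads(s) for s in out], blocked, unblocked


def main() -> None:
    outcome = handle(iter(sys.stdin), lambda s: print(s, flush=True), iptables_block, iptables_unblock)
    with open("/var/ossec/logs/active-responses.log", "a") as log:   # assumed log path
        log.write(f"{SCRIPT_NAME}: {outcome}\n")


# Constructed execd messages, abridged to the fields the script reads.
ADD_MESSAGE = {
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add",
    "parameters": {"extra_args": [], "program": "/var/ossec/active-response/bin/custom-block-ip.py",
                   "alert": {"rule": {"id": "5720", "level": 10},
                             "agent": {"id": "001", "name": "web01"},
                             "data": {"srcip": "203.0.113.7", "dstuser": "root"}}},
}
CONTINUE_REPLY = {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                  "command": "continue", "parameters": ADD_MESSAGE["parameters"]}
ABORT_REPLY = dict(CONTINUE_REPLY, command="abort")

if __name__ == "__main__":
    main()
```

The two checks that distinguish this from a naive script are the handshake (answering check_keys and honouring abort, so a host under an existing timed block is not blocked twice and then unblocked early) and the validation of srcip before it reaches a subprocess, which both prevents command injection and keeps a forged alert from making the agent cut off its own management network.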


Wazuh is a powerful open-source SIEM platform that offers comprehensive security monitoring, threat detection, and incident response capabilities. With its focus on log collection, intrusion detection, file integrity monitoring, and vulnerability management