{"id":651,"date":"2017-10-04T03:19:23","date_gmt":"2017-10-04T01:19:23","guid":{"rendered":"https:\/\/blog.unetresgrossebite.com\/?p=651"},"modified":"2017-10-05T01:21:13","modified_gmt":"2017-10-04T23:21:13","slug":"wazuh","status":"publish","type":"post","link":"https:\/\/blog.unetresgrossebite.com\/?p=651","title":{"rendered":"Wazuh"},"content":{"rendered":"<p>As a follow-up to our previous <a href=\"https:\/\/blog.unetresgrossebite.com\/?p=111\">OSSEC<\/a> post, and to complete the one on <a href=\"https:\/\/blog.unetresgrossebite.com\/?p=510\">Fail2ban &amp; ELK<\/a>, today we&#8217;ll review Wazuh.<\/p>\n<div id=\"attachment_654\" style=\"width: 542px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-netstat-alerts.png\"><img aria-describedby=\"caption-attachment-654\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-654 size-full\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-netstat-alerts.png\" alt=\"netstat alerts\" width=\"532\" height=\"98\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-netstat-alerts.png 532w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-netstat-alerts-300x55.png 300w\" sizes=\"(max-width: 532px) 100vw, 532px\" \/><\/a><p id=\"caption-attachment-654\" class=\"wp-caption-text\">netstat alerts<\/p><\/div>\n<p>As their documentation states, &#8220;<em>Wazuh is a security detection, visibility, and compliance open source project. It was born as a fork of OSSEC HIDS, later was integrated with Elastic Stack and OpenSCAP evolving into a more comprehensive solution<\/em>&#8221;. Note that OSSEC packages used to be distributed from a Wazuh repository, and that Wazuh is still listed as OSSEC&#8217;s official provider of training, deployment and support services. 
You might still want to clean up some defaults though, as you would otherwise soon end up receiving a notification for every connection being established or closed, as the netstat alerts pictured here show &#8230;<\/p>\n<p>OSSEC is still maintained: the last commit to their GitHub project was a couple of days ago <a href=\"https:\/\/github.com\/ossec\/ossec-hids\/commits\/master\" target=\"_blank\" rel=\"noopener\">as of writing this post<\/a>, while commits keep being pushed to the <a href=\"https:\/\/github.com\/wazuh\/wazuh\/commits\/master\" target=\"_blank\" rel=\"noopener\">Wazuh repository<\/a> as well. While both products are still active, my last attempt at configuring Kibana integration with OSSEC was a failure, due to Kibana 5 not being supported. Considering Wazuh offers enterprise support, we could assume their sample configuration &amp; ruleset are at least as relevant as those you&#8217;d find with OSSEC.<\/p>\n<div id=\"attachment_652\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-mgr-status.png\"><img aria-describedby=\"caption-attachment-652\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-652\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-mgr-status-300x96.png\" alt=\"wazuh manager status\" width=\"300\" height=\"96\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-mgr-status-300x96.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-mgr-status-768x245.png 768w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-mgr-status-1024x327.png 1024w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-mgr-status.png 1366w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-652\" class=\"wp-caption-text\">wazuh manager status<\/p><\/div>\n<p>Wazuh <a href=\"https:\/\/documentation.wazuh.com\/current\/getting-started\/index.html\" target=\"_blank\" 
rel=\"noopener\">documentation is pretty straightforward<\/a>: a new service, wazuh-api (NodeJS), is required on your managers, and Kibana queries it for Wazuh status. Debian packages were renamed from ossec-hids &amp; ossec-hids-agent to wazuh-manager &amp; wazuh-agent respectively. Configuration is similar, although you won&#8217;t be able to reuse the files you may have installed alongside OSSEC. Note the wazuh-agent package installs an empty key file (client.keys): remove it before registering the agent against your manager.<\/p>\n<div id=\"attachment_653\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-agents.png\"><img aria-describedby=\"caption-attachment-653\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-653\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-agents-300x146.png\" alt=\"wazuh-agents\" width=\"300\" height=\"146\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-agents-300x146.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-agents-768x373.png 768w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-agents-1024x498.png 1024w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/ossec-agents.png 1364w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-653\" class=\"wp-caption-text\">wazuh agents<\/p><\/div>\n<p>When configuring the Kibana integration, note that the Wazuh documentation misses an important detail, <a href=\"https:\/\/github.com\/wazuh\/wazuh-kibana-app\/pull\/28\" target=\"_blank\" rel=\"noopener\">as reported on GitHub<\/a>. 
That&#8217;s the single surprise I had reading through their documentation; the rest of their instructions work as expected: having installed and started the wazuh-api service on your manager, then installed the Wazuh Kibana plugin on all your Kibana instances, you will find a Wazuh entry in the left-hand menu. Make sure your wazuh-alerts index pattern is registered in the Management section, then go to Wazuh.<\/p>\n<p>If uninitialized, you are prompted for your Wazuh backend URL, port, username and corresponding password, used to connect to wazuh-api. Note that this configuration, credentials included, is saved into a new <em>.wazuh<\/em> index: restrict access to that index as you would to the API itself. Once configured, you get a live view of your setup: which agents are connected, what alerts you&#8217;re receiving, &#8230; and eventually you can set up new dashboards.<\/p>\n<p>Compared to the OSSEC PHP web interface, marked as deprecated for years now, &#8230; Wazuh takes the lead!<\/p>\n<div id=\"attachment_656\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-cis-compliance.png\"><img aria-describedby=\"caption-attachment-656\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-656\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-cis-compliance-300x150.png\" alt=\"CIS compliance\" width=\"300\" height=\"150\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-cis-compliance-300x150.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-cis-compliance-768x385.png 768w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-cis-compliance-1024x513.png 1024w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-cis-compliance-720x360.png 720w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-cis-compliance.png 1348w\" sizes=\"(max-width: 300px) 100vw, 300px\" 
\/><\/a><p id=\"caption-attachment-656\" class=\"wp-caption-text\">CIS compliance<\/p><\/div>\n<div id=\"attachment_657\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-ossec-alerts.png\"><img aria-describedby=\"caption-attachment-657\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-657\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-ossec-alerts-300x150.png\" alt=\"OSSEC alerts\" width=\"300\" height=\"150\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-ossec-alerts-300x150.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-ossec-alerts-768x384.png 768w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-ossec-alerts-1024x512.png 1024w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-ossec-alerts-720x360.png 720w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-ossec-alerts.png 1353w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-657\" class=\"wp-caption-text\">OSSEC alerts<\/p><\/div>\n<div id=\"attachment_658\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-overview.png\"><img aria-describedby=\"caption-attachment-658\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-658\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-overview-300x149.png\" alt=\"Wazuh Overview\" width=\"300\" height=\"149\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-overview-300x149.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-overview-768x381.png 768w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-overview-1024x508.png 
1024w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-overview-720x360.png 720w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-overview.png 1352w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-658\" class=\"wp-caption-text\">Wazuh Overview<\/p><\/div>\n<div id=\"attachment_659\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-pci-compliance.png\"><img aria-describedby=\"caption-attachment-659\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-659\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-pci-compliance-300x150.png\" alt=\"PCI Compliance\" width=\"300\" height=\"150\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-pci-compliance-300x150.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-pci-compliance-768x385.png 768w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-pci-compliance-1024x513.png 1024w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-pci-compliance-720x360.png 720w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2017\/10\/wazuh-pci-compliance.png 1350w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-659\" class=\"wp-caption-text\">PCI Compliance<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>As a follow-up to our previous OSSEC post, and to complete the one on Fail2ban &amp; ELK, today we&#8217;ll review Wazuh. As their documentation states, &#8220;Wazuh is a security detection, visibility, and compliance open source project. 
It was born as a fork of OSSEC HIDS, later was integrated with Elastic Stack and OpenSCAP evolving [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,10,7,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/651"}],"collection":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=651"}],"version-history":[{"count":3,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/651\/revisions"}],"predecessor-version":[{"id":661,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/651\/revisions\/661"}],"wp:attachment":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
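As an added example that is not part of the original post, nor of Wazuh's own tooling, here is the agent-side part of the deployment described above as a shell script for a Debian host: it installs the renamed wazuh-agent package, deals with the empty key file the package ships, registers the agent against the manager with agent-auth, and restarts the agent. Assumptions: the Wazuh APT repository is already configured, the agent is installed under /var/ossec, ossec-authd is listening on the manager (TCP 1515 by default), and the agent's ossec.conf already points at the manager in its <client> block, which the script does not touch. The one edge case worth getting right is the key file: the package's empty client.keys must go before registration, but a populated one belongs to an agent that is already registered and must be left alone, otherwise the manager will no longer accept it.

```shell
#!/bin/sh
# Added example (not from the post or the Wazuh project): bootstrap a
# wazuh-agent on Debian and register it against a manager.
# Assumes the Wazuh APT repository is configured, the /var/ossec prefix,
# and ossec-authd running on the manager (TCP 1515 by default).
set -eu

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Decide what to do with client.keys before calling agent-auth.
# - absent: nothing to clean, registration needed (returns 0)
# - empty (as shipped by the package): remove it, registration needed (returns 0)
# - populated: an already registered agent, keep it, skip registration (returns 1)
prepare_client_keys() {
    keys="$1"
    if [ ! -e "$keys" ]; then
        return 0
    fi
    if [ ! -s "$keys" ]; then
        rm -f "$keys"
        return 0
    fi
    return 1
}

# Request a key from the manager's ossec-authd and restart the agent.
# $1: manager address, $2: agent name (defaults to the hostname).
register_agent() {
    manager="$1"
    name="${2:-$(hostname)}"
    "$OSSEC_DIR/bin/agent-auth" -m "$manager" -A "$name"
    "$OSSEC_DIR/bin/ossec-control" restart
}

main() {
    manager="$1"
    apt-get install -y wazuh-agent
    if prepare_client_keys "$OSSEC_DIR/etc/client.keys"; then
        register_agent "$manager"
    else
        echo "client.keys already populated, skipping registration" >&2
    fi
    # Sanity check: agent daemons should all be running.
    "$OSSEC_DIR/bin/ossec-control" status
}

# Run only when a manager address is given, so the functions above can
# also be sourced and reused.
if [ "${1:-}" != "" ]; then
    main "$1"
fi
```

Usage: `sh bootstrap-agent.sh 192.0.2.10` (manager address is a placeholder). Once the agent shows up as active in the manager's agent list, the same host should appear under the Wazuh menu in Kibana, provided the wazuh-api service and the Kibana plugin have been set up as described above.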