Wazuh

docker setup

# clone repo by specifying target branch
> git clone https://github.com/wazuh/wazuh-docker.git -b v4.11.1

# change into single node folder
> cd wazuh-docker/single-node

# generate key material
> docker-compose -f generate-indexer-certs.yml run --rm generator

# bring up deployment
> docker-compose up -d

# watch out for logs
> docker-compose logs -f

change credentials

indexer users

default credentials

  • wazuh dashboard admin:SecretPassword
  • Wazuh indexer users kibanaserver:kibanaserver

Log out of the web UI and bring the docker deployment down

> docker-compose down
# hash new passwords with bcrypt (hash.sh prompts for the password; do not pass it as an argument, so it stays out of shell history)
> docker run --rm -ti \
  wazuh/wazuh-indexer:4.11.1 \
  bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

paste the resulting bcrypt hashes (never the plaintext) into the `hash:` fields of the users `admin` and `kibanaserver` in config/wazuh_indexer/internal_users.yml; since that file now holds credential material, restrict it like the compose file below (`chmod 0600`)

to change the corresponding plaintext passwords in docker-compose.yml we use sed; the new password must be the same plaintext the hashes above were generated from. Note that `sed -i` puts the password into your shell history, and a password containing `/`, `&` or `\` breaks the expression (use another delimiter such as `s|...|...|g` or escape it) — editing the file by hand is the safer alternative

# admin user
> sed -i \
  's/INDEXER_PASSWORD=SecretPassword/INDEXER_PASSWORD=<NEW_PASSWORD>/g' \
  docker-compose.yml

# kibanaserver user
> sed -i \
  's/DASHBOARD_PASSWORD=kibanaserver/DASHBOARD_PASSWORD=<NEW_PASSWORD>/g' \
  docker-compose.yml

bring deployment up again

> docker-compose up -d

wait a few seconds for the indexer to come up, then enter the indexer container to load the new passwords into the security index

> docker exec -it single-node-wazuh.indexer-1 bash

# Paths consumed by securityadmin.sh below. Only INSTALLATION_DIR and
# JAVA_HOME need to be exported; the certificate paths are expanded on the
# command line of this same shell, so plain variables are enough.
INSTALLATION_DIR=/usr/share/wazuh-indexer
export INSTALLATION_DIR
export JAVA_HOME="${INSTALLATION_DIR}/jdk"
# admin client certificate (and key) signed by the generated root CA
CACERT="${INSTALLATION_DIR}/certs/root-ca.pem"
CERT="${INSTALLATION_DIR}/certs/admin.pem"
KEY="${INSTALLATION_DIR}/certs/admin-key.pem"

# -nhnv disables hostname verification and -icl ignores the cluster name; both are
# acceptable only because this talks to the local node inside the container
> bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
  -cd /usr/share/wazuh-indexer/opensearch-security/ \
  -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl

  ...
  Done with success

once it reports `Done with success`, log in to the dashboard with the new admin password

api users

Note: the password for Wazuh API users must be between 8 and 64 characters long and contain at least one uppercase letter, one lowercase letter, a digit and a symbol.

default credentials

  • wazuh api user wazuh-wui:MyS3cr37P450r.*-

change the password in the wazuh.yml file (it stores the API password in plaintext, so restrict its permissions with `chmod 0600` as well)

config/wazuh_dashboard/wazuh.yml
...
hosts:
  - 1513629884013:
      url: "https://wazuh.manager"
      port: 55000
      username: wazuh-wui
      password: "MyS3cr37P450r.*-"
      run_as: false
...

as well as in the docker-compose.yml

# change passwd using sed; the expression must be single-quoted, otherwise the shell
# strips the backslashes (turning `\.\*` into the regex `.*`) and treats `<` and `>`
# in the replacement as redirections
> sed -i \
  's/MyS3cr37P450r\.\*-/<NEW_PASSWD>/g' \
  docker-compose.yml

# change file permissions
> chmod 0600 docker-compose.yml

bring up deployment again

> docker-compose up -d

agent authentication

Already registered agents are not affected by enabling the enrollment password; it is only checked when a new agent enrolls

server side

open the manager's ossec.conf (mounted into the container from the file below) and enable the enrollment password

> edit config/wazuh_cluster/wazuh_manager.conf

  <auth>
    ...
    <use_password>yes</use_password>
    ...
  </auth>

check owner and group of ossec.conf and create the password file with matching ownership and restrictive permissions

# check user+group
> ls -n /var/lib/docker/volumes/single-node_wazuh_etc/_data/ossec.conf
  ... 0:999 ...

create a password file matching the user and group from the file above (0:999 is root on the host and, presumably, the wazuh group inside the container — verify with `id` in the manager container). Writing the password with `echo` records it in shell history; prefer an editor or `read -r -s AGENT_PASSWD` followed by `printf '%s\n' "$AGENT_PASSWD" > ...`

# set passwd
> echo "<AGENT_PASSWD>" > \
  /var/lib/docker/volumes/single-node_wazuh_etc/_data/authd.pass

# change ownership
> chown 0:999 \
  /var/lib/docker/volumes/single-node_wazuh_etc/_data/authd.pass

# change file permissions
> chmod 640 \
  /var/lib/docker/volumes/single-node_wazuh_etc/_data/authd.pass

restart wazuh manager

docker-compose restart wazuh.manager

client side

roll out the agent as usual, but additionally create the password file `authd.pass` with the same enrollment password

linux

# set password
> echo "<AGENT_PASSWD>" > \
  /var/ossec/etc/authd.pass

# set permissions
> chmod 640 /var/ossec/etc/authd.pass
> chown root:wazuh /var/ossec/etc/authd.pass

# restart agent
> systemctl restart wazuh-agent

# check logs
> tail -f /var/ossec/logs/ossec.log

macos

# set password
> echo "<AGENT_PASSWD>" > \
  /Library/Ossec/etc/authd.pass
# set permissions
> chmod 640 /Library/Ossec/etc/authd.pass
> chown root:wazuh /Library/Ossec/etc/authd.pass

# restart agent
> /Library/Ossec/bin/wazuh-control restart

# check logs
> tail -f /Library/Ossec/logs/ossec.log

add agent

arch linux

installing agent

# clone repo and change into
> git clone https://github.com/wazuh/wazuh.git \
  && cd wazuh

# check out the target version (the release tag, so the agent matches the manager version)
> git checkout v4.11.1

# install agent (interactive installer, builds from source; keep this on the release tag rather than a moving branch)
> sudo ./install.sh

client config (`authorization_pass_path` is relative to the agent's installation directory, so `etc/authd.pass` resolves to `/var/ossec/etc/authd.pass` as created above)

/var/ossec/etc/ossec.conf
  <client>
    <server>
      <address>SERVER_ADDRESS</address>
    ...
    <enrollment>
      <enabled>yes</enabled>
      <agent_name>HOSTNAME</agent_name>
      <groups>GROUP</groups>
      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
    </enrollment>
  </client>

start and enable service

systemctl enable --now wazuh-agent

remove agent

interactive using cli

# list agents
> docker exec -it single-node-wazuh.manager-1 \
  /var/ossec/bin/manage_agents -l

# remove agent 007
> docker exec -it single-node-wazuh.manager-1 \
  /var/ossec/bin/manage_agents -r 007

as api call

# fetch auth token
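# fetch auth token
# The API user is `wazuh-wui` (see the default credentials above). Giving -u
# without a password makes curl prompt for it, so the API password does not
# land in shell history or `ps` output. -k disables TLS verification and is
# tolerable only because the call goes to 127.0.0.1; pin the API certificate
# with --cacert once you have it instead of keeping -k.
TOKEN=$(curl -sS -k -u wazuh-wui -X GET \
  "https://127.0.0.1:55000/security/user/authenticate?raw=true")

# remove agent 005, 006, 007
curl -sS -k -X DELETE \
  "https://127.0.0.1:55000/agents?pretty=true&older_than=0s&agents_list=005,006,007&status=all" \
  -H "Authorization: Bearer $TOKEN"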

suricata logs

on wazuh agent open /var/ossec/etc/ossec.conf to add eve.json

  <!-- Suricata -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
systemctl restart wazuh-agent

in suricata, consider disabling fast.log since only eve.json is consumed

/etc/suricata/suricata.yaml
outputs:
  - fast:
      enabled: no
systemctl restart suricata