Wazuh
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Wazuh.
Wazuh has replaced OSSEC:
https://blog.securityonion.net/2018/10/wazuh-361-elastic-641-and-associated.html
This page is based on the original OSSEC page:
https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC
From http://ossec.github.io/:
OSSEC watches it all, actively monitoring all aspects of system activity with file integrity monitoring, log monitoring, rootcheck, and process monitoring.
Security Onion uses Wazuh as a Host Intrusion Detection System (HIDS). The Wazuh manager monitors (and, through Active Response, defends) Security Onion itself, and you can add Wazuh agents to monitor other hosts on your network as well.
Additionally, you may want to:
For more information about Wazuh, please see:
https://documentation.wazuh.com/3.7/
Sometimes, Wazuh may recognize legitimate activity as potentially malicious and engage in Active Response to block a connection. This may result in unintended consequences and/or blacklisting of trusted IPs.
You can whitelist your IP address (and change other settings) in /var/ossec/etc/ossec.conf to prevent this from occurring; Active Response never blocks a whitelisted address. Restart the Wazuh manager after editing the file for the change to take effect:
```xml
<global>
  <white_list>desired_ip</white_list>
</global>
```
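A small helper for the whitelist edit above, added here as an example and not code from the Security Onion wiki or from Wazuh. It assumes only the `<global>`/`<white_list>` layout shown on this page; the sample ossec.conf and the addresses 10.0.0.1/10.0.0.10 are constructed. The point it makes is that the entry must be matched as a whole tag (a plain substring search for `10.0.0.1` also "finds" `10.0.0.10`) and that re-running the edit must not duplicate the entry.

```shell
#!/bin/sh
# Added example (not Security Onion's or Wazuh's own code): add a
# <white_list> entry to ossec.conf exactly once, matching the address as a
# whole tag rather than as a substring. Sample config and IPs are constructed.

set -eu

# whitelisted CONF IP -> 0 if IP already has its own <white_list> entry.
# Dots are escaped so 10.0.0.1 does not match 10.0.0.10 or 10.0.0.1/8.
whitelisted() {
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -Eq "<white_list>${esc}</white_list>" "$1"
}

# count_whitelist CONF IP -> number of exact entries for IP (expect 0 or 1).
count_whitelist() {
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -Ec "<white_list>${esc}</white_list>" "$1" || true
}

# add_whitelist CONF IP -> insert the entry before the first </global>
# unless it is already present; a no-op on the second run.
add_whitelist() {
  conf=$1 ip=$2
  whitelisted "$conf" "$ip" && return 0
  tmp="${conf}.tmp.$$"
  awk -v ip="$ip" '
    /<\/global>/ && !done { print "    <white_list>" ip "</white_list>"; done = 1 }
    { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed stand-in for /var/ossec/etc/ossec.conf (stock-style <global> block).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.0.0.10</white_list>
  </global>
</ossec_config>
EOF

add_whitelist "$SAMPLE_CONF" 10.0.0.1   # added: only 10.0.0.10 was present
add_whitelist "$SAMPLE_CONF" 10.0.0.1   # second run: nothing changes
sed -n '/<global>/,/<\/global>/p' "$SAMPLE_CONF"
```

The helpers treat their argument as a literal address; the regex-style entries the stock file also carries (such as `^localhost.localdomain$`) are left alone. On a real system, point `add_whitelist` at /var/ossec/etc/ossec.conf and restart the manager (for example `sudo /var/ossec/bin/ossec-control restart`) afterwards.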
You can add new rules and modify existing rules in /var/ossec/rules/local_rules.xml. Wazuh reserves rule IDs 100000 through 119999 for custom rules; to change a stock rule, re-declare it under its own ID with overwrite="yes". Restart the Wazuh manager after editing the file.
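A worked local_rules.xml plus a pre-restart check, added here as an example; it is not code from the Security Onion wiki or from Wazuh. The two rule bodies are constructed: the first silences rule 5710 for a made-up scanner at 10.0.0.5, the second re-declares 5710 at a higher level and carries an abbreviated copy of the stock rule body (copy the real body from sshd_rules.xml when you do this, since overwrite="yes" replaces the whole rule). The check enforces the two things the manager will otherwise reject at restart: custom IDs must be unique and inside 100000-119999, and any other ID must be an overwrite.

```shell
#!/bin/sh
# Added example (not Security Onion's or Wazuh's own code): write a small
# local_rules.xml and check it before restarting the manager. Wazuh keeps IDs
# 100000-119999 for custom rules; any other ID in this file is only legitimate
# on a rule marked overwrite="yes". Scanner address and rule bodies are constructed.

set -eu

RULES_DIR=$(mktemp -d)

# A valid file: one custom rule, one overwrite of a stock rule.
cat > "$RULES_DIR/local_rules.xml" <<'EOF'
<group name="local,syslog,sshd,">
  <!-- Silence 5710 (sshd: non-existent user) for the internal scanner only. -->
  <rule id="100001" level="0">
    <if_sid>5710</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>sshd: non-existent user from the authorised scanner, ignored</description>
  </rule>

  <!-- Re-declare stock 5710 at level 10; body abbreviated from sshd_rules.xml. -->
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>
</group>
EOF

# A broken file: a stock ID without overwrite, and a duplicated custom ID.
cat > "$RULES_DIR/broken_rules.xml" <<'EOF'
<group name="local,">
  <rule id="5710" level="10">
    <description>reuses a stock ID without overwrite</description>
  </rule>
  <rule id="100001" level="3">
    <description>first use of 100001</description>
  </rule>
  <rule id="100001" level="4">
    <description>second use of 100001</description>
  </rule>
</group>
EOF

# check_local_rules FILE -> 0 when every rule either has a unique ID in
# 100000-119999 or is an overwrite; otherwise prints each problem to stderr
# and returns 1. Only <rule ...> start tags are inspected.
check_local_rules() {
  grep -o '<rule [^>]*>' "$1" | awk '
    {
      id = ""; ow = ($0 ~ /overwrite="yes"/)
      if (match($0, /id="[0-9]+"/)) id = substr($0, RSTART + 4, RLENGTH - 5) + 0
      if (id == "") { print "no numeric id: " $0; bad++; next }
      if (!ow && (id < 100000 || id > 119999)) {
        print "rule " id ": outside 100000-119999 and not overwrite=\"yes\""; bad++
      }
      if (!ow && seen[id]++) { print "rule " id ": duplicate custom id"; bad++ }
    }
    END { exit bad > 0 }' >&2
}

check_local_rules "$RULES_DIR/local_rules.xml" && echo "local_rules.xml: ok"
check_local_rules "$RULES_DIR/broken_rules.xml" || echo "broken_rules.xml: rejected"
```

Run the check against /var/ossec/rules/local_rules.xml before restarting; it catches the ID mistakes, while syntax and matching behaviour are best confirmed with /var/ossec/bin/ossec-logtest against a sample log line.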
Wazuh alerts with a level of 5 or greater are populated in the Sguil database and are viewable via Sguil and/or Squert. If you would like to change the minimum level at which alerts are sent to sguild, modify the value of OSSEC_AGENT_LEVEL in /etc/nsm/securityonion.conf and restart NSM services.
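To see what a given OSSEC_AGENT_LEVEL would let through before changing it, the following added example (not code from the Security Onion wiki or from Wazuh) reads the threshold from a constructed securityonion.conf and applies the "level >= threshold" rule to three constructed records in the plain-text alerts.log layout. Rule numbers, timestamps and the 203.0.113.7 address are placeholders.

```shell
#!/bin/sh
# Added example (not Security Onion's or Wazuh's own code): reproduce the
# OSSEC_AGENT_LEVEL cut-off over constructed alerts.log records so you can see
# which alerts would reach sguild. All paths, times and addresses are made up.

set -eu

WORK=$(mktemp -d)

# Constructed stand-in for /etc/nsm/securityonion.conf with the default threshold.
cat > "$WORK/securityonion.conf" <<'EOF'
# Wazuh alerts at or above this level are sent to sguild
OSSEC_AGENT_LEVEL=5
EOF

# Constructed records in the /var/ossec/logs/alerts/alerts.log layout.
cat > "$WORK/alerts.log" <<'EOF'
** Alert 1545678901.1001: - pam,syslog,authentication_success,
2018 Dec 24 18:35:01 securityonion->/var/log/auth.log
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
Dec 24 18:35:00 securityonion sshd[1234]: pam_unix(sshd:session): session opened for user analyst by (uid=0)

** Alert 1545678905.1002: - syslog,sshd,invalid_login,authentication_failed,
2018 Dec 24 18:35:05 securityonion->/var/log/auth.log
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 203.0.113.7
Dec 24 18:35:04 securityonion sshd[1240]: Invalid user admin from 203.0.113.7

** Alert 1545678990.1003: - syslog,sshd,authentication_failures,
2018 Dec 24 18:36:30 securityonion->/var/log/auth.log
Rule: 5712 (level 10) -> 'sshd: brute force trying to get access to the system.'
Src IP: 203.0.113.7
Dec 24 18:36:29 securityonion sshd[1255]: Invalid user root from 203.0.113.7
EOF

# agent_level CONF -> the configured threshold, or 5 (the shipped default)
# when no OSSEC_AGENT_LEVEL line is present.
agent_level() {
  lvl=$(sed -n 's/^OSSEC_AGENT_LEVEL=\([0-9]*\).*/\1/p' "$1" | tail -n 1)
  printf '%s\n' "${lvl:-5}"
}

# forwarded_alerts ALERTS LEVEL -> one "rule_id level description" line per
# alert whose level is >= LEVEL, i.e. the subset sguild would receive.
# Only the "Rule: N (level L) -> 'desc'" line of each record is inspected.
forwarded_alerts() {
  awk -v min="$2" -v q="'" '
    /^Rule: [0-9]+ \(level [0-9]+\)/ {
      id = $2; lvl = $4; sub(/\)/, "", lvl)
      if (lvl + 0 >= min + 0) {
        desc = substr($0, index($0, q) + 1)
        if (substr(desc, length(desc)) == q) desc = substr(desc, 1, length(desc) - 1)
        print id, lvl, desc
      }
    }' "$1"
}

# With the default threshold the level-3 PAM alert stays local; 5710 and 5712 are forwarded.
forwarded_alerts "$WORK/alerts.log" "$(agent_level "$WORK/securityonion.conf")"
```

Note that the comparison is "at or above": an alert at exactly level 5 is forwarded under the default, so raising OSSEC_AGENT_LEVEL to 6 drops the level-5 sshd alert while keeping the level-10 brute-force one.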
The Wazuh agent is cross platform and you can download agents for Windows/Unix/Linux/FreeBSD from the Wazuh website:
https://documentation.wazuh.com/3.7/installation-guide/packages-list/index.html
Please note! It is important to ensure that you download the agent that matches the version of your Wazuh server. For example, if your Wazuh server is version 3.7.2, then you will want to deploy Wazuh agent version 3.7.2.
Once you've installed the Wazuh agent on the host(s) to be monitored, then perform the steps defined here:
http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-management.html#managing-agents
You may need to run so-allow to allow traffic from the IP address of your Wazuh agent(s): agent traffic arrives on port 1514, and agent registration through ossec-authd uses port 1515/tcp.
Security Onion is configured to support a maximum of 14000 Wazuh agents reporting to a single Wazuh manager.
Wazuh includes ossec-authd, which lets agents register with the manager automatically (the agent side runs agent-auth) instead of being added by hand with manage_agents:
https://documentation.wazuh.com/3.7/user-manual/reference/daemons/ossec-authd.html