Wednesday 2 November 2022

Building Own SIEM Environment using Opensource Tools (Part 4)


Wazuh Server

As per the last blog, we are going to install the Wazuh server and Wazuh agents on different clients. We are going to build an environment for 120 workstations, 15 servers, and 10 network devices, with 2-3 years of logs available for viewing. Following are the software and hardware that we used for the Wazuh server and the ELK server:



We are going to deploy the following method for log collection: logs are collected by the Wazuh agents (Windows, macOS and Linux-Ubuntu), shipped to the Wazuh server, and then synchronized with the ELK server. The following diagram shows the details.





 The Wazuh installation guide gives you two methods of deployment:
  • All-in-one Deployment
  • Distributed Deployment

All-in-one Deployment:-
In this method, the Wazuh server and the Elastic Stack are installed on the same server. This type of deployment only supports small networks or testing environments.

All-in-one



As per the above diagram, you can see that the Wazuh manager, Filebeat, Elasticsearch and Kibana all run on the same node.

Distributed Deployment:-
In this method, the Wazuh server and ELK are installed on separate servers. We followed the distributed deployment because we are going to build a production environment for 120 workstations, 15 servers, and 10 network devices.


As per the above diagram, you can see that the Wazuh server is installed on one cluster and ELK on another.

Let's install the Wazuh manager on the Wazuh server.

# 192.168.0.161 | wazuh.kccl.com # Wazuh Manager

To check the system status:

# hostnamectl status


 

To check the operating system:

# cat /etc/redhat-release


 

 We need to open the following ports in the firewall so the server can communicate with the agents and the API.

  • 514/UDP/TCP - Syslog
  • 1514/UDP/TCP - To receive events from the agents.
  • 1515/TCP - Port used for agent registration.
  • 1516/TCP - Wazuh cluster communications.
  • 55000/TCP - Wazuh API port for incoming requests.

 To add these ports to the firewall:

# firewall-cmd --permanent --add-port={514,1514,1515,1516,55000}/tcp

# firewall-cmd --permanent --add-port={514,1514}/udp

# firewall-cmd --reload

# firewall-cmd --list-all
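A quick check for the firewall step above, added here as an example (it is not part of the original post or of Wazuh's own tooling): it reads the output of firewall-cmd --list-all and reports which of the ports listed above are still closed. The sample zone output below is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every port the
# Wazuh manager needs is open in firewalld. The check parses the "ports:"
# line of `firewall-cmd --list-all` (read from stdin), so it can also be run
# offline against saved or constructed output.

# Ports from the post: 514 and 1514 on TCP+UDP, 1515/1516/55000 on TCP.
WAZUH_PORTS="514/tcp 514/udp 1514/tcp 1514/udp 1515/tcp 1516/tcp 55000/tcp"

# missing_wazuh_ports: reads firewall-cmd --list-all output on stdin and
# prints the required ports that are not listed, space separated on one line
# (an empty line means everything is open).
missing_wazuh_ports() {
    # "  ports: 514/tcp 1514/tcp ..." -> "514/tcp 1514/tcp ..."
    # (anchored so that "source-ports:" and "forward-ports:" do not match)
    open=$(sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    missing=""
    for p in $WAZUH_PORTS; do
        case " $open " in
            *" $p "*) ;;                     # port is open
            *) missing="$missing $p" ;;      # port not found
        esac
    done
    echo "${missing# }"
}

# Constructed sample: the TCP rule was applied without 55000 and the UDP
# rule was skipped entirely.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  services: ssh
  ports: 514/tcp 1514/tcp 1515/tcp 1516/tcp
  forward-ports:
  source-ports:
'

echo "Sample zone is missing: $(printf '%s' "$SAMPLE_ZONE" | missing_wazuh_ports)"

# On the real Wazuh server, check the live rule set as well.
if command -v firewall-cmd >/dev/null 2>&1; then
    live=$(firewall-cmd --list-all 2>/dev/null | missing_wazuh_ports)
    [ -z "$live" ] && echo "All Wazuh ports are open" || echo "Missing: $live"
fi
```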



 To install the Wazuh manager, download and run the installation script (note that the -a option of wazuh-install.sh selects the all-in-one installation):

# curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a




After the installation of the Wazuh server, write down the admin user name and password that are shown; you need them to enter Wazuh. Now open your browser, enter the server IP address, and log in with the username admin and the password you noted.


After entering the password, you see the following screen:


After a successful login, you see the following screen:



Now you can explore it. In the next blog we are going to install the Wazuh agent on different operating systems.

If you have any questions, you can ask in the comments section. If you have not read the earlier parts of this blog, just click on the following links.


If you missed part 1, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-using-opensource-tools.html

If you missed part 2, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-environment-using.html

If you missed part 3, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-environment-using_18.html

1 comment:

  1. Hi Sir, thanks for your time on this. This procedure is very much helpful to us; awaiting the next part!
