# Building a SIEM - 2 - Building the Wazuh Server
04-15-2025
Tags: #Wazuh #SIEM
Links: [[Building a SIEM - 1 - Understanding the Parts]], [[Building a SIEM - 3 - Installing Graylog]]
---
**Table of Contents**
- [[#Getting Started|Getting Started]]
- [[#The Big Three for Wazuh|The Big Three for Wazuh]]
- [[#The Big Three for Wazuh#Wazuh-Indexer|Wazuh-Indexer]]
- [[#The Big Three for Wazuh#Wazuh-Manager|Wazuh-Manager]]
- [[#The Big Three for Wazuh#Wazuh-Dashboard|Wazuh-Dashboard]]
- [[#Installing Wazuh|Installing Wazuh]]
- [[#Completing the Installation|Completing the Installation]]
- [[#Completing the Installation#Deploying an Agent|Deploying an Agent]]
- [[#Completing the Installation#Integrating VirusTotal|Integrating VirusTotal]]
- [[#Wazuh Features and Things to Look Out For|Wazuh Features and Things to Look Out For]]
- [[#Finishing Up|Finishing Up]]
- [[#References|References]]
---
## Getting Started
So you want to build a SIEM do ya?? Think watching computers, waiting for some sneak thief to come take your sweet roll is fun? Good! Then follow along as we build a SIEM for ourselves.
Wazuh is very cool: it has real-time detections, does file integrity monitoring (you can even watch for changes to Windows registry keys!), scans installed software for known CVEs, produces reports and alerts mapped to compliance frameworks and....well, it's free! That's pretty great.
We are using an Ubuntu 22.04 VM as our primary machine; I'm building the VM in VirtualBox. Go ahead and spin up a machine, making sure to `sudo apt update && sudo apt upgrade`, and of course, never forget to take a snapshot (Never Forgeeeeeet!......)
You can also follow along with DFIR's video [here](https://www.youtube.com/watch?v=YxpUx0czgx4)
Ok Let's get started!
## The Big Three for Wazuh
When we talk about Wazuh, we're actually installing 3 main components that make up the Wazuh SIEM.
1. The **Wazuh Indexer** - The primary backend that will store collected security logs
2. The **Wazuh Manager** - The brain of Wazuh, collecting and analyzing logs with rules and triggers.
3. The **Wazuh Dashboard** - Our visualization, reporting, etc. It's built on top of OpenSearch Dashboards.
Installing the Wazuh components can be done step by step (installing each component separately, optionally on its own server), or all on a single server using the Quickstart guide, which is what we're doing in this post.
Performing the installation piece by piece gives us more flexibility and control: we generate and place the certificates ourselves, and we can put each component on a different machine. This is the preferred route for production, since we can make sure a component like the Indexer has enough disk and memory of its own, and that index retention is configured so the disk doesn't fill up.
### Wazuh-Indexer
Our core backend. The indexer organizes (indexes) all of our event data that is collected and makes it *searchable*. It's based on OpenSearch, a fork of Elasticsearch.
### Wazuh-Manager
This is the brain of Wazuh. It receives events from the agents, runs them through its ruleset, writes every alert that fires to `/var/ossec/logs/alerts/alerts.json` (Filebeat ships that file to the indexer), and pushes configuration out to the agents.
### Wazuh-Dashboard
This is the web interface where you visualize alerts, logs, compliance reports, and threat data. It's built on top of OpenSearch Dashboards. It's similar to Kibana and Grafana, but the Wazuh Dashboard is focused on the security data Wazuh itself produces. Grafana is a good option to pair alongside the Wazuh Dashboard if you want other metrics, like system performance, for your machines.
The Quickstart guide is going to set up **all three** of these components for us, and even do us the favor of generating the TLS certificates between them. The certificates matter: they authenticate and encrypt the traffic between the components (manager to indexer, dashboard to indexer, and the API), so the data flow between each piece is locked down from the start.
## Installing Wazuh
Since this is for testing purposes, we'll be following the Quickstart procedures, found [here](https://documentation.wazuh.com/current/quickstart.html).
1. Install via the Wazuh Installation Assistant. The `-a` flag is the all-in-one option: indexer, manager, dashboard and Filebeat all land on this one host. The assistant first checks the Quickstart minimum of 4 GB RAM and 2 CPU cores, so give the VM at least that. If you'd rather read the script before it runs as root, split the `curl` and the `sudo bash` into two steps.
```
curl -sO https://packages.wazuh.com/4.11/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```
2. Once the assistant finishes, note the credentials it prints: that `admin` user and password are what you log in to the dashboard with.
From the Wazuh Quickstart documentation:
```
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
User: admin
Password: <ADMIN_PASSWORD>
INFO: Installation finished.
```
*Note*: If you need them, the passwords for all the Wazuh indexer and API users are in *wazuh-passwords.txt* inside `wazuh-install-files.tar`, which the assistant leaves in the directory you ran it from. We can view them, if necessary, with
```
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
```
That tarball also holds the certificates and private keys the assistant generated for the components, so treat it like the secret it is: keep it readable by root only and don't leave copies lying around.
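A quick post-install sanity check, written for this post as an added example (it is not part of Wazuh or the Quickstart): it pulls the admin credentials and the assistant's root CA straight out of `wazuh-install-files.tar` and asks the indexer for its cluster health over TLS, verifying against that CA instead of switching verification off. It assumes the tar sits in the current directory, that it contains `root-ca.pem` next to `wazuh-passwords.txt`, and that the passwords file uses the `key: 'value'` layout shown in the docs; the sample passwords text is constructed.

```python
"""Post-install sanity check for an all-in-one Wazuh Quickstart host (added example)."""
import base64
import json
import ssl
import tarfile
import urllib.request
from typing import Dict, Optional

TAR_PATH = "wazuh-install-files.tar"          # assumption: run from the install directory
INDEXER_URL = "https://127.0.0.1:9200"         # OpenSearch REST port on the indexer

# Constructed sample of the wazuh-passwords.txt layout (real values are random).
SAMPLE_PASSWORDS_TXT = """\
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'Tz+ExampleOnly1'

# Wazuh API user
  api_username: 'wazuh'
  api_password: 'Api+ExampleOnly2'
"""


def parse_passwords(text: str) -> Dict[str, str]:
    """Turn the "key: 'value'" lines into a dict; comments and blank lines are skipped."""
    creds: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        creds[key.strip()] = value.strip().strip("'\"")
    return creds


def read_member(tar_path: str, member: str) -> bytes:
    """Read one tar member into memory (same idea as `tar -O`, nothing lands on disk)."""
    with tarfile.open(tar_path) as tar:
        fh = tar.extractfile(member)
        if fh is None:
            raise FileNotFoundError(member)
        return fh.read()


def tls_context(ca_pem: Optional[bytes]) -> ssl.SSLContext:
    """Trust the assistant's own CA rather than disabling certificate verification."""
    ctx = ssl.create_default_context()
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem.decode())
    # The chain is still required; only the name match is relaxed, since the
    # cert is issued to whatever node name/IP the assistant put in config.yml.
    ctx.check_hostname = False
    return ctx


def get_json(url: str, user: str, password: str, ctx: ssl.SSLContext) -> dict:
    """HTTP basic auth GET, parsed as JSON."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def cluster_status(health_json: str) -> str:
    """Reduce an OpenSearch /_cluster/health body to its status string."""
    return json.loads(health_json).get("status", "unknown")


def healthy(status: str) -> bool:
    """Green is ideal; yellow is normal on a single node; red means the index is broken."""
    return status in ("green", "yellow")


if __name__ == "__main__":
    creds = parse_passwords(read_member(TAR_PATH, "wazuh-install-files/wazuh-passwords.txt").decode())
    ctx = tls_context(read_member(TAR_PATH, "wazuh-install-files/root-ca.pem"))
    health = get_json(f"{INDEXER_URL}/_cluster/health",
                      creds["indexer_username"], creds["indexer_password"], ctx)
    print("indexer:", health["status"], "nodes:", health["number_of_nodes"],
          "OK" if healthy(health["status"]) else "PROBLEM")
```

Run it with `sudo python3` from the directory holding the tar. The Wazuh API on port 55000 is deliberately left out: by default it generates its own self-signed certificate rather than using the assistant's CA, so the same context would not validate it.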
## Completing the Installation
Just like that, we have Wazuh!
Now we can login to Wazuh, and check out all the different, cool (did I say free?) features.
![[wazuh_empty_dashboard.png]]
### Deploying an Agent
We don't have any agents up yet, but it's *ridiculously* easy to deploy one; the dashboard has a step-by-step agent deployment wizard that builds the install command for you based on the agent's operating system and architecture, whether it's Linux or Windows, etc. We won't be deploying an agent at this point, since we're going to move on to installing Graylog first, but don't worry, we'll get there!
### Integrating VirusTotal
Let's add VirusTotal, just because it's so easy. I'm following these instructions at Wazuh's [page](https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/virus-total-integration.html#virustotal-integration).
Below is an example of the settings you must add, inside the `<ossec_config>` block of `/var/ossec/etc/ossec.conf`, on the Wazuh server:
```
<integration>
<name>virustotal</name>
<api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
<group>syscheck</group>
<alert_format>json</alert_format>
</integration>
```
The `<group>syscheck</group>` line is what ties this to file integrity monitoring: every time FIM reports a file added or modified, the manager sends that file's hash (not the file) to VirusTotal and raises a second alert with the verdict. Keep in mind that a free API key is limited to 4 lookups per minute and 500 per day, so pointing FIM at a busy directory will burn through the quota fast; and since the key now lives in `ossec.conf`, that file is a secret too.
I snagged a VirusTotal API key by creating a free account at https://www.virustotal.com/gui/home/upload.
Save the configuration, restart the manager with `sudo systemctl restart wazuh-manager`, and bingo-bango, you have VirusTotal integration.
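Since the manager writes its alerts as one JSON object per line (see the Wazuh-Manager section above), you can already triage them before the dashboard or Graylog is wired up, and check that the VirusTotal integration is doing something. The script below is an added example for this post, not code from Wazuh: it reads `alerts.json`, counts alerts by level, lists which FIM events cost a VirusTotal lookup, and pulls out the hashes VirusTotal called malicious. The sample alerts are constructed to mimic the shape of real FIM and VirusTotal alerts; the rule IDs, hash, hostnames and paths are illustrative.

```python
"""Triage helper for the manager's alerts.json (added example, not Wazuh code)."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Default path on the manager; only rules at or above log_alert_level (3 by default) land here.
ALERTS_PATH = "/var/ossec/logs/alerts/alerts.json"

FAKE_MD5 = "00112233445566778899aabbccddeeff"   # constructed, not a real sample hash

SAMPLE_ALERTS = [
    # FIM "file added": the syscheck event that <group>syscheck</group> hands to VirusTotal.
    {"timestamp": "2025-04-15T10:01:02.000+0000",
     "rule": {"level": 5, "id": "554", "description": "File added to the system.",
              "groups": ["ossec", "syscheck", "syscheck_entry_added"]},
     "agent": {"id": "001", "name": "ubuntu-ws"},
     "syscheck": {"path": "/root/dropped.bin", "event": "added", "md5_after": FAKE_MD5}},
    # The integration's verdict for that hash (constructed).
    {"timestamp": "2025-04-15T10:01:05.000+0000",
     "rule": {"level": 12, "id": "87105", "groups": ["virustotal"],
              "description": "VirusTotal: Alert - /root/dropped.bin - 37 engines detected this file"},
     "agent": {"id": "001", "name": "ubuntu-ws"},
     "data": {"integration": "virustotal",
              "virustotal": {"found": 1, "malicious": 1, "positives": 37, "total": 70,
                             "source": {"file": "/root/dropped.bin", "md5": FAKE_MD5}}}},
    # Everyday noise from a second agent.
    {"timestamp": "2025-04-15T10:01:30.000+0000",
     "rule": {"level": 3, "id": "5402", "description": "Successful sudo to ROOT executed.",
              "groups": ["syslog", "sudo"]},
     "agent": {"id": "002", "name": "ubuntu-db"}},
]
# alerts.json is appended to while you read it, so a half-written last line is normal.
SAMPLE_LINES = [json.dumps(a) for a in SAMPLE_ALERTS] + [
    '{"timestamp": "2025-04-15T10:02:00.000+0000", "rule": {"le']


def load_alerts(lines: Iterable[str]) -> List[dict]:
    """Parse JSON lines, skipping blank or truncated records instead of crashing."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def summarize_by_level(alerts: List[dict]) -> Counter:
    """Count alerts per rule level (0-15); the high end is what you page on."""
    return Counter(a["rule"]["level"] for a in alerts)


def files_sent_to_virustotal(alerts: List[dict]) -> List[Tuple[str, str, str]]:
    """FIM events carrying a hash: each of these costs one VirusTotal API call."""
    out = []
    for a in alerts:
        sc = a.get("syscheck")
        if sc and "syscheck" in a["rule"].get("groups", []) and sc.get("md5_after"):
            out.append((a["agent"]["name"], sc["path"], sc["md5_after"]))
    return out


def virustotal_hits(alerts: List[dict]) -> List[Dict[str, object]]:
    """Alerts where the integration reported the hash as malicious."""
    hits = []
    for a in alerts:
        vt = a.get("data", {}).get("virustotal")
        if vt and vt.get("malicious") == 1:
            hits.append({"agent": a["agent"]["name"], "file": vt["source"]["file"],
                         "md5": vt["source"]["md5"],
                         "positives": vt["positives"], "total": vt["total"]})
    return hits


if __name__ == "__main__":
    try:
        with open(ALERTS_PATH) as fh:          # needs sudo on a real manager
            alerts = load_alerts(fh)
    except OSError:
        alerts = load_alerts(SAMPLE_LINES)     # fall back to the constructed sample
    print("alerts per level:", dict(sorted(summarize_by_level(alerts).items())))
    print("hashes submitted to VirusTotal:", files_sent_to_virustotal(alerts))
    for hit in virustotal_hits(alerts):
        print(f"MALICIOUS {hit['agent']}:{hit['file']} {hit['positives']}/{hit['total']} engines")
```

On a real manager, run it with `sudo python3` so it can read `alerts.json`; without that file it falls back to the constructed sample. The count from `files_sent_to_virustotal` is also a handy way to see how quickly you are spending the free API quota.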
## Wazuh Features and Things to Look Out For
Some of the standout features you’ll eventually be able to take advantage of include **active responses** (automatic reactions to threats like blocking malicious IPs) and **direct integrations** like Slack alerts for real-time notifications. Wazuh also offers **compliance reporting**, **threat intelligence integration**, and **vulnerability detection**, making it a very full-featured option for many environments.
However, it’s worth noting:
- Wazuh can become **resource-intensive** at scale, especially with a large number of agents or heavy alerting.
- **Fine-tuning rules** is important — out-of-the-box, you might see a _flood_ of alerts, some of which may not be critical. We'll be installing Sysmon with a specialized repo to help curtail a lot of these extra alerts.
- While powerful, Wazuh’s interface and rule management can have a **learning curve**, especially if you’re new to SIEMs.
## Finishing Up
Overall, Wazuh is an awesome starting point, but like any serious SIEM, it rewards teams that invest time into tuning and understanding it.
Thanks for joining me in this post! Next up, let’s dive into building out **Graylog** to supplement and strengthen what Wazuh is already bringing to the table.
## References
>MyDFIR, *"SOC Automation Project (Home Lab) | Part 2"*: https://www.youtube.com/watch?v=YxpUx0czgx4
>*"Wazuh Website - Quickstart Installation Guide"*: https://documentation.wazuh.com/current/quickstart.html