Wazuh SIEM Installation and Configuration

Wazuh is a comprehensive, open-source security information and event management (SIEM) system that provides centralized threat detection, compliance monitoring, and incident response capabilities. Wazuh combines log analysis, file integrity monitoring, vulnerability assessment, and threat intelligence into a unified platform for enterprise security operations. This guide covers installing the Wazuh stack (indexer, server, dashboard), deploying agents across infrastructure, creating custom rules and decoders, implementing compliance checks, and enabling vulnerability detection.

System Requirements

Sizing depends on agent count and retention; the figures below are a reasonable starting point for a single all-in-one node running indexer, server and dashboard together:

  • 64-bit processor (4+ cores; 8+ for production with many agents)
  • 8 GB RAM minimum (16 GB+ for large deployments)
  • 100 GB disk space (more for long-term log storage; the indexer holds the alert history)
  • Linux kernel 3.10 or newer
  • Stable network connectivity between agents, server and indexer
  • No separate Java installation: the wazuh-indexer package bundles its own JDK

Verify system resources:

uname -r
nproc
free -h
df -h /

Architecture Overview

The Wazuh platform consists of three main components:

  1. Indexer: stores and indexes alerts and state data (an OpenSearch distribution), listening on 9200/TCP
  2. Manager/Server: central analysis engine that decodes events, evaluates rules and generates alerts; it also exposes the REST API on 55000/TCP that the dashboard and automation use
  3. Dashboard: web UI for visualization and management (OpenSearch Dashboards with the Wazuh plugin), listening on 443/TCP

Agents deployed on monitored systems enrol with the manager on 1515/TCP and then send events over an encrypted channel on 1514/TCP. The manager analyses them and writes alerts to /var/ossec/logs/alerts/alerts.json; Filebeat on the server node ships that file to the indexer, where the dashboard reads it.

Wazuh Indexer Installation

Install the indexer that stores and indexes all security events.

For Ubuntu/Debian:

sudo apt-get update
sudo apt-get install -y curl gnupg apt-transport-https
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
sudo apt-get install -y wazuh-indexer

For CentOS/RHEL:

sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo "[wazuh]
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH" | sudo tee /etc/yum.repos.d/wazuh.repo
sudo yum install -y wazuh-indexer

Generate certificates for the whole stack. The wazuh-certs-tool.sh script builds a root CA and one certificate per node from a small YAML inventory; run it once and copy the resulting bundle to every indexer, server and dashboard node:

curl -sO https://packages.wazuh.com/4.x/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.x/config.yml

Edit config.yml with the node names and IPs of your deployment (a single host is shown):

nodes:
  indexer:
    - name: node-1
      ip: 192.168.1.100
  server:
    - name: wazuh-1
      ip: 192.168.1.100
  dashboard:
    - name: dashboard
      ip: 192.168.1.100

Create and bundle the certificates:

bash ./wazuh-certs-tool.sh -A
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .

Install the indexer node's certificates (replace node-1 with the name used in config.yml):

NODE_NAME=node-1
sudo mkdir /etc/wazuh-indexer/certs
sudo tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
sudo mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
sudo mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
sudo chmod 500 /etc/wazuh-indexer/certs
sudo chmod 400 /etc/wazuh-indexer/certs/*
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Set the node identity in /etc/wazuh-indexer/opensearch.yml; network.host, node.name and cluster.initial_master_nodes must match config.yml:

network.host: "192.168.1.100"
node.name: "node-1"
cluster.initial_master_nodes:
  - "node-1"

Start indexer:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer

Load the security configuration (internal users and roles) into the running cluster. This is a one-off step after the first start:

sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh

Verify indexer health:

curl -k -u admin:admin https://localhost:9200/_cluster/health?pretty

The response includes:

{
  "cluster_name": "wazuh-cluster",
  "status": "green",
  "timed_out": false
}

A single node may report yellow rather than green once indices with replicas exist; red means shards are missing. The built-in users (admin, kibanaserver and the rest) ship with the password admin. Once every component is installed, replace them all with random values; the tool also updates the dashboard and Filebeat keystores where those live on the same host:

sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all

Wazuh Manager Installation

Install the central analysis and management server.

For Ubuntu/Debian:

sudo apt-get install -y wazuh-manager

For CentOS/RHEL:

sudo yum install -y wazuh-manager

Enable and start the manager:

sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager

Verify manager status:

sudo systemctl status wazuh-manager
sudo /var/ossec/bin/wazuh-control status

Check manager logs:

tail -f /var/ossec/logs/ossec.log

Configure manager settings:

sudo nano /var/ossec/etc/ossec.conf

Key configuration sections (logall_json writes every received event, not only alerts, to /var/ossec/logs/archives/archives.json, which grows quickly; leave it off unless you need raw event retention):

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>wazuh@example.com</email_from>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <ruleset>
    <decoder_dir>decoders</decoder_dir>
    <rule_dir>rules</rule_dir>
    <rule_exclude>0710_sid_before_ossec3.14_upgrade.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
  </ruleset>
</ossec_config>

Restart manager to apply changes:

sudo systemctl restart wazuh-manager

Ship alerts to the indexer. The manager writes alerts to /var/ossec/logs/alerts/alerts.json; Filebeat, installed from the same Wazuh repository, reads that file and indexes it, so without this step the dashboard stays empty. It uses the server node's certificates from the bundle generated earlier (wazuh-1.pem, wazuh-1-key.pem and root-ca.pem, placed under /etc/filebeat/certs as filebeat.pem, filebeat-key.pem and root-ca.pem, owned by root with mode 400):

sudo apt-get install -y filebeat
sudo curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.x/tpl/wazuh/filebeat/filebeat.yml
sudo filebeat keystore create
echo admin | sudo filebeat keystore add username --stdin --force
echo admin | sudo filebeat keystore add password --stdin --force

Set output.elasticsearch.hosts in /etc/filebeat/filebeat.yml to the indexer address (https://192.168.1.100:9200), install the Wazuh Filebeat module and index template for your exact manager version as listed in the Wazuh installation guide, then start Filebeat and confirm it can reach the indexer:

sudo systemctl enable --now filebeat
sudo filebeat test output

Wazuh Dashboard

Install the web interface for visualization and management.

For Ubuntu/Debian:

sudo apt-get install -y wazuh-dashboard

For CentOS/RHEL:

sudo yum install -y wazuh-dashboard

Install the dashboard node's certificates from the bundle generated with wazuh-certs-tool.sh (replace dashboard with the name used in config.yml):

NODE_NAME=dashboard
sudo mkdir /etc/wazuh-dashboard/certs
sudo tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
sudo mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
sudo mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
sudo chmod 500 /etc/wazuh-dashboard/certs
sudo chmod 400 /etc/wazuh-dashboard/certs/*
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Enable and start dashboard:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard

Access the dashboard in a browser at https://<dashboard-ip> (port 443).

Default credentials, until replaced with wazuh-passwords-tool.sh:

  • Username: admin
  • Password: admin

Configure dashboard settings:

sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml

Key settings:

server.host: "0.0.0.0"
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]

The Wazuh plugin talks to the server REST API on 55000; its connection is configured in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml (wazuh-wui is the API user created for the dashboard; change its password together with the others):

hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false

Restart dashboard:

sudo systemctl restart wazuh-dashboard

Agent Deployment

Deploy Wazuh agents on systems to be monitored.

Download the agent package matching the manager's version (an agent must never be newer than its manager; 4.6.0 is the version used in this example). For Ubuntu/Debian:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.6.0-1_amd64.deb

For CentOS/RHEL:

wget https://packages.wazuh.com/4.x/yum/wazuh-agent-4.6.0-1.x86_64.rpm

Install and enrol in one step by passing the manager address in the WAZUH_MANAGER environment variable; the package writes it into ossec.conf and registers the agent with the manager's enrollment service (wazuh-authd, 1515/TCP). WAZUH_AGENT_NAME and WAZUH_AGENT_GROUP can be set the same way.

For Ubuntu/Debian:

sudo WAZUH_MANAGER='192.168.1.100' dpkg -i ./wazuh-agent_4.6.0-1_amd64.deb

For CentOS/RHEL:

sudo WAZUH_MANAGER='192.168.1.100' rpm -ivh ./wazuh-agent-4.6.0-1.x86_64.rpm

By default wazuh-authd issues a key to any host that can reach 1515/TCP. Outside a lab, set <use_password>yes</use_password> in the manager's <auth> section, put the secret in /var/ossec/etc/authd.pass, and pass it at install time with WAZUH_REGISTRATION_PASSWORD so that only hosts holding the secret can enrol.

The resulting <client> block in /var/ossec/etc/ossec.conf on the agent can be tuned by hand:

sudo nano /var/ossec/etc/ossec.conf

<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
  <notify_time>10</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
  <crypto_method>aes</crypto_method>
</client>

Add log sources and integrity-monitoring paths. The <agent_config> wrapper is the centralized configuration format: place it in /var/ossec/etc/shared/default/agent.conf on the manager and it is pushed to every agent in the default group. In an agent's local ossec.conf the same <localfile> and <syscheck> blocks go directly under <ossec_config> instead. /var/log/auth.log is the Debian/Ubuntu path; RHEL-family hosts log authentication to /var/log/secure.

<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/application/app.log</location>
  </localfile>

  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes">/etc</directories>
    <directories check_all="yes">/usr/bin</directories>
    <directories check_all="yes">/usr/sbin</directories>
  </syscheck>
</agent_config>

Enable and start agent:

sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Verify agent registration on the manager (the list shows ID, name, IP and connection state for every enrolled agent):

sudo /var/ossec/bin/agent_control -l

Show one agent's details, including version, OS and last keep-alive:

sudo /var/ossec/bin/agent_control -i 001

Rules and Decoders

Create custom rules and decoders for specific threat detection.

Decoders parse logs into structured fields. Wazuh applies the syslog pre-decoder first (timestamp, hostname, program name) and then matches the remaining message against custom decoders. Decoder and rule patterns use Wazuh's own regex dialect (OS_Regex: \w, \d, \s, \S, \., .+ and similar), not PCRE. Create custom decoders:

sudo nano /var/ossec/etc/decoders/custom_decoders.xml

Example decoder for an application whose syslog program name is "application" and whose messages look like "AUTH: FAILED_LOGIN - user bob from 203.0.113.5" (a constructed format used throughout this section):

<decoder name="custom-app">
  <program_name>^application$</program_name>
</decoder>

<decoder name="custom-app-events">
  <parent>custom-app</parent>
  <regex>^(\w+): (\w+) - (.+)$</regex>
  <order>event_type, action, message</order>
</decoder>

Create detection rules:

sudo nano /var/ossec/etc/rules/custom_rules.xml

Example rules. Custom rule IDs must fall in 100000-120000 (the rest of the range is reserved for the built-in ruleset), <decoded_as> ties a rule to the decoder, <field> tests a decoded field, and threshold correlation is expressed with the frequency and timeframe attributes of <rule> together with <if_matched_sid>:

<group name="custom_app,">
  <rule id="100001" level="3">
    <decoded_as>custom-app</decoded_as>
    <field name="event_type">^AUTH$</field>
    <description>Application authentication event</description>
  </rule>

  <rule id="100002" level="5">
    <if_sid>100001</if_sid>
    <field name="action">^FAILED_LOGIN$</field>
    <description>Application login failure</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100003" level="10" frequency="5" timeframe="60">
    <if_matched_sid>100002</if_matched_sid>
    <description>Multiple application login failures within 60 seconds</description>
    <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100004" level="7">
    <decoded_as>custom-app</decoded_as>
    <field name="action">^PRIVILEGE_ESCALATION$</field>
    <description>Privilege escalation attempt detected</description>
    <group>privilege_escalation,</group>
  </rule>

  <rule id="100005" level="6">
    <decoded_as>custom-app</decoded_as>
    <field name="action">^CONFIG_CHANGE$</field>
    <description>Critical configuration change</description>
    <group>configuration_change,</group>
  </rule>
</group>

Check that the ruleset still parses before restarting; a broken rule or decoder file stops wazuh-analysisd from starting and with it all alerting:

sudo /var/ossec/bin/wazuh-analysisd -t

Then run a sample line through the decoders and rules interactively. wazuh-logtest prints each phase (pre-decoding, the decoded fields, the matched rule and its level), which is the quickest way to see why a rule does or does not fire:

sudo /var/ossec/bin/wazuh-logtest

Paste at the prompt:

Mar 10 12:00:01 web01 application: AUTH: FAILED_LOGIN - user bob from 203.0.113.5

Reload rules:

sudo systemctl restart wazuh-manager

Verify that the daemons came back and nothing was rejected on load:

sudo /var/ossec/bin/wazuh-control status
grep -iE "error|critical" /var/ossec/logs/ossec.log | tail
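The checks above catch a rule file that fails to parse, but several mistakes load cleanly and simply never fire: an ID outside the custom range colliding with the built-in ruleset, a duplicate ID, an if_matched_sid pointing at a rule that does not exist, or frequency/timeframe written as child elements. The following linter is an added example (not part of the Wazuh project) that catches those before the restart; it assumes the file layout shown in this section and uses a constructed sample in place of a real custom_rules.xml.

```python
"""Lint a Wazuh custom rule file before restarting wazuh-manager.

Added example, not code from the Wazuh project. Wazuh rule files are XML
fragments with several top-level <group> elements, so a synthetic root is
wrapped around the text before parsing. Everything flagged here is a
mistake that makes wazuh-analysisd refuse to start or a rule never fire.
"""
import sys
import xml.etree.ElementTree as ET

CUSTOM_MIN, CUSTOM_MAX = 100000, 120000          # range reserved for custom rules
INVALID_CHILDREN = {"decoder": "<decoded_as>",    # wrong tag -> what to use instead
                    "frequency": 'a frequency="N" attribute on <rule>',
                    "timeframe": 'a timeframe="N" attribute on <rule>'}

def load_rules(xml_text):
    """Return all <rule> elements in a rule-file body (any number of groups)."""
    root = ET.fromstring("<wazuh_rules>" + xml_text + "</wazuh_rules>")
    return list(root.iter("rule"))

def lint_rules(xml_text, known_ids=frozenset()):
    """Return a list of problems; an empty list means the file looks sane.

    known_ids: IDs of built-in rules the file may chain on (for example
    {"5700"} for the sshd rules), since those live in other files.
    """
    rules = load_rules(xml_text)
    defined = {r.get("id") for r in rules} | set(known_ids)
    seen, problems = set(), []
    for r in rules:
        rid = r.get("id")
        if rid is None or not rid.isdigit():
            problems.append("rule without a numeric id")
            continue
        if not CUSTOM_MIN <= int(rid) <= CUSTOM_MAX:
            problems.append(f"{rid}: outside the custom range {CUSTOM_MIN}-{CUSTOM_MAX}")
        if rid in seen:
            problems.append(f"{rid}: duplicate id")
        seen.add(rid)
        if r.get("level") is None:
            problems.append(f"{rid}: missing level attribute")
        if r.find("description") is None:
            problems.append(f"{rid}: missing <description>")
        for child in r:                               # direct children only
            if child.tag in INVALID_CHILDREN:
                problems.append(f"{rid}: <{child.tag}> child element is not valid, "
                                f"use {INVALID_CHILDREN[child.tag]}")
        for tag in ("if_sid", "if_matched_sid"):      # both accept comma-separated lists
            for ref in r.findall(tag):
                for target in (ref.text or "").replace(",", " ").split():
                    if target not in defined:
                        problems.append(f"{rid}: {tag} references unknown rule {target}")
        if r.get("frequency") is not None:
            if r.get("timeframe") is None:
                problems.append(f"{rid}: frequency without timeframe")
            if r.find("if_matched_sid") is None and r.find("if_matched_group") is None:
                problems.append(f"{rid}: frequency needs if_matched_sid or if_matched_group")
    return problems

# Constructed sample in the shape of this section's custom_rules.xml.
SAMPLE_RULES = """
<group name="custom_app,">
  <rule id="100001" level="3">
    <decoded_as>custom-app</decoded_as>
    <field name="event_type">^AUTH$</field>
    <description>Application authentication event</description>
  </rule>
  <rule id="100002" level="5">
    <if_sid>100001</if_sid>
    <field name="action">^FAILED_LOGIN$</field>
    <description>Application login failure</description>
  </rule>
  <rule id="100003" level="10" frequency="5" timeframe="60">
    <if_matched_sid>100002</if_matched_sid>
    <description>Multiple application login failures</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    issues = lint_rules(text)
    print("\n".join(issues) or "no problems found")
    sys.exit(1 if issues else 0)
```

Run it as `python3 lint_rules.py /var/ossec/etc/rules/custom_rules.xml` from a deploy pipeline and gate the restart on a zero exit code; it complements rather than replaces wazuh-analysisd -t, which still has the final say on syntax.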

Compliance Configuration

Configure compliance monitoring for regulatory requirements. In Wazuh 4.x hardening checks are run by the Security Configuration Assessment (SCA) module on each agent against CIS-derived policy files; the legacy rootcheck system_audit files and a <policy_monitoring> element are not how this is done.

Enable SCA on the agents, either locally in /var/ossec/etc/ossec.conf or centrally in /var/ossec/etc/shared/default/agent.conf on the manager:

<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
</sca>

The agent package ships the CIS policy matching the host OS under /var/ossec/ruleset/sca/ and loads it automatically. To enable a further policy, or your own YAML policy dropped into that directory, reference it by file name (file names differ by agent version, so list the directory first; cis_ubuntu22-04.yml is an example):

ls /var/ossec/ruleset/sca/

<sca>
  <enabled>yes</enabled>
  <policies>
    <policy>cis_ubuntu22-04.yml</policy>
  </policies>
</sca>

Regulatory mapping for alerts is done through rule groups: the built-in rules carry tags such as pci_dss_10.2.4, hipaa_164.312.b, nist_800_53_AU.14, gdpr_IV_35.7.d and tsc_CC6.1, and custom rules join the same views by listing those tags in <group>, as the failed-login rule above does.

View compliance events:

Dashboard → Compliance
Shows:
  - CIS Compliance (SCA results)
  - PCI DSS
  - HIPAA
  - NIST 800-53
  - GDPR
  - TSC

Run an SCA scan on demand by restarting the agent, since scan_on_start triggers a fresh scan:

sudo systemctl restart wazuh-agent

Check an agent's SCA results from the manager through the REST API (wazuh:wazuh is the default API user; replace 001 with the agent ID). The reply lists each policy with its pass/fail counts and score; the checks endpoint below it returns the individual results:

TOKEN=$(curl -sk -u wazuh:wazuh -X POST "https://localhost:55000/security/user/authenticate?raw=true")
curl -sk -H "Authorization: Bearer $TOKEN" "https://localhost:55000/sca/001?pretty=true"
curl -sk -H "Authorization: Bearer $TOKEN" "https://localhost:55000/sca/001/checks/<policy_id>?pretty=true"
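The two API calls above, together with the agent status checks from the Agent Deployment section, are what most teams end up scripting: which agents have gone quiet, and which SCA checks fail on a given host. The script below is an added example (not Wazuh project code) that does both through the server API. It assumes the API on https://localhost:55000, the default wazuh/wazuh user and a self-signed certificate (all three should be changed in production), and it keeps the network calls separate from the pure summarising functions, which run here on constructed replies in the shape of real API responses.

```python
"""Pull agent health and failed SCA checks from the Wazuh server API.

Added example, not code from the Wazuh project. Assumes the API at
https://localhost:55000 with the default user wazuh/wazuh and a self-signed
certificate. Network I/O is confined to get_token() and api_get(); the
summarisers are pure functions over the decoded JSON so they can be run
offline on the constructed replies below (same data.affected_items shape
as the real API, not captured from a live system).
"""
import base64
import json
import ssl
import sys
import urllib.request

API = "https://localhost:55000"

def _tls_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # lab only: the API cert is self-signed;
    ctx.verify_mode = ssl.CERT_NONE   # load the Wazuh root CA instead in production
    return ctx

def get_token(user, password):
    """POST /security/user/authenticate?raw=true answers with a bare JWT."""
    req = urllib.request.Request(f"{API}/security/user/authenticate?raw=true", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=_tls_context(), timeout=10) as resp:
        return resp.read().decode().strip()

def api_get(token, path):
    req = urllib.request.Request(API + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=_tls_context(), timeout=10) as resp:
        return json.load(resp)

def unhealthy_agents(agents_reply):
    """(id, name, status) for every agent that is not 'active'.

    Agent 000 is the manager's own entry and is skipped; the other
    statuses are disconnected, never_connected and pending.
    """
    return [(a["id"], a["name"], a["status"])
            for a in agents_reply["data"]["affected_items"]
            if a["id"] != "000" and a["status"] != "active"]

def failed_checks(checks_reply):
    """(check id, title) for each SCA check whose result is 'failed'."""
    return [(c["id"], c["title"])
            for c in checks_reply["data"]["affected_items"]
            if c.get("result") == "failed"]

# Constructed replies (not captured from a live system).
SAMPLE_AGENTS = {"data": {"affected_items": [
    {"id": "000", "name": "wazuh-manager", "status": "active"},
    {"id": "001", "name": "web01", "status": "active"},
    {"id": "002", "name": "db01", "status": "disconnected"},
    {"id": "003", "name": "build01", "status": "never_connected"},
], "total_affected_items": 4}, "error": 0}

SAMPLE_CHECKS = {"data": {"affected_items": [
    {"id": 28500, "title": "Ensure permissions on /etc/ssh/sshd_config are configured", "result": "passed"},
    {"id": 28523, "title": "Ensure SSH root login is disabled", "result": "failed"},
    {"id": 28524, "title": "Ensure SSH PAM is enabled", "result": "not applicable"},
], "total_affected_items": 3}, "error": 0}

def main(agent_id):
    token = get_token("wazuh", "wazuh")
    for aid, name, status in unhealthy_agents(api_get(token, "/agents?limit=500")):
        print(f"agent {aid} ({name}) is {status}")
    for policy in api_get(token, f"/sca/{agent_id}")["data"]["affected_items"]:
        print(f"{policy['policy_id']}: {policy['pass']} pass, {policy['fail']} fail, "
              f"score {policy['score']}")
        checks = api_get(token, f"/sca/{agent_id}/checks/{policy['policy_id']}?limit=500")
        for cid, title in failed_checks(checks):
            print(f"  FAIL {cid}: {title}")

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "001")
```

Run as `python3 sca_report.py 001`. The JWT from /security/user/authenticate expires after a short time, so long-running jobs should fetch a new one per run rather than caching it; API users are rate limited, which is why the script pulls each policy's checks in one request with a high limit instead of paging.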

Vulnerability Detection

Enable vulnerability detection for CVE identification. Nothing extra is installed: the manager downloads and maintains the vulnerability feed itself and matches it against the package inventory that each agent's Syscollector module reports. The configuration below is the Wazuh 4.8+ form; 4.6 and 4.7 used a <vulnerability-detector> block with per-OS <provider> entries instead, so use the syntax that matches the manager version you installed.

On the manager:

sudo nano /var/ossec/etc/ossec.conf

Add:

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

index-status makes the manager write the current vulnerability state straight into the indexer, so it needs a direct connection. The <indexer> block reuses the Filebeat certificates on the server node and takes its credentials from the Wazuh keystore rather than from the config file:

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://192.168.1.100:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

sudo /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
sudo /var/ossec/bin/wazuh-keystore -f indexer -k password -v '<indexer admin password>'

On the agents, make sure Syscollector scans installed packages (this is the default configuration):

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <os>yes</os>
  <packages>yes</packages>
</wodle>

Restart the manager to apply the configuration. The first feed download can take several minutes; progress and errors go to /var/ossec/logs/ossec.log:

sudo systemctl restart wazuh-manager
grep -i vulnerab /var/ossec/logs/ossec.log | tail

Do not delete files under /var/ossec/queue/db/ to "refresh" the feed: those are the per-agent state databases, and removing them discards the inventory, FIM and SCA state of every agent. The feed refreshes on its own at feed-update-interval.

Monitor vulnerability detection:

Dashboard → Vulnerability Detection
Shows:
  - Detected vulnerabilities
  - Severity distribution
  - Affected systems
  - CVE details

Query vulnerability data directly in the indexer (the state index is named wazuh-states-vulnerabilities-<cluster name>; use the indexer admin password set earlier):

curl -sk -u admin:<password> "https://localhost:9200/wazuh-states-vulnerabilities-*/_search?size=10&pretty"

Integration with External Tools

Integrate Wazuh with external systems and tools.

Forward alerts to an external syslog collector. 192.168.1.200 stands in for the collector here (not the manager itself); JSON format preserves the decoded fields, and level sets the minimum alert level to forward:

sudo nano /var/ossec/etc/ossec.conf

Add:

<syslog_output>
  <server>192.168.1.200</server>
  <port>514</port>
  <format>json</format>
  <level>7</level>
</syslog_output>

Slack, PagerDuty and similar services are driven by the integrator daemon (wazuh-integratord), one <integration> block per service. Configure Slack notifications with the incoming-webhook URL of your Slack app; level filters alerts at or above that level, and an optional <group> restricts delivery to specific rule groups:

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/YOUR/WEBHOOK/URL</hook_url>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>

Integrate with PagerDuty. The Events API v2 integration key goes in api_key; no hook_url is needed because the integration knows the PagerDuty endpoint:

<integration>
  <name>pagerduty</name>
  <api_key>YOUR_PAGERDUTY_API_KEY</api_key>
  <level>12</level>
</integration>

Set up email alerts. Delivery itself was switched on with <email_notification> and <smtp_server> in the <global> section of the manager configuration; <email_alerts> adds a recipient with its own threshold:

<email_alerts>
  <email_to>security@example.com</email_to>
  <level>7</level>
  <format>full</format>
</email_alerts>

Restart the manager after any of these changes and watch /var/ossec/logs/integrations.log for delivery failures; webhook URLs and API keys in ossec.conf are credentials, so keep the file readable only by root and the wazuh group as installed.
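Services without a built-in integration are handled the same way through a custom integration: a script named custom-<name> in /var/ossec/integrations that wazuh-integratord invokes with the path of a file containing one alert as JSON, the api_key and the hook_url from the <integration> block. The script below is an added example (not Wazuh project code) that forwards a trimmed alert to a generic JSON webhook; the endpoint URL is a placeholder, and the sample alert is constructed in the shape of /var/ossec/logs/alerts/alerts.json.

```python
#!/usr/bin/env python3
"""custom-webhook: a Wazuh custom integration that posts alerts to a webhook.

Added example, not code from the Wazuh project. wazuh-integratord runs any
script named custom-* in /var/ossec/integrations with three arguments: the
path of a temporary file holding one alert as JSON, the api_key from the
<integration> block (empty if unset) and the hook_url. The endpoint below
is a placeholder; the block that wires this script up is:

  <integration>
    <name>custom-webhook</name>
    <hook_url>https://example.invalid/hooks/wazuh</hook_url>
    <level>7</level>
    <alert_format>json</alert_format>
  </integration>
"""
import json
import sys
import urllib.request

MAX_LOG_CHARS = 500   # raw logs can carry secrets; send only a bounded excerpt

def build_payload(alert):
    """Reduce a Wazuh alert to the fields an on-call engineer needs first."""
    rule = alert.get("rule", {})
    return {
        "source": "wazuh",
        "timestamp": alert.get("timestamp"),
        "agent": alert.get("agent", {}).get("name", "manager"),
        "rule_id": rule.get("id"),
        "level": rule.get("level"),
        "description": rule.get("description"),
        "mitre_ids": rule.get("mitre", {}).get("id", []),
        "log": (alert.get("full_log") or "")[:MAX_LOG_CHARS],
    }

def post_json(url, payload, api_key=""):
    """POST the payload as JSON and return the HTTP status code."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    if api_key:                                   # api_key is optional in ossec.conf
        req.add_header("Authorization", f"Bearer {api_key}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def main(argv):
    alert_file, api_key, hook_url = argv[1], argv[2], argv[3]
    with open(alert_file) as fh:
        alert = json.load(fh)
    return post_json(hook_url, build_payload(alert), api_key)

# Constructed alert in the shape written to /var/ossec/logs/alerts/alerts.json.
SAMPLE_ALERT = {
    "timestamp": "2024-03-10T12:00:05.000+0000",
    "rule": {"level": 10, "description": "Multiple application login failures",
             "id": "100003", "mitre": {"id": ["T1110"], "tactic": ["Credential Access"]},
             "groups": ["custom_app", "authentication_failures"]},
    "agent": {"id": "001", "name": "web01"},
    "full_log": "Mar 10 12:00:05 web01 application: AUTH: FAILED_LOGIN - user bob from 203.0.113.5",
}

if __name__ == "__main__":
    sys.exit(0 if 200 <= main(sys.argv) < 300 else 1)
```

Install it as /var/ossec/integrations/custom-webhook owned by root:wazuh with mode 750 (integratord refuses scripts with looser permissions), restart the manager, and test by raising an alert at or above the configured level; a non-zero exit is recorded in /var/ossec/logs/integrations.log.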

Conclusion

Wazuh provides comprehensive security information and event management capabilities for detecting and responding to security incidents. By following this guide, you've installed and configured the complete Wazuh stack (indexer, manager, dashboard), deployed agents across your infrastructure, created custom rules and decoders for threat detection, implemented compliance monitoring for regulatory requirements, enabled vulnerability detection for CVE identification, and integrated with external tools for comprehensive security operations. Regular monitoring, rule tuning, and feed updates ensure Wazuh remains effective at detecting sophisticated threats and maintaining security posture. Whether protecting small networks or large enterprises, Wazuh scales with flexible deployment options and comprehensive security capabilities.