Wazuh SIEM Instalación and Configuración
Wazuh is a comprehensive, open-source security information and event management (SIEM) system that proporciona centralized threat detection, compliance monitoring, and incident response capabilities. Wazuh combines log analysis, file integrity monitoring, vulnerability assessment, and threat intelligence into a unified platform for enterprise security operations. Esta guía cubre installing the Wazuh stack (indexer, server, dashboard), deploying agents across infrastructure, creating custom rules and decoders, implementing compliance checks, and enabling vulnerability detection.
Tabla de Contenidos
- System Requirements
- Architecture Descripción General
- Wazuh Indexer Instalación
- Wazuh Manager Instalación
- Wazuh Dashboard
- Agent Despliegue
- Rules and Decoders
- Compliance Configuración
- Vulnerability Detection
- Integration with External Tools
- Conclusión
System Requirements
Wazuh requires specific hardware and software specifications for optimal operation:
- 64-bit processor (4+ cores recommended for production)
- 8 GB RAM minimum (16 GB+ for large deployments)
- 100 GB disk space (more for long-term log almacenamiento)
- Linux kernel 3.10 or newer
- Stable red connectivity
- Java 11 or later (for Elasticsearch/OpenSearch)
Verifica system resources:
uname -r
nproc
free -h
df -h /
java -version
Architecture Descripción General
The Wazuh platform consists of three main components:
- Indexer: Stores and indexes log data (based on Elasticsearch/OpenSearch)
- Manager/Server: Central analysis engine that processes logs and generates alerts
- Dashboard: Web UI for visualization and management
Agents deployed on monitored systems send data to the manager, which processes and stores it in the indexer for analysis and visualization.
Wazuh Indexer Instalación
Instala the indexer that stores and indexes all security events.
For Ubuntu/Debian:
sudo apt-get update
sudo apt-get install -y curl gnupg apt-transport-https
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
sudo apt-get install -y wazuh-indexer
For CentOS/RHEL:
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo "[wazuh]
name=Wazuh repositorio
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH" | sudo tee /etc/yum.repos.d/wazuh.repo
sudo yum install -y wazuh-indexer
Generate indexer certificates:
sudo bash /usr/share/wazuh-indexer/certs/indexer-security-init.sh -a
When prompted:
Nodo name: node1
IP address: 192.168.1.100
All Certificated generated!
Inicia indexer:
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer
Verifica indexer health:
curl -u admin:admin -k https://localhost:9200/_cluster/health
Should return:
{
"cluster_name": "wazuh-cluster",
"status": "green",
"timed_out": false
}
Wazuh Manager Instalación
Instala the central analysis and management server.
For Ubuntu/Debian:
sudo apt-get install -y wazuh-manager
For CentOS/RHEL:
sudo yum install -y wazuh-manager
Habilita and start the manager:
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
Verifica manager status:
sudo systemctl status wazuh-manager
sudo /var/ossec/bin/wazuh-control status
Check manager logs:
tail -f /var/ossec/logs/ossec.log
Configura manager settings:
sudo nano /var/ossec/etc/ossec.conf
Key configuration sections:
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>yes</logall_json>
<email_notification>yes</email_notification>
<smtp_server>smtp.example.com</smtp_server>
<email_from>[email protected]</email_from>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<remote>
<connection>secure</connection>
<puerto>1514</puerto>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<ruleset>
<decoder_dir>decoders</decoder_dir>
<rule_dir>rules</rule_dir>
<rule_exclude>0710_sid_before_ossec3.14_upgrade.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
</ruleset>
</ossec_config>
Reinicia manager to apply changes:
sudo systemctl restart wazuh-manager
Wazuh Dashboard
Instala the web interface for visualization and management.
For Ubuntu/Debian:
sudo apt-get install -y wazuh-dashboard
For CentOS/RHEL:
sudo yum install -y wazuh-dashboard
Generate dashboard certificates:
sudo bash /usr/share/wazuh-dashboard/certs/dashboard-security-init.sh -a
Habilita and start dashboard:
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard
Access the dashboard at https://localhost:443:
firefox https://localhost:443 &
Default credentials:
- Username: admin
- Password: SecurePassword123
Configura dashboard settings:
sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml
Key settings:
server.host: "0.0.0.0"
server.puerto: 443
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
Reinicia dashboard:
sudo systemctl restart wazuh-dashboard
Agent Despliegue
Despliega Wazuh agents on systems to be monitored.
Download agent installer:
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.6.0-1_amd64.deb
For Ubuntu/Debian:
sudo dpkg -i wazuh-agent_4.6.0-1_amd64.deb
For CentOS/RHEL:
sudo rpm -ivh wazuh-agent-4.6.0-1.x86_64.rpm
Configura agent to connect to manager:
sudo nano /var/ossec/etc/ossec.conf
Set manager IP:
<client>
<server>
<address>192.168.1.100</address>
<puerto>1514</puerto>
<protocol>tcp</protocol>
</server>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
Add monitoring directories:
<agent_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
<localfile>
<log_format>json</log_format>
<location>/var/log/application/app.log</location>
</localfile>
<syscheck>
<directories check_all="yes">/etc</directories>
<directories check_all="yes">/usr/bin</directories>
<directories check_all="yes">/usr/sbin</directories>
</syscheck>
</agent_config>
Habilita and start agent:
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Verifica agent registration on manager:
sudo /var/ossec/bin/agent_control -l
Monitorea agent status:
sudo /var/ossec/bin/agent_control -i 001 -s
Rules and Decoders
Crea custom rules and decoders for specific threat detection.
Decoders parse logs into structured data. Crea custom decoders:
sudo nano /var/ossec/etc/decoders/custom_decoders.xml
Example decoder for application logs:
<decoder name="custom-app">
<plugin_decoder>YES</plugin_decoder>
<program_name>application</program_name>
</decoder>
<decoder name="custom-app-events">
<parent>custom-app</parent>
<regex>^(\w+): (\w+) - (.+)$</regex>
<order>event_type, action, message</order>
</decoder>
Crea detection rules:
sudo nano /var/ossec/etc/rules/custom_rules.xml
Example rules:
<group name="custom_app">
<rule id="100001" level="3">
<decoder>custom-app</decoder>
<match>event_type: AUTH</match>
<description>Application authentication event</description>
</rule>
<rule id="100002" level="5">
<decoder>custom-app</decoder>
<match>action: FAILED_LOGIN</match>
<frequency>5</frequency>
<timeframe>60</timeframe>
<description>Multiple failed login attempts</description>
<group>authentication,pci_dss_10.2.4,pci_dss_10.2.5</group>
</rule>
<rule id="100003" level="7">
<decoder>custom-app</decoder>
<match>action: PRIVILEGE_ESCALATION</match>
<description>Privilege escalation attempt detected</description>
<group>privilege_escalation</group>
</rule>
<rule id="100004" level="6">
<decoder>custom-app</decoder>
<match>action: CONFIG_CHANGE</match>
<description>Critical configuration change</description>
<group>configuration_change</group>
</rule>
</group>
Prueba rule syntax:
sudo /var/ossec/bin/wazuh-logtest -c
Reload rules:
sudo systemctl restart wazuh-manager
Verifica rules are loaded:
grep -c "<rule" /var/ossec/etc/rules/custom_rules.xml
Compliance Configuración
Configura compliance monitoring for regulatory requirements.
Habilita CIS Benchmark checks:
sudo nano /var/ossec/etc/ossec.conf
Add:
<policy_monitoring>
<enabled>yes</enabled>
<eval_type>file</eval_type>
<rootcheck_files>/var/ossec/etc/shared/cis_ubuntu_linux_2.1.1_l1_benchmark.yml</rootcheck_files>
</policy_monitoring>
Configura PCI DSS compliance:
<rootcheck>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_benchmark.txt</system_audit>
</rootcheck>
View compliance events:
Dashboard → Compliance
Shows:
- CIS Compliance
- PCI DSS Status
- HIPAA
- NIST 800-53
- GDPR
- TSC
Ejecuta compliance scan manually:
sudo /var/ossec/bin/rootcheck_control -r
Check compliance status:
sudo /var/ossec/bin/wazuh-control info
Vulnerability Detection
Habilita vulnerability detection for CVE identification.
Instala vulnerability feed:
sudo apt-get install -y wazuh-manager-vulnerability-detection
Or compile from source:
cd /tmp
wget https://github.com/wazuh/wazuh-vulnerability-database/archive/main.zip
unzip main.zip
sudo cp -r wazuh-vulnerability-database-main/* /var/ossec/
Configura vulnerability feed updates:
sudo nano /var/ossec/etc/ossec.conf
Add:
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60</feed-update-interval>
</vulnerability-detection>
Actualiza feeds:
sudo /var/ossec/bin/wazuh-control stop
sudo rm /var/ossec/queue/db/*.db
sudo /var/ossec/bin/wazuh-control start
Monitorea vulnerability detection:
Dashboard → Vulnerability Detection
Shows:
- Detected vulnerabilities
- Severity distribution
- Affected systems
- CVE details
Query vulnerability data:
curl -u admin:password https://localhost:9200/.wazuh-vulnerability*/_search?size=10
Integration with External Tools
Integrate Wazuh with external systems and tools.
Forward logs to syslog:
sudo nano /var/ossec/etc/ossec.conf
Add:
<syslog_output>
<server>192.168.1.100</server>
<puerto>514</puerto>
</syslog_output>
Configura Slack notifications:
sudo nano /var/ossec/etc/ossec.conf
Add:
<slack_alerts>
<enabled>yes</enabled>
<hook_url>https://hooks.slack.com/servicios/YOUR/WEBHOOK/URL</hook_url>
</slack_alerts>
Integrate with PagerDuty:
<integration>
<name>pagerduty</name>
<enabled>yes</enabled>
<hook_url>https://events.pagerduty.com/v2/enqueue</hook_url>
<api_key>YOUR_PAGERDUTY_API_KEY</api_key>
</integration>
Configuración email alerts:
<email_notification>
<email_to>[email protected]</email_to>
<level>7</level>
<format>full</format>
</email_notification>
Conclusión
Wazuh proporciona comprehensive security information and event management capabilities for detecting and responding to security incidents. By following this guide, you've installed and configured the complete Wazuh stack (indexer, manager, dashboard), deployed agents across your infrastructure, created custom rules and decoders for threat detection, implemented compliance monitoring for regulatory requirements, enabled vulnerability detection for CVE identification, and integrated with external tools for comprehensive security operations. Regular monitoring, rule tuning, and feed updates asegúrate de que Wazuh remains effective at detecting sophisticated threats and maintaining security posture. Whether protecting small redes or large enterprises, Wazuh scales with flexible deployment options and comprehensive security capabilities.