Wazuh SIEM Installation and Configuration

Wazuh is a comprehensive, open-source security information and event management (SIEM) system that provides centralized threat detection, compliance monitoring, and incident response capabilities. Wazuh combines log analysis, file integrity monitoring, vulnerability assessment, and threat intelligence into a unified platform for enterprise security operations. This guide covers installing the Wazuh stack (indexer, server, dashboard), deploying agents across infrastructure, creating custom rules and decoders, implementing compliance checks, and enabling vulnerability detection.

System Requirements

Wazuh requires specific hardware and software specifications for optimal operation:

  • 64-bit processor (4+ cores recommended for production)
  • 8 GB RAM minimum (16 GB+ for large deployments)
  • 100 GB disk space (more for long-term log storage)
  • Linux kernel 3.10 or newer
  • Stable network connectivity
  • Java 11 or later (for Elasticsearch/OpenSearch)

Verify system resources:

uname -r
nproc
free -h
df -h /
java -version

Architecture Overview

The Wazuh platform consists of three main components:

  1. Indexer: Stores and indexes log data (based on Elasticsearch/OpenSearch)
  2. Manager/Server: Central analysis engine that processes logs and generates alerts
  3. Dashboard: Web UI for visualization and management

Agents deployed on monitored systems send data to the manager, which processes and stores it in the indexer for analysis and visualization.

Wazuh Indexer Installation

Install the indexer that stores and indexes all security events.

For Ubuntu/Debian:

sudo apt-get update
sudo apt-get install -y curl gnupg apt-transport-https
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
sudo apt-get install -y wazuh-indexer

For CentOS/RHEL:

sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo "[wazuh]
name=Wazuh repositorio
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH" | sudo tee /etc/yum.repos.d/wazuh.repo
sudo yum install -y wazuh-indexer

Generate indexer certificates:

sudo bash /usr/share/wazuh-indexer/certs/indexer-security-init.sh -a

When prompted:

Node name: node1
IP address: 192.168.1.100
All certificates generated!

Start the indexer:

sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer

Verify indexer health:

curl -u admin:admin -k https://localhost:9200/_cluster/health

Should return:

{
  "cluster_name": "wazuh-cluster",
  "status": "green",
  "timed_out": false
}

Wazuh Manager Installation

Install the central analysis and management server.

For Ubuntu/Debian:

sudo apt-get install -y wazuh-manager

For CentOS/RHEL:

sudo yum install -y wazuh-manager

Enable and start the manager:

sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager

Verify manager status:

sudo systemctl status wazuh-manager
sudo /var/ossec/bin/wazuh-control status

Check manager logs:

tail -f /var/ossec/logs/ossec.log

Configure manager settings:

sudo nano /var/ossec/etc/ossec.conf

Key configuration sections:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>[email protected]</email_from>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <ruleset>
    <decoder_dir>decoders</decoder_dir>
    <rule_dir>rules</rule_dir>
    <rule_exclude>0710_sid_before_ossec3.14_upgrade.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
  </ruleset>
</ossec_config>

Restart the manager to apply changes:

sudo systemctl restart wazuh-manager
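With jsonout_output enabled, every alert at or above log_alert_level is appended as one JSON object per line to the manager's alerts file (by default /var/ossec/logs/alerts/alerts.json). The reader below is an added Python example, not Wazuh code: it loads such lines, skips a truncated record instead of aborting, applies the email_alert_level threshold of 7 from the configuration above, and counts alerts per agent and rule, which is the view needed when tuning noisy rules. The sample records are constructed; their field layout (timestamp, rule.level/id/description, agent.id/name) follows the Wazuh 4.x alerts.json format as assumed here.

```python
import json
from collections import Counter

# Constructed alerts.json lines (one JSON object per line, as the manager writes them
# when jsonout_output is enabled). Field layout assumed from Wazuh 4.x; values invented.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"timestamp": "2024-03-04T10:00:00.000+0000",
                "rule": {"level": 3, "id": "100001", "description": "Application authentication event"},
                "agent": {"id": "001", "name": "app01"}}),
    json.dumps({"timestamp": "2024-03-04T10:00:25.000+0000",
                "rule": {"level": 5, "id": "100002", "description": "Multiple failed login attempts"},
                "agent": {"id": "001", "name": "app01"}}),
    '{"timestamp": "2024-03-04T10:00:30.000+0000", "rule": {"level": 6',  # truncated write
    json.dumps({"timestamp": "2024-03-04T10:00:35.000+0000",
                "rule": {"level": 7, "id": "100003", "description": "Privilege escalation attempt detected"},
                "agent": {"id": "002", "name": "web01"}}),
    json.dumps({"timestamp": "2024-03-04T10:01:00.000+0000",
                "rule": {"level": 3, "id": "100001", "description": "Application authentication event"},
                "agent": {"id": "001", "name": "app01"}}),
])

EMAIL_ALERT_LEVEL = 7  # value of <email_alert_level> in the ossec.conf above


def load_alerts(text):
    """Parse newline-delimited JSON alerts; skip blank or truncated lines instead of aborting."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            # A partially written record (e.g. read during rotation) must not stop the reader.
            print(f"skipping malformed line {lineno}")
    return alerts


def alerts_at_or_above(alerts, level):
    """Alerts that the manager would also email under the <email_alert_level> setting."""
    return [a for a in alerts if a["rule"]["level"] >= level]


def count_by_agent_and_rule(alerts):
    """Counter keyed by (agent name, rule id): the first view to consult when tuning rules."""
    return Counter((a["agent"]["name"], a["rule"]["id"]) for a in alerts)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    for a in alerts_at_or_above(alerts, EMAIL_ALERT_LEVEL):
        print(a["timestamp"], a["agent"]["name"], a["rule"]["id"], a["rule"]["description"])
    for (agent, rule_id), n in sorted(count_by_agent_and_rule(alerts).items()):
        print(f"{agent} rule {rule_id}: {n}")
```

Point the reader at the real file with `load_alerts(open("/var/ossec/logs/alerts/alerts.json").read())` on the manager; the per-line try/except matters there because the file is appended to continuously and the last line may be incomplete at read time.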

Wazuh Dashboard

Install the web interface for visualization and management.

For Ubuntu/Debian:

sudo apt-get install -y wazuh-dashboard

For CentOS/RHEL:

sudo yum install -y wazuh-dashboard

Generate dashboard certificates:

sudo bash /usr/share/wazuh-dashboard/certs/dashboard-security-init.sh -a

Enable and start the dashboard:

sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard

Access the dashboard at https://localhost:443:

firefox https://localhost:443 &

Default credentials:

  • Username: admin
  • Password: SecurePassword123

Configure dashboard settings:

sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml

Key settings:

server.host: "0.0.0.0"
server.port: 443
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]

Restart the dashboard:

sudo systemctl restart wazuh-dashboard

Agent Deployment

Deploy Wazuh agents on the systems to be monitored.

Download agent installer:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.6.0-1_amd64.deb

For Ubuntu/Debian:

sudo dpkg -i wazuh-agent_4.6.0-1_amd64.deb

For CentOS/RHEL:

sudo rpm -ivh wazuh-agent-4.6.0-1.x86_64.rpm

Configure the agent to connect to the manager:

sudo nano /var/ossec/etc/ossec.conf

Set the manager IP:

<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
  <notify_time>10</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
  <crypto_method>aes</crypto_method>
</client>

Add monitoring directories:

<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/application/app.log</location>
  </localfile>

  <syscheck>
    <directories check_all="yes">/etc</directories>
    <directories check_all="yes">/usr/bin</directories>
    <directories check_all="yes">/usr/sbin</directories>
  </syscheck>
</agent_config>

Enable and start the agent:

sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Verify agent registration on the manager:

sudo /var/ossec/bin/agent_control -l

Monitor agent status:

sudo /var/ossec/bin/agent_control -i 001 -s

Rules and Decoders

Create custom rules and decoders for specific threat detection.

Decoders parse logs into structured data. Create custom decoders:

sudo nano /var/ossec/etc/decoders/custom_decoders.xml

Example decoder for application logs (the parent decoder selects syslog lines by program name; the child decoder extracts fields, and <plugin_decoder> is not needed for a regex-based decoder):

<!-- Parent decoder: matches syslog lines whose program name is "application" -->
<decoder name="custom-app">
  <program_name>application</program_name>
</decoder>

<!-- Child decoder: extracts "<event_type>: <action> - <message>" into named fields -->
<decoder name="custom-app-events">
  <parent>custom-app</parent>
  <regex>^(\w+): (\w+) - (.+)$</regex>
  <order>event_type, action, message</order>
</decoder>

Create detection rules:

sudo nano /var/ossec/etc/rules/custom_rules.xml

Example rules (rules reference the decoder with <decoded_as> and test decoded fields with <field>; frequency and timeframe are attributes of <rule>, and a frequency rule counts earlier matches of the rule named in <if_matched_sid>):

<group name="custom_app,">
  <rule id="100001" level="3">
    <decoded_as>custom-app</decoded_as>
    <field name="event_type">^AUTH$</field>
    <description>Application authentication event</description>
  </rule>

  <!-- Single failed login; rule 100002 counts these over its timeframe -->
  <rule id="100005" level="4">
    <if_sid>100001</if_sid>
    <field name="action">^FAILED_LOGIN$</field>
    <description>Application failed login</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100002" level="5" frequency="5" timeframe="60">
    <if_matched_sid>100005</if_matched_sid>
    <description>Multiple failed login attempts</description>
    <group>authentication,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100003" level="7">
    <decoded_as>custom-app</decoded_as>
    <field name="action">^PRIVILEGE_ESCALATION$</field>
    <description>Privilege escalation attempt detected</description>
    <group>privilege_escalation,</group>
  </rule>

  <rule id="100004" level="6">
    <decoded_as>custom-app</decoded_as>
    <field name="action">^CONFIG_CHANGE$</field>
    <description>Critical configuration change</description>
    <group>configuration_change,</group>
  </rule>
</group>

Test rule syntax:

sudo /var/ossec/bin/wazuh-logtest -c

Reload rules:

sudo systemctl restart wazuh-manager

Count the rule definitions in the file:

grep -c "<rule" /var/ossec/etc/rules/custom_rules.xml
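To see what the decoder and rule set above do before loading them into the manager, here is an added Python replay; it is not Wazuh code and not a substitute for wazuh-logtest. It applies the custom-app program-name check and the custom-app-events regex to constructed syslog lines, then evaluates rules 100001 to 100004, implementing the 5-events-in-60-seconds correlation of rule 100002 as a sliding window that counts only failed logins and resets after firing. The syslog header regex, the timestamps and the log lines are assumptions made for this example.

```python
import re
from collections import deque

# Parent decoder: syslog header followed by a program name that must be "application"
# (mirrors <program_name> in custom-app). The header format is an assumption for the example.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (\S+?)(?:\[\d+\])?: (.*)$")
# Child decoder: "<event_type>: <action> - <message>" (mirrors <regex> and <order>).
EVENT_RE = re.compile(r"^(\w+): (\w+) - (.+)$")
FIELDS = ("event_type", "action", "message")

# Constructed sample input: (seconds since start, raw syslog line).
SAMPLE_LOG = [
    (0,   "Mar  4 10:00:00 app01 application: AUTH: LOGIN - alice logged in"),
    (5,   "Mar  4 10:00:05 app01 application: AUTH: FAILED_LOGIN - bad password for bob"),
    (10,  "Mar  4 10:00:10 app01 application: AUTH: FAILED_LOGIN - bad password for bob"),
    (15,  "Mar  4 10:00:15 app01 application: AUTH: FAILED_LOGIN - bad password for bob"),
    (20,  "Mar  4 10:00:20 app01 application: AUTH: FAILED_LOGIN - bad password for bob"),
    (25,  "Mar  4 10:00:25 app01 application: AUTH: FAILED_LOGIN - bad password for bob"),
    (30,  "Mar  4 10:00:30 app01 application: SYSTEM: CONFIG_CHANGE - /etc/app/app.conf rewritten"),
    (35,  "Mar  4 10:00:35 app01 application: AUTH: PRIVILEGE_ESCALATION - bob became admin"),
    (40,  "Mar  4 10:00:40 app01 CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)"),
    (200, "Mar  4 10:03:20 app01 application: AUTH: FAILED_LOGIN - bad password for carol"),
]


def decode(line):
    """Return the decoded fields for a custom-app line, or None when no decoder matches."""
    m = SYSLOG_RE.match(line)
    if not m or m.group(1) != "application":
        return None
    m = EVENT_RE.match(m.group(2))
    if not m:
        return None
    return dict(zip(FIELDS, m.groups()))


class FrequencyWindow:
    """Sliding window: fires once `frequency` hits fall within `timeframe` seconds."""

    def __init__(self, frequency, timeframe):
        self.frequency, self.timeframe = frequency, timeframe
        self.hits = deque()

    def observe(self, ts):
        self.hits.append(ts)
        while ts - self.hits[0] > self.timeframe:  # drop hits older than the window
            self.hits.popleft()
        if len(self.hits) >= self.frequency:
            self.hits.clear()  # reset so one burst raises one alert rather than one per extra event
            return True
        return False


def evaluate(events, frequency=5, timeframe=60):
    """Replay (ts, line) pairs through the rules; return (ts, rule_id, level, description)."""
    window = FrequencyWindow(frequency, timeframe)
    alerts = []
    for ts, line in events:
        f = decode(line)
        if f is None:
            continue  # undecoded lines never reach the rules
        action = f["action"]
        if action == "PRIVILEGE_ESCALATION":
            alerts.append((ts, 100003, 7, "Privilege escalation attempt detected"))
        elif action == "CONFIG_CHANGE":
            alerts.append((ts, 100004, 6, "Critical configuration change"))
        elif f["event_type"] == "AUTH":
            if action == "FAILED_LOGIN" and window.observe(ts):
                alerts.append((ts, 100002, 5, "Multiple failed login attempts"))
            else:
                alerts.append((ts, 100001, 3, "Application authentication event"))
    return alerts


if __name__ == "__main__":
    for ts, rule_id, level, desc in evaluate(SAMPLE_LOG):
        print(f"t={ts:>3}s rule {rule_id} level {level}: {desc}")
```

The fifth failed login at t=25 s raises rule 100002 and the earlier four stay at level 3; the failed login at t=200 s is outside the 60-second window and therefore only raises 100001. Feeding the same constructed lines to wazuh-logtest on the manager is the way to confirm the real ruleset behaves the same.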

Compliance Configuration

Configure compliance monitoring for regulatory requirements.

Enable CIS Benchmark checks (Security Configuration Assessment):

sudo nano /var/ossec/etc/ossec.conf

Add:

<sca>
  <enabled>yes</enabled>
  <policies>
    <policy>/var/ossec/etc/shared/cis_ubuntu_linux_2.1.1_l1_benchmark.yml</policy>
  </policies>
</sca>

Configure PCI DSS compliance:

<rootcheck>
  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_rhel_linux_benchmark.txt</system_audit>
</rootcheck>

View compliance events:

Dashboard → Compliance
Shows:
  - CIS Compliance
  - PCI DSS Status
  - HIPAA
  - NIST 800-53
  - GDPR
  - TSC

Run a compliance scan manually:

sudo /var/ossec/bin/rootcheck_control -r

Check compliance status:

sudo /var/ossec/bin/wazuh-control info

Vulnerability Detection

Enable vulnerability detection for CVE identification.

Install the vulnerability feed:

sudo apt-get install -y wazuh-manager-vulnerability-detection

Or install the database files from the source archive:

cd /tmp
wget https://github.com/wazuh/wazuh-vulnerability-database/archive/main.zip
unzip main.zip
sudo cp -r wazuh-vulnerability-database-main/* /var/ossec/

Configure vulnerability feed updates:

sudo nano /var/ossec/etc/ossec.conf

Add:

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

Update the feeds:

sudo /var/ossec/bin/wazuh-control stop
sudo rm /var/ossec/queue/db/*.db
sudo /var/ossec/bin/wazuh-control start

Monitor vulnerability detection:

Dashboard → Vulnerability Detection
Shows:
  - Detected vulnerabilities
  - Severity distribution
  - Affected systems
  - CVE details

Query vulnerability data:

curl -u admin:password https://localhost:9200/.wazuh-vulnerability*/_search?size=10

Integration with External Tools

Integrate Wazuh with external systems and tools.

Forward logs to syslog:

sudo nano /var/ossec/etc/ossec.conf

Add:

<syslog_output>
  <server>192.168.1.100</server>
  <port>514</port>
</syslog_output>

Configure Slack notifications:

sudo nano /var/ossec/etc/ossec.conf

Add:

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/YOUR/WEBHOOK/URL</hook_url>
  <alert_format>json</alert_format>
</integration>

Integrate with PagerDuty:

<integration>
  <name>pagerduty</name>
  <enabled>yes</enabled>
  <hook_url>https://events.pagerduty.com/v2/enqueue</hook_url>
  <api_key>YOUR_PAGERDUTY_API_KEY</api_key>
</integration>

Configure email alerts:

<email_alerts>
  <email_to>[email protected]</email_to>
  <level>7</level>
  <format>full</format>
</email_alerts>

Conclusion

Wazuh provides comprehensive security information and event management capabilities for detecting and responding to security incidents. By following this guide, you've installed and configured the complete Wazuh stack (indexer, manager, dashboard), deployed agents across your infrastructure, created custom rules and decoders for threat detection, implemented compliance monitoring for regulatory requirements, enabled vulnerability detection for CVE identification, and integrated with external tools for comprehensive security operations. Regular monitoring, rule tuning, and feed updates ensure that Wazuh remains effective at detecting sophisticated threats and maintaining security posture. Whether protecting small networks or large enterprises, Wazuh scales with flexible deployment options and comprehensive security capabilities.