Wazuh, a fork of the famous OSSEC project, is an agent-based solution for the detection of malicious activity at the host level. It can detect rootkits, malicious processes running on the host, and many other types of malicious network activities. The Coralogix STA can function as a Wazuh manager, allowing Wazuh agents to connect to it, pull policies from it, and forward their logs to it. These logs will be enriched and forwarded to Coralogix for further processing.
Once you have successfully installed the STA in your environment, you can configure Wazuh agents to connect to it by completing the following steps:
Find out the relevant Wazuh NLB name (relevant only for cloud installations):
If you have installed the STA by using CloudFormation, open your AWS CloudFormation console and locate the stack you have deployed. In the list of the resources that were deployed (in the “Resources” tab) locate the ID of the “WazuhNLB” that was deployed (should be something like ‘arn:aws:elasticloadbalancing:eu-west-1:746123456762:loadbalancer/net/STA-N-Wazuh-UJZ0XTYPZR41/1773e22e13f084de’)
If you have installed the STA by using Terraform, run the following command in the folder you applied the Terraform template from: terraform state show 'module.sta_ng.module.sta_ng-spotfleet-small-wazuh1-eip1.aws_lb.WazuhNLB'. Take note of the id of the NLB. (should be something like ‘arn:aws:elasticloadbalancing:eu-west-1:746123456762:loadbalancer/net/STA-N-Wazuh-UJZ0XTYPZR41/1773e22e13f084de’)
Find out the relevant Wazuh NLB DNS name:
If you have installed the STA using either CloudFormation or Terraform, open your AWS EC2 console and navigate to the Load Balancers section and then search for the value you took note of at the previous step. Copy the DNS name of that load balancer (Should be something like STA-N-Wazuh-UXYZXYZXYR41-1234e12e12f064ed.elb.eu-west-1.amazonaws.com)
If you are using the STA in an on-prem environment just use the STA’s host name
WAZUH_MANAGER environment variable is the value you took a note of at the previous step (the STA’s Wazuh NLB DNS name). make sure to set WAZUH_MANAGER when encountered in next steps.
Install the Wazuh agent on the relevant machines:
In case you mirroring traffic using Virtual Tap and Wazuh wasn’t disabled, skip this step
In case you mirroring traffic using Virtual Tap and Wazuh was disabled, update docker command with the following code (for additional information regarding CONFIGURATION_S3 and TAP_INTERFACE see Virtual Tap’s URL):