-
SuggestedSuggested
- How It Works Streama© is the foundation of Coralogix's stateful streaming data platform, based on our 3 “S” architecture – source, stream, and sink.
- How Monday.com Improved Monitoring to Spend Less Time Searching for Issues Monday.com uses Coralogix to centralize and standardize their logs so they can easily search their logs across the entire stack.
- Creating a Free Data Lake with Coralogix Like many cool tools out there, this project started from a request made by a customer of ours. Having recently migrated to our service, this customer...
Oh no!
Oh no!We didn’t find anything for “”,
please try a different search
Breaking News from AWS re:Invent
Coralogix receives AWS Rising Star award!
Back to All Docs
Wazuh Alerts Overview 
Processes on Wazuh agents 
File Integrity Monitor
How to connect a Wazuh agent to the STA
Last Updated: Mar. 23, 2023
Wazuh, a fork of the famous OSSEC project, is an agent-based solution for the detection of malicious activity at the host level. It can detect rootkits, malicious processes running on the host, and many other types of malicious network activities. The Coralogix STA can function as a Wazuh manager, allowing Wazuh agents to connect to it, pull policies from it, and forward their logs to it. These logs will be enriched and forwarded to Coralogix for further processing.
Once you have successfully installed the STA in your environment, you can configure Wazuh agents to connect to it by completing the following steps:
- Find out the relevant Wazuh NLB name (relevant only for cloud installations):
- If you have installed the STA by using CloudFormation, open your AWS CloudFormation console and locate the stack you have deployed. In the list of the resources that were deployed (in the “Resources” tab) locate the ID of the “WazuhNLB” that was deployed (should be something like ‘arn:aws:elasticloadbalancing:eu-west-1:746123456762:loadbalancer/net/STA-N-Wazuh-UJZ0XTYPZR41/1773e22e13f084de’)
- If you have installed the STA by using Terraform, run the following command in the folder you applied the Terraform template from:
terraform state show 'module.sta_ng.module.sta_ng-spotfleet-small-wazuh1-eip1[0].aws_lb.WazuhNLB'. Take note of the id of the NLB. (should be something like ‘arn:aws:elasticloadbalancing:eu-west-1:746123456762:loadbalancer/net/STA-N-Wazuh-UJZ0XTYPZR41/1773e22e13f084de’)
- Find out the relevant Wazuh NLB DNS name:
- If you have installed the STA using either CloudFormation or Terraform, open your AWS EC2 console and navigate to the Load Balancers section and then search for the value you took note of at the previous step. Copy the DNS name of that load balancer (Should be something like STA-N-Wazuh-UXYZXYZXYR41-1234e12e12f064ed.elb.eu-west-1.amazonaws.com)
- If you are using the STA in an on-prem environment just use the STA’s host name
- WAZUH_MANAGER environment variable is the value you took a note of at the previous step (the STA’s Wazuh NLB DNS name). make sure to set
WAZUH_MANAGERwhen encountered in next steps. - Install the Wazuh agent on the relevant machines:
- In case you mirroring traffic using Virtual Tap and
Wazuhwasn’t disabled, skip this step - In case you mirroring traffic using Virtual Tap and
Wazuhwas disabled, update docker command with the following code (for additional information regardingCONFIGURATION_S3andTAP_INTERFACEsee Virtual Tap’s URL):
docker run -d –name sta-wazuh_manager \ -e "WAZUH_MANAGER=<EXTRACTED_WAZUH_NLB_DNS_NAME>" \ -e “STA_SNIFFING_NLB=s3://<CONFIGURATION_S3>” \ -e “TAP_INTERFACE=<TAP_INTERFACE>” \ -e ‘STA_SNIFFING_FILTER=not dst port 4789’ \ –privileged –net host coralogixrepo/sta-virtual-tap-docker
- To install using Virtual Tap installation but only
Wazuhwithout mirroring traffic:
docker run -d –name sta-wazuh_manager \ -e "WAZUH_MANAGER=<ADD_EXTRACTED_WAZUH_NLB_DNS_NAME>" \ -e "STA_DISABLE_TAP=TRUE" \ –privileged –net host coralogixrepo/sta-virtual-tap-docker
- To install
Wazuhusing bare metal installation, run the following code:- in AWS/AZURE this should be set as the instances’ user-data
- in GCP this should be set as the instance’s startup script
Ubuntu/Debian:
#!/bin/bash export WAZUH_MANAGER="<ADD_EXTRACTED_WAZUH_NLB_DNS_NAME>" wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.10-1_amd64.deb sudo -E dpkg -i wazuh-agent_4.3.10-1_amd64.deb echo 'wazuh_command.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf echo 'logcollector.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf echo 'sca.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf sudo mkdir -p /wazuh-custom-commands echo 'IyEvYmluL2Jhc2gKCmRmIC1oIHwgZ3JlcCAtdiAnXi9kZXYvbG9vcFswLTldJyB8IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lOwpkbwogIGVjaG8gImRpc2stdXNhZ2U6ICIkbGluZQpkb25lCg==' | base64 -d | sudo tee /wazuh-custom-commands/custom-df.sh echo 'IyEvYmluL2Jhc2gKCnBzIC1lZmwgfCB3aGlsZSBJRlM9IHJlYWQgLXIgbGluZTsKZG8KICBlY2hvICJwcm9jZXNzZXMtbGlzdDogIiRsaW5lCmRvbmUK' | base64 -d | sudo tee /wazuh-custom-commands/custom-ps.sh sudo chmod +x /wazuh-custom-commands/custom-df.sh sudo chmod +x /wazuh-custom-commands/custom-ps.sh sudo systemctl daemon-reload sudo systemctl enable wazuh-agent.service sudo service wazuh-agent start sleep 60 sudo service wazuh-agent restart
RedHat:
#!/bin/bash export WAZUH_MANAGER="<ADD_EXTRACTED_WAZUH_NLB_DNS_NAME>" sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH sudo echo [wazuh] > /etc/yum.repos.d/wazuh.repo sudo echo gpgcheck=1 >> /etc/yum.repos.d/wazuh.repo sudo echo gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH >> /etc/yum.repos.d/wazuh.repo sudo echo enabled=1 >> /etc/yum.repos.d/wazuh.repo sudo echo name=EL-Wazuh >> /etc/yum.repos.d/wazuh.repo sudo echo baseurl=https://packages.wazuh.com/4.x/yum/ >> /etc/yum.repos.d/wazuh.repo sudo echo protect=1 >> /etc/yum.repos.d/wazuh.repo sudo -E yum install wazuh-agent audit -y echo 'wazuh_command.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf echo 'logcollector.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf echo 'sca.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf sudo mkdir -p /wazuh-custom-commands echo 'IyEvYmluL2Jhc2gKCmRmIC1oIHwgZ3JlcCAtdiAnXi9kZXYvbG9vcFswLTldJyB8IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lOwpkbwogIGVjaG8gImRpc2stdXNhZ2U6ICIkbGluZQpkb25lCg==' | base64 -d | sudo tee /wazuh-custom-commands/custom-df.sh echo 'IyEvYmluL2Jhc2gKCnBzIC1lZmwgfCB3aGlsZSBJRlM9IHJlYWQgLXIgbGluZTsKZG8KICBlY2hvICJwcm9jZXNzZXMtbGlzdDogIiRsaW5lCmRvbmUK' | base64 -d | sudo tee /wazuh-custom-commands/custom-ps.sh sudo chmod +x /wazuh-custom-commands/custom-df.sh sudo chmod +x /wazuh-custom-commands/custom-ps.sh sudo systemctl daemon-reload sudo systemctl enable wazuh-agent sudo systemctl start wazuh-agent
Windows (Powershell):
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile wazuh-agent.msi -UseBasicParsing ` wazuh-agent.msi /quiet WAZUH_MANAGER=<ADD_EXTRACTED_WAZUH_NLB_DNS_NAME> ` Start-Sleep -Seconds 30 ` Start-Service -ServiceName WazuhSvc
- Connect to the STA via SSH using the key pair you specified during the installation of the STA.
- Run the command
sta-wazuh-list-agents. You should get something like this with the hostname of the monitored instance:Available agents:
ID: 001, Name: ip-192-168-1-2, IP: any - You should be able to see logs from the monitored instance that indicate interesting actions that took place on the monitored instance as recorded by Wazuh.
- You can review the data from Wazuh by using the Wazuh alerts and Wazuh file integrity monitor dashboards:
Good luck (:
If you have any questions or need any additional help, please contact our support team via our 24/7 in-app chat!