Wazuh, a fork of the famous OSSEC project, is an agent-based solution for the detection of malicious activity at the host level. It can detect rootkits, malicious processes running on the host, and many other types of malicious network activities. The Coralogix STA can function as a Wazuh manager, allowing Wazuh agents to connect to it, pull policies from it, and forward their logs to it. These logs will be enriched and forwarded to Coralogix for further processing.
Once you have successfully installed the STA in your environment, you can configure Wazuh agents to connect to it by completing the following steps:

1. Run the following Terraform command to find the Network Load Balancer (NLB) in front of the STA's Wazuh manager:

   ```bash
   terraform state show 'module.sta_ng.module.sta_ng-spotfleet-small-wazuh1-eip1[0].aws_lb.WazuhNLB'
   ```

   Take note of the id of the NLB. It should look something like `arn:aws:elasticloadbalancing:eu-west-1:746123456762:loadbalancer/net/STA-N-Wazuh-UJZ0XTYPZR41/1773e22e13f084de`.

2. Install the Wazuh agent on each host you want to monitor with the script for its operating system. The scripts below use a placeholder `WAZUH_MANAGER` value (`sta-p-Wazuh-12345678901-12345678901234567.elb.eu-west-1.amazonaws.com`); set it to the DNS name of the NLB you noted in step 1.

   Ubuntu:

   ```bash
   #!/bin/bash
   # Add the Wazuh package repository and its signing key
   curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
   echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
   sudo apt-get update -y
   # The agent package reads WAZUH_MANAGER at install time; `sudo -E` passes the
   # exported variable through to apt-get
   export WAZUH_MANAGER="sta-p-Wazuh-12345678901-12345678901234567.elb.eu-west-1.amazonaws.com"
   sudo -E apt-get install auditd wazuh-agent -y
   # Allow the manager (the STA) to push command-based log collection to this agent
   echo 'wazuh_command.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf
   echo 'logcollector.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf
   # Custom command scripts. The first base64 blob decodes to a short bash script
   # that prints every line of `df -h` (loop devices excluded) prefixed with
   # "disk-usage: "; the second prints every line of `ps -efl` prefixed with
   # "processes-list: "
   sudo mkdir -p /wazuh-custom-commands
   echo 'IyEvYmluL2Jhc2gKCmRmIC1oIHwgZ3JlcCAtdiAnXi9kZXYvbG9vcFswLTldJyB8IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lOwpkbwogIGVjaG8gImRpc2stdXNhZ2U6ICIkbGluZQpkb25lCg==' | base64 -d | sudo tee /wazuh-custom-commands/custom-df.sh
   echo 'IyEvYmluL2Jhc2gKCnBzIC1lZmwgfCB3aGlsZSBJRlM9IHJlYWQgLXIgbGluZTsKZG8KICBlY2hvICJwcm9jZXNzZXMtbGlzdDogIiRsaW5lCmRvbmUK' | base64 -d | sudo tee /wazuh-custom-commands/custom-ps.sh
   sudo chmod +x /wazuh-custom-commands/custom-df.sh
   sudo chmod +x /wazuh-custom-commands/custom-ps.sh
   # Start the agent, give it a minute to register with the manager, then restart
   # it so the settings above take effect
   sudo systemctl enable wazuh-agent.service
   sudo service wazuh-agent start
   sleep 60
   sudo service wazuh-agent restart
   ```
   RedHat:

   ```bash
   #!/bin/bash
   # Import the Wazuh signing key and write the repository definition as root.
   # (A plain `sudo echo ... > file` performs the redirect as the calling user
   # and fails when /etc/yum.repos.d is not writable by that user.)
   sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
   sudo tee /etc/yum.repos.d/wazuh.repo > /dev/null <<'EOF'
   [wazuh]
   gpgcheck=1
   gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
   enabled=1
   name=EL-Wazuh
   baseurl=https://packages.wazuh.com/4.x/yum/
   protect=1
   EOF
   # The agent package reads WAZUH_MANAGER at install time
   sudo WAZUH_MANAGER="sta-p-Wazuh-12345678901-12345678901234567.elb.eu-west-1.amazonaws.com" yum install wazuh-agent audit -y
   # Allow the manager (the STA) to push command-based log collection to this agent
   echo 'wazuh_command.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf
   echo 'logcollector.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf
   # Custom command scripts. The first base64 blob decodes to a short bash script
   # that prints every line of `df -h` (loop devices excluded) prefixed with
   # "disk-usage: "; the second prints every line of `ps -efl` prefixed with
   # "processes-list: "
   sudo mkdir -p /wazuh-custom-commands
   echo 'IyEvYmluL2Jhc2gKCmRmIC1oIHwgZ3JlcCAtdiAnXi9kZXYvbG9vcFswLTldJyB8IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lOwpkbwogIGVjaG8gImRpc2stdXNhZ2U6ICIkbGluZQpkb25lCg==' | base64 -d | sudo tee /wazuh-custom-commands/custom-df.sh
   echo 'IyEvYmluL2Jhc2gKCnBzIC1lZmwgfCB3aGlsZSBJRlM9IHJlYWQgLXIgbGluZTsKZG8KICBlY2hvICJwcm9jZXNzZXMtbGlzdDogIiRsaW5lCmRvbmUK' | base64 -d | sudo tee /wazuh-custom-commands/custom-ps.sh
   sudo chmod +x /wazuh-custom-commands/custom-df.sh
   sudo chmod +x /wazuh-custom-commands/custom-ps.sh
   # Enable and start the agent
   sudo systemctl daemon-reload
   sudo systemctl enable wazuh-agent
   sudo systemctl start wazuh-agent
   ```
   Windows (the `<powershell>` tags are the wrapper EC2 expects when the script is passed as Windows user data; drop them if you run the script interactively):

   ```powershell
   <powershell>
   # Download the agent installer and run it silently, pointing it at the STA's NLB.
   # msiexec is used explicitly: invoking the .msi file by name does not work from PowerShell.
   Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile wazuh-agent.msi -UseBasicParsing
   Start-Process msiexec.exe -ArgumentList '/i wazuh-agent.msi /quiet WAZUH_MANAGER=sta-p-Wazuh-12345678901-12345678901234567.elb.eu-west-1.amazonaws.com' -Wait
   Start-Sleep -Seconds 30
   Start-Service -Name WazuhSvc
   </powershell>
   ```
3. Verify that the agent has connected by running the following command on the STA:

   ```bash
   sta-wazuh-list-agents
   ```

   You should get output like this, listing the hostname of the monitored instance:

   ```
   Available agents:
   ID: 001, Name: ip-192-168-1-2, IP: any
   ```
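The install scripts above append their two `local_internal_options.conf` settings with `tee -a`, so every re-run adds a duplicate line, and they never check the permissions of the scripts they drop into `/wazuh-custom-commands`. The following helpers are an added example, not part of the Coralogix or Wazuh scripts on this page; the file and directory paths are the ones the scripts above use, and the usage line at the end assumes the helpers are saved as `wazuh-agent-checks.sh`.

```shell
#!/bin/bash
# Added example: idempotent setters and post-install checks for a Wazuh agent
# configured by the scripts above. Paths match those scripts; the file name
# wazuh-agent-checks.sh in the usage comment is assumed.
set -u

# set_internal_option FILE KEY VALUE: drop every existing KEY= line, then
# append exactly one, so re-running an install script never piles up duplicates.
set_internal_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  {
    if [ -f "$file" ]; then grep -v "^${key}=" "$file" || true; fi
    printf '%s=%s\n' "$key" "$value"
  } > "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# get_internal_option FILE KEY: print the last value set for KEY, or nothing.
get_internal_option() {
  [ -f "$1" ] || return 0
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_remote_commands FILE: 0 only when both options the STA relies on are 1.
check_remote_commands() {
  [ "$(get_internal_option "$1" wazuh_command.remote_commands)" = 1 ] &&
    [ "$(get_internal_option "$1" logcollector.remote_commands)" = 1 ]
}

# count_option_lines FILE KEY: number of lines defining KEY (1 after set_internal_option).
count_option_lines() {
  grep -c "^$2=" "$1" || true
}

# check_custom_commands DIR: 0 when every *.sh in DIR is executable and not
# world-writable. The agent executes these scripts with its own privileges, so
# a script anyone can edit lets anyone run code with the agent's privileges.
check_custom_commands() {
  local f
  for f in "$1"/*.sh; do
    [ -x "$f" ] || return 1
    [ -z "$(find "$f" -perm -0002)" ] || return 1
  done
}

# Usage on an agent host, after running the install script:
#   sudo bash -c '. ./wazuh-agent-checks.sh &&
#     check_remote_commands /var/ossec/etc/local_internal_options.conf &&
#     check_custom_commands /wazuh-custom-commands && echo agent config OK'
```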
Good luck (:
If you have any questions or need any additional help, please contact our support team via our 24/7 in-app chat!