How to connect a Wazuh agent to the STA

Wazuh, a fork of the famous OSSEC project, is an agent-based solution for the detection of malicious activity at the host level. It can detect rootkits, malicious processes running on the host, and many other types of malicious network activities. The Coralogix STA can function as a Wazuh manager, allowing Wazuh agents to connect to it, pull policies from it, and forward their logs to it. These logs will be enriched and forwarded to Coralogix for further processing.

Once you have successfully installed the STA in your environment, you can configure Wazuh agents to connect to it by completing the following steps:

1. Find out the relevant Wazuh NLB name (relevant only for cloud installations):
   1. If you have installed the STA by using CloudFormation, open your AWS CloudFormation console and locate the stack you have deployed. In the list of the resources that were deployed (in the “Resources” tab) locate the ID of the “WazuhNLB” that was deployed (should be something like ‘arn:aws:elasticloadbalancing:eu-west-1:746123456762:loadbalancer/net/STA-N-Wazuh-UJZ0XTYPZR41/1773e22e13f084de’)
   2. If you have installed the STA by using Terraform, run the following command in the folder you applied the Terraform template from: terraform state show 'module.sta_ng.module.sta_ng-spotfleet-small-wazuh1-eip1[0].aws_lb.WazuhNLB'. Take note of the id of the NLB. (should be something like ‘arn:aws:elasticloadbalancing:eu-west-1:746123456762:loadbalancer/net/STA-N-Wazuh-UJZ0XTYPZR41/1773e22e13f084de’)
2. Find out the relevant Wazuh NLB DNS name:
   1. If you have installed the STA using either CloudFormation or Terraform, open your AWS EC2 console and navigate to the Load Balancers section and then search for the value you took note of at the previous step. Copy the DNS name of that load balancer (Should be something like STA-N-Wazuh-UXYZXYZXYR41-1234e12e12f064ed.elb.eu-west-1.amazonaws.com)
   2. If you are using the STA in an on-prem environment just use the STA’s host name
3. Install the Wazuh agent on the relevant machines by running the following code (in AWS this should be set as the instances’ user-data script). Just set the WAZUH_MANAGER environment variable (the bold value below) to the variable you took a note of at the previous step (the STA’s Wazuh NLB DNS name):

Ubuntu:

#!/bin/bash

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt-get update -y
export WAZUH_MANAGER="sta-p-Wazuh-12345678901-12345678901234567.elb.eu-west-1.amazonaws.com"
sudo -E apt-get install auditd wazuh-agent -y
echo 'wazuh_command.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf
echo 'logcollector.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf
sudo mkdir -p /wazuh-custom-commands
echo 'IyEvYmluL2Jhc2gKCmRmIC1oIHwgZ3JlcCAtdiAnXi9kZXYvbG9vcFswLTldJyB8IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lOwpkbwogIGVjaG8gImRpc2stdXNhZ2U6ICIkbGluZQpkb25lCg==' | base64 -d | sudo tee /wazuh-custom-commands/custom-df.sh
echo 'IyEvYmluL2Jhc2gKCnBzIC1lZmwgfCB3aGlsZSBJRlM9IHJlYWQgLXIgbGluZTsKZG8KICBlY2hvICJwcm9jZXNzZXMtbGlzdDogIiRsaW5lCmRvbmUK' | base64 -d | sudo tee /wazuh-custom-commands/custom-ps.sh
sudo chmod +x /wazuh-custom-commands/custom-df.sh
sudo chmod +x /wazuh-custom-commands/custom-ps.sh
sudo systemctl enable wazuh-agent.service
sudo service wazuh-agent start
sleep 60
sudo service wazuh-agent restart

RedHat

#!/bin/bash 
 
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH    
sudo echo [wazuh] > /etc/yum.repos.d/wazuh.repo     
sudo echo gpgcheck=1 >> /etc/yum.repos.d/wazuh.repo  
sudo echo gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH >> /etc/yum.repos.d/wazuh.repo  
sudo echo enabled=1  >> /etc/yum.repos.d/wazuh.repo  
sudo echo name=EL-Wazuh >> /etc/yum.repos.d/wazuh.repo  
sudo echo baseurl=https://packages.wazuh.com/4.x/yum/  >> /etc/yum.repos.d/wazuh.repo  
sudo echo protect=1  >> /etc/yum.repos.d/wazuh.repo  
sudo WAZUH_MANAGER="sta-p-Wazuh-12345678901-12345678901234567.elb.eu-west-1.amazonaws.com" yum install wazuh-agent audit -y 
sudo echo 'wazuh_command.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf    
sudo echo 'logcollector.remote_commands=1' | sudo tee -a /var/ossec/etc/local_internal_options.conf    
sudo mkdir -p /wazuh-custom-commands    
echo 'IyEvYmluL2Jhc2gKCmRmIC1oIHwgZ3JlcCAtdiAnXi9kZXYvbG9vcFswLTldJyB8IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lOwpkbwogIGVjaG8gImRpc2stdXNhZ2U6ICIkbGluZQpkb25lCg==' | base64 -d | sudo tee /wazuh-custom-commands/custom-df.sh    
echo 'IyEvYmluL2Jhc2gKCnBzIC1lZmwgfCB3aGlsZSBJRlM9IHJlYWQgLXIgbGluZTsKZG8KICBlY2hvICJwcm9jZXNzZXMtbGlzdDogIiRsaW5lCmRvbmUK' | base64 -d | sudo tee /wazuh-custom-commands/custom-ps.sh    
sudo chmod +x /wazuh-custom-commands/custom-df.sh    
sudo chmod +x /wazuh-custom-commands/custom-ps.sh    
sudo systemctl daemon-reload    
sudo systemctl enable wazuh-agent    
sudo systemctl start wazuh-agent    

Windows

<powershell>
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile wazuh-agent.msi -UseBasicParsing
wazuh-agent.msi /quiet WAZUH_MANAGER=sta-p-Wazuh-12345678901-12345678901234567.elb.eu-west-1.amazonaws.com 
Start-Sleep -Seconds 30
Start-Service -ServiceName WazuhSvc
</powershell>

2. Connect to the STA via SSH using the key pair you specified during the installation of the STA.
3. Run the command sta-wazuh-list-agents. You should get something like this with the hostname of the monitored instance:
   Available agents:
ID: 001, Name: ip-192-168-1-2, IP: any
4. You should be able to see logs from the monitored instance that indicate interesting actions that took place on the monitored instance as recorded by Wazuh.
5. You can review the data from Wazuh by using the Wazuh alerts and Wazuh file integrity monitor dashboards:

Good luck (:

If you have any questions or need any additional help, please contact our support team via our 24/7 in-app chat!