A Guide to Windows and Ubuntu Integration with Wazuh-Manager

Wazuh Agent Installation

Rumaisa Niazi
Sep 22, 2021

Wazuh is an open-source end-point security platform for threat and anomaly detection. It addresses the growing demand for continuous monitoring, detection, and response to advanced threats.

The platform helps the Security Analyst perform log monitoring, malware detection, security configuration assessment (SCA), compliance management, etc. by collecting, aggregating, indexing, and analyzing data.

You can find details on its architecture in the official Wazuh documentation.

This article provides a step-by-step guide on how to install and configure the Wazuh server. We also demonstrate the Windows integration with the Wazuh Manager via GUI and CLI, followed by Wazuh agent installation on Ubuntu.

Getting Started

Download the Wazuh virtual image (.ova file) from the official Wazuh website. The OVA file contains all the necessary pre-configured components, so it works on the first boot. Import the virtual image into any compatible virtualization system. For this tutorial, import the image in VMware and set the network adapter to NAT.

Click ‘OK’ and start the Wazuh virtual machine. Enter the default username ‘root’ and password ‘wazuh’ to log in to the Wazuh manager.

Check the machine's IP address using the ‘ip add’ command as follows:

Start the Kibana and Elasticsearch services:

systemctl start kibana
systemctl start elasticsearch

Go to the browser and type the Wazuh IP address to view its interface, then enter the default username and password ‘wazuh’:

Agent Installation

The Wazuh agent runs on multiple platforms and is developed with the requirements of each of them in mind. It contains modules such as command execution, system inventory, log monitoring, active response, etc. Run the agent on the machine you want to monitor; it delivers encrypted data to the Wazuh Manager via SSL/TLS.

This section demonstrates Wazuh agent installation for Windows and Ubuntu.

Windows:

There are three ways to install the Wazuh agent on Windows. In this tutorial, we demonstrate only two of them: GUI and CLI.

GUI

To integrate Windows with the Wazuh server, download the installer/agent from the official website. Run the executable and accept the license to continue the installation.

Search for the Wazuh Manage application in the Windows search bar and double-click it to add the Manager's IP address and the authentication key.

Note: If you run into a Windows error requiring administrative privileges, go to the C:\Program Files (x86)\ossec-agent directory and run the wazuh-agent application from there. Then go back to the Windows search bar and run the Wazuh Manage application to view the window above.

Select Manage and click Start to receive the authentication key.

Save and close the above window and move to the Wazuh console to verify that the Windows agent is active.

Perform some failed login attempts to verify log monitoring. Go to Modules -> Agents -> Security Monitoring to view the monitored events and the generated alerts.

CLI

For the command-line interface, run the command prompt with administrative privileges, cd into the folder containing the downloaded Wazuh agent installer, and run the following command:

wazuh-agent-4.2.1-1.msi /q WAZUH_MANAGER="192.168.120.133" WAZUH_REGISTRATION_SERVER="192.168.120.133"

Ubuntu

Install the curl utility, then use it to import the Wazuh GPG key and add the repository as follows:

ubuntu@ubuntu:~$ sudo apt-get update
ubuntu@ubuntu:~$ sudo apt-get install curl
ubuntu@ubuntu:~$ sudo su
root@ubuntu:~# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
OK
root@ubuntu:~# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb https://packages.wazuh.com/4.x/apt/ stable main
root@ubuntu:~# apt-get update
root@ubuntu:~# apt-get install wazuh-agent
<SNIP>
.
.
Preparing to unpack .../wazuh-agent_4.2.1-1_amd64.deb ...
Unpacking wazuh-agent (4.2.1-1) ...
Setting up wazuh-agent (4.2.1-1) ...
.
.
<SNIP>

Reload the daemon, enable the service to start as soon as the system boots, and start the agent.

root@ubuntu:~# systemctl daemon-reload
root@ubuntu:~# systemctl enable wazuh-agent
root@ubuntu:~# systemctl start wazuh-agent

Move to the server to verify successful integration:
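Before looking at the server, the following bash script checks the agent side of the integration: that ossec.conf points at the manager address used above, that the agent actually received an enrollment key into client.keys, and that the service is active. It is an added example, not code from the article or the Wazuh project; it assumes the stock /var/ossec paths and the standard one-line-per-agent layout of client.keys.

```shell
#!/bin/bash
# Agent-side sanity check for a Wazuh agent installed on Ubuntu as above.
# Added example, not from the article. Assumes the stock Wazuh paths
# /var/ossec/etc/ossec.conf and /var/ossec/etc/client.keys; every check takes the
# file path as an argument so it can also be run against a copied config.

# Print the manager address from the first <client><server><address> in ossec.conf.
agent_manager_address() {
    # $1: path to ossec.conf
    sed -n '/<client>/,/<\/client>/p' "$1" \
        | sed -n 's/.*<address>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/address>.*/\1/p' \
        | head -n 1
}

# Succeed only when ossec.conf points at the expected manager ($2).
check_manager_address() {
    # $1: path to ossec.conf, $2: expected manager IP or hostname
    [ "$(agent_manager_address "$1")" = "$2" ]
}

# Succeed only when client.keys holds exactly one well-formed enrollment line:
# "<id> <agent name> <ip, CIDR or any> <64 hex-character key>". An empty or missing
# file means the agent never received a key from the manager.
check_client_keys() {
    # $1: path to client.keys
    [ -s "$1" ] || return 1
    [ "$(grep -c . "$1")" -eq 1 ] || return 1
    grep -Eq '^[0-9]{3,} [A-Za-z0-9_.-]+ ([0-9./]+|any) [0-9a-fA-F]{64}$' "$1"
}

# Run every check against the live installation and report; returns 1 if any fails.
check_agent() {
    # $1: manager IP or hostname the agent was enrolled with
    local conf=/var/ossec/etc/ossec.conf keys=/var/ossec/etc/client.keys rc=0
    if check_manager_address "$conf" "$1"; then echo "ossec.conf points at $1"
    else echo "manager address mismatch: got '$(agent_manager_address "$conf")'"; rc=1; fi
    if check_client_keys "$keys"; then echo "client.keys holds one enrollment key"
    else echo "client.keys missing or malformed: agent is not enrolled"; rc=1; fi
    if systemctl is-active --quiet wazuh-agent; then echo "wazuh-agent service is active"
    else echo "wazuh-agent service is not running"; rc=1; fi
    return "$rc"
}

# Usage: ./check-agent.sh 192.168.120.133  (does nothing when run without an argument)
if [ -n "${1:-}" ]; then check_agent "$1"; fi
```

Run it as root (client.keys is not world-readable) with the manager address as the only argument; a non-zero exit means the agent will not show up as active on the server.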

Now make some failed authentication attempts to generate alerts. Go to Wazuh -> Agents -> Ubuntu -> Security Events:

Thank you for reading and following the guide this far. You can place your queries and concerns in the comment section below.

Happy Learning!
