Deploying Wazuh v.4.4.1 VM on VMware ESXi for testing purpose


mauro....@cmcc.it

May 2, 2023, 2:28:56 PM
to Wazuh mailing list
Dear Users,

I would like to test Wazuh v.4.4.1 using the VM available for download from the official site.
I just downloaded it, but before going ahead, I would like to ask you some questions:

- can I deploy the VM on a VMware ESXi v.7.0 hypervisor?
- can I manually change the default IP address with a static IP? Is this a dangerous action for the integrity of the default configuration? 
- if I can change the default network configuration, is there anything else I must do in order to have a perfectly operating instance of Wazuh?

Last but not least. Since my target is to control the traffic on my pfSense instance, is there an updated guide to start monitoring pfSense with Wazuh?

Thank you in advance,
Mauro 

Mauricio Ruben Santillan

May 2, 2023, 2:49:02 PM
to Wazuh mailing list
Hello Mauro,

Answering your questions here...

- can I deploy the VM on a VMware ESXi v.7.0 hypervisor?
Yes, you can. The Wazuh OVA can be directly imported to VirtualBox or other OVA compatible virtualization systems. Just have in mind that this VM only runs on 64-bit systems.

- can I manually change the default IP address with a static IP? Is this a dangerous action for the integrity of the default configuration?
Yes, you can. The VM is a CentOS 7 with Wazuh on it. You just need to configure the OS network settings for this. Wazuh by default will "listen" on its assigned IP address and there's no specific setting for this in Wazuh.

- if I can change the default network configuration, is there anything else I must do in order to have a perfectly operating instance of Wazuh?
The Wazuh OVA is prepared to work out-of-the-box. Still, have in mind that the OVA is not intended for high availability nor scalability (you should consider a distributed deployment for this).

Now about integrating pfSense with Wazuh, you would need to enable syslog ingestion in Wazuh as explained here so you can forward your pfSense events to it.
Although Wazuh already includes rules for pfSense events, you might want to add some additional custom rules. You can check default pfSense rules here.

I hope this helps. Let me know how it goes.
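An added example, not from the thread or from Wazuh's own documentation, of what "enable syslog ingestion" amounts to on the manager: the ossec.conf fragment below opens a syslog listener and shows the weak and the corrected form of the allowed-ips setting side by side. It assumes pfSense sends syslog from 192.168.1.1 to the manager's static address 192.168.1.10 on UDP/514; all three values are placeholders to replace with your own.

```xml
<!-- Added example for /var/ossec/etc/ossec.conf on the Wazuh manager.
     Assumed placeholders: pfSense at 192.168.1.1, manager at 192.168.1.10,
     syslog on UDP/514. -->
<ossec_config>

  <!-- Weak setting: any host that can reach UDP/514 on the manager may
       feed it "pfSense" events, so spoofed or flooding messages are trivial.
       Kept only for contrast; do not enable it. -->
  <!--
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  -->

  <!-- Corrected setting: accept syslog only from the pfSense address and
       bind only the manager's static IP. If you later change that static
       IP in the OS network settings, update local_ip here as well. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.1</allowed-ips>
    <local_ip>192.168.1.10</local_ip>
  </remote>

</ossec_config>
```

After saving, restart the manager with systemctl restart wazuh-manager and confirm with ss -lunp that wazuh-remoted is bound on port 514. On pfSense, point Status > System Logs > Settings > Remote log servers at 192.168.1.10:514 and enable the firewall events category. Events received this way carry the sender's IP address as their location; if rsyslog on the VM writes them to a file instead, read that file with a localfile block using log_format syslog, and the location will be the file path.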

mauro....@cmcc.it

May 3, 2023, 6:45:40 AM
to Wazuh mailing list
Hello Mauricio,

thanks to your help, I was able to start collecting logs from pfsense.
Now it works like a charm.

I can see the new entries in the Wazuh "Security Events" web page.
QUESTION 1: now, since the log file parsed by Wazuh is saved on the Wazuh VM in /var/log/pfsese/pfsense.log, the "Agent Name" mentioned in the "Security Events" section is always "wazuh-manager".
Is there a way to distinguish the security events related to PFSENSE from the ones actually related to WAZUH-MANAGER?

QUESTION 2: As you said, Wazuh already includes some rules for pfSense, but I noticed that they are few :) Do you know if the number of pfSense rules will be increased in the future? pfSense is one of the most used software firewalls; a lot of people will be happy to integrate and monitor it with Wazuh.

Thanks for your patience and support,
Mauro


On Wednesday, 3 May 2023 at 08:10:16 UTC+2, mauro....@cmcc.it wrote:
Hello Mauricio,

sorry for my late answer.
Thank you very much for your help and for your reply. It is very detailed and I really appreciated it.

I will try to follow your instructions starting from today and I will let you know.

Have a great day.
Mauro


Mauricio Ruben Santillan

May 8, 2023, 3:11:50 PM
to Wazuh mailing list
Hello Mauro,

QUESTION 1: now, since the log file parsed by Wazuh is saved on the Wazuh VM in /var/log/pfsese/pfsense.log, the "Agent Name" mentioned in the "Security Events" section is always "wazuh-manager".
Is there a way to distinguish the security events related to PFSENSE from the ones actually related to WAZUH-MANAGER?

You can easily filter out events using their location field:
[screenshot: Security Events filtered on the location field]
Just make sure to set the proper path into the field Value.


QUESTION 2: As you said, Wazuh already includes some rules for pfsense, but I noticed that they are few :) do you know if the number of pfsense rules will be increased in the future? Pfsense is one of the most used software firewall, a lot of people will be happy to integrate and monitor it  with Wazuh.

I could not confirm this for now (I don't see any related issue in our GitHub repository). Have in mind that you can add as many custom rules as you need to your Wazuh, and you can also propose and share additional ones by creating a Feature Request in our GitHub repository.

I hope this helps!
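An added example, not part of the thread or of Wazuh's own ruleset, of using the same location field inside a custom rule rather than only in the dashboard filter, so the manager itself separates pfSense events from its own. It assumes the built-in pfSense rules carry the group "pfsense", that the pfSense decoder exposes the fields action, direction and dstport, that the log is read from /var/log/pfsense/pfsense.log, and that rule ID 100100 is unused; check the first two assumptions against a real captured line with /var/ossec/bin/wazuh-logtest before relying on the rule.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml.
     Assumptions to verify with /var/ossec/bin/wazuh-logtest:
       * built-in pfSense rules carry the group "pfsense"
       * the pfSense decoder exposes action, direction and dstport
       * the log is read from /var/log/pfsense/pfsense.log
       * rule ID 100100 is free (IDs from 100000 up are reserved for local rules) -->
<group name="local,pfsense,">

  <!-- Blocked inbound SSH seen by the firewall. <location> pins the rule to
       the pfSense log, so the same text arriving from another file or host
       on the manager does not match; that is what keeps pfSense alerts
       apart from wazuh-manager's own in the Security Events view. -->
  <rule id="100100" level="8">
    <if_group>pfsense</if_group>
    <location>/var/log/pfsense/pfsense.log</location>
    <action>block</action>
    <field name="direction">^in$</field>
    <field name="dstport">^22$</field>
    <description>pfSense: inbound SSH to port 22 blocked from $(srcip)</description>
    <group>firewall_drop,ssh,</group>
  </rule>

</group>
```

Run wazuh-logtest, paste a blocked-SSH line from the pfSense log, and confirm that the decoder section lists the field names used above and that rule 100100 fires; then restart the manager with systemctl restart wazuh-manager. In the dashboard the resulting alerts can be narrowed with either location or rule.groups, independent of the agent name.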

Mauro Tridici

May 8, 2023, 4:30:22 PM
to Mauricio Ruben Santillan, Wazuh mailing list
Hello Mauricio,

many thanks for your help and answer.

Last questions, if I can :)

1) Can I change the default "wazuh-user" Linux user password (using the passwd command)?
2) How can I change the default “admin” Wazuh UI user password?
3) Can I add 2FA to the Wazuh UI login page? If yes, how can I do it?

I did the first two “stupid” questions because I would like to avoid disrupting Wazuh configuration (changing the password).

Many thanks in advance,
Mauro




Mauricio Ruben Santillan

May 8, 2023, 5:36:21 PM
to Wazuh mailing list
Hi Mauro,

Answering each question:
1) Can I change the default "wazuh-user" Linux user password (using the passwd command)?
The Linux user wazuh is configured without the possibility of logging in by default. This is how it looks in /etc/passwd:
wazuh:x:998:998::/var/ossec:/sbin/nologin
What I mean is that you won't be able to log into your Linux box using wazuh as a user. Still, I've tested this and there's apparently no issue after doing it.

2) How can I change the default “admin” Wazuh UI user password?

3) Can I add a 2FA tu the Wazuh UI login page? If yes, how can I do it?
Although Wazuh Dashboard itself does not support 2FA, you can still use a 2FA through a supported SSO service. You would need to integrate Wazuh with any of them, and configure 2FA on your SSO.

I hope this helps.

Mauro Tridici

May 8, 2023, 5:56:24 PM
to Mauricio Ruben Santillan, Wazuh mailing list
Thank you again Mauricio, 

I really appreciated your patience. 
Anyway, wazuh-user exists on the ready-to-go VM and I use it to log into the OS. 

If you have the Wazuh VM you can check it by yourself. 

Can I change the password of this user? 

Thanks, 
Mauro

Mauricio Ruben Santillan

May 8, 2023, 8:06:28 PM
to Mauro Tridici, Wazuh mailing list
Ahaha! That's because I'm used to installing it instead of using the OVA :)

Yes. You can change its password.

--
Wazuh
Mauricio Santillan
IT Security Engineer - Support DRI