Wazuh setup


Kalvin Lee

May 2, 2023, 5:22:11 AM
to Wazuh mailing list
Hi Sir,

I installed Wazuh trial version yesterday on a Kali Linux VM to carry out some school work.

Tried adding agents on several VMs (Ubuntu/Kali/Win7) but was not successful, although I followed the steps closely from the Wazuh platform.

On the VMs (Ubuntu/Kali), although it shows that the agents are successfully installed, the Wazuh platform still shows that no agent has been set up.

Can anyone help me?

br
Kalvin

Antonio Kim

May 2, 2023, 5:43:13 AM
to Wazuh mailing list
Hi Kalvin

Thanks for using Wazuh.
In order to help:
1. Can you tell me which version of Wazuh you are installing and how many clusters/agents (indexers, manager, workers, agents) you have in mind to configure?
2. Would you let me know the steps you have done on each agent?
3. Did you configure the proper IP address in each agent in /var/ossec/etc/ossec.conf (Linux) or C:\Program Files (x86)\ossec-agent\ossec.conf (Windows)?


Antonio

Kalvin Lee

May 2, 2023, 6:04:48 AM
to Wazuh mailing list
Dear Antonio,

1. Can you tell me which version of Wazuh you are installing and how many clusters/agents (indexers, manager, workers, agents) you have in mind to configure?
I have installed version 4.3.10 and I would like to have 1 indexer (installed in Kali Linux) and 2 to 3 agents (to be installed in various Ubuntu/Kali/Win 7 VMs).

2. Would you let me know the steps you have done in each agent?
I did the following to install on a Ubuntu VM and Kali.

i) Installing and enrolling the agent with the command below:
curl -so wazuh-agent-4.3.10.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.10-1_amd64.deb && sudo WAZUH_MANAGER='REMOVED' WAZUH_REGISTRATION_PASSWORD='REMOVED' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.10.deb

ii) starting the agent:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
sudo systemctl status wazuh-agent (for checking if the agent is active)

iii)
For installing the agent in a Win7 VM, I encountered an issue indicating "invoke-webrequest is not recognized".

After carrying out the steps in (i) and (ii), I return to the Wazuh platform to check, but every time it shows that no agent has been added. For (iii) I wasn't able to carry on due to the issue.


3. Did you configure the proper IP address in each agent in /var/ossec/etc/ossec.conf (Linux) or C:\Program Files (x86)\ossec-agent\ossec.conf (Windows)?
I am not sure about this step.

from /var/ossec/etc/ossec.conf:
10.0.2.42 1514 tcp kali, kali2022, kali2022.2 10 60 yes aes yes default no 5000 500 no yes yes yes yes yes yes yes 43200 etc/shared/rootkit_files.txt etc/shared/rootkit_trojans.txt yes yes 1800 1d yes wodles/java wodles/ciscat yes yes /var/log/osquery/osqueryd.results.log /etc/osquery/osquery.conf yes no 1h yes yes yes yes yes yes yes 10 yes yes 12h yes no 43200 yes /etc,/usr/bin,/usr/sbin /bin,/sbin,/boot /etc/mtab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/random.seed /etc/adjtime /etc/httpd/logs /etc/utmpx /etc/wtmpx /etc/cups/certs /etc/dumpdates /etc/svc/volatile .log$|.swp$ /etc/ssl/private.key yes yes yes yes 10 100 yes 5m 1h 10 command df -P 360 full_command netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d netstat listening ports 360 full_command last -n 20 360 no etc/wpk_root.pem yes plain apache /var/log/nginx/access.log apache /var/log/nginx/error.log apache /var/log/apache2/error.log apache /var/log/apache2/access.log syslog /var/ossec/logs/active-responses.log syslog /var/log/messages syslog /var/log/auth.log syslog /var/log/syslog syslog /var/log/dpkg.log syslog /var/log/kern.log

br
K

Antonio Kim

May 2, 2023, 6:27:53 AM
to Wazuh mailing list
Hi Kalvin.

Each step seems to be ok.

When I asked for /var/ossec/etc/ossec.conf IP setting:

<ossec_config>
  <client>
    <server>
<address><wazuh-manager></address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>debian, debian10</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>


It is really important to have your wazuh-manager cluster IP in the "address" field,
which I am not sure about, because when you copied and pasted the ossec.conf, the HTML stripped the tags and it shows me this:


10.0.2.42 1514 tcp kali, kali2022, kali2022.2 10 60 yes aes yes default no 5000 500 no yes yes yes yes yes yes yes 43200 etc/shared/rootkit_files.txt etc/shared/rootkit_trojans.txt yes yes 1800 1d yes wodles/java wodles/ciscat yes yes /var/log/osquery/osqueryd.results.log /etc/osquery/osquery.conf yes no 1h yes yes yes yes yes yes yes 10 yes yes 12h yes no 43200 yes /etc,/usr/bin,/usr/sbin /bin,/sbin,/boot /etc/mtab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/random.seed /etc/adjtime /etc/httpd/logs /etc/utmpx /etc/wtmpx /etc/cups/certs /etc/dumpdates /etc/svc/volatile .log$|.swp$ /etc/ssl/private.key yes yes yes yes 10 100 yes 5m 1h 10 command df -P 360 full_command netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d netstat listening ports 360 full_command last -n 20 360 no etc/wpk_root.pem yes plain apache /var/log/nginx/access.log apache /var/log/nginx/error.log apache /var/log/apache2/error.log apache /var/log/apache2/access.log syslog /var/ossec/logs/active-responses.log syslog /var/log/messages syslog /var/log/auth.log syslog /var/log/syslog syslog /var/log/dpkg.log syslog /var/log/kern.log

If the IP address is OK, try restarting your agent with systemctl restart wazuh-agent on each agent (UNIX) or NET RESTART WazuhSvc (Windows); then, on the wazuh-manager, please show me the result of:

/var/ossec/bin/manage_agents -l

The answer should be something like:

Available agents:
   ID: 001, Name: wazuh-agent1, IP: any

Antonio

Kalvin Lee

May 2, 2023, 7:29:31 AM
to Wazuh mailing list
Dear Antonio,

Please find the info for the /var/ossec/etc/ossec.conf IP setting, which I retrieved from the agent machine:

<ossec_config>
  <client>
    <server>
      <address>10.0.2.42</address>

      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>kali, kali2022, kali2022.2</config-profile>

    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
    <enrollment>
      <enabled>yes</enabled>
      <groups>default</groups>
    </enrollment>
  </client>

It doesn't look correct as it is indicating its own address instead of the manager.

br
Kalvin

Antonio Kim

May 2, 2023, 8:04:49 AM
to Wazuh mailing list
Perfect Kalvin.

Then:
1. Replace that address with the Worker/Manager cluster address.
2. Try restarting your agent with systemctl restart wazuh-agent on each agent (UNIX) or NET RESTART WazuhSvc (Windows), then, on the wazuh-manager:
3. Check
/var/ossec/bin/manage_agents -l

Please, let me know if the agents are appearing in the list.

Antonio
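As an added example (not from this thread and not the Wazuh project's own code), the shell script below does step 1 of the procedure above and the check a practitioner would want before the restart: it extracts the <address> inside the <client><server> block of an ossec.conf, rewrites it to the manager address, and flags the misconfiguration seen earlier in the thread, where the agent is pointing at its own IP (or at a loopback/placeholder value). It runs against a constructed copy of the config, so it can be tried anywhere; the function names, the hypothetical manager IP 10.0.2.15 and the list of the agent's own IPs are assumptions, and the real path /var/ossec/etc/ossec.conf is only touched if you pass it in. Restarting the agent and running manage_agents -l on the manager are left to the steps above, since they need the real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread or from Wazuh. Assumes the
# <client><server><address> layout shown in the thread; all paths and IPs
# are parameters so the script can be run against a throwaway copy.
set -eu

# Print the first <address> found inside the <client><server> block.
get_manager_address() {
    conf="$1"
    sed -n '/<server>/,/<\/server>/p' "$conf" \
        | sed -n 's/.*<address>\(.*\)<\/address>.*/\1/p' \
        | head -n 1
}

# Step 1 of the procedure: replace the address in the <server> block only,
# leaving any other <address> elements in the file untouched.
set_manager_address() {
    conf="$1"
    manager="$2"
    sed "/<server>/,/<\/server>/ s|<address>[^<]*</address>|<address>${manager}</address>|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when the configured address is plausibly a remote manager:
# non-empty, not a placeholder, not loopback, and not one of this host's
# own addresses (passed in as a space-separated list, e.g. from `hostname -I`).
check_manager_address() {
    conf="$1"
    own_ips="$2"
    addr=$(get_manager_address "$conf")
    if [ -z "$addr" ]; then
        echo "no <address> found inside the <server> block of $conf" >&2
        return 1
    fi
    case "$addr" in
        MANAGER_IP|127.*|localhost|::1)   # MANAGER_IP: assumed placeholder text
            echo "address '$addr' is a placeholder or loopback, not a manager" >&2
            return 1 ;;
    esac
    for ip in $own_ips; do
        if [ "$ip" = "$addr" ]; then
            echo "address '$addr' is this host's own IP; the agent would talk to itself" >&2
            return 1
        fi
    done
    echo "manager address looks usable: $addr"
    return 0
}

# Constructed sample config mirroring the one pasted in the thread, where the
# agent's own IP (10.0.2.42) ended up in the <address> field.
make_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>10.0.2.42</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>kali, kali2022, kali2022.2</config-profile>
  </client>
</ossec_config>
EOF
}

# Demo on a temporary file: detect the self-pointing address, fix it, re-check.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    check_manager_address "$tmp" "10.0.2.42" || echo "-> fixing with step 1"
    set_manager_address "$tmp" "10.0.2.15"   # 10.0.2.15: hypothetical manager IP
    check_manager_address "$tmp" "10.0.2.42"
    rm -f "$tmp"
fi
```

Run it as `sh check_agent_conf.sh demo` to see the detect/fix/re-check cycle on the sample; to use it on a real agent, source the file and call `check_manager_address /var/ossec/etc/ossec.conf "$(hostname -I)"` before `systemctl restart wazuh-agent`, so a self-pointing or placeholder address is caught before the agent tries to enrol.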

Antonio Kim

May 2, 2023, 4:35:49 PM
to Wazuh mailing list
Regarding:
Dear Antonio,

I managed to get an active deployment for agent id:001 in the website.

But when I try checking /var/ossec/bin/manage_agents -l in the manager machine, I cannot locate the file.

br
Kalvin
---------------------------------------------------------------------------------------
This command is to be run in wazuh-manager:
 /var/ossec/bin/manage_agents -l

I am not sure if you tried to run it in the agent.
It is a file that is part of basic binaries of wazuh.

Antonio

Kalvin Lee

May 3, 2023, 9:42:27 AM
to Wazuh mailing list
Dear Antonio, 

For the setup on a Win10 32-bit VM, I have done the following, but it is still returning an error.

Keyed the below into PowerShell:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10.msi /q WAZUH_MANAGER='yh5ykvj6mg0c.cloud.wazuh.com' WAZUH_REGISTRATION_SERVER='yh5ykvj6mg0c.cloud.wazuh.com' WAZUH_REGISTRATION_PASSWORD='hwdkm4yMQIMWMwOXv2JbAXLtjv1UdxWD' WAZUH_AGENT_GROUP='default' 

Thereafter I key in the below:
NET START WazuhSvc

Error message:
"The Service name is invalid"
"More help is available by typing NET HELPMSG 2185"

br
Kalvin

