Agent on Native Linux, Server on WLS (Windows Linux Subsystem)


ed...@mattermedia.com

Jul 8, 2018, 1:08:11 PM
to Wazuh mailing list
Newbie here. I used to run Atomicorp.

I'm managing a single machine to start, but I'd rather not have the server run on the same box as the agent.

I'd like to run the server on Ubuntu 16.04 in Windows Linux Subsystem.

1) Is it possible to run it in WLS?

2) If yes to 1: since the server wouldn't be running at all times, would the agent queue sending info to the server and send it all at once the server comes online?

3) If no to 1:

a) any plans to release a server for Windows?
 
b) My last resort would be to install it all on the monitored machine. How easy is it to purge everything installed by Wazuh when I decide to move the server to its own dedicated machine?


ed...@mattermedia.com

Jul 8, 2018, 2:39:42 PM
to Wazuh mailing list

For now I am running everything inside a docker container.

How do I expose Kibana to the private IP address held by the physical interface on the machine so that I can access it from Windows? I would then use ufw to lock access to the LAN only, or even to my Windows machine's LAN address. Or should I tunnel SSH to the Kibana interface?

I would also like to have all logs retained by Wazuh on a separate partition. I don't want the logs to fill up the boot partition.

TIA

Miguelangel Freitas

Jul 9, 2018, 8:47:01 AM
to ed...@mattermedia.com, Wazuh mailing list
Hi,

You can use the official Docker compose file here: https://github.com/wazuh/wazuh-docker/blob/master/docker-compose.yml. By default this docker-compose file exposes TCP/443 (HTTPS) through an Nginx container that provides HTTP Basic authentication for Kibana; the default credentials are foo:bar.

In case you need to use the default Kibana port TCP/5601 you can just uncomment these lines in the Docker compose file: https://github.com/wazuh/wazuh-docker/blob/master/docker-compose.yml#L66-L67

For the log retention, you can uncomment these two lines: https://github.com/wazuh/wazuh-docker/blob/master/docker-compose.yml#L17-L18. One caveat here is that this will only work at the first Wazuh container startup and will create a bound volume on the host to store important files related to settings and logs.

I hope this helps, please do not hesitate to contact us again.

Best Regards,
Miguelangel Freitas.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b2845e61-9ec9-45ec-a6d2-3efff649075e%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
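An illustrative docker-compose fragment (added here; it is not the wazuh-docker project's file) showing the two settings discussed in the reply above: publishing Kibana's TCP/5601 bound to the host's LAN address instead of every interface, and a bind-mounted volume so /var/ossec/data lives on a separate partition. The host address 192.0.2.10, the host path /mnt/wazuh-data, and the wazuh/wazuh-kibana image name are assumptions.

```yaml
version: '3'
services:
  wazuh:
    image: wazuh/wazuh:3.3.1_6.3.0        # tag as listed later in this thread
    hostname: wazuh-manager
    ports:
      - "1514:1514/udp"                   # agent event traffic
      - "1515:1515"                       # agent enrollment
    volumes:
      # Bind mount: a host directory on the separate partition (assumed path)
      # backs the container's /var/ossec/data, so logs never land on the boot
      # partition and survive image/container replacement (an overlay2 layer
      # path under /var/lib/docker would not). As the reply notes, this must be
      # in place before the container's first start.
      - /mnt/wazuh-data/ossec:/var/ossec/data

  kibana:
    image: wazuh/wazuh-kibana:3.3.1_6.3.0  # assumed image name
    ports:
      # Weak form: "5601:5601" publishes on 0.0.0.0, reachable from every
      # interface the host has.
      # Corrected form: prefix the host's private LAN address (assumed
      # 192.0.2.10) so Docker only publishes the port on that interface.
      - "192.0.2.10:5601:5601"
```

Docker installs its own iptables rules ahead of ufw's chains, so a ufw deny rule alone does not reliably block a published container port; binding the publication to a specific address is the control that actually limits exposure.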

ed...@mattermedia.com

Jul 9, 2018, 2:48:21 PM
to Wazuh mailing list
Thank you Miguelangel. Do you happen to know some answers for the OP?


ed...@mattermedia.com

Jul 9, 2018, 3:12:30 PM
to Wazuh mailing list
Not sure I understand the implications of the caveat. What happens on the 2nd startup?

Wouldn't it be easier to symlink /var/lib/docker/overlay2/4051910fc84164975d6928d2b0aca7f153f277daa137cb0ea9030a3a627f7b13/diff/var/ossec/data to a folder on the other partition? Or does the long hex string part of the path change frequently?

Thank you

Miguelangel Freitas

Jul 11, 2018, 5:50:19 PM
to ed...@mattermedia.com, Wazuh mailing list
Hi Eddie,

On the first run, the Wazuh Manager container will move and symlink some folders in order to have a useful bound path for the chroot environment.

A good approach to having persistent data with Docker containers is using bound volumes; for that reason I suggest that option to you. Also, the hex folder you see under the /var/lib/docker path can change between releases. For example:

root@wazuh-host:~# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
wazuh/wazuh         latest              637aee3695b1        8 hours ago         812MB
wazuh/wazuh         3.3.1_6.3.0         e3720e00c456        9 days ago          805MB

root@wazuh-host:~# find /var/lib/docker/overlay2/ -name "data" -type d|grep ossec
/var/lib/docker/overlay2/98cc3f41a768d0588fd99fc20562337a447b2fee4deeb2bca75b5fa2daa89009/diff/var/ossec/data
/var/lib/docker/overlay2/2a8c5cd97470530e18ca8199e779f852c4efe1ad6319c38f9901621af07523c8/diff/var/ossec/data

Those paths are tied to the Docker image layers.

Best Regards,
Miguelangel Freitas.


Miguelangel Freitas

Jul 11, 2018, 6:23:26 PM
to ed...@mattermedia.com, Wazuh mailing list
Hi,

I have not tested running the Wazuh Manager in WSL before, but according to Microsoft it is not recommended to run that kind of service in WSL: https://docs.microsoft.com/en-us/windows/wsl/faq#can-i-run-all-linux-apps-in-wsl

The Wazuh agent is multiplatform and can be installed on different OSes (Linux, Windows, AIX, Solaris, macOS, etc.). The agent is very lightweight and only collects information to send it over to the analysis engine, which we call the manager. The manager needs to be a standalone Linux server. It does not run on Windows. To sum up, you can definitely monitor Windows hosts without any issue by installing an agent on that particular host. However, the Manager should be installed on a Linux machine; we offer pre-built packages for DEB/RPM-based distros: https://documentation.wazuh.com/current/installation-guide/packages-list/index.html

The default installation path of the Wazuh Manager/Agent is /var/ossec; no extra files are saved on the host outside this folder.

I hope this helps, please do not hesitate to contact us again. Thanks!

Best Regards,
Miguelangel Freitas.

On Mon, Jul 9, 2018 at 1:48 PM, <ed...@mattermedia.com> wrote:
Thank you Miguelangel. Do you happen to know some answers for the OP?

