Saturday, August 21, 2021

Monday, July 19, 2021

Wazuh on Windows using docker

You can ignore the memory instructions athttps://documentation.wazuh.com/current/docker/wazuh-container.html and just bring up a git bash shell from https://git-scm.com/download/win

git clone https://github.com/wazuh/wazuh-docker.git - b v4.1.5 --depth=1
cd wazuh-docker
docker-compose up

You'll need to install an agent on the host and point it to localhost. Here's the command that the "Add agent" gives you for a privileged PowerShell: 

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER='localhost' WAZUH_REGISTRATION_SERVER='localhost' WAZUH_AGENT_GROUP='default'

If the agent doesn't seem to register, do:

C:\Program Files (x86)\ossec-agent\agent-auth.exe' -m localhost

Check the log for errors etc via:

more 'C:\Program Files (x86)\ossec-agent\ossec.log'

If you need to remove an existing agent to try again, do:

msiexec.exe /x wazuh-agent.msi /qn 

Tuesday, June 29, 2021

Monday, June 28, 2021

Wazuh on Windows



 


Download an OVA from: https://documentation.wazuh.com/current/virtual-machine/virtual-machine.html

Fire up VirtualBox and choose File, Import Appliance:

Find the file you downloaded:

 

 Accept the settings and import:


 Make sure you are using the Bridged Adapter. Start the VM it should look like:

 The login is root/wazuh. You need to find the IP address via "ip a":

It's been my experience that elasticsearch doesn't always come up, so check via "systemctl status elastic.service". If it's not up, do "systemctl restart elastic.service" and check via status again.



Now, you should be able to get the login screen via your browser at https://<the IP address of the VM>. You will get the warning; this is one of the few times you should accept the risk as it's a VM on your own machine with a self-signed certificate.



You can now login to Wazuh with admin/admin

After some checks, you'll see the home screen. It shows zero agents, so you'll need to "Add agent".


Choose Windows, the IP address from before and the default group.

This will give you a command you need to issue in PowerShell, which you have to run as administrator.

Paste the command, a number of shells will pop up briefly as the client is installed.

Now, you should be able to go to the Wazuh home screen and see that the agent is communicating.

A good place to start is the "Security configuration assessment" for the agent.