Tuesday, June 29, 2021

Monday, June 28, 2021

Wazuh on Windows

Download an OVA from: https://documentation.wazuh.com/current/virtual-machine/virtual-machine.html

Fire up VirtualBox and choose File, Import Appliance:

Find the file you downloaded:

Accept the settings and import:

Make sure the VM is using the Bridged Adapter. Start the VM; it should look like this:

The login is root/wazuh. Find the VM's IP address with "ip a":

It's been my experience that elasticsearch doesn't always come up, so check via "systemctl status elastic.service". If it's not up, do "systemctl restart elastic.service" and check via status again.

Now you should be able to reach the login screen in your browser at https://<the IP address of the VM>. You will get the browser's certificate warning; this is one of the few times you should accept the risk, as it is a VM on your own machine presenting a self-signed certificate.

You can now log in to Wazuh with admin/admin.

After some checks, you'll see the home screen. It shows zero agents, so you'll need to "Add agent".

Choose Windows, enter the VM's IP address from before as the server address, and keep the default group.

This gives you a command to run in PowerShell, which must be started as administrator.

Paste the command; a number of shell windows will pop up briefly as the agent is installed.

Now, you should be able to go to the Wazuh home screen and see that the agent is communicating.
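A post-install check to run on the Windows host, in the same administrator PowerShell, once the dashboard's command has finished; this is an added example and not part of the original post. It assumes the Wazuh agent's default install directory and service name (WazuhSvc), the default manager ports 1514 (agent traffic) and 1515 (enrollment), and the agent's wazuh-agent.state file; the manager IP is a placeholder to replace with the VM's address.

```powershell
# Added example: verify the Wazuh Windows agent after installation.
# Assumed: default install path, service name WazuhSvc, ports 1514/1515,
# and the wazuh-agent.state file. $ExpectedManager is the VM IP from "ip a".
param([string]$ExpectedManager = '192.0.2.10')   # placeholder, use the VM's IP

$agentDir  = 'C:\Program Files (x86)\ossec-agent'
$conf      = Join-Path $agentDir 'ossec.conf'
$stateFile = Join-Path $agentDir 'wazuh-agent.state'

# 1. The agent runs as the WazuhSvc service; it must exist and be running.
$svc = Get-Service -Name 'WazuhSvc' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Error 'WazuhSvc not found: the installer did not complete.'; exit 1 }
if ($svc.Status -ne 'Running') {
    Write-Warning "WazuhSvc is $($svc.Status); starting it."
    Start-Service -Name 'WazuhSvc'
}

# 2. ossec.conf must point at the manager you entered in the dashboard.
#    Parsed with a regex rather than [xml] so it tolerates Wazuh's config layout.
$raw = Get-Content -Path $conf -Raw
$addresses = [regex]::Matches($raw, '<server>\s*<address>\s*([^<\s]+)\s*</address>') |
    ForEach-Object { $_.Groups[1].Value }
if ($addresses -notcontains $ExpectedManager) {
    Write-Error "ossec.conf points at [$($addresses -join ', ')], expected $ExpectedManager"
    exit 1
}
$portMatch = [regex]::Match($raw, '<server>[\s\S]*?<port>\s*(\d+)\s*</port>')
$port = if ($portMatch.Success) { [int]$portMatch.Groups[1].Value } else { 1514 }

# 3. The agent needs TCP reachability to the manager's agent port and enrollment port.
foreach ($p in @($port, 1515)) {
    $ok = Test-NetConnection -ComputerName $ExpectedManager -Port $p `
          -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $ok) { Write-Warning "TCP $p to $ExpectedManager not reachable (firewall or wrong IP?)" }
}

# 4. The agent records its connection state (assumed file and format) once it has
#    talked to the manager; 'connected' is what the dashboard's agent page reflects.
if (Test-Path $stateFile) {
    $m = Select-String -Path $stateFile -Pattern "^status='(\w+)'"
    $status = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
    Write-Output "Agent status from wazuh-agent.state: $status"
    if ($status -ne 'connected') { exit 1 }
} else {
    Write-Warning 'wazuh-agent.state not written yet; wait a minute and re-run.'
}
Write-Output 'Wazuh agent looks healthy; the dashboard should now list it as active.'
```

If step 2 or 4 fails, the agent will show as "never connected" or "disconnected" in the dashboard, which is usually a wrong manager address or a host firewall blocking the ports checked in step 3.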

A good place to start is the "Security configuration assessment" for the agent.