Use Wazuh with Linode for System Monitoring
This article covers installation and deployment of the Wazuh platform, using Linode to host the deployment. Wazuh is a free, open-source host-based intrusion detection and security monitoring platform: it collects and analyzes logs from agents, monitors file integrity and detects known vulnerabilities on the hosts it watches. It is simple to use and substantially improves the visibility you have into the hosts on your network. Linode is a cloud provider whose Marketplace makes deploying and maintaining Wazuh simple and scalable. Wazuh can also be deployed on other cloud providers, with Docker, on a local server, or as a pre-built .ova virtual appliance in VirtualBox.
Linode
First, we will create a Linode account on linode.com. Creating the account is free, and like other cloud platforms you only pay for the resources you use while running the machines you deploy.
Once we have created an account, we will be on the dashboard page:
Next, click Create in the top left of the screen, select Linode, select Marketplace, type “wazuh” in the search field, and Wazuh should appear on the screen:
Next we will select the Wazuh tab on the screen and scroll down to the configuration section. We will then enter our email, sudo user name and password, select the most recent Ubuntu distribution, choose a region close to our location, and then select shared CPU. We will need at least the 4GB option in order to have the resources necessary to host the Wazuh manager, indexer and dashboard on one machine. In my case, this is $24 a month.
Scroll down a little further and enter a root password, then click Launch Linode in the bottom left. The machine will take some time to spin up completely, but we should be able to connect relatively quickly.
Connecting to Wazuh
Once the VM is running, we can connect over SSH. Copy the SSH Access command from the Linode page and paste it into any terminal, and it will open a connection to the VM. Remember your root password; you will need it to complete the connection. Since the image allows root login with a password, it is worth adding an SSH key and disabling password authentication once you are in, as the machine will be exposing a public login prompt from now on.
Once the connection has been opened, we can run htop to see the running processes and check whether Wazuh is still installing:
Installation could take up to 15 minutes. Once htop is no longer showing installation processes, we are ready to log in to Wazuh. Use CTRL + C to exit htop, and then ls -al to view the contents of the current directory, including hidden files. You should see the .deployment-secrets.txt file:
This file has our usernames and passwords in it, in plaintext. We will run cat on this file to display the contents to the terminal. Treat it as you would any credentials file: keep it readable only by root, store the passwords in a password manager, and remove the file once you no longer need it.
The first username and password will be the admin user. Next, we will go back to Linode in our browser and go to the Network tab. Scrolling down the page, we will see a “reverse DNS” column. We will copy the IP address from this column and paste it into our browser to access Wazuh:
Add https:// in front of the address and paste it into the browser. A default Wazuh install serves the dashboard with a self-signed certificate, so expect a browser warning the first time you connect. Use the admin user and password from the .deployment-secrets.txt file to log in. Once logged in, the application may run a health check:
The dashboard should look like this once everything is initialized:
Adding Agents for Monitoring
We will now start adding agents for logging and monitoring. At the top of the dashboard you will see blue text that says Add agent. We will click on this and start configuring the agent:
We will use the Linode's IP address as the server address (the agent expects a bare IP address or hostname here, not a URL with https:// in front of it), select the default group, and then Wazuh provides us with a single command to install the agent on the host machine:
Now we will run the installation command from the local machine:
Next, we will run the systemctl commands to enable and start the Wazuh agent service. The agent needs to reach the manager on TCP port 1514 (events) and 1515 (enrollment), so make sure nothing between the host and the Linode is blocking those ports:
I was getting this error: Job for wazuh-agent.service failed because the control process exited with error code.
See “systemctl status wazuh-agent.service” and “journalctl -xeu wazuh-agent.service” for details.
This was the output for systemctl status wazuh-agent.service:
Running sudo nano /var/ossec/etc/ossec.conf and changing the server URL to not include https allowed the command to run:
Refreshing on the Wazuh page now displays the Ubuntu machine as an agent:
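The failure above comes from putting the dashboard URL into the agent's <address> element, which only accepts a hostname or IP. The following script is an added example, not part of the original article or of Wazuh's own tooling: it normalizes a pasted manager address, validates it, and rewrites the <address> element in an ossec.conf-style file. The sample config, the address 203.0.113.10 and the file paths are constructed for illustration; the WAZUH_MANAGER variable, the ossec.conf location and the systemctl commands in the comments are the stock Wazuh agent ones.

```shell
#!/bin/sh
# Added example: fix the "URL instead of hostname" mistake in a Wazuh agent config.
# Assumption (hypothetical): the agent package is installed under /var/ossec and
# its config is /var/ossec/etc/ossec.conf, as in the stock Wazuh .deb/.rpm.
#
# The real-world steps this automates (from the dashboard's one-liner and docs):
#   sudo WAZUH_MANAGER='203.0.113.10' dpkg -i ./wazuh-agent_*.deb
#   sudo systemctl daemon-reload && sudo systemctl enable wazuh-agent
#   sudo systemctl start wazuh-agent && sudo systemctl status wazuh-agent
# If the service fails, check /var/ossec/logs/ossec.log and the <address> element.

# Strip an http:// or https:// scheme, any trailing path, and any :port,
# leaving the bare host the agent actually needs.
normalize_manager() {
    echo "$1" | sed -E 's#^[a-zA-Z]+://##; s#/.*$##; s#:[0-9]+$##'
}

# Accept only characters valid in an IPv4 address or DNS hostname; refuse
# anything with a scheme, slash, colon or whitespace left in it.
is_valid_manager() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Rewrite the first <address>...</address> element in the given file (portable:
# writes to a temp file then renames, so no GNU-only `sed -i`).
set_manager_address() {
    file="$1"; addr="$2"
    sed -E "s#<address>[^<]*</address>#<address>${addr}</address>#" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Read the current <address>, normalize it, validate, and write it back.
# Prints the corrected address on success; fails if nothing usable remains.
fix_conf() {
    file="$1"
    current=$(sed -n -E 's#.*<address>([^<]*)</address>.*#\1#p' "$file" | head -n 1)
    fixed=$(normalize_manager "$current")
    if ! is_valid_manager "$fixed"; then
        echo "unusable manager address in $file: '$current'" >&2
        return 1
    fi
    set_manager_address "$file" "$fixed"
    echo "$fixed"
}

# Constructed sample: a fresh agent config with the URL mistake from this article.
make_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>https://203.0.113.10/</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
}

# Stand-alone demo on a temp copy (never touches /var/ossec). On a real host
# you would call: fix_conf /var/ossec/etc/ossec.conf && sudo systemctl restart wazuh-agent
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
echo "corrected manager address: $(fix_conf "$demo_conf")"
grep '<address>' "$demo_conf"
rm -f "$demo_conf"
```

Running it prints the corrected address followed by the rewritten <address> line. The validation step is deliberately strict: rejecting the value rather than guessing is better than starting an agent that then fails to enroll, because the only symptom is the generic systemd error shown above.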
Windows Agents
The process is the same for adding Windows agents to Wazuh. The only real difference is that you will be using PowerShell on Windows, and you will need to run your PowerShell instance as administrator, because installing and starting the service requires elevated privileges.
Once you have copied the installation command into PowerShell and everything has installed, run NET START WazuhSvc to start the Wazuh agent.
Viewing the Dashboard
If we go to the Agents screen in Wazuh and click on an agent in the list, a dashboard for that agent opens. The dashboard has separate panels for the different sets of data collected from the agent:
On the right we can also see the Generate report button, which we can use to run reports, and we can view the raw events on the Events tab.
Wazuh is a very powerful open-source security monitoring tool. I highly recommend you research it further and learn how to leverage it to secure your networks.