turn Kali Tweaks to HTTPS mode
update
upgrade
install jq
install curl
go to the Quickstart Wazuh download page
copy the first curl command for the install manager
paste and enter it in the terminal
it loaded
go to the Firefox browser, enter localhost at the top and press enter
Wazuh will load and ask for a user name and password
which is given at the end of the install in the terminal
copy it out of the terminal and save it
paste it into the browser and Wazuh will start
open ports 1515, 1514
I use an OPNsense router with Suricata and it has a Wazuh agent install plugin
I set up the plugin so it will send logs and alerts to Wazuh on the Kali computer
It can also be set up on the Kali computer and run Suricata and firewall logs
I haven't checked yet to see if it will auto detect the keys for data transfer
But I can do the keys manually also
If anyone wants to know how that's done let me know
yes
i want to know and i want that as well
ok first get it installed and set up the agent (also on the Wazuh page) either in your router or a separate computer. Do not set up the agent on the same computer as Wazuh, it's not necessary. Just set up the ossec.conf file if it's all on one computer. See if it will auto detect communications. The Wazuh main page in your browser will tell you when you have a live agent, ports 1515, 1514 if it's external. Can do a packet capture or monitor errors in Wazuh to see what it's doing. I'll find how to manually set up agent keys and paste it here for an external agent. I've already written it elsewhere. Can install Suricata on Kali Purple and send alerts to Wazuh on the same computer. Or an external computer with the Wazuh agent. Also your firewall logs, syslog logs, etc. Wazuh also monitors endpoints and can be set up to be offensive.
I've gotten the Wazuh SIEM server working on Kali Linux Purple on one box and OPNsense as an agent on another box
On Kali Purple wazuh server:
On the server, which is Kali Purple, I did an update and made sure it has jq and curl installed.
Then I used the Wazuh quickstart for Ubuntu and followed the directions on their documentation page
Which was cut and paste of one line, it's a curl command and runs a script
Takes a while, maybe 30 minutes, to download and install everything depending on computer speed.
Note: Put the LAN IP in the browser and the Wazuh server page should come up, or localhost
Open a terminal on the server and go to /var/ossec/bin
On the command line run ./manage_agents; this will create a new agent
Type A for add and enter the hostname of the OPNsense router or other computer and its IP; then quit
then run command again and type L for List
Then type I to get a key for that agent, copy and save it, then exit
On the computer with wazuh agent running:
Next on the OPNsense box, or the computer with the agent, I install the Wazuh agent from plugins or from the Wazuh download and install page.
Reboot and enable wazuh-agent, set the manager hostname/IP to the Wazuh server's IP on the LAN, which is the LAN address; do this on the agent
For authentication the password is your hostname on OPNsense, which is opnsense.somethingdomain or whatever you changed it to, same on a computer
It is your hostname in the OPNsense dashboard, and at the top right on the Wazuh agent GUI page
It is also what you set as the name of the wazuh-agent on the Wazuh server on the other box
From the Wazuh server Kali Purple computer:
Then ssh into OPNsense, or the agent computer, and go to /var/ossec/bin
on the command line enter ./manage_agents
your agent will show up and it will ask if you want to enter a key; paste the key from the server here. exit, reboot
remember to open TCP ports 1515 and 1514 on both the server box and the OPNsense box, or computer box
Reboot operating system
Power up wazuh, open gui dashboard which is lan IP in the top browser window
Give it time to connect for the first time
It is ingesting the current logs from the first time it connected to OPNsense or the agent computer, all alerts, blocks; it's tracking all files on OPNsense or the computer with the agent installed, and the server, checks for rootkits, does shasum on both systems
Hope this helps if it has trouble auto detecting the key; that's what authenticates communication between the server and agent.
Wazuh SIEM, Suricata, firewall logs, syslogs, monitoring endpoints, file monitoring, can all be set up on one computer running Kali Purple, no agent, as I mentioned before.
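As an added example (not from this thread and not Wazuh's own tooling): a small bash script to sanity-check an exported agent key before pasting it into manage_agents on the agent, and to confirm the manager's TCP ports 1514 and 1515 accept connections. It assumes the key format manage_agents prints when you extract a key (the I/E menu option, or `manage_agents -e <id>` non-interactively): base64 of the client.keys line `<id> <name> <ip> <secret>`; the sample key below is constructed, not a real one.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread: check a Wazuh agent key and manager ports.
set -u

# manage_agents on the manager exports the key as base64 of the client.keys
# line "<id> <name> <ip> <secret>" (assumption stated in the lead-in).
decode_agent_key() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# Succeeds (and prints the agent id) only when the key decodes to four fields
# and the agent name inside it matches the name the agent will register with,
# which is the hostname the poster says must agree on both sides.
verify_agent_key() {
  local key="$1" expected_name="$2" line
  line=$(decode_agent_key "$key") || return 1
  set -- $line
  [ "$#" -eq 4 ] || return 1
  [ "$2" = "$expected_name" ] || return 1
  printf '%s\n' "$1"
}

# Checks that the manager answers on TCP 1514 (agent events) and 1515
# (enrollment); uses bash's /dev/tcp so no extra packages are needed.
manager_ports_open() {
  local host="$1" port
  for port in 1514 1515; do
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || return 1
  done
}

# Constructed sample key: agent 001 named "opnsense", any source IP, made-up secret.
SAMPLE_KEY=$(printf '%s' '001 opnsense any 1a2b3c4d5e6f70819203a4b5c6d7e8f9' | base64 | tr -d '\n')

# Usage: set WAZUH_MANAGER to the manager's LAN IP to also test the ports.
if verify_agent_key "$SAMPLE_KEY" opnsense >/dev/null; then
  echo "sample key is well formed and names agent 'opnsense'"
fi
if [ -n "${WAZUH_MANAGER:-}" ]; then
  manager_ports_open "$WAZUH_MANAGER" && echo "ports 1514/1515 reachable on $WAZUH_MANAGER"
fi
```

If verify_agent_key fails on a key you exported, re-check the agent name you typed in manage_agents against the agent's hostname before looking at the network.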