Tutorial: Wazuh SIEM - Installation and Configuration (Complete Steps)

Captions
Hi there, welcome back to the channel. In this session I'm going to show you the steps of installing and configuring the Wazuh SIEM, or security information and event management. So, without further ado, let's begin with Wazuh. This is Wazuh, the open-source security platform, and it has quite a lot of features, starting from security analytics and intrusion detection, then log data analysis, file integrity monitoring, vulnerability detection, configuration assessment, incident response, regulatory compliance, cloud security as well as container security.

To start with Wazuh you can go to the website, wazuh.com, and from there select "Install Wazuh". When you click this it will bring you to the installation page, where you can download or look at the installation guide. The first thing to do is to install the Wazuh manager; go to the installation guide to get more information about how to install it. The second step would be installing the Wazuh agent, which could be on Linux, Windows or macOS, and then the integration with the Elastic Stack, which is optional.

So let's go to the installation guide for the Wazuh manager. We have several options, specifically related to the operating system to be used for Wazuh. I would say don't use the listed operating systems here if you don't want to, because it will take a while to actually do the installation. Let's just go to Ubuntu 12.10 or greater and look at the installation from packages: this will install the server from the packages, and you can follow the steps here, adding the Wazuh repository, installing the Wazuh manager, and so on and so forth. But personally I like to use the ready-made virtual machine. Wazuh provides a pre-built virtual machine image, an OVA, that you can use directly to import Wazuh as a virtual machine using VirtualBox as well as, let's say, VMware Workstation.

To download it you can go to the virtual appliance page and just click the link here, which contains the following components; this will download the OVA file, as you can see it's downloading. Let's just cancel it, because I've already downloaded the OVA. I have stored the downloaded file in my Wazuh directory, and this is the OVA file. What you need to do to import this into your VirtualBox or VMware Workstation is right-click and select "Open with", let's say VMware Workstation; of course you can select VirtualBox Manager or VMware Player instead. By default it allows me to open it with VMware Workstation. Click it and it will prompt me to import the virtual machine. I'll just put the name Wazuh and then select the storage, which should be on my D drive; I'll put it under the same Wazuh directory. I can even create a new directory: go to Wazuh, create a directory, just call it Wazuh, and click OK. Review this: the name of the virtual machine is Wazuh, the storage is D:\Wazuh\Wazuh, and select Import. It's going to take a while to import this, roughly around 30 to 45 minutes depending on the speed of your disk, so I'm going to pause the video and let the import finish. Oh, it's quite fast in fact, so I'll just let it run; it may take a few more minutes. If you have SSD storage the importing process will take maybe less than 10 minutes, like mine: I'm actually running my OS on an SSD, a solid-state disk. So, imported successfully.

Several things we need to set or configure: if we have more memory, you can select the memory here and do the adjustment; let's use 80 gigabyte. By default the network adapter used by this VM is NAT, so what I'm going to do is select Bridged so that I can connect it to my physical network. So: 80 gigabyte, network adapter bridged. There are some other settings here; let's go to processors. The number of processors being utilized is one, which is more than enough. Now let's fire up this Wazuh VM.

All right, so this is Wazuh, and the default login is root and the password is wazuh, in small letters. Of course you can change this later on. Once you have successfully logged on to the Wazuh manager, what you need to do is check the IP address with ip addr. By default my IP is 192.168.1.8; that's the IP address of Wazuh. Once we're done with this we can of course open up our browser; I'll use Firefox to make it easier for us to see the difference between different browsers. Just type in 192.168.1.8 and in a few moments you will see the Wazuh manager. You'll see a warning, "Potential security risk ahead"; just select Advanced, scroll down and select "Accept the risk and continue"; this is normal. Hmm, maybe I have something wrong here; let's go to 192.168.1.8 again. It looks like it is not running correctly, so let's open it in my Chrome: 192.168.1.8 over HTTP. Okay, something is wrong with my Firefox; anyway, I'll be using Chrome. So from here you can select on the left side the application called Wazuh. For our Wazuh configuration we actually don't need to install from scratch, because initially I downloaded the virtual appliance, so it is a lot easier rather than starting the installation from scratch. Once we're done with the import we can move on to the management.

For testing purposes I'll be using Windows 10 as my client, so I restore the snapshot, and here is my Windows 10. I'm going to copy this; this one is actually from my previous recording for this tutorial, so I'll just copy it somewhere else so it won't distract me. Go to the Downloads folder; for the Wazuh client I've already downloaded the Wazuh agent version 3.12.2, so I copy this to my Downloads folder as well. From here you can just double-click to install it and accept the license, so it's very simple, just like a normal installation of other Windows tools. Once we're done with the installation, click the Finish button with "Run Agent configuration interface" selected. Here we have the Wazuh Agent Manager, where we need to input the manager's IP, which is 192.168.1.8. Now, how to get the authentication key? To get the authentication key you can go to the Wazuh documentation, select "Registering agents" and see how we can register the agent, because we need to get what we call the Wazuh authentication key. Let's go to the manual method of registration for a Windows host, for example. You have to run /var/ossec/bin/manage_agents; this is where you can add an agent. Just right-click and copy that. I'm going to use the tool called PuTTY to do the remote access, so I will type 192.168.1.8, accept the host key with Yes, and log in as root with the same password, wazuh. From here you just paste the command. This is where we can actually manage the agents: /var/ossec/bin/manage_agents. If we want to add an agent, select A to add an agent, and you can put any name for the agent; for example mine is win10-DST, so I can just use win10-DST. Now check the IP address of your agent; let's check it, this one is .10, so we need to put 192.168.1.10 and confirm adding it. The next step is to extract the key for the agent: select E and select the ID, which is 001. What you need to do is just copy this and put it here. That's it: Save, and OK, and then we can restart the agent and refresh. Make sure that the status of the agent is Running, meaning that the agent has successfully been able to communicate with the Wazuh manager.

Once we're done with this we can minimize, go back to Wazuh and refresh it; you should see the agent has been successfully added. So here we have total agents one, active agents one. Select Agents from the menu and you'll see we got win10-DST as the agent, and it was automatically detected as running Windows 10 Pro, version 10.0.10240, and the version of the Wazuh agent is 3.12.0. I forgot to mention that the Wazuh agent is actually what used to be the OSSEC agent; I used to use OSSEC. So the Wazuh agent is actually the OSSEC tool, the host IDS. Right now, because we have already installed the Wazuh agent on our win10-DST, it should be able to give some report if there is any attack against the agent. So let's try something: let's close this, open up the command-line tool and run nmap with -A and a --script option against 192.168.1.10, which is the agent's IP address. Let me change the font size and press Enter. Then you can check the agent's status: go to the agent, select Management, and you can go to the Overview or Security events. Now we got something: the total is 4357, to be more precise. You can select the agent and from there look at the status, Active. If you want to see the graphs, go to Security events; from there you can look at the information about the alerts: we got the top five agents, rules, and so on. Integrity monitoring: nothing for our agent. Now go to Agents, select the name of the registered agent, and it will show you the ID, 001, the IP address and so on; select Security events and it will show you something like this.

You can also enable auditing on the agent: type mmc, add the Group Policy Object snap-in for the local computer, expand Windows Settings, expand Security Settings, and go to Local Policies. While waiting for that, let me change the display settings, maybe 35% bigger, so that you can see the screen much better. Double-click Local Policies and go to Audit Policy; this is where we need to modify things: set Audit logon events to Success and Failure, click Apply and OK, then Audit account management, and Audit system events, click OK. Once you're done with this, close it, open CMD and type gpupdate /force; this will update the policy and we should be able to try a failed login. Let's log off and try several invalid logins: put in any wrong password and see what happens, what gets recorded; whatever is recorded will be shown. Let's just refresh it.

We got more information: Windows logon success, Windows security authentication success, subsystem events and so on. You can check Integrity monitoring, you can check the Inventory data, and to get the overview of all agents you can just go to Overview and select Security events. You can check the top agents, groups, the incidents; for rules we got Windows logon success. Everything is recorded correctly, this is good. So that's how easy it is to configure Wazuh as well as your agent. This is a very short tutorial on how to configure the Wazuh SIEM; I'll be giving you more tutorials about Wazuh in the next videos. That's all for now, thank you very much, and hope everything will be all right. Stay safe, bye bye.
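The Security events view that the tutorial ends on is built from the manager's alerts.json log, where each line is one JSON alert. As an added example, not code from the video or from the Wazuh project, here is a small Python script that reads constructed alert lines in that newline-delimited shape and produces the same kind of summary offline: alerts per agent, per rule, and failed logons per user, plus a threshold check of the sort you would use to spot the repeated bad-password attempts demonstrated at the end. The sample alerts, the agent name win10-DST, and the rule ids and descriptions are constructed for this example, and the field paths (rule.level, rule.groups, agent.name, data.win.eventdata.targetUserName) are assumptions about the Windows event layout. It skips a truncated last line rather than aborting, which is what you hit when reading the file while the manager is still writing to it.

```python
import json
from collections import Counter


def _alert(level, rule_id, desc, groups, user=None):
    """Build one constructed alert in the newline-delimited JSON shape of
    Wazuh's alerts.json (field layout assumed for this example)."""
    alert = {
        "timestamp": "2020-04-18T10:00:00.000+0800",
        "rule": {"level": level, "id": rule_id, "description": desc, "groups": groups},
        "agent": {"id": "001", "name": "win10-DST", "ip": "192.168.1.10"},
        "manager": {"name": "wazuh"},
    }
    if user is not None:
        alert["data"] = {"win": {"eventdata": {"targetUserName": user}}}
    return json.dumps(alert)


# Illustrative rule tuples: (rule id, description, groups). Constructed values.
FAIL = ("60122", "Logon failure - Unknown user or bad password",
        ["windows", "authentication_failed"])
OK = ("60106", "Windows logon success", ["windows", "authentication_success"])

# Constructed sample log: four failed logons (three for alice, one for bob),
# one success, and one truncated line as left by an in-progress write.
SAMPLE_ALERTS = "\n".join([
    _alert(5, *FAIL, user="alice"),
    _alert(5, *FAIL, user="alice"),
    _alert(5, *FAIL, user="bob"),
    _alert(3, *OK, user="alice"),
    _alert(5, *FAIL, user="alice"),
    '{"timestamp": "2020-04-18T10:00:09.000+0800", "rule": {"level": 5',
])


def parse_alerts(text):
    """Parse alerts.json content; skip blank or corrupt lines instead of
    aborting, so a partially written last line does not break the report."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def _target_user(alert):
    # Assumed path for the account name in a Windows security event alert.
    return (alert.get("data", {}).get("win", {}).get("eventdata", {})
            .get("targetUserName", "<unknown>"))


def summarize(alerts, min_level=0):
    """Counts per agent, per rule and failed logons per user, like the
    Overview / Security events panels, restricted to rule.level >= min_level."""
    by_agent, by_rule, failed_by_user = Counter(), Counter(), Counter()
    for alert in alerts:
        rule = alert.get("rule", {})
        if rule.get("level", 0) < min_level:
            continue
        by_agent[alert.get("agent", {}).get("name", "<unknown>")] += 1
        by_rule[(rule.get("id"), rule.get("description"))] += 1
        if "authentication_failed" in rule.get("groups", []):
            failed_by_user[_target_user(alert)] += 1
    return {"by_agent": by_agent, "by_rule": by_rule,
            "failed_by_user": failed_by_user}


def brute_force_candidates(alerts, threshold=3):
    """Users with at least `threshold` failed logons: the same idea as a
    Wazuh frequency rule, applied offline to the parsed alerts."""
    failed = summarize(alerts)["failed_by_user"]
    return sorted(user for user, n in failed.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    report = summarize(parsed)
    print("alerts per agent:", dict(report["by_agent"]))
    for (rule_id, desc), n in report["by_rule"].most_common():
        print(f"rule {rule_id} ({desc}): {n}")
    print("failed logons per user:", dict(report["failed_by_user"]))
    print("brute-force candidates:", brute_force_candidates(parsed))
```

To run it against a real manager, replace SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.json (the path shown in the tutorial's manager VM); the min_level argument gives you the same level filter the dashboard applies, and the threshold in brute_force_candidates is the number of failed attempts you want to treat as suspicious.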
Info
Channel: Semi Yulianto
Views: 129,641
Keywords: tutorial, wazuh, siem, installation, configuration, installing, configuring, agent, windows, security platform, cybersecurity, os, operating, system, ossec
Id: kd5THDYTarM
Length: 26min 8sec (1568 seconds)
Published: Sat Apr 18 2020