Install Wazuh EDR
Download Wazuh
First, let's go to this site to get the Wazuh agent:
https://documentation.wazuh.com/3.13/installation-guide/packages-list/index.html
Then click on the installer and install it. Don't click Finish yet. Click on Run Agent Configuration interface, then click Finish and click Yes.
This is what you should have:
Connect it to whatever interface your Security Onion is on. Then SSH into your Security Onion.
Open another command prompt and type ipconfig.
Take note of the IP address of your host (the agent, whatever you want to call it).
Mine is 10.10.10.13
Then we're going to execute the following command in our SSH session to add our agent:
sudo so-wazuh-agent-manage -a 10.10.10.13
Then it will ask you to enter the host name.
My Windows computer's host name is: winvictim-1
This is what you should have:
Extract the Key
Since my agent ID is 002, I will use that to get the key.
To do this, I will use the following command:
sudo so-wazuh-agent-manage -e 002
After that you should have the key. I can’t show you because it might be sensitive data. You have to trust me on this.
OSSEC Agent
Open a command prompt as Administrator and go to Program Files (x86). Then cd into ossec-agent.
Then run the following command:
manage_agents.exe /?
Then press I for Import Key from the Server and paste in the key. It's going to ask you to confirm adding it. Enter Y.
After that, we’re going to edit our config file.
Execute the following command:
notepad ossec.conf
At the <address> element, change the IP address to the IP of your Security Onion.
Then go back to the Wazuh Agent Manager application and press Refresh. You should see the Manager IP filled in with the IP of your Security Onion and the authentication key filled in.
Then click Save.
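As an added example (not from this guide or from Wazuh), here is a small Python helper for the two steps above: it checks that the key you exported really belongs to the agent ID and host name you registered before you paste it in, and it rewrites the <address> element in ossec.conf by parsing the XML rather than hand-editing it. The key and the ossec.conf below are constructed stand-ins, and the manager IP you pass in is whatever your Security Onion address is.

```python
import base64
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the key that `so-wazuh-agent-manage -e 002` prints:
# it is base64 of "ID NAME IP KEY"; the hex secret here is made up.
FAKE_KEY_B64 = base64.b64encode(
    b"002 winvictim-1 any " + b"0123456789abcdef" * 4
).decode()

# Constructed minimal ossec.conf; real files carry many more sections.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>0.0.0.0</address>
      <port>1514</port>
    </server>
  </client>
</ossec_config>
"""

def parse_agent_key(key_b64):
    """Decode an exported agent key into (id, name, ip, secret)."""
    parts = base64.b64decode(key_b64).decode().split()
    if len(parts) != 4 or not re.fullmatch(r"[0-9a-f]+", parts[3]):
        raise ValueError("not a well-formed agent key")
    return tuple(parts)

def check_key_matches(key_b64, expected_id, expected_name):
    """True if the key belongs to the agent we registered on the manager."""
    agent_id, name, _ip, _secret = parse_agent_key(key_b64)
    return agent_id == expected_id and name == expected_name

def set_manager_address(conf_xml, manager_ip):
    """Return conf_xml with every client/server/address set to manager_ip."""
    ipaddress.ip_address(manager_ip)  # reject a mistyped address early
    root = ET.fromstring(conf_xml)
    addrs = root.findall("./client/server/address")
    if not addrs:
        raise ValueError("no <client><server><address> in ossec.conf")
    for addr in addrs:
        addr.text = manager_ip
    return ET.tostring(root, encoding="unicode")

def manager_addresses(conf_xml):
    """List the manager addresses currently configured."""
    root = ET.fromstring(conf_xml)
    return [a.text for a in root.findall("./client/server/address")]
```

Run check_key_matches on the real exported key with your own agent ID and host name; if it returns False you exported the wrong agent's key and importing it will leave the agent unable to authenticate.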
Toggle Services
On the command prompt, execute services.msc
Then type wazuh and it should take you to the service. Right click on the service and click Start.
Now, we’re done.