Skip to content

Latest commit

 

History

History
71 lines (51 loc) · 6.15 KB

README.md

File metadata and controls

71 lines (51 loc) · 6.15 KB

Wazuh

wazuh tutorials for beginners


wazuh

What is Wazuh

Wazuh is a free and open source security platform that unifies XDR and SIEM capabiliteis.

Features of Wazuh

  • Log data analysis
  • File Integrity Monitoring
  • Vulnerability detection
  • Incident response
  • Regulatory compliance
  • Cloud security
  • Intrusion detection

Components of Wazuh

Wazuh has generally two main components which are central and endpoint components. Which central components have three subcomponets that are wazuh-indexer, wazuh-server and Dashboard. Which endpoint component has wazuh-agent for endpoints.


Figure (1): wazuh-components-and-data-flow

Wazuh indexer

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys, field names or properties, with their corresponding values which can be strings, numbers, booleans, dates, arrays of values, geolocations, or other types of data.


Figure (2): wazuh-indexer

Wazuh Server

The Wazuh server uses threat intelligence sources to improve its detection capabilities. The Wazuh server analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). The Wazuh server can be integrated with external software, including ticketing systems such as ServiceNow, Jira, and PagerDuty, as well as instant messaging platforms like Slack. These integrations are convenient for streamlining security operations.


Figure (3):wazuh-server-architecture

Wazuh Dashboard

The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for security events, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. Additionally, it provides features for role-based access control (RBAC) and single sign-on (SSO).


Figure (4):agents-monitoring

Wazuh Agents

Wazuh agents are installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, macOS, Solaris, AIX, and HP-UX. The agent helps to protect your system by providing threat prevention, detection, and response capabilities. It is also used to collect different types of system and application data that it forwards to the Wazuh server through an encrypted and authenticated channel.

  • monitoring the file system
  • reading log messages
  • collecting inventory data
  • scanning the system configuration
  • looking for malware


Figure (5):agents-architecture

Wazuh Deployment Architecture

The Wazuh architecture is based on agents, running on the monitored endpoints, that forward security data to a central server. Agentless devices such as firewalls, switches, routers, and access points are supported and can actively submit log data via Syslog, SSH, or using their API. The central server decodes and analyzes the incoming information and passes the results along to the Wazuh indexer for indexing and storage. For production environments, it is recommended to deploy the Wazuh server and Wazuh indexer to different hosts.


Figure (6):deployment-architecture

Wazuh agent - Wazuh server communication

The Wazuh agent continuously sends events to the Wazuh server for analysis and threat detection. To start shipping this data, the agent establishes a connection with the server service for agent connection, which listens on port 1514 by default. The Wazuh server then decodes and rule-checks the received events, utilizing the analysis engine. Events that trip a rule are augmented with alert data such as rule ID and rule name.

Wazuh server - Wazuh indexer communication

The Wazuh server uses Filebeat to send alert and event data to the Wazuh indexer, using TLS encryption. Filebeat reads the Wazuh server output data and sends it to the Wazuh indexer (by default listening on port 9200/TCP). Once the data is indexed by the Wazuh indexer, the Wazuh dashboard is used to mine and visualize the information. The Wazuh dashboard queries the Wazuh RESTful API (by default listening on port 55000/TCP on the Wazuh server) to display configuration and status-related information of the Wazuh server and agents.

Required ports

Component Port Protocol Purpose
1514 TCP/UDP Agent Connection service
1515 TCP Agent enrollment service
Wazuh Server 1516 TCP Wazuh cluster daemon
514 TCP/UDP Wazuh syslog collector
55000 TCP Wazuh server RESTful API
Wazuh indexer 9200 TCP Wazuh indexer RESTful API
9300-9400 TCP Wazuh indexer cluster communication
Wazuh Dashboard 443 TCP Wazuh web user interface