    XDR & SIEM Platform

    Wazuh

    Deploy enterprise-grade XDR and SIEM on RamNode VPS. Unified threat detection, vulnerability scanning, and compliance monitoring with a beautiful dashboard.

    Ubuntu 22.04 LTS
    Web Dashboard
    Cloud Integration

    What is Wazuh?

    Wazuh is a free, open-source security monitoring platform that provides unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities. Built on the OSSEC foundation, Wazuh offers enterprise-grade threat detection, integrity monitoring, incident response, and regulatory compliance features.

    Threat Detection

    Real-time analysis of security events across infrastructure

    Vulnerability Scanning

    Automated detection of known vulnerabilities

    Compliance

    PCI DSS, GDPR, HIPAA compliance reporting

    Architecture Components

    • Wazuh Manager: Analyzes data, triggers alerts, manages configurations
    • Wazuh Indexer: OpenSearch-based storage for events and alerts
    • Wazuh Dashboard: Web interface for visualization and management

    Prerequisites

    • RamNode VPS with 8GB RAM minimum (16GB recommended)
    • 4 CPU cores (8 cores recommended for production)
    • 50GB SSD storage minimum (100GB+ for production)
    • Ubuntu 22.04 LTS, Ubuntu 20.04, Debian 11, or CentOS 8
    • Ports 443, 1514, 1515 open
    • Root or sudo access

    Initial Server Setup

    Update system and set hostname
    # Update packages
    sudo apt update && sudo apt upgrade -y
    
    # Install dependencies
    sudo apt install -y curl apt-transport-https lsb-release gnupg
    
    # Set hostname
    sudo hostnamectl set-hostname wazuh-server
    echo "127.0.0.1 wazuh-server" | sudo tee -a /etc/hosts

    Configure firewall:

    Configure UFW
    sudo apt install -y ufw
    
    # Allow required ports
    sudo ufw allow 22/tcp     # SSH
    sudo ufw allow 443/tcp    # Dashboard
    sudo ufw allow 1514/tcp   # Agent communication
    sudo ufw allow 1515/tcp   # Agent enrollment
    
    sudo ufw enable

    Install Wazuh (All-in-One)

    Run assisted installer
    # Download installation script
    curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
    
    # Run all-in-one installation
    sudo bash ./wazuh-install.sh -a

    The installer will:

    • Install Java (required for indexer)
    • Install and configure Wazuh indexer
    • Install and configure Wazuh manager
    • Install Filebeat for log forwarding
    • Install Wazuh dashboard
    • Generate SSL certificates

    Important: Save the admin credentials shown at the end of installation!

    Example output
    INFO: --- Summary ---
    INFO: You can access the web interface https://192.0.2.1
    User: admin
    Password: A8Xr#mP9$vQ2zK4@wE7nL3bT

    Access Wazuh Dashboard

    1. Navigate to https://your-server-ip in your browser
    2. Accept the self-signed certificate warning
    3. Log in with admin credentials from installation
    4. Change the default password immediately

    Change admin password:

    1. Click menu icon (☰) → Security → Internal users
    2. Click on admin user
    3. Click Edit and set a new strong password
    4. Click Save

    Deploy Wazuh Agents

    Deploy agents on systems you want to monitor:

    Ubuntu/Debian Agent:

    Install Linux agent
    # Add Wazuh repository
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
    chmod 644 /usr/share/keyrings/wazuh.gpg
    echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
    apt-get update
    
    # Install agent (replace with your manager IP)
    WAZUH_MANAGER="your-manager-ip" apt-get install -y wazuh-agent
    
    # Start agent
    systemctl daemon-reload
    systemctl enable wazuh-agent
    systemctl start wazuh-agent

    Windows Agent:

    Install Windows agent (PowerShell as Admin)
    # Download installer
    Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi -OutFile wazuh-agent.msi
    
    # Install with manager IP
    msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="your-manager-ip"
    
    # Start service
    NET START WazuhSvc

    File Integrity Monitoring (FIM)

    Configure FIM to monitor critical directories:

    /var/ossec/etc/ossec.conf
    <syscheck>
      <disabled>no</disabled>
      <frequency>43200</frequency>
      <scan_on_start>yes</scan_on_start>
    
      <directories check_all="yes" report_changes="yes" realtime="yes">/etc</directories>
      <directories check_all="yes" report_changes="yes" realtime="yes">/usr/bin,/usr/sbin</directories>
      <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories>
      <directories check_all="yes" report_changes="yes" realtime="yes">/var/www</directories>
    
      <ignore>/etc/mtab</ignore>
      <ignore>/etc/hosts.deny</ignore>
      <ignore>/etc/mail/statistics</ignore>
    </syscheck>
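The syscheck block above makes each agent report what changed; on the manager those reports land as one JSON alert per line in /var/ossec/logs/alerts/alerts.json. The Python script below is an added example, not part of this guide or of Wazuh itself: it reads alerts in that shape, keeps only the syscheck ones, counts them per agent and event type, and flags the ones a reviewer should look at first (any change under the watched system directories, and every file added under the web root). The sample alert lines, agent names, paths and hashes are constructed; the field names follow the Wazuh syscheck alert schema, and rule IDs 550, 553 and 554 are the stock FIM rules for modified, deleted and added files.

```python
import json
from collections import Counter

# Constructed sample lines shaped like /var/ossec/logs/alerts/alerts.json.
# Field names follow the Wazuh syscheck alert schema; agents, paths and hashes are made up.
# The last line is deliberately not JSON to show that a torn write is skipped, not fatal.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/etc/passwd","mode":"realtime","event":"modified","sha256_before":"aaaa1111","sha256_after":"bbbb2222","changed_attributes":["size","mtime","sha256"]}}
{"timestamp":"2024-05-01T10:00:05.000+0000","rule":{"level":5,"id":"554","description":"File added to the system.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/var/www/html/upload.php","mode":"realtime","event":"added","sha256_after":"cccc3333"}}
{"timestamp":"2024-05-01T10:00:09.000+0000","rule":{"level":7,"id":"553","description":"File deleted.","groups":["ossec","syscheck"]},"agent":{"id":"002","name":"db01"},"syscheck":{"path":"/usr/bin/curl","mode":"scheduled","event":"deleted","sha256_before":"dddd4444"}}
{"timestamp":"2024-05-01T10:01:00.000+0000","rule":{"level":3,"id":"5715","description":"sshd: authentication success.","groups":["syslog","sshd"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"192.0.2.50"}}
not valid json
"""

# Directories the guide's <syscheck> block watches. The web root is treated differently:
# edits to existing content are routine there, a newly added file is not.
WATCHED = ("/etc", "/usr/bin", "/usr/sbin", "/bin", "/sbin", "/var/www")


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def fim_events(alerts):
    """Reduce syscheck alerts to (agent, event, path, sha256_before, sha256_after) tuples."""
    events = []
    for alert in alerts:
        sc = alert.get("syscheck")
        if not sc:
            continue  # not a FIM alert (e.g. an sshd event)
        events.append((
            alert["agent"]["name"],
            sc.get("event", "unknown"),
            sc["path"],
            sc.get("sha256_before"),
            sc.get("sha256_after"),
        ))
    return events


def summarize(alerts):
    """Count FIM events per (agent, event type), e.g. {('web01', 'modified'): 1, ...}."""
    return Counter((agent, event) for agent, event, _p, _b, _a in fim_events(alerts))


def needs_review(alerts):
    """Return (agent, event, path) for changes that deserve a first look: anything under a
    watched system directory, and only additions under the web root."""
    flagged = []
    for agent, event, path, _before, _after in fim_events(alerts):
        in_watched = any(path == d or path.startswith(d + "/") for d in WATCHED)
        if not in_watched:
            continue
        if path.startswith("/var/www/") and event != "added":
            continue
        flagged.append((agent, event, path))
    return flagged


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (agent, event), n in sorted(summarize(alerts).items()):
        print(f"{agent:8} {event:10} {n}")
    for agent, event, path in needs_review(alerts):
        print(f"REVIEW {agent}: {event} {path}")
```

Run it against a copy of alerts.json pulled from the manager to get the same summary for real data; the sha256_before and sha256_after values carried in each tuple are what report_changes="yes" gives you to compare against a known-good build.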

    Vulnerability Detection

    Enable vulnerability scanning (this provider-based <vulnerability-detector> block is the format used up to Wazuh 4.7; Wazuh 4.8 and later, including the 4.9 installer used above, configure the feature through a <vulnerability-detection> block instead)
    <vulnerability-detector>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <min_full_scan_interval>6h</min_full_scan_interval>
      <run_on_start>yes</run_on_start>
    
      <provider name="canonical">
        <enabled>yes</enabled>
        <update_interval>1h</update_interval>
      </provider>
    
      <provider name="debian">
        <enabled>yes</enabled>
        <update_interval>1h</update_interval>
      </provider>
    
      <provider name="redhat">
        <enabled>yes</enabled>
        <update_interval>1h</update_interval>
      </provider>
    
      <provider name="nvd">
        <enabled>yes</enabled>
        <update_interval>1h</update_interval>
      </provider>
    </vulnerability-detector>

    Active Response

    Configure automatic blocking of brute-force attacks:

    Active response configuration
    <active-response>
      <disabled>no</disabled>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_id>5710,5712</rules_id>
      <timeout>600</timeout>
    </active-response>

    Restart manager to apply:

    Restart Wazuh manager
    sudo systemctl restart wazuh-manager
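Rules 5710 and 5712 referenced above are the stock sshd rules for a login attempt with a non-existent user and for that attempt repeating from one address; the active response then runs firewall-drop against the source for 600 seconds. The Python script below is an added example, not the guide's code and not Wazuh's own correlation engine: it runs the same frequency logic over constructed auth.log lines so you can see exactly when a block decision would fire and when it expires. The threshold of 8 matches within 120 seconds is an assumption made here, as are the host name, PIDs and IP addresses in the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/auth.log lines (made-up host, PIDs and documentation-range IPs).
# The first nine are "Invalid user" failures of the kind rule 5710 matches; the single
# failure from a second address and the successful key login should never trigger a block.
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 web01 sshd[2001]: Invalid user admin from 203.0.113.9 port 50001
May  1 10:00:02 web01 sshd[2002]: Invalid user test from 203.0.113.9 port 50002
May  1 10:00:03 web01 sshd[2003]: Invalid user admin from 203.0.113.9 port 50003
May  1 10:00:04 web01 sshd[2004]: Invalid user test from 203.0.113.9 port 50004
May  1 10:00:05 web01 sshd[2005]: Invalid user admin from 203.0.113.9 port 50005
May  1 10:00:06 web01 sshd[2006]: Invalid user test from 203.0.113.9 port 50006
May  1 10:00:07 web01 sshd[2007]: Invalid user admin from 203.0.113.9 port 50007
May  1 10:00:08 web01 sshd[2008]: Invalid user test from 203.0.113.9 port 50008
May  1 10:00:09 web01 sshd[2009]: Invalid user admin from 203.0.113.9 port 50009
May  1 10:00:30 web01 sshd[2010]: Invalid user test from 198.51.100.7 port 50010
May  1 10:05:00 web01 sshd[2011]: Accepted publickey for deploy from 192.0.2.50 port 50011 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_USER_RE = re.compile(r"(?i)\b(?:invalid|illegal) user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


def parse_line(line):
    """Return (timestamp, source_ip) for a non-existent-user login failure, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hit = INVALID_USER_RE.search(m.group("msg"))
    if not hit:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the double space in "May  1"
    ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, hit.group("ip")


def detect_bruteforce(text, threshold=8, window=120, timeout=600):
    """Emit one block decision per source IP once `threshold` failures land within `window`
    seconds, then stay quiet for that IP until `timeout` seconds have passed (the firewall
    rule is still in place). Returns a list of (ip, triggered_at, expires_at)."""
    recent = defaultdict(deque)   # per-IP timestamps inside the sliding window
    blocked_until = {}
    decisions = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in blocked_until and ts < blocked_until[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            expires = ts + timedelta(seconds=timeout)
            decisions.append((ip, ts, expires))
            blocked_until[ip] = expires
            q.clear()  # a fresh run of failures is needed after the block lapses
    return decisions


def is_blocked(decisions, ip, at):
    """True if `ip` has a block decision whose window covers `at` (datetime or ISO-8601 string)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    return any(d_ip == ip and start <= at < expires for d_ip, start, expires in decisions)


if __name__ == "__main__":
    for ip, start, expires in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"block {ip} at {start:%H:%M:%S}, lifted at {expires:%H:%M:%S}")
```

The half-open interval in is_blocked mirrors the timeout semantics: the address is released at exactly 600 seconds. Wazuh evaluates the same condition with if_matched_sid plus same_source_ip in rule 5712, and the firewall-drop script is what actually adds and later removes the iptables rule; this script only shows the decision points so you can sanity-check a timeout value before enabling the response.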

    Log Collection

    System log collection
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/auth.log</location>
    </localfile>
    
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/syslog</location>
    </localfile>
    
    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/apache2/access.log</location>
    </localfile>
    
    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/apache2/error.log</location>
    </localfile>

    Remote syslog collection:

    Remote syslog
    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>udp</protocol>
      <allowed-ips>192.168.1.0/24</allowed-ips>
    </remote>
    Open syslog port
    sudo ufw allow 514/udp

    Custom Rules & Alerts

    Create custom rules file
    sudo nano /var/ossec/etc/rules/local_rules.xml
    Example: Sudo escalation detection
    <group name="local,sudo,">
      <rule id="100001" level="12">
        <if_sid>5401</if_sid>
        <match>sudo: </match>
        <user>^root</user>
        <description>Root user executed a sudo command</description>
        <group>authentication_failed,pci_dss_10.2.4,</group>
      </rule>
    </group>
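Before restarting the manager with a new local_rules.xml it is worth checking the file for the things that commonly go wrong: a document that is not well-formed, an id outside the 100000-120000 range Wazuh reserves for custom rules, a duplicated id, a level outside 0-16, a missing description, or a rule with no parent condition (if_sid, if_group, if_matched_sid, if_matched_group or decoded_as), which is then matched against every event. The Python linter below is an added example, not part of this guide or of Wazuh; it wraps the file in a synthetic root element because local_rules.xml may contain several top-level <group> elements. The sample file is constructed: the guide's sudo rule followed by a group that deliberately contains those mistakes.

```python
import xml.etree.ElementTree as ET

# Wazuh reserves 100000-120000 for user-defined rule ids; rule levels run 0-16.
CUSTOM_ID_RANGE = (100000, 120000)
LEVEL_RANGE = (0, 16)
PARENT_TAGS = ("if_sid", "if_group", "if_matched_sid", "if_matched_group", "decoded_as")

# Constructed local_rules.xml content: the guide's rule, then a group with several mistakes.
SAMPLE_RULES = """\
<group name="local,sudo,">
  <rule id="100001" level="12">
    <if_sid>5401</if_sid>
    <match>sudo: </match>
    <user>^root</user>
    <description>Root user executed a sudo command</description>
    <group>authentication_failed,pci_dss_10.2.4,</group>
  </rule>
</group>

<group name="local,web,">
  <rule id="5401" level="20">
    <match>GET /admin</match>
  </rule>
  <rule id="100001" level="3">
    <if_sid>31100</if_sid>
    <description>Duplicate id on purpose</description>
  </rule>
</group>
"""


def load_rules(text):
    """local_rules.xml holds several top-level <group> elements, which is not one XML
    document, so wrap the text in a synthetic root before parsing."""
    return ET.fromstring(f"<rules>{text}</rules>")


def lint_rules(text):
    """Return a list of (rule_id, problem) findings; an empty list means the file looks sane."""
    findings = []
    seen = set()
    try:
        root = load_rules(text)
    except ET.ParseError as exc:
        return [("-", f"not well-formed XML: {exc}")]
    for group in root.findall("group"):
        for rule in group.findall("rule"):
            rid = rule.get("id", "")
            level = rule.get("level", "")
            if not rid.isdigit():
                findings.append((rid or "?", "missing or non-numeric id"))
                continue
            if not CUSTOM_ID_RANGE[0] <= int(rid) <= CUSTOM_ID_RANGE[1]:
                findings.append((rid, f"id outside custom range {CUSTOM_ID_RANGE}"))
            if rid in seen:
                findings.append((rid, "duplicate id"))
            seen.add(rid)
            if not level.isdigit() or not LEVEL_RANGE[0] <= int(level) <= LEVEL_RANGE[1]:
                findings.append((rid, f"level {level!r} outside {LEVEL_RANGE}"))
            if rule.find("description") is None:
                findings.append((rid, "no <description>; the alert will be hard to read"))
            if all(rule.find(tag) is None for tag in PARENT_TAGS):
                findings.append((rid, "no parent condition; rule is matched against every event"))
    return findings


if __name__ == "__main__":
    for rid, problem in lint_rules(SAMPLE_RULES):
        print(f"rule {rid}: {problem}")
```

Point it at /var/ossec/etc/rules/local_rules.xml (read the file and pass its contents to lint_rules) before the restart; the manager's own check, /var/ossec/bin/wazuh-logtest, is still the authority on whether a rule fires for a given log line.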

    Configure email alerts:

    Email configuration
    <global>
      <email_notification>yes</email_notification>
      <smtp_server>smtp.gmail.com</smtp_server>
      <email_from>wazuh@yourdomain.com</email_from>
      <email_to>admin@yourdomain.com</email_to>
      <email_maxperhour>12</email_maxperhour>
    </global>
    
    <email_alerts>
      <email_to>security@yourdomain.com</email_to>
      <level>10</level>
    </email_alerts>

    Cloud Integration

    AWS CloudTrail Integration:

    AWS CloudTrail config
    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
    
      <bucket type="cloudtrail">
        <name>your-cloudtrail-bucket</name>
        <access_key>YOUR_ACCESS_KEY</access_key>
        <secret_key>YOUR_SECRET_KEY</secret_key>
      </bucket>
    </wodle>

    Docker Monitoring:

    Docker listener
    <wodle name="docker-listener">
      <disabled>no</disabled>
    </wodle>
    Grant Docker access
    sudo usermod -aG docker wazuh

    Performance Tuning

    Adjust indexer heap size (50% of RAM, max 32GB):

    Configure indexer JVM
    sudo nano /etc/wazuh-indexer/jvm.options
    
    # For 16GB RAM server:
    -Xms8g
    -Xmx8g
    
    sudo systemctl restart wazuh-indexer

    Manager tuning for high-volume environments:

    /var/ossec/etc/local_internal_options.conf
    # Put overrides here rather than in internal_options.conf, which package upgrades overwrite
    analysisd.event_threads=4
    analysisd.decode_event_queue_size=32768

    Backup Configuration

    Create backup script
    sudo nano /usr/local/bin/wazuh-backup.sh
    wazuh-backup.sh
    #!/bin/bash
    # Archive the manager, indexer and Filebeat configuration, then prune archives older than 30 days.
    # Stop on the first error so a failed tar never leads to old backups being deleted.
    set -euo pipefail
    
    BACKUP_DIR="/backup/wazuh"
    DATE=$(date +%Y%m%d-%H%M%S)
    
    mkdir -p "$BACKUP_DIR"
    
    # Backup configurations
    tar -czf "$BACKUP_DIR/wazuh-config-$DATE.tar.gz" \
      /var/ossec/etc/ossec.conf \
      /var/ossec/etc/rules/local_rules.xml \
      /var/ossec/etc/decoders/local_decoder.xml \
      /etc/wazuh-indexer/ \
      /etc/filebeat/
    
    # Cleanup old backups (keep 30 days)
    find "$BACKUP_DIR" -name "*.tar.gz" -mtime +30 -delete
    Schedule daily backups
    sudo chmod +x /usr/local/bin/wazuh-backup.sh
    # Append to root's crontab; piping only the new line into "crontab -" would replace every existing entry
    (sudo crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/wazuh-backup.sh") | sudo crontab -

    Troubleshooting

    Dashboard Not Accessible

    Check services
    sudo systemctl status wazuh-dashboard
    sudo systemctl status wazuh-indexer
    sudo systemctl status wazuh-manager
    
    # View logs
    sudo tail -f /var/log/wazuh-dashboard/dashboard.log

    Agent Not Connecting

    Debug agent connection
    # On agent
    sudo systemctl status wazuh-agent
    sudo cat /var/ossec/logs/ossec.log
    
    # On manager - check registered agents
    sudo /var/ossec/bin/agent_control -l

    High Memory Usage

    Reduce indexer heap size or upgrade VPS RAM.

    Check memory usage
    free -h
    sudo systemctl status wazuh-indexer

    Next Steps

    • Set up CIS benchmark compliance scanning
    • Configure MITRE ATT&CK framework integration
    • Set up Slack/PagerDuty alerting integrations
    • Implement distributed architecture for high availability