🛡️ Ultimate Guide to Installing & Configuring Wazuh SIEM in 2025

🚨 “SIEM is not just a log collector — it’s your first line of threat visibility.”

Looking to set up a powerful open-source SIEM solution for your infrastructure? Wazuh offers real-time threat detection, log correlation, file integrity monitoring, vulnerability detection, and more — completely free!

This guide will walk you through a full Wazuh deployment on a single Ubuntu 22.04 server in under 30 minutes. 💪


🧰 Prerequisites

  • 🖥️ 1x Ubuntu 22.04 or Debian 11 server (4+ GB RAM)

  • 🌐 Internet access + sudo/root access

  • πŸ” Firewall ports: 1514/UDP, 1515/TCP, 55000/TCP open


🚀 Step 1: Update the Server

Run this command to update your system packages:

sudo apt update && sudo apt upgrade -y

πŸ” Step 2: Install Wazuh All-in-One

Wazuh provides an easy deployment script that installs all components:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

  • 🕒 This process takes about 10–15 minutes

  • 📦 Installs: Wazuh Manager, Dashboard, Filebeat, and Indexer


✅ Components Deployed

Component           Purpose
📋 Wazuh Manager    Analyzes and correlates security data
🔎 Wazuh Indexer    Stores indexed data (OpenSearch backend)
📊 Wazuh Dashboard  Web UI for searching, alerts, dashboards

🌐 Step 3: Access the Wazuh Dashboard

Open your browser and navigate to:

https://YOUR_SERVER_IP

Default credentials are:

  • Username: admin

  • Password: admin

🛡️ You will be prompted to change the password upon first login.


👨‍💻 Step 4: Add a Wazuh Agent (Linux Example)

  1. On the Wazuh dashboard, go to Agents → Add Agent.

  2. Fill in the agent name, IP, and OS, then click Generate Install Command.

  3. On the client machine, run the generated command, for example:

curl -sO https://packages.wazuh.com/4.7/wazuh-agent.sh
sudo bash ./wazuh-agent.sh -a MANAGER_IP -r default -n AGENT_NAME

Within 1-2 minutes, the agent status should turn Active in the dashboard.


πŸ” Step 5: Enable Threat Detection Modules

Navigate to Management → Rules and enable important modules such as:

  • 🚨 CIS Benchmark Monitoring

  • πŸ§ͺ File Integrity Monitoring (FIM)

  • πŸ“œ Auditd-based Threat Detection

  • πŸ” Rootkit & Malware Detection

After enabling, restart the Wazuh manager:

sudo systemctl restart wazuh-manager

📦 Optional: Add Windows Agent

  1. Download the Windows agent MSI installer from:
    https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.msi

  2. Run the installer and provide your manager’s IP and the group (default).

  3. Start the agent using:

    wazuh-agent.exe start

Now your Windows machine will send logs to the Wazuh dashboard.


📈 Bonus: Monitor Logs in Real-Time

Explore the dashboard modules such as:

  • πŸ“ Security Events

  • πŸ“„ File Integrity Monitoring (FIM)

  • πŸ“¬ Vulnerabilities

You can create custom alerts and fine-tune thresholds to reduce noise and get actionable alerts.
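As an added example (not part of the original post), the script below shows one way to find the rules that generate the most noise before you tune them: it counts alerts per rule id in Wazuh's alerts.json format and builds a local_rules.xml override that changes a rule's level. The alert lines are constructed sample data, and the `<if_sid>PARENT_RULE_ID</if_sid>` condition is a placeholder for the original rule's own conditions.

```python
import json
from collections import Counter

# Constructed sample lines in the shape Wazuh writes to
# /var/ossec/logs/alerts/alerts.json (one JSON object per alert). Not real data.
SAMPLE_ALERTS = [
    '{"timestamp":"2025-01-10T09:00:01.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5760"},"agent":{"id":"001","name":"web01"}}',
    '{"timestamp":"2025-01-10T09:00:03.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5760"},"agent":{"id":"001","name":"web01"}}',
    '{"timestamp":"2025-01-10T09:00:07.000+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710"},"agent":{"id":"002","name":"db01"}}',
    '{"timestamp":"2025-01-10T09:00:09.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550"},"agent":{"id":"002","name":"db01"}}',
    '{"timestamp":"2025-01-10T09:00:12.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5760"},"agent":{"id":"003","name":"app01"}}',
    '{"timestamp":"2025-01-10T09:00:15.000+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710"},"agent":{"id":"003","name":"app01"}}',
]


def count_by_rule(lines):
    """Return {rule_id: (alert_count, description)} for the given alerts.json lines."""
    counts, descriptions = Counter(), {}
    for line in lines:
        if not line.strip():
            continue  # alerts.json may contain blank lines between records
        rule = json.loads(line)["rule"]
        counts[rule["id"]] += 1
        descriptions[rule["id"]] = rule["description"]
    return {rid: (n, descriptions[rid]) for rid, n in counts.items()}


def noisy_rules(lines, threshold):
    """Rule ids that fired at least `threshold` times, most frequent first."""
    stats = count_by_rule(lines)
    hits = [rid for rid, (n, _) in stats.items() if n >= threshold]
    return sorted(hits, key=lambda rid: -stats[rid][0])


def overwrite_rule_xml(rule_id, level, conditions_xml, description):
    """Build a local_rules.xml entry that overrides a rule's level.

    With overwrite="yes" Wazuh replaces the whole original rule, so its
    matching conditions (if_sid, match, regex, ...) must be repeated here.
    Level 0 means the alert is no longer logged at all, so lower levels
    only for rules you have confirmed are benign noise in your environment.
    """
    return (
        '<group name="local,">\n'
        f'  <rule id="{rule_id}" level="{level}" overwrite="yes">\n'
        f'    {conditions_xml}\n'
        f'    <description>{description}</description>\n'
        '  </rule>\n'
        '</group>'
    )


if __name__ == "__main__":
    for rid in noisy_rules(SAMPLE_ALERTS, threshold=2):
        n, desc = count_by_rule(SAMPLE_ALERTS)[rid]
        print(f"rule {rid} fired {n} times: {desc}")
    # Placeholder condition: copy the real one from the rule being overridden.
    print(overwrite_rule_xml("5760", 3, "<if_sid>PARENT_RULE_ID</if_sid>",
                             "sshd: authentication failed (tuned level)."))
```

Run it against a copy of your own alerts.json (`python3 noisy.py < alerts.json` after swapping `SAMPLE_ALERTS` for `sys.stdin`) and place the generated XML in /var/ossec/etc/rules/local_rules.xml before restarting wazuh-manager.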


🛠️ Troubleshooting Tips

  • 🔒 If you see SSL errors in the dashboard, verify certificate paths in /etc/filebeat/filebeat.yml.

  • 🚫 If agents fail to connect, check if port 1514/UDP is open between client and server.

  • 🔄 If logs aren’t showing, restart services:

    sudo systemctl restart wazuh-indexer filebeat wazuh-manager

🎯 Summary

  • πŸ” Wazuh provides enterprise-grade security monitoring for free.

  • πŸ“ˆ Collect and analyze logs from Linux, Windows, and cloud environments.

  • πŸ”” Build custom alerts, dashboards, and compliance reports with ease

🧠 Hashtags:

  • wazuh installation 2025

  • open source SIEM

  • install wazuh ubuntu

  • wazuh agent configuration

  • wazuh dashboard setup

  • wazuh best practices

  • wazuh real-time alerting