🛡️ Ultimate Guide to Installing & Configuring Wazuh SIEM in 2025

🚨 “SIEM is not just a log collector — it’s your first line of threat visibility.”

Looking to set up a powerful open-source SIEM solution for your infrastructure? Wazuh offers real-time threat detection, log correlation, file integrity monitoring, vulnerability detection, and more — completely free!

This guide will walk you through a full Wazuh deployment on a single Ubuntu 22.04 server in under 30 minutes. 💪


🧰 Prerequisites

  • 🖥️ 1x Ubuntu 22.04 or Debian 11 server with 4+ GB RAM and 2 CPU cores (Wazuh's sizing guidance for up to about 25 agents; plan 8 GB and 4 cores for 25 to 50 agents)

  • 🌐 Internet access + sudo/root access

  • 🔐 Firewall ports open towards the server: 1515/TCP (agent enrollment), 1514/TCP (agent events; TCP has been the default agent protocol since Wazuh 4.0, UDP is optional), 443/TCP (dashboard) and, only if you call the API from other hosts, 55000/TCP. The indexer (9200/TCP) stays internal on an all-in-one host.


🚀 Step 1: Update the Server

Run this command to update your system packages:

sudo apt update && sudo apt upgrade -y

🔐 Step 2: Install Wazuh All-in-One

Wazuh provides an installation assistant that installs all components on a single host:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

  • 🕒 This process takes about 10–15 minutes

  • 📦 Installs: Wazuh Manager, Dashboard, Filebeat, and Indexer

  • 🔑 Prints the generated admin password in its summary at the end of the run; note it down, it is not admin/admin


✅ Components Deployed

  • 📋 Wazuh Manager: analyzes and correlates security data received from agents (1514/TCP) and exposes the Wazuh API (55000/TCP)

  • 🔎 Wazuh Indexer: stores indexed alerts and events (OpenSearch backend, 9200/TCP)

  • 📊 Wazuh Dashboard: web UI for searching, alerts, and dashboards (443/TCP)

  • Filebeat: ships alerts from the manager to the indexer

🌐 Step 3: Access the Wazuh Dashboard

Open your browser and navigate to:

https://YOUR_SERVER_IP

Your browser will warn about the self-signed certificate the installer issued; that is expected on a lab box. There is no admin/admin default: the installation assistant generates a random password for admin, prints it in its summary, and also keeps it in wazuh-install-files.tar (file wazuh-passwords.txt inside it) in the directory you ran the script from, next to the passwords of the other indexer and API users. Log in with:

  • Username: admin

  • Password: the generated password listed for admin in wazuh-passwords.txt

🛡️ The dashboard does not force a password change on first login. Rotate the generated passwords with Wazuh's wazuh-passwords-tool.sh before exposing the dashboard beyond your lab, and move wazuh-install-files.tar off the server afterwards: it contains every credential and private key of the stack.
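Recovering the generated credentials and checking the stack, as an added example that is not part of the original post and not Wazuh's own tooling. It assumes the assistant was run from the current directory (so wazuh-install-files.tar sits there), that the API answers on 127.0.0.1:55000, and that wazuh-passwords.txt has the layout wazuh-install.sh 4.x writes: a *_username line followed by the matching *_password line. The password lookup runs anywhere; the service and API checks at the bottom only run on the Wazuh host.

```shell
#!/usr/bin/env bash
# Post-install checks for a "wazuh-install.sh -a" deployment (added example, not Wazuh code).
set -euo pipefail

# Print the password of USER from the wazuh-passwords.txt inside the install tarball.
# The file pairs a *_username line with the *_password line that follows it, e.g.
#   indexer_username: 'admin'
#   indexer_password: 'xxxx'
wazuh_password_for() {
  local tarball="$1" user="$2"
  tar -O -xf "$tarball" wazuh-install-files/wazuh-passwords.txt |
    awk -v user="$user" -v q="'" '
      $1 ~ /_username:$/                    { hit = ($2 == (q user q)) }
      hit && !found && $1 ~ /_password:$/   { gsub(q, "", $2); print $2; found = 1 }
    '
}

# Show the state of each all-in-one component; returns non-zero if any is not active.
wazuh_services_check() {
  local rc=0 svc
  for svc in wazuh-indexer wazuh-manager filebeat wazuh-dashboard; do
    printf '%-16s %s\n' "$svc" "$(systemctl is-active "$svc" 2>/dev/null || true)"
    systemctl is-active --quiet "$svc" || rc=1
  done
  return "$rc"
}

# Authenticate to the Wazuh API with the generated 'wazuh' API user and print the JWT.
# -k: the assistant issues self-signed certificates, so curl cannot verify them.
wazuh_api_token() {
  local host="$1" pass="$2"
  curl -sk -u "wazuh:${pass}" -X POST "https://${host}:55000/security/user/authenticate?raw=true"
}

# Only runs on the host where the assistant was executed (tarball present).
if [ -f ./wazuh-install-files.tar ]; then
  admin_pw="$(wazuh_password_for ./wazuh-install-files.tar admin)"
  api_pw="$(wazuh_password_for ./wazuh-install-files.tar wazuh)"
  echo "Dashboard login: admin / ${admin_pw}"
  wazuh_services_check
  token="$(wazuh_api_token 127.0.0.1 "$api_pw")"
  # List enrolled agents with the token; ID 000 is the manager itself.
  curl -sk -H "Authorization: Bearer ${token}" \
    "https://127.0.0.1:55000/agents?select=id,name,status"
  echo
fi
```

The API call is the same one the dashboard makes on your behalf; if it fails while the services are active, the API password in the tarball is the one to check, not the dashboard login.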


👨‍💻 Step 4: Add a Wazuh Agent (Linux Example)

  1. In the Wazuh dashboard, go to Agents → Deploy new agent (labelled Add Agent in older releases).

  2. Choose the package (DEB amd64 for Ubuntu/Debian), enter the manager address the agent should connect to, optionally an agent name and group, and copy the generated command.

  3. On the client machine, run the generated command. For a DEB host it looks like this (the package version in the file name is whatever the dashboard shows for your release; 4.7.5-1 is used here):

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.5-1_amd64.deb && sudo WAZUH_MANAGER='MANAGER_IP' WAZUH_AGENT_NAME='AGENT_NAME' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent_4.7.5-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

The WAZUH_MANAGER variable makes the package enroll the agent automatically over 1515/TCP; it then reports events over 1514/TCP. Within 1-2 minutes, the agent status should turn Active in the dashboard.


🔍 Step 5: Enable Threat Detection Modules

These capabilities are not switched on from the dashboard: Management → Rules only lists the detection rules, and Settings → Modules only controls which tabs the dashboard shows. Each module is configured in /var/ossec/etc/ossec.conf on the host it runs on (the manager monitors itself as agent 000; agents in the default group can be configured centrally through /var/ossec/etc/shared/default/agent.conf). In 4.7, SCA, FIM and rootcheck are already enabled with a baseline configuration; the auditd integration needs auditd on the endpoint.

  • 🚨 CIS Benchmark Monitoring: the <sca> section (Security Configuration Assessment), which runs the CIS policy shipped for the detected OS

  • 🧪 File Integrity Monitoring (FIM): the <syscheck> section; add the directories to watch and whether changes are picked up in real time

  • 📜 Auditd-based Threat Detection: install auditd on the endpoint with rules for the commands and files you care about, and let the agent read /var/log/audit/audit.log through a <localfile> entry with log_format audit; FIM's whodata mode also relies on auditd to record who changed a file

  • 🔍 Rootkit & Malware Detection: the <rootcheck> section (trojaned binaries, hidden processes and ports, anomalies under /dev)

After changing ossec.conf on the manager, restart it (on an agent, restart wazuh-agent instead):

sudo systemctl restart wazuh-manager
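A configuration fragment covering the four modules, added here as an example; it is not from the post and not Wazuh's default ossec.conf. It is written for a Wazuh 4.7 manager or agent on Linux and assumes auditd is installed on the host (whodata needs it). The directory lists, intervals and audit rule are choices made for this example, not Wazuh defaults; a directory that is also listed in the default <syscheck> block takes the last definition in 4.x.

```xml
<!-- Append to /var/ossec/etc/ossec.conf (Wazuh merges multiple <ossec_config> blocks), or put the
     same sections inside <agent_config> in /var/ossec/etc/shared/default/agent.conf to push them
     to every agent in the default group. -->
<ossec_config>

  <!-- File Integrity Monitoring. whodata="yes" records which user and process changed the file
       (needs auditd; Wazuh falls back to realtime with a warning if it is missing).
       report_changes="yes" keeps a diff of modified text files. -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <directories whodata="yes" check_all="yes" report_changes="yes">/etc,/usr/local/bin,/root/.ssh</directories>
    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.swp$|.log$</ignore>
  </syscheck>

  <!-- Rootkit and malware detection: trojaned system binaries, hidden processes and ports,
       unexpected files under /dev, kernel-level anomalies. -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <frequency>43200</frequency>
  </rootcheck>

  <!-- CIS benchmark monitoring: Security Configuration Assessment runs the CIS policy shipped for
       the detected OS (under /var/ossec/ruleset/sca) on start and every 12 hours. -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- Auditd-based detection: forward the audit log to the manager. Wazuh's auditd ruleset keys
       on the rule key suffix, e.g. -c for commands and -w for writes, so a rule such as
         -a always,exit -F arch=b64 -F euid=0 -S execve -k audit-wazuh-c
       in /etc/audit/rules.d/wazuh.rules turns every root command into an alert. -->
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

</ossec_config>
```

Start narrow: whodata on /etc and the SSH key directories is cheap, while realtime or whodata on a whole package tree generates an event for every package upgrade, which is exactly the noise Step 6 below is about tuning.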

📦 Optional: Add Windows Agent

  1. Download the Windows agent MSI installer (the version in the file name matches your manager's release; 4.7.5-1 is shown):
    https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi

  2. Install it from an elevated PowerShell prompt, passing the manager address and the group:

    .\wazuh-agent-4.7.5-1.msi /q WAZUH_MANAGER="MANAGER_IP" WAZUH_AGENT_GROUP="default" WAZUH_AGENT_NAME="AGENT_NAME"

  3. Start the service (the installer does not start it):

    NET START WazuhSvc


The agent appears under Agents in the dashboard and starts sending the Windows Application, Security and System event logs plus FIM events.


📈 Bonus: Monitor Logs in Real-Time

Explore the dashboard modules such as:

  • 📝 Security Events

  • 📄 File Integrity Monitoring (FIM)

  • 📬 Vulnerabilities

Alerts are produced by the manager's ruleset, so tuning happens in rules, not in the dashboard: custom rules go in /var/ossec/etc/rules/local_rules.xml on the manager, where you can raise the level of events that matter, add frequency thresholds so repeated events produce one alert, and set noisy rules to level 0 so they stop alerting.
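Two local rules showing both directions of that tuning, added as an example that is not part of the post. The IDs 100100 and 100101 are picked from the 100000-120000 range Wazuh reserves for custom rules; the threshold and the cron suppression are choices for this example. Stock rule 5763 already alerts after 8 sshd failures from one source in 120 seconds, so the first rule simply fires earlier.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the manager. -->
<group name="local,syslog,sshd,">

  <!-- Tighter brute-force threshold than stock rule 5763 (8 in 120 s): 4 failures in 60 s.
       5760 is the sshd "authentication failed" rule; same_source_ip counts per attacker IP and
       $(srcip) puts that IP in the alert text. -->
  <rule id="100100" level="10" frequency="4" timeframe="60">
    <if_matched_sid>5760</if_matched_sid>
    <same_source_ip />
    <description>sshd: 4 failed logins from $(srcip) within 60 seconds (possible brute force).</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>

  <!-- Noise reduction: rule 5501 ("PAM: Login session opened") fires for every cron job.
       Level 0 keeps decoding the event but never alerts on it, so it stays out of alerts.json.
       match is a plain substring test on the log line. -->
  <rule id="100101" level="0">
    <if_sid>5501</if_sid>
    <match>cron:session</match>
    <description>Suppressed: PAM session opened by cron.</description>
  </rule>

</group>
```

After saving, restart wazuh-manager and paste a real sshd failure line into /var/ossec/bin/wazuh-logtest to confirm the line now ends in rule 5760 (and, repeated, in 100100) before trusting the change on live traffic.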


🛠️ Troubleshooting Tips

  • 🔒 A browser certificate warning is normal: the installer issues self-signed certificates for the dashboard, indexer and API, so replace them with certificates from your own CA or accept the warning on a lab box. If the dashboard cannot reach the indexer, check the certificate paths in /etc/wazuh-dashboard/opensearch_dashboards.yml. If alerts stop arriving, the manager-to-indexer path is Filebeat's: check the paths in /etc/filebeat/filebeat.yml and run filebeat test output.

  • 🚫 If agents fail to connect, check that 1515/TCP (enrollment) and 1514/TCP (events) are open from the agent to the manager, that the manager address in the agent's /var/ossec/etc/ossec.conf is right, and that the agent has a key in /var/ossec/etc/client.keys. An agent that was deleted and re-added on the manager must be enrolled again.

  • 🔄 If logs aren't showing, restart the services and check that each one comes back active:

    sudo systemctl restart wazuh-indexer filebeat wazuh-manager wazuh-dashboard
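A triage script for the "agent fails to connect" case, run on the agent host; it is an added example, not from the post or from Wazuh. It assumes a Linux agent with the default log path /var/ossec/logs/ossec.log and classifies the most recent wazuh-agentd connection message by its numeric code (4102 connected, 4101 waiting for a reply, 1216 and 1208 cannot connect); the message texts used in the comments are those logged by wazuh-agentd 4.x, so adjust the patterns if your release differs. The port probe uses bash's /dev/tcp so it needs no netcat.

```shell
#!/usr/bin/env bash
# Agent-side connectivity triage for a Wazuh 4.x agent (added example, not Wazuh code).
set -euo pipefail

# Return 0 if HOST:PORT accepts a TCP connection within 3 s.
tcp_open() {
  local host="$1" port="$2"
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Classify the agent-manager state from ossec.log. Prints one of:
#   connected    (4102) "Connected to the server ([ip]:1514/tcp)."
#   not-started  (4101) "Waiting for server reply (not started)": the manager is reachable but
#                never answers, which means a key mismatch (agent deleted and re-added on the
#                manager, or a reused key) or remoted not listening on 1514
#   unreachable  (1216/1208) TCP connection refused or timed out: firewall or wrong address
#   unknown      no connection message logged yet
wazuh_agent_state() {
  local log="$1" last
  last="$(grep -E 'wazuh-agentd: .*\((4102|4101|1216|1208)\)' "$log" | tail -n 1 || true)"
  case "$last" in
    *'(4102)'*)              echo connected ;;
    *'(4101)'*)              echo not-started ;;
    *'(1216)'*|*'(1208)'*)   echo unreachable ;;
    *)                       echo unknown ;;
  esac
}

# Suggest the next step for a given state.
wazuh_agent_advice() {
  case "$1" in
    connected)   echo "agent is connected; if it still shows Disconnected, check the manager clock and remoted" ;;
    not-started) echo "re-enroll with: sudo /var/ossec/bin/agent-auth -m MANAGER_IP  (then restart wazuh-agent)" ;;
    unreachable) echo "open 1514/TCP and 1515/TCP towards the manager and verify the address in ossec.conf" ;;
    *)           echo "no connection attempt logged yet; is wazuh-agent running?" ;;
  esac
}

# Usage: ./agent-triage.sh MANAGER_IP [path to the agent's ossec.log]
if [ "$#" -ge 1 ]; then
  manager="$1"
  log="${2:-/var/ossec/logs/ossec.log}"
  for port in 1515 1514; do
    if tcp_open "$manager" "$port"; then
      echo "${manager}:${port}/tcp open"
    else
      echo "${manager}:${port}/tcp CLOSED"
    fi
  done
  state="$(wazuh_agent_state "$log")"
  echo "agent state: ${state}"
  wazuh_agent_advice "$state"
fi
```

The order of the checks matters: a closed 1515 with an open 1514 means the agent can talk but never got a key, while an open pair with state not-started points at the key, not the network.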
    

🎯 Summary

  • 🔐 Wazuh provides enterprise-grade security monitoring at no licence cost.

  • 📈 Collect and analyze logs from Linux, Windows, and cloud environments.

  • 🔔 Build custom rules, dashboards, and compliance reports.

🧠 Hashtags:

  • wazuh installation 2025

  • open source SIEM

  • install wazuh ubuntu

  • wazuh agent configuration

  • wazuh dashboard setup

  • wazuh best practices

  • wazuh real-time alerting


