Security Monitoring with WAZUH and ELK

Wazuh is a popular open source security detection, visibility, and compliance project which was born as a fork of OSSEC HIDS and integrates with the Elastic Stack as a comprehensive open source SIEM solution. Wazuh supports different operating systems such as Linux, Windows, macOS, Solaris and the BSD alternatives. Wazuh can monitor a number of parameters on a host machine, including logs, file integrity, rootkit detection and the Windows registry, and can perform log analysis for other network services, including most of the popular open source FTP, mail, DNS, database, web, firewall, and network-based IDS solutions. The Wazuh project itself does not include a graphical user interface layer; an external visualization tool such as Kibana or Grafana must be used as the GUI for a Wazuh installation.

A Wazuh deployment consists of three main components:
The manager, or Wazuh server, which collects the log data from the different data sources.
The agents, which collect and pre-process the logs on the monitored hosts so that they are easier to analyze.
The data analytics and visualization tool, such as the Elastic Stack.
Wazuh comes with a number of alerting options and can be used as part of an automated intrusion detection or active response solution. For log collection, Wazuh uses the legacy log storage engine of OSSEC. By default, log messages from host agents are rotated on a daily basis unless a specific configuration is made in the ossec.conf file.
Setting up Wazuh involves the installation of the Wazuh server with the optional API package, the Wazuh agents and the Elastic Stack. The Wazuh server, or Wazuh manager, collects and analyzes data from the deployed agents. The Wazuh API provides the interface for communication between the Wazuh manager and Kibana. The Elastic Stack engine consists of Elasticsearch, Logstash and Kibana; it reads, parses, indexes, and stores the alert data generated by the Wazuh server.
The Wazuh agent runs on the monitored host, collecting system log and configuration data and detecting intrusions and anomalies. It communicates with the Wazuh manager, forwarding the collected data to it for further analysis.

Wazuh deployment on CentOS using YUM

Setting up the YUM repository

Install the Wazuh Manager (Server)

Check the service status with:

Install the Wazuh API

Check the Wazuh API service status with:

Install the Wazuh Application for Kibana

To install the Windows agent run the downloaded file and follow the steps in the installation wizard.

Agent management in the server
The manage_agents binary in the bin folder of the Wazuh (OSSEC) installation is used to manage the agents.

The logs sent to the Wazuh manager are parsed against the configured rules, and the resulting alerts are stored in the /var/ossec/logs/alerts folder both as a text file, alerts.log, and in JSON format as alerts.json.

Logstash input configuration

Logstash filter configuration (with optional GeoIP plugin)

Logstash output configuration

Create an index pattern for the Elasticsearch indices using wazuh-alerts-3.x-* as the pattern
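As an added illustration of what the Logstash input, filter and output stages do between alerts.json and the wazuh-alerts-3.x-* index pattern (this is example code written for this page, not code from the original post or from the Wazuh project): a small Python stand-in for the pipeline, fed with constructed sample alert lines in the Wazuh 3.x JSON format. Field names follow that format; the agent names, IP and timestamps are made up.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample of /var/ossec/logs/alerts/alerts.json (one JSON object per line). Field names
# follow the Wazuh 3.x alert format; values are made up, and the last line is deliberately cut off,
# as a line the manager is still writing would be when Logstash tails the file.
SAMPLE_ALERTS_JSON = """\
{"timestamp":"2019-03-04T10:15:02.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed.","pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.7","srcuser":"root"},"location":"/var/log/secure"}
{"timestamp":"2019-03-04T10:15:09.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system.","pci_dss":["11.4","10.2.4","10.2.5"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.7"},"location":"/var/log/secure"}
{"timestamp":"2019-03-05T02:00:11.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","pci_dss":["11.5"]},"agent":{"id":"002","name":"db01"},"syscheck":{"path":"/etc/passwd","event":"modified"},"location":"syscheck"}
{"timestamp":"2019-03-05T02:00:12.000+0000","rule":{"level":3,"id":"100001","descr
"""

def parse_alerts(text):
    # Input stage: one alert per line; blank or half-written lines are skipped instead of aborting the batch.
    alerts = []
    for line in text.splitlines():
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def index_name(alert, prefix="wazuh-alerts-3.x"):
    # Output stage: the daily index name, which is what the wazuh-alerts-3.x-* pattern in Kibana matches.
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return f"{prefix}-{ts:%Y.%m.%d}"

def enrich(alert):
    # Filter stage, in miniature: flatten the fields the dashboards query and expose data.srcip,
    # the field the optional GeoIP plugin would geolocate when it is present.
    src = alert.get("data", {}).get("srcip")
    return {
        "index": index_name(alert),
        "agent": alert["agent"]["name"],
        "level": alert["rule"]["level"],
        "pci_dss": alert["rule"].get("pci_dss", []),
        "srcip": src,
        "syscheck_path": alert.get("syscheck", {}).get("path"),
    }

def pci_hits(events, requirement):
    # Alerts per agent mapped to one PCI DSS requirement, as the Compliance view aggregates them.
    return Counter(ev["agent"] for ev in events if requirement in ev["pci_dss"])

def process(text=SAMPLE_ALERTS_JSON):
    return [enrich(a) for a in parse_alerts(text)]
```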

Wazuh logs in Kibana

Wazuh-Kibana app menu

Visualizations in Wazuh-Kibana app dashboard

Compliance (PCI DSS)

File integrity

PCI DSS compliance requirement