Wazuh SIEM Deployment with Multi-OS Agents
Source: infosecwriteups.com, 2026-7-5 06:15:18

Project Overview

This project demonstrates the deployment of Wazuh, an open-source, industry-recognized SIEM and host-based intrusion detection platform, in a virtualized lab environment. Wazuh was selected for this project due to its wide adoption in security operations, strong community support, and alignment with real-world SOC practices.

A Wazuh Manager was installed on an Ubuntu system and configured to centrally monitor three endpoints: Windows, Kali Linux, and Ubuntu. Each endpoint was successfully enrolled as a Wazuh agent and configured to forward system logs and security events to the manager for analysis.

The project validates end-to-end log collection and visibility through the Wazuh web dashboard, demonstrating how security events from multiple operating systems can be centrally analyzed. This setup reflects a realistic enterprise monitoring scenario and highlights the effectiveness of Wazuh as a cost-effective, open-source security monitoring solution used across modern SOC environments.

Tools Used

  • Wazuh SIEM (Open Source): Centralized security monitoring, log collection, and host-based intrusion detection platform
  • Ubuntu Server: Hosting the Wazuh Manager, Indexer, and Web Dashboard
  • Windows: Endpoint monitored using the Wazuh agent (Agent 1)
  • Kali Linux: Linux endpoint monitored using the Wazuh agent (Agent 2)
  • Ubuntu: Linux endpoint monitored using the Wazuh agent (Agent 3)
  • VMware Workstation: Virtualization platform used to host all systems
  • Web Browser (Windows): Used to access the Wazuh web dashboard over HTTPS

Wazuh Deployment

Wazuh was deployed on Ubuntu Server using the official all-in-one installation script, following the Wazuh deployment guide.

curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

This command installs all required dependencies along with the Wazuh Manager, Indexer, and Dashboard. Upon completion of the installation, a username and password are automatically generated for accessing the Wazuh web interface.


Firewall Configuration

The firewall on the Wazuh server was configured to allow all Wazuh components to communicate properly, including agents, the dashboard, indexer, and Syslog. The following UFW rules were applied:

# Essential Wazuh ports
sudo ufw allow 1514/tcp # Agent → Manager communication
sudo ufw allow 1515/tcp # Agent enrollment
sudo ufw allow 443/tcp # Wazuh Web Dashboard (HTTPS)

# Optional ports for future use
sudo ufw allow 55000/tcp # Wazuh API
sudo ufw allow 514/tcp # Syslog collector
sudo ufw allow 22/tcp # SSH access to server

sudo ufw enable # Enables the UFW firewall
sudo ufw status numbered # Displays the current firewall status and lists all active rules with numbering
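The following script is an added example (not part of the original post) that audits a saved copy of the `sudo ufw status` output for the rule set above: it confirms the ports every agent needs are allowed, and flags the API and SSH ports when they are open to Anywhere rather than to an admin host. The sample listing is constructed to match ufw's usual output format.

```shell
# Audit a saved `sudo ufw status` listing for the Wazuh manager ports.
# Every agent needs 1514/tcp (events) and 1515/tcp (enrollment); 443/tcp
# serves the dashboard. 55000/tcp (API) and 22/tcp (SSH) are management
# ports that should not be reachable from Anywhere.

WAZUH_REQUIRED_PORTS="1514/tcp 1515/tcp 443/tcp"
WAZUH_ADMIN_PORTS="55000/tcp 22/tcp"

# check_ufw_rules <file>: report required ports without an ALLOW rule.
# Returns 0 if all present, 1 if any missing, 2 if ufw is inactive.
check_ufw_rules() {
    f="$1"; missing=""
    grep -q '^Status: active' "$f" || { echo "ufw is inactive"; return 2; }
    for p in $WAZUH_REQUIRED_PORTS; do
        grep -Eq "^$p[[:space:]]+ALLOW[[:space:]]" "$f" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "missing ALLOW rules for:$missing"
    return 1
}

# check_admin_exposure <file>: returns 1 if a management port is open to Anywhere.
check_admin_exposure() {
    f="$1"; exposed=0
    for p in $WAZUH_ADMIN_PORTS; do
        if grep -Eq "^$p[[:space:]]+ALLOW[[:space:]]+Anywhere" "$f"; then
            echo "$p open to Anywhere; prefer: sudo ufw allow from <admin-ip> to any port ${p%/*} proto tcp"
            exposed=1
        fi
    done
    return $exposed
}

# Constructed sample of `sudo ufw status` output after the rules above.
SAMPLE_UFW="$(mktemp)"
cat >"$SAMPLE_UFW" <<'EOF'
Status: active
To                         Action      From
--                         ------      ----
1514/tcp                   ALLOW       Anywhere
1515/tcp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
55000/tcp                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
EOF
check_ufw_rules "$SAMPLE_UFW" && echo "required Wazuh ports are allowed"
check_admin_exposure "$SAMPLE_UFW"
```

On a real manager, replace the constructed file with `sudo ufw status > /tmp/ufw.txt` and pass that path to both functions.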

Accessing the Wazuh Web Interface

After the firewall was configured to allow all essential ports, the Wazuh web dashboard was accessed via a web browser. This interface provides centralized visibility into all connected agents, system events, and security alerts.

https://192.168.79.145:443


Log in using the username and password generated during installation.

Agents Enrollment

To enroll an agent, navigate to Endpoints and select Deploy new agents.

Agent 1: Windows

Step 1: Select the Windows architecture


Step 2: Enter the Wazuh Manager IP Address


Step 3: Set agent name (optional)


Step 4: Copy and run the installation command in PowerShell (start PowerShell with administrator privileges)

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.14.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.79.145' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Windows'

Step 5: Still in PowerShell, run this command to start the Wazuh agent:

NET START Wazuh


Agent 2: Kali Linux

On the Deploy new agent page:

Step 1: Select the Operating System

  • Choose Linux as the target OS.
  • For Kali Linux, choose DEB amd64.

Step 2: Assign Server Address

  • Enter your Wazuh manager’s IP address.

Step 3: Set Agent Name (Optional)

  • Enter a unique agent name (Kali).

Step 4: Copy and run the installation command

  • The UI generates a command tailored to your inputs. Run it in your Kali terminal:
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.2-1_amd64.deb && sudo WAZUH_MANAGER='192.168.79.145' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Kali' dpkg -i ./wazuh-agent_4.14.2-1_amd64.deb

Step 5: Start and Enable the Agent

Run the following commands to activate the agent:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent


Agent 3: Ubuntu

Repeat the same steps as for Agent 2.

Copy and run the installation command

  • The UI generates a command tailored to your inputs. Run it in your Ubuntu terminal:
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.2-1_amd64.deb && sudo WAZUH_MANAGER='192.168.79.145' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Ubuntu' dpkg -i ./wazuh-agent_4.14.2-1_amd64.deb

Start and Enable the Agent

Run the following commands to activate the agent:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
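After starting the agent on Kali or Ubuntu, the following added example (not from the original post) verifies the enrollment result from the agent side: that ossec.conf points at the manager, that a key was written to client.keys during enrollment on 1515/tcp, and what connection state the agent reports. It assumes the standard Wazuh 4.x agent paths /var/ossec/etc/ossec.conf, /var/ossec/etc/client.keys and /var/ossec/var/run/wazuh-agentd.state; the files below are constructed stand-ins so the script runs without an agent installed.

```shell
# Post-enrollment checks for a Linux Wazuh agent (the Kali and Ubuntu
# agents above). Assumed Wazuh 4.x agent paths: /var/ossec/etc/ossec.conf,
# /var/ossec/etc/client.keys and /var/ossec/var/run/wazuh-agentd.state.

EXPECTED_MANAGER="192.168.79.145"

# configured_manager <ossec.conf>: print the <address> inside <client><server>.
configured_manager() {
    sed -n '/<server>/,/<\/server>/s/.*<address>\(.*\)<\/address>.*/\1/p' "$1" | head -n 1
}

# check_manager <ossec.conf> [expected-ip]: 0 if the agent targets the manager.
check_manager() {
    want="${2:-$EXPECTED_MANAGER}"; got="$(configured_manager "$1")"
    [ "$got" = "$want" ] && return 0
    echo "agent points at '$got', expected $want"
    return 1
}

# check_enrolled <client.keys> <agent-name>: 0 if an "ID NAME IP KEY" line exists.
# No line means enrollment over 1515/tcp never completed for that name.
check_enrolled() {
    awk -v name="$2" 'NF == 4 && $2 == name { found = 1 } END { exit !found }' "$1"
}

# agent_state <wazuh-agentd.state>: print the status value, e.g. connected.
agent_state() {
    sed -n "s/^status='\([^']*\)'.*/\1/p" "$1"
}

# Constructed sample files standing in for the real agent files.
T="$(mktemp -d)"
cat >"$T/ossec.conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>192.168.79.145</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
printf '002 Kali any 0123456789abcdef0123456789abcdef\n' >"$T/client.keys"  # constructed key
printf "status='connected'\nlast_keepalive='2026-07-05 06:15:18'\n" >"$T/wazuh-agentd.state"

check_manager "$T/ossec.conf" && echo "manager address OK"
check_enrolled "$T/client.keys" Kali && echo "agent Kali holds a key"
echo "agent state: $(agent_state "$T/wazuh-agentd.state")"
```

On a live agent, run the three functions with sudo against the real paths; a state other than connected together with a missing key line points at enrollment (1515/tcp), while a missing key line alone points at a wrong manager address or blocked port.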

Dashboard of all Enrolled Agents


Conclusion

Through the deployment and configuration of Wazuh, I successfully set up a centralized security monitoring environment with multiple agents across Windows, Kali Linux, and Ubuntu. Wazuh provides real-time visibility into system events, log collection, and threat detection, making it a robust and open-source industry-standard SIEM solution. Beyond log monitoring, Wazuh can be leveraged for File Integrity Monitoring (FIM) to track changes in critical files and directories, detect unauthorized modifications, and alert security teams.

Additionally, it integrates seamlessly with other security tools and services, such as Syslog for centralized logging, SSH for remote administration, and custom APIs for automated workflows, enabling comprehensive and proactive security operations.

This setup serves as a foundation for future projects, where I plan to expand Wazuh’s capabilities with additional agents, advanced detection rules, integrations with threat intelligence feeds, and custom security automation workflows to simulate real-world SOC scenarios.

Many thanks to

🫡


Source: https://infosecwriteups.com/wazuh-siem-deployment-with-multi-os-agents-09e80e1821e9?source=rss----7b722bfd1b8d---4