Elastic beat有Filebeat,Packetbeat,Winlogbeat,Auditbeat是可以收集log做稽核用，但預設樣板功能不強，做SIEM少了處理data這塊，Wazuh可以配合做這方面的解析。
官方手冊:https://documentation.wazuh.com/current/getting-started/index.html
single-node架構如下

不想裝或想先嘗試的可以直接用ovf
https://documentation.wazuh.com/current/installation-guide/virtual-machine.html

安裝wazuh
設定wazuh repo

cat > /etc/yum.repos.d/wazuh.repo <<\EOF

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

Install wazuh-manager

yum install wazuh-manager

Install nod.js

curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -
yum install nodejs

Install wazuh-api

yum install wazuh-api

Install wazuh-agent

yum install wazuh-agent

設定api帳密，帳號自己填

cd /var/ossec/api/configuration/auth
node htpasswd -c user 帳號
systemctl restart wazuh-api

安裝Elastic
ELK照之前的即可，要設定templates
https://documentation.wazuh.com/current/installation-guide/installing-elastic-stack/elastic_server_rpm.html#elastic-server-rpm
1.Elasticsearch 安裝 templates

curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://localhost:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-

curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://localhost:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-

2.Logstash templates

curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-local.conf

啟動logstash

systemctl enable logstash.service
systemctl start logstash.service

3.kibana裝plugin(目前是支援6.1版，要舊版到github找https://github.com/wazuh/wazuh-kibana-app#installation)

./usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip

網頁設定
連至kibana網頁選wazuh，api要做連結，帳號密碼輸入之前wazuh api設定的，port設定55000