Elastic Beats (Filebeat, Packetbeat, Winlogbeat, Auditbeat) can collect logs for auditing, but the default templates are limited: for a SIEM the data-processing piece (parsing and rule-based analysis of the collected events) is missing. Wazuh can be combined with the Elastic stack to fill that gap.
Official manual: https://documentation.wazuh.com/current/getting-started/index.html
The single-node architecture is as follows:
If you do not want to install it yourself, or just want to try it first, use the OVF virtual machine image directly:
https://documentation.wazuh.com/current/installation-guide/virtual-machine.html
Install Wazuh
Configure the Wazuh repo
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
Install wazuh-manager
yum install wazuh-manager
Install Node.js (required by wazuh-api)
curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -
yum install nodejs
Install wazuh-api
yum install wazuh-api
Install wazuh-agent
yum install wazuh-agent
Set the API username and password; replace <username> with the account name you want (the password is prompted for):
cd /var/ossec/api/configuration/auth
node htpasswd -c user <username>
systemctl restart wazuh-api
Install Elastic
Install ELK as in the earlier post; then the Wazuh templates need to be set up:
https://documentation.wazuh.com/current/installation-guide/installing-elastic-stack/elastic_server_rpm.html#elastic-server-rpm
1. Install the Elasticsearch templates (alerts template, agent-monitoring template, and a sample alert document so today's index exists):
curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://localhost:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://localhost:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
2. Logstash pipeline configuration (reads /var/ossec/logs/alerts/alerts.json on the local manager and writes to Elasticsearch):
curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-local.conf
Enable and start Logstash
systemctl enable logstash.service
systemctl start logstash.service
3. Install the Kibana plugin (the current package supports Kibana 6.1; for other Kibana versions get the matching build from GitHub: https://github.com/wazuh/wazuh-kibana-app#installation). Run the plugin installer under the same user Kibana runs as, so the installed plugin directory stays readable by the service:
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Web configuration
Open the Kibana web UI and choose the Wazuh app. It asks you to add an API connection: enter the URL of the Wazuh manager, the username and password created for the Wazuh API above, and port 55000 (the default wazuh-api listening port).
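Once the steps above are done it is worth confirming that each hop actually works before opening Kibana. The following script is an added example, not part of the original post or of the Wazuh project. It assumes the defaults used above (wazuh-api on port 55000 with the user created by htpasswd, Elasticsearch on port 9200, and today's alerts index named as in the sample-document step); the reply shapes it parses, a Wazuh 3.x API reply of the form {"error":<n>,...} with 0 meaning success and a template reply listing the wazuh-alerts-3.x-* index pattern, are also assumptions. The user name and password in the defaults are placeholders.

```shell
#!/bin/sh
# wazuh-check.sh: post-install sanity checks for the single-node Wazuh 3.x +
# Elastic setup above. Added example; not part of the Wazuh project.
# Assumptions (override via environment): Wazuh API on port 55000 with the
# user created by htpasswd, Elasticsearch on port 9200, and the Wazuh 3.x API
# reply shape {"error":<n>,...} where error 0 means success.
WAZUH_API="${WAZUH_API:-http://localhost:55000}"
ES="${ES:-http://localhost:9200}"
API_USER="${API_USER:-wazuh}"      # assumed placeholder; use the htpasswd user
API_PASS="${API_PASS:-changeme}"   # assumed placeholder; set it in the environment

# api_error_code REPLY: print the numeric "error" field of a Wazuh API reply,
# or nothing if the reply is not in the expected shape.
api_error_code() {
    printf '%s' "$1" | sed -n 's/.*"error"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# template_has_pattern REPLY: succeed if an Elasticsearch GET /_template/wazuh
# reply lists the wazuh-alerts-3.x-* index pattern (assumed template content).
template_has_pattern() {
    case "$1" in
        *'"index_patterns"'*'wazuh-alerts-3.x-*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# today_index: name of the alerts index Logstash writes today, matching the
# index used for the sample document when the template was loaded.
today_index() {
    printf 'wazuh-alerts-3.x-%s\n' "$(date +%Y.%m.%d)"
}

# check_api: authenticated call to /version; fails on bad credentials
# (HTTP 401, rejected by curl -f) or a stopped wazuh-api service.
check_api() {
    reply=$(curl -sf -u "$API_USER:$API_PASS" "$WAZUH_API/version") || return 1
    [ "$(api_error_code "$reply")" = "0" ]
}

# check_template: the alerts template must exist, otherwise Logstash output
# gets dynamic mappings and the Kibana app will not find its fields.
check_template() {
    reply=$(curl -sf "$ES/_template/wazuh") || return 1
    template_has_pattern "$reply"
}

# check_index: today's alerts index answers HTTP 200, so the manager ->
# Logstash -> Elasticsearch path is producing documents.
check_index() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$ES/$(today_index)") || return 1
    [ "$code" = "200" ]
}

# run_checks: run every check, print PASS/FAIL per check, and return the
# number of failures. Invoke with: sh wazuh-check.sh run
run_checks() {
    failed=0
    for c in check_api check_template check_index; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; failed=$((failed + 1)); fi
    done
    return "$failed"
}

case "${1:-}" in
    run) run_checks ;;
esac
```

The checks are ordered along the data path: API reachable with the htpasswd credentials, alerts template loaded, today's index present. A FAIL on check_index with the other two passing usually means Logstash is not running or cannot read /var/ossec/logs/alerts/alerts.json; a FAIL on check_api with a correct password usually means wazuh-api was not restarted after the user was created.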