
Wazuh SIEM Deployment: Deploying Your First Agent

 


Now that you have deployed your Wazuh server, we can get on to deploying agents to our endpoints (Windows servers, workstations, Linux boxes, etc.). 

For housekeeping, we can create groups in the Wazuh management console; these are used to logically group our devices. Group membership matters beyond tidiness: the shared configuration of a group is pushed to every agent in it, so decide the grouping before you enrol anything. 

Begin by opening the Wazuh drop-down menu, then select Management and then Groups. 


Select "Add Group" and enter your desired group name(s). I've created a number of groups for my infrastructure. 
Cool! Now that the groups are done, we can begin deploying our agent. I'm starting with my Windows workstation that sits at the bottom of my rack. 

Select the Wazuh menu again and choose "Agents". As this is our first agent deployment, we are taken directly to the Add Agent screen. 

Fill in the appropriate details (the endpoint's operating system, the Wazuh server address the agent should talk to, and optionally an agent name and the group you created above). 


Once we have filled in all the details, you'll be presented with a PowerShell command to run. Make sure you launch PowerShell as an administrator: the installer writes to Program Files and registers a Windows service, so it will fail from an unelevated session. 


Copy the PowerShell command and run it. (Make sure the endpoint can reach the Wazuh server by the FQDN or IP address you entered in the form: the agent enrols over TCP 1515 and then sends events over port 1514, so both must be allowed through any firewall in between.) 


Don't forget to start the agent as well (the second command the console gives you, NET START WazuhSvc). Until the service is running, the agent sends nothing and will not appear as active. 


If you now navigate to Wazuh Menu > Agents you should see your first agent endpoint! 
Clicking on the device takes you to the detailed results; as you can see, I fail, haha. That's all for now; next we'll explore either log forwarding for devices such as vCenter or agentless monitoring for devices like my FortiGate firewall :)  
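The whole Windows deployment above (reachability check, elevated install with the group baked in, start the service, confirm it is running) as a single script. This is an added example, not the command the Wazuh console generates for you. The manager name wazuh.lab.local, the group name workstations and the MSI URL/version are placeholders; substitute your own, and paste the SHA-256 that Wazuh publishes for that MSI into $ExpectedSha256 if you want the download verified before it is executed.

```powershell
#Requires -RunAsAdministrator
# Example Wazuh agent deployment for Windows (added illustration, not the script
# generated by the Wazuh console). All values below are assumptions: replace the
# manager address, group, MSI URL and checksum with your own.
param(
    [string]$Manager        = 'wazuh.lab.local',   # assumed FQDN or IP of the Wazuh server
    [string]$Group          = 'workstations',      # must match a group created under Management > Groups
    [string]$AgentName      = $env:COMPUTERNAME,
    [string]$MsiUrl         = 'https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.2-1.msi',  # assumed version
    [string]$ExpectedSha256 = ''                   # optional: SHA-256 published by Wazuh for that MSI
)

$ErrorActionPreference = 'Stop'

# 1. Reachability pre-check. The agent enrols over TCP 1515 and then reports over 1514;
#    failing here is cheaper than debugging a "never connected" agent in the console.
foreach ($port in 1515, 1514) {
    $ok = (Test-NetConnection -ComputerName $Manager -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $ok) { throw "Cannot reach $Manager on TCP $port - check DNS, routing and firewall rules" }
}

# 2. Download the installer and, when a checksum was supplied, refuse to run a tampered file.
$msi = Join-Path $env:TEMP 'wazuh-agent.msi'
Invoke-WebRequest -Uri $MsiUrl -OutFile $msi -UseBasicParsing
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) { throw "Checksum mismatch for $msi (got $actual)" }
}

# 3. Silent install. These MSI properties are the same ones the console-generated
#    command passes; quoting them keeps msiexec happy if a value contains spaces.
$props = @(
    "WAZUH_MANAGER=`"$Manager`"",
    "WAZUH_REGISTRATION_SERVER=`"$Manager`"",
    "WAZUH_AGENT_GROUP=`"$Group`"",
    "WAZUH_AGENT_NAME=`"$AgentName`""
) -join ' '
$proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" /q $props" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode)" }

# 4. Start the service (the step that is easy to forget) and confirm it is running.
Start-Service -Name WazuhSvc
Get-Service -Name WazuhSvc | Select-Object Name, Status
```

Run it from an elevated PowerShell prompt on the endpoint; the #Requires line stops it early otherwise. If the agent still shows as "Never connected" in the console, the port check in step 1 is the first thing to revisit, followed by the group name, which has to exist on the manager before enrolment.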


