Wazuh XDR setup on Proxmox virtual machine
- GK
- Apr 28
- 5 min read

In the rapidly evolving cybersecurity environment of today, organizations encounter a growing array of threats. These include malware, phishing attacks, insider threats, and software vulnerabilities, making the demand for strong and scalable security solutions more crucial than ever.
Enter Wazuh, an open-source security platform that empowers businesses to detect, monitor, and respond to security incidents efficiently.
Proxmox is a virtualization platform designed for the provisioning of hyper-converged infrastructure. Proxmox allows deployment and management of virtual machines and containers.

This guide shows you how to set up Wazuh on a home Proxmox server and connect your Windows clients for security monitoring; with additional configuration (covered later) it can be extended to external clients.
SIEM = Security Information and Event Management
XDR = Extended Detection and Response

This solution uses a single universal agent (Windows, Mac, cloud, etc.) and consists of three central components:
the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.

Skills covered
Upload the Ubuntu o/s ISO into Proxmox
Install Ubuntu Server and enable SSH services
Install Wazuh on Ubuntu Server
Install Wazuh client on a Windows PC
Connect from Windows PC to the Wazuh server
Create password authentication for enrollment for added security
Monitor the clients for security and compliance from the Wazuh portal
Further guides on expanding to external clients and on monitoring will follow.
Installing Ubuntu server
For my setup I'm going to create an Ubuntu server (24.04) virtual machine in Proxmox.
I logged into my Proxmox server, went to my local datastore and uploaded the Ubuntu Server ISO as below:

If you would like to see a proxmox setup guide drop me a message.

Now create a new Virtual Machine, select the ISO from the previous step.
Use this as a guideline for the specs.

When prompted also install the "OpenSSH Server" for easier remote access via terminal.

Once installed, open PowerShell and type the below to connect to your new virtual machine, substituting your own login name and IP address:
ssh dave@192.168.0.69
SSH from PowerShell is preferable to using the Proxmox console window.
Run the following to perform a system update
sudo apt-get update
Installation of Wazuh on Azure Ubuntu server
Run the following to install the application:
curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once installed, head over to https://<new server IP>:443, which brings you to the login page (the install script prints the admin username and password at the end of its output):

Agent Installation and enrollment
Now that your Wazuh server installation is ready, you can start deploying the Wazuh agent.
Ports Check

Check that your client can reach ports 1514 (agent communication) and 1515 (enrollment) on the server by running a telnet command:
Install telnet
pkgmgr /iu:"TelnetClient"
Check connection:
telnet <wazuh server ip> 1514
Install the Agent
From the management console head over to:

Select your operating system and an installation script will be generated; for Windows this is the PowerShell command:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='Wazuh server IP'
NET START WazuhSvc

This method automatically adds the client to the management portal without a joining password, so any client that knows the server's IP address can enroll.

I can now access the portal via this webpage:
https://<server ip>/app/wz-home
Further guides to follow expanding on SIEM and XDR monitoring.
Main dashboard for monitoring clients' vulnerabilities.


Setting up password authentication for client enrollment
If this server is going to be public facing rather than a simple home lab, it is good practice to use a joining password, otherwise any client could enroll if it knew the public IP address. You will also need to configure port forwarding on your firewall to direct traffic to your Proxmox Ubuntu server (this is covered in another post).
Firstly the <use_password> setting in the <auth> section of /var/ossec/etc/ossec.conf needs to be set to "yes".

Using the SSH connection in PuTTY, edit the following:
sudo nano /var/ossec/etc/ossec.conf
Edit the file, replacing "no" with "yes" in the <use_password> element.
Save and confirm using:
more /var/ossec/etc/ossec.conf
Now that you have password authentication switched on, the next step is setting the password (the redirect needs root, so write the file via sudo tee):
echo "<CUSTOM_PASSWORD>" | sudo tee /var/ossec/etc/authd.pass > /dev/null

Check the file using "more".
Set the correct permissions with the following:

sudo chmod 640 /var/ossec/etc/authd.pass
sudo chown root:wazuh /var/ossec/etc/authd.pass
Finally, restart the service for the changes to apply:
sudo systemctl restart wazuh-manager
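The enrollment-password steps above, gathered into one script as an added example (this is not code from the original post or from the Wazuh project). It assumes the documented <use_password> element inside the <auth> section of ossec.conf, a wazuh group on the manager, and a Linux host with GNU sed and stat. The functions take file paths so they can be exercised against a scratch copy first; the real /var/ossec paths are only touched when the script is run with --apply.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable password-based agent
# enrollment on the Wazuh manager as the post describes, written as functions
# that take file paths so they can be dry-run against a scratch copy.
# Assumptions: ossec.conf contains an <auth> block with a <use_password>
# element; the wazuh group exists on a real manager; GNU sed/stat are present.
set -u

# Flip <use_password>no</use_password> to yes inside the <auth> section.
# Idempotent: running it twice leaves the file unchanged.
enable_enrollment_password() {
  conf="$1"
  sed -i 's#<use_password>no</use_password>#<use_password>yes</use_password>#' "$conf"
}

# Write the enrollment password with restrictive permissions from the start
# (umask 077 so the file is never world-readable, even briefly), then set the
# 640 mode the post uses; chown root:wazuh only when we really are root on a
# manager that has the wazuh group.
write_enrollment_password() {
  passfile="$1"; password="$2"
  ( umask 077; printf '%s\n' "$password" > "$passfile" )
  chmod 640 "$passfile"
  if [ "$(id -u)" -eq 0 ] && getent group wazuh >/dev/null 2>&1; then
    chown root:wazuh "$passfile"
  fi
}

# Print "ok" only when both settings are in place: use_password=yes and
# authd.pass is mode 640 (no world access). Anything else prints
# "misconfigured" and returns non-zero.
verify_enrollment_config() {
  conf="$1"; passfile="$2"
  grep -q '<use_password>yes</use_password>' "$conf" || { echo misconfigured; return 1; }
  [ "$(stat -c %a "$passfile" 2>/dev/null)" = "640" ] || { echo misconfigured; return 1; }
  echo ok
}

# Apply to the real manager only when invoked with --apply, as root:
#   sudo bash enroll_password.sh --apply 'YourStrongPassword'
if [ "${1:-}" = "--apply" ]; then
  enable_enrollment_password /var/ossec/etc/ossec.conf
  write_enrollment_password /var/ossec/etc/authd.pass "${2:?password required}"
  verify_enrollment_config /var/ossec/etc/ossec.conf /var/ossec/etc/authd.pass
  systemctl restart wazuh-manager
fi
```

The verify function is the useful part to keep around: a manager where use_password is "yes" but authd.pass is world-readable leaks the enrollment secret to every local user, and the check catches that combination as well as the plain "forgot to restart" case.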
Disconnecting a client and reconnecting with the password
To test I'm disconnecting a client on my home lab and rejoining with a password:
sudo /var/ossec/bin/manage_agents
Remove the agent using the "R" option and select the test PC.

As you can see from the log files, the connection now fails; we need a new deployment script with the password embedded (uninstall the old agent beforehand).

To create the new script go to:
https://<public ip>/app/endpoints-summary#/agents-preview/deploy

The above created a new deployment script, which I ran in PowerShell on the Windows client:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='<ip>' WAZUH_REGISTRATION_PASSWORD='<CUSTOM_PASSWORD>'
Agent now connected (see C:\Program Files (x86)\ossec-agent\ossec.log).

Official documentation:
Fault Finding the connection
If you are having issues with the connection, the log file can be accessed here:

or in the C:\Program Files (x86)\ossec-agent\ossec.log file.
Connection fail example:
Unable to connect to '[172.<public ip>]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.
Successful connection example after allowing the ports in Azure networking:
2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([172.<public ip>]:1514/tcp).
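A small triage helper for the fault-finding step above, added here as an example (it is not code from the original post or from the Wazuh project). It classifies an agent's connection state from the two message types the post quotes, the "(4102): Connected to the server" INFO line and the "Unable to connect to" error, and works on a copy of the Windows agent's ossec.log or on the manager's own /var/ossec/logs/ossec.log. The sample log lines are constructed; the "ERROR:" prefix and timestamps on the failure lines are assumed formatting, and 192.0.2.10 is a documentation address.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): classify an agent's connection
# state from ossec.log using the two messages the post quotes. Sample lines
# below are constructed; the failure line's prefix is assumed formatting.
set -u

# State is decided by the LAST connection-related line, not the first: an
# early "Connected" followed by a later "Unable to connect" means the agent
# is currently down (for example after a port-forward rule was removed).
agent_connection_state() {
  logfile="$1"
  last=$(grep -E 'Connected to the server|Unable to connect to' "$logfile" | tail -n 1)
  case "$last" in
    *'Connected to the server'*) echo connected ;;
    *'Unable to connect to'*)    echo failed ;;
    *)                           echo unknown ;;
  esac
}

# Number of failed attempts; many failures with no later success usually
# points at a firewall or port-forwarding problem on 1514/tcp rather than
# a bad enrollment key.
count_connection_failures() {
  grep -c 'Unable to connect to' "$1" || true
}

# Extract the manager address the agent is trying to reach, so a typo in
# WAZUH_MANAGER is visible at a glance. Prints the first "[host]:port/tcp".
agent_target() {
  grep -oE '\[[^]]+\]:[0-9]+/tcp' "$1" | head -n 1
}

# Build a constructed log showing two failures followed by a recovery.
make_sample_log() {
  out="$1"
  cat > "$out" <<'EOF'
2025/01/08 19:21:15 wazuh-agent: ERROR: Unable to connect to '[192.0.2.10]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.
2025/01/08 19:25:40 wazuh-agent: ERROR: Unable to connect to '[192.0.2.10]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.
2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([192.0.2.10]:1514/tcp).
EOF
}

# Usage: bash triage.sh /path/to/ossec.log
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  echo "target:   $(agent_target "$1")"
  echo "failures: $(count_connection_failures "$1")"
  echo "state:    $(agent_connection_state "$1")"
fi
```

Pointing the script at a log copied from the client gives a one-line answer to the question the post's two log excerpts illustrate: is the agent up now, and if not, which address and port is it failing to reach.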
Client administration via SSH
In the PuTTY terminal you can add agents, extract keys and remove agents; to do this run the following:
sudo /var/ossec/bin/manage_agents

A Brief Guide to the Wazuh Management Portal
The Wazuh Management Portal serves as the central hub for monitoring, analyzing, and managing your security environment. With its intuitive web-based interface, the portal simplifies the complexities of cybersecurity, offering powerful tools and visualizations to keep your systems safe and compliant.
Here's an overview of what you can do in the Wazuh Management Portal:
1. Monitor Real-Time Security Alerts
Stay on top of potential threats with a centralized dashboard displaying real-time security alerts. The portal categorizes and prioritizes events based on severity, enabling swift action against critical incidents.
2. Analyze Logs and Events
Effortlessly collect, index, and analyze logs from diverse sources, including servers, applications, and network devices. Use advanced search and filtering options to identify patterns and anomalies quickly.
3. Manage Endpoint Security
Gain full visibility into your endpoints. The portal provides detailed information on vulnerabilities, configuration issues, and suspicious activity, helping you strengthen endpoint defenses.
4. Ensure Compliance
Track and report on compliance with key standards like PCI DSS, HIPAA, and GDPR. The portal includes preconfigured policies and templates to assess your security posture against regulatory requirements.
5. Visualize Threat Data
Transform raw data into actionable insights with customizable dashboards and graphs. Visualizations help you understand trends, detect recurring issues, and optimize your security strategy.
6. Investigate Incidents
Drill down into specific incidents to uncover root causes and prevent future occurrences. The portal integrates threat intelligence feeds and forensic tools to enhance your investigation process.
7. Manage Agents
Deploy, configure, and monitor Wazuh agents across your infrastructure from a single interface. The portal streamlines agent updates and troubleshooting, saving valuable time.
8. Customize Alerts and Integrations
Tailor alert rules to suit your organization's needs and integrate Wazuh with third-party tools like Slack, Jira, and SIEM solutions for seamless workflows.
The Wazuh Management Portal is your command center for proactive security. By providing visibility, automation, and control, it empowers organizations to detect and respond to threats effectively while maintaining compliance. Start exploring the portal today and unlock the full potential of your cybersecurity strategy.
Old notes:
Keys:
If agents already exist, their keys can be found in /var/ossec/etc/client.keys