GK

Wazuh SIEM & XDR setup on Azure Linux virtual machine

Updated: 3 days ago

Wazuh setup guide

In today's dynamic cybersecurity landscape, organizations face an ever-increasing number of threats. From malware and phishing attacks to insider threats and vulnerabilities in software, the need for robust and scalable security solutions is more critical than ever.


Enter Wazuh, an open-source security platform that empowers businesses to detect, monitor, and respond to security incidents efficiently.


SIEM v XDR

This guide will show you how to set up a Wazuh server in Azure and connect your Windows clients to it for security monitoring within the Azure-hosted SIEM / XDR.


SIEM = Security Information and Event Management


XDR = Extended Detection and Response



This solution is composed of a single universal agent (for Windows, macOS, cloud workloads etc.) and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.


As you are reading this I would presume you have some knowledge of creating virtual machines in Azure, if not contact me for further tuition.


Wazuh dashboard

Skills covered

  • Install Ubuntu server on Azure

  • Set up Azure port rules to allow SSH (22), HTTPS (443), Wazuh agent (1514) and Wazuh enrollment (1515)

  • Install a Wazuh public server on Azure via ssh

  • Install Wazuh client on a Windows PC

  • Check port connections with telnet

  • Connect from Windows PC to the Wazuh server

  • Monitor the clients for security and compliance from the Wazuh portal


 

Installing Ubuntu server on Azure

For my test lab I created an Ubuntu Server (24.04) virtual machine in Azure, sized for the 1-25 agent specification, with SSH port 22, HTTPS 443 and ports 1514 and 1515 enabled.


Create the virtual machine:


Create an Ubuntu server with the following specs:

Ubuntu 24.04 server

8GB ram / 50GB SSD






Azure port setup

To enable the next tasks you need to ensure the following:

  • SSH terminal port 22 is open for administration

  • Web access port 443 for web site access

  • Agent enrollment from client to server on port 1515

  • Agent connection from client to server on port 1514


Azure port rules

Once the virtual machine is created and the ports are set up as above, connect from your Windows PC to the public IP address via SSH using PuTTY.
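The four port rules above can also be created from the Azure CLI instead of the portal. The script below is an added example and not part of the guide; the resource group, NSG name and admin IP are assumed placeholders. It keeps the management ports (22 and 443) limited to the address you administer from, while the agent ports (1514 and 1515) stay open because agents connect from arbitrary networks. With DRY_RUN=1 (the default) it only prints the az commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): create the four inbound NSG rules with the Azure CLI.
# RESOURCE_GROUP, NSG_NAME and ADMIN_IP are assumed placeholders; override them via the environment.
set -euo pipefail

RESOURCE_GROUP="${RESOURCE_GROUP:-wazuh-lab-rg}"   # assumption: your resource group
NSG_NAME="${NSG_NAME:-wazuh-server-nsg}"          # assumption: the VM's network security group
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"               # assumption: the IP you administer from
DRY_RUN="${DRY_RUN:-1}"                            # 1 = only print the commands, 0 = run them

# Source prefix for a port: the management ports (22, 443) are limited to ADMIN_IP,
# the agent ports (1514, 1515) stay open because agents connect from arbitrary networks.
source_for_port() {
  case "$1" in
    22|443)    printf '%s' "$ADMIN_IP/32" ;;
    1514|1515) printf '%s' '*' ;;
    *)         return 1 ;;
  esac
}

# Build the az command for one rule as a string (the source is double-quoted so that '*'
# is not expanded by the shell when the command is executed).
nsg_rule_cmd() {
  local name="$1" priority="$2" port="$3" source="$4"
  printf 'az network nsg rule create --resource-group %s --nsg-name %s --name %s --priority %s --direction Inbound --access Allow --protocol Tcp --source-address-prefixes "%s" --destination-port-ranges %s' \
    "$RESOURCE_GROUP" "$NSG_NAME" "$name" "$priority" "$source" "$port"
}

# Create (or print) one rule per port, with ascending priorities so they do not collide.
apply_rules() {
  local priority=1000 port cmd
  for port in 22 443 1514 1515; do
    cmd="$(nsg_rule_cmd "allow-tcp-$port" "$priority" "$port" "$(source_for_port "$port")")"
    if [ "$DRY_RUN" = "1" ]; then
      echo "$cmd"
    else
      eval "$cmd"
    fi
    priority=$((priority + 10))
  done
}

apply_rules
```

Run it once with the defaults to review the four commands, then with DRY_RUN=0 after logging in with az login. If you administer from more than one address, pass a comma-free space-separated list to --source-address-prefixes or add a second rule rather than widening port 22 to any source.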

Installation of Wazuh on Azure Ubuntu server


Run the following to install the application:

curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a



Once installed, head over to https://<Public IP>:443, which gives you the login:

Wazuh login page

Agent Installation and enrollment


Now that your Wazuh server installation is ready and the 4 ports are set up, you can start deploying the Wazuh agent.


First, make sure your client can reach your public IP and the services on ports 1514/1515, otherwise nothing will appear in the management portal.





Ports Check


Check your client can reach ports 1514 and 1515 by running a telnet command:


Install telnet

pkgmgr /iu:"TelnetClient"

Check connection:

telnet <wazuh server ip> 1514

 

Install the Agent

From the management console head over to:



Select your operating system and an installation script will be generated; for Windows this is the PowerShell command:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='172.<public ip>' WAZUH_AGENT_GROUP='default'
NET START WazuhSvc


You can also manually download the msi and enter the details manually.


Wazuh agent

This method will automatically add the client to the management portal with no joining password, so any client that knows the IP address will be able to join.


As this is a public-facing IP, it's recommended you configure a joining password to connect; this is documented in the official Wazuh guide here and will be covered soon:

I can now monitor the Windows client from the Azure-hosted Wazuh Linux server!



The Wazuh Management Portal

Operation of the portal will be covered on another post, subscribe below for notifications.


 

Fault Finding the connection


If you are having issues with the connection, the log files can be accessed here:

or in the c:\Program Files (x86)\ossec-agent\ossec.log file.
Connection fail example:

Unable to connect to '[172.<public ip>]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.

Successful connection example after allowing the ports in Azure networking:

2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([172.<public ip>]:1514/tcp).
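When an agent has been retrying for a while, the log fills up with repeated timeouts and the single line that matters is easy to miss. The script below is an added example, not part of the guide or of Wazuh: it classifies each ossec.log line as connected, unreachable or other and reports the final state together with the number of failed attempts, which distinguishes "port 1514 still blocked in Azure" from "connected after the rule was added". Feed it the ossec.log copied from the Windows path above or, on a Linux agent, /var/ossec/logs/ossec.log; the sample log in the block is constructed and the IP is the guide's placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): classify wazuh-agent connection messages in ossec.log.
# Works on the Windows agent log copied from c:\Program Files (x86)\ossec-agent\ossec.log
# or, on a Linux agent, /var/ossec/logs/ossec.log; the sample below is constructed.
set -euo pipefail

# Print "connected", "unreachable" or "other" for a single ossec.log line.
# 4102 is the message id shown in the guide's successful-connection example.
classify_line() {
  case "$1" in
    *"(4102): Connected to the server"*) echo connected ;;
    *"Unable to connect to"*)            echo unreachable ;;
    *)                                   echo other ;;
  esac
}

# Read a log on stdin and print "<final state> <failed attempts>". A server whose
# 1514 port is still blocked in Azure shows up as "unreachable" with a growing count;
# once the NSG rule is in place the state flips to "connected".
summarise_log() {
  local state=other failures=0 line kind
  while IFS= read -r line; do
    kind="$(classify_line "$line")"
    case "$kind" in
      unreachable) failures=$((failures + 1)); state=unreachable ;;
      connected)   state=connected ;;
    esac
  done
  printf '%s %d\n' "$state" "$failures"
}

# Constructed sample: two timeouts while 1514 was blocked, then success after the rule was added.
sample_log() {
  cat <<'EOF'
2025/01/08 19:20:01 wazuh-agent: ERROR: Unable to connect to '[172.<public ip>]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.
2025/01/08 19:25:03 wazuh-agent: ERROR: Unable to connect to '[172.<public ip>]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.
2025/01/08 19:28:40 wazuh-agent: INFO: Started (pid: 1234).
2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([172.<public ip>]:1514/tcp).
EOF
}

# Usage with a real file:  summarise_log < /path/to/ossec.log
sample_log | summarise_log   # prints: connected 2
```

If the summary stays at "unreachable" with a rising count, check the Azure NSG rule for 1514 and the telnet test above before looking anywhere else; if it reports "other 0", the agent has not even attempted a connection yet, which usually means the WazuhSvc service is not running or WAZUH_MANAGER was set wrongly.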

 

Client administration via SSH


In the PuTTY terminal you can add agents, extract keys and remove agents; to do this run the following:

sudo /var/ossec/bin/manage_agents

A Brief Guide to the Wazuh Management Portal


The Wazuh Management Portal serves as the central hub for monitoring, analyzing, and managing your security environment. With its intuitive web-based interface, the portal simplifies the complexities of cybersecurity, offering powerful tools and visualizations to keep your systems safe and compliant.


Here's an overview of what you can do in the Wazuh Management Portal:


1. Monitor Real-Time Security Alerts

Stay on top of potential threats with a centralized dashboard displaying real-time security alerts. The portal categorizes and prioritizes events based on severity, enabling swift action against critical incidents.


2. Analyze Logs and Events

Effortlessly collect, index, and analyze logs from diverse sources, including servers, applications, and network devices. Use advanced search and filtering options to identify patterns and anomalies quickly.


3. Manage Endpoint Security

Gain full visibility into your endpoints. The portal provides detailed information on vulnerabilities, configuration issues, and suspicious activity, helping you strengthen endpoint defenses.


4. Ensure Compliance

Track and report on compliance with key standards like PCI DSS, HIPAA, and GDPR. The portal includes preconfigured policies and templates to assess your security posture against regulatory requirements.


5. Visualize Threat Data

Transform raw data into actionable insights with customizable dashboards and graphs. Visualizations help you understand trends, detect recurring issues, and optimize your security strategy.


6. Investigate Incidents

Drill down into specific incidents to uncover root causes and prevent future occurrences. The portal integrates threat intelligence feeds and forensic tools to enhance your investigation process.


7. Manage Agents

Deploy, configure, and monitor Wazuh agents across your infrastructure from a single interface. The portal streamlines agent updates and troubleshooting, saving valuable time.


8. Customize Alerts and Integrations

Tailor alert rules to suit your organization's needs and integrate Wazuh with third-party tools like Slack, Jira, and SIEM solutions for seamless workflows.

The Wazuh Management Portal is your command center for proactive security. By providing visibility, automation, and control, it empowers organizations to detect and respond to threats effectively while maintaining compliance. Start exploring the portal today and unlock the full potential of your cybersecurity strategy.



Work in progress......... more coming


 

Old notes:



Keys:

If they already exist, the keys can be found in /var/ossec/etc/client.keys
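The interactive manage_agents menu from the "Client administration via SSH" section above and the client.keys file mentioned here hold the same data. The script below is an added example, not part of the guide or of Wazuh: it lists the agents registered in client.keys without echoing their keys into a terminal scrollback, and wraps manage_agents' own command-line flags (-a/-n to add, -e to extract a key, -r to remove) for scripted use. WAZUH_HOME defaults to /var/ossec, and the sample client.keys file it builds is constructed with fake keys.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): list registered agents from client.keys without
# printing their keys, and wrap the non-interactive flags of manage_agents.
# WAZUH_HOME defaults to /var/ossec; the sample client.keys below is constructed.
set -euo pipefail

WAZUH_HOME="${WAZUH_HOME:-/var/ossec}"

# client.keys holds one agent per line: "<id> <name> <ip-or-any> <key>".
# Print only "<id> <name> <ip>" so the shared keys never end up in a terminal scrollback;
# lines beginning with '!' (entries marked as removed) are skipped.
list_agents() {
  local file="${1:-$WAZUH_HOME/etc/client.keys}"
  awk '$1 !~ /^!/ && NF >= 4 { print $1, $2, $3 }' "$file"
}

# Number of active agents in a client.keys file.
count_agents() {
  list_agents "${1:-}" | wc -l | tr -d ' '
}

# Thin wrappers over manage_agents' command-line mode (same actions as its interactive menu).
manage() { sudo "$WAZUH_HOME/bin/manage_agents" "$@"; }
add_agent()    { manage -a "$2" -n "$1"; }   # add_agent <name> <ip-or-any>
extract_key()  { manage -e "$1"; }           # extract_key <id>   (prints that agent's key)
remove_agent() { manage -r "$1"; }           # remove_agent <id>

# Constructed sample client.keys with fake keys: two active agents and one removed entry.
sample_keys_file() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
001 win-client-01 any 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 mac-client-01 any fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
!003 old-client any 0000000000000000000000000000000000000000000000000000000000000000
EOF
  printf '%s' "$f"
}

# Usage on the server:  list_agents           (reads /var/ossec/etc/client.keys)
# Demo on the constructed sample file:
list_agents "$(sample_keys_file)"
```

Because client.keys contains every agent's shared key, treat it like a credential store: read it as root only, and prefer list_agents over cat when you just need to know which agents are enrolled.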

