In today's dynamic cybersecurity landscape, organizations face an ever-increasing number of threats. From malware and phishing attacks to insider threats and vulnerabilities in software, the need for robust and scalable security solutions is more critical than ever.
Enter Wazuh, an open-source security platform that empowers businesses to detect, monitor, and respond to security incidents efficiently.
This guide will show you how to set up a Wazuh server in Azure and connect your Windows clients for security monitoring within the Azure-hosted SIEM / XDR.
SIEM = Security Information and Event Management
XDR = Extended Detection and Response
This solution is composed of a single universal agent (Windows, macOS, Linux, cloud workloads, etc.) and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.
As you are reading this I would presume you have some knowledge of creating virtual machines in Azure; if not, contact me for further tuition.
Skills covered
Install Ubuntu server on Azure
Set up Azure port rules to allow SSH (22), HTTPS (443), Wazuh agent (1514) and Wazuh enrollment (1515)
Install a public Wazuh server on Azure via SSH
Install Wazuh client on a Windows PC
Check port connections with telnet
Connect from Windows PC to the Wazuh server
Monitor the clients for security and compliance from the Wazuh portal
Installing Ubuntu server on Azure
For my test lab I created an Ubuntu Server (24.04) virtual machine in Azure for the 1-25 agent specification, with SSH port 22, HTTPS 443, 1514 and 1515 ports enabled.
Create the virtual machine:
Login to https://portal.azure.com
Create an Ubuntu server with the following specs:
Ubuntu 24.04 server
8 GB RAM / 50 GB SSD
Azure port setup
To enable the next tasks you need to ensure the following:
SSH port 22 is open for administration
Web access on port 443 for the dashboard
Agent enrollment from client to server on port 1515
Agent connection from client to server on port 1514
Once the virtual machine is created and the ports are set up as above, connect from your Windows PC to the public IP address via SSH using PuTTY.
Installation of Wazuh on Azure Ubuntu server
Run the following to install the application (the -a flag is the all-in-one deployment, which puts the server, indexer and dashboard on this one host): curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Once installed, head over to https://<Public IP>:443, which gives you the login page:
Agent Installation and enrollment
Now that your Wazuh server installation is ready and the 4 ports are set up, you can start deploying the Wazuh agent.
First, make sure your client can reach your public IP on ports 1514/1515; otherwise nothing will appear in the management portal.
Ports Check
Check that your client can reach ports 1514 and 1515 by running a telnet command:
Install telnet
pkgmgr /iu:"TelnetClient"
Check connection:
telnet <wazuh server ip> 1514
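The same reachability check in script form, as an added example that is not part of the original post: it tests both the agent port (1514) and the enrollment port (1515) with an explicit timeout, so you can see which Azure network rule is missing. The manager address is a placeholder you must replace.

```python
# Added example (not from the original post): check that the Wazuh agent
# port (1514) and enrollment port (1515) on the manager are reachable from
# this client. This is the telnet check above, but for both ports at once
# and with a timeout instead of a hanging session.
import socket

WAZUH_MANAGER = "<wazuh server ip>"   # placeholder: replace with the manager's public IP
AGENT_PORT = 1514                      # agent <-> manager event channel
ENROLL_PORT = 1515                     # agent enrollment (authd)


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers connection refused, timeouts and unresolvable hosts alike;
        # a blocked Azure NSG rule shows up here as a timeout.
        return False


def check_wazuh_ports(host: str, ports=(AGENT_PORT, ENROLL_PORT), timeout: float = 3.0) -> dict:
    """Map each port to its reachability so the caller sees which rule is missing."""
    return {port: port_reachable(host, port, timeout) for port in ports}


if __name__ == "__main__":
    results = check_wazuh_ports(WAZUH_MANAGER)
    for port, ok in results.items():
        state = "open" if ok else "BLOCKED (check the Azure inbound port rule)"
        print(f"{WAZUH_MANAGER}:{port} -> {state}")
```

A port that reports open here but still produces no agent in the portal usually means the agent is connecting but not enrolling, so check 1515 separately from 1514 rather than assuming one implies the other.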
Install the Agent
From the management console, head over to:
Select your operating system and an installation script will be generated; for Windows this is the PowerShell command:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='172.<public ip>' WAZUH_AGENT_GROUP='default'
NET START WazuhSvc
You can also download the MSI and enter the details manually.
This method automatically registers the client in the management portal without an enrollment password, so any host that knows the IP address is able to enroll.
As this is a public-facing IP, it is recommended that you configure an enrollment password; this is documented in the official Wazuh guide here and will be covered soon:
I can now monitor the Windows client from the Azure hosted Wazuh linux server!
https://172.<public ip>
The Wazuh Management Portal
Operation of the portal will be covered on another post, subscribe below for notifications.
Fault Finding the connection
If you are having issues with the connection, the log file can be accessed here:
or in the c:\Program Files (x86)\ossec-agent\ossec.log file.
Connection fail example:
Unable to connect to '[172.<public ip>]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.
Successful connection example after allowing the ports in Azure networking:
2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([172.<public ip>]:1514/tcp).
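To spot the failed and successful connection messages above without reading the whole ossec.log, here is an added example (not from the original post) that classifies agent log lines. The sample lines are constructed from the two messages shown above; the log path is the default Windows agent path named earlier, and the "ERROR:" prefix on the constructed failure line is an assumption about how the agent formats that message.

```python
# Added example (not from the original post): classify Windows agent
# ossec.log lines so a failed or successful manager connection stands out.
import re
from pathlib import Path

AGENT_LOG = Path(r"C:\Program Files (x86)\ossec-agent\ossec.log")

# Constructed sample based on the two messages quoted in the post.
SAMPLE_LOG = [
    "2025/01/08 19:25:41 wazuh-agent: ERROR: Unable to connect to '[172.<public ip>]:1514/tcp': "
    "'A connection attempt failed because the connected party did not properly respond after a "
    "period of time, or established connection failed because connected host has failed to respond.'.",
    "2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([172.<public ip>]:1514/tcp).",
]

TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# "(4102): Connected to the server ([host]:port/tcp)"
CONNECTED_RE = re.compile(
    r"INFO: \(4102\): Connected to the server \(\[(?P<host>[^\]]+)\]:(?P<port>\d+)/tcp\)"
)
# "Unable to connect to '[host]:port/tcp': 'reason'"
FAILED_RE = re.compile(
    r"Unable to connect to '\[(?P<host>[^\]]+)\]:(?P<port>\d+)/tcp': '(?P<reason>[^']*)'"
)


def parse_line(line: str):
    """Return a dict for a connection event, or None for unrelated log lines."""
    ts_match = TIMESTAMP_RE.match(line)
    ts = ts_match.group("ts") if ts_match else None
    m = CONNECTED_RE.search(line)
    if m:
        return {"status": "connected", "host": m.group("host"),
                "port": int(m.group("port")), "time": ts}
    m = FAILED_RE.search(line)
    if m:
        return {"status": "failed", "host": m.group("host"),
                "port": int(m.group("port")), "reason": m.group("reason"), "time": ts}
    return None


def connection_summary(lines):
    """Count failures and report the most recent connection event (the current state)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = sum(1 for e in events if e["status"] == "failed")
    return {"events": len(events), "failures": failures,
            "last": events[-1] if events else None}


def summarize_log_file(path: Path = AGENT_LOG):
    """Read the agent log from disk (default Windows path) and summarize it."""
    return connection_summary(path.read_text(encoding="utf-8", errors="replace").splitlines())


if __name__ == "__main__":
    print(connection_summary(SAMPLE_LOG))
```

Because the most recent event wins, a log that shows failures followed by a "Connected" line is reported as healthy, which matches the sequence you see after fixing the Azure port rules.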
Client administration via SSH
In the PuTTY terminal you can add agents, extract keys and remove agents; to do this, run the following:
sudo /var/ossec/bin/manage_agents
A Brief Guide to the Wazuh Management Portal
The Wazuh Management Portal serves as the central hub for monitoring, analyzing, and managing your security environment. With its intuitive web-based interface, the portal simplifies the complexities of cybersecurity, offering powerful tools and visualizations to keep your systems safe and compliant.
Here's an overview of what you can do in the Wazuh Management Portal:
1. Monitor Real-Time Security Alerts
Stay on top of potential threats with a centralized dashboard displaying real-time security alerts. The portal categorizes and prioritizes events based on severity, enabling swift action against critical incidents.
2. Analyze Logs and Events
Effortlessly collect, index, and analyze logs from diverse sources, including servers, applications, and network devices. Use advanced search and filtering options to identify patterns and anomalies quickly.
3. Manage Endpoint Security
Gain full visibility into your endpoints. The portal provides detailed information on vulnerabilities, configuration issues, and suspicious activity, helping you strengthen endpoint defenses.
4. Ensure Compliance
Track and report on compliance with key standards like PCI DSS, HIPAA, and GDPR. The portal includes preconfigured policies and templates to assess your security posture against regulatory requirements.
5. Visualize Threat Data
Transform raw data into actionable insights with customizable dashboards and graphs. Visualizations help you understand trends, detect recurring issues, and optimize your security strategy.
6. Investigate Incidents
Drill down into specific incidents to uncover root causes and prevent future occurrences. The portal integrates threat intelligence feeds and forensic tools to enhance your investigation process.
7. Manage Agents
Deploy, configure, and monitor Wazuh agents across your infrastructure from a single interface. The portal streamlines agent updates and troubleshooting, saving valuable time.
8. Customize Alerts and Integrations
Tailor alert rules to suit your organization's needs and integrate Wazuh with third-party tools like Slack, Jira, and SIEM solutions for seamless workflows.
The Wazuh Management Portal is your command center for proactive security. By providing visibility, automation, and control, it empowers organizations to detect and respond to threats effectively while maintaining compliance. Start exploring the portal today and unlock the full potential of your cybersecurity strategy.
Work in progress... more coming.
Old notes:
Keys:
If they already exist, the keys can be found in /var/ossec/etc/client.keys.
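A way to review what is registered in that file without pasting keys around, as an added example that is not part of the original post: it parses the one-agent-per-line "ID NAME IP KEY" format of client.keys, lists agents by ID, name and IP, and flags duplicate names and agents registered with the "any" source address (which is what an open enrollment such as the one above produces). The sample file content is constructed with fake IDs, names and keys.

```python
# Added example (not from the original post): audit the manager's
# /var/ossec/etc/client.keys listing without exposing the agent keys.
# Assumes the one-agent-per-line format "ID NAME IP KEY".
from collections import Counter
from pathlib import Path

CLIENT_KEYS = Path("/var/ossec/etc/client.keys")

# Constructed sample: fake agent IDs, names and keys, not real data.
SAMPLE_CLIENT_KEYS = """\
001 WIN-LAB-01 any 0000000000000000000000000000000000000000000000000000000000000001
002 WIN-LAB-02 10.0.0.5 0000000000000000000000000000000000000000000000000000000000000002
003 WIN-LAB-01 any 0000000000000000000000000000000000000000000000000000000000000003
"""


def parse_client_keys(text: str):
    """Return one record per agent; the key itself is replaced by its length."""
    agents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess
        agent_id, name, ip, key = parts
        agents.append({"id": agent_id, "name": name, "ip": ip, "key_len": len(key)})
    return agents


def audit_agents(agents):
    """Flag duplicate names and agents allowed to connect from any address."""
    names = Counter(a["name"] for a in agents)
    duplicates = sorted(n for n, c in names.items() if c > 1)
    any_ip = [a["id"] for a in agents if a["ip"] == "any"]
    return {"count": len(agents), "duplicate_names": duplicates, "any_ip": any_ip}


def audit_client_keys_file(path: Path = CLIENT_KEYS):
    """Read client.keys from disk (needs root on the manager) and audit it."""
    return audit_agents(parse_client_keys(path.read_text(encoding="utf-8")))


if __name__ == "__main__":
    report = audit_agents(parse_client_keys(SAMPLE_CLIENT_KEYS))
    print(report)
```

A duplicate name usually means a client was re-enrolled after a reinstall and the stale entry should be removed with manage_agents; a long list of "any" entries on a public-facing manager is the signal that the enrollment password mentioned earlier is worth configuring.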