Wazuh Part 1

Introduction

Let's get Wazuh back up and running.

Problem

  • My Wazuh dashboard is not running properly

Plan

  • Fix the issue
    • Might reinstall.
  • Access the Dashboard to familiarise myself

Process

Let's get right into it. I'm trying to start Wazuh again after finally powering on my server since my house flooded, and there are issues. The line I'm running is:
sudo systemctl start wazuh-manager
Also, to check the status:
sudo systemctl status wazuh-manager
It can also be run against wazuh-dashboard in place of wazuh-manager.

I did a sudo update and upgrade, and now I'm getting a fatal error: listen EACCES: permission denied when I attempt to start the dashboard. I did a restart at this point, hoping the restart after the update would help start the dashboard. Was I wrong... When booting, the Network Manager was failing, then wazuh-indexer and wazuh-manager. In Proxmox, I deleted the other NIC that I was using for VLAN 200 and the other networking project I am doing.

At this point, it's easier to blow this VM away and start again. So let's do just that. I deleted the VM and set the ID to 1002. The unfortunate part is that I already had an agent running on a different machine. It should be easy to reassign it.

Be sure to run Update and Upgrade. I also had to install Curl and net-tools. The install command:
curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh
sudo bash wazuh-install.sh -a
This will:
  • Install Wazuh Manager
  • Install OpenSearch (the indexer)
  • Install Wazuh Dashboard
  • Install Filebeat
Once the installation is complete, the user and password will be displayed and need to be documented. I recommend changing the credentials as soon as you gain access to the Wazuh Dashboard.

After some time, it finished installing. I see the Username and password. It also tells me I can access my dashboard at my <IP address>:443

I think the first thing I'll do is deploy an agent to my personal laptop, just to see the chaos and mess I'm in. I click the blue button that says: Deploy New Agent.
  • Click Windows.
  • Put in the IP address of the Wazuh Server.
  • Name it “AshtonWard-Laptop”.
  • Default Group.
  • Copy the command to install the agent.

On my laptop, I'll open PowerShell as an administrator and paste and run the command. Secondly, start the agent:
NET START WazuhSvc
I see “The Wazuh service was started successfully.” Big smiles, now let's see the vulnerabilities on my machine.

[Image: CaptureVulnerabilites.PNG]

Amazing news. No Vulnerabilities at this time.

This should conclude part 1 of Wazuh installation. In the next part, we'll dive into Threat Hunting and do some more exploring of the Wazuh Dashboard. Till next time!

One more thing, to stop the services cleanly, run this command:
sudo systemctl stop wazuh-manager wazuh-dashboard filebeat
sudo pkill -f opensearch
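
A quick way to confirm the reinstall actually came up: the script below is an added example, not part of the original post or of Wazuh's tooling. It checks the four units named in this post and whether anything is listening on the dashboard port 443. The function names and the sample data are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: post-install check for the components set up by
# `wazuh-install.sh -a`. Function names are hypothetical.
WAZUH_UNITS="wazuh-manager wazuh-indexer wazuh-dashboard filebeat"

# Print one "unit state" line per unit, as reported by systemctl.
collect_states() {
  local unit state
  for unit in $WAZUH_UNITS; do
    state=$(systemctl is-active "$unit" 2>/dev/null || true)
    printf '%s %s\n' "$unit" "${state:-unknown}"
  done
}

# Read "unit state" lines on stdin. Print every expected unit that is
# missing or not "active"; return 1 if there is at least one.
check_states() {
  local input unit state bad
  bad=0
  input=$(cat)
  for unit in $WAZUH_UNITS; do
    state=$(printf '%s\n' "$input" | awk -v u="$unit" '$1 == u { print $2 }')
    if [ "$state" != "active" ]; then
      printf 'NOT OK: %s is %s\n' "$unit" "${state:-missing}"
      bad=1
    fi
  done
  return "$bad"
}

# Read `ss -ltn` output on stdin; succeed if something listens on TCP port $1.
port_listening() {
  awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) f = 1 }
                 END { exit !f }'
}

# Constructed sample: a dashboard that failed to start.
SAMPLE_STATES='wazuh-manager active
wazuh-indexer active
wazuh-dashboard failed
filebeat active'

# Real use on the Wazuh server:
#   collect_states | check_states && ss -ltn | port_listening 443 && echo OK
printf '%s\n' "$SAMPLE_STATES" | check_states || echo "sample: fix the units above"
```

For any unit it flags, sudo journalctl -u <unit> shows the log lines behind the failure.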