Step-by-Step Guide: Install Wazuh, Configure Windows Agent, and Create Custom Alert Rules (2025) 🔥

🛡️ Step-by-Step: Install Wazuh, Configure Windows Agent & Custom Alerts

Complete hands-on guide to deploy Wazuh SIEM, connect Windows agents, monitor application installs, and create a custom alert rule.


📋 1. Prerequisites

Server Requirements

  • OS: Ubuntu 20.04 / 22.04 LTS or CentOS 7 / 8 / 9
  • CPU: 4 cores (minimum)
  • RAM: 8 GB (minimum)
  • Storage: 50 GB or more recommended
  • Ports: TCP 1514, 1515, 55000, 5601, 9200, 443

Accounts & Permissions

  • Root or sudo privileges on Linux server
  • Administrator privileges on Windows endpoint
  • NTP service enabled for accurate timestamps

⚙️ 2. Wazuh Installation (All-in-One Node)

Step 2.1 – Update the System

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y

# CentOS/RHEL
sudo yum update -y

Step 2.2 – Install Wazuh

curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
sudo bash wazuh-install.sh --all-in-one

This script automatically installs:

  • Wazuh Manager
  • Filebeat
  • Wazuh Dashboard (Kibana / OpenSearch)
  • Wazuh Indexer (OpenSearch / Elasticsearch)

Dashboard Access:
URL: https://<server-ip>
Credentials: Displayed after installation — note them securely.

🖥️ 3. Adding a Windows Agent

  1. Download the latest Wazuh Agent for Windows.
  2. Run the installer as Administrator and enter:
    • Manager IP address
    • Agent name (e.g., WIN10-LAB)
  3. Open services.msc → Ensure:
    • Wazuh Agent status: Running
    • Startup type: Automatic
  4. (Optional) On Wazuh Manager, register the agent manually:
    sudo /var/ossec/bin/manage_agents
    

🪟 4. Enable Windows Application Log Monitoring

Edit Wazuh configuration file:

sudo nano /var/ossec/etc/ossec.conf

Add this section:

<!-- place this inside the top-level <ossec_config> element -->
<localfile>
  <location>Application</location>
  <!-- eventchannel is the Windows event log reader; it forwards each event as JSON,
       which is what the json decoder used by the rule in section 5 expects -->
  <log_format>eventchannel</log_format>
  <!-- "no" also forwards events already present in the channel at startup;
       "yes" (the default) only forwards events written after the agent starts -->
  <only-future-events>no</only-future-events>
</localfile>

Restart the manager: sudo systemctl restart wazuh-manager
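The eventchannel reader runs inside the Wazuh agent on the Windows host, so the localfile block above only has an effect once it reaches the agent. A convenient way to deliver it from the manager to every Windows agent at once is the shared agent.conf file, which the manager pushes to enrolled agents of a group. Below is an added example of that file for the default group; it is not from the original post, and the commented-out XPath query is an addition here that you would enable only if you want the agent to forward MsiInstaller events alone instead of the whole Application channel.

```xml
<!-- /var/ossec/etc/shared/default/agent.conf on the manager (added example).
     The manager pushes this file to every agent in the "default" group;
     os="Windows" keeps Linux agents from applying a Windows-only block. -->
<agent_config os="Windows">
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <!-- "no" also reads events that were already in the channel when the
         agent started; "yes" would forward only new events -->
    <only-future-events>no</only-future-events>
    <!-- Optional (assumed here): restrict the channel to Windows Installer
         events on the agent side so only MsiInstaller events are shipped.
    <query>Event/System[Provider[@Name='MsiInstaller']]</query>
    -->
  </localfile>
</agent_config>
```

After saving, run /var/ossec/bin/verify-agent-conf on the manager to check the file for syntax errors before agents receive it. Each agent fetches the new shared configuration on its next keep-alive and restarts to apply it; the agent's page in the dashboard shows whether the shared configuration has been synchronized.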


🧠 5. Create Custom Rule for Application Installation

Edit the local rules file:

sudo nano /var/ossec/etc/rules/local_rules.xml

Insert the following rule:

<!-- group name and level are not stated on the page; chosen here.
     The level must be at least the manager's log_alert_level (3 by default)
     for the alert to be written to alerts.json and shown in the dashboard. -->
<group name="windows,local,">
  <rule id="110000" level="5">
    <!-- eventchannel events arrive as JSON; the json decoder exposes the
         provider as win.system.providerName -->
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">MsiInstaller</field>
    <description>TEST ALERT: Windows application installation detected</description>
    <options>no_full_log</options>
  </rule>
</group>

Restart Wazuh Manager to apply the rule: sudo systemctl restart wazuh-manager
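The base rule above fires on every MsiInstaller event, including transaction starts and failed installs, so the alert does not by itself say whether a product actually landed on the host. The following added example (not from the original post) shows child rules placed in the same local_rules.xml that use rule 110000 as their parent through if_sid and narrow on the Windows Installer event ID: 11707 is logged when an installation completes successfully and 11724 when a removal completes successfully. The rule ids 110001 and 110002, the levels and the group names are chosen here.

```xml
<!-- Child rules for the base rule 110000 defined above (added example).
     A child rule is evaluated only after its parent has matched, so these
     inherit the MsiInstaller provider check and add an event-ID filter. -->
<group name="windows,local,">

  <!-- Event 11707: "Installation completed successfully" -->
  <rule id="110001" level="7">
    <if_sid>110000</if_sid>
    <field name="win.system.eventID">^11707$</field>
    <!-- $(field) substitutes a decoded field into the alert description -->
    <description>Windows application installed: $(win.system.message)</description>
    <group>software_install,</group>
    <options>no_full_log</options>
  </rule>

  <!-- Event 11724: "Removal completed successfully" -->
  <rule id="110002" level="7">
    <if_sid>110000</if_sid>
    <field name="win.system.eventID">^11724$</field>
    <description>Windows application removed: $(win.system.message)</description>
    <group>software_removal,</group>
    <options>no_full_log</options>
  </rule>

</group>
```

Because the child rules carry a higher level than the parent, a successful install or removal is reported under rule 110001 or 110002 rather than the generic 110000, and the software_install and software_removal groups give you something to filter on in the dashboard. Before running a real installer you can paste a single JSON line from a previous MsiInstaller alert into /var/ossec/bin/wazuh-logtest on the manager to confirm which rule matches it.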


🧪 6. Testing the Custom Alert Rule

Step 6.1 – On Windows Agent

  1. Download a test MSI file (e.g., 7-Zip Installer).
  2. Run the installer normally.

Step 6.2 – Verify Alert on Manager

sudo tail -f /var/ossec/logs/alerts/alerts.json

Expected output:

"rule": {
  "id": "110000",
  "description": "TEST ALERT: Windows application installation detected"
}

Alternatively, open Wazuh Dashboard → Security Events to confirm the alert.


๐Ÿ” 7. Maintenance & Updates

sudo apt update && sudo apt upgrade wazuh-manager wazuh-agent wazuh-indexer wazuh-dashboard -y

Backup before upgrade:

sudo tar -czvf wazuh-backup.tar.gz /var/ossec/etc

© 2025 • Wazuh Setup & Custom Rule Guide — Sidhesh D. 🔥
