Secure Your Self-Hosted Network with Wazuh

  • Published 3 Jan 2025

COMMENTS • 142

  • @Techdox 9 months ago +3

    Thanks for watching!
    Give Internet Merch giveaway - dyno.gg/giveaway/39c494bb
    Support a great cause! - giveinternet.org/techdox

  • @nixxblikka 9 months ago +31

    Great video, in particular you are showing the features first and then the installation, not the other way round where many then forget to show functionality… good job

    • @Being_Joe 8 months ago +2

      Yeah, I like to get an idea of where I am going before I go on a trip.

  • @unifiedarray 8 months ago +3

    Great tutorial!! How are updates though with the latest version? I heard there were issues in the past...

    • @Techdox 8 months ago +2

      I personally have had no issues

  • @George-mk7lp 9 months ago +11

    gonna give it a try over weekend for sure. thanks!

    • @Techdox 9 months ago +2

      Let me know how you get on! Keen to hear other opinions on it :)

  • @brighteduacation1297 8 months ago +3

    Can we get a tour of ur home lab setup and design?

    • @Techdox 8 months ago +1

      Sure, it's nothing fancy :)

  • @KenPryor 8 months ago +3

    Great video! I've been using Wazuh at home for a while now, but still have much to learn.

  • @jg1000c 4 months ago +1

    how do you setup wazuh to use traefik?

  • @chrisumali9841 9 months ago +5

    Thanks for the demo and info, this is Awesome. I will set it up, and be more secure. Have a great day Sir

    • @Techdox 9 months ago +3

      Awesome, glad you liked it!

  • @espressomatic 6 months ago +2

    Woah, it's a pretty heavy and demanding install. 8 vCPU along with 8GB RAM for the "quickstart" install. That's going to omit it from a lot of shared VM systems for a lot of people and benefit from bare metal install. Could be good for larger server environments, but doesn't seem like it's particularly applicable to homelab self-hosters, especially since most of the self-hosted services may not be exposed to the wan.

    • @Techdox 6 months ago +1

      Yeah, I said the same thing. I have it running with half of that and seems fine :)

  • @SanjayTyagi-rj9yr 6 months ago

    It is using ELK stack underneath (ElasticSearch, LogStash, Kibana).

    • @thedragonrises6882 4 months ago

      @SanjayTyagi-rj9yr Yup. It's actually OpenSearch software suite (which itself is a fork of the ELK software suite)

  • @simuman 9 months ago +4

    Hi Techdox, great video from a fellow NZder and just implemented. Any chance you can do one on Traefik, followed a few other UT tutorials but still can't get my head around it. I'm sure with the way you do your videos I'd be able to understand and it would be very helpful.

    • @Techdox 9 months ago +7

      Traefik seems to be pretty well requested. I’ll get a video sorted for ya!

    • @jirehla-ab1671 9 months ago +1

      @Techdox will Wazuh work well with tailscale?

  • @Fortjul 4 months ago

    This video was for me. I have some older machines I'm using to learn how to secure networks and monitor and this is one thing I'd like to learn in my lab which is just for home learning. Thanks

    • @Techdox 4 months ago

      You're welcome!

  • @reeeick 9 months ago +3

    Have you ever setup an open source vulnerability scanner like GVM/Openvas?

    • @Techdox 9 months ago

      No I haven’t, are they worth looking into?

    • @reeeick 9 months ago +4

      @Techdox They are great for performing continuous scans of your network environment and catching known vulnerabilities as soon as they are disclosed

    • @KifKroker 7 months ago

      Yeah, this! although I would prefer a client install over a network authenticated single point server. In gvm it's optional (smb/ssh creds for authenticated scan)

  • 9 months ago +6

    Thanks for the video, great tool!

  • @fossdom5568 9 months ago +5

    Great video, How do you make the dashboard available via Cloudflare tunnel

    • @Techdox 9 months ago +2

      If you wanted to, you do it the same way as any other server. This would be https and then the IP address of Wazuh and that should be the config you need. Join the Discord if you need more help.

  • @TylerHodges1988 7 months ago +1

    Here trying to figure out why Win 11 22h2 and Ubuntu 24.04 Vulns weren't showing up.
    I think you skipped a step here in that the agents conf files need to be edited to enable syscollector. - I'll be heading to your discord now. haha

  • @zippi777 9 months ago +5

    Hi, thanks for this useful guide! Signed up! Greetings from Italy!

  • @rangefreewords 8 months ago

    My 5.25 bay could use a bunch of li-ion batteries in it to provide power to the small NAS built in network.

  • @EmmyIyen 2 months ago

    is it possible to use wazuh to monitor a remote device right from my laptop?

  • @davidmorton8170 8 months ago +2

    I’m not fully convinced that all the CIS linux server controls are necessary. Sure, they are stronger suggestions, but they don’t represent vulnerabilities.

    • @Techdox 8 months ago +1

      100% unless you're a company aiming for certification compliance, a lot of these are overkill, but still good to implement some of them

    • @KifKroker 7 months ago

      Hey CIS is open go and discuss there ;) but yeah most use it as a pick and choice list.

    • @davidmorton8170 7 months ago

      @KifKroker The problem comes when you run into people who blindly run a security tool and assume every little reported item is serious. Especially in management.

  • @stocky9803 8 months ago +1

    I could never get Wazuh to work properly
    First instance I did up worked okay, I could add agents to it but I had to close that instance down pretty much straight away as it was all temporary data in it
    I've tried 3 times after that and every time I add an agent to it nothing happens. The little add agent window just refreshes and sits there

    • @Techdox 8 months ago

      Interesting, in this install it was done on a fresh installed VM so maybe you have conflicts? What distro are you using or how are you installing it?

  • @ptkambo 6 months ago

    Great video. I'm trying to learn how to self host.

  • @diegodevops4151 8 months ago +1

    Nice video. If you could make a video for each module that would be awesome.

    • @Techdox 8 months ago

      I would love to, but it's a bit too deep for my channel I think. Happy to answer questions you have though

  • @blackcastlemanagementgroup 5 months ago

    good video - i love Wazuh!

  • @m7mmadomar 9 months ago +2

    Thanks for the video, but how to install in other port 443
    ERROR: Port 443 is being used by another process. Please, check it before installing Wazuh.

    • @Techdox 9 months ago +4

      Hey. This is why I suggested to run it on its own dedicated server to avoid clashes with other services you are running :)

  • @GundamExia88 8 months ago

    Great video! Can this run in LXC instead of a VM?

    • @Techdox 8 months ago

      Hey, you can deploy it as a container if you wish as well :) documentation.wazuh.com/current/deployment-options/docker/index.html

  • @JPEaglesandKatz 7 months ago

    unfortunately not as straightforward on a clean ubuntu 22.04.04 LTS... several errors while following the exact ubuntu install.. Agent install tosses an error.. And even after getting that to install it doesn't show up in the dashboard. I think once it fails once it leaves behind different files/folders that prevent installation to be done correctly.... It also seemed to break the server.
    I do hope they update the UI/dashboard in the future because tbh, I find it rather ugly..

  • @robza 8 months ago

    Do you know how to inventory software with wazuh? Especially this with vulnerabilities. For example, search firefox 120 and show on which hosts it is installed? Thanks

    • @Techdox 8 months ago

      Only if the package has a vulnerability so under Vulnerabilities, where it asks you to select an agent, look next to Inventory and select events. Here you can filter on a package name

  • @nathanielsmith5566 3 months ago

    It would be cool if mobile agents for iPhone and Android can be developed. 👍

  • @viernester 9 months ago +1

    Do you know if Wazuh can actually run on the Proxmox server? Tried but kept running into issues sadly.

    • @Techdox 9 months ago +1

      Really good question, it just runs Debian so I don’t see why not, I’ll give it a try. What issues did you face?

    • @viernester 9 months ago

      @Techdox wazuh-agent service just failed to start, some of the issues I found possibly with some group membership missing. Didn't get too far after trying to mess with that, hope you have more success.

    • @Techdox 9 months ago +2

      @viernester I also tried and failed. Will look into it some more. Most likely missing dependencies

    • @NahImPro 8 months ago +1

      @viernester working fine for me on prox 8! Ensure you install on a full Ubuntu VM and not a container.

  • @imreallith129 2 months ago

    Please, the wazuh API keeps giving me issues. I'm running it in Ubuntu 24.0.4. How can I fix it please.

    • @Techdox 2 months ago

      @imreallith129 best place to start is to join their discord or mine and explain your issue. I get nothing from your comment :)

  • @-someone-. 9 months ago +1

    I’ve tried so many different ways to get this running on my raspberry pi 4b 8gb, but it doesn’t work.
    Followed about 3 different tutorials, but all fail.
    Hope you can address this, as I’d love to make use of wazuh and my spare pi!
    🙏

    • @Techdox 9 months ago +2

      That would be because Wazuh is not supported on ARM, which is what your Raspberry Pi uses - www.reddit.com/r/Wazuh/comments/16gwtt7/wazuhdashboard_on_rpi/

    • @-someone-. 9 months ago +1

      @Techdox thx, I guess the tutorials I followed were just clickbait for ads.
      Hopefully it gets support one day..👍

    • @Techdox 9 months ago +1

      @-someone-. yeah, especially for agents

    • @-someone-. 9 months ago

      @Techdox have you tried?
      doesn’t the “linux agents” cover pi’s.

    • @Techdox 9 months ago +1

      @-someone-. when I checked there was no ARM option which would be needed for the Pi’s

  • @BonBaisers 9 months ago +6

    Looks like it uses ElasticSearch / Kibana under the hood

    • @zgjbeta 9 months ago +1

      The font and layout gave it away for me as well.

    • @gerardocaceres7997 9 months ago +3

      It uses Opensearch for the Indexer and Dashboard.

    • @thertsr9999 8 months ago +1

      It does it's based on elastic

  • @jayalyadav 8 months ago

    Is there a way to install wazuh with portainer and caddy reverse proxy?
    I tried multiple times but failed

    • @futuregootecks 8 months ago

      Not sure about wazuh specifically but the way I do it with other containers is to place it on the same docker network as caddy and then add the docker container name to the caddyfile then reload.

  • @Cozza1313 9 months ago

    Discord invite is invalid.

    • @Techdox 9 months ago +1

      I just tested it, still works. - discord.com/invite/8mX2KRxDw8

  • @sagarsriva 7 months ago

    Why does this look like splunk UI?

    • @Techdox 7 months ago

      I think it’s just that enterprise UI feel haha

    • @sagarsriva 7 months ago

      @Techdox I like it anyway

  • @GerardoXxX1 8 months ago +1

    Great video

  • @karsh001 9 months ago +1

    Security conscious vid and the first thing he does is to grab a random url and running it....
    Always, check all scripts from the web before you run them.
    Else great vid, thanks!

    • @Techdox 9 months ago +2

      Not exactly a random link, in this case I have an active server running from this same script and verified it's legit. This is something I mention a lot on this channel, making sure you actually know what is going on. I mentioned in this video this script installs the 3 components of Wazuh and showcase you can actually install the components individually as well. Valid point still

    • @karsh001 9 months ago +2

      @Techdox Thanks for the reply, you made a great point. I got a couple of suggestions for follow ups:
      1. Like anyone installing automated tools you practically drown in warnings and errors. How do you deal with it in the best way?
      2. A simple walk-through of an install script, what it does and what to look out for. Maybe framed for the Linux community as a whole. I am of course referring to the debacle that led up to CVE-2024-3094.

  • @Iswimandrun 8 months ago +11

    My excuse is supply chain attacks could make Wazuh into a giant backdoor to all connected systems.

    • @Techdox 8 months ago +7

      100% fair - While no system can be entirely risk-free, using open-source solutions like Wazuh, where there is visibility into the codebase, can offer a level of reassurance. But, like anything you do your own research to see if you're comfortable with it

    • @bangonkali 8 months ago +2

      I have exactly the same issue. Even solar winds was susceptible to this. I think any organization large enough to become a target whether for profit or open-source or whatever are susceptible to nation backed attacks or even against another well funded and driven malicious entity.

    • @Iswimandrun 8 months ago

      @Techdox guess you got to do layers and some of your systems should be on Wiresharked listened into local networks to validate installs and that yea you still own the systems you got the Wazuh instances and no one else is getting remote access to said instance. Probably benchmark things every time you update to ensure the same or similar behavior. Idk there are probably more steps you can take to ensure your remote command and control system with Wazuh. The fact it is open source auditable and used not just by your company might have some points in more secure.

    • @kevincedeno8899 8 months ago +2

      Agreed. Supply chain attacks affect proprietary software as well, and there's less transparency.

    • @LinusBerglund 7 months ago

      My excuse is that I trust podman+SELinux.

  • @TheMcSebi 8 months ago

    Great idea trusting yet another company with full root access to my servers. They won't ever be hacked I'm sure.

    • @Techdox 8 months ago +2

      Absolutely, it's a valid point to be cautious about who has root access to your servers. But if you think about it, that's a concern with pretty much any third-party service or application we use, not just Wazuh. It really comes down to trust and verifying the security practices of any company you're considering. Plus, with open-source solutions like Wazuh, there's a community keeping an eye on things, which can sometimes offer an additional layer of scrutiny and security. It's all about finding the right balance that works for you!

  • @rhb.digital 9 months ago

    thnx for guide.. please tell me why we should just trust this company out of the box and installing clients/agents on our servers ? Does this company have any reputation in the world wide security map ?

    • @Techdox 9 months ago +4

      Great question. I’ll make sure to include this in videos from now on. For me, I followed their social pages, verified their company and customers. wazuh.com/our-customers/
      After six years of running, I’m sure if they were not legit they would have been called out by now. Gartner is also a good place to check out tooling www.gartner.com/reviews/market/security-information-event-management/vendor/wazuh/product/wazuh-the-open-source-security-platform

  • @air-drive 7 months ago

    I live on the Northern Beaches in Sydney, I am broke, can you send some Kiwi Love with some of that giveaways?, LOL!

    • @Techdox 7 months ago

      Isn’t northern beaches one of the richest areas in Sydney haha

    • @air-drive 7 months ago

      @Techdox I take it is a NO then, lol

    • @Techdox 7 months ago

      @air-drive Join the Discord channel if you haven't we do giveaways there :)

  • @bl7937 7 months ago

    How does the wazuh agent compare to an EDR solution.
    Do you need an EDR or Antivirus software installed alongside the wazuh agents?

  • @dbdevkc 7 months ago

    Good luck fixing that apparmor vulnerability in Ubuntu. I think that remains unresolved even in 22.04

    • @Techdox 6 months ago

      Wild right? I was wondering why that wasn’t going away

  • @plumduffer 9 months ago +1

    Banger video as usual

  • @udo80 9 months ago

    Talking about security and then running an install script downloaded from the web as root without even checking its content is a little bit off, right?

    • @Techdox 9 months ago +4

      Someone asked the same below this was my reply :)
      “Not exactly a random link, in this case I have an active server running from this same script and verified it's legit. This is something I mention a lot on this channel, making sure you actually know what is going on. I mentioned in this video this script installs the 3 components of Wazuh and showcase you can actually install the components individually as well. Valid point still”

  • @BesmirZanaj 8 months ago

    Try to upgrade it. It will fail miserably

    • @Techdox 8 months ago

      What steps are you using to upgrade?

  • @JeremiahDAlessio 8 months ago

    Ubiquiti 😁

  • @Rohambili 7 months ago

    Wazzzzzzzzzzzaaaaaaaaaaaap

    • @Techdox 7 months ago

      😝🤙🏻

  • @trollingdirty8910 8 months ago

    Doesn't scale well for enterprise especially in highly ephemeral environments.

    • @Techdox 8 months ago

      Keen to hear more about that use case and how it doesn’t work? :)

    • @trollingdirty8910 8 months ago

      @Techdox use case as enterprise that makes heavy use of spot instances that auto-register. Wazuh doesn’t scale in these cases very well. Imagine thousands of instances that instantiate and terminate a day. Primarily for data operations, etl.

    • @Techdox 8 months ago

      @trollingdirty8910 yeah, in this case they would be container based most likely and in that case the image itself would go through the testing for vulnerabilities etc

    • @trollingdirty8910 8 months ago

      @Techdox Negative. Fat EC2 instances heavy compute. The AMI is baked and already scanned, primary concern is FIM.

  • @spoils8179 9 months ago +14

    Apparently the dashboard doesn't have a good dark mode, but the docs do? No thank you.

    • @Techdox 9 months ago +8

      Haha, fair enough. Pretty sure you can get browser extensions to do that if it’s a big issue for you

    • @66maelstrom 9 months ago +48

      Wow. So no dark mode is the killer here? Like what??? I guess network security tools rely on things being dark, before things actually go dark?? What a crazy comment.....

    • @rudiklein 9 months ago +4

      Wearing a hoody much? 😂

    • @Nahga 9 months ago +4

      I will not discount software outright for no dark mode, but I really hate using a web app that is constantly flash banging me.

    • @gr0wnup5 9 months ago +1

      Clearly a bot