Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
Security Onion utilizes Wazuh as a Host Intrusion Detection System (HIDS) on each of the Security Onion nodes.
The Wazuh components include:
manager - runs inside of
so-wazuh Docker container and performs overall management of agents
API - runs inside of
so-wazuh Docker container and allows for remote management of agents, querying, etc.
agent - runs directly on each host and monitors logs/activity and reports to
The Wazuh API runs at TCP port
55000 locally, and currently uses the default credentials of
password:bar for authentication. Keep in mind, the API port is not exposed externally by default. Therefore, firewall rules need to be in place to reach the API from another location other than the Security Onion node on which the targeted Wazuh manager is running.
Since the manager runs inside a Docker container, many of the Wazuh binaries that you might want to run will need to be run inside the Docker container. For example, to run
The main configuration file for Wazuh is
If you want to send Wazuh logs to an external syslog collector, please see the Syslog Output section.
Sometimes, Wazuh may recognize legitimate activity as potentially malicious and engage in Active Response to block a connection. This may result in unintended consequences such as blocking of trusted IPs. To prevent this from occurring, you can add your IP address to a safe list and change other settings in
/opt/so/conf/wazuh/ossec.conf in the
<!-- Active response --> section. so-allow does this for you automatically when you allow analyst connections.
You can add new rules in
/opt/so/rules/hids/local_rules.xml. You can also modify existing rules by copying the rule to
/opt/so/rules/hids/local_rules.xml, making your changes, and adding
overwrite="yes" as shown at https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule. To suppress a Wazuh alert, you can add the rule and include
noalert="1" in the
The overall process would be as follows:
- First, find the existing rule in
- Copy the rule to
- Put the rule inside
<group> </group>tags and give it a name.
- Update the
<rule>section to include
- Finally, restart Wazuh with
Here is an example to suppress “Windows Logon Success” and “Windows User Logoff” alerts:
<group name="customrules,"> <rule id="60106" level="3" noalert="1" overwrite="yes"> <if_sid>60103</if_sid> <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field> <description>Windows Logon Success</description> <options>no_full_log</options> <mitre> <id>T1078</id> </mitre> <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group> </rule> <rule id="60137" level="3" noalert="1" overwrite="yes"> <if_sid>60103</if_sid> <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field> <description>Windows User Logoff</description> <options>no_full_log</options> <group>pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group> </rule> </group>
This will not remove existing alerts that were generated before applying the new rule. Also note that this only suppresses the alert and not the underlying log.
It is important to ensure that you download the agent that matches the version of your Wazuh server. For example, if your Wazuh server is version 3.13.1, then you will want to deploy Wazuh agent version 3.13.1.
You can verify the version of your current Wazuh server using the following command:
sudo docker exec -it so-wazuh dpkg -l |grep wazuh
Please keep in mind that when you run
manage_agents you will need to do so inside the
so-wazuh container like this:
You also may need to run so-allow to allow traffic from the IP address of your Wazuh agent(s).
Maximum Number of Agents¶
Security Onion is configured to support a maximum number of
14000 Wazuh agents reporting to a single Wazuh manager.
If you would like to automate the deployment of Wazuh agents, the Wazuh server includes
ossec-authd. You can read more about
ossec-authd at https://documentation.wazuh.com/3.13/user-manual/reference/daemons/ossec-authd.html.
ossec-authd, be sure to add a firewall exception for agents to access port
1515/tcp on the Wazuh manager node by running so-allow and choosing the