Update und Installation der Tools
# Refresh the package index, apply pending upgrades, then pull in the helpers
# the following steps need (curl for the installer, unzip/wget for downloads).
sudo apt update && sudo apt -y upgrade
sudo apt -y install curl apt-transport-https unzip wget
Download und Start der Installation
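# Fetch the Wazuh all-in-one installation assistant from the 4.7 channel.
# -f: fail on HTTP errors instead of silently saving an error page as the
#     script (the original -sO would then chmod/execute that page);
# -L: follow redirects; -O: keep the remote file name.
# Compare the downloaded script with the copy/checksum published on the
# vendor site before executing it (no checksum is recorded in this runbook).
curl -fsSLO https://packages.wazuh.com/4.7/wazuh-install.sh
chmod +x wazuh-install.sh
# -a: all-in-one deployment (indexer, manager and dashboard on this host);
# the assistant needs root.
sudo ./wazuh-install.sh -a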
Anpassung der Log-Einstellungen und Systemkonfiguration in /var/ossec/etc/ossec.conf, anschliessend Neustart des Wazuh Managers
<!-- /var/ossec/etc/ossec.conf (manager). logall / logall_json keep a copy of
     every received event (plain text and JSON) in the manager's archives.
     Useful while tuning decoders, but disk usage grows quickly; revisit once
     parsing is stable. -->
<global>
<logall>yes</logall>
<logall_json>yes</logall_json>
</global>
<!-- Plain syslog listener (UDP/514) for the FortiGate / ASA feeds.
     allowed-ips 0.0.0.0/0 accepts datagrams from any source address, and UDP
     syslog carries no authentication, so anything that can reach port 514 can
     inject events into the archives and rules. Narrow allowed-ips to the
     firewalls' sending addresses and filter the port upstream as well. -->
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>0.0.0.0/0</allowed-ips>
</remote>
<!-- Agent listener (TCP/1514). Must match <port>/<protocol> in the agents'
     <client><server> block. -->
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
</remote>
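# Apply the ossec.conf changes and confirm the service actually came back up;
# a restart after a config edit can fail silently from a runbook's point of
# view if only the restart command is issued.
sudo systemctl restart wazuh-manager
sudo systemctl is-active wazuh-manager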
Verbesserung des FortiGate- & ASA-Parsings: nano /var/ossec/etc/decoders/local_decoder.xml
<!-- /var/ossec/etc/decoders/local_decoder.xml. Both decoders are prematch-only:
     they mark an event as matched but extract no fields until <regex>/<order>
     children are added. NOTE(review): confirm they do not take precedence over
     the bundled FortiGate / Cisco ASA decoders (load order and prematch
     precedence) before relying on them. -->
<decoder name="fortigate-custom">
<prematch>date=</prematch>
</decoder>
<decoder name="cisco-asa-custom">
<prematch>%ASA-</prematch>
</decoder>
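# Reload the manager so the new decoders are picked up, and confirm it came
# back up (a malformed decoder file can keep the manager from starting).
sudo systemctl restart wazuh-manager
sudo systemctl is-active wazuh-manager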
Download des Wazuh Agents (Paketliste):
https://documentation.wazuh.com/current/installation-guide/packages-list.html
# Silent (/q) MSI install of the Windows agent; WAZUH_MANAGER is written into
# the agent's ossec.conf as the manager address (replace X.X.X.X). Run from an
# elevated prompt.
# NOTE(review): the manager above was installed from the 4.7 channel while this
# agent package is 4.14.3 — an agent must not be newer than its manager, so
# confirm the manager version (see the "Update Wazuh-Manager" step) before
# rolling this package out.
msiexec.exe /i wazuh-agent-4.14.3-1.msi /q WAZUH_MANAGER="X.X.X.X"
Auf dem Windows Server
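# The agent config lives under Program Files (x86): open it from an elevated
# prompt. The path contains spaces and parentheses, so it must be quoted —
# unquoted, PowerShell tries to evaluate "(x86)" and the editor never gets the
# full path.
notepad.exe "C:\Program Files (x86)\ossec-agent\ossec.conf"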
<!-- ossec-agent\ossec.conf (Windows agent): connection to the manager. -->
<client>
<server>
<!-- Replace X.X.X.X with the manager address. 1514/tcp matches the manager's
     "secure" <remote> listener configured above. -->
<address>X.X.X.X</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<!-- NOTE(review): presumably selects which manager-side centralized config
     blocks apply to this host — confirm the profile names against agent.conf. -->
<config-profile>windows, windows2019, windows-server, windows-server-2019</config-profile>
<!-- Encryption of the agent-manager channel. -->
<crypto_method>aes</crypto_method>
<!-- Keep-alive interval and reconnect delay, in seconds — TODO confirm the
     exact semantics against the agent documentation. -->
<notify_time>20</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
</client>
<!-- Ship the Windows Security event log via the eventchannel collector. -->
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
</localfile>
Download Sysmon: https://download.sysinternals.com/files/Sysmon.zip
Download Sysmon-Konfiguration: https://github.com/SwiftOnSecurity/sysmon-config
# Install Sysmon (extract Sysmon.zip first) with the SwiftOnSecurity baseline
# config from the repository above: -accepteula skips the licence prompt,
# -i installs the service/driver using the given configuration file. Run from
# an elevated prompt, and check the Authenticode signature of the extracted
# Sysmon64.exe before running it.
.\Sysmon64.exe -accepteula -i sysmonconfig-export.xml
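# Re-open the agent config (elevated prompt) to add the Sysmon channel. The
# path contains spaces and parentheses, so it must be quoted — unquoted,
# PowerShell tries to evaluate "(x86)" and the editor never gets the full path.
notepad.exe "C:\Program Files (x86)\ossec-agent\ossec.conf"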
<!-- Additional <localfile> in ossec-agent\ossec.conf: ship the Sysmon
     operational channel (requires the Sysmon install above; restart the agent
     service afterwards so the new channel is collected). -->
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
Update des Wazuh-Managers
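# Upgrade the already-installed manager. Chaining with && avoids installing
# from a stale index when the update fails; --only-upgrade keeps apt from doing
# a fresh install should the package be absent.
# NOTE(review): the installation assistant used above may leave the Wazuh apt
# repository disabled after install (check /etc/apt/sources.list.d/wazuh.list)
# — TODO confirm it is enabled, otherwise apt reports nothing to upgrade.
# Upgrade the manager before the agents: agents must not be newer than it.
sudo apt update && sudo apt install --only-upgrade wazuh-manager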
Agent neu registrieren
# Manual enrollment against the manager's enrollment service (X.X.X.X:1515).
# Run from the agent install directory in an elevated prompt, then restart the
# agent service so the new key is used.
# NOTE(review): as written the agent neither authenticates to the manager nor
# verifies it; agent-auth also supports -P <enrollment password> and
# -v <manager CA certificate> — use them if the manager's enrollment service is
# configured for password and/or certificate validation.
.\agent-auth.exe -m X.X.X.X -p 1515