1) Install Wazuh agent prerequisites
# Refresh package metadata, then pull in the tools the next steps need
# (curl for the key download, gnupg to dearmor it, apt-transport-https for
# the https repository).
apt-get update \
  && apt-get install --yes curl gnupg apt-transport-https
2) Add Wazuh repository key
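# Fetch the vendor signing key and store it dearmored for apt's signed-by.
# -f makes curl fail on an HTTP error instead of feeding an error page into
# gpg; -S still reports that failure while -s hides progress; -L follows
# redirects. Note the exit status of the pipeline is tee's, so read the
# output rather than relying on $?.
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | tee /usr/share/keyrings/wazuh.gpg > /dev/null
# Print the stored key's fingerprint and compare it with the fingerprint the
# vendor publishes out-of-band before trusting packages signed by it.
gpg --show-keys --with-fingerprint /usr/share/keyrings/wazuh.gpg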
3) Add Wazuh repository
# Register the Wazuh 4.x apt repository, pinned to the key stored above, and
# refresh the package index so the agent package becomes installable.
wazuh_list=/etc/apt/sources.list.d/wazuh.list
printf '%s\n' "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee "$wazuh_list"
apt-get update
4) Install Wazuh agent
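# Install the agent pre-pointed at the manager. The address is taken from the
# environment when already set, so the same step works for a different
# manager without editing the runbook; 10.200.10.38 remains the default.
# If the manager enforces password-based enrollment, pass it via
# WAZUH_REGISTRATION_PASSWORD sourced from a file rather than typed inline,
# so it does not end up in shell history or process listings.
WAZUH_MANAGER="${WAZUH_MANAGER:-10.200.10.38}" apt-get install -y wazuh-agent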
5) Start and enable Wazuh agent
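# daemon-reload (not daemon-reexec) is what makes systemd pick up a freshly
# installed unit file; daemon-reexec restarts the manager itself and is not
# needed here. 'enable --now' enables at boot and starts in one step;
# --no-pager stops 'status' from blocking the runbook in a pager.
systemctl daemon-reload && systemctl enable --now wazuh-agent && systemctl status --no-pager wazuh-agent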
6) Install auditd
# Install the kernel audit daemon and its dispatcher plugins.
apt-get install --yes auditd audispd-plugins
7) Start and enable auditd
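# Enable auditd at boot and start it now in one step; --no-pager keeps the
# status output inline instead of opening a pager.
systemctl enable --now auditd && systemctl status --no-pager auditd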
8) Verify audit log exists
# auditd creates its log on first start; a missing file here means the
# daemon did not come up.
ls -l -- /var/log/audit/audit.log
9) Create audit rules file
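# Audit rule set that Wazuh reads back from /var/log/audit/audit.log.
# auditctl treats lines starting with '#' as comments. augenrules merges every
# /etc/audit/rules.d/*.rules file in sorted filename order, so this file is
# appended after any base file that sorts before it (typically the one that
# carries -D / -b / -f). No '-e 2' is set here; add it in a last-sorting file
# only if the rule set should be locked until reboot.
# NOTE(review): the arch=b32 lines need 32-bit syscall compat (x86_64); on
# architectures without it they are rejected at load time — drop them there.
cat > /etc/audit/rules.d/wazuh.rules <<'EOF'
# -- clock / time zone changes (a0=0x0 limits clock_settime to CLOCK_REALTIME)
-w /etc/localtime -p wa -k audit_time_rules
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
# -- account databases: -p wa records writes and attribute changes, not reads
-w /etc/group -p wa -k usergroup_mod
-w /etc/passwd -p wa -k usergroup_mod
-w /etc/gshadow -p wa -k usergroup_mod
-w /etc/shadow -p wa -k usergroup_mod
-w /etc/security/opasswd -p wa -k usergroup_mod
# -- account management tools, matched by executable path
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/useradd -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/userdel -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/usermod -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupadd -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupdel -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupmod -F key=user_mgmt
# -- host identity, banners and name resolution
-w /etc/issue.net -p wa -k netconfig
-w /etc/issue -p wa -k netconfig
-w /etc/hosts -p wa -k netconfig
-w /etc/netplan -p wa -k netconfig
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=netconfig
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=netconfig
# -- mandatory access control policy
-w /etc/apparmor -p wa -k MAC-policy
-w /etc/selinux -p wa -k MAC-policy
# -- login failure / last-login accounting
-w /var/log/tallylog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/faillog -p wa -k logins
# -- session accounting
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/run/utmp -p wa -k session
# -- kernel module tooling and the module syscalls themselves
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules
# -- sudo policy
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d -p wa -k sudoers
# -- denied file opens/truncates by logged-in users: auid>=1000 skips system
#    accounts, auid!=-1 skips processes with no login session (daemons)
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
# -- file deletion and renames by logged-in users
-a always,exit -F arch=b32 -S unlink,rename,rmdir,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
EOF
# 'cat >' creates the file with the default umask (world-readable). Match the
# packaged audit rules' permissions so unprivileged users cannot read which
# paths and syscalls are monitored.
chmod 0640 /etc/audit/rules.d/wazuh.rules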
10) Load audit rules
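# Merge rules.d and load the result into the kernel. A rejected rule line is
# reported by augenrules itself; the explicit check makes the failure hard to
# miss in a long runbook. If the audit config is already immutable (-e 2),
# new rules take effect only after a reboot.
augenrules --load || printf 'augenrules --load failed; fix the rejected rule line(s) above before continuing\n' >&2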
11) Verify audit rules are active
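# List the loaded rules, then show the subsystem status: 'enabled' should be
# non-zero and 'lost' should stay at 0 (a growing lost counter means the
# backlog is too small for this rule set).
auditctl -l
auditctl -s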
12) Back up Wazuh agent config
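# Timestamped backup of the agent config before hand-editing it; -a keeps
# owner/mode so the copy is no more readable than the original. The command
# substitution is quoted so the destination is always a single word.
cp -a -- /var/ossec/etc/ossec.conf "/var/ossec/etc/ossec.conf.bak.$(date +%F-%H%M%S)"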
13) Edit Wazuh config
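# Open the agent config in the operator's editor; vim stays the default when
# EDITOR is unset.
"${EDITOR:-vim}" /var/ossec/etc/ossec.conf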
Add this block inside an <ossec_config> section:
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
A sensible place is next to the existing <localfile> entries.
14) Verify the audit block is present
# Show the audit <localfile> block with three lines of context on each side;
# either pattern is enough to locate it.
grep -n -C3 -e '/var/log/audit/audit.log' -e '<log_format>audit</log_format>' /var/ossec/etc/ossec.conf
15) Restart Wazuh agent
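# Restart so the new <localfile> block is read; --no-pager keeps the status
# output inline instead of opening a pager.
systemctl restart wazuh-agent && systemctl status --no-pager wazuh-agent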
16) Confirm Wazuh is reading audit log
# Last twenty audit-related agent log lines; the expected "Analyzing file"
# line is shown in the step text below.
grep --ignore-case audit /var/ossec/logs/ossec.log | tail --lines=20
You should see a line like:
Analyzing file: '/var/log/audit/audit.log'
17) Optional validation
Generate an audit event:
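# Trigger a rule that is actually in the set. As root, 'cat /etc/shadow'
# matches nothing: the /etc/shadow watch is '-p wa' (write/attribute only)
# and the 'access' rules fire only on EACCES/EPERM for auid>=1000, so a
# successful read by root produces no event. Refreshing the timestamps of a
# netconfig-watched file is an attribute change the '-p wa' watch records,
# without altering the file's contents.
touch /etc/hosts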
Check audit log:
# Most recent raw audit records.
tail --lines=20 -- /var/log/audit/audit.log
Check Wazuh agent log again:
# Confirm the agent is still reading the audit log after the test event.
grep --ignore-case audit /var/ossec/logs/ossec.log | tail --lines=20
Minimal post-checks on every server
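# One call reports the state of both units (the && form stops at the first
# inactive one and never shows the second); exit status is non-zero if any
# unit is not active.
systemctl is-active wazuh-agent auditd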
# First ten loaded rules, enough to confirm the set is present.
auditctl -l | head -n 10
# Last five audit-related agent log lines.
grep --ignore-case audit /var/ossec/logs/ossec.log | tail --lines=5
# Refresh package metadata, then pull in the tools the next steps need
# (curl for the key download, gnupg to dearmor it, apt-transport-https for
# the https repository).
apt-get update \
  && apt-get install --yes curl gnupg apt-transport-https
2) Add Wazuh repository key
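# Fetch the vendor signing key and store it dearmored for apt's signed-by.
# -f makes curl fail on an HTTP error instead of feeding an error page into
# gpg; -S still reports that failure while -s hides progress; -L follows
# redirects. Note the exit status of the pipeline is tee's, so read the
# output rather than relying on $?.
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | tee /usr/share/keyrings/wazuh.gpg > /dev/null
# Print the stored key's fingerprint and compare it with the fingerprint the
# vendor publishes out-of-band before trusting packages signed by it.
gpg --show-keys --with-fingerprint /usr/share/keyrings/wazuh.gpg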
3) Add Wazuh repository
# Register the Wazuh 4.x apt repository, pinned to the key stored above, and
# refresh the package index so the agent package becomes installable.
wazuh_list=/etc/apt/sources.list.d/wazuh.list
printf '%s\n' "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee "$wazuh_list"
apt-get update
4) Install Wazuh agent
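# Install the agent pre-pointed at the manager. The address is taken from the
# environment when already set, so the same step works for a different
# manager without editing the runbook; 10.200.10.38 remains the default.
# If the manager enforces password-based enrollment, pass it via
# WAZUH_REGISTRATION_PASSWORD sourced from a file rather than typed inline,
# so it does not end up in shell history or process listings.
WAZUH_MANAGER="${WAZUH_MANAGER:-10.200.10.38}" apt-get install -y wazuh-agent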
5) Start and enable Wazuh agent
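# daemon-reload (not daemon-reexec) is what makes systemd pick up a freshly
# installed unit file; daemon-reexec restarts the manager itself and is not
# needed here. 'enable --now' enables at boot and starts in one step;
# --no-pager stops 'status' from blocking the runbook in a pager.
systemctl daemon-reload && systemctl enable --now wazuh-agent && systemctl status --no-pager wazuh-agent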
6) Install auditd
# Install the kernel audit daemon and its dispatcher plugins.
apt-get install --yes auditd audispd-plugins
7) Start and enable auditd
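# Enable auditd at boot and start it now in one step; --no-pager keeps the
# status output inline instead of opening a pager.
systemctl enable --now auditd && systemctl status --no-pager auditd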
8) Verify audit log exists
# auditd creates its log on first start; a missing file here means the
# daemon did not come up.
ls -l -- /var/log/audit/audit.log
9) Create audit rules file
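# Audit rule set that Wazuh reads back from /var/log/audit/audit.log.
# auditctl treats lines starting with '#' as comments. augenrules merges every
# /etc/audit/rules.d/*.rules file in sorted filename order, so this file is
# appended after any base file that sorts before it (typically the one that
# carries -D / -b / -f). No '-e 2' is set here; add it in a last-sorting file
# only if the rule set should be locked until reboot.
# NOTE(review): the arch=b32 lines need 32-bit syscall compat (x86_64); on
# architectures without it they are rejected at load time — drop them there.
cat > /etc/audit/rules.d/wazuh.rules <<'EOF'
# -- clock / time zone changes (a0=0x0 limits clock_settime to CLOCK_REALTIME)
-w /etc/localtime -p wa -k audit_time_rules
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
# -- account databases: -p wa records writes and attribute changes, not reads
-w /etc/group -p wa -k usergroup_mod
-w /etc/passwd -p wa -k usergroup_mod
-w /etc/gshadow -p wa -k usergroup_mod
-w /etc/shadow -p wa -k usergroup_mod
-w /etc/security/opasswd -p wa -k usergroup_mod
# -- account management tools, matched by executable path
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/useradd -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/userdel -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/usermod -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupadd -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupdel -F key=user_mgmt
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/groupmod -F key=user_mgmt
# -- host identity, banners and name resolution
-w /etc/issue.net -p wa -k netconfig
-w /etc/issue -p wa -k netconfig
-w /etc/hosts -p wa -k netconfig
-w /etc/netplan -p wa -k netconfig
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=netconfig
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=netconfig
# -- mandatory access control policy
-w /etc/apparmor -p wa -k MAC-policy
-w /etc/selinux -p wa -k MAC-policy
# -- login failure / last-login accounting
-w /var/log/tallylog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/faillog -p wa -k logins
# -- session accounting
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/run/utmp -p wa -k session
# -- kernel module tooling and the module syscalls themselves
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules
# -- sudo policy
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d -p wa -k sudoers
# -- denied file opens/truncates by logged-in users: auid>=1000 skips system
#    accounts, auid!=-1 skips processes with no login session (daemons)
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
# -- file deletion and renames by logged-in users
-a always,exit -F arch=b32 -S unlink,rename,rmdir,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
EOF
# 'cat >' creates the file with the default umask (world-readable). Match the
# packaged audit rules' permissions so unprivileged users cannot read which
# paths and syscalls are monitored.
chmod 0640 /etc/audit/rules.d/wazuh.rules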
10) Load audit rules
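# Merge rules.d and load the result into the kernel. A rejected rule line is
# reported by augenrules itself; the explicit check makes the failure hard to
# miss in a long runbook. If the audit config is already immutable (-e 2),
# new rules take effect only after a reboot.
augenrules --load || printf 'augenrules --load failed; fix the rejected rule line(s) above before continuing\n' >&2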
11) Verify audit rules are active
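# List the loaded rules, then show the subsystem status: 'enabled' should be
# non-zero and 'lost' should stay at 0 (a growing lost counter means the
# backlog is too small for this rule set).
auditctl -l
auditctl -s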
12) Back up Wazuh agent config
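# Timestamped backup of the agent config before hand-editing it; -a keeps
# owner/mode so the copy is no more readable than the original. The command
# substitution is quoted so the destination is always a single word.
cp -a -- /var/ossec/etc/ossec.conf "/var/ossec/etc/ossec.conf.bak.$(date +%F-%H%M%S)"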
13) Edit Wazuh config
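# Open the agent config in the operator's editor; vim stays the default when
# EDITOR is unset.
"${EDITOR:-vim}" /var/ossec/etc/ossec.conf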
Add this block inside an <ossec_config> section:
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
A sensible place is next to the existing <localfile> entries.
14) Verify the audit block is present
# Show the audit <localfile> block with three lines of context on each side;
# either pattern is enough to locate it.
grep -n -C3 -e '/var/log/audit/audit.log' -e '<log_format>audit</log_format>' /var/ossec/etc/ossec.conf
15) Restart Wazuh agent
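# Restart so the new <localfile> block is read; --no-pager keeps the status
# output inline instead of opening a pager.
systemctl restart wazuh-agent && systemctl status --no-pager wazuh-agent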
16) Confirm Wazuh is reading audit log
# Last twenty audit-related agent log lines; the expected "Analyzing file"
# line is shown in the step text below.
grep --ignore-case audit /var/ossec/logs/ossec.log | tail --lines=20
You should see a line like:
Analyzing file: '/var/log/audit/audit.log'
17) Optional validation
Generate an audit event:
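# Trigger a rule that is actually in the set. As root, 'cat /etc/shadow'
# matches nothing: the /etc/shadow watch is '-p wa' (write/attribute only)
# and the 'access' rules fire only on EACCES/EPERM for auid>=1000, so a
# successful read by root produces no event. Refreshing the timestamps of a
# netconfig-watched file is an attribute change the '-p wa' watch records,
# without altering the file's contents.
touch /etc/hosts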
Check audit log:
# Most recent raw audit records.
tail --lines=20 -- /var/log/audit/audit.log
Check Wazuh agent log again:
# Confirm the agent is still reading the audit log after the test event.
grep --ignore-case audit /var/ossec/logs/ossec.log | tail --lines=20
Minimal post-checks on every server
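# One call reports the state of both units (the && form stops at the first
# inactive one and never shows the second); exit status is non-zero if any
# unit is not active.
systemctl is-active wazuh-agent auditd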
# First ten loaded rules, enough to confirm the set is present.
auditctl -l | head -n 10
# Last five audit-related agent log lines.
grep --ignore-case audit /var/ossec/logs/ossec.log | tail --lines=5

