Topic: Wazuh working on LM22 with opnsense
someone, on: November 12, 2024, 01:46:43 am
I've gotten wazuh siem server working on Linux Mint 22 on a box and opnsense as an agent on another box
On the server which is LM22 I did an update and installed JDK via synaptic, which was 4 or 5 files
Then I used wazuh quickstart for ubuntu and followed the directions on their documentation page
Which was cut and paste one line, it's a curl command and runs a script
Takes a while maybe 30 minutes to download and install everything
Note: Put lan ip in browser and wazuh server page should come up, mine doesn't
I have to manually start wazuh-indexer and wait a couple minutes then open browser and it works
From command line I run sudo systemctl start wazuh-indexer
Then wazuh server page appears
Then open a terminal on the server and go to /var/ossec/bin
command line ./manage_agents this will create a new agent
Type A for add and enter hostname of opnsense router and its IP; then quit
then run command again and type L for List
Then type I to get a key for that agent, copy and save it, then exit
Next on the opnsense box I install wazuh agent from plugins
reboot and enable wazuh-agent, set manager hostname...IP of wazuh server on lan, which is lan address
authentication password is your hostname on opnsense which is opnsense.somethingdomain or whatever you changed it to
It is your hostname in the opnsense dashboard, and at the top right on the wazuh agent gui page
It is also what you set as name of the wazuh-agent on the wazuh server on the other box
Then ssh into opnsense and go to /var/ossec/bin
on command line enter ./manage_agents
your agent will show up and it will ask if you want to enter key, paste the key from the server here. exit, reboot
remember to open tcp ports 1515 and 1514 on both the server box and opnsense box
Reboot operating system or use systemctl to shutdown server first then power down
sudo systemctl stop wazuh-indexer
sudo systemctl stop wazuh-dashboard
sudo systemctl stop wazuh-server
Power up the indexer and open gui dashboard which is lan IP in the top browser window
Give it time to connect for the first time, mine I let it run overnight with the server and opnsense connected
But not the internet
It is ingesting the current logs from the first time it connected to opnsense
all alerts blocks, it's tracking all files on opnsense and server
checks for rootkits, does shasum on both systems
it does a lot
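
The key copied from the server in the steps above has to belong to this agent's name and address. As an added example (not part of the original post and not Wazuh's own code), this Python check decodes an exported key and compares it with the agent's hostname and IP before the key is pasted into manage_agents. It assumes the exported key is the base64 form of the agent's client.keys line (ID, name, IP, key); the sample hostname, address and secret are constructed.

```python
import base64
import binascii
import ipaddress


def parse_agent_key(exported: str) -> dict:
    """Decode an exported agent key into its fields without returning the secret."""
    try:
        line = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not valid base64 text; the paste was probably truncated") from exc
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields (ID NAME IP KEY), got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not agent_id.isdigit():
        raise ValueError("agent ID is not numeric")
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # raises ValueError on a bad address
    return {"id": agent_id, "name": name, "ip": ip, "secret_len": len(secret)}


def check_agent_key(exported: str, hostname: str, agent_ip: str) -> list:
    """Return a list of mismatches between the key and this agent; empty means OK."""
    info = parse_agent_key(exported)
    problems = []
    if info["name"] != hostname:
        problems.append(f"key is for {info['name']!r}, this host is {hostname!r}")
    if info["ip"] != "any":
        net = ipaddress.ip_network(info["ip"], strict=False)
        if ipaddress.ip_address(agent_ip) not in net:
            problems.append(f"key is bound to {info['ip']}, this host is {agent_ip}")
    return problems


# Constructed sample: hostname, address and secret are made up for the demo.
SAMPLE_LINE = "001 opnsense.example.lan 192.168.1.1 " + "ab" * 32
SAMPLE_KEY = base64.b64encode(SAMPLE_LINE.encode()).decode()

if __name__ == "__main__":
    print(check_agent_key(SAMPLE_KEY, "opnsense.example.lan", "192.168.1.1"))
    print(check_agent_key(SAMPLE_KEY, "opnsense.localdomain", "192.168.1.1"))
    print(check_agent_key(SAMPLE_KEY, "opnsense.example.lan", "192.168.1.254"))
```

The functions report only the length of the secret, so the key itself never lands in a terminal scrollback or log.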