InfInIty Posted April 9, 2022 Share Posted April 9, 2022 I am setting up a vm on my unraid server as a Wazuh stand alone server. Is there anyway to install a wazuh agent directly onto unraid? Quote Link to comment
InfInIty Posted May 20, 2022 Author Share Posted May 20, 2022 Anyone have any thoughts on this. With many unraid users hosting public servers with unraid. I think it would be a very good idea to get something like this up and running to help keep your system secure. Quote Link to comment
autumnwalker Posted March 28, 2023 Share Posted March 28, 2023 I've been looking at this also - Wazuh doesn't have a Slackware Agent package available. Quote Link to comment
L0rdRaiden Posted June 9, 2023 Share Posted June 9, 2023 did you found any solution to monitor the security of unraid? Quote Link to comment
Kees Fluitman Posted July 20, 2023 Share Posted July 20, 2023 Im hoping to see a solution as well. I'd like to monitor connections going to my unraid mostly. VMs i can check, but my unraid can not be monitored at the moment. Quote Link to comment
S3v3nD34dly51ns Posted July 21, 2023 Share Posted July 21, 2023 (edited) I know this is an old post, but was looking through google and saw this, perhaps an installation using docker compose? this is what I have found thus far. Courtesy of Github Docker Compose Wazuh # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2) version: '3.7' services: wazuh.master: image: wazuh/wazuh-manager:4.8.0 hostname: wazuh.master restart: always ports: - "1515:1515" - "514:514/udp" - "55000:55000" environment: - INDEXER_URL=https://wazuh1.indexer:9200 - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - FILEBEAT_SSL_VERIFICATION_MODE=full - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem - SSL_CERTIFICATE=/etc/ssl/filebeat.pem - SSL_KEY=/etc/ssl/filebeat.key - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- volumes: - master-wazuh-api-configuration:/var/ossec/api/configuration - master-wazuh-etc:/var/ossec/etc - master-wazuh-logs:/var/ossec/logs - master-wazuh-queue:/var/ossec/queue - master-wazuh-var-multigroups:/var/ossec/var/multigroups - master-wazuh-integrations:/var/ossec/integrations - master-wazuh-active-response:/var/ossec/active-response/bin - master-wazuh-agentless:/var/ossec/agentless - master-wazuh-wodles:/var/ossec/wodles - master-filebeat-etc:/etc/filebeat - master-filebeat-var:/var/lib/filebeat - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf wazuh.worker: image: wazuh/wazuh-manager:4.8.0 hostname: wazuh.worker restart: always environment: - INDEXER_URL=https://wazuh1.indexer:9200 - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - FILEBEAT_SSL_VERIFICATION_MODE=full - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem - SSL_CERTIFICATE=/etc/ssl/filebeat.pem - SSL_KEY=/etc/ssl/filebeat.key volumes: - worker-wazuh-api-configuration:/var/ossec/api/configuration - worker-wazuh-etc:/var/ossec/etc - worker-wazuh-logs:/var/ossec/logs - worker-wazuh-queue:/var/ossec/queue - worker-wazuh-var-multigroups:/var/ossec/var/multigroups - worker-wazuh-integrations:/var/ossec/integrations - worker-wazuh-active-response:/var/ossec/active-response/bin - worker-wazuh-agentless:/var/ossec/agentless - worker-wazuh-wodles:/var/ossec/wodles - worker-filebeat-etc:/etc/filebeat - worker-filebeat-var:/var/lib/filebeat - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf wazuh1.indexer: image: wazuh/wazuh-indexer:4.8.0 hostname: wazuh1.indexer restart: always ports: - "9200:9200" environment: - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536 volumes: - wazuh-indexer-data-1:/var/lib/wazuh-indexer - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml wazuh2.indexer: image: wazuh/wazuh-indexer:4.8.0 hostname: wazuh2.indexer restart: always environment: - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536 volumes: - wazuh-indexer-data-2:/var/lib/wazuh-indexer - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml wazuh3.indexer: image: wazuh/wazuh-indexer:4.8.0 hostname: wazuh3.indexer restart: always environment: - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536 volumes: - wazuh-indexer-data-3:/var/lib/wazuh-indexer - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml wazuh.dashboard: image: wazuh/wazuh-dashboard:4.8.0 hostname: wazuh.dashboard restart: always ports: - 443:5601 environment: - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200" - WAZUH_API_URL="https://wazuh.master" - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- - DASHBOARD_USERNAME=kibanaserver - DASHBOARD_PASSWORD=kibanaserver volumes: - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml depends_on: - wazuh1.indexer links: - wazuh1.indexer:wazuh1.indexer - wazuh.master:wazuh.master nginx: image: nginx:stable hostname: nginx restart: always ports: - "1514:1514" depends_on: - wazuh.master - wazuh.worker - wazuh.dashboard links: - wazuh.master:wazuh.master - wazuh.worker:wazuh.worker - wazuh.dashboard:wazuh.dashboard volumes: - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro volumes: master-wazuh-api-configuration: master-wazuh-etc: master-wazuh-logs: master-wazuh-queue: master-wazuh-var-multigroups: master-wazuh-integrations: master-wazuh-active-response: master-wazuh-agentless: master-wazuh-wodles: master-filebeat-etc: master-filebeat-var: worker-wazuh-api-configuration: worker-wazuh-etc: worker-wazuh-logs: worker-wazuh-queue: worker-wazuh-var-multigroups: worker-wazuh-integrations: worker-wazuh-active-response: worker-wazuh-agentless: worker-wazuh-wodles: worker-filebeat-etc: worker-filebeat-var: wazuh-indexer-data-1: wazuh-indexer-data-2: wazuh-indexer-data-3: Edited July 21, 2023 by S3v3nD34dly51ns Quote Link to comment
thompw Posted July 22, 2023 Share Posted July 22, 2023 hello i have just seen a youtube video about wazuh on networkchuck,s channel hope this helps Quote Link to comment
Ademar Posted December 3, 2023 Share Posted December 3, 2023 @InfInIty I've tried Sandfly, and that is able to scan Unraid over SSH. Some of the checks it's trying to do can't be completed, possibly due to Docker being used. But it does pass a lot of checks, and fail some. I also see there is an agentless mode to Wazuh, I haven't tried that yet. 1 Quote Link to comment
L0rdRaiden Posted December 11, 2023 Share Posted December 11, 2023 (edited) On 12/3/2023 at 10:26 PM, Ademar said: @InfInIty I've tried Sandfly, and that is able to scan Unraid over SSH. Some of the checks it's trying to do can't be completed, possibly due to Docker being used. But it does pass a lot of checks, and fail some. I also see there is an agentless mode to Wazuh, I haven't tried that yet. Where you have installed sandfly? in a VM? have you encountered any issue during installation or it works fine just by following the documentation? Wazuh agent over docker is not officially supported, although there are some unofficial images on github. I have been told in private that soon there will be official support for auditd in Unraid, I think this will be the best option to monitor the security, anyway I plan to try sandfly. Edited December 11, 2023 by L0rdRaiden Quote Link to comment
Ademar Posted December 11, 2023 Share Posted December 11, 2023 (edited) 12 hours ago, L0rdRaiden said: Where you have installed sandfly? in a VM? have you encountered any issue during installation or it works fine just by following the documentation? Wazuh agent over docker is not officially supported, although there are some unofficial images on github. To make it easy for myself, I set up a dedicated Debian VM where I follow the official "Docker install" procedure. https://support.sandflysecurity.com/support/solutions/articles/72000078453-docker-image-install https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html Wazuh AGENT as a docker container sounds like a terrible idea. Edited December 11, 2023 by Ademar Quote Link to comment
Rearchil Posted December 11, 2023 Share Posted December 11, 2023 did you found any solution?? It does not work for me... Quote Link to comment
L0rdRaiden Posted December 11, 2023 Share Posted December 11, 2023 8 minutes ago, Ademar said: To make it easy for myself, I set up a dedicated Debian VM where I follow the official "Docker install" procedure. https://support.sandflysecurity.com/support/solutions/articles/72000078453-docker-image-install https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html Wazuh AGENT as a docker container sounds like a terrible idea. But I understand that wazuh is useless if you can't install wazuh agent directly on unRAID OS, right? I will try with sandy first and the once auditd is ready I will integrate the logs in security onion Quote Link to comment
Ademar Posted December 11, 2023 Share Posted December 11, 2023 46 minutes ago, L0rdRaiden said: But I understand that wazuh is useless if you can't install wazuh agent directly on unRAID OS, right? I will try with sandy first and the once auditd is ready I will integrate the logs in security onion If you want to monitor a system with Wazuh, you either need to install the agent, or use the agentless monitoring capability. I really don't anything about that capability. Quote Link to comment
Geck0 Posted May 6 Share Posted May 6 I'm also interested in this. It has a lot of options, Opnsense also supports it. It would encompass a lot for monitoring and its file change detection may be a viable alternative to Unraid's filechange plugin, which I've just started using again. My wife recently got scammed for a lot of money, something I would have been able to pick up on, if there had been a Wazuh agent installed on her laptop. Quote Link to comment
Anna Tuen Posted Tuesday at 04:42 PM Share Posted Tuesday at 04:42 PM I have only just got an UnRAID device but have been leveraging wazuh for... err... about a decade for large international companies so.... My UnRAID device (a LincStation N1) basically trashes the root system every boot and reconstructs from flash. Cool for protecting the system as any changes get overwritten at boot, but a right PITA for persistant programmes, like wazuh agent. The option I am working on is... a) Build a slackware package from the wazuh agent source files (see alternative installs on their site), on a temp slackware server (VM of course) b) Build a plugin script to re-install the agent every boot. The problem is that "technically", all the historical tracking - like directory integrity - will be useless as its overwritten on boot - we're talking system area here, remember.... but practically, as its overwritten anyway... no biggie... one could cache the logs files but 'meh'. My issue will be maintaining a config file after reboots, but as I said, this is my first UnRAID box and its only been 24 hours. The idea of a wazuh manager is a non-starter coz without kibana and elastic, wazuh manager is a pain. If I got wazuh onto a synology box, I'm prtty confident I can get this thing to work. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.