InfInIty Posted April 9, 2022
I am setting up a VM on my Unraid server as a Wazuh stand-alone server. Is there any way to install a Wazuh agent directly onto Unraid?
InfInIty Posted May 20, 2022 (Author)
Anyone have any thoughts on this? With many Unraid users hosting public servers with Unraid, I think it would be a very good idea to get something like this up and running to help keep your system secure.
autumnwalker Posted March 28, 2023
I've been looking at this also. Wazuh doesn't have a Slackware agent package available.
L0rdRaiden Posted June 9, 2023
Did you find any solution to monitor the security of Unraid?
Kees Fluitman Posted July 20, 2023
I'm hoping to see a solution as well. I'd like to monitor connections going to my Unraid mostly. VMs I can check, but my Unraid cannot be monitored at the moment.
S3v3nD34dly51ns Posted July 21, 2023 (edited)
I know this is an old post, but I was looking through Google and saw this. Perhaps an installation using Docker Compose? This is what I have found thus far, courtesy of the Wazuh Docker Compose repository on GitHub (this is the multi-node manager cluster; agents enrol on 1515/tcp and send events to 1514/tcp, which the nginx service below load-balances across master and worker):

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  wazuh.master:
    image: wazuh/wazuh-manager:4.8.0
    hostname: wazuh.master
    restart: always
    ports:
      - "1515:1515"        # agent enrolment
      - "514:514/udp"      # remote syslog intake
      - "55000:55000"      # Wazuh API
    environment:
      - INDEXER_URL=https://wazuh1.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword          # upstream default, change before use
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-            # upstream default, change before use
    volumes:
      - master-wazuh-api-configuration:/var/ossec/api/configuration
      - master-wazuh-etc:/var/ossec/etc
      - master-wazuh-logs:/var/ossec/logs
      - master-wazuh-queue:/var/ossec/queue
      - master-wazuh-var-multigroups:/var/ossec/var/multigroups
      - master-wazuh-integrations:/var/ossec/integrations
      - master-wazuh-active-response:/var/ossec/active-response/bin
      - master-wazuh-agentless:/var/ossec/agentless
      - master-wazuh-wodles:/var/ossec/wodles
      - master-filebeat-etc:/etc/filebeat
      - master-filebeat-var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh.worker:
    image: wazuh/wazuh-manager:4.8.0
    hostname: wazuh.worker
    restart: always
    environment:
      - INDEXER_URL=https://wazuh1.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
    volumes:
      - worker-wazuh-api-configuration:/var/ossec/api/configuration
      - worker-wazuh-etc:/var/ossec/etc
      - worker-wazuh-logs:/var/ossec/logs
      - worker-wazuh-queue:/var/ossec/queue
      - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
      - worker-wazuh-integrations:/var/ossec/integrations
      - worker-wazuh-active-response:/var/ossec/active-response/bin
      - worker-wazuh-agentless:/var/ossec/agentless
      - worker-wazuh-wodles:/var/ossec/wodles
      - worker-filebeat-etc:/etc/filebeat
      - worker-filebeat-var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh1.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    hostname: wazuh1.indexer
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-1:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh2.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    hostname: wazuh2.indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-2:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh3.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    hostname: wazuh3.indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-3:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.0
    hostname: wazuh.dashboard
    restart: always
    ports:
      - 443:5601
    environment:
      - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
      - WAZUH_API_URL="https://wazuh.master"
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver         # upstream default, change before use
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
    depends_on:
      - wazuh1.indexer
    links:
      - wazuh1.indexer:wazuh1.indexer
      - wazuh.master:wazuh.master

  nginx:
    image: nginx:stable
    hostname: nginx
    restart: always
    ports:
      - "1514:1514"        # agent event traffic, balanced to master/worker by nginx.conf
    depends_on:
      - wazuh.master
      - wazuh.worker
      - wazuh.dashboard
    links:
      - wazuh.master:wazuh.master
      - wazuh.worker:wazuh.worker
      - wazuh.dashboard:wazuh.dashboard
    volumes:
      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro

volumes:
  master-wazuh-api-configuration:
  master-wazuh-etc:
  master-wazuh-logs:
  master-wazuh-queue:
  master-wazuh-var-multigroups:
  master-wazuh-integrations:
  master-wazuh-active-response:
  master-wazuh-agentless:
  master-wazuh-wodles:
  master-filebeat-etc:
  master-filebeat-var:
  worker-wazuh-api-configuration:
  worker-wazuh-etc:
  worker-wazuh-logs:
  worker-wazuh-queue:
  worker-wazuh-var-multigroups:
  worker-wazuh-integrations:
  worker-wazuh-active-response:
  worker-wazuh-agentless:
  worker-wazuh-wodles:
  worker-filebeat-etc:
  worker-filebeat-var:
  wazuh-indexer-data-1:
  wazuh-indexer-data-2:
  wazuh-indexer-data-3:
thompw Posted July 22, 2023
Hello, I have just seen a YouTube video about Wazuh on NetworkChuck's channel. Hope this helps.
Ademar Posted December 3, 2023
@InfInIty I've tried Sandfly, and that is able to scan Unraid over SSH. Some of the checks it's trying to do can't be completed, possibly due to Docker being used. But it does pass a lot of checks, and fail some. I also see there is an agentless mode to Wazuh; I haven't tried that yet.
L0rdRaiden Posted December 11, 2023 (edited)
On 12/3/2023 at 10:26 PM, Ademar said:
@InfInIty I've tried Sandfly, and that is able to scan Unraid over SSH. Some of the checks it's trying to do can't be completed, possibly due to Docker being used. But it does pass a lot of checks, and fail some. I also see there is an agentless mode to Wazuh; I haven't tried that yet.

Where have you installed Sandfly? In a VM? Have you encountered any issues during installation, or does it work fine just by following the documentation?
Wazuh agent over Docker is not officially supported, although there are some unofficial images on GitHub. I have been told in private that soon there will be official support for auditd in Unraid; I think this will be the best option to monitor the security. Anyway, I plan to try Sandfly.
Ademar Posted December 11, 2023 (edited)
12 hours ago, L0rdRaiden said:
Where have you installed Sandfly? In a VM? Have you encountered any issues during installation, or does it work fine just by following the documentation? Wazuh agent over Docker is not officially supported, although there are some unofficial images on GitHub.

To make it easy for myself, I set up a dedicated Debian VM where I follow the official "Docker install" procedure.
https://support.sandflysecurity.com/support/solutions/articles/72000078453-docker-image-install
https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html
Wazuh AGENT as a Docker container sounds like a terrible idea.
Rearchil Posted December 11, 2023
Did you find any solution? It does not work for me...
L0rdRaiden Posted December 11, 2023
8 minutes ago, Ademar said:
To make it easy for myself, I set up a dedicated Debian VM where I follow the official "Docker install" procedure.
https://support.sandflysecurity.com/support/solutions/articles/72000078453-docker-image-install
https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html
Wazuh AGENT as a Docker container sounds like a terrible idea.

But I understand that Wazuh is useless if you can't install the Wazuh agent directly on Unraid OS, right? I will try with Sandfly first, and then once auditd is ready I will integrate the logs into Security Onion.
Ademar Posted December 11, 2023
46 minutes ago, L0rdRaiden said:
But I understand that Wazuh is useless if you can't install the Wazuh agent directly on Unraid OS, right? I will try with Sandfly first, and then once auditd is ready I will integrate the logs into Security Onion.

If you want to monitor a system with Wazuh, you either need to install the agent, or use the agentless monitoring capability. I really don't know anything about that capability.
Geck0 Posted May 6
I'm also interested in this. It has a lot of options; OPNsense also supports it. It would encompass a lot for monitoring, and its file change detection may be a viable alternative to Unraid's file change plugin, which I've just started using again. My wife recently got scammed for a lot of money, something I would have been able to pick up on if there had been a Wazuh agent installed on her laptop.
Anna Tuen Posted May 21
I have only just got an Unraid device but have been leveraging Wazuh for... err... about a decade for large international companies, so....
My Unraid device (a LincStation N1) basically trashes the root system every boot and reconstructs from flash. Cool for protecting the system, as any changes get overwritten at boot, but a right PITA for persistent programmes, like the Wazuh agent.
The option I am working on is...
a) Build a Slackware package from the Wazuh agent source files (see alternative installs on their site), on a temp Slackware server (VM of course)
b) Build a plugin script to re-install the agent every boot.
The problem is that "technically" all the historical tracking, like directory integrity, will be useless as it's overwritten on boot (we're talking system area here, remember...), but practically, as it's overwritten anyway... no biggie... one could cache the log files but 'meh'.
My issue will be maintaining a config file after reboots, but as I said, this is my first Unraid box and it's only been 24 hours.
The idea of a Wazuh manager is a non-starter coz without Kibana and Elastic, Wazuh manager is a pain. If I got Wazuh onto a Synology box, I'm pretty confident I can get this thing to work.
JonathanM Posted May 23
On 5/21/2024 at 12:42 PM, Anna Tuen said:
My Unraid device (a LincStation N1) basically trashes the root system every boot and reconstructs from flash.

That's because Unraid runs from RAM; the flash drive is there to store some persistent configuration changes, the license, and the OS archives that are extracted into RAM every boot. The flash is FAT32, so no permissions, so no good for running executables from there; it's mounted at /boot. You can copy to another location and change permissions, then run the executable with a script. With those limitations in mind, sounds like you have a valid plan. The biggest issue for things running at startup is timing: array and pool locations are only available after the array is started.
Anna Tuen Posted May 27 (edited)
Well, took me about an hour to work this one out; it was a lot easier than expected.
1. Added a wazuh user in the GUI.
2. Created a VM image of Slackware 15 and installed the standard developer tools.
3. Downloaded the Wazuh agent source files: https://documentation.wazuh.com/current/deployment-options/wazuh-from-sources/wazuh-agent/index.html
4. Ran the build etc. Installed on the sample Slackware instance.
5. Tweaked the ossec.conf for my environment and stuck the client key into the client.keys file.
6. Zipped up and copied to the N1.
7. Created an ossec directory on the share (saves all that re-installing from scratch every boot). Extracted the files from the zip file.
8. Set client.keys to the new key for the N1.
9. Downloaded the user.scripts plugin. Created a new script to start up wazuh-agent, to run after the array is up, which you can do with user.scripts (way cool!):
   /usr/sbin/groupadd -g 999 wazuh    (coz that's what the build sets the group permission to, but it may change for you)
   /usr/sbin/usermod -f -a wazuh wazuh
   /mnt/user/tools/ossec/bin/wazuh-control start
This worked for me and I didn't have to worry about loss of queue files etc. Hope that helps others.
mjeshurun Posted June 15
On 5/7/2024 at 2:22 AM, Geck0 said:
I'm also interested in this. It has a lot of options; OPNsense also supports it. It would encompass a lot for monitoring, and its file change detection may be a viable alternative to Unraid's file change plugin, which I've just started using again. My wife recently got scammed for a lot of money, something I would have been able to pick up on if there had been a Wazuh agent installed on her laptop.

Hi @Geck0, can you please elaborate on the file change plugin you mentioned? 🙏 I didn't find this plugin in Unraid's Community Apps store.
Geck0 Posted July 6
Hi, I was referring to the Dynamix File Integrity plugin. If you look at the logs, it will tell you which files have been altered.
meunraid Posted July 11
On 5/27/2024 at 4:23 PM, Anna Tuen said:
Well, took me about an hour to work this one out; it was a lot easier than expected.
1. Added a wazuh user in the GUI.
2. Created a VM image of Slackware 15 and installed the standard developer tools.
3. Downloaded the Wazuh agent source files: https://documentation.wazuh.com/current/deployment-options/wazuh-from-sources/wazuh-agent/index.html
4. Ran the build etc. Installed on the sample Slackware instance.
5. Tweaked the ossec.conf for my environment and stuck the client key into the client.keys file.
6. Zipped up and copied to the N1.
7. Created an ossec directory on the share (saves all that re-installing from scratch every boot). Extracted the files from the zip file.
8. Set client.keys to the new key for the N1.
9. Downloaded the user.scripts plugin. Created a new script to start up wazuh-agent, to run after the array is up, which you can do with user.scripts (way cool!):
   /usr/sbin/groupadd -g 999 wazuh    (coz that's what the build sets the group permission to, but it may change for you)
   /usr/sbin/usermod -f -a wazuh wazuh
   /mnt/user/tools/ossec/bin/wazuh-control start
This worked for me and I didn't have to worry about loss of queue files etc. Hope that helps others.

Thanks Anna! Just some useful notes for those of you going to do this.
Guide to install Slackware 15 in a VM (it's sketchy lol): https://linuxiac.com/install-slackware-linux/
On the VM:
   curl -Ls https://github.com/wazuh/wazuh/archive/v4.8.0.tar.gz | tar zx
   cd wazuh-4.8.0
   ./install.sh
tar will preserve ownership/permissions; zip will not, so use tar. Delete client.keys; it will create a new one. Works like a charm.
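Putting Anna Tuen's and meunraid's steps together, the part that has to survive every reboot is the user.scripts startup script. The one below is an added example, not the script either of them posted: it assumes the agent tree built on the Slackware VM was untarred (as root, so ownership is preserved) to /mnt/user/tools/ossec, that the build used gid 999 for the wazuh group, and that WAZUH_MANAGER is set to the manager's real address (the default here is empty, so the address check is skipped unless you set it). It recreates the account idempotently, refuses to start on a client.keys that is missing, truncated or not a 64-character hex key (the symptom of a bad key is otherwise a silent handshake failure in ossec.log), confirms ossec.conf still points at your manager rather than the VM's, and does nothing until the share is actually mounted, which is why it belongs in the "At Startup of Array" slot rather than at boot. Note that the `usermod -f -a wazuh wazuh` line quoted above does not match usermod's option syntax (`-f` takes an inactivity day count); the example uses `usermod -a -G wazuh wazuh`, which is the supplementary-group form that step was after.

```shell
#!/bin/bash
# Added example, not Anna Tuen's or meunraid's script: user.scripts
# "At Startup of Array" script that restores a source-built Wazuh agent
# after every Unraid boot (root is rebuilt from flash, /boot is FAT32, so
# the agent lives on a persistent share). Paths, gid and the manager
# address below are assumptions for this example.
OSSEC_DIR="${OSSEC_DIR:-/mnt/user/tools/ossec}"
WAZUH_GID="${WAZUH_GID:-999}"
WAZUH_MANAGER="${WAZUH_MANAGER:-}"   # e.g. 192.0.2.10; empty skips the check

# client.keys holds one "<id> <name> <ip> <64-hex key>" line per agent.
# Prints "<id> <name>" for every valid entry, returns 1 on any defect.
validate_client_keys() {
    keys_file="$1"
    if [ ! -s "$keys_file" ]; then
        echo "missing or empty $keys_file" >&2
        return 1
    fi
    found=0
    while read -r id name ip key extra || [ -n "$id" ]; do
        [ -z "$id" ] && continue
        if [ -n "$extra" ]; then
            echo "agent $id: unexpected trailing fields" >&2
            return 1
        fi
        case "$key" in
            ''|*[!0-9a-fA-F]*) echo "agent $id: key is not hex" >&2; return 1 ;;
        esac
        if [ "${#key}" -ne 64 ]; then
            echo "agent $id: key length ${#key}, expected 64" >&2
            return 1
        fi
        echo "$id $name"
        found=$((found + 1))
    done < "$keys_file"
    [ "$found" -gt 0 ]
}

# Extract the first <address> under <client><server> in ossec.conf; a tree
# copied from the build VM often still carries the VM's test address.
configured_manager() {
    sed -n 's/.*<address>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/address>.*/\1/p' "$1" | head -n 1
}

# Group and user vanish with the RAM root, so recreate them every boot.
ensure_wazuh_account() {
    getent group wazuh >/dev/null 2>&1 || /usr/sbin/groupadd -g "$WAZUH_GID" wazuh
    id -u wazuh >/dev/null 2>&1 || /usr/sbin/useradd -M -g wazuh -d "$OSSEC_DIR" -s /bin/false wazuh
    /usr/sbin/usermod -a -G wazuh wazuh
}

start_agent() {
    ensure_wazuh_account
    validate_client_keys "$OSSEC_DIR/etc/client.keys" || return 1
    if [ -n "$WAZUH_MANAGER" ]; then
        mgr=$(configured_manager "$OSSEC_DIR/etc/ossec.conf")
        if [ "$mgr" != "$WAZUH_MANAGER" ]; then
            echo "ossec.conf points at '$mgr', expected $WAZUH_MANAGER" >&2
            return 1
        fi
    fi
    "$OSSEC_DIR/bin/wazuh-control" start
    "$OSSEC_DIR/bin/wazuh-control" status
}

# No-op until the share holding the agent tree is mounted.
if [ -x "$OSSEC_DIR/bin/wazuh-control" ]; then
    start_agent
else
    echo "no wazuh-control under $OSSEC_DIR; is the array started?" >&2
fi
```

If the manager is the Compose stack posted earlier in this thread, the address to put in ossec.conf is the host running nginx, since that is what publishes 1514/tcp; enrolment (1515/tcp) goes straight to wazuh.master.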
JonathanM Posted July 11
Keep in mind the Slackware version is a moving target; you will likely need to recreate your steps with new versions of Unraid.
PBA+J Posted September 11 (edited)
On 5/27/2024 at 5:23 PM, Anna Tuen said:
Well, took me about an hour to work this one out; it was a lot easier than expected.
1. Added a wazuh user in the GUI.
2. Created a VM image of Slackware 15 and installed the standard developer tools.
3. Downloaded the Wazuh agent source files: https://documentation.wazuh.com/current/deployment-options/wazuh-from-sources/wazuh-agent/index.html
4. Ran the build etc. Installed on the sample Slackware instance.
5. Tweaked the ossec.conf for my environment and stuck the client key into the client.keys file.
6. Zipped up and copied to the N1.
7. Created an ossec directory on the share (saves all that re-installing from scratch every boot). Extracted the files from the zip file.
8. Set client.keys to the new key for the N1.
9. Downloaded the user.scripts plugin. Created a new script to start up wazuh-agent, to run after the array is up, which you can do with user.scripts (way cool!):
   /usr/sbin/groupadd -g 999 wazuh    (coz that's what the build sets the group permission to, but it may change for you)
   /usr/sbin/usermod -f -a wazuh wazuh
   /mnt/user/tools/ossec/bin/wazuh-control start
This worked for me and I didn't have to worry about loss of queue files etc. Hope that helps others.

Good morning @AnnaTuen! Thank you for this; I have questions naturally, as your experience level seems to be above my own.
1. What is the purpose of adding a Wazuh user in the Unraid GUI? Why is this required?
2. According to Wazuh's documentation, it is able to run on Ubuntu, so why did you utilize Slackware? Is it because that is Unraid's base?
3. ossec.conf: can you elaborate on this? What did you change that was specific to your environment? Also, was this on the VM, or within Unraid itself?
4. What is 'N1'?
5. What did you zip and copy to N1? What is N1? Where is N1? Why?
6. You stated that you created an ossec directory on the share. What share? Did you create a new share within Unraid? I'm confused.
7. What did your user.script look like?
Essentially, I'm asking for a little more detail. Also, I noticed that within the Unraid GUI there is the option for syslog to export to an IP. Couldn't this be ingested by Wazuh? pfSense has the ability for syslog exporting as well. Do you think it would be easier to simply install an Ubuntu instance, set up Wazuh, and simply export the Unraid syslog into the Ubuntu instance?
Thanks,
-Ace