InfInIty Posted April 9, 2022 Share Posted April 9, 2022 I am setting up a vm on my unraid server as a Wazuh stand alone server. Is there anyway to install a wazuh agent directly onto unraid? Quote Link to comment
InfInIty Posted May 20, 2022 Author Share Posted May 20, 2022 Anyone have any thoughts on this. With many unraid users hosting public servers with unraid. I think it would be a very good idea to get something like this up and running to help keep your system secure. Quote Link to comment
autumnwalker Posted March 28, 2023 Share Posted March 28, 2023 I've been looking at this also - Wazuh doesn't have a Slackware Agent package available. Quote Link to comment
L0rdRaiden Posted June 9, 2023 Share Posted June 9, 2023 did you found any solution to monitor the security of unraid? Quote Link to comment
Kees Fluitman Posted July 20, 2023 Share Posted July 20, 2023 Im hoping to see a solution as well. I'd like to monitor connections going to my unraid mostly. VMs i can check, but my unraid can not be monitored at the moment. Quote Link to comment
S3v3nD34dly51ns Posted July 21, 2023 Share Posted July 21, 2023 (edited) I know this is an old post, but was looking through google and saw this, perhaps an installation using docker compose? this is what I have found thus far. Courtesy of Github Docker Compose Wazuh # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2) version: '3.7' services: wazuh.master: image: wazuh/wazuh-manager:4.8.0 hostname: wazuh.master restart: always ports: - "1515:1515" - "514:514/udp" - "55000:55000" environment: - INDEXER_URL=https://wazuh1.indexer:9200 - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - FILEBEAT_SSL_VERIFICATION_MODE=full - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem - SSL_CERTIFICATE=/etc/ssl/filebeat.pem - SSL_KEY=/etc/ssl/filebeat.key - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- volumes: - master-wazuh-api-configuration:/var/ossec/api/configuration - master-wazuh-etc:/var/ossec/etc - master-wazuh-logs:/var/ossec/logs - master-wazuh-queue:/var/ossec/queue - master-wazuh-var-multigroups:/var/ossec/var/multigroups - master-wazuh-integrations:/var/ossec/integrations - master-wazuh-active-response:/var/ossec/active-response/bin - master-wazuh-agentless:/var/ossec/agentless - master-wazuh-wodles:/var/ossec/wodles - master-filebeat-etc:/etc/filebeat - master-filebeat-var:/var/lib/filebeat - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf wazuh.worker: image: wazuh/wazuh-manager:4.8.0 hostname: wazuh.worker restart: always environment: - INDEXER_URL=https://wazuh1.indexer:9200 - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - FILEBEAT_SSL_VERIFICATION_MODE=full - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem - SSL_CERTIFICATE=/etc/ssl/filebeat.pem - SSL_KEY=/etc/ssl/filebeat.key volumes: - worker-wazuh-api-configuration:/var/ossec/api/configuration - worker-wazuh-etc:/var/ossec/etc - worker-wazuh-logs:/var/ossec/logs - worker-wazuh-queue:/var/ossec/queue - worker-wazuh-var-multigroups:/var/ossec/var/multigroups - worker-wazuh-integrations:/var/ossec/integrations - worker-wazuh-active-response:/var/ossec/active-response/bin - worker-wazuh-agentless:/var/ossec/agentless - worker-wazuh-wodles:/var/ossec/wodles - worker-filebeat-etc:/etc/filebeat - worker-filebeat-var:/var/lib/filebeat - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf wazuh1.indexer: image: wazuh/wazuh-indexer:4.8.0 hostname: wazuh1.indexer restart: always ports: - "9200:9200" environment: - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536 volumes: - wazuh-indexer-data-1:/var/lib/wazuh-indexer - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml wazuh2.indexer: image: wazuh/wazuh-indexer:4.8.0 hostname: wazuh2.indexer restart: always environment: - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536 volumes: - wazuh-indexer-data-2:/var/lib/wazuh-indexer - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml wazuh3.indexer: image: wazuh/wazuh-indexer:4.8.0 hostname: wazuh3.indexer restart: always environment: - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536 volumes: - wazuh-indexer-data-3:/var/lib/wazuh-indexer - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml wazuh.dashboard: image: wazuh/wazuh-dashboard:4.8.0 hostname: wazuh.dashboard restart: always ports: - 443:5601 environment: - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200" - WAZUH_API_URL="https://wazuh.master" - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- - DASHBOARD_USERNAME=kibanaserver - DASHBOARD_PASSWORD=kibanaserver volumes: - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml depends_on: - wazuh1.indexer links: - wazuh1.indexer:wazuh1.indexer - wazuh.master:wazuh.master nginx: image: nginx:stable hostname: nginx restart: always ports: - "1514:1514" depends_on: - wazuh.master - wazuh.worker - wazuh.dashboard links: - wazuh.master:wazuh.master - wazuh.worker:wazuh.worker - wazuh.dashboard:wazuh.dashboard volumes: - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro volumes: master-wazuh-api-configuration: master-wazuh-etc: master-wazuh-logs: master-wazuh-queue: master-wazuh-var-multigroups: master-wazuh-integrations: master-wazuh-active-response: master-wazuh-agentless: master-wazuh-wodles: master-filebeat-etc: master-filebeat-var: worker-wazuh-api-configuration: worker-wazuh-etc: worker-wazuh-logs: worker-wazuh-queue: worker-wazuh-var-multigroups: worker-wazuh-integrations: worker-wazuh-active-response: worker-wazuh-agentless: worker-wazuh-wodles: worker-filebeat-etc: worker-filebeat-var: wazuh-indexer-data-1: wazuh-indexer-data-2: wazuh-indexer-data-3: Edited July 21, 2023 by S3v3nD34dly51ns Quote Link to comment
thompw Posted July 22, 2023 Share Posted July 22, 2023 hello i have just seen a youtube video about wazuh on networkchuck,s channel hope this helps Quote Link to comment
Ademar Posted December 3, 2023 Share Posted December 3, 2023 @InfInIty I've tried Sandfly, and that is able to scan Unraid over SSH. Some of the checks it's trying to do can't be completed, possibly due to Docker being used. But it does pass a lot of checks, and fail some. I also see there is an agentless mode to Wazuh, I haven't tried that yet. 1 Quote Link to comment
L0rdRaiden Posted December 11, 2023 Share Posted December 11, 2023 (edited) On 12/3/2023 at 10:26 PM, Ademar said: @InfInIty I've tried Sandfly, and that is able to scan Unraid over SSH. Some of the checks it's trying to do can't be completed, possibly due to Docker being used. But it does pass a lot of checks, and fail some. I also see there is an agentless mode to Wazuh, I haven't tried that yet. Where you have installed sandfly? in a VM? have you encountered any issue during installation or it works fine just by following the documentation? Wazuh agent over docker is not officially supported, although there are some unofficial images on github. I have been told in private that soon there will be official support for auditd in Unraid, I think this will be the best option to monitor the security, anyway I plan to try sandfly. Edited December 11, 2023 by L0rdRaiden Quote Link to comment
Ademar Posted December 11, 2023 Share Posted December 11, 2023 (edited) 12 hours ago, L0rdRaiden said: Where you have installed sandfly? in a VM? have you encountered any issue during installation or it works fine just by following the documentation? Wazuh agent over docker is not officially supported, although there are some unofficial images on github. To make it easy for myself, I set up a dedicated Debian VM where I follow the official "Docker install" procedure. https://support.sandflysecurity.com/support/solutions/articles/72000078453-docker-image-install https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html Wazuh AGENT as a docker container sounds like a terrible idea. Edited December 11, 2023 by Ademar Quote Link to comment
Rearchil Posted December 11, 2023 Share Posted December 11, 2023 did you found any solution?? It does not work for me... Quote Link to comment
L0rdRaiden Posted December 11, 2023 Share Posted December 11, 2023 8 minutes ago, Ademar said: To make it easy for myself, I set up a dedicated Debian VM where I follow the official "Docker install" procedure. https://support.sandflysecurity.com/support/solutions/articles/72000078453-docker-image-install https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html Wazuh AGENT as a docker container sounds like a terrible idea. But I understand that wazuh is useless if you can't install wazuh agent directly on unRAID OS, right? I will try with sandy first and the once auditd is ready I will integrate the logs in security onion Quote Link to comment
Ademar Posted December 11, 2023 Share Posted December 11, 2023 46 minutes ago, L0rdRaiden said: But I understand that wazuh is useless if you can't install wazuh agent directly on unRAID OS, right? I will try with sandy first and the once auditd is ready I will integrate the logs in security onion If you want to monitor a system with Wazuh, you either need to install the agent, or use the agentless monitoring capability. I really don't anything about that capability. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.