Full Wazuh Install - The SOCFortress Way

  • added 21 May 2023
  • Join me as we install the latest version of Wazuh (4.4)! Deploy your own SIEM solution today!
    📄Blog Post: / installing-the-new-waz...
    📩 Contact Me: www.socfortress.co/contact_fo...
    ℹ️ LinkedIn: / socfortressmdr
    🧾 Our Blog: / socfortress
    ☕ Buy Me A Coffee: bit.ly/3woh21M
    🚀 Security Operations Center as a Service: www.socfortress.co/
    ✅ Free For Life Tier: www.socfortress.co/trial.html
    👨🏻‍💻 Professional Services: www.socfortress.co/ps.html
    👾 Discord Channel: / discord
    Series Playlist: • World's Best SIEM Stack
  • Science & Technology

Comments • 82

  • @NetBandit70
    @NetBandit70 1 year ago +28

    May I suggest an audio upgrade. You can get a USB lavalier mic for under $10.

  • @neoninsv
    @neoninsv 8 months ago +14

    You've built some automations and a lot of cool stuff. I'd be interested in a demo video that just showcases all these in one sitting as if we were the SOC analysts at the console and to see some cases being worked from start to finish. No explanations of the back end or anything but just full on start to finish of case work in a real world scenario. That would be awesome to see it in action at the higher level.

  • @armartrissahyakkahyzerzakd632

    Excellent! TYSM, welcome back, Taylor!

  • @BrianGood
    @BrianGood 2 months ago +2

    Great content. Your audio is lousy so maybe look into some sound foam or a better microphone or something. Thanks again for great content.

  • @user-hy5dp8vl2q
    @user-hy5dp8vl2q 1 year ago

    As always Great! Thank you for your work!

  • @Wahinies
    @Wahinies 6 months ago +3

    This is so cool, thank you for this. I ran into some snags following the written guide, but the video cleared some things up. I am running this on Debian 12, and one of the issues is the lack of binaries for MongoDB, so I found a short guide on using the Ubuntu binaries and it works. I am running this in an XCP-ng VM and it looks like it's all running smoothly. Now to tinker with Wazuh and Graylog.

  • @PawsShip
    @PawsShip 1 year ago +2

    Hey Taylor, thanks a lot for this video. I was stuck with a Graylog error due to a version mismatch. You saved my job :)
    Thanks a lot again.

  • @junder93
    @junder93 8 months ago +2

    Hey Taylor, awesome work. I was wondering if you could upload a video where we integrate Wazuh with DFIR-IRIS via Shuffle, roughly the same as Wazuh + Shuffle + TheHive + Cortex.

  • @RC-ec5ut
    @RC-ec5ut 11 months ago +1

    Hi Taylor, your content is excellent! HUGE thanks! 🤝 How can the same be done with Docker? I am trying to separate each deployment of services into their own config file, to keep my eyes above water; perhaps I will be able to join all of this into a single docker-compose YAML including persistent volumes using NFS 😳 I foresee the use of nginx on the host, rather than a container, for routing HTTPS traffic, but how can this be done, certificate-wise? I am building this for internal use, so I make use of an internal CA. So far I have not seen any videos describing a build with an internal CA, working and tested throughout. Could you show this to us newbie folk?

  • @victorabiola8822
    @victorabiola8822 8 months ago +1

    Hi Taylor, excellent stuff as always!! Please, are you able to share a Docker setup for the latest Wazuh with Graylog?

  • @JasonJonesoriginal
    @JasonJonesoriginal 5 months ago

    Thank you for the great video! I was able to follow along with just a few modifications on Debian 12. I made it all the way to the end but I'm not seeing any logs in Graylog even after reconnecting SSH. Any ideas?

  • @JustinJ.
    @JustinJ. 1 year ago +3

    What SSH connection manager are you using? Looks nifty

  • @kapil28300
    @kapil28300 1 year ago

    Much appreciated!!

  • @Hccoh005
    @Hccoh005 7 months ago

    Hi Taylor, thanks for the great vids!! Since you don't use the Wazuh manager to ingest the firewall logs but Graylog, is there a way to get some alerts or Shuffle triggered on certain firewall log events?

  • @patriciomartinez1929
    @patriciomartinez1929 8 months ago

    Hey Taylor. Awesome videos.
    By the way, I'm new to Wazuh and I don't know whether ELK is not used anymore and is now replaced with the Wazuh indexer, or whether ELK is also used with Wazuh in other kinds of environments. I'd appreciate it if you or anyone here could help with this.

  • @charlyeklu3654
    @charlyeklu3654 11 months ago

    Thank you for this video.

  • @jimskyboy2
    @jimskyboy2 10 months ago +1

    FINALLY.
    After trying 7 times I finally got this up. For those using Proxmox, make sure you run privileged containers on LXC and Debian 11. Debian 12 does not have a binary for Deb12 yet.
    I'm still having an issue with Proxmox rewriting my hosts file upon each restart. Looking forward to that API!

    • @sasookay514
      @sasookay514 9 months ago +2

      Bro, thanks for the heads up, I was just about to build this on Debian 12 in Proxmox.

  • @MrTolcher
    @MrTolcher 6 months ago

    Watching your series really has me motivated to play around with some of this tech in my homelab. Do you have a diagram to cover the full stack of tech used? Summer holidays coming up!

  • @rogereales
    @rogereales 1 year ago +9

    Always great content, however I'm not sure if you're aware, Taylor, but if you are trying to use Graylog ingestion and indices and expect to use the Wazuh dashboard for alerts, it doesn't work. It breaks absolutely everything. Graylog secretly changes all the key pair fields to use an underscore, whereas Wazuh uses a dot in field names… 😢 -- Basically, Graylog does not allow "." characters in field names since version 2.0 of Elastic... Support has been restored since version 5.0. However, Wazuh is using forked OpenSearch and they haven't changed this yet....
    For compatibility, Graylog replaces "." with "_" silently - it doesn't matter what you put in your extractor.... So Wazuh (OpenSearch 2.4.1, which I have... confirmed) expects their fields to have a "." in them... So if you ingest your agent logs into Graylog via Fluent Bit and connect it back to the Wazuh Indexer (OpenSearch 2.4.1 for Wazuh 4.4.0), the fields all have _ as the key separator in each field... So rule.id becomes rule_id and manager.name becomes manager_name - the Wazuh dashboard becomes useless and doesn't display anything... This may not be a problem if you don't plan to use the Wazuh Dashboard for alerts and events, like if you are using Grafana...

    • @fxdtech
      @fxdtech 1 year ago +1

      Is there anything more on this? Is there a way around borking the underlying function of the wazuh platform? lol

    • @CyberMayler
      @CyberMayler 11 months ago +2

      @fxdtech No, once you stop using Filebeat, you can only use Graylog for analysis. There is a variable you can test that is responsible for this happening.

    • @DeadlyDragon_
      @DeadlyDragon_ 10 months ago

      Yup, just figured this crap out myself. compatibility.override_main_response_version: true is what allows Filebeat to work for Wazuh. But enabling this breaks Graylog.

    • @CyberMayler
      @CyberMayler 10 months ago

      @DeadlyDragon_ I'm using Grafana with Wazuh, it's awesome. I separated the clusters onto several servers using Docker; it works perfectly and with no lag with all my 300 servers.

    • @DeadlyDragon_
      @DeadlyDragon_ 10 months ago +1

      Just sent them an email and got a response back regarding this:
      The way we setup our SIEM stack Filebeat (Wazuh manager) is not involved in writing the events to Wazuh Indexer. The flow is Wazuh manager + FluentBit - Graylog - Wazuh Indexer.
      That also means that Wazuh dashboard is not used to visualise/analyse events, Grafana is used for that.
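The field-name problem described in this thread, as an added example (not code from the video or from SOCFortress): a Wazuh alert is nested JSON, and the Wazuh dashboard addresses values by dotted path (rule.id, agent.name, ...). The script below flattens a constructed sample alert into those paths, applies the "." to "_" rewrite the comments attribute to Graylog, and lists which dashboard fields no longer resolve. The sample alert and the list of dashboard fields are constructed for illustration; only the rewrite itself comes from the thread.

```python
"""Added example: what a '.' to '_' field rename does to Wazuh alert lookups."""
import json

# Constructed sample alert, shaped like a Wazuh SSH-authentication alert
# (values are illustrative, not taken from a real manager).
SAMPLE_ALERT = json.loads("""
{
  "timestamp": "2023-05-21T10:15:00.000+0000",
  "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success."},
  "agent": {"id": "001", "name": "web01"},
  "manager": {"name": "wazuh-manager"},
  "data": {"srcip": "192.0.2.10", "srcuser": "alice"}
}
""")

# Assumption: a handful of dotted paths a dashboard visualisation would query.
DASHBOARD_FIELDS = ["timestamp", "rule.id", "rule.level", "rule.description",
                    "agent.name", "manager.name"]


def flatten(doc, prefix=""):
    """Flatten nested JSON into {dotted.path: value}, the way an index pattern sees it."""
    flat = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def underscore_rename(fields):
    """Model the rename the comments describe: every '.' in a field name becomes '_'."""
    return {name.replace(".", "_"): value for name, value in fields.items()}


def missing_fields(expected, stored):
    """Dashboard fields that have no match in the stored document."""
    return [name for name in expected if name not in stored]


def dashboard_report(alert, expected=DASHBOARD_FIELDS):
    """Compare what the dashboard would find with and without the rename."""
    native = flatten(alert)
    renamed = underscore_rename(native)
    return {
        "missing_native": missing_fields(expected, native),
        "missing_after_rename": missing_fields(expected, renamed),
    }


if __name__ == "__main__":
    print(json.dumps(dashboard_report(SAMPLE_ALERT), indent=2))
```

Running it shows that every dotted field except timestamp goes missing after the rename, which is exactly the "dashboard displays nothing" symptom above; a quick way to confirm the state of your own index is to pull one document from the indexer and look at whether its keys are nested objects or flat underscored names.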

  • @nicoe6111
    @nicoe6111 11 months ago

    I wonder what the server sizing requirements are. What would you put on which server, or would you host everything on different servers?

  • @sbme1147
    @sbme1147 5 months ago

    @Wahinies 1 day ago
    Thank you, that explains why my vulnerability scans disappeared and now the index templates are FUBAR after the 4.7 upgrade. Is the best course of action to just redo it without Graylog to keep the Wazuh dashboard useful?
    That is a great question, as I just ran across this video tonight and started creating folders with bookmarks to some of the programs I didn't already have. This is one series I really do want to pursue, and it'd be my first home lab test. However, if Graylog doesn't work as it's described in the video from May 2023, that would be a bummer, as one of my favorite YT streamers speaks highly of Graylog and they use it for the many thousands of computers they are in charge of remotely in their IT business.

  • @bayusangkaya5525
    @bayusangkaya5525 10 months ago

    Is it possible to connect an already running Wazuh Indexer (installed with the installation scripts) with Graylog?

  • @dmswnrto
    @dmswnrto 11 months ago +2

    Hi Taylor, just want to correct your script on Medium in the Certificate Deployment segment: the script is missing ".pem". Overall, thank you for your guidance.

  • @wtseriously
    @wtseriously 1 year ago +1

    Man, can you give me a roadmap to being a good analyst, to learn all these things, for an absolute beginner?

  • @user-pq4eh3gw9s
    @user-pq4eh3gw9s 10 months ago

    I would like to say maybe you should cover some troubleshooting steps, as not everyone will get through without errors. You're assuming it will just go smoothly.

  • @klrahul9172
    @klrahul9172 11 months ago

    Please make a video on how alerts are triggered in Wazuh and how to investigate them.

  • @aceito8317
    @aceito8317 5 months ago

    How do you use Cloudflare Tunnel with this?

  • @gjumbo
    @gjumbo 11 months ago +1

    What is the name of the SSH tool?

  • @carlosgouveia
    @carlosgouveia 10 months ago

    On a fresh Ubuntu VPS, fresh install using Docker: when trying to add a new agent, I fill in all the data and run the commands on the machines where the agents are supposed to run, and nothing happens. If I press the refresh button it clears all options, and if I go back to Agents the list is empty.
    On the agent machine I get this in the logs:
    wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[ip-address]:1515'

  • @charlyeklu3654
    @charlyeklu3654 11 months ago

    Can you show us how to forward Cisco router logs to Wazuh in another video?

  • @matthewfx99
    @matthewfx99 1 year ago +1

    I have OpenSearch, Graylog and the Wazuh manager EDR installed and working great. Is it possible to install the GUI for Wazuh EDR without the Wazuh indexer?

    • @Major_Thorn
      @Major_Thorn 8 months ago

      Do you mean the Wazuh-Dashboard?

  • @chrispycryptic
    @chrispycryptic 8 months ago

    Mentioning the fact that you have to alter the information in your 'custom' config.yml under [req_domain_name] from your information to the default or our own would likely save people some headache. You should probably fix that link, since it kind of defeats the purpose of trying to help save time. Otherwise, great info!

  • @umarbaig007
    @umarbaig007 5 months ago

    How are you doing this? Why am I facing an error at every command? Denied, failed.

  • @reu4ik148
    @reu4ik148 6 months ago

    Can someone tell me? I'm using Oracle VM, Ubuntu 22.04, trying to install MongoDB, and every time I get a core dump; apparently Oracle can't work with AVX. Can anyone tell me?

  • @srijankafle2963
    @srijankafle2963 1 year ago +2

    I have been having an issue with certificates while using their Docker with OpenSearch's indexer Docker. Hope this solves it.
    Will get back here if it resolves the issue.

    • @CyberMayler
      @CyberMayler 1 year ago +1

      I had the same problem, but the problem was with my Grafana user. Try to use the admin user from Wazuh to connect with and it will work. I'm trying to deploy all my lab with Docker and I am at the part where I configure Fluent Bit with the Wazuh master and worker logs created by volumes from the Wazuh docker compose.

    • @fxdtech
      @fxdtech 1 year ago

      @CyberMayler would you be able to share your docker-compose file through a pastebin? I am stuck on the Wazuh indexer / Graylog TLS/SSL communication.

    • @CyberMayler
      @CyberMayler 1 year ago

      @fxdtech I'm working on it this week and I will share it with you when I have it all done. I'm using Taylor's model to do this using only Docker. I need to fix some issues with the log volumes from Wazuh to map them inside the Fluent Bit container. We'll talk as soon as I've done this new certs configuration from the video using Docker.

    • @fxdtech
      @fxdtech 1 year ago +1

      @CyberMayler Hey brother, just following up to see if you have made any progress on the Docker deployment? I am still stumped and now chasing my tail. Also, I hope all has been well in your sector of the universe.

    • @CyberMayler
      @CyberMayler 1 year ago +1

      @fxdtech Yes, I made progress. I can help you.

  • @DeadlyDragon_
    @DeadlyDragon_ 10 months ago +1

    What terminal emulator program are you using?

  • @GordonSquared
    @GordonSquared 11 months ago

    Tried this multiple times, but sadly I get a connection error with the Wazuh dashboard. It seems it can't connect to OpenSearch, so when logging into the web interface I get the message "Wazuh dashboard server is not ready yet". 😢

    • @GordonSquared
      @GordonSquared 11 months ago

      For the life of me I can't seem to figure out why.

    • @szdomy
      @szdomy 10 months ago

      Same problem here. Have you found any solution for it?

    • @siriondb
      @siriondb 10 months ago +2

      I had that issue. I modified the opensearch.yml with the server IP and left it at localhost:9200. I then restarted the service and it worked.

  • @_itis8809
    @_itis8809 1 year ago +4

    Love your videos, but... the audio, man... please, do something about it.

  • @artemfedorov5216
    @artemfedorov5216 11 months ago

    How do I fix this problem?
    INFO: No current API selected
    INFO: Getting API hosts...
    INFO: API hosts found: 1
    INFO: Checking API host id [default]...
    INFO: Could not connect to API id [default]: timeout of 20000ms exceeded
    INFO: Removed [navigate] cookie
    ERROR: No API available to connect
    You received the same error at 13:07.

  • @mcastill3
    @mcastill3 10 months ago +1

    Excellent video, you helped me solve every issue I had connecting Graylog with the Wazuh Indexer. Great content, man.

    • @khai-vq5hn
      @khai-vq5hn 5 months ago

      How did you solve the Graylog connectivity error?

  • @souvikghosh8680
    @souvikghosh8680 8 months ago +1

    I'm facing this problem after completing 12:35 of your video: "Wazuh dashboard server is not ready yet" 😭😭

  • @alexmarchant4277
    @alexmarchant4277 10 months ago +3

    The sound is bad :(

  • @karlinaiin1290
    @karlinaiin1290 1 year ago +1

    Turn on the subtitles, bro.

  • @duggrein409
    @duggrein409 10 months ago +2

    Just my personal input, but when I go to watch a video that has possibly good info but the audio of the video is not good, I skip to another one with better audio.
    Reverb city, yo.

  • @rahoulrdhopade6367
    @rahoulrdhopade6367 5 months ago

    On Wazuh I get this error. Any idea how to fix it, since we aren't using Filebeat? Thanks.
    [Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]

    • @babsfernendis3393
      @babsfernendis3393 4 months ago

      I am getting the same error, were you able to solve this?

  • @babsfernendis3393
    @babsfernendis3393 4 months ago

    No reply to even a single comment... Great..

  • @umarbaig007
    @umarbaig007 5 months ago

    The temp/config.yml is empty.

  • @benzegamer1602
    @benzegamer1602 5 hours ago

    . - unable to find valid certification path to requested target.
    2024-05-30T00:33:37.262-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #344
    2024-05-30T00:33:42.278-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:42.279-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #345
    2024-05-30T00:33:47.301-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:47.301-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #346
    2024-05-30T00:33:52.330-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:52.330-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #347
    2024-05-30T00:33:57.353-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:57.354-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #348

  • @khai-vq5hn
    @khai-vq5hn 5 months ago

    I don't have files in /tmp/wazuh-certificates, as tmp gets deleted upon reboot. How do I proceed further with this command, openssl x509 -in wazuh-indexer01.socfortress.demo -text -noout, and the installation of the Graylog certs and their validation? Though it does store a copy to /certs, it is throwing a connection error, and my set domain and node server don't show up.

    • @bikramsingh4813
      @bikramsingh4813 4 months ago +1

      Create another directory, tmp2, and replace tmp with tmp2 in all the commands.

    • @khai-vq5hn
      @khai-vq5hn 3 months ago

      Got it, thanks @bikramsingh4813

  • @khai-vq5hn
    @khai-vq5hn 1 month ago

    [ConnectionError]: getaddrinfo ENOTFOUND wazuh-indexer01. This error, WHYY?
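Several of the failures in this thread are plain reachability problems that look different at each layer: getaddrinfo ENOTFOUND wazuh-indexer01 (the comment above) means the name never resolved, typically a missing or overwritten /etc/hosts entry; "Unable to connect to enrollment service at '[ip-address]:1515'", "Wazuh dashboard server is not ready yet" and "Could not connect to API id [default]: timeout of 20000ms exceeded" mean the name resolved but nothing answered on the port, or a firewall dropped the connection. The pre-flight check below is an added example, not a script from the video or from SOCFortress: it separates those cases for each endpoint of the stack. The host names and ports are assumptions based on the naming in this series and the Wazuh defaults (9200 indexer, 1514/1515 agent traffic and enrollment, 55000 manager API); adjust them to your deployment.

```python
"""Added example: pre-flight DNS and TCP reachability check for a Wazuh stack."""
import socket

# Assumed endpoints; names must match what is in /etc/hosts or DNS.
DEFAULT_ENDPOINTS = [
    ("wazuh-indexer01", 9200),   # indexer REST API (dashboard and Graylog talk to it)
    ("wazuh-manager", 1514),     # agent event channel
    ("wazuh-manager", 1515),     # agent enrollment (error 1208 above)
    ("wazuh-manager", 55000),    # manager API (the "No API available" error above)
]


def check_endpoint(host, port, timeout=3.0):
    """Return 'dns-failure', 'ok', 'refused', 'timeout' or 'unreachable'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"          # the getaddrinfo ENOTFOUND case
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "ok"                   # something is listening; TLS/auth are the next layer
    except ConnectionRefusedError:
        return "refused"              # host answers, service not running or bound elsewhere
    except socket.timeout:
        return "timeout"              # packets dropped: firewall, wrong VLAN, host down
    except OSError:
        return "unreachable"          # no route to host and similar
    finally:
        sock.close()


def run_checks(endpoints=DEFAULT_ENDPOINTS, timeout=3.0):
    """Check every endpoint and return {'host:port': status}."""
    return {f"{host}:{port}": check_endpoint(host, port, timeout)
            for host, port in endpoints}


if __name__ == "__main__":
    for target, status in run_checks().items():
        print(f"{target:<28} {status}")
```

A "dns-failure" on wazuh-indexer01 is fixed in /etc/hosts or DNS, not in any Wazuh or Graylog config; "refused" on 9200 usually means the indexer is bound to a different address than the one the dashboard's opensearch.hosts points at (the localhost-vs-server-IP fix mentioned earlier in the thread); "timeout" points at a firewall or security group between the hosts.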