What is the Wazuh agent?
The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in real time through an encrypted and authenticated channel.
What is Sysmon?
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to files on the server or device.
INSTALLATION OF SYSMON
To install Sysmon:
- Download Sysmon from the following link:
- Then navigate to where you downloaded the zip file.
- Unzip the Sysmon folder.
- Copy the sysmonconfig-export.xml file into the Sysmon folder.
- Open CMD and navigate to the Sysmon folder.
- Run the following command to install Sysmon (use Sysmon.exe on a 32-bit system and Sysmon64.exe on a 64-bit system):
$ sysmon64 -accepteula -i sysmonconfig-export.xml
This command installs Sysmon together with the Sysmon configuration file, which you can edit later to meet your business or personal requirements.
After running the command you should see output similar to that shown below, which means Sysmon was installed successfully.
To update the configuration file, run the following command:
$ sysmon64 -c sysmonconfig-export.xml
You would do this after customizing your Sysmon configuration file. For example, if you want Sysmon to monitor process tampering, you need to add the 'ProcessTampering' option to the configuration file and then run the above command so that Sysmon picks up the changes you made.
Now that Sysmon is installed, we can confirm this by opening Event Viewer and navigating to Applications and Services Logs/Microsoft/Windows.
Here you should be able to see Sysmon, as shown in the figure below.
INSTALLING THE WAZUH AGENT
Now that we have Sysmon installed, let's go ahead and install the Wazuh agent and configure it.
To do so:
- Download the Wazuh agent from the following link:
- Navigate to where you downloaded it.
- Run the following command to install it:
NB: Make sure to replace the IP address in the command with the IP address of your Wazuh manager.
In this case, the IP address of my Wazuh manager is 172.16.0.100.
Now let us check whether the Wazuh agent is running: open Services, look for Wazuh and check that the service is running.
WAZUH AGENT CONFIGURATION
All Wazuh agent configuration is done in the ossec.conf file. To find it, navigate to Local Disk -> Program Files (x86), where you should see the ossec-agent folder; open it and find the ossec.conf file as shown below.
Wazuh Manager IP Configuration
After opening the file, replace the value in the address section with the IP address of your Wazuh manager. In my case the Wazuh manager IP is 172.16.0.100, as shown below.
Syslog Monitoring Configuration
To monitor logs from a specific path you have to specify that path in the localfile section. For example, in my case I am using a Jira server and I would like to monitor all syslogs under Program Files\Atlassian\JIRA and Program Files\Atlassian\Application Data\JIRA.
This will collect all the syslogs found there and send them to our Wazuh manager.
To do so, add the following localfile section, replacing the path with your own custom path:
<localfile>
  <location>C:\Program Files\Atlassian\Application Data\JIRA\log\*.log</location>
  <log_format>syslog</log_format>
</localfile>
File Integrity Monitoring
To configure File Integrity Monitoring, add the following line inside the syscheck section of the configuration file. It tells the agent to check all directories under \Program Files\Atlassian in real time:
<directories check_all="yes" realtime="yes">C:\Program Files\Atlassian</directories>
Monitor the sysmon logs
To monitor the Sysmon event channel with Wazuh you need to link Sysmon to the Wazuh agent. This is done by adding a section to your ossec.conf file that tells the agent to monitor the eventchannel at Microsoft-Windows-Sysmon/Operational, which is the log where Sysmon writes its events.
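The three ossec.conf changes above (manager address, Jira localfile, realtime syscheck directory) plus the Sysmon eventchannel block are easy to get subtly wrong by hand, so here is an added example, not part of the original article or of Wazuh itself, that applies them with a script and then checks that a given ossec.conf actually contains them. It assumes the manager IP and paths used in this article and the agent's documented element names (`client/server/address`, `localfile/location`, `localfile/log_format`, `syscheck/directories`); the base configuration it starts from is a constructed stand-in for the file the installer writes.

```python
"""Apply and verify the Wazuh agent settings from this article (added example)."""
import xml.etree.ElementTree as ET

MANAGER_IP = "172.16.0.100"  # manager address used in the article
JIRA_LOG_GLOB = r"C:\Program Files\Atlassian\Application Data\JIRA\log\*.log"
FIM_DIR = r"C:\Program Files\Atlassian"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Constructed minimal ossec.conf standing in for the one the installer writes.
BASE_CONF = """<ossec_config>
  <client>
    <server>
      <address>0.0.0.0</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
  </syscheck>
</ossec_config>
"""


def _parse(conf_text):
    # ossec.conf may contain several top-level <ossec_config> blocks, so wrap
    # the whole file in a synthetic root instead of assuming a single root.
    return ET.fromstring("<wrapper>" + conf_text + "</wrapper>")


def _dump(wrapper):
    return "".join(ET.tostring(child, encoding="unicode") for child in wrapper)


def set_manager_address(wrapper, ip):
    """Point the agent at the manager: the <address> under <client><server>."""
    addr = wrapper.find("./ossec_config/client/server/address")
    if addr is None:
        raise ValueError("no <client><server><address> element in ossec.conf")
    addr.text = ip


def add_localfile(wrapper, location, log_format):
    """Append a <localfile> block unless one for that location already exists."""
    for lf in wrapper.iter("localfile"):
        if lf.findtext("location") == location:
            return False  # already present: keep the edit idempotent
    block = wrapper.find("ossec_config")
    lf = ET.SubElement(block, "localfile")
    ET.SubElement(lf, "location").text = location
    ET.SubElement(lf, "log_format").text = log_format
    return True


def add_fim_directory(wrapper, path, check_all="yes", realtime="yes"):
    """Add a <directories> entry to the first <syscheck> block."""
    syscheck = wrapper.find("./ossec_config/syscheck")
    if syscheck is None:
        raise ValueError("no <syscheck> block in ossec.conf")
    if any(d.text == path for d in syscheck.findall("directories")):
        return False
    d = ET.SubElement(syscheck, "directories", check_all=check_all, realtime=realtime)
    d.text = path
    return True


def configure_agent(conf_text):
    """Apply every setting from the article and return the new ossec.conf text."""
    w = _parse(conf_text)
    set_manager_address(w, MANAGER_IP)
    add_localfile(w, JIRA_LOG_GLOB, "syslog")           # Jira plain-text logs
    add_localfile(w, SYSMON_CHANNEL, "eventchannel")    # Sysmon event channel
    add_fim_directory(w, FIM_DIR)                       # realtime FIM on Atlassian
    return _dump(w)


def check_config(conf_text):
    """Report which of the article's settings an ossec.conf actually contains."""
    w = _parse(conf_text)
    addr = w.find("./ossec_config/client/server/address")
    localfiles = {(lf.findtext("location"), lf.findtext("log_format"))
                  for lf in w.iter("localfile")}
    realtime_dirs = {d.text for d in w.iter("directories") if d.get("realtime") == "yes"}
    return {
        "manager_address": addr is not None and addr.text == MANAGER_IP,
        "jira_logs": (JIRA_LOG_GLOB, "syslog") in localfiles,
        "sysmon_channel": (SYSMON_CHANNEL, "eventchannel") in localfiles,
        "fim_realtime": FIM_DIR in realtime_dirs,
    }


if __name__ == "__main__":
    updated = configure_agent(BASE_CONF)
    print(updated)
    print(check_config(updated))
```

Running the script twice over the same file adds nothing the second time, and `check_config` is the piece worth keeping around: run it against the real `C:\Program Files (x86)\ossec-agent\ossec.conf` after editing and before restarting the service, so a missing block shows up as a `False` rather than as silence on the manager.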
View logs on Wazuh Manager
Now that our agent is installed and configured, let's go to the Wazuh manager and check whether we can see it.
To do this, click on Total agents, which takes you to the page listing the agents configured to send logs to our Wazuh manager.
As you can see below, we are able to see Jira which is the agent that we configured on the Jira server.
This means that it was successfully configured.
Let us now trigger some alerts and see whether they are recorded on our Wazuh manager. Remember the path we configured to be monitored; I will navigate there and add a file, then go to Services and restart my Wazuh agent.
In this case I created a file and called it hello.txt, as shown below.
Moving to the Wazuh manager and checking through the logs, I am able to see that the file I created was captured, as shown below.
Wazuh captures the name of the file that was added and the path where it was added.
Next, I will delete the hello.txt file, and on my Wazuh manager that is captured as shown below.
In conclusion, we configured our Wazuh agent to send logs to our Wazuh manager and saw how those logs are shipped and displayed there.
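What the manager shows for the hello.txt test above is a pair of syscheck alerts (one "added", one "deleted") alongside the Sysmon alerts coming in on the eventchannel. The following is an added example, not from the article or from Wazuh, that reads alert lines in the shape of the manager's alerts.json, picks out the file-integrity events under the monitored Atlassian directory and the Sysmon event IDs, and summarises them. The sample lines are constructed for this example (timestamps, agent id/IP, rule ids and descriptions are made up to mirror the format); the field names `syscheck.path`, `syscheck.event`, `agent.name` and `data.win.system.eventID` are the ones the manager uses.

```python
"""Summarise FIM and Sysmon alerts from alerts.json-style lines (added example)."""
import json

# Constructed sample alerts, one JSON object per line as in the manager's alerts.json.
SAMPLE_ALERTS = r"""
{"timestamp":"2024-01-01T10:00:00.000+0000","rule":{"level":5,"description":"File added to the system.","id":"554","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"Jira","ip":"172.16.0.50"},"syscheck":{"path":"c:\\program files\\atlassian\\hello.txt","event":"added","mode":"realtime"}}
{"timestamp":"2024-01-01T10:05:00.000+0000","rule":{"level":7,"description":"File deleted.","id":"553","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"Jira","ip":"172.16.0.50"},"syscheck":{"path":"c:\\program files\\atlassian\\hello.txt","event":"deleted","mode":"realtime"}}
{"timestamp":"2024-01-01T10:06:00.000+0000","rule":{"level":3,"description":"Sysmon process creation (constructed rule)","id":"100100","groups":["windows","sysmon"]},"agent":{"id":"001","name":"Jira"},"data":{"win":{"system":{"eventID":"1","channel":"Microsoft-Windows-Sysmon/Operational"}}}}
{"timestamp":"2024-01-01T10:07:00.000+0000","rule":{"level":5,"description":"File added to the system.","id":"554","groups":["ossec","syscheck"]},"agent":{"id":"002","name":"Other"},"syscheck":{"path":"c:\\temp\\unrelated.txt","event":"added","mode":"scheduled"}}
"""


def parse_alerts(text):
    """Parse alerts.json content: one JSON object per non-empty line."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a partially written last line is common while the file grows
    return alerts


def fim_events(alerts, watched_dir):
    """Return (event, path, agent, timestamp) for syscheck alerts under watched_dir."""
    prefix = watched_dir.lower().rstrip("\\") + "\\"  # Windows paths, case-insensitive
    out = []
    for a in alerts:
        sc = a.get("syscheck")
        if not sc:
            continue
        path = sc.get("path", "")
        if path.lower().startswith(prefix):
            out.append((sc.get("event"), path, a.get("agent", {}).get("name"), a.get("timestamp")))
    return out


def count_by_event(fim):
    """Count added/modified/deleted events from fim_events()."""
    counts = {}
    for event, _path, _agent, _ts in fim:
        counts[event] = counts.get(event, 0) + 1
    return counts


def sysmon_alerts(alerts):
    """Return (eventID, channel) for alerts that arrived via the Sysmon eventchannel."""
    out = []
    for a in alerts:
        system = a.get("data", {}).get("win", {}).get("system", {})
        if system.get("channel") == "Microsoft-Windows-Sysmon/Operational":
            out.append((system.get("eventID"), system["channel"]))
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    fim = fim_events(alerts, r"C:\Program Files\Atlassian")
    for event, path, agent, ts in fim:
        print(f"{ts} {agent}: {event} {path}")
    print(count_by_event(fim))
    print(sysmon_alerts(alerts))
```

The directory filter matters: the manager receives syscheck alerts from every agent and every monitored path, so scoping to the path you configured (and to the agent you expect) is what turns the raw stream into the "hello.txt was added, then deleted" story the screenshots above show.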
Thank you and I will see you in the next article.