Building SIEM with Wazuh: A Centralized Monitoring “Shield” for Linux Servers

Security tutorial - IT technology blog

Quick Start: Deploying Wazuh All-in-One in 5 Minutes

If you’re in a hurry or want to test it immediately, the automatic installation script is your best bet. I once learned a hard lesson when my server was hit by constant SSH brute-force attacks at 2 AM. After staying up all night cleaning up that mess, I installed Wazuh right away so I’d never have to pull a pointless all-nighter again.

System requirements: Ubuntu 20.04/22.04, at least 4GB RAM and 2 CPUs. However, for long-term production use, I recommend 8GB RAM to ensure the system runs smoothly.

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash wazuh-install.sh -a

The installation typically takes 3 to 5 minutes. Once finished, the script will output the username (admin) and password. Simply access https://<Your-IP> to start exploring the Dashboard.

Why Wazuh is the Top Choice for Linux Administrators

In the past, I used to SSH into each node individually to check /var/log/auth.log or syslog. This approach is fine for 1-2 servers, but once you hit dozens, manual management becomes a disaster. Wazuh solves this by transforming raw log data into valuable security intelligence:

  • Intrusion Detection (HIDS): Monitor abnormal user behavior and system processes in real-time.
  • Vulnerability Management: Automatically scan for outdated software packages. It cross-references with the CVE database to alert you as soon as a new patch is available.
  • File Integrity Monitoring (FIM): If someone injects malicious code into /etc/passwd or modifies an Nginx config file, you’ll receive an alert within seconds.
  • Active Response: This feature enables self-defense by automatically blocking the attacker’s IP when intrusion signs are detected.

Installing the Agent: Connecting Servers to the Hub

After setting up the Manager, you need to install “eyes and ears” (Agents) on your satellite servers. Instead of typing commands manually, use the Dashboard interface. Select Deploy new agent, choose the operating system (Ubuntu, CentOS, Windows), and copy the pre-generated command.

Here is an example installation command for an Ubuntu server:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.2-1_amd64.deb
sudo WAZUH_MANAGER='<WAZUH_SERVER_IP>' dpkg -i wazuh-agent_4.7.2-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Just seconds after running the command, the server will show an Active status on the Dashboard. Everything from system file changes to login logs is now right at your fingertips.

Activating Active Response: Automatically Stopping Attackers

This is the most valuable part of Wazuh. Instead of watching hackers brute-force passwords, we’ll configure the system to use iptables to ban those IPs immediately. In practice, this feature has helped me reduce automated botnet brute-force attacks by up to 95%.

Open the configuration file on the Manager at /var/ossec/etc/ossec.conf. Navigate to the <active-response> section and add the following configuration to handle rule 5712 (SSH brute force):

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712</rules_id>
  <timeout>1800</timeout>
</active-response>

With this configuration, any IP violating rule 5712 will be blocked for 30 minutes. Don’t forget to run systemctl restart wazuh-manager to apply the changes.
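To sanity-check a configuration like the one above before restarting the manager, here is an added example (not part of the post or of Wazuh itself) that parses the <command>/<active-response> blocks, refuses any response that names an undefined command, and then replays a few constructed alerts.json-style lines to show which source IPs rule 5712 would hand to firewall-drop and for how long. The config is assumed to sit under an <ossec_config> root, and the alert lines are simplified to the fields the script reads.

```python
import json
import xml.etree.ElementTree as ET

# Constructed: the <command>/<active-response> blocks from the post, wrapped in <ossec_config>.
OSSEC_CONF = """<ossec_config>
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712</rules_id>
  <timeout>1800</timeout>
</active-response>
</ossec_config>"""

# Constructed alert lines in the shape of alerts.json (only the fields read here).
ALERTS = [
    '{"rule":{"id":"5710","level":5},"data":{"srcip":"203.0.113.7"}}',
    '{"rule":{"id":"5712","level":10},"data":{"srcip":"203.0.113.7"}}',
    '{"rule":{"id":"5712","level":10},"data":{"srcip":"198.51.100.9"}}',
    '{"rule":{"id":"5501","level":3},"data":{"srcip":"192.0.2.4"}}',
]

def load_responses(conf_xml):
    # Map rule id -> (command, timeout seconds); fail loudly on an undefined command.
    root = ET.fromstring(conf_xml)
    defined = {c.findtext("name") for c in root.findall("command")}
    responses = {}
    for ar in root.findall("active-response"):
        cmd = ar.findtext("command")
        if cmd not in defined:
            raise ValueError(f"active-response uses undefined command {cmd!r}")
        for rule_id in ar.findtext("rules_id").split(","):
            responses[rule_id.strip()] = (cmd, int(ar.findtext("timeout") or 0))
    return responses

def simulate(alert_lines, responses, min_level=5):
    # Return {srcip: (command, timeout)} for alerts that pass the level filter and match a rule id.
    blocked = {}
    for line in alert_lines:
        alert = json.loads(line)
        if alert["rule"]["level"] < min_level:
            continue  # below the noise threshold, ignored
        hit = responses.get(alert["rule"]["id"])
        if hit:
            blocked[alert["data"]["srcip"]] = hit
    return blocked
```

Running simulate(ALERTS, load_responses(OSSEC_CONF)) shows that only the two 5712 alerts lead to a 1800-second block; the level-5 5710 alert survives the filter but has no response attached.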

Hard-Learned Lessons from Real-World Operations

After years of deploying Wazuh for various projects, I’ve identified 4 key considerations to ensure the system doesn’t become a burden:

1. Managing Log Noise

The Wazuh Indexer consumes resources quickly if you store everything. A mid-sized system can generate gigabytes of logs daily just from Load Balancer health checks. Filter out these useless logs and only keep alerts from Level 5 and above to save disk space.

2. Optimizing Vulnerability Detection

Don’t just install the agent to monitor SSH logs. Enable the vulnerability-detector feature in the ossec.conf file. However, you should schedule scans during off-peak hours. Continuous scanning can spike CPU usage to 100% on low-spec servers.

3. Strict Access Control

Never share a single admin account across the entire team. Create specific Roles for different departments. For example, the Development team only needs permission to view application logs, while Active Response management should be restricted to the Security team.

4. Backup Strategy

Many people spend weeks writing custom Rules and Decoders but forget to back them up. Always perform regular backups of the /var/ossec/etc/ directory. If the server crashes or needs an upgrade, you won’t have to rebuild everything from scratch.

Wazuh is powerful, but to be truly effective, it requires meticulous operation. I hope these guidelines help you build a robust monitoring system. Don’t wait until you’re hacked to start worrying about security.
