
Up the Wazuh: A SIEM-ple Adventure in Troubleshooting

Initial setup

To start, I downloaded the .ova file from the Wazuh website (https://wazuh.com) and then installed it in my VirtualBox hypervisor.

Then I booted up my Fedora Linux VM and the Wazuh VM with the dashboard and manager on.

After I had logged in to the Wazuh VM with the default credentials, I used the ip a command to find out the IP address of the Wazuh VM. As I knew from reading the documentation, I'd need this later.

In my Fedora VM I opened a terminal and used the commands on the Wazuh website to install the agent on the VM. After some time the installation was completed and I had to update the .conf file with the IP address of the Wazuh manager.

This is important because the file is a generic file that needs to be modified to make it specific to each individual setup.

All was going well up to this point. I tried to get the Fedora VM to talk to the Wazuh VM.

The problems I encountered

It was here the problems started, when I tried to ping the Wazuh VM from the Fedora VM and it failed.

I used ping to prove there was a connection between the two machines.

The web-based dashboard that I was trying to open in my Linux Mint VM was displaying a page not found.

After nearly an hour of reading the Wazuh documentation and using Google and Copilot, I found that I needed to open ports 443 and 1514 on the firewall.

I found it interesting that each of the Linux distros I was using had a different firewall and needed different commands to open ports and check the status of the firewall.

This is important because port 443 is for HTTPS, which allows access to the web dashboard, and port 1514 is the Wazuh default communication port between the agent and the manager.
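As an added illustration (not the author's own script, and not anything Wazuh ships), the following POSIX shell helpers cover the two steps described above: pointing the agent's .conf file at the manager, and checking that ports 1514 and 443 on the manager are reachable from the agent host, printing the distro-specific firewall command when they are not rather than running it. It assumes the agent config lives at /var/ossec/etc/ossec.conf with a MANAGER_IP placeholder inside the address element, and that Fedora uses firewalld while Mint uses ufw; both assumptions are marked in the comments.

```shell
#!/bin/sh
# Added example, not from the post. Assumptions (not stated in the post):
# the agent config is /var/ossec/etc/ossec.conf and ships with a MANAGER_IP
# placeholder inside <address>...</address>; Fedora uses firewalld, Mint uses ufw.

AGENT_CONF="${AGENT_CONF:-/var/ossec/etc/ossec.conf}"
WAZUH_PORTS="1514/tcp 443/tcp"   # agent-to-manager, and HTTPS for the dashboard

# Rewrite the <address> element of the agent config so it points at the manager.
# Usage: set_manager_address <config file> <manager ip>
set_manager_address() {
  conf="$1"; ip="$2"
  # Accept only a dotted-quad IPv4 address so a typo or stray shell text
  # cannot end up inside the config file.
  case "$ip" in
    *[!0-9.]*|'') echo "invalid manager address: $ip" >&2; return 1 ;;
  esac
  sed -i "s|<address>[^<]*</address>|<address>$ip</address>|" "$conf"
}

# Read the manager address back out of the config, to verify the edit took.
get_manager_address() {
  sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# Work out which firewall frontend this distro uses.
detect_firewall() {
  if command -v firewall-cmd >/dev/null 2>&1; then echo firewalld
  elif command -v ufw >/dev/null 2>&1; then echo ufw
  else echo none
  fi
}

# Print (do not run) the command that opens one port on a given firewall,
# so the change can be reviewed before it is applied as root.
# Usage: open_port_cmd <firewalld|ufw> <port/proto>
open_port_cmd() {
  case "$1" in
    firewalld) echo "firewall-cmd --permanent --add-port=$2 && firewall-cmd --reload" ;;
    ufw)       echo "ufw allow $2" ;;
    *)         echo "no supported firewall tool found ($1)" >&2; return 1 ;;
  esac
}

# Test whether a TCP port on the manager accepts connections from this host.
# Returns 0 when the connection succeeds, non-zero otherwise.
check_port() {
  host="$1"; port="$2"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
  else
    # Fallback for hosts without nc: bash's /dev/tcp (fails, i.e. "closed", on plain sh)
    (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
  fi
}

# Check every port the post needed and print the firewall fix for closed ones.
# Usage: check_manager <manager ip>
check_manager() {
  manager="$1"; fw=$(detect_firewall); status=0
  for p in $WAZUH_PORTS; do
    port=${p%/*}
    if check_port "$manager" "$port"; then
      echo "port $port on $manager: reachable"
    else
      fix=$(open_port_cmd "$fw" "$p" 2>/dev/null || echo "open $p in the manager's firewall")
      echo "port $port on $manager: NOT reachable; on the manager run: $fix"
      status=1
    fi
  done
  return $status
}

# Stand-alone use: ./wazuh_check.sh <manager ip>
if [ "${1:-}" ]; then check_manager "$1"; fi
```

Run the script on the agent VM with the manager's address as its only argument; the firewall commands it prints are for the manager side, where the inbound ports have to be allowed, and are shown rather than executed so they can be checked before being run as root.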

I restarted the agent on my Fedora VM and restarted the manager and dashboard on my Wazuh VM, and this seems to have solved the problem.

I opened the web dashboard on the Mint VM and managed to log in. The dashboard opened and it was on to the next problem.

The dashboard was saying that my Fedora VM was being seen but had never connected to the dashboard.

So after reading even more information online and following guides, I was unable to rectify the problem.

One article advised deleting the Fedora VM from Wazuh and reinstalling it. This may have worked, except that when I looked at the logs for the agent on Fedora, they were now saying that it couldn't connect because there was a duplicate name issue. After some more Googling I was not able to resolve the issue and decided to call it a day.

Lessons learnt and takeaways

I wouldn't say that this was a complete failure. The things I can take away from this are that I've learnt about:

1. The command line in Linux.

2. Logs in Linux. Even though it was very basic and minimal, I think logging is important as it's a great insight into issues on a machine, and looking at different logs is the best way to understand what's happening on a machine or piece of software.

3. It proves that even when you follow the installation guide, things can still go wrong.

Although this wasn't the outcome I was hoping for or expecting, I have at least learnt something from the experience, and it certainly hasn't stopped my journey into getting Wazuh to work on my home lab.

If any readers have tried to install Wazuh in a home lab, I'd be interested in hearing your experiences: whether it worked, or if you had issues and how you resolved them.

I have some screenshots of this experience which I will add at a later date.
