
From OVA to Rocky: My Wazuh Upgrade Story

 

In this blog post I will be covering something I covered in a previous post, but since then I have changed my home lab and moved my Wazuh SIEM onto a standalone Rocky Linux instance. There are several reasons I chose to do this:

  • Performance & Scalability: The OVA VM is a pre-built virtual machine that may not be optimized for high availability or scalability. A dedicated instance on Rocky Linux allows for better resource allocation and tuning.
  • Customization & Flexibility: The OVA VM comes with predefined configurations. Running Wazuh on Rocky Linux gives you full control over system settings, security policies, and software updates.
  • Compatibility & Stability: Rocky Linux is a stable, enterprise-grade OS, and Wazuh has been tested for compatibility with newer versions like Rocky Linux 9.3. This ensures long-term support and reliability.
  • Security & Isolation: A dedicated instance provides better security isolation compared to a shared virtualized environment. You can implement stricter access controls and security hardening.
  • Better Resource Management: Running Wazuh on a dedicated Rocky Linux instance allows for fine-tuned resource allocation, avoiding potential performance bottlenecks that may arise in a virtualized environment.

To achieve this, I decided to use the assisted installation as it is an all-in-one solution and installs everything you need to run Wazuh.

Installation steps

Firstly, I downloaded the image file for Rocky Linux from the official website (https://rockylinux.org/).

I then created a VM in VirtualBox with a 70 GB hard drive, 8 GB of RAM and 3 processors.

The picture above shows the VirtualBox setup screen for my Rocky Linux Wazuh virtual machine.

I installed the Rocky image and set up the administrator password and the user accounts.

The picture above shows the start of the installation process; the next screen is where you set up the admin and user accounts and passwords.

Once the machine was booted, I followed the instructions on the Wazuh website for an assisted installation (https://documentation.wazuh.com/current/installation-guide/wazuh-server/installation-assistant.html).


The picture above shows the Wazuh assisted installation page. I just copied and pasted these commands into the terminal on my Rocky Linux VM.

Following the command line prompts from the installation guide, the installer creates all the certificates, and the login details for the web dashboard are shown at the end of the installation. It does take some time, so be patient while everything installs.

The picture above shows the command line in Rocky Linux, and in particular the completed installation of Wazuh with the username and password generated as part of the installation process.

It is worth noting these down: I forgot and had to change the password. Changing it is not a big job, but it is a hassle to go through if you don't need to.

Once the installation was complete, I logged in to the web dashboard and booted up my endpoints (Linux Mint, Fedora, elementary OS and Zorin OS).

Zorin OS required no set-up and was seen by the dashboard straight away; the other endpoints had a few issues with IP address discrepancies in the configuration file. I decided to start from scratch and followed the prompts on the web dashboard for adding a new endpoint: it generates the commands to copy and paste into the command line and writes the configuration file at the same time. It only took a few minutes to add the other three endpoints this way.
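As an added example (not code from the post or from the Wazuh project), here is a small Python check for the IP discrepancy described above: it parses an agent's ossec.conf and reports where the configured manager address, port or protocol differs from the new server's. The sample config and its IP addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): an agent ossec.conf still pointing at the old manager IP.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>192.168.1.50</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
"""


def parse_agent_servers(xml_text):
    """One dict per <client><server>. A real ossec.conf may contain several top-level
    <ossec_config> blocks, so wrap it in a synthetic root to make it parseable."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    servers = []
    for srv in root.findall(".//client/server"):
        servers.append({
            "address": (srv.findtext("address") or "").strip(),
            "port": (srv.findtext("port") or "1514").strip(),      # Wazuh default port
            "protocol": (srv.findtext("protocol") or "tcp").strip().lower(),
        })
    return servers


def check_manager_address(xml_text, expected_addr, expected_port="1514", expected_proto="tcp"):
    """Return a list of findings; an empty list means the agent config matches the manager."""
    findings = []
    servers = parse_agent_servers(xml_text)
    if not servers:
        return ["no <client><server> block found"]
    for s in servers:
        if s["address"] != expected_addr:
            findings.append(f"address {s['address']} != expected {expected_addr}")
        if s["port"] != expected_port:
            findings.append(f"port {s['port']} != expected {expected_port}")
        if s["protocol"] != expected_proto:
            findings.append(f"protocol {s['protocol']} != expected {expected_proto}")
    return findings


if __name__ == "__main__":  # real use: read /var/ossec/etc/ossec.conf and pass the new manager IP
    print(check_manager_address(SAMPLE_OSSEC_CONF, "192.168.1.60"))
```

Run it against each endpoint's ossec.conf before restarting the agent; an empty list means the agent is pointed at the right manager.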

The picture above shows the web dashboard where I clicked the Deploy new agent button and followed the on-screen prompts for enrolling my Linux endpoints in the Wazuh dashboard.

Another issue I had was that I couldn't copy and paste between my VMs. There is a setting in VirtualBox that allows this, but I think something in the Linux clipboard also needs setting up. A quick fix was to log in to the web dashboard from each machine and generate the command required for that specific machine.
