curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
le logiciel va automatiquement installer indexer, server et dashboard Le mot de passe administrateur sera donner a la fin de l'isntallation, `n'oubliez pas de le noter`
<ossec_config> <global> <email_notification>yes</email_notification> <smtp_server>localhost</smtp_server> <email_from>wazuh@votredomaine.com</email_from> <email_to>destinataire@votredomaine.com</email_to> <email_maxperhour>12</email_maxperhour> </global> </ossec_config>
<ossec_config> <alerts> <email_alert_level>10</email_alert_level> </alerts> </ossec_config>
Voici des champs intéressants à activer: data.win.eventdata.targetUserName, data.win.eventdata.subStatus, data.win.system.systemTime.
Windows: type d'échec (0xC0000064 = user inconnu, 0xC000006A = mauvais mot de passe).
./wazuh-agent-4.7.3-1.msi /q WAZUH_MANAGER='addresse.ip.du.server' WAZUH_AGENT_NAME='CHANGE_MOI' WAZUH_REGISTRATION_SERVER='addresse.ip.du.server'
NET START Wazuh_
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.3-1_amd64.deb && sudo WAZUH_MANAGER='addresse.ip.du.server' WAZUH_AGENT_NAME='CHANGE_MOI' dpkg -i ./wazuh-agent_4.7.3-1_amd64.deb_
sudo systemctl daemon-reload sudo systemctl enable wazuh-agent sudo systemctl start wazuh-agent
Pour ajouter un certificat ssl
chmod 500 /etc/wazuh-dashboard/certs chmod 400 /etc/wazuh-dashboard/certs/* chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
nano /etc/wazuh-dashboard/opensearch_dashboards.yml
Et rajouter ceci:
opensearch.ssl.verificationMode: none server.ssl.enabled: true server.ssl.key: "/etc/wazuh-dashboard/certs/srv-sec1.company.lan.pem" server.ssl.certificate: "/etc/wazuh-dashboard/certs/srv-sec1.company.lan.crt" opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/company-ca.crt"]