Skip to content

aniket2912/Wazuh-Soc-Lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

5 Commits
Brute force log analysis using wazuh.pdf
Brute force log analysis using wazuh.pdf
Β 
Β 
README.md
README.md
Β 
Β 

Repository files navigation

Wazuh Setup and Usage Guide

πŸ“Œ Overview

Wazuh is an open-source Security Information and Event Management (SIEM) tool that provides:

  • Log analysis
  • File Integrity Monitoring (FIM)
  • Intrusion Detection System (IDS)
  • Threat intelligence integration
  • Incident response and compliance reporting

This guide documents the setup, configuration, and usage of Wazuh in a lab environment with:

  • Wazuh Server (10.136.195.223)
  • Windows 11 Agent (10.136.195.254)
  • Kali Linux Attacker (10.136.195.74)

βš™οΈ Installation

Wazuh Server (Linux VM)

  1. Install Wazuh server:

    curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
sudo bash wazuh-install.sh -a

  2. Start services:

    sudo systemctl enable --now wazuh-manager

Wazuh Agent (Windows 11)

  1. Download Wazuh agent MSI installer from:

    Wazuh Downloads -- https://wazuh.com/install/

  2. Install and configure ossec.conf:

    <client>
<server>
   <address>10.136.195.223</address>
   <port>1514</port>
   <protocol>tcp</protocol>
</server>
</client>

  3. Register the agent with Wazuh server.

πŸ” File Integrity Monitoring (FIM)

Enable and configure in ossec.conf:

<syscheck>
 <disabled>no</disabled>
  <frequency>43200</frequency>
   <directories realtime="yes">C:\Users\Public\</directories>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
</syscheck>

Detects unauthorized file or registry changes.

Alerts appear in Wazuh Dashboard β†’ Security Events.

Log Monitoring (Apache / IIS)

To monitor DVWA (installed on Windows with XAMPP):

<localfile>
 <location>C:\xampp\apache\logs\access.log</location>
 <log_format>apache</log_format>
</localfile>

<localfile>
 <location>C:\xampp\apache\logs\error.log</location>
 <log_format>apache</log_format>
</localfile>

This lets Wazuh detect web attacks (SQLi, XSS, brute force).

πŸ›‘οΈ Attack Simulation

Using Kali Linux:

  1. Perform SQL Injection on DVWA:

    ' OR 1=1 --

  2. Perform Brute Force with Hydra:

    hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.136.195.254 http-get /dvwa/login.php

  3. Perform XSS:

    <script>alert('XSS')</script>

Wazuh Detection:

  1. Alerts generated in

    /var/ossec/logs/alerts/alerts.json on server.

  2. Also visible in

    Wazuh Dashboard β†’ Security Events.

πŸ“Š Features Tested

βœ… Agent connectivity (Windows ↔ Wazuh Server)

βœ… File Integrity Monitoring (FIM)

βœ… Apache Log monitoring (DVWA attacks)

βœ… SIEM correlation with attack logs

βœ… Alert visualization in Wazuh Dashboard

πŸ“š Wazuh References

Wazuh Official Website

Wazuh Documentation

Wazuh GitHub Repository

Wazuh Installation Guide

Wazuh Agent Documentation

File Integrity Monitoring (FIM) with Wazuh

Log Data Collection

Threat Detection and Response

Wazuh Forum (Community Support)

About

Hands-on Wazuh SIEM lab with Windows agent, attack simulations, and file integrity monitoring.

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published