Building a home Lab : Deploying Wazuh - an Extended Detection and Response tool

Moses Msukwa

In this article, we will deploy an Extended Detection and Response (XDR) tool on the home lab infrastructure. We will deploy Wazuh in the Servers VLAN. Wazuh is an open-source security monitoring platform that provides extended detection and response (XDR) and SIEM functionality. Wazuh provides a centralized platform for monitoring and managing security events across the organization’s IT infrastructure.

Wazuh collects, analyzes, and correlates log data from different sources, such as endpoints, network devices, firewalls, proxy servers, and cloud instances. Once the logs are collected, Wazuh gives the security team several capabilities: file integrity monitoring, malware detection, vulnerability detection, command monitoring, system inventory, threat hunting, security configuration assessment, and incident response.

The core components of Wazuh

Wazuh is made up of three main parts: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. In addition, the Wazuh agent is installed on each endpoint that needs to be monitored.

The Wazuh server: this central component manages the agents and analyzes the data received from them. It also collects logs from sources such as hosts, network devices, firewalls, proxy servers, and syslog servers.

Deploying Wazuh on Ubuntu

We will install Wazuh in the Servers VLAN on one of the Ubuntu servers. The Ubuntu server has been assigned the IP address 192.168.1.2. There are two ways of deploying Wazuh. The first option is to install Wazuh in cluster mode, which requires more resources in terms of servers. The second option is to install Wazuh on a single server. In our case we will go with the second option, as we only have a single server. The Wazuh website provides a clear guide on the installation process.

Accessing Wazuh

After installing Wazuh, we access the Wazuh dashboard by browsing to 192.168.1.2. After logging in successfully, we are presented with the dashboard home page, as shown below.

Deploying Wazuh Agents

Wazuh agents are deployed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. The Wazuh website provides a clear guide on the installation process. In our case, we will deploy an agent on our Windows laptop.

To deploy the agent, we log in to our Wazuh server through the browser using the IP address 192.168.1.2. From the menu items on the home page, we select “Endpoints summary” and click the “Deploy new agent” button.

On the deployment form shown below, we select Windows, as we will deploy the agent on the Windows machine.

We enter the desired agent name, “Home-Laptop”. We are then provided with the commands to run to install and start the agent on our machine.

To deploy the agent on our laptop, we open PowerShell as an administrator and run the copied commands.

After installing the agent, we go back to the server to check whether the agent is live and appears in our Wazuh dashboard. Below are screenshots of the agent live on the Wazuh dashboard.
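The agent deployment above as a single script, added here as an example and not the commands generated by the Wazuh dashboard wizard: it installs the agent, points it at the lab server at 192.168.1.2 with the agent name Home-Laptop, and then verifies that the service is running and that the configuration references the server. The MSI version is a placeholder to be replaced with the version shown by the wizard.

```powershell
# Added example (not the wizard's own commands). Run from an elevated PowerShell session.
# Assumption: $Version is a placeholder; use the version the "Deploy new agent" wizard shows.
$Manager   = '192.168.1.2'        # Wazuh server in the Servers VLAN
$AgentName = 'Home-Laptop'        # agent name entered in the wizard
$Version   = '<AGENT_VERSION>'    # placeholder, e.g. the version from the wizard
$MsiUrl    = "https://packages.wazuh.com/4.x/windows/wazuh-agent-$Version-1.msi"
$MsiPath   = Join-Path $env:TEMP 'wazuh-agent.msi'

# 1. Download the installer over HTTPS.
Invoke-WebRequest -Uri $MsiUrl -OutFile $MsiPath

# 2. Silent install. WAZUH_MANAGER and WAZUH_AGENT_NAME are properties accepted
#    by the Wazuh agent MSI.
$msiArgs = "/i `"$MsiPath`" /q WAZUH_MANAGER=`"$Manager`" WAZUH_AGENT_NAME=`"$AgentName`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# 3. Start the agent service and confirm it is running.
#    The laptop must be able to reach the server on TCP 1514 (events) and 1515
#    (enrollment); allow this across VLANs on the lab firewall.
Start-Service -Name WazuhSvc
$svc = Get-Service -Name WazuhSvc
if ($svc.Status -ne 'Running') { throw "WazuhSvc is $($svc.Status), expected Running" }

# 4. Confirm the agent configuration points at the lab server.
$conf = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent\ossec.conf'
if (-not (Select-String -Path $conf -Pattern "<address>$Manager</address>" -Quiet)) {
    throw "ossec.conf does not reference manager $Manager"
}
Write-Host "Wazuh agent '$AgentName' installed and running, reporting to $Manager"
```

On the Ubuntu server, `sudo /var/ossec/bin/agent_control -lc` lists the agents currently connected, which is the command-line equivalent of the dashboard check described above.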

Following the same process, we can now deploy another agent on our Microsoft server, on which we will later deploy Active Directory for the home lab.

Regards !!!!!!


Written by Moses Msukwa

I am a software developer from Malawi. Skilled in Android and web apps.