In this episode we build our SIEM and XRD tool, Wazuh. It's amazing!! We then install the Wazuh agent on our Kali virtual machine, our Docker server and our pfSense firewall. We then move onto our vulnerability scanner, Nessus.
I seem to have run into an issue that I need assistance with, please.
At 9:00 into the video we are installing dependencies onto our Docker server (Python3 etc.).
The first two commands entered with no issue; however, the 3rd command returned an error:
ERROR: Externally-Managed-Environment
There seem to be a few workarounds to counter this error; however, I would much prefer your guidance, @gerardobrien, if you would please.
Thank you for this fantastic resource also. As I'm sure it's been said many times before, we appreciate you sharing your knowledge and experiences with us all.
hey mate, are you running those commands as root?
@@gerardobrien Yes, absolutely. Followed your guide to a T.
If anyone has issues getting pfSense to send any data to the wazuh server, check the /var/ossec/etc/ossec.conf file and look at the section where you set the IP. Mine (agent version 4.7.5) had a UDP line in it which caused the agent to fail the connection due to the wazuh server expecting TCP. Comment out the line, restart the agent and it should spring into life.
I had the same issue and found this as a solution as well.
that worked for me too thnx
In addition to this, I needed to reboot the pfSense... thanks
Had the same issue, mine showed the agent but under never connected. Commented out the line mentioned above and voila, it worked! Thanks for posting the fix!
dude thank you
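As an added illustration of the agent/manager protocol mismatch described in the post above (this is example code, not from the video or from Wazuh): a small Python check that parses an agent's `<client><server>` block and the manager's `<remote>` block from ossec.conf and reports any agent entry whose transport the manager does not listen for. Both configuration fragments and the 10.10.10.20 address are constructed for the example, and treating an omitted `<protocol>` as TCP is an assumption.

```python
import xml.etree.ElementTree as ET

# Assumption for this example: an omitted <protocol> is treated as TCP.
DEFAULT_PROTOCOL = "tcp"

# Constructed agent fragment, shaped like the 4.7.5 pfSense case above:
# a UDP line sits under the manager IP in /var/ossec/etc/ossec.conf.
AGENT_CONF = """<ossec_config><client><server>
  <address>10.10.10.20</address><port>1514</port><protocol>udp</protocol>
</server></client></ossec_config>"""

# Constructed manager fragment: agent traffic is only accepted over TCP.
MANAGER_CONF = """<ossec_config><remote>
  <connection>secure</connection><port>1514</port><protocol>tcp</protocol>
</remote></ossec_config>"""


def agent_servers(conf_xml):
    """Return (address, port, protocol) for each <client><server> entry."""
    root = ET.fromstring(conf_xml)
    return [(s.findtext("address", "").strip(),
             int(s.findtext("port", "1514")),
             s.findtext("protocol", DEFAULT_PROTOCOL).strip().lower())
            for s in root.findall("./client/server")]


def manager_listeners(conf_xml):
    """Return {port: set(protocols)} for <remote> blocks carrying agent traffic."""
    root = ET.fromstring(conf_xml)
    listeners = {}
    for rem in root.findall("./remote"):
        if rem.findtext("connection", "").strip() != "secure":
            continue  # syslog listeners do not carry agent traffic
        port = int(rem.findtext("port", "1514"))
        protos = rem.findtext("protocol", DEFAULT_PROTOCOL).lower().split(",")
        listeners.setdefault(port, set()).update(p.strip() for p in protos if p.strip())
    return listeners


def find_mismatches(agent_xml, manager_xml):
    """Agent server entries whose transport the manager does not accept."""
    listeners = manager_listeners(manager_xml)
    return [(addr, port, proto) for addr, port, proto in agent_servers(agent_xml)
            if proto not in listeners.get(port, set())]


if __name__ == "__main__":
    for addr, port, proto in find_mismatches(AGENT_CONF, MANAGER_CONF):
        print(f"agent -> {addr}:{port} over {proto}; manager does not listen for it")
```

Removing the `<protocol>udp</protocol>` line from the agent fragment makes the check come back empty, which is the state the fix above leaves the agent in.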
I'm a huge fan of Wazuh. Deployed it myself and got it proxied behind my Cloudflare tunnel so I can access it anywhere. I get blown away by how much one can do with that. Awesome product and I'm glad to be able to watch you on your cyber homelab journey.
Yea it's really really good!! I definitely want to spend more time playing about with it, wanna ingest more and start building some dashboards!
I've deployed the Nessus and Wazuh servers in LXC containers. A bit less pain to deploy than full blown VMs and it's there by default in ProxMox. Works fine so far.
Is that one container, or do you spin it up on separate ones?
@@kylelaker539 Same approach as Gerard but with containers. So one container per software to keep things clean and light on resources vs full blown VMs.
@@MichelStumpf I might end up doing the same thing, I'll finish the video first. Thanks.
@@MichelStumpf On episode 4 about Caldera and Security Onion, are you also setting that up on LXC?
@@kylelaker539 Caldera is working on an LXC container but Security Onion is a standard Ubuntu VM. I tried on an LXC but there were plenty of issues with node and other dependencies I couldn't figure out at that time.
Building a cybersecurity lab based on your tutorials on my home server. Feeling happy that I have found your profile. 😊
That’s brilliant! As the lab goes on we’ll continue building and learning 😊
@@gerardobrien it's true!
Began the same project with friends and your videos are absolutely awesome
Thank you for uploading this kind of content and going into detail about every step. Can't wait to see what you do next!
Fantastic series, looking forward to episode 4!
it'll be online next week :)
@@gerardobrien patiently waiting and thank you
thoroughly enjoying this project !! looking forward to the next video !! cheers
Hey Gerard can't wait to see your next episode. I have been following you.
Should be online next week 😁 I'm on the way to Japan on my honeymoon 🥳
Looks like you are still on your honeymoon :) Enjoy :)
Next video will be online today 😆😆 sorry for the delay, I'm still holidaying 😬
@@gerardobrien I might be the first one to watch the new episode 4.
Wazuh can do security scans and provide all detected vulnerabilities on your machine. Not sure if you need Nessus after you configure Wazuh properly.
Yea I've a number of overlapping tools in the lab, just so I can play about with them.. but definitely keen to do more in Wazuh!! 😃
Hi, I've been following along pretty smoothly up until the Wazuh Docker containers. My Wazuh version is 4.8. I was wondering if you, Gerard, or anyone else have found a solution to the Docker listener not listening lol. I think the pip install is a bit funky but I can't seem to find any solutions online.
Hey mate, I've not tested Wazuh 4.8 yet, soon as I do I'll test this and get back to you
At 10:07 what keyboard shortcut do you use to align the XML you added to the conf file? Great video!
I am waiting on this too
Hey guys! If i'm honest I think i just used the spacebar to align them up.... then that part was edited out of the video :)
Having an issue where I can't see any security events after adding Kali & Ubuntu as agents
Hello Gerard, thanks for these tutorials. The new version of Wazuh does not have the GUI to enable the Docker listener. How do we enable that from the Wazuh server?
I was not able to enable docker listener on wazuh 4.8. I had to reinstall 4.7
Hey there, have you seen this documentation? documentation.wazuh.com/current/user-manual/capabilities/container-security/monitoring-docker.html#enable-wazuh-docker-listener
Awesome awesome awesome! My only question is, are you going to be simulating attacks so we can put these awesome tools to effect?
Yep.. next video we build caldera! It's coming this week 😁
@@gerardobrien I've never been this excited for an upcoming video since Avengers Endgame 😄
OPNsense has a plugin for Wazuh
This would make things a lot easier 👍
@gerardobrien can you please explain why VLAN 30 has 10.30.30.0/24? video time stamp 25:57 Thank you!
Apologies I think that was in error... VLAN 30 is using the subnet 10.10.30.0/24... 😊
@@gerardobrien thanks, I got confused when I saw that. I truly appreciate your feedback Sir🙏🏾
@@shadrachwilson1211 sorry for the confusion lol it's a learning moment 😬
Hi Gerard, I was wondering how many CPU or CPU cores you would expect the server to be using at any one time for this Cybersecurity Lab you're building.
Good question.. some of these machines are fairly heavy, therefore I might not power them all on at the same time. I've about 30 vCPUs available and honestly I think I'll max it out.
Wazuh 4.8 has a different dashboard than 4.7. I can't seem to locate the place to toggle on the Docker Listener. Is there something I'm missing?
I've not checked 4.8 yet, did you manage to find it?
It's on Server Management - Settings - Docker Listener
Please are you able to enable Wazuh docker listener dashboard?
I'm now able to fix the issue
Hey Gerard my pfSense is not connecting on wazuh after following your steps from 11:21 through 16:41.
Hey what errors are you getting?
Check wazuh-agent version you are using on pfSense. 4.7.5 has a UDP line where you set the server IP in /var/ossec/etc/ossec.conf. Comment/remove this line and restart the agent as the setup in this series has the wazuh server expecting a TCP connection.
great video
Getting an error when trying to install Wazuh. It says the OS is not one of the recommended OSes. I downloaded the same image as in your first video. It keeps getting stuck on "an external processing is using APT" and then keeps retrying. Any advice?
Oh really, maybe there's been an update? I'll test it and let you know if I get the same
built the prod-wazuh but gets to the same point and reboots and then stuck on 'booting from Hard Disk'
You building this on Proxmox? Or VMware?
on Proxmox
hi @gerardobrien this is a great series! I am definitely following along and see how this turns out.
I had trouble with the Wazuh web interface. It would often report "Wazuh dashboard service is not ready yet". With the help of ChatGPT it was eventually resolved by editing the wazuh-indexer.service, `sudo systemctl edit wazuh-indexer.service`, then adding the 2 lines:
```
[Service]
TimeoutStartSec=300
```
Then reload systemd: `sudo systemctl daemon-reload`
and restart the indexer: `sudo systemctl restart wazuh-indexer`
Hope this helps others. 🤷
Good tip! And good work figuring it out 💪
I followed all your directions and all my installed agents are stuck in "pending" status. I looked all over and am still having trouble with this. Can someone help me out?
Hey mate, if you connect to the wazuh server.. can you ping the other servers?
I followed all your steps but the docker listener ain't working. I've restarted my containers multiple times. I ran to check the status all is good
What error messages are you getting?
@@gerardobrien Doesn't seem that I'm getting errors. Using `sudo docker logs prod-dvwa`, for example, the logs look good but they're not being sent to Wazuh. I added the Docker listener snippet to the ossec.conf file. I can ping the hosts to each other. Not sure what else it can be, I'll just move on with the videos and maybe come back to this part
@@edgarvalenzuela3604 any solution yet? Having the same problem. 😢
Maybe I'm missing something, but when i enable the agent for the firewall, I'm seeing it in Wazuh, but it says it has never connected and if I select it I get told that it has been registered but not yet connected to the manager.
Hey, has your IP address for wazuh changed? Can you ping the firewall from the Wazuh server?
@@gerardobrien I can ping in both directions. The only change I've done is that I decided to use the class C address space instead of the class A addresses. When I check the Wazuh web interface and go to agents, it shows pfsense.home.arpa with an IP address of "any". The rest of the fields are blank and status says never connected. I'm getting closer though. At some point I had the firewall all messed up, but after restoring to a snapshot, I got to this. Is it possible that the first time I tried installing the agent on the firewall may have screwed something up server side, and then when I rolled back to a snapshot and tried again, the Wazuh server didn't like something?
Hmm, if I'm honest I'd delete the agent from Wazuh, then just probably rebuild the firewall.. shouldn't take that long and it'll save you trying to troubleshoot everything :)
I have exactly the same. Did you manage to get round this?
My ossec.conf file had a default protocol in. I removed that and the line below and all worked fine.
I am unable to SSH to the Wazuh VM.. just says connection refused
Never mind, I had the static IP set to .51 but the Kali box already had that IP.
To be honest I shouldn't have set static IP addresses in the DHCP scope range.. I'll fix that in the next episode 👍
How do I become a SOC Analyst?
CompTIA CySA+ is a good place to start learning, also keep an eye out for intern positions. Always a good way to get your foot in the door. Hope that helps :)
@@gerardobrien thanks
In terms of CS, I only have some experience in TryHackMe.
Thanks for sharing this video
@gerardobrien I built a deployment script you might be interested in!
Sounds good 😊 Is it on GitHub?
@@gerardobrien Yes, I'll message you