
Wazuh Security Monitoring

Install Wazuh for centralized log analysis, intrusion detection, and security monitoring on Linux servers

Wazuh is an open-source SIEM (Security Information and Event Management) platform. It collects and analyzes logs from your servers, detects intrusions, monitors file integrity, and alerts on suspicious activity.

Architecture

  • Wazuh Manager, central server that receives data from agents, runs the ruleset against it, and generates alerts
  • Wazuh Indexer, OpenSearch-based store for alerts and events; this is the component that needs the RAM
  • Wazuh Agent, lightweight daemon installed on each server to monitor (10-30 MB RAM)
  • Wazuh Dashboard, web UI based on OpenSearch Dashboards that searches the Indexer (optional)

For a VPS with limited RAM, run the Manager, Indexer and Dashboard together (the "all-in-one" install) on a dedicated monitoring server with at least 4 GB RAM, and install only the lightweight Agent on each server you want to monitor. Agents talk to the Manager over TCP 1514 and enroll over TCP 1515; nothing on a monitored server needs to reach the Indexer or the Dashboard.


Option A: Agent only (monitor existing servers)

If you already have a Wazuh Manager elsewhere, just install the agent:

# Import the Wazuh repository signing key and pin the repository to it (signed-by),
# so apt only accepts packages from this source that carry that signature
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | \
  sudo tee /etc/apt/sources.list.d/wazuh.list

sudo apt update
sudo apt install wazuh-agent -y

Configure the agent to point to your manager. (The package also accepts the address at install time: running the apt install with WAZUH_MANAGER="MANAGER_IP" in the environment writes it into the config for you, which is handy when scripting many servers.)

sudo nano /var/ossec/etc/ossec.conf

Set the manager IP in the <server> block, which lives inside the <client> section; leave the other <client> settings as they are:

<client>
  <server>
    <address>MANAGER_IP</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
</client>

Register the agent with the manager's enrollment service (TCP 1515) and start it:

sudo /var/ossec/bin/agent-auth -m MANAGER_IP
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

By default the enrollment service accepts any host that can reach port 1515, so anyone who can connect can register a bogus agent and start feeding the manager events. Before exposing the port, require a shared secret: on the manager set <auth><use_password>yes</use_password></auth> in ossec.conf and put the secret in /var/ossec/etc/authd.pass, then pass it from each agent with agent-auth -m MANAGER_IP -P 'SECRET'. Once an agent shows as active on the manager it keeps its own key, so the registration port can be firewalled off again between rollouts.

Option B: Full stack installation

Install the Manager, Indexer, and Dashboard on one dedicated server (minimum 4 GB RAM, 8 GB recommended) using the assisted installer in all-in-one mode:

curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh
sudo bash wazuh-install.sh -a

The -a flag installs all three components on the local host and wires them together with generated TLS certificates and passwords; it does not use config.yml, which only exists for the distributed (multi-node) installation, where it lists the nodes and their addresses. At the end the script prints the admin password. The same passwords, together with the generated certificates, are saved in wazuh-install-files.tar in the directory you ran the script from: move that file somewhere safe, or delete it once you have recorded the credentials, because anyone who can read it owns the stack.

The full installation takes 10-20 minutes and requires internet access. The installer refuses to run on a host below the minimum hardware unless you override the check with -i, which is not recommended.


Access the dashboard

After full installation, open:

https://your-server-ip

The admin credentials are printed at the end of the install script (and kept in wazuh-install-files.tar). Change the password right after first login with the wazuh-passwords-tool.sh script, which updates the Indexer user together with the credential the other components use to reach it, and restrict who can reach port 443 (VPN or allowlisted admin IPs) rather than leaving the login page on the public internet.


What Wazuh monitors by default

Feature                   What it does
Log analysis              Parses the files listed as <localfile> entries in the agent's ossec.conf; /var/log/syslog and /var/log/auth.log are there by default, Nginx/Apache logs have to be added
File integrity (FIM)      Alerts when files under /etc, /usr/bin, /usr/sbin, /bin, /sbin and /boot change (the default syscheck directories)
Rootkit detection         rootcheck scans for known rootkits, hidden processes and hidden ports
Vulnerability detection   Cross-references each agent's installed packages against CVE feeds on the manager
Brute force detection     Frequency rules fire on repeated SSH/FTP/web authentication failures from one source IP
Policy compliance         Security Configuration Assessment (SCA) runs CIS benchmark checks against the host (enabled by default on agents)

Firewall rules

On the Wazuh Manager server, open only what agents and admins actually need:

sudo ufw allow 1514/tcp   # agent-to-manager event stream
sudo ufw allow 1515/tcp   # agent enrollment (close again once all agents are registered)
sudo ufw allow 443/tcp    # dashboard (HTTPS); restrict to admin IPs or a VPN if you can

Do not open the Indexer (9200) or the Wazuh API (55000) with a blanket allow rule: an unrestricted ufw allow 9200/tcp exposes the OpenSearch API, and everything stored in it, to the whole internet. On an all-in-one host the dashboard reaches both over localhost and no rule is needed at all. In a distributed setup, allow them only from the specific peers, for example sudo ufw allow from DASHBOARD_IP to any port 9200 proto tcp, and do the same for 1514/1515 if your agents live in a known subnet (e.g. sudo ufw allow from 10.0.0.0/24 to any port 1514 proto tcp).

Agent status and management

On the Manager:

# List all agents
sudo /var/ossec/bin/manage_agents -l

# Restart the manager
sudo systemctl restart wazuh-manager

# View alerts in real time
sudo tail -f /var/ossec/logs/alerts/alerts.log

On an agent:

# Check agent status
sudo systemctl status wazuh-agent

# View agent logs
sudo tail -f /var/ossec/logs/ossec.log

Custom rules

Add custom detection rules in /var/ossec/etc/rules/local_rules.xml (custom rule IDs must be in the 100000-120000 range so they never collide with the stock ruleset). This rule raises any failed password for root to level 10:

<group name="custom,">
  <rule id="100001" level="10">
    <if_sid>5760</if_sid>
    <match>Failed password for root</match>
    <description>SSH authentication failure for the root account</description>
    <group>authentication_failed,pci_dss_10.2.4,gpg13_7.1,</group>
  </rule>
</group>

The parent rule matters: rule 5710 only matches attempts against non-existent users ("Invalid user ..."), so a rule chained to it never sees a failure for root, which is an existing account. Chain it to the stock "sshd: authentication failed" rule instead (5760, the same rule whose repeats feed the brute-force rule 5763 used below). A single failed password is not yet brute force; leave the counting to 5763, or give your own rule frequency="N" timeframe="S" with <if_matched_sid> and <same_srcip /> so it only fires on repeats from one source.

There is no reload: the manager loads rules at startup, and wazuh-control (the 4.x name for ossec-control) only knows start/stop/restart/status. Check the rule first by pasting a real auth.log line into wazuh-logtest, which prints the decoded fields and the rule ID the line ends up in, then restart the manager:

sudo /var/ossec/bin/wazuh-logtest
sudo systemctl restart wazuh-manager
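As an added illustration (not code from this page or from Wazuh, whose engine is C) of what the chain of stock rule, custom child rule and frequency rule does, the following Python script runs the same logic over a constructed auth.log excerpt: a decoder stand-in extracts dstuser and srcip, a single-event classifier reports the most specific matching rule, and a composite rule counts failures per source inside a sliding timeframe. The regex, the threshold of 5 failures in 120 seconds, the rule ID 100002 and the sample log lines are assumptions for the example; the stock brute-force thresholds are whatever your ruleset says, not these.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not a real capture): an auth.log excerpt during a password-guessing run.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  4 10:15:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  4 10:15:04 web1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
Mar  4 10:15:06 web1 sshd[2207]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar  4 10:15:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51028 ssh2
Mar  4 10:15:12 web1 sshd[2211]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
Mar  4 10:15:15 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  4 10:20:40 web1 sshd[2290]: Failed password for alice from 198.51.100.7 port 40020 ssh2
"""

# Decoder stand-in: pull timestamp, target user and source IP out of an sshd failure line,
# the same fields Wazuh's sshd decoder exposes as dstuser and srcip.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<dstuser>\S+) from (?P<srcip>\S+) port \d+"
)

# Assumed thresholds for this example; they are not the values in Wazuh's stock ruleset.
FREQUENCY = 5    # failures from one source ...
TIMEFRAME = 120  # ... within this many seconds


def decode(line):
    """Return the decoded fields of an sshd 'Failed password' line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only differences between timestamps matter here
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "invalid": bool(m["invalid"]), "dstuser": m["dstuser"], "srcip": m["srcip"]}


def classify(event):
    """Single-event rule: as in Wazuh, only the most specific matching rule is reported."""
    if event["invalid"]:
        return ("5710", 5, "sshd: Attempt to login using a non-existent user")
    if event["dstuser"] == "root":
        return ("100001", 10, "SSH authentication failure for the root account")  # the local rule
    return ("5760", 5, "sshd: authentication failed")


class BruteForceDetector:
    """Composite rule: frequency/timeframe/same_srcip over the single-event matches."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.failures = defaultdict(deque)  # srcip -> timestamps of failures still inside the window

    def feed(self, line):
        """Process one log line; return the list of (rule_id, level, description) alerts it raises."""
        event = decode(line)
        if event is None:
            return []
        alerts = [classify(event)]
        window = self.failures[event["srcip"]]
        window.append(event["ts"])
        while window and event["ts"] - window[0] > self.timeframe:
            window.popleft()  # forget failures older than the timeframe
        if len(window) >= self.frequency:
            alerts.append(("100002", 10,
                           f"SSH brute force from {event['srcip']}: "
                           f"{len(window)} failures within {self.timeframe.seconds}s"))
            window.clear()  # simplification: report each burst once rather than on every further failure
        return alerts


def run(log_text, **thresholds):
    """Run the detector over a whole log text and return every alert in order."""
    detector = BruteForceDetector(**thresholds)
    alerts = []
    for line in log_text.splitlines():
        alerts.extend(detector.feed(line))
    return alerts


if __name__ == "__main__":
    for rule_id, level, description in run(SAMPLE_AUTH_LOG):
        print(f"rule {rule_id} level {level}: {description}")
```

Running it shows the five root failures from 203.0.113.5 each hit the local rule, the fifth one also trips the composite rule, while the two failures from 198.51.100.7 are more than 120 seconds apart and never do. Change FREQUENCY or TIMEFRAME and rerun to see how the stock-style counting behaves before you tune the real thresholds or hang an active response on them.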

Active response (auto-block IPs)

Wazuh can automatically block IPs that trigger rules. In the manager's ossec.conf (the firewall-drop command itself is already defined among the default <command> entries):

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5763</rules_id>
  <timeout>600</timeout>
</active-response>

When rule 5763 (sshd brute force) fires, the agent that produced the alert (location "local"; "server" would run the command on the manager, "all" on every agent) drops traffic from the alert's source IP with iptables and removes the rule again after 600 seconds.

Test active response carefully: a misconfiguration can block legitimate traffic, including your own IP. Before enabling it, add your management addresses as <white_list> entries in the <global> section of the manager's ossec.conf (addresses listed there are never blocked by active response), make sure you have out-of-band console access to the host, and watch /var/ossec/logs/active-responses.log on the agent during the first hours.
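To see what a response script actually receives and where an allowlist check belongs, here is an added example (not the stock firewall-drop script and not code from this page): a stateless Python script shaped like a Wazuh 4.x custom active-response command. The JSON message is constructed to carry the fields execd passes on stdin (command plus parameters.alert), the allowlist networks are assumptions, and the script only assembles the iptables command; running it is gated behind the main guard. Stock stateful scripts additionally exchange a check_keys request and a continue/abort reply with execd before acting, which is omitted here.

```python
import ipaddress
import json
import subprocess
import sys

# Assumed allowlist for the example: loopback, the management subnet and the admin's static IP.
# Anything in here is never blocked, whatever the alert says.
ALLOWLIST = ["127.0.0.0/8", "::1/128", "10.0.0.0/24", "192.0.2.10/32"]


def build_sample_message(command="add", srcip="203.0.113.5"):
    """Constructed stand-in for the JSON execd hands to an active-response script on stdin."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,  # "add" when the rule fires, "delete" when the timeout expires
        "parameters": {
            "extra_args": [],
            "alert": {
                "rule": {"id": "5763", "level": 10,
                         "description": "sshd: brute force trying to get access to the system."},
                "data": {"srcip": srcip, "dstuser": "root"},
            },
            "program": "active-response/bin/block-unless-allowlisted.py",  # hypothetical script name
        },
    })


def is_allowlisted(ip, allowlist=ALLOWLIST):
    """True if ip falls inside any allowlisted network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def decide(raw_message, allowlist=ALLOWLIST):
    """Return (action, ip, argv): action is 'block', 'unblock' or 'skip'; argv is the firewall command."""
    msg = json.loads(raw_message)
    command = msg.get("command")
    srcip = msg.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip", "")
    try:
        addr = ipaddress.ip_address(srcip)  # validate before the value goes anywhere near a command line
    except ValueError:
        return ("skip", srcip, [])
    if is_allowlisted(str(addr), allowlist):
        return ("skip", srcip, [])
    tool = "ip6tables" if addr.version == 6 else "iptables"
    if command == "add":
        return ("block", srcip, [tool, "-I", "INPUT", "-s", srcip, "-j", "DROP"])
    if command == "delete":
        return ("unblock", srcip, [tool, "-D", "INPUT", "-s", srcip, "-j", "DROP"])
    return ("skip", srcip, [])


if __name__ == "__main__":
    # execd writes one JSON object per line; when run by hand on a terminal, use the sample instead
    raw = sys.stdin.readline() if not sys.stdin.isatty() else build_sample_message()
    action, ip, argv = decide(raw)
    print(f"{action} {ip} {' '.join(argv)}".strip(), file=sys.stderr)
    if argv:
        subprocess.run(argv, check=False)  # argv is a list, so the IP string is never parsed by a shell
```

The two checks worth copying into any custom response are the ones that do not depend on the allowlist: the source address is parsed with ipaddress before it is used, so a malformed or injected value from alert data is dropped rather than handed to iptables, and the command is built as an argv list rather than a shell string.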


Upgrade agents

An agent must never run a newer version than its manager (newer agents are not supported by an older manager), so upgrade the manager first. Because the Wazuh apt repository stays enabled on every agent host, a routine apt upgrade there can pull a newer agent by accident; hold the package (sudo apt-mark hold wazuh-agent) or disable the repository between planned upgrades, and unhold it only when you deliberately upgrade:

sudo apt update && sudo apt install --only-upgrade wazuh-agent -y
sudo systemctl restart wazuh-agent

Useful log paths

File                                    Description
/var/ossec/logs/alerts/alerts.log       All security alerts, human-readable
/var/ossec/logs/alerts/alerts.json      The same alerts as JSON (what is shipped to the Indexer)
/var/ossec/logs/ossec.log               Manager/agent operational log (connection problems, decoder and rule loading errors)
/var/ossec/logs/active-responses.log    Active response actions taken on this host
