Wazuh On-Prem Installation for a Single-Node (All-in-One) Made Easy: Complete SIEM Setup Walkthrough
Samuel Adeduntan


Publish Date: Aug 21

What is a SIEM Tool?

SIEM stands for Security Information and Event Management.

A SIEM collects and analyses logs from across an organization's IT estate so that analysts can detect, investigate, and respond to security threats.

What it does:

  • Collects events from servers, firewalls, endpoints, applications, cloud services, and other sources.
  • Correlates events: looks for suspicious patterns or anomalies across the data, such as repeated failed logins from one source or unusual data transfers.
  • Alerts security teams when a possible threat is identified.
  • Supports compliance: retaining and reviewing security logs is required by frameworks such as ISO 27001, HIPAA, and PCI DSS.
  • Integrates with Security Orchestration, Automation, and Response (SOAR) tooling in some products to automate parts of incident response.

SIEM tool examples:

Commercial: ArcSight, Microsoft Sentinel, IBM QRadar, and Splunk.

Open-source: Wazuh, OSSIM, and SIEMonster.

To put it succinctly, a SIEM platform serves as the brains of cybersecurity monitoring, providing security professionals with insight into risks and facilitating quicker reaction times.
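The correlation step in the list above is easiest to see on real-looking data. The script below is an added example, not part of the original post and not a Wazuh rule: it does with awk what a brute-force rule in a SIEM does, counting failed sshd logins per source address and escalating the severity when a successful login follows the failures from the same address. The log lines are constructed for the example, and the three-attempt threshold is an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added example: the correlation step of a SIEM, done by hand with awk.
# A Wazuh rule does the equivalent on sshd events; this only shows the logic.
set -eu

# Constructed sample of sshd syslog lines (not real data). 203.0.113.7 fails
# four times and then succeeds, the pattern a brute-force-then-success rule
# should raise as high severity. 192.0.2.10 fails once; 198.51.100.5 only succeeds.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 21 10:00:01 wazuh sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug 21 10:00:03 wazuh sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Aug 21 10:00:05 wazuh sshd[1203]: Failed password for analyst from 203.0.113.7 port 51130 ssh2
Aug 21 10:00:06 wazuh sshd[1203]: Failed password for analyst from 203.0.113.7 port 51131 ssh2
Aug 21 10:00:09 wazuh sshd[1205]: Accepted password for analyst from 203.0.113.7 port 51140 ssh2
Aug 21 10:01:00 wazuh sshd[1210]: Failed password for analyst from 192.0.2.10 port 40000 ssh2
Aug 21 10:02:00 wazuh sshd[1212]: Accepted publickey for analyst from 198.51.100.5 port 42000 ssh2
EOF

# ssh_bruteforce_report LOGFILE THRESHOLD
# Prints one line per source IP with at least THRESHOLD failed logins:
#   <ip> failed=<n> accepted=<yes|no> severity=<high|medium>
# accepted=yes means a successful login followed the failures from that IP.
ssh_bruteforce_report() {
    awk -v thr="$2" '
        function src_ip(   i) {            # the token after "from" is the client IP
            for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password/ { failed[src_ip()]++; next }
        /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
            ip = src_ip()
            if (ip in failed) accepted[ip] = 1   # success after failures: likely compromise
        }
        END {
            for (ip in failed) {
                if (failed[ip] < thr) continue
                ok  = (ip in accepted) ? "yes"  : "no"
                sev = (ip in accepted) ? "high" : "medium"
                printf "%s failed=%d accepted=%s severity=%s\n", ip, failed[ip], ok, sev
            }
        }' "$1" | sort
}

# Stand-alone run: report every source with 3 or more failures.
ssh_bruteforce_report "$SAMPLE_LOG" 3
```

A source that only ever logs in successfully never appears in the report, and a source below the threshold is dropped even if it eventually succeeded; a real rule set would also bound the time window, which this awk pass does not.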

What you need to build:

A single host running all central Wazuh components (manager, indexer, and dashboard) using the wazuh-docker single-node deployment, with at least one Linux and/or Windows agent reporting in. This is the fastest supported way to stand up Wazuh for labs and small to medium deployments.

Installation requirements

Wazuh is resource-hungry, so check the following before you start:

  • RAM: the VM in this walkthrough is given 6 GB, so the host machine needs 6 GB free on top of what it already uses (a 16 GB host is comfortable).
  • Disk: put the VM on SSD-backed storage; the indexer is I/O heavy and will be slow on a spinning disk.
  • Network: a good, fast Internet connection, because the Ubuntu ISO and the Wazuh Docker images are large downloads.
  • OS host (bare metal or virtual machine): Debian 11/12, Rocky/Alma/RHEL 8/9, Ubuntu 22.04/24.04 LTS, etc. This walkthrough uses Ubuntu Server 22.04 LTS.
  • Starting size: around 4 vCPU, 8–16 GB RAM, and 50–200 GB SSD, depending on event volume and retention.
  • Network/DNS: a resolvable hostname or a static IP address, so agents and your browser can reach the server reliably.

Ubuntu Server Installation

Ubuntu Server is a free and open-source operating system designed for servers, cloud computing, and virtualization. It offers a robust and reliable platform for deploying various types of servers, with benefits including security, reliability, scalability, and customizability.

Overview of the installation phases

  • Install a dedicated server running Ubuntu Server.
  • Install Docker (and Docker Compose) on it.
  • Deploy the Wazuh components as Docker containers.
  • Enroll agents (the individual PCs and laptops in the organization) with the Wazuh manager for monitoring.
  • Configure the Wazuh dashboard.

1. Download of Ubuntu Server

  • Open a web browser and search for "Ubuntu server download", or copy the URL below.
  • Click on Get Ubuntu.
  • Scroll down and click on Alternative downloads.
    Get Ubuntu

  • Scroll down and click on Ubuntu 22.04 LTS (Jammy Jellyfish)

Ubuntu 22.04 LTS (Jammy Jellyfish)

  • Scroll down and Click on Ubuntu-22.04.5-live-server-amd64.iso

Ubuntu-22.04.5-live-server-amd64.iso

  • After Clicking on that, wait for it to finish downloading

2. Installation of the Ubuntu Server

After the download, the next step is to install Ubuntu into a new virtual machine from the ISO file; locate the file in your Downloads folder.

Downloaded file

Launch your virtualization software. In the top right corner, click on File, then click on New Window.

Click on File & select New Window.

The file you downloaded is an ISO image. Create a new virtual machine from it by clicking the first icon shown in the screenshot.

Create New Virtual Machine

After clicking on it, a wizard appears, like this:

New VM Wizard

Click on Browse to select the downloaded ISO file and click Next.

Guest Operating System Installation

Select the ISO file from the Downloads folder and click Open.

Select the ISO file.

When the ISO file is successfully selected, it will be indicated on the installation wizard just like this, and then click next:

Selected ISO file

Name the virtual machine "Wazuh" and click Next.

Name the VM Wazuh.

Specify Disk Capacity

Disk Capacity

Click on Customize Hardware to increase the RAM.

Increase the RAM here

Change the memory of this virtual machine to 6144 MB (6 GB) and press Enter to apply the change.

Input the memory size

Check that the change took effect, then click Finish.

Click finish

Allow the server to boot

Booting Up the Server

The setup stage of the server

In this Ubuntu Server environment you will not be using your mouse, because there is no graphical interface. You interact with the installer through the keyboard alone. The keys you will need most are:

  • Tab key
  • Space bar
  • Enter
  • Up, down, left, and right arrow keys.

To interact with the VM, click inside its window so that the hand cursor disappears (the VM then captures your keyboard), and use the keys above as needed.

Now let's start:
On this page, press Enter on the highlighted word "English". Remember to click inside the VM window first so that the hand cursor disappears.

Press Enter to select the keyboard

Press Enter

Press Enter to continue (Always follow the highlighted green icon)

Press Enter to continue

Press Enter on Done

Follow the direction of the arrow

Press Enter

Follow the direction of the arrow

Press Enter

Guided storage configuration (here you start using the Tab key to move the cursor down to Done, then press Enter once the cursor is on Done). Follow the direction of the arrow.

Keep pressing the Tab key on your keyboard.

Storage Configuration
The installer may leave part of the disk unallocated. On the root volume entry, press Enter to enlarge it. Then use Tab to move to Edit, press Enter, and use the down arrow to reach the size field. Change the value to the full available size (70.99G in this example) and press Save.

Storage Configuration

After entering the value, save it.

Input the value and save

Use your tab key as you follow the direction of the arrow

Press enter

Use Tab to move the cursor down and press Enter on "Done", then press Enter on "Continue".

Continue

Profile Configuration
Enter the following: your name; the server's name: wazuh; username: analyst; then choose a password. Use the Tab key to move between the fields and then to Done.

Profiling

Continue
Continue

SSH Configuration
Press the Tab key to go to Done and press Enter.

ssh configuration

Featured Server Snaps
Press Tab to go to Done and press Enter.

Featured Server Snaps

Installing the system
Now wait for the system to complete the installation

Installation

Press enter. After pressing enter, you will see the prompt asking you to input your login details.

Login

input login credentials

Once you enter valid credentials, you reach this prompt, which shows that your server is up and running.

Fully up and running server

Install SSH on the server
Why do we need to install SSH on the server?

To establish a secure connection from a different computer (such as your Kali machine, a Windows host, or a workstation), we install an SSH server on the Ubuntu server. Without it you cannot reach the server remotely or log in securely. Here's why it is essential:

  • Remote administration: you cannot plug a monitor and keyboard into a server sitting in a data centre or in the cloud (AWS, Azure, DigitalOcean, etc.). With SSH you can manage the server from anywhere.
  • Protected interaction: your commands, files, and data are encrypted between your machine and the server. Older tools such as Telnet or FTP send usernames, passwords, and data in plain text, which is very dangerous.
  • File transfer: an SSH server also enables SCP and SFTP, so you can upload and download files safely.
  • Scripts and automation: many tools (such as Ansible, Git, and CI/CD pipelines) rely on SSH to connect to servers and run commands automatically.
  • Tunneling and port forwarding: SSH can act as a tunnel to reach databases, web apps, and other services that are not exposed directly to the Internet.

To install SSH on the server, type "sudo apt install ssh" on the command line and press Enter. The ssh package is a metapackage that pulls in both the client and the openssh-server package; the server part is what lets Kali connect.

Install ssh

3. Remotely connecting to the server from Kali over SSH

What is SSH?

SSH stands for Secure Shell. It is a cryptographic network protocol that lets two devices communicate securely over an untrusted network such as the Internet. Developers and system administrators use it mainly to access and administer servers remotely. The main points:

  • Security: SSH encrypts all traffic, protecting against password theft, connection hijacking, and eavesdropping.
  • Remote access: you log into another computer or server from a terminal or command line.
  • File transfer: SCP (Secure Copy) and SFTP (SSH File Transfer Protocol) move files securely over the same connection.
  • Authentication: passwords, or stronger methods such as SSH keys (public/private key pairs).
  • Port forwarding/tunneling: other network connections can be tunnelled securely through SSH.

First, connect from the Kali machine to the Ubuntu server over SSH so that you can operate the server from the Kali environment.

What you need here are:
the ssh command, the username on the Ubuntu server (analyst), and the IP address of the server.

Remotely connecting the Kali machine to the Ubuntu server through ssh and the server IP address

Connecting the server with the Kali machine through ssh

Kali machine and server successfully connected: the prompt now reads analyst@wazuh.

Server successfully connected
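The steps above log in with a password, which is fine for a lab but not for the host that will hold all of your logs. As an added example (not from the original post), the script below audits an sshd_config for the three directives a SIEM host should not leave at their defaults and shows the hardened form next to the weak one. Both configuration files are constructed for the example; the drop-in path /etc/ssh/sshd_config.d/10-wazuh-host.conf is a suggested name, not one the page or Ubuntu requires. Apply the hardened settings only after your public key is on the server (ssh-copy-id analyst@<server-ip>), or you will lock yourself out.

```shell
#!/usr/bin/env bash
# Added example: audit the sshd_config of the Wazuh host before exposing it.
# "apt install ssh" leaves sshd on its compiled-in defaults, which accept
# passwords and allow six authentication attempts per connection.
set -eu

# audit_sshd_config FILE
# Prints one finding per directive that leaves the server weaker than a SIEM
# host should be. sshd uses the FIRST occurrence of a keyword (keywords are
# case-insensitive); a missing keyword means the compiled-in default applies.
# Include lines are not followed: run the audit on each file separately.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
        { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
        END {
            pa  = ("passwordauthentication" in val) ? val["passwordauthentication"] : "yes"   # sshd default
            prl = ("permitrootlogin" in val) ? val["permitrootlogin"] : "prohibit-password"  # sshd default
            mat = ("maxauthtries" in val) ? val["maxauthtries"] + 0 : 6                      # sshd default
            if (pa  != "no") print "PasswordAuthentication=" pa  ": set to no once the analyst key is installed"
            if (prl != "no") print "PermitRootLogin=" prl ": set to no"
            if (mat > 3)     print "MaxAuthTries=" mat ": lower to 3"
        }' "$1"
}

# Constructed files standing in for /etc/ssh/sshd_config (not copied from any host).
WEAK_CFG="$(mktemp)"; HARD_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Roughly what a fresh install looks like: the interesting directives are
# commented out, so the defaults apply, plus a root login someone enabled.
cat > "$WEAK_CFG" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
PermitRootLogin yes
#MaxAuthTries 6
EOF

# Hardened form: the same directives set explicitly. Put them in a drop-in such
# as /etc/ssh/sshd_config.d/10-wazuh-host.conf AFTER ssh-copy-id has installed
# your key, then validate with "sshd -t" and run "systemctl restart ssh".
cat > "$HARD_CFG" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened =="; audit_sshd_config "$HARD_CFG"
```

On the hardened file the audit prints nothing. Because Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own directives and sshd honours the first value it sees, a drop-in is the cleanest place for these settings.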

4. Installation of Wazuh

From here you install Wazuh itself, using Docker.

What is Docker?
Docker is a platform for packaging and running applications in containers: isolated processes that ship with their own filesystem and dependencies but share the host's kernel. A container is lighter than a virtual machine because it does not boot its own operating system.

What is Wazuh?
Wazuh is an open source platform for XDR and Security Information and Event Management (SIEM). It helps organizations monitor, detect, and respond to security threats in their IT environments. Think of it as a security guard for your network, servers, and applications that collects, analyses, and alerts you to suspicious activity.

Why use Docker here?
Because the Wazuh project publishes a Docker Compose deployment that pulls the manager, indexer, and dashboard as ready-made images and wires them together, so you do not have to install and configure each component by hand.

Now open the web browser on your Kali machine, search for "Wazuh documentation" and open it.

wazuh documentation

Click on Deployment on Docker.
You are installing these three components together:
wazuh/wazuh-manager, wazuh/wazuh-indexer, and wazuh/wazuh-dashboard.

A single docker-compose file starts all three, each in its own container.

Click on Deployment on Docker under Installation alternatives.
The process is to first install Docker, then deploy Wazuh inside Docker.

Deployment on Docker

Most of the work here is done on the command line of the VM, through your SSH session, switching between Firefox and the terminal: copy each command from the Docker deployment page and run it on the server with sudo.

Scroll down and, at the bottom right corner, click on Docker installation. Copy the first command, go back to your SSH session and run it with sudo, i.e. sudo sysctl -w vm.max_map_count=262144, then press Enter; it will ask for your password on the server.

Docker installation

Raise vm.max_map_count: copy the command and run it with sudo in the VM terminal.

Increase memory

This does not add RAM; it raises the kernel limit on memory-mapped areas per process, which the Wazuh indexer (based on OpenSearch) needs in order to start. Note that sysctl -w only lasts until the next reboot; to make the setting permanent, add the same line to /etc/sysctl.conf or to a file under /etc/sysctl.d/.

increase memory

Install docker script

docker script

Allow it to run successfully.

run the script

Start the docker service, paste with sudo on the terminal
docker service

Download the Docker Compose binary.
Docker Compose is a separate tool that drives Docker: it reads a single configuration file (docker-compose.yml) describing all of an application's services and starts them together, with their networks and volumes, instead of you running each container by hand. The Wazuh deployment is such a Compose file, describing the manager, indexer, and dashboard.

Docker compose binary

installation of docker compose binary

Grant Execution permission

Execution permission

Go to the next page
next

This deployment can be done as single-node or multi-node. Here we install single-node for personal practice; multi-node is for enterprise setups.

Scroll down, copy the command under option 1 and run it with sudo.

Clone the Wazuh repository to your system. This pulls the whole wazuh-docker repository from GitHub; it can take a little while and needs a stable network connection. If your connection is poor, the clone may fail.

clone

successful

Note:
Before running the next command, change into the single-node directory; all the commands that follow are run from inside it.

Generate the self-signed certificates for the indexer, manager, and dashboard

certificate

Before you run this command, follow the annotation on the image below, and make sure the command is run in the correct directory.

procedure to generate certificate

Start the Wazuh single-node deployment with "sudo docker-compose up". This is the command you will always use to start the stack; when you are done, shut it down with "sudo docker-compose down".

docker compose up

Allow it to run; it takes some time because it pulls everything the system needs (the indexer, the manager, the dashboard), each into its own container.

Downloading wazuh

Let the system run for a while; when you start seeing messages like these on your VM screen, the Wazuh dashboard is ready.

wazuh dashboard ready to display

Then open Chrome, or whichever browser you use, to connect to the Wazuh dashboard.

Open a new tab, enter https://<ip address of your server> in the address bar and press Enter. If you do not remember the server's IP address, go back to the server and run ip a to display it.

Input your server ip address

After pressing Enter, the browser shows a certificate warning: the dashboard is served with the self-signed certificate generated earlier, which your browser does not trust. Scroll down and follow the direction of the arrow here:

click on advanced

Click on Proceed to the IP address (unsafe). For a production server, replace the self-signed certificate with one issued by a CA your browsers trust.

Proceed to ip address

Your Wazuh dashboard will then start loading immediately. If you have followed along from the beginning, you will have a functioning dashboard like this:

Loading dashboard

Login page
login page

For the login credentials, go back to the documentation page you have been copying commands from; the defaults are listed under docker-compose down. They are: username admin, password SecretPassword. These are published defaults, so anyone who can reach the dashboard knows them: change them before putting the server on a shared network (the Wazuh Docker documentation describes how).

copy the password

Enter the login credentials and click on log in

Login

Here is how your Wazuh dashboard will look:

dashboard
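Putting the Docker section together: the script below is an added example, not the Wazuh project's own installer. It runs the same sequence as the walkthrough (raise vm.max_map_count, install Docker with the get.docker.com script, clone wazuh-docker, generate the certificates, start the single-node stack) and adds two checks the walkthrough skips: it persists the sysctl setting across reboots, and it warns when docker-compose.yml still carries the shipped default passwords, including the admin/SecretPassword pair used to log in above. Assumptions: WAZUH_BRANCH is a placeholder you must set to a real wazuh-docker tag; /etc/sysctl.d/99-wazuh.conf is a file name chosen here; the default password strings are the ones in the upstream single-node compose file at the time of writing and should be checked against your checkout; the script prefers the docker compose plugin that get.docker.com installs and falls back to a standalone docker-compose binary if that is what you downloaded.

```shell
#!/usr/bin/env bash
# Added example (not the Wazuh project's installer): the walkthrough's Docker
# single-node steps as one script, plus persistence of vm.max_map_count and a
# check for the shipped default passwords in docker-compose.yml.
# Usage:  sudo WAZUH_BRANCH=v4.x.y ./wazuh-single-node.sh deploy
#         ./wazuh-single-node.sh check wazuh-docker/single-node/docker-compose.yml
set -eu

# Assumption: set WAZUH_BRANCH to a real wazuh-docker tag; "v4.x.y" is a placeholder.
WAZUH_BRANCH="${WAZUH_BRANCH:-v4.x.y}"
WAZUH_REPO="https://github.com/wazuh/wazuh-docker.git"
SYSCTL_DROPIN="/etc/sysctl.d/99-wazuh.conf"     # file name chosen for this example

# map_count_ok VALUE: succeeds when VALUE meets the indexer's requirement.
map_count_ok() { [ "$1" -ge 262144 ]; }

# default_creds_in_compose FILE: prints (with line numbers) every shipped default
# password still present. The strings are the upstream single-node defaults at
# the time of writing; check them against your own checkout.
default_creds_in_compose() {
    grep -n -E 'INDEXER_PASSWORD=SecretPassword|API_PASSWORD=MyS3cr37P450r\.\*-|DASHBOARD_PASSWORD=kibanaserver' "$1" || true
}

# compose ARGS: prefer the compose plugin (installed by get.docker.com), fall
# back to the standalone docker-compose binary the walkthrough downloads.
compose() {
    if docker compose version >/dev/null 2>&1; then docker compose "$@"; else docker-compose "$@"; fi
}

ensure_map_count() {
    if ! map_count_ok "$(sysctl -n vm.max_map_count)"; then
        sysctl -w vm.max_map_count=262144                  # what the walkthrough runs ...
        echo 'vm.max_map_count=262144' > "$SYSCTL_DROPIN"  # ... made to survive a reboot
    fi
}

deploy() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; exit 1; }
    ensure_map_count
    command -v docker >/dev/null || curl -sSL https://get.docker.com/ | sh
    systemctl enable --now docker
    [ -d wazuh-docker ] || git clone "$WAZUH_REPO" -b "$WAZUH_BRANCH"
    cd wazuh-docker/single-node
    # Self-signed certificates for indexer, manager and dashboard; the browser
    # warning on first login comes from these.
    compose -f generate-indexer-certs.yml run --rm generator
    if [ -n "$(default_creds_in_compose docker-compose.yml)" ]; then
        echo "WARNING: default passwords still set in docker-compose.yml; change them before exposing the host:" >&2
        default_creds_in_compose docker-compose.yml >&2
    fi
    compose up -d   # -d detaches; drop it to stream the logs as in the walkthrough
}

case "${1:-}" in
    deploy) deploy ;;
    check)  default_creds_in_compose "${2:?path to docker-compose.yml}" ;;
    *)      : ;;    # no subcommand: only define the functions (for sourcing/tests)
esac
```

Run the check subcommand against your checkout after every pull: the warning is only useful if it fires before the dashboard is reachable from anything other than your own workstation.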
