Installation of Wazuh Agent, Sysmon and Shipping of Logs to the Wazuh Manager on (Jira)
What is wazuh agent?
The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in real time through an encrypted and authenticated channel.
What is sysmon?
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to files on the server or device.
- Logs process creation with a full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
- Multiple hashes can be used at the same time.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Includes a session GUID in each event to allow correlation of events on the same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Automatically reload configuration if changed in the registry.
- Rule filtering to include or exclude certain events dynamically.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
INSTALLATION OF SYSMON
To install sysmon:
- Download sysmon from the following link:
- Then navigate to where you downloaded the zip file to.
- Unzip the sysmon folder
- Copy sysmonconfig.export file into the sysmon folder.
- Open CMD and navigate to the sysmon folder
- Run the following command to install sysmon:
$ sysmon64 -accepteula -i sysmonconfig-export.xml
- For a 32-bit system, choose Sysmon.exe.
- For a 64-bit system, choose Sysmon64.exe.
This command will basically install sysmon together with the sysmon config file that you can edit later to meet your business/personal requirements and needs.
After running the command you should get similar results as shown below which basically means that your sysmon was successfully installed.
To update the config file run the following command
$ sysmon64 -c sysmonconfig-export.xml
This could be in the case where you have customized your sysmon configuration file. Maybe you want sysmon to monitor process tampering, you need to add the ‘ProcessTampering’ configuration option to a configuration file, hence the need to run the above command to be able to update your configuration file with all the changes made.
Now that we already have sysmon installed we can confirm this by opening the event viewer then navigate to the following path Applications and Services Logs/Microsoft/Windows
Here you should be able to see sysmon as shown in the figure below.
INSTALLING WAZUH AGENT.
Now that we have sysmon installed, lets go ahead and install our wazuh agent and configure it.
To do so:
- Download the wazuh agent from the following link:
- Navigate to where you downloaded it
- Run the following command to install it:
NB: Make sure to replace the IP address on the command with the IP address of your wazuh manager.
In this case, the IP address of my wazuh manager is 172.16.0.100
Now let us check and see if our wazuh is running, to do this we go to services and look for wazuh and check if it is running.
WAZUH AGENT CONFIGURATION
All the wazuh agent configurations are done on the ossec.conf file. To do so, navigate to local Disk -> Program Files (x86) here you should be able to see the ossec-agent folder, open it and find the ossec.conf file as shown below.
Wazuh Manager IP Configuration
After opening the file, replace the address section with the IP address of your wazuh manager. In my case the wazuh manager IP is 172.16.0.100 as shown below.
Syslog Monitoring Configuration
For you to monitor logs from a specific path you have to specify that on the local file section. For example in my case I am using a Jira server and I would like to monitor all syslogs on Program Files\Atlassian\JIRA and also Program Files\Atlassian\Application Data\JIRA
This is going to collect all syslogs here and send them to our wazuh manager.
For that add the following section but replace the path with your own custom path.
<location>C:\Program Files\Atlassian\Application Data\JIRA\log\*.log</location>
File Integrity Monitoring
To configure File Integrity Monitoring add the following line to the configuration file on the syscheck container section, which basically says check all directories in the \Program Files\Atlassian folder in real time
$ <directories check_all=”yes” realtime=”yes”>C:\Program Files\Atlassian</directories>
Monitor the sysmon logs
To be able to monitor the eventchannel for sysmon on wazuh you need to link sysmon to the wazuh agent. This can be done by adding the following section to your ossec.conf file which basically says monitor the eventchannel on the following path Microsoft-Windows-Sysmon/Operational which is the location where sysmon is found.
View logs on Wazuh Manager
Now that our agent is successfully installed, and configured, let’s now go to the wazuh manager and check if we can see it.
To do this, click on the total agents which takes you to the page with the agents that have been configured to send logs to our wazuh manager.
As you can see below, we are able to see Jira which is the agent that we configured on the Jira server.
This means that it was successfully configured.
Let us now trigger some alerts and see if they are going to be recorded on our wazuh manager. Remember the path that we configured to be monitored, I will navigate there and add a file, then go to services and restart my wazuh agent.
In this case I created a file and called it hello.txt as shown below.
Moving to the wazuh manager and checking through the logs I am able to see the file that I created was captured here as shown below.
We are able to see that wazuh captures the name of the file that was added and even the path to where the file was added.
Next, I will go ahead and delete the hello.txt file and on my wazuh manager that is captured as shown below.
In conclusion we were able to configure our wazuh agent and send logs to our wazuh manager and finally we were able to see how logs are shipped to the wazuh manager.
Thank you and I will see you in the next article.
CYBER RANGES by Silensec
Military-grade technology for cyber exercises, training and competence assessment.
Article by Restercuter Nyawira. Restercuter is a Shehacks Content Curator, Trainer and Mentor. Her main specialization in cybersecurity is Penetration testing and Social engineering. She’s also big on giving back to the community. Twitter: @restercuter1 LinkedIn: Restercuter Nyawira