Wazuh Integration
Requirements
- Wazuh manager installed and configured on the Wazuh server
- Wazuh agent installed and connected on WEB01
- osquery already installed on WEB01 (installation guide)
- root privileges
Configure osquery on WEB01
On WEB01
- Create the osquery configuration file; if it was already created with defaults, edit it
> sudo nano /etc/osquery/osquery.conf
{
"options": {
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"schedule_splay_percent": "10",
"utc": "true"
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 300
},
"processes": {
"query": "SELECT pid, name, path, cmdline FROM processes;",
"interval": 300
},
"logged_in_users": {
"query": "SELECT user, host, time FROM logged_in_users;",
"interval": 300
},
"firewall_status": {
"query": "SELECT * FROM shell WHERE command = 'firewall-cmd --state';",
"interval": 300
}
},
...
- Create the log directory with the correct ownership and permissions for storing osquery results, then restart osqueryd
sudo mkdir -p /var/log/osquery
sudo chown -R root:root /var/log/osquery
sudo chmod -R 755 /var/log/osquery
sudo systemctl restart osqueryd
sudo systemctl status osqueryd
Configure WEB01 -> Wazuh integration
On WEB01
- Configure the Wazuh agent to monitor the osquery results log
> sudo nano /var/ossec/etc/ossec.conf
<!-- Add these blocks inside the <ossec_config> section -->
<!-- The osquery wodle is disabled by default; <disabled>no</disabled> is what enables it -->
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<localfile>
<log_format>json</log_format>
<location>/var/log/osquery/osqueryd.results.log</location>
</localfile>
sudo systemctl restart wazuh-agent
sudo systemctl status wazuh-agent
Validation
On WEB01
- Run a manual query to generate an immediate log entry (append with >> so the daemon's own results log is not truncated)
sudo osqueryi --json "SELECT * FROM processes LIMIT 5;" | sudo tee -a /var/log/osquery/osqueryd.results.log > /dev/null
- Check whether the Wazuh agent picked it up
sudo tail -f /var/ossec/logs/ossec.log
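The manual osqueryi step above prints a pretty-printed JSON array, whereas the Wazuh json localfile expects one JSON object per line in the record shape osqueryd writes to osqueryd.results.log. The helper below is an added example (not part of this guide, Wazuh or osquery): it checks a results log line by line and wraps osqueryi rows into osqueryd-style records; the field set is the usual osqueryd differential record and the sample rows are constructed.

```python
import json
import time
from datetime import datetime, timezone

# Keys osqueryd writes in each differential result record (assumed typical set).
# The Wazuh <localfile> with <log_format>json</log_format> parses exactly one
# such object per line; the array that `osqueryi --json` prints is not that.
REQUIRED_FIELDS = ("name", "hostIdentifier", "calendarTime", "unixTime", "action", "columns")


def parse_results_log(text):
    """Return (events, bad_line_numbers) for osqueryd.results.log content."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad.append(lineno)
            continue
        if not isinstance(obj, dict) or any(k not in obj for k in REQUIRED_FIELDS):
            bad.append(lineno)
            continue
        events.append(obj)
    return events, bad


def rows_to_events(osqueryi_json, query_name, host, now=None):
    """Wrap rows from `osqueryi --json` in osqueryd-style records, one per line."""
    ts = int(time.time() if now is None else now)
    cal = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")
    lines = []
    for row in json.loads(osqueryi_json):
        rec = {"name": query_name, "hostIdentifier": host, "calendarTime": cal,
               "unixTime": ts, "action": "added", "columns": row}
        lines.append(json.dumps(rec, separators=(",", ":")))
    return lines


# Constructed sample of `osqueryi --json "SELECT pid, name FROM processes LIMIT 2;"`
OSQUERYI_OUTPUT = """[
  {"name":"systemd","pid":"1"},
  {"name":"osqueryd","pid":"4242"}
]
"""

if __name__ == "__main__":
    events, bad = parse_results_log(OSQUERYI_OUTPUT)
    print(f"raw osqueryi output: {len(events)} events, unparseable lines {bad}")
    wrapped = "\n".join(rows_to_events(OSQUERYI_OUTPUT, "processes", "WEB01"))
    events, bad = parse_results_log(wrapped)
    print(f"after wrapping: {len(events)} events, unparseable lines {bad}")
```

Appending the wrapped lines instead of the raw osqueryi output gives the Wazuh agent records it can actually decode, so a missing alert then points at the agent configuration rather than at the log format.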
On the Wazuh server
- Go to the Modules menu -> Security Events -> Events
- In the left panel, add the filter rule.groups: osquery
