Deploying Agents
We have separate guides for deploying the Wazuh and Elastic agents; please see the guides below. Eventually, LME will automate these steps in a future release.
Installing Sysmon on Windows Clients
Sysmon provides valuable logs for Windows computers. For each of your Windows client machines, install Sysmon like so:
- Download LME and unzip the folder.
- From inside the unzipped folder, run the following command in an Administrator PowerShell:
  ```powershell
  .\scripts\install_sysmon.ps1
  ```
To run this PowerShell script, you may need to temporarily set the PowerShell script execution policy to "Unrestricted", which lets Windows execute downloaded PowerShell scripts. You can do that with the following command:
```powershell
Set-ExecutionPolicy Unrestricted
```
Elastic Agent Management - Enrollment Guide
This guide will walk you through the process of enrolling an Elastic agent.
Steps to Enroll an Agent
1. Access the Fleet Menu
   - Open the LME dashboard
   - Scroll down and select "Fleet" from the menu
2. Add a New Agent
   - Click on the "Add agent" button
3. Select the Policy
   - Ensure you select the appropriate policy for the agent
   - For example, choose "Endpoint Policy" if you're adding an endpoint device
4. Enrollment Settings
   - Keep the "Enroll in Fleet" option selected
5. Choose the Agent Type
   - Select the appropriate option based on your endpoint:
     - Linux Tar
     - Mac
     - Windows (ensure you run this in a PowerShell prompt with administrator privileges)
6. Installation Command
   - You will be presented with an installation command for the selected platform
   - Note: If you haven't added the LME certificates to your trusted store, you'll need to modify the command
7. Modify the Command if necessary (e.g., if certificates have not been added to the trusted store)
   - Add `--insecure` at the end of the `./elastic-agent install` command
   - This is similar to clicking "continue to website" in a browser when you get a certificate warning: the agent skips verifying the Fleet server's TLS certificate
   - Example:
     ```
     ./elastic-agent install [-other-flags-youll-see] --insecure
     ```
   - It should look like this screenshot:
8. Execute the Command
   - We recommend running each line individually so you can see a clear picture of the status of each command run. The entire process will download an agent, unzip it, and install it.
From Fleet you should see the agent enrolled now.
LME Elastic Agent Integration Example
This guide will walk you through the process of adding a Windows integration to an agent policy in the LME system.
Steps to Add Windows Integration
1. Access Fleet and Agent Policies
   - Open the LME dashboard
   - Select "Fleet" from the menu
   - Click on "Agent policies"
2. Select the Target Policy
   - Choose the policy you want to add the integration to
   - For example, select "Endpoint Policy"
3. Add Integration
   - Click the "Add integration" button
4. Choose Windows Integration
   - From the list of available integrations, select "Windows"
5. Configure Windows Integration
   - Scroll down to review the options available
   - You'll see various Windows logs and metrics that can be collected
6. Customize Log Collection
   - Review the options set to on or off
   - These options provide more choices for collecting Windows logs
   - Important note: If you have Sysmon installed on your endpoints, ensure "Sysmon Operational" is selected to collect Sysmon logs
7. Configure Metrics Collection
   - You can choose to collect various metrics from your Windows endpoints
   - Review and enable the metrics you're interested in monitoring
8. Save and Deploy
   - After configuring your desired options, save the integration
   - Deploy the changes to apply them to the agents using this policy
Important Considerations
- Sysmon Integration: If you're using Sysmon for enhanced logging, make sure to enable the Sysmon Operational log collection.
- Performance Impact: Be mindful that collecting more logs and metrics may impact endpoint performance. Balance your monitoring needs with system resources.
- Regulatory Compliance: Consider any regulatory requirements you may have when selecting which logs and metrics to collect.
- Storage Considerations: More data collection means more storage usage. Ensure your LME system has adequate storage capacity.
- Review Regularly: Periodically review your integration settings to ensure they still meet your needs and adjust as necessary.
By following these steps, you can effectively add and configure the Windows integration to your chosen agent policy in the LME system, allowing for comprehensive logging of your Windows endpoints.
Apply these same steps to future integrations such as Auditd for Linux.
Troubleshooting Agent Setup:
The Elastic agent has multiple debugging commands that can be run to troubleshoot installs. Please see the link HERE.
In addition, you can use this link to find the directories where the Elastic agent is installed on each operating system.
If you run into issues with a command involving a pipe file, the Elastic endpoint service (a Windows service started by the agent) is in a failed state, and restarting the machine will most likely fix it; check out this link. However, this isn't required if the agent is showing as healthy, only if you want to run other CLI agent debugging commands.
LME Wazuh Agent Enrollment Guide
- See the official Wazuh agent install documentation.
This guide will walk you through the process of enrolling a Wazuh agent in the LME system.
Important Note
Ensure the Wazuh agent version you're installing is not newer than your Wazuh manager version, as this can cause compatibility issues.
Variables
Throughout this guide, we'll use the following variables. Replace these with your specific values:
- {WAZUH_AGENT_VERSION}: The version of the Wazuh agent you're installing (e.g., 4.9.0-1)
- {WAZUH_MANAGER_IP}: The IP address of your Wazuh manager (e.g., 10.0.0.2)
You can get the Wazuh version you are running via the following command:
```
sudo -i podman exec -it lme-wazuh-manager /var/ossec/bin/wazuh-control -j info | jq
```
Output should look similar to this:
```json
{
  "error": 0,
  "data": [
    {
      "WAZUH_VERSION": "v4.7.5"
    },
    {
      "WAZUH_REVISION": "40720"
    },
    {
      "WAZUH_TYPE": "server"
    }
  ]
}
```
Drop the leading "v" and append "-1" (the package revision Wazuh expects), so v4.7.5 becomes 4.7.5-1.
You can confirm the version is accurate against the list of Wazuh versions HERE.
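As an added example (not part of the LME or Wazuh projects), the following POSIX shell helpers turn the `wazuh-control -j info` output above into the package version string and check that an agent version is not newer than the manager, as the note above requires. The sample JSON is constructed to match the output shown, and the function names are my own; only sed and awk are used, so it works where jq is not installed.

```shell
#!/bin/sh
# Added example, not LME's or Wazuh's own code: derive the agent package
# version from `wazuh-control -j info` output and check agent/manager
# compatibility (agent must not be newer than the manager).

# Constructed sample of `wazuh-control -j info` output, as shown in the guide.
SAMPLE_INFO='{"error":0,"data":[{"WAZUH_VERSION":"v4.7.5"},{"WAZUH_REVISION":"40720"},{"WAZUH_TYPE":"server"}]}'

# Print the bare manager version (e.g. 4.7.5) from info JSON read on stdin.
# Works on both the one-line and the jq-pretty-printed form.
manager_version() {
  sed -n 's/.*"WAZUH_VERSION"[[:space:]]*:[[:space:]]*"v\{0,1\}\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Turn a bare version into the package version the guide expects:
# drop a leading "v" and append the "-1" package revision.
agent_package_version() {
  echo "${1#v}-1"
}

# Compare two dotted versions numerically; prints -1, 0 or 1.
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# Succeed (exit 0) only if the agent version, with or without its "-1"
# suffix or leading "v", is less than or equal to the manager version.
agent_compatible() {
  agent="${1%-*}"; agent="${agent#v}"
  manager="${2#v}"
  [ "$(version_cmp "$agent" "$manager")" -le 0 ]
}

# Stand-alone usage against the constructed sample.
mgr="$(printf '%s\n' "$SAMPLE_INFO" | manager_version)"
echo "manager is $mgr; install wazuh-agent=$(agent_package_version "$mgr")"
if agent_compatible 4.9.0-1 "$mgr"; then
  echo "4.9.0-1 is compatible"
else
  echo "4.9.0-1 is newer than the manager; pick an older agent"
fi
```

On the manager host, replace the sample with the live command: `sudo -i podman exec lme-wazuh-manager /var/ossec/bin/wazuh-control -j info | manager_version`.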
Steps to Enroll a Wazuh Agent (Windows)
1. Download the Wazuh Agent
   - Download the Wazuh agent MSI installer from the following URL:
     https://packages.wazuh.com/4.x/windows/wazuh-agent-{WAZUH_AGENT_VERSION}.msi
   - Replace {WAZUH_AGENT_VERSION} with the appropriate version number.
   - Alternatively, the following PowerShell command downloads and installs the agent in one step:
     ```powershell
     # Replace the values with the values you have above
     # where {WAZUH_AGENT_VERSION}=4.7.5-1
     # where {WAZUH_MANAGER_IP}=10.1.0.5
     Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi -OutFile wazuh-agent-4.7.5-1.msi;`
     Start-Process msiexec.exe -ArgumentList '/i wazuh-agent-4.7.5-1.msi /q WAZUH_MANAGER="10.1.0.5"' -Wait -NoNewWindow
     ```
2. Install the Wazuh Agent
   - Open a command prompt with administrator privileges.
   - Navigate to the directory containing the downloaded MSI file.
   - Run the following command to install the agent:
     ```
     wazuh-agent-{WAZUH_AGENT_VERSION}.msi /q WAZUH_MANAGER="{WAZUH_MANAGER_IP}"
     ```
   - Replace {WAZUH_AGENT_VERSION} with the version you downloaded.
   - Replace {WAZUH_MANAGER_IP} with the IP address of your Wazuh manager.
3. Verify Installation
   - After installation, the Wazuh agent service should start automatically.
   - You can verify the service status in the Windows Services manager.
   - If the service doesn't start automatically, start it from an administrator PowerShell terminal:
     ```powershell
     NET START Wazuh
     ```
Steps to Enroll a Wazuh Agent (Debian-based Systems)
1. Add the Wazuh GPG key:
   ```
   curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
   ```
2. Add the Wazuh repository:
   ```
   echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
   ```
3. Update package information:
   ```
   apt-get update
   ```
4. Install the Wazuh agent and configure the Wazuh manager IP variable:
   ```
   WAZUH_MANAGER="{WAZUH_MANAGER_IP}" apt-get install wazuh-agent={WAZUH_AGENT_VERSION} && sed -i 's/MANAGER_IP/{WAZUH_MANAGER_IP}/i' /var/ossec/etc/ossec.conf
   ```
   For example:
   ```
   WAZUH_MANAGER=10.0.0.15 apt-get install wazuh-agent=4.7.5-1 && sed -i 's/MANAGER_IP/10.0.0.15/i' /var/ossec/etc/ossec.conf
   ```
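As an added example (not LME's or Wazuh's own code), the following POSIX shell script packages the four Debian steps above into re-runnable functions. It assumes the same paths as the guide (the keyring, the sources list and ossec.conf), exposed as environment variables so the non-network parts can be exercised against temporary files, and it validates the manager IP before it is written into ossec.conf. One caveat worth handling: `tee -a` in step 2 appends a duplicate repository line every time the step is repeated, so `add_wazuh_repo` only writes the line when it is absent.

```shell
#!/bin/sh
# Added example, not LME's or Wazuh's own code: the Debian enrollment steps
# as idempotent functions. Paths default to the ones used in the guide.
set -eu

WAZUH_KEYRING="${WAZUH_KEYRING:-/usr/share/keyrings/wazuh.gpg}"
WAZUH_LIST="${WAZUH_LIST:-/etc/apt/sources.list.d/wazuh.list}"
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  echo "$1" | awk -F. 'NF == 4 {
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
      exit 0
    }
    { exit 1 }'
}

# The apt source line from step 2, bound to the keyring path in use.
repo_line() {
  echo "deb [signed-by=$WAZUH_KEYRING] https://packages.wazuh.com/4.x/apt/ stable main"
}

# Step 2, idempotent: append the repository line only if it is not already present.
add_wazuh_repo() {
  line="$(repo_line)"
  if [ -f "$WAZUH_LIST" ] && grep -Fxq "$line" "$WAZUH_LIST"; then
    return 0
  fi
  echo "$line" >> "$WAZUH_LIST"
}

# Step 4 (second half): replace the MANAGER_IP placeholder in ossec.conf,
# refusing malformed addresses so a typo never reaches the agent config.
set_manager_ip() {
  ip="$1"
  valid_ipv4 "$ip" || { echo "invalid manager IP: $ip" >&2; return 1; }
  sed -i "s/MANAGER_IP/$ip/i" "$OSSEC_CONF"
}

# Step 1 (network): import the Wazuh signing key into the keyring.
import_wazuh_key() {
  curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
    | gpg --no-default-keyring --keyring "gnupg-ring:$WAZUH_KEYRING" --import
  chmod 644 "$WAZUH_KEYRING"
}

# Full install: key, repository, package index, package, manager IP.
# WAZUH_MANAGER is read by the package's postinst, as in the guide.
install_wazuh_agent() {
  manager_ip="$1"; version="$2"
  valid_ipv4 "$manager_ip" || { echo "invalid manager IP: $manager_ip" >&2; return 1; }
  import_wazuh_key
  add_wazuh_repo
  apt-get update
  WAZUH_MANAGER="$manager_ip" apt-get install -y "wazuh-agent=$version"
  set_manager_ip "$manager_ip"
}

# Usage (as root): sh enroll_wazuh_agent.sh install {WAZUH_MANAGER_IP} {WAZUH_AGENT_VERSION}
if [ "${1:-}" = "install" ]; then
  install_wazuh_agent "$2" "$3"
fi
```

Running the script without the `install` argument defines the functions only, which is how you can point `WAZUH_LIST` and `OSSEC_CONF` at temporary copies and dry-run `add_wazuh_repo` and `set_manager_ip` before touching a real endpoint.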
Verifying Installation
After installation, you can check the status of the Wazuh agent:
```
systemctl status wazuh-agent
```
Troubleshooting
If it doesn't start, attempt the following:
```
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
```
- If the agent fails to connect, check your firewall settings to ensure the necessary ports are open. Wazuh Ports Documentation
- Verify that the Wazuh manager IP address is correct and reachable from the agent. This is the IP address of your LME server running the containers.
By following these steps, you should be able to successfully enroll Wazuh agents into your LME system. Remember to keep your agents updated, but always ensure compatibility with your Wazuh manager version.
Verifying Wazuh Agent Status
This guide provides steps to check the status of Wazuh agents in the LME setup. These commands can be run from the host system without needing to execute into the container.
Listing All Agents and Their Status
To get an overview of all registered agents and their current status:
```
sudo -i podman exec lme-wazuh-manager /var/ossec/bin/agent_control -l
```
This command will display a list of all agents, including their ID, name, IP address, and current status (active, disconnected, never connected, etc.).
Checking Status of a Specific Agent
To check the detailed status of a specific agent:
```
sudo -i podman exec lme-wazuh-manager /var/ossec/bin/agent_control -i [agent_id]
```
Replace [agent_id] with the ID of the agent you want to check. This will provide more detailed information about the agent, including its last keep-alive time, version, and operating system.
The listing command (`-l`) gives you a quick overview of how many agents are active, disconnected, or never connected.
See the official Wazuh documentation for more steps on agent_control.
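As an added example (not part of LME or Wazuh), the following POSIX shell script summarizes `agent_control -l` output into per-state counts and lists the agents that are not active, which is the quickest way to spot endpoints that have stopped reporting. The sample listing is constructed to mirror the `ID, Name, IP, status` line format described above and the function names are my own; on the manager host, pipe the real command's output into `summarize_agents` instead.

```shell
#!/bin/sh
# Added example, not LME's or Wazuh's own code: turn an `agent_control -l`
# listing into a coverage summary. Run against the live manager with:
#   sudo -i podman exec lme-wazuh-manager /var/ossec/bin/agent_control -l | sh agent_summary.sh -
# (the "-" argument makes the script read stdin instead of the sample).

# Constructed sample listing in the format agent_control -l prints.
SAMPLE_LISTING='Wazuh agent_control. List of available agents:
   ID: 000, Name: lme-wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: win-host-01, IP: any, Active
   ID: 002, Name: deb-host-02, IP: 10.0.0.20, Disconnected
   ID: 003, Name: deb-host-03, IP: any, Never connected
   ID: 004, Name: win-host-04, IP: any, Active

List of agentless devices:
'

# Read a listing on stdin and print one line of counts. The manager's own
# entry (ID 000) is skipped; any unrecognized state is counted as "other".
summarize_agents() {
  awk -F', ' '
    /^[[:space:]]*ID: / {
      id = $1; sub(/^[[:space:]]*ID: /, "", id)
      if (id == "000") next
      state = $NF
      if (state ~ /^Active/) a++
      else if (state ~ /^Disconnected/) d++
      else if (state ~ /^Never connected/) n++
      else o++
    }
    END { printf "active=%d disconnected=%d never_connected=%d other=%d\n", a, d, n, o }'
}

# Read a listing on stdin and print "<id> <name>" for every agent that is
# not active, so each one can be checked with `agent_control -i <id>`.
inactive_agents() {
  awk -F', ' '
    /^[[:space:]]*ID: / && $NF !~ /^Active/ {
      id = $1; sub(/^[[:space:]]*ID: /, "", id)
      name = $2; sub(/^Name: /, "", name)
      print id " " name
    }'
}

# Stand-alone run: use stdin when invoked with "-", otherwise the sample.
if [ "${1:-}" = "-" ]; then
  listing="$(cat)"
else
  listing="$SAMPLE_LISTING"
fi
printf '%s\n' "$listing" | summarize_agents
echo "agents needing follow-up:"
printf '%s\n' "$listing" | inactive_agents
```

A non-zero `disconnected` or `never_connected` count is a monitoring gap: those endpoints are producing no alerts, so treat the summary as a daily check rather than a one-off after enrollment.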
Example Setup for Wazuh Active Response
This guide summarizes how to configure Wazuh's active response to defend against SSH brute-force attacks.
Overview
Wazuh can automatically block IP addresses attempting SSH brute-force attacks using its active response module. This feature executes scripts on monitored endpoints when specific triggers occur.
Configuration Steps
1. Verify Default Script:
   - Check for the firewall-drop script in /var/ossec/active-response/bin/ on Linux/Unix systems.
2. Configure Command in wazuh_manager.conf: Note that this command (firewall-drop) already exists. You can also create custom scripts in the active-response/bin path and add new commands to the .conf file at /opt/lme/config/wazuh_cluster/wazuh_manager.conf:
   ```xml
   <command>
     <name>firewall-drop</name>
     <executable>firewall-drop</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
   ```
3. Set Up Active Response: Look for the section that says "active-response options here" in the .conf file. Copy and paste the entire configuration below that commented-out line. You can continue to add more active response configs below that line.
   ```xml
   <active-response>
     <command>firewall-drop</command>
     <location>local</location>
     <rules_id>5763</rules_id>
     <timeout>180</timeout>
   </active-response>
   ```
   - This configures a local response, triggering on rule 5763 (SSH brute-force detection), with a 180-second block.
4. Restart Wazuh Manager:
   ```
   podman restart lme-wazuh-manager
   ```
How It Works
- When rule 5763 triggers (detecting SSH brute-force attempts), the firewall-drop script executes.
- The script uses iptables to block the attacker's IP address for the specified timeout period.
- Wazuh logs the action in /var/ossec/logs/active-responses.log.
Monitoring
- Wazuh dashboard displays alerts when rule 5763 triggers and when an active response occurs.
- The active response alert is typically associated with rule ID 651. These alerts will be displayed in Kibana in the wazuh alerts dashboard.
Testing
- Use a tool like Hydra to simulate a brute-force attack, or you can attempt to SSH into the machine multiple times until it triggers. You will need eight failed SSH attempts to trigger Brute Force. (This can be adjusted in the ruleset manually)
- Verify that the attacker's IP is blocked by attempting to ping the target machine.
Custom Responses
- You can create custom scripts for different actions.
- For custom scripts, ensure you create corresponding rules to analyze the generated logs.
This setup provides an automated defense against SSH brute-force attacks, enhancing the security of your Linux/Unix systems monitored by Wazuh.
See a list of Wazuh Rules that trigger here: Wazuh Ruleset
Consult Wazuh Documentation for more on active response configuration.