techcodedu/wazuh_new_simplified_configuration

Complete Wazuh Lab Guide: Installation & Uninstallation on Windows 11

This document provides a complete lifecycle guide for setting up and tearing down a Wazuh security lab on a single Windows 11 PC.


Part 1: Introduction & Concepts 🕵️‍♀️

Our Lab Architecture

  • Wazuh Server (in WSL 2): The "brains" of the operation. The Wazuh Manager, Indexer and Dashboard will be installed inside the Windows Subsystem for Linux 2 (WSL 2), which runs a lightweight Linux VM that Windows manages for you, so there is no separate virtual machine to build or maintain.
  • Wazuh Agent (on Windows 11): The "camera" or sensor. We will install the Wazuh Agent directly onto your Windows 11 machine. It collects security data (Windows event channels, file integrity, inventory) from your PC and forwards it to the manager running in WSL 2 for analysis. Agent and server sit on the same physical machine, so everything in this lab stays on one PC.

Part 2: Installation Guide (Wazuh v4.13.1)

Step 1: Setting Up the Wazuh Server in WSL 2 🐧

  1. Install WSL 2 and Ubuntu

    • WSL 2 needs hardware virtualization. If wsl --install fails with a virtualization error, enable it (Intel VT-x / AMD-V) in the firmware settings first.
    • Click the Start Menu, type powershell, right-click on Windows PowerShell, and select "Run as administrator".
    • In PowerShell, run this command (it enables the Windows Subsystem for Linux and Virtual Machine Platform features, then downloads and registers the distro):
      wsl --install -d Ubuntu-22.04
    • Reboot your computer when prompted.
  2. Set Up Your Ubuntu User Account

    • After rebooting, an Ubuntu terminal will open.
    • Enter a new UNIX username and password when prompted.
  3. Install the Wazuh 4.13.1 Server

    • Check that systemd is running inside the distro before you start: the installer sets up the manager, indexer and dashboard as systemd services and aborts if systemctl does not work. Run systemctl is-system-running; if it reports that the system was not booted with systemd, add the two lines [boot] and systemd=true to /etc/wsl.conf, run wsl --shutdown from PowerShell, and reopen the Ubuntu terminal.
    • In the Ubuntu terminal, download the installation script:
      curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
    • Run the script to perform an all-in-one installation (manager, indexer, dashboard and Filebeat on this one host):
      sudo bash ./wazuh-install.sh -a
    • The script has no option for choosing a release: it installs the version it was published for, and -v only turns on verbose output. The 4.x path serves the current 4.x script; to stay on the 4.13 release line, download the script from the release-specific path instead, https://packages.wazuh.com/4.13/wazuh-install.sh.
    • The all-in-one install expects at least 2 CPU cores and 4 GB of RAM. If the hardware check fails, raise the memory limit under [wsl2] in %UserProfile%\.wslconfig or rerun with the -i (--ignore-check) flag.
  4. Retrieve Your Admin Password

    • Once the installation finishes, it will display the password for the admin user. Copy and save this password.
    • If you miss it, retrieve it with this command (the tar is written to the directory you ran the script from):
      sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
    • wazuh-install-files.tar also holds the passwords of every internal user and the private keys of the certificates the installer generated, and your WSL home directory is readable from Windows under \\wsl$\Ubuntu-22.04. Treat the tar as a secret: copy the admin password out, then delete the file or keep it root-only.
  5. Access the Wazuh Dashboard

    • Open a web browser on Windows and go to https://localhost. This works because WSL 2 forwards ports bound inside the distro to the Windows loopback address (localhostForwarding is on by default); if the page does not load, use https://<WSL IP> instead (Step 2 shows how to find that address).
    • Accept the security risk warning: the installer generated its own CA and a self-signed certificate for the dashboard, which your browser does not trust. That is acceptable for a lab on one machine; it is not a configuration to expose on a network.
    • Log in with the username admin and the password you saved.
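The systemd and hardware checks that the installer depends on, collected into one preflight script. This is an added example, not part of the original guide or of Wazuh's own tooling; it assumes the distro is named Ubuntu-22.04 as installed above and is run from an elevated PowerShell on the Windows host, before wazuh-install.sh:

```powershell
# Added example (not from the original guide or from Wazuh): preflight for the WSL 2 distro that
# will host the Wazuh server. Run from an elevated PowerShell on the Windows host, before the installer.
# Assumption: the distro is named Ubuntu-22.04, as installed in Step 1.
$Distro = 'Ubuntu-22.04'

# wsl.exe writes UTF-16; captured in PowerShell, its output often carries NUL bytes. Strip them.
function Get-WslOutput { param([string[]]$WslArgs) (& wsl.exe @WslArgs) -replace "`0", '' }

# 1. The distro must run under WSL 2. wazuh-install.sh drives the manager, indexer and dashboard
#    as systemd units, and only WSL 2 can boot systemd.
$row = Get-WslOutput @('--list', '--verbose') | Where-Object { $_ -match "^\*?\s*$([regex]::Escape($Distro))\s" }
if (-not $row) { throw "$Distro is not installed; run 'wsl --install -d $Distro' first." }
if ($row -notmatch '\s2\s*$') {
    Write-Host "$Distro is a WSL 1 distro; converting to WSL 2 ..."
    wsl.exe --set-version $Distro 2
}

# 2. systemd is switched on per distro in /etc/wsl.conf, which WSL reads when the distro starts.
$conf = Get-WslOutput @('-d', $Distro, '-u', 'root', '--', 'cat', '/etc/wsl.conf') 2>$null
if (($conf -join "`n") -notmatch 'systemd\s*=\s*true') {
    Write-Host 'Enabling systemd in /etc/wsl.conf ...'
    wsl.exe -d $Distro -u root -- sh -c "printf '[boot]\nsystemd=true\n' >> /etc/wsl.conf"
    wsl.exe --shutdown   # stop the WSL VM; the next wsl.exe call boots the distro with systemd as PID 1
}

# 3. Confirm systemd really is PID 1; the installer's systemctl calls fail otherwise.
$state = (Get-WslOutput @('-d', $Distro, '--', 'systemctl', 'is-system-running')) -join ''
if ($state -notmatch '^(running|degraded)$') {
    throw "systemd is not running inside $Distro (got '$state'); wazuh-install.sh will abort."
}

# 4. The all-in-one installer checks for at least 2 CPU cores and 4 GB of RAM. WSL 2 gives the VM
#    half of the host's RAM by default; raise memory= under [wsl2] in %UserProfile%\.wslconfig if
#    the figures printed here are too low, or rerun the installer with -i (--ignore-check).
wsl.exe -d $Distro -- sh -c 'echo cores=$(nproc); free -g | grep ^Mem:'
Write-Host "Preflight passed: $Distro is WSL 2 with systemd state '$state'."
```

The script appends a [boot] section only when systemd=true is absent from /etc/wsl.conf; if your wsl.conf already has a [boot] section with other keys, add the line there by hand instead.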

Step 2: Deploying the Agent on Your Windows 11 Host 💻

  1. Find Your Server's IP Address

    • In your Ubuntu terminal, find the WSL IP address:
      ip a | grep 'eth0' | grep 'inet'
    • Look for the inet address (e.g., 172.20.115.140). Copy this IP address. The agent reaches the manager at this address over TCP 1515 (enrollment) and TCP 1514 (events).
    • In WSL's default NAT networking mode this address is assigned fresh every time the WSL virtual machine starts, so after a reboot or a wsl --shutdown the agent keeps trying the old IP and shows as Disconnected until you update the <address> element under <client><server> in C:\Program Files (x86)\ossec-agent\ossec.conf and restart the service. On Windows 11 22H2 or later with WSL 2.0+, mirrored networking (networkingMode=mirrored under [wsl2] in %UserProfile%\.wslconfig) makes Linux listeners reachable from Windows on 127.0.0.1, which gives the agent a stable manager address.
  2. Install the Wazuh Agent 4.13.1

    • Open PowerShell as an administrator.
    • Download the agent installer:
      Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.13.1-1.msi -OutFile ${env:tmp}\wazuh-agent.msi
    • Run the installer, replacing YOUR_WSL_IP_ADDRESS with the IP you copied:
      msiexec.exe /i ${env:tmp}\wazuh-agent.msi /q WAZUH_MANAGER='YOUR_WSL_IP_ADDRESS' WAZUH_REGISTRATION_SERVER='YOUR_WSL_IP_ADDRESS'
  3. Verify the Connection

    • On Windows, confirm the service is running (Get-Service -DisplayName Wazuh) and check the last lines of C:\Program Files (x86)\ossec-agent\ossec.log: a successful enrollment logs "Valid key received", and each connection to the manager logs "Connected to the server".
    • In the Wazuh Dashboard, open the agents list (Agents management > Summary in recent 4.x dashboards; older versions show it under Wazuh > Agents).
    • After a minute or two, your agent should appear with a status of "Active". "Never connected" usually means the manager IP is wrong or port 1515 was not reachable during enrollment; "Disconnected" after a WSL restart means the WSL IP has changed.
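The agent deployment above as a script, with the two things the manual steps leave out: a re-point routine for when the WSL IP changes, and a connection check that reads the agent log rather than waiting for the dashboard. This is an added example, not part of the original guide or of Wazuh's own tooling. It assumes the distro is Ubuntu-22.04, the agent's default install directory, and that the service is registered as WazuhSvc with display name Wazuh (the lookup accepts either); run it from an elevated PowerShell:

```powershell
# Added example (not from the original guide or from Wazuh): install the 4.13.1 agent against the WSL 2
# server, re-point it when the WSL IP changes, and check the connection. Run from an elevated PowerShell.
# Assumptions: distro Ubuntu-22.04; default agent directory; service name WazuhSvc / display name Wazuh.
$Distro   = 'Ubuntu-22.04'
$AgentDir = 'C:\Program Files (x86)\ossec-agent'
$MsiUrl   = 'https://packages.wazuh.com/4.x/windows/wazuh-agent-4.13.1-1.msi'

function Get-WslServerIp {
    # In the default NAT networking mode the WSL VM gets a fresh 172.x address each time it boots.
    $raw = (wsl.exe -d $Distro -- hostname -I) -replace "`0", ''
    $ip  = (($raw -join ' ').Trim() -split '\s+')[0]
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Could not read the WSL IP (got '$ip')." }
    return $ip
}

function Get-WazuhAgentService {
    Get-Service | Where-Object { $_.Name -eq 'WazuhSvc' -or $_.DisplayName -eq 'Wazuh' } | Select-Object -First 1
}

function Install-WazuhAgent {
    $ip  = Get-WslServerIp
    $msi = Join-Path $env:TEMP 'wazuh-agent.msi'
    Invoke-WebRequest -Uri $MsiUrl -OutFile $msi
    # Same MSI properties as the manual step: where to enroll (TCP 1515) and where to send events (TCP 1514).
    $p = Start-Process msiexec.exe -Wait -PassThru -ArgumentList @(
        '/i', "`"$msi`"", '/q', "WAZUH_MANAGER=$ip", "WAZUH_REGISTRATION_SERVER=$ip", "WAZUH_AGENT_NAME=$env:COMPUTERNAME")
    if ($p.ExitCode -ne 0) { throw "msiexec returned exit code $($p.ExitCode)" }
    Get-WazuhAgentService | Start-Service
}

function Update-WazuhManagerAddress {
    # After a WSL restart: rewrite <client><server><address> in ossec.conf and restart the agent.
    # Plain text editing is used on purpose; ossec.conf may contain several <ossec_config> roots, which an XML parser rejects.
    $ip   = Get-WslServerIp
    $conf = Join-Path $AgentDir 'ossec.conf'
    $text = [IO.File]::ReadAllText($conf)
    $m = [regex]::Match($text, '(?s)<client>.*?<server>.*?<address>(?<ip>[^<]*)</address>')
    if (-not $m.Success) { throw "No <client><server><address> element found in $conf" }
    $g = $m.Groups['ip']
    if ($g.Value -eq $ip) { Write-Host "Agent already points at $ip"; return }
    Write-Host "Re-pointing agent from $($g.Value) to $ip"
    [IO.File]::WriteAllText($conf, $text.Substring(0, $g.Index) + $ip + $text.Substring($g.Index + $g.Length))
    Get-WazuhAgentService | Restart-Service
}

function Test-WazuhAgentConnection {
    # "Valid key received" = enrollment over 1515 worked; "Connected to the server" plus an ESTABLISHED
    # TCP session to port 1514 = events are flowing. Anything else: check the manager IP first.
    $log = Get-Content (Join-Path $AgentDir 'ossec.log') -Tail 200 |
           Select-String 'Valid key received|Connected to the server|Unable to connect|Invalid key'
    $tcp = Get-NetTCPConnection -RemotePort 1514 -State Established -ErrorAction SilentlyContinue
    [pscustomobject]@{ RecentLogLines = @($log | ForEach-Object Line); EstablishedTo1514 = [bool]$tcp }
}

# Typical use: Install-WazuhAgent once, then Update-WazuhManagerAddress after every WSL restart.
Install-WazuhAgent
Start-Sleep -Seconds 15   # give enrollment and the first connection time to complete
Test-WazuhAgentConnection
```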

Step 3: Detecting a Malicious PowerShell Command 👾

  1. Make Sure the Command Will Be Logged

    • The alert is built from PowerShell's script block log (event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel). PowerShell 5 and later only writes that event for every command when Script Block Logging is enabled, either through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) or through the EnableScriptBlockLogging DWORD under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. Without it, only script blocks that match PowerShell's built-in suspicious-keyword list are logged, and the test below may never produce an event.
    • Check that C:\Program Files (x86)\ossec-agent\ossec.conf has a <localfile> entry whose <location> is Microsoft-Windows-PowerShell/Operational with <log_format>eventchannel</log_format>; the agent forwards only the channels it is configured to read. Restart the agent after changing the file.
  2. Run the "Malicious" Command

    • Open a new PowerShell window (non-admin is fine).
    • Run this benign command. It exercises the same download-to-disk behaviour that real download cradles use, so the detection logic sees the same event shape without any malicious payload:
      Invoke-WebRequest -Uri https://wazuh.com -OutFile C:\Users\Public\testfile.html
  3. Find the Alert in the Dashboard

    • In the Wazuh Dashboard, open the alert search module (Threat intelligence > Threat Hunting in recent 4.x dashboards; older versions label it Wazuh > Security Events) and select your agent.
    • Look for an alert with a description along the lines of "PowerShell downloading a file". The exact rule ID, level and wording depend on the ruleset shipped with your version, so if nothing obvious appears, filter on data.win.system.eventID:4104 and search for testfile.html.
    • Expand the alert to see rule.id, rule.description, and the full command text in the decoded event data (data.win.eventdata.scriptBlockText).
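The logging prerequisites and the test run from this step, scripted so that you can confirm on the Windows side that a 4104 event with the test command exists before searching the dashboard. This is an added example, not part of the original guide or of Wazuh's own tooling; it assumes the agent's default install directory and a service registered as WazuhSvc with display name Wazuh, and must run from an elevated PowerShell because it writes a machine policy key:

```powershell
# Added example (not from the original guide or from Wazuh): enable Script Block Logging, make sure the
# agent reads the PowerShell channel, run the guide's benign download in a fresh PowerShell process, and
# pull the resulting 4104 event(s) from the local event log. Run from an elevated PowerShell.
# Assumptions: default agent directory; service name WazuhSvc / display name Wazuh.
$AgentDir = 'C:\Program Files (x86)\ossec-agent'

function Enable-ScriptBlockLogging {
    # Event 4104 carries the script text. Without this policy, PowerShell 5+ logs only blocks that
    # trip its built-in suspicious-keyword list, so a plain Invoke-WebRequest may never be recorded.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Assert-PowerShellChannelMonitored {
    # The agent forwards only channels listed as <localfile> entries. Returns $true if the PowerShell
    # channel was already configured, $false if it had to be appended (the agent is restarted in that case).
    $conf = Join-Path $AgentDir 'ossec.conf'
    if ((Get-Content -Raw $conf) -match 'Microsoft-Windows-PowerShell/Operational') { return $true }
    $block = @"

<ossec_config>
  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
"@
    Add-Content -Path $conf -Value $block
    Get-Service | Where-Object { $_.Name -eq 'WazuhSvc' -or $_.DisplayName -eq 'Wazuh' } | Restart-Service
    return $false
}

function Invoke-TestDownload {
    # The guide's benign command, started in a new PowerShell process so it is logged as its own
    # script block and runs under the policy that was just set.
    $cmd = 'Invoke-WebRequest -Uri https://wazuh.com -OutFile C:\Users\Public\testfile.html'
    Start-Process powershell.exe -Wait -WindowStyle Hidden -ArgumentList @('-NoProfile', '-Command', $cmd)
}

function Get-TestDownloadEvents {
    # In a 4104 event, property index 2 is ScriptBlockText (0 = MessageNumber, 1 = MessageTotal).
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddMinutes(-10) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'Invoke-WebRequest.*testfile\.html' } |
        Select-Object TimeCreated, Id, @{ n = 'ScriptBlockText'; e = { $_.Properties[2].Value } }
}

Enable-ScriptBlockLogging
Assert-PowerShellChannelMonitored | Out-Null
Invoke-TestDownload
Start-Sleep -Seconds 5
$events = @(Get-TestDownloadEvents)
if ($events.Count -eq 0) { throw 'No 4104 event for the test command was written, so there is nothing for the agent to forward.' }
$events | Format-List
```

If the event is present locally but no alert shows up in the dashboard, the problem is between agent and manager (channel not configured, agent disconnected, or a rule that fires below the alert threshold), not in Windows logging.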

Part 3: Uninstallation Guide

Follow these steps in order to ensure a clean removal of all lab components.

Step 1: Uninstall the Wazuh Agent from Windows 11

  1. Stop the Wazuh Agent Service

    • Open PowerShell as an administrator.
    • Run the command:
      Stop-Service -Name "Wazuh"
      If PowerShell reports that no such service exists, stop it by display name instead (Get-Service -DisplayName Wazuh, piped to Stop-Service); Wazuh is the display name, and the registered service name differs.
  2. Uninstall the Wazuh Agent Program

    • Press Windows Key + I to open Settings.
    • Go to Apps > Installed apps.
    • Search for Wazuh, click the three dots (...), and select Uninstall.
    • Afterwards check C:\Program Files (x86)\ossec-agent: the uninstaller can leave configuration and enrollment data (ossec.conf, client.keys, logs) behind, and a stale client.keys will be reused by a later reinstall, so delete the directory by hand if it is still there.

Step 2: Remove the Wazuh Server & WSL 2 Environment

If you want to keep Ubuntu and remove only Wazuh, the installer can undo its own work: in the Ubuntu terminal run sudo bash ./wazuh-install.sh -u, which removes the manager, indexer, dashboard and Filebeat together with their data. To remove everything, continue below.

  1. List Your Installed WSL Distributions

    • In an administrator PowerShell window, run:
      wsl --list --verbose
    • Confirm you see Ubuntu-22.04 in the list.
  2. Unregister (Uninstall) the Ubuntu Distribution

    • WARNING: This is irreversible and will delete the entire Ubuntu file system, including wazuh-install-files.tar (certificates, keys and passwords) and every alert the indexer has stored.
    • In the same PowerShell window, run:
      wsl --unregister Ubuntu-22.04

Step 3: Disable the Windows Subsystem for Linux (Optional)

If you do not plan on using WSL for anything else, you can disable the underlying Windows features that wsl --install turned on in Part 2. Skip this if anything else on the machine depends on them, for example other WSL distributions or Docker Desktop's WSL 2 backend.

  1. Disable WSL and Virtual Machine Platform Features

    • In an administrator PowerShell window, run the following two commands:
      dism.exe /online /disable-feature /featurename:Microsoft-Windows-Subsystem-Linux /norestart
      dism.exe /online /disable-feature /featurename:VirtualMachinePlatform /norestart
  2. Reboot Your Computer

    • Restart your computer to complete the uninstallation process.
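The whole teardown as one script, using a silent MSI uninstall in place of the Settings dialog and cleaning up what the uninstaller leaves behind. This is an added example, not part of the original guide or of Wazuh's own tooling. It assumes the distro is Ubuntu-22.04, the agent's default install directory, a service registered as WazuhSvc with display name Wazuh, and that the MSI registers itself as "Wazuh Agent" under the Windows Uninstall registry keys; run it from an elevated PowerShell, with -DisableWsl if you also want Step 3:

```powershell
# Added example (not from the original guide or from Wazuh): scripted teardown of the lab.
# Run from an elevated PowerShell; pass -DisableWsl to also turn off the Windows features (reboot afterwards).
# Assumptions: distro Ubuntu-22.04; default agent directory; service name WazuhSvc / display name Wazuh;
# the agent MSI is listed as "Wazuh Agent" in the Uninstall registry keys.
param([switch]$DisableWsl)

$Distro   = 'Ubuntu-22.04'
$AgentDir = 'C:\Program Files (x86)\ossec-agent'

# 1. Stop the agent first so the MSI uninstall does not have to wait on a running service.
Get-Service | Where-Object { $_.Name -eq 'WazuhSvc' -or $_.DisplayName -eq 'Wazuh' } |
    Stop-Service -ErrorAction SilentlyContinue

# 2. Silent MSI uninstall by product code: the same operation as Settings > Installed apps > Uninstall.
#    The agent is a 32-bit package, so its entry normally sits under WOW6432Node; both hives are checked.
$product = Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Wazuh Agent*' } | Select-Object -First 1
if ($product) {
    Write-Host "Uninstalling $($product.DisplayName) $($product.DisplayVersion) ($($product.PSChildName))"
    $p = Start-Process msiexec.exe -Wait -PassThru -ArgumentList @('/x', $product.PSChildName, '/qn')
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec /x returned exit code $($p.ExitCode)" }   # 3010 = reboot required
} else {
    Write-Host 'No Wazuh Agent entry found in the Uninstall registry keys; skipping msiexec.'
}

# 3. The uninstaller can leave ossec.conf, client.keys and logs behind; remove the directory.
if (Test-Path $AgentDir) { Remove-Item $AgentDir -Recurse -Force }

# 4. Delete the distro. This takes the manager, indexer, dashboard, stored alerts and
#    wazuh-install-files.tar (certificates, keys, passwords) with it, irreversibly.
$installed = (wsl.exe --list --quiet) -replace "`0", ''
if ($installed -contains $Distro) { wsl.exe --unregister $Distro } else { Write-Host "$Distro is not registered." }

# 5. Optional: disable the Windows features that wsl --install enabled. Reboot to complete.
if ($DisableWsl) {
    dism.exe /online /disable-feature /featurename:Microsoft-Windows-Subsystem-Linux /norestart
    dism.exe /online /disable-feature /featurename:VirtualMachinePlatform /norestart
    Write-Host 'Features disabled; restart the computer to finish.'
}
```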
