Wazuh

Wazuh is a SIEM for information protection and security event management. It prevents and finds vulnerabilities with a security agent, detects threats and responds to incidents.

You can create a cloud server with a ready-made Wazuh application.

Create a cloud server with Wazuh

For Wazuh to work, the cloud server must be accessible from the Internet. To do this, you need to create a private subnet and connect a public IP address — you can do this when creating the server. To configure Wazuh when creating the server, you need to specify user data — user configuration parameters of the operating system.

Once the server is created, a free TLS certificate from Let's Encrypt® can be issued automatically for the domain you specify. To issue a certificate, you must add an A record for the domain and specify the public IP address of the server in the record value. The domain can be added to Selectel DNS hosting (actual).

  1. In the control panel, go to Cloud platform → Servers.

  2. Click Create a server.

  3. In the block Name and location:

    3.1 In the field Name enter the server name. This will be set as the host name in the operating system.

    3.2 In the fields Region and Pool, select the region and pool segment. The list of available server configurations and the cost of resources depend on the pool segment. Once the server is created, the pool segment cannot be changed.

  4. In the block Source select the source from which the server will be created.

    Click on the default source name, open the tab Appendices, select Cloud Wazuh <version> 64-bit and press Select.

  5. In the block Configuration select a server configuration depending on the number of Wazuh agents. If there are fewer than 100 agents, select a configuration with at least 4 vCPUs, at least 8 GB of RAM and a boot disk of at least 16 GB. You can select:

    • fixed configuration: lines in which the ratio of resources is fixed;
    • or arbitrary configuration, where any resource ratio can be specified.

    The configurations use different processors depending on the lineup and pool segment.

    5.1. To select a fixed configuration, press Fixed, open the tab with the desired line and select the configuration.

    5.2 To select an arbitrary configuration, press Arbitrary, specify the number of vCPUs and the size of RAM.

    5.3. To use a local disk as the server boot disk, check the box Local SSD NVMe disk. To use a network disk as the boot disk, don't check the box.

    The amount of RAM that is allocated to the server may be less than specified in the configuration — the operating system kernel reserves some RAM depending on the kernel version and distribution. You can check the allocated amount on the server using the command sudo dmesg | grep Memory.

    Once the server is created, you can change its configuration.

  6. If you have not checked the checkbox Local SSD NVMe disk in step 5.3, the first specified network disk will be used as the server boot disk. In the block Disks:

    6.1 In the field Disk type select network boot disk type.

    6.2 Specify the size of the network boot disk in GB or TB. Take into account the limits on the maximum size of network disks.

  7. Optional: add additional network disks to the server. In the block Disks:

    7.1 In the field Disk type select the network disk type.

    7.2 Specify the size of the network disk in GB or TB. Take into account the limits on the maximum size of network disks.

    7.3 To add another additional disk, press Add, select the disk type and specify its size.

    Once the server is created, you can disconnect additional disks from it or connect new ones.

  8. In the block Network create a private subnet and a static public IP address. In the field Subnetwork select Private + 1 public IP. A private network nat, a private subnet, a router router-nat and a public IP address will be created automatically.

    If a private subnet and a cloud router connected to an external network already exist, in the field Subnetwork select Private + 1 public IP, in the field Private subnet select the existing subnet, and in the field Private IP specify the private IP address of the server. If a public IP address already exists, click Connect existing and select the public IP address.

  9. In the block Access:

    9.1 Place the project's SSH key on the server for a secure connection.

    To add a new SSH key for a project to the cloud platform, click Add an SSH key, enter the key name, insert the public SSH key in OpenSSH format, and click Add.

    If an SSH key has already been added to the cloud platform, in the field SSH key select the existing key.

    The SSH key is only available in the pool in which it is hosted.

    9.2 Optional: in the field Password for "root" copy the password of the root user (a user with unlimited rights to all system operations). Save the password in a safe place and do not share it publicly.

  10. In the block Additional settings:

    10.1 Optional: if you plan to create multiple servers and want to increase the fault tolerance of your infrastructure, add the server to a placement group. To create a new group, press Create a group, enter a group name, and select a policy for placement on different hosts:

    • preferred: soft-anti-affinity. The system will try to place servers on different hosts. If there is no suitable host when creating a server, it will be created on the same host;
    • mandatory: anti-affinity. Servers in a group must be located on different hosts. If there is no suitable host when creating a server, the server will not be created.

    If the group already exists, in the field Accommodation group select the placement group.

    10.2 Optional: add server tags to attach additional information or to filter the servers in the list. Operating system and configuration tags are added automatically. To add a new tag, enter it in the field Tags.

  11. In the block Automation in the field User data insert a script that will be executed when the system boots. You can add additional parameters:

    #cloud-config

    write_files:
      - path: "/opt/gomplate/values/user-values.yaml"
        permissions: "0644"
        content: |
          admin_password: "<administrator_password>"
          wazuhDomain: <example.com>
          leEmail: <root@example.com>
          useLE: true

    Specify:

    • <administrator_password> — Wazuh administrator password. The password must contain:
      • more than eight characters;
      • at least one capital letter;
      • at least one lowercase letter;
      • at least one digit;
    • <example.com> — domain to access Wazuh. For the domain, you must add an A record and specify the public IP address you specified in step 8 in the record value. If the domain is added to Selectel DNS hosting (actual), use the instruction Add a resource record. After the server is created, a TLS certificate from Let's Encrypt® will be automatically issued for the domain;
    • <root@example.com> — Wazuh administrator email to create an account and receive Let's Encrypt® notifications;
    • useLE: true — parameter to automatically issue a TLS certificate from Let's Encrypt®.
  12. Check the price of the cloud server.

  13. Click Create.

Parameters

To configure a cloud server with Wazuh in the field User data you can specify parameters from the table.

| Name | Type | Default value | Description |
| --- | --- | --- | --- |
| admin_username | string | admin | Wazuh administrator username |
| admin_password | string | | Mandatory parameter. Wazuh administrator password. Must be more than eight characters, contain at least one uppercase and one lowercase letter and at least one number |
| api_username | string | wazuh-wui | User name for API access and internal component interaction |
| api_password | string | | User password for API access and internal component interaction. Must be at least 8 characters and no more than 64 characters, contain at least one uppercase and one lowercase letter, a number and a symbol (!, ?, @, #, $, %, ^, &, *). If the field is left blank, the generated password will be used |
| dashboard_username | string | kibanaserver | User name for interaction between the dashboard and the storage server |
| dashboard_password | string | | User password for interaction between the dashboard and the storage server. Must be more than eight characters, contain at least one uppercase and one lowercase letter and at least one digit. If the field is left empty, the generated password will be used |
| agent_password | string | | Password for agent authentication on the management server. Must be more than eight characters long, contain at least one uppercase and one lowercase letter and at least one digit |
| useLE | bool | false | Parameter to automatically issue a TLS certificate from Let's Encrypt®: true: the certificate will be issued; false: the certificate will not be issued |
| wazuhDomain | string | | The domain to access Wazuh, for which a TLS certificate from Let's Encrypt® will be automatically issued |
| leEmail | string | | Wazuh administrator email to create an account and receive Let's Encrypt® notifications |
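
The user data from step 11 can be generated rather than typed by hand, so that every password meets the rules in the table before the server is created. The script below is an added example, not Selectel's or Wazuh's own code; the function names are hypothetical and the domain is a constructed sample. It applies the stricter api_password rule (8 to 64 characters plus a symbol) separately from the "more than eight characters" rule of the other passwords.

```python
import json
import re
import secrets
import string

API_SYMBOLS = "!?@#$%^&*"  # symbols the table lists for api_password

def check_password(name, value):
    """Return the policy violations for one *_password parameter ([] = OK)."""
    problems = []
    if name == "api_password":  # 8..64 characters plus a symbol
        if not 8 <= len(value) <= 64:
            problems.append("length must be 8 to 64 characters")
        if not any(c in API_SYMBOLS for c in value):
            problems.append("needs a symbol from " + API_SYMBOLS)
    elif len(value) <= 8:  # other passwords: more than eight characters
        problems.append("must be more than eight characters")
    for label, pattern in (("uppercase letter", "[A-Z]"),
                           ("lowercase letter", "[a-z]"), ("digit", "[0-9]")):
        if not re.search(pattern, value):
            problems.append("needs at least one " + label)
    return problems

def generate_password(name, length=24):
    """Draw from the OS CSPRNG until the candidate satisfies the policy."""
    alphabet = string.ascii_letters + string.digits
    if name == "api_password":
        alphabet += API_SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(name, candidate):
            return candidate

def render_user_data(values):
    """Validate the parameters and render the cloud-config shown in step 11."""
    for key, val in values.items():
        if key.endswith("_password") and (bad := check_password(key, val)):
            raise ValueError(key + ": " + "; ".join(bad))
    lines = ["#cloud-config", "", "write_files:",
             '  - path: "/opt/gomplate/values/user-values.yaml"',
             '    permissions: "0644"', "    content: |"]
    # json.dumps yields YAML-safe double-quoted strings and true/false booleans
    lines += [f"      {k}: {json.dumps(v)}" for k, v in values.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    params = {k: generate_password(k) for k in ("admin_password", "api_password")}
    params.update(wazuhDomain="wazuh.example.com", leEmail="root@example.com", useLE=True)
    print(render_user_data(params))  # domain and email are constructed samples
```

Paste the printed text into the field User data; store the generated passwords in a password manager first, since the output contains them in plain text.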