Wazuh
Wazuh is a SIEM for information protection and security event management. It prevents and finds vulnerabilities with a security agent, detects threats and responds to incidents.
You can create a cloud server with a ready-made Wazuh application.
Create a cloud server with Wazuh
For Wazuh to work, the cloud server must be accessible from the Internet. To do this, you need to create a private subnet and connect a public IP address — you can do this when creating the server. To configure Wazuh when creating the server, you need to specify user data — user configuration parameters of the operating system.
Once the server is created, you can automatically release a free TLS Certificate from Let's Encrypt® for the domain you specify. To issue a certificate, you must add an A record for the domain and specify the public IP address of the server in the record value. The domain can be add to Selectel DNS hosting (actual).
-
In control panel go to Cloud platform → Servers.
-
Click Create a server.
-
In the block Name and location:
3.1 In the field Name enter the server name. This will be set as the host name in the operating system.
3.2 In the fields Region and Poole select region and pool segment The pool segment determines the list of available server configurations and the cost of resources. The list of available server configurations and the cost of resources depends on the pool segment. Once the server is created, the pool segment cannot be changed.
-
In the block Source select the source from which the server will be created.
Click on the default source name, open the tab Appendicesselect
Cloud Wazuh <version> 64-bit
and press Select. -
In the block Configuration select a server configuration based on the number of Wazuh agents. If there are less than 100 agents, select a configuration from 4 vCPUs, RAM from 8 GB and boot disk size from 16 GB. You can select:
- fixed configuration — rulers in which the ratio of resources is fixed;
- or arbitrary configuration, where any resource ratio can be specified.
The configurations use different processors depending on the lineup and pool segment.
5.1. To select a fixed configuration, press FixedOpen the tab with the desired ruler and select the configuration.
5.2 To select an arbitrary configuration, press Arbitrary, specify the number of vCPUs and the size of RAM.
5.3. To select the following as the server boot disk local disk and check the box Local SSD NVMe disk. To select a boot disk as the boot disk network disk don't check the box.
The amount of RAM that is allocated to the server may be less than specified in the configuration — the operating system kernel reserves some RAM depending on the kernel version and distribution. You can check the allocated amount on the server using the command
sudo dmesg | grep Memory
.Once the server is created, you can reconfigure.
-
If you have not checked the checkbox Local SSD NVMe disk in step 5.3, the first specified network disk will be used as the server boot disk. In the block Disks:
6.1 In the field Disk type select network boot disk type.
6.2 Specify the size of the network boot disk in GB or TB. Take into account network disk limits to the maximum size.
-
Optional: add additional network drives of the server. In the block Disks:
7.1 In the field Disk type select network drive type.
7.2 Specify the size of the network disk in GB or TB. Take into account network disk limits to the maximum size.
7.3 To add another additional drive, press AddSelect the type of disk and specify its size.
Once the server is created, you can disconnect additional disks from it or connect new ones.
-
In the block Network create a private subnet and a static public IP address. In the Subnetwork select Private + 1 public IP. A private network will be automatically created
nat
, private subnet, router.router-nat
and a public IP address.If a private subnet and a cloud router connected to an external network are created, in the field Subnetwork select Private + 1 public IPin the field Private subnet select the created subnet, in the Private IP specify the private IP address of the server. If a public IP address is created, click Connect existing and select a public IP address.
-
In the block Access:
9.1 Place on the server SSH key for a secure connection.
To add a new SSH key to the cloud platform, click Add an SSH keyenter the key name, insert the public SSH key in OpenSSH format, and then click Add.
If an SSH key is added to the cloud platform, in the field SSH key select an existing key.
9.2 Optionally: in the field Password for "root" copy the user's password
root
(a user with unlimited rights to all system operations). Save the password in a safe place and do not share it in public. -
In the block Additional settings:
10.1 Optionally, if you plan to create multiple servers and want to increase the fault tolerance of your infrastructure, add a server in the placement group. To create a new group, press Create a group, enter a group name, and select a policy for hosting on different hosts:
- preferably soft-anti-affinity. The system will try to place servers on different hosts. If there is no suitable host when creating a server, it will be created on the same host;
- anti-affinity is mandatory. Servers in a group must be located on different hosts. If there is no suitable host when creating a server, the server will not be created.
If the group is created, in the field Accommodation group select a placement group.
10.2 Optional: add tags servers to add additional information or filter the servers in the list. Operating system and configuration tags are automatically added. To add a new tag, in the Tags enter tag.
-
In the block Automation in the field User data insert a script that will be executed when the system boots. You can add additional parameters:
Creating a server with TLS certificate issuance
Creating a server without issuing a TLS certificate
#cloud-config
write_files:
- path: "/opt/gomplate/values/user-values.yaml"
permissions: "0644"
content: |
admin_password: "<administrator_password>"
wazuhDomain: <example.com>
leEmail: <root@example.com>
useLE: trueSpecify:
<administrator_password>
— Wazuh administrator password. The password must contain:- more than eight characters;
- at least one capital letter;
- at least one lowercase letter;
- at least one digit;
<example.com>
— domain to access Wazuh. For the domain, you must add an A record and specify the public IP address you specified in step 8 in the record value. If the domain added to Selectel DNS hosting (actual) use the instruction manual. Add a resource record. After the server is created, a TLS certificate from Let's Encrypt® will be automatically issued for the domain;<root@example.com>
— Wazuh administrator email to create an account and receive Let's Encrypt® notifications;useLE: true
— parameter to automatically issue a TLS certificate from Let's Encrypt®.
#cloud-config
write_files:
- path: "/opt/gomplate/values/user-values.yaml"
permissions: "0644"
content: |
admin_password: "<administrator_password>"Specify:
<administrator_password>
— Wazuh administrator password. The password must contain:- more than eight characters;
- at least one capital letter;
- at least one lowercase letter;
- at least one digit.
-
Check the price of the cloud server.
-
Click Create.
Parameters
To configure a cloud server with Wazuh in the field User data you can specify parameters from the table.