FREE SIEM Stack in Seconds! - Deploy a Wazuh SIEM Within Seconds with Docker!

  • Published: 7 Jan 2025
  • Science

Comments • 68

  • @alexdeo8869
    @alexdeo8869 1 month ago +1

    Love the video. I'm tasked in my organization with deploying this service on a multi-node swarm cluster, and I would like to ask if this setup in the video would also apply on a Docker swarm. Please, if you can, make a video on how to deploy on a 3-node Docker swarm cluster, or point out what steps would be different from the video to get the stack on a 3-node cluster VM.
    Thanks in advance for any replies.

  • @enderst81
    @enderst81 2 years ago +2

    Looks like things have changed a bit with 4.3.8.
    Also, Compose is included as a plugin; no longer any need to download and install that. So 'docker compose ...' instead of 'docker-compose ...'.

  • @RaSh_100India
    @RaSh_100India 2 years ago +2

    Where are the files under /ossec/bin stored, that is, the config file of the Wazuh manager? Because I checked, and /var/ossec doesn't exist when we follow the Docker type of installation.

  • @adjidarmawan7640
    @adjidarmawan7640 2 years ago +2

    Thanks for the awesome video, but I have an error about the opendistro_security plugin. Error messages like ["kibana_1 | Unable to remove plugin because of error: "Plugin [opendistro_security] is not installed"]. For your information, I am using the latest version of Kibana.

  • @erickespinosa1517
    @erickespinosa1517 2 years ago +2

    Hello, first of all thank you very much; your videos have helped me a lot with my university laboratories. I wanted to ask a question about Wazuh: how can I add an agent to an ESXi server? I have had a hard time finding reliable and working information.
    Thank you very much in advance, and you have a new subscriber.

  • @gregg718
    @gregg718 2 years ago +2

    I followed and installed everything in this video first. Now I'm currently doing the same for videos part 1-5: Wazuh Indexer, Graylog, Wazuh Manager, Wazuh Agent and pt5 Security Log Routing... I'm sooo confused. Help?

  • @dotcaodin
    @dotcaodin 2 years ago +2

    Amazing! Thanks for the video.

  • @daleyounk8005
    @daleyounk8005 1 year ago +1

    So I am totally new to the implementation of using containers in Proxmox as well as Docker. Can you help me better understand if I should be installing Docker on a separate container or VM, or would it be more proper to have a dedicated Docker server for this and any other projects I do? For instance, I did an Uptime Kuma install not long ago. Should one Docker install be utilized for both projects, or should I continue creating separate Proxmox containers with an instance for their own category of use?

    • @darkveg41
      @darkveg41 1 year ago

      Think of it as Docker = your phone,
      UptimeKuma = any app on your phone.
      So you don't need a new phone every time you install an app.

  • @CyberTeach
    @CyberTeach 1 year ago

    I want to set this up and work with this and VT

  • @abzalabdimanov6395
    @abzalabdimanov6395 2 years ago +4

    Hello, thanks for the great video. I've installed all components; the installation finished successfully. I installed on Ubuntu 20.04. But when I access Kibana's web interface, the "Kibana server is not ready yet" error appears. Could you help me resolve the problem?

    • @TylerHodges1988
      @TylerHodges1988 2 years ago +1

      Same issue here; I'm assuming that is why he cut that part from the video.

    • @abraham202020
      @abraham202020 1 year ago

      I’m having the same problem

    • @nithinraj3551
      @nithinraj3551 1 year ago

      You need to change the base URL in production-cluster.yml.
      Add the local IP of the server and rebuild the Docker.
      Worked for me.

    • @s____u-lo1dx
      @s____u-lo1dx 9 months ago

      same!

  • @robinsondurai
    @robinsondurai 1 year ago

    Great tutorial. One suggestion: the Ubuntu command screen should be a little bit more visible.

  • @LuisVentura-p4o
    @LuisVentura-p4o 1 year ago

    Great video! Super informative! But I had a quick question. I know that you were very detailed and informative, but I'm fairly new to SIEMs and Wazuh in general. Aside from the points you made about Elasticsearch storing the logs and Kibana being able to query the logs stored, are there really any other major differences? For example, would Wazuh work on its own without Elasticsearch and Kibana (would I be able to see alerts in real time and the details)? I managed to install the Wazuh manager and add an agent but didn't notice any major difference (within the interface). Perhaps it's because I'm new to Wazuh, but I asked because I was using Wazuh for a home lab that I'm currently setting up.
    Thanks in advance

  • @vandilizer
    @vandilizer 1 year ago

    Taylor, would this setup work on a Synology DS220+ 2-Bay NAS?

  • @georgewere100
    @georgewere100 2 years ago +1

    Yes!! You are awesome, dude. 2 questions: how do you interact with individual containers? And when making configuration changes to the wazuh-master, do I have to log into that container?

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago +1

      To interact with the containers themselves, do a "docker ps" to get the container ID and then run "docker exec -it *containerid* /bin/bash".
      You can make all config changes from within the Wazuh app plugin within Kibana... but I plan to make a video soon detailing how to get custom scripts into the wazuh manager container.
      Thanks for watching :)

  • @J..123
    @J..123 2 years ago +1

    Thanks for the video! It is very interesting. I have a question: can I install this on the same server where I have a MISP working?

  • @vilaysackvorachack2395
    @vilaysackvorachack2395 2 years ago

    Hi Taylor, I appreciated your videos. But I have a question: can we remove the user whose description line says "Demo", or not?

  • @elmoe718
    @elmoe718 2 years ago

    Can you help me with this question? If we are running the VMs on Linux but I want to secure my Windows, how does that work? I never really understood how companies secure their network running so many different OSes. I'm still new to the field and I'm trying to get a good understanding! Please and thank you!

  • @jg1000c
    @jg1000c 5 months ago

    Can you remake this for 4.8.0?

  • @FrenchSparda
    @FrenchSparda 2 years ago +1

    Great vid as usual. What are the minimal specs expected to run your "build"?

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago +2

      To run just a demo environment you could probably get away with a 2-core CPU and 4 GB of RAM (ensure the Elasticsearch JVM is not configured too high) with 75 GB of disk, but if you are ingesting many more logs then you will need to scale up.

  • @youssefjaber4086
    @youssefjaber4086 1 year ago

    "Kibana server is not ready yet"
    How did you fix it, please?

  • @dhanibux1259
    @dhanibux1259 1 year ago

    How to handle "Kibana server is not ready yet"?

  • @karloa7194
    @karloa7194 2 years ago +1

    When the new version gets released, how do you upgrade your container?

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago +1

      You would just change the image version in the docker-compose file: so you could change "image: wazuh/wazuh-odfe:4.4.0" to "image: wazuh/wazuh-odfe:**VERSION_OF_CHOICE**".

    • @karloa7194
      @karloa7194 2 years ago +1

      @@taylorwalton_socfortress Got some issues with the container. ss says 514 was open, but somehow it would not receive any logs. tcpdump showed it was receiving the logs, but Wazuh got nothing. I nmap'd the host and 514 was closed.

  • @MrAzizihassan
    @MrAzizihassan 2 years ago +1

    Great video!
    I don't have any errors while installing, but 502 Bad Gateway appears in my browser. Any idea?

  • @trev8813
    @trev8813 2 years ago +1

    Great video! I noticed the Wazuh API password was a default password as well. Would you just change that directly in the production-cluster.yml file, or is there anywhere else that would need the API password changed to a custom one? Thanks!

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago

      Hey Trev, check out these steps provided by the Wazuh team here: documentation.wazuh.com/current/user-manual/api/securing-api.html
      Thanks for watching!

  • @KvngWxrd
    @KvngWxrd 1 year ago

    Can someone please help me? I keep getting "Kibana server is not ready yet".

  • @sujenrios2902
    @sujenrios2902 1 year ago

    Thanks for the awesome video, bro.

  • @sugamdangal5950
    @sugamdangal5950 2 years ago

    How do I start the SIEM Docker stack again after I restart my VirtualBox where the stack is deployed?

    • @DunChuanFu
      @DunChuanFu 8 months ago

      You can set it to restart in your docker-compose yml file.

  • @marlonoliveira4810
    @marlonoliveira4810 2 years ago +1

    Which SSH client are you using?

  • @Duser024
    @Duser024 8 months ago

    Thank you so much from Thailand.

  • @garethstewart3273
    @garethstewart3273 2 years ago +1

    How long does it take for the Kibana server to load? Trying to log in to my Wazuh server and it is saying that the "Kibana server is not ready yet".

    • @avecaesar9934
      @avecaesar9934 2 years ago +1

      I also have this issue. The Kibana server will never be ready (left it up for 8 hrs). It is definitely an error that was caused by one of the steps; I believe it was caused by something to do with changing the default password from SecretPassword. Perhaps we have missed an environment variable?

    • @garethstewart3273
      @garethstewart3273 2 years ago +1

      @@avecaesar9934 I think so as well. I started from scratch and just skipped changing the hash, and it has worked.

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago +1

      Did you also change the password within the production-cluster.yml and ensure it was the clear text value?

    • @garethstewart3273
      @garethstewart3273 2 years ago +1

      @@taylorwalton_socfortress I changed the password in the yml file, in plain text, to match the hash I created; unfortunately it wasn't working.
      I decided to rebuild the server without changing the hash and it's working. Not sure if that was the problem or if there wasn't enough RAM, as it was set to 6 but now it's 8.

  • @broph3n
    @broph3n 2 years ago

    Is there some sort of mind logging going on? I think of something I'd like to do with Wazuh and next thing I know you make a video about it

  • @Sh4d0wZ0n3
    @Sh4d0wZ0n3 2 years ago

    I'm using the exact same config as you, followed it to the letter and it just flat out doesn't work. Just consistent XML errors from the wazuh agents.

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago

      XML errors? How are you deploying the agents?

    • @Sh4d0wZ0n3
      @Sh4d0wZ0n3 2 years ago

      @@taylorwalton_socfortress Legit the exact same as you have in your video. wazuh-master has multiple binaries that run the API etc. which fail to start due to the following:
      "Wazuh-Agent: Critical: (1226) Error reading XML file 'ossec.conf' (line 0)". I'm using the files directly from the repo unedited, so there shouldn't be syntax errors...

  • @damobiv
    @damobiv 2 years ago

    Oof, I can't get the nginx container to start. Anyone had this problem?

    • @Rildeng
      @Rildeng 1 year ago

      Did you solve this problem?

    • @damobiv
      @damobiv 1 year ago

      Nope. I gave up.

  • @adamadamadde
    @adamadamadde 11 months ago

    Dude, u totally clowned it. If u follow ur steps we get the same error at 17:58... and then u cut to when it actually works...

  • @JayTownsend1
    @JayTownsend1 2 years ago

    Awesome video, but your microphone quality is terrible and has a lot of distortion on the treble. A good microphone setup from Elgato would fix that right up, as currently it sounds like you are using a cheap headset.

    • @eagle18hls
      @eagle18hls 6 months ago

      Sounds fine here. I would look at your speakers.

  • @ДмитрийНемна
    @ДмитрийНемна 2 years ago +1

    I watch all your videos. This is cool.
    There are several questions about this lesson.
    With SIEM in Docker:
    - edits to the cluster configuration are not saved after docker-compose down and up;
    - it does not work when configured to receive log events through syslog, even with

    syslog
    514
    tcp
    xxx.xxx.x.x/24
    How to make it work?

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago

      Try changing to tcp and use the loopback address as the . And make sure you change the port mapping to tcp in the docker-compose.
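
The transport mismatch this thread circles around, as an added check that is neither from the video nor from the Wazuh project: a Wazuh <remote> block defaults to udp, while a compose port entry such as 514:514 publishes tcp only, so the listener can look open yet never see a datagram. The <remote> block and the ports list below are constructed samples; the function reports every syslog listener that no published mapping reaches, together with the mapping that would.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample <remote> block, as it would sit in the manager's ossec.conf.
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed sample "ports:" list of the manager service in docker-compose.
COMPOSE_PORTS = ["1514:1514", "1515:1515", "514:514"]
# [ip:]host:container[/proto], as compose writes it; the protocol suffix is optional.
PORT_RE = re.compile(r"^(?:(?P<ip>[0-9.]+):)?(?P<host>\d+):(?P<cont>\d+)(?:/(?P<proto>tcp|udp))?$")


def syslog_listeners(xml_text):
    """Return {(port, protocol)} for each syslog <remote>; Wazuh defaults to 514/udp."""
    found = set()
    for remote in ET.fromstring(xml_text).iter("remote"):
        if remote.findtext("connection", "").strip() != "syslog":
            continue
        port = int(remote.findtext("port", "514").strip())
        proto = remote.findtext("protocol", "udp").strip().lower()
        found.add((port, proto))
    return found


def published_ports(mappings):
    """Return {(container_port, protocol)}; compose publishes tcp unless /udp is given."""
    found = set()
    for entry in mappings:
        m = PORT_RE.match(entry.strip())
        if not m:
            raise ValueError(f"unrecognised port mapping: {entry!r}")
        found.add((int(m.group("cont")), m.group("proto") or "tcp"))
    return found


def find_mismatches(xml_text, mappings):
    """Listeners no mapping reaches, each with the compose entry that would reach it."""
    published = published_ports(mappings)
    return [(port, proto, f"{port}:{port}/{proto}")
            for port, proto in sorted(syslog_listeners(xml_text))
            if (port, proto) not in published]


if __name__ == "__main__":
    for port, proto, fix in find_mismatches(OSSEC_CONF, COMPOSE_PORTS):
        print(f"ossec.conf listens on {port}/{proto} but compose does not publish it; add '{fix}'")
```

Either side can be changed to match: publish 514:514/udp, or set the <protocol> to tcp as the reply above suggests and keep the tcp mapping.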

  • @jimskyboy2
    @jimskyboy2 1 year ago

    EDIT! I fixed it!
    Within the compose.yaml there's a memlock with soft -1 hard -1, and after that the ulimit 65k is there as needed. Docker users will have to remove the memlock and the duplicate soft/hard and the container will boot!
    Hoping you can give some assistance.
    Doing a fresh install of 4.4.5 in Docker in a Proxmox VM.
    After installing the Wazuh Docker following the latest instructions, I receive this error:
    Attaching to single-node-wazuh.dashboard-1, single-node-wazuh.indexer-1, single-node-wazuh.manager-1
    Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting rlimits for ready process: error setting rlimit type 8: operation not permitted: unknown
    I can get the container running if I set a ulimit like so: docker run --name single-node-wazuh.indexer-2 --ulimit nofile=20000:40000 -d wazuh/wazuh-indexer:4.4.5
    The issue is now that the container is located in another stack that's called build-docker-images instead of "single-node".
    Do you have any ideas on how to fix it? If you install the latest version of Docker Wazuh through git-singlenode, I'm sure you'll find the same issue.

    • @tbrand1968
      @tbrand1968 1 year ago

      Can you give an example of "REMOVE THE MEMLOCK AND DUPLICATE SOFT/HARD and the container will boot"?
      I have this in each instance of the Elasticsearch...
      memlock:
      soft: -1
      hard: -1
      Should I just delete that?
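
An added diagnostic for the runc error quoted in this thread, not from the video or the Wazuh project: it reads the rlimit type number out of the message, maps it with Linux's rlimit numbering (type 8 is RLIMIT_MEMLOCK, which compose calls memlock), and returns the ulimits entry the daemon refused, so the reader knows which block the fix above is about. The error line and the ulimits dict are constructed; the dict is the equivalent of the memlock/nofile fragment quoted above.

```python
import re

# Linux rlimit numbers (asm-generic/resource.h) and the key docker compose uses for
# the same limit under "ulimits:". The numbering is Linux-specific (macOS differs).
LINUX_RLIMIT_KEYS = {
    0: "cpu", 1: "fsize", 2: "data", 3: "stack", 4: "core", 5: "rss",
    6: "nproc", 7: "nofile", 8: "memlock", 9: "as", 10: "locks",
    11: "sigpending", 12: "msgqueue", 13: "nice", 14: "rtprio", 15: "rttime",
}

# Constructed sample in the shape runc reports when the daemon may not apply a limit.
RUNC_ERROR = ("OCI runtime create failed: runc create failed: unable to start container "
              "process: error during container init: error setting rlimits for ready "
              "process: error setting rlimit type 8: operation not permitted: unknown")

# Constructed dict equivalent of the indexer service's compose "ulimits:" block.
# soft/hard -1 means unlimited; raising a hard limit above the daemon's own needs
# CAP_SYS_RESOURCE, so an unprivileged daemon gets EPERM ("operation not permitted").
INDEXER_ULIMITS = {
    "memlock": {"soft": -1, "hard": -1},
    "nofile": {"soft": 65536, "hard": 65536},
}


def rejected_limit(error_text):
    """Compose ulimits key for the rlimit type named in a runc error, or None."""
    m = re.search(r"error setting rlimit type (\d+)", error_text)
    return LINUX_RLIMIT_KEYS.get(int(m.group(1))) if m else None


def diagnose(error_text, ulimits):
    """(key, configured soft/hard) for the limit the daemon refused, or None."""
    key = rejected_limit(error_text)
    return (key, ulimits[key]) if key in ulimits else None


def without_limit(ulimits, key):
    """The ulimits block with one entry dropped, the fix reported in the thread."""
    return {k: v for k, v in ulimits.items() if k != key}


if __name__ == "__main__":
    hit = diagnose(RUNC_ERROR, INDEXER_ULIMITS)
    if hit:
        print(f"daemon refused ulimits.{hit[0]} = {hit[1]}; keep: {without_limit(INDEXER_ULIMITS, hit[0])}")
```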