2025 © Ty Qualters. Built with .
First off, what is Wazuh?
Wazuh is an Extended Detection and Response (XDR) platform (XDR essentially extends Endpoint Detection and Response, or EDR) combined with a Security Information and Event Management (SIEM) system.
Secondly, why DigitalOcean?
AWS, Azure, and GCP are all pretty expensive and pretty complex. They have numerous features and capabilities that make them enticing for small teams and production environments. DigitalOcean is simpler, providing an easier and more direct way to get services running at a cheaper price. It also provides initial credit to new users and offers additional credit to students through the GitHub Student Developer Pack.
What’s the point?
Companies use SIEM for Log Management, Threat Analysis, Threat Hunting, and Incident Response. It is used alongside Security Orchestration, Automation, and Response (SOAR) to quickly resolve incidents as or before they arise.
Sounds good. Let’s get started!
A Droplet is just DigitalOcean’s name for a VM.
Creating a Droplet is pretty easy. On the side panel, navigate to the Droplets link. Then click on “Create Droplet.”
For the region and data center, select the ones that are closest to you.
Please note: Each datacenter has its own default VPC. If you do not explicitly create your own VPC, other Droplets in the same datacenter can reach this Droplet over its Private IP address.
Wazuh’s documentation suggests the following Operating Systems to run its Manager:
| Operating Systems |
|---|
| Amazon Linux 2, Amazon Linux 2023 |
| CentOS 7, 8 |
| Red Hat Enterprise Linux 7, 8, 9 |
| Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04 |
I selected Ubuntu 24.04 LTS because it is still supported, stable, and it just works.
Wazuh also has recommended specs for the VM.
| Agents | CPU | RAM | Storage (90 days) |
|---|---|---|---|
| 1-25 | 4 vCPU | 8 GiB | 50 GB |
| 25-50 | 8 vCPU | 8 GiB | 100 GB |
| 50-100 | 8 vCPU | 8 GiB | 200 GB |
Wazuh can also be deployed as a multi-node cluster for high availability and performance.
For this Droplet, I chose the following.
Don’t forget to either create an SSH keypair to connect with, or set a password. If this is being used outside of a learning environment, I would also recommend turning on automatic backups and metrics monitoring.
You can also enable IPv6 (for free) and add initialization scripts to automatically run (for free) if you wish to.
Set a host name and click on “Create Droplet.”
Once that is done, repeat this step for as many agents as you wish to set up. I would personally recommend giving the agents fewer resources (2 GB RAM and 1 vCPU should be fine).
Firstly, we will need to grab the IP address of the manager.
Then in your terminal, type: ssh root@159.223.xxx.xxx
If asked about authenticity, just type “yes” into the prompt followed by your password upon request.
Run this command (as root or with sudo permissions): curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
This will take some time to install, but will then give you what you need to log into Wazuh.
You will just need to navigate to https://159.223.xxx.xxx (don’t forget the https) in your browser to log in.
If a warning appears, select “Advanced” then “Continue to 159.223.xxx.xxx (unsafe).” This appears because the installer generates its own certificate, which is not issued by a trusted authority; the connection is still encrypted. Do not fret, this is still safe to use.
You will then get to the dashboard.
Adding agents is actually incredibly easy.
Navigate to your Agents Summary, either on the Side Bar or on the Dashboard.
That should take you to this page:
Select the appropriate option for the Agent OS. For Ubuntu 24.04 LTS, this would be the “DEB amd64” option.
For the server address, enter the IP address of the manager (NOT the agent), e.g. 159.223.xxx.xxx (refer to your URL bar). In this case, I used the manager’s Private IP address instead of its Public IP address, which works because both Droplets are in the same VPC.
Then, connect to your agent: ssh root@104.248.xxx.xxx
After, complete the steps by copying, pasting, and running the generated commands on your agent machine.
You can confirm everything worked by running: sudo systemctl status wazuh-agent
You should be able to now see it under the Agent Summary.
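Beyond `systemctl status`, a useful check is that the agent's config actually points at the manager's Private IP (as chosen above, inside the VPC) and that the agent log reports a connection. The script below is an added example, not part of the original post; the config snippet and log lines are constructed samples modelled on /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log.

```shell
#!/bin/sh
# Constructed sample of the <client><server> block from a Wazuh agent's ossec.conf.
SAMPLE_CONF='<ossec_config>
  <client>
    <server>
      <address>10.116.0.2</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>'

# Constructed sample agent log lines (format modelled on ossec.log).
SAMPLE_LOG="2025/06/01 10:00:01 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.116.0.2]:1514/tcp'.
2025/06/01 10:00:11 wazuh-agentd: INFO: (4102): Connected to the server ([10.116.0.2]:1514/tcp)."

# Print the first manager <address> found in a config passed on stdin.
manager_address() {
    sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' | head -n 1
}

# Return 0 if the IPv4 address is in an RFC 1918 private range.
is_private_ipv4() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the manager address in a config string: private / public / missing.
classify_manager() {
    addr=$(printf '%s\n' "$1" | manager_address)
    if [ -z "$addr" ]; then
        echo missing
    elif is_private_ipv4 "$addr"; then
        echo private
    else
        echo public
    fi
}

# Report "connected" if the latest connection-related log line is a success.
agent_status() {
    last=$(printf '%s\n' "$1" | grep -E 'Connected to the server|Unable to connect' | tail -n 1)
    case "$last" in
        *"Connected to the server"*) echo connected ;;
        *) echo "not connected" ;;
    esac
}
```

On a real agent, feed it the live files, e.g. `classify_manager "$(cat /var/ossec/etc/ossec.conf)"` and `agent_status "$(cat /var/ossec/logs/ossec.log)"`.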
And that is essentially it! You have successfully set up Wazuh and added an agent!
Unfortunately for everybody, life is not really simple. There are some problems to acknowledge here.
auditd
to monitor more logs).sudo apt update -y
or sudo apt upgrade -y
was seen here.

After this was all said and done, I learned how to set up and configure Wazuh for SIEM. I believe this is important experience for cybersecurity: being able to log and monitor systems for potential intrusions and to respond quickly and accordingly.