Installer for Windows

This manual explains how to install Wazuh and Logstash separately. If you want to install both applications at the same time, just follow the steps in section "2. Download and Execution" and select both "Wazuh" and "Logstash" when you are asked to choose the applications you want to install.

1.   Download and Execution

  1. Download the main program, called ApoloInstaller.exe. It is recommended to place it in a folder that is known and accessible.

  2. Run the program and accept the windows that appear during the process. It should ask for Administrator permissions. If it does not, it is recommended to right-click the installer and run it as Administrator.

  3. If Windows flags it as a threat on the next screen, click "More information" and then "Run anyway".

The following screen will appear, where we have to enter the credentials provided by the organization so that the installer can verify them and retrieve the data needed for a correct installation.

If an error appears because the agent was already installed previously, follow these steps:

  5.1. In Windows Search, open "Add or Remove Programs".

  5.2. Search for "Wazuh Agent".

  5.3. Uninstall "Wazuh Agent".

  5.4. Return to point 2 to resume the installation.

Customer verification may take a few seconds. If the verification succeeds, the following configuration screen appears, where we select whether the installation is for a PC or a server:

  6.1. If authentication fails, the following pop-up will appear, and we return to point 2.

It is advisable to give the machines distinct names during installation so that, later on, it is easier to identify where attacks and vulnerabilities come from, but this is optional.

  8. The following window will appear, where we have to choose "Wazuh".

We will wait for the download until the screen appears indicating that the installation has been successfully completed.

2.   Verification of the installation

  1. To verify that the installation has been successful, we carry out some checks. In the Windows search box, search for "Manage Agent".
  2. Verify that "Authentication key" contains a sequence of characters. If the installation is very recent, it is sometimes necessary to click "Refresh" and then, in the "Manage" tab, "Restart".
  3. If the key still does not appear, restart the PC or server and check again after a few minutes.

3.   Checking the installation

  1. Go to our dashboard environment at the following URL: empresa.apoloanalytics.com

We access our main dashboard; if we have installed Wazuh on PC computers, they should appear in the visual graph under the name PCs:

We can also click on the servers section to see the dashboard where the inventory and general security alerts of the servers are displayed:

  2. If the list shows the servers on which we have installed the agent and the graphs show data, the installation has been successful. This is how the PC dashboard looks once the agents have been installed correctly:
  3. If we click on a PC or server in the dashboards shown above, we can see the details of that device:

4.   Uninstall Apolo

If it is necessary to uninstall Apolo, go to section "2. Download and Execution", subsection 5, and follow steps 5.1 to 5.3.

5.   Logstash Apolo installation

Carry out steps 1, 2, 3, 4, 6 and 7 of section "2. Download and Execution". Once done, the following window will appear:

Select Logstash and wait for the download to complete:

Finally, a window will appear as in section 8 of "2. Download and Execution". Select "Finish" and the download will have completed correctly.

6.   Logstash Apolo configuration

The installation of Logstash and its service is located in the 'Apolo Analytics' folder, by default at 'C:\Program Files\Apolo Analytics'.

  • To configure Logstash correctly, once point "5. Logstash Apolo installation" is done, Logstash will have a default configuration; we will have to adapt it to our needs.
  • Enter the folder 'C:\Program Files\Apolo Analytics\logstash-version', where we will find the following files:
  • The file we need to modify is 'logstash.conf', located in the previous location, which will have a configuration similar to the following.
  • By default, port 5144 is the input. We have to configure our systems (for example the firewall or switch) to send their logs to port 5144 over UDP so that they reach Logstash. If we want to use another port, we also have to change it in the input.
  • By default, port 514 is used to send the logs to Wazuh. Check that nomclientempresa is our company name and that it is correct. We recommend NOT changing port 514 or the TCP protocol. The logs travel encrypted on this port to apoloanalytics.com.
  • Finally, the filter section is used to convert the logs into the format Wazuh needs in order to generate alerts. If we receive different sources that we want to format, we have to separate them with ifs as follows.

if [host][ip] == "192.168.X.X" {

}

Between the quotation marks we place the IP address from which we receive the logs (for example, a firewall or a switch).

NOTE: The default configuration allows any log format to be transmitted; the formatting is used so that Apolo can distinguish the different fields of a log and correlate it correctly with other logs.

Example for Fortigate Firewall:

if [host][ip] == "192.168.X.X" {

   grok {

     match => { "message" => "%{SYSLOG5424PRI}%{GREEDYDATA:message}" }

     overwrite => [ "message" ]

   }

}

Adding the grok inside the if is enough to receive correctly formatted and sectioned logs.
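To check what the filter above does to real lines before editing logstash.conf, here is an added Python example (not part of this manual nor of Apolo's own code) that mirrors the Fortigate branch: a regex equivalent of %{SYSLOG5424PRI}%{GREEDYDATA:message}, the "message" overwrite, the _grokparsefailure tag Logstash adds when the pattern does not match, and the routing by [host][ip]. The IP addresses and log lines are constructed, and the facility/severity split of the PRI value goes beyond what the manual's grok extracts.

```python
import re

# Regex equivalent of the grok pattern from the Fortigate branch above:
#   %{SYSLOG5424PRI}%{GREEDYDATA:message}
# SYSLOG5424PRI is "<" + a non-negative integer + ">" captured as syslog5424_pri;
# GREEDYDATA captures everything that follows into "message".
GROK_FORTIGATE = re.compile(r"^<(?P<syslog5424_pri>\d+)>(?P<message>.*)$", re.DOTALL)

# One entry per "if [host][ip] == ..." branch of the filter section.
# The address is a constructed placeholder, not a value from the manual.
FILTERS = {
    "192.168.10.1": GROK_FORTIGATE,   # hypothetical firewall address
}


def apply_filter(event):
    """Apply the branch for event["host"]["ip"], as the filter section would.

    On a match the captured fields are added and "message" is overwritten
    (overwrite => ["message"]); on a mismatch Logstash leaves the event as is
    and tags it _grokparsefailure, which is reproduced here.
    """
    pattern = FILTERS.get(event["host"]["ip"])
    if pattern is None:
        return event                      # no branch for this source: pass through
    match = pattern.match(event["message"])
    if match is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update(match.groupdict())
    # Beyond the manual's grok: split PRI into facility and severity (RFC 5424).
    pri = int(event["syslog5424_pri"])
    event["syslog_facility"] = pri // 8
    event["syslog_severity"] = pri % 8
    return event


def run_pipeline(events):
    """Run a copy of every event through apply_filter and return the results."""
    return [apply_filter(dict(e, host=dict(e["host"]))) for e in events]


# Constructed sample events, shaped like what the udp input on port 5144 produces.
SAMPLE_EVENTS = [
    {"host": {"ip": "192.168.10.1"},
     "message": '<189>date=2024-02-01 time=10:00:00 devname="FGT" type="traffic" action="deny"'},
    {"host": {"ip": "192.168.10.1"}, "message": "line with no PRI header"},
    {"host": {"ip": "192.168.20.2"}, "message": "<13>switch log from a source without a branch"},
]
```

Running run_pipeline(SAMPLE_EVENTS) shows the first event with its PRI stripped into syslog5424_pri, the second tagged _grokparsefailure, and the third passed through untouched because no if branch matches its source address.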

Updated on February 1, 2024