FREE SIEM Stack in Seconds! - Deploy a Wazuh SIEM Within Seconds with Docker!

Views: 27,260

Taylor Walton

1 day ago

Comments: 68
@alexdeo8869 1 month ago
Love the video. I'm tasked in my organization with deploying this service on a multi-node swarm cluster, and I would like to ask if the setup in the video would also apply to a Docker swarm. If you can, please make a video on how to deploy on a 3-node Docker swarm cluster, or point out which steps would be different from the video to get the stack on a 3-node cluster VM. Thanks in advance for any replies.
@abzalabdimanov6395 2 years ago
Hello, thanks for the great video. I've installed all components and the installation finished successfully. I installed on Ubuntu 20.04. But when I access Kibana's web interface, the "Kibana server is not ready yet" error appears. Could you help me resolve the problem?
@TylerHodges1988 2 years ago
Same issue here. I'm assuming that is why he cut that part from the video.
@abraham202020 1 year ago
I’m having the same problem
@nithinraj3551 1 year ago
You need to change the base URL in production-cluster.yml. Add the local IP of the server and rebuild the Docker stack. Worked for me.
@s____u-lo1dx 8 months ago
Same!
@daleyounk8005 1 year ago
So I am totally new to using containers in Proxmox as well as Docker. Can you help me better understand whether I should be installing Docker in a separate container or VM, or whether it would be more proper to have a dedicated Docker server for this and any other projects I do? For instance, I did an Uptime Kuma install not long ago. Should one Docker install be used for both projects, or should I continue creating separate Proxmox containers, each with an instance for its own category of use?
@darkveg41 1 year ago
Think of Docker as your phone and Uptime Kuma as any app on your phone, so you don't need a new phone every time you install an app.
@RaSh_100India 2 years ago
Where are the files under /ossec/bin stored, that is, the config files of the Wazuh manager? Because I checked and /var/ossec doesn't exist when we follow the Docker type of installation.
@enderst81 2 years ago
Looks like things have changed a bit with 4.3.8. Also, compose is included as a plugin, so you no longer need to download and install it. So 'docker compose ...' instead of 'docker-compose ...'
@gregg718 2 years ago
I followed and installed everything in this video first. Now I'm currently doing the same for videos part 1-5: Wazuh Indexer, Graylog, Wazuh Manager, Wazuh Agent and pt5 Security Log Routing... I'm sooo confused. Help?
@CyberTeach 1 year ago
I want to set this up and work with this and VT
@MrAzizihassan 2 years ago
Great video! I don't have any errors while installing, but 502 Bad Gateway appears in my browser. Any idea?
@long-gp9bc 2 years ago
I'm having the same issue
@inocentiusdamar5538 2 years ago
Same
@ryanfadhillah4510 1 year ago
Have you guys found a way to fix this error?
@Rildeng 1 year ago
@ryanfadhillah4510 have you fixed this one?
@eliezerortiz8546 1 year ago
Did you find a solution?
@LuisVentura-p4o 1 year ago
Great video! Super informative! But I had a quick question. I know that you were very detailed and informative, but I'm fairly new to SIEMs and Wazuh in general. Aside from the points you made about Elasticsearch storing the logs and Kibana being able to query the logs stored, are there really any other major differences? For example, would Wazuh work on its own without Elasticsearch and Kibana (would I be able to see alerts in real time and the details)? I managed to install the Wazuh manager and add an agent but didn't notice any major difference (within the interface). Perhaps it's because I'm new to Wazuh, but I asked because I was using Wazuh for a home lab that I'm currently setting up. Thanks in advance
@adjidarmawan7640 2 years ago
Thanks for the awesome video, but I have an error about the opendistro_security plugin. The error message is like ["kibana_1 | Unable to remove plugin because of error: "Plugin [opendistro_security] is not installed"]. For your information, I am using the latest version of Kibana.
@georgewere100 2 years ago
Yes!! You are awesome, dude. Two questions: how do you interact with individual containers? And when making configuration changes to the wazuh-master, do I have to log into that container?
@taylorwalton_socfortress 2 years ago
To interact with the containers themselves, do a "docker ps" to get the container ID and then run "docker exec -it *containerid* /bin/bash". You can make all config changes from within the Wazuh app plugin within Kibana... but I plan to make a video soon detailing how to get custom scripts into the Wazuh manager container. Thanks for watching :)
@karloa7194 2 years ago
When a new version gets released, how do you upgrade your container?
@taylorwalton_socfortress 2 years ago
You would just change the image version in the docker-compose file : so you could change "image: wazuh/wazuh-odfe:4.4.0" to "image: wazuh/wazuh-odfe:**VERSION_OF_CHOICE**"
@karloa7194 2 years ago
@taylorwalton_socfortress Got some issues with the container. ss says 514 was open, but somehow it would not receive any logs. tcpdump showed it was receiving the logs, but Wazuh got nothing. I nmap'd the host and 514 was closed.
@robinsondurai 1 year ago
Great tutorial. One suggestion: the Ubuntu command screen should be a little bit more visible.
@erickespinosa1517 1 year ago
Hello, first of all thank you very much, your videos have helped me a lot for my university laboratories. I wanted to ask a question about Wazuh: how can I add an agent to an ESXi server? I have had a hard time finding reliable and working information. Thank you very much in advance, and you have a new subscriber.
@vandilizer 1 year ago
Taylor, would this setup work on a Synology DS220+ 2-bay NAS?
@jg1000c 4 months ago
Can you remake this for 4.8.0?
@J..123 2 years ago
Thanks for the video! It's very interesting. I have a question: can I install this on the same server where I have MISP working?
@taylorwalton_socfortress 2 years ago
Yes, as long as you have enough resources allocated to the box.
@youssefjaber4086 1 year ago
"Kibana server is not ready yet" - how did you fix it, please?
@dhanibux1259 1 year ago
How do I handle "Kibana server not ready yet"?
@FrenchSparda 2 years ago
Great vid as usual. What are the minimal specs expected to run your "build"?
@taylorwalton_socfortress 2 years ago
To run just a demo environment you could probably get away with a 2-core CPU and 4 GB of RAM (ensure the Elasticsearch JVM is not configured too high) with 75 GB of disk, but if you are ingesting many more logs then you will need to scale up.
@elmoe718 2 years ago
Can you help me with this question? If we are running the VMs on Linux but I want to secure my Windows, how does that work? I never really understood how companies secure their network running so many different OSes. I'm still new to the field and I'm trying to get a good understanding! Please and thank you!
@KvngWxrd 1 year ago
Can someone please help me? I keep getting "Kibana server is not ready yet".
@vilaysackvorachack2395 1 year ago
Hi Taylor, I appreciate your videos. But I have a question: can we remove the user that the description line says is "Demo", or not?
@garethstewart3273 2 years ago
How long does it take for the Kibana server to load? Trying to log in to my Wazuh server and it is saying "Kibana server is not ready yet".
@avecaesar9934 2 years ago
I also have this issue. The Kibana server will never be ready (left it up for 8 hrs). It is definitely an error that was caused by one of the steps; I believe it was caused by something to do with changing the default password from SecretPassword. Perhaps we have missed an environment variable?
@garethstewart3273 2 years ago
@avecaesar9934 I think so as well. I started from scratch, just skipped changing the hash, and it has worked.
@taylorwalton_socfortress 2 years ago
Did you also change the password within the production-cluster.yml and ensure it was the clear text value?
@garethstewart3273 2 years ago
@taylorwalton_socfortress I changed the password in the yml file to match the hash I created, in plain text; unfortunately it wasn't working. I decided to rebuild the server without changing the hash and it's working. Not sure if that was the problem or if there wasn't enough RAM, as it was set to 6 but now it's 8.
@dotcaodin 2 years ago
Amazing! Thanks for the video.
@sugamdangal5950 2 years ago
How do I start the SIEM Docker stack again after I restart my VirtualBox VM where the stack is deployed?
@DunChuanFu 8 months ago
You can set it to restart in your docker compose yml file.
@Sh4d0wZ0n3 2 years ago
I'm using the exact same config as you, followed it to the letter and it just flat out doesn't work. Just consistent XML errors from the wazuh agents.
@taylorwalton_socfortress 2 years ago
XML errors? How are you deploying the agents?
@Sh4d0wZ0n3 2 years ago
@taylorwalton_socfortress Legit the exact same as you have in your video. wazuh-master has multiple binaries that run the API etc., which fail to start due to the following: "Wazuh-Agent: Critical: (1226) Error reading XML file 'ossec.conf' (line 0)". I'm using the files directly from the repo unedited, so there shouldn't be syntax errors...
@marlonoliveira4810 2 years ago
Which SSH client are you using?
@taylorwalton_socfortress 2 years ago
termius.com/
@trev8813 2 years ago
Great video! I noticed the Wazuh API password was a default password as well. Would you just change that directly in the production-cluster.yml file or is there anywhere else that would need the API password changed to a custom one? Thanks!
@taylorwalton_socfortress 2 years ago
Hey Trev, check out these steps provided by the Wazuh team here: documentation.wazuh.com/current/user-manual/api/securing-api.html Thanks for watching!
@sujenrios2902 1 year ago
Thanks for the awesome video, bro
@jimskyboy2 1 year ago
EDIT! I fixed it! Within the compose.yaml there's a memlock with "soft -1 hard -1", and after that the ulimit 65k is there as needed. Docker users will have to remove the memlock and the duplicate soft/hard and the container will boot!

Hoping you can give some assistance. Doing a fresh install of 4.4.5 in Docker in a Proxmox VM. After installing the Wazuh Docker stack following the latest instructions, I receive this error:

Attaching to single-node-wazuh.dashboard-1, single-node-wazuh.indexer-1, single-node-wazuh.manager-1
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting rlimits for ready process: error setting rlimit type 8: operation not permitted: unknown

I can get the container running if I set a ulimit as so:

docker run --name single-node-wazuh.indexer-2 --ulimit nofile=20000:40000 -d wazuh/wazuh-indexer:4.4.5

The issue is now that the container is located in another stack that's called build-docker-images instead of "single-node". Do you have any ideas on how to fix it? If you install the latest version of Docker Wazuh through git-singlenode I'm sure you'll find the same issue.
@tbrand1968 1 year ago
Can you give an example of "REMOVE THE MEMLOCK AND DUPLICATE SOFT/HARD and the container will boot"? I have this in each instance of the Elasticsearch... "memlock: soft: -1 hard: -1". Should I just delete that?
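An added example of the edit jimskyboy2 describes, not the video's compose file or the Wazuh project's own: the indexer service's ulimits with the memlock entry taken out and the open-files limit kept. The service name, image tag, the 65536 value and the restart policy (the point raised above about the stack coming back after a VM reboot) are assumptions reconstructed from the comments.

```yaml
# Added example; not from the video or the Wazuh repository.
# Excerpt of a single-node docker-compose.yml (service name, image tag and
# limit values are assumptions taken from the comments in this thread).
services:
  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.4.5
    # Bring the container back after a host/VM reboot instead of starting it by hand.
    restart: always
    ulimits:
      # Delete these three lines. They ask the runtime to raise RLIMIT_MEMLOCK
      # (rlimit type 8 in the error text) to unlimited, which fails with
      # "operation not permitted" on hosts that do not let the container raise it.
      # memlock:
      #   soft: -1
      #   hard: -1
      #
      # Keep the open-files limit: the indexer needs a high nofile value to run.
      nofile:
        soft: 65536
        hard: 65536
```

Without memlock the JVM heap is no longer pinned in RAM, so the host needs enough free memory that the indexer is never swapped out.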
@broph3n 2 years ago
Is there some sort of mind logging going on? I think of something I'd like to do with Wazuh and next thing I know you make a video about it
@taylorwalton_socfortress 2 years ago
giphy.com/clips/collin-QMEkDP3yiIX5SDVG38
@damobiv 2 years ago
Oof, I can't get the nginx container to start. Anyone had this problem?
@Rildeng 1 year ago
Did you solve this problem?
@damobiv 1 year ago
Nope. I gave up.
@Duser024 8 months ago
Thank you so much from Thailand
@adamadamadde 10 months ago
Dude, u totally clowned it. If u follow ur steps we get the same error at 17:58.... and then u cut to when it actually works....
@JayTownsend1 2 years ago
Awesome video, but your microphone quality is terrible and has a lot of distortion on the treble. A good microphone setup from Elgato would fix that right up, as it currently sounds like you are using a cheap headset.
@eagle18hls 6 months ago
Sounds fine here. I would look at your speakers.
@ДмитрийНемна 2 years ago
I watch all your videos. This is cool. There are several questions about this lesson. With the SIEM in Docker:
- by editing, the cluster configuration is not saved after docker-compose down and up;
- it does not work when configured to receive log events through syslog, even with syslog 514 tcp xxx.xxx.x.x/24.
How to make it work?
@taylorwalton_socfortress 2 years ago
Try changing to tcp and use the loopback address as the . And make sure you change the port mapping to tcp in the docker-compose.
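The two compose-side changes the reply above points at, as an added example that is not the video's file or the Wazuh project's own: the manager's syslog port published over TCP instead of UDP, and a named volume on /var/ossec/etc so that edits to ossec.conf (cluster settings included) survive docker-compose down and up, which is also why /var/ossec is not found on the host. Service name, volume name, the extra port numbers and the allowed-ips range are assumptions; the matching ossec.conf remote block is quoted as comments because it is XML, not compose.

```yaml
# Added example; not from the video or the Wazuh repository. Names are assumptions.
services:
  wazuh.manager:
    image: wazuh/wazuh-odfe:4.4.0
    ports:
      - "1514:1514"        # agent traffic (assumed default)
      - "1515:1515"        # agent enrollment (assumed default)
      - "514:514/tcp"      # was "514:514/udp"; must match <protocol> in ossec.conf
      - "55000:55000"      # Wazuh API (assumed default)
    volumes:
      # Everything edited under /var/ossec/etc inside the container lives in this
      # named volume, so it is still there after "down" removes the container.
      # Without a volume the edit sits in the container's writable layer and is lost.
      - wazuh_etc:/var/ossec/etc

volumes:
  wazuh_etc:

# Manager side of the same change, in /var/ossec/etc/ossec.conf inside the container:
#   <remote>
#     <connection>syslog</connection>
#     <port>514</port>
#     <protocol>tcp</protocol>
#     <allowed-ips>xxx.xxx.x.x/24</allowed-ips>   <!-- placeholder from the comment -->
#   </remote>
# Only senders inside <allowed-ips> are accepted; messages from other sources are dropped.
```

A quick check after the change is to confirm the listener from inside the container with "ss -ltn" (TCP) rather than "ss -lun", since the mapping and the listener now both have to be TCP.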