TryHackMe: Wazuh Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Wazuh room on TryHackMe. Wazuh is a free, open-source and enterprise-ready security monitoring solution for threat detection and integrity monitoring. Wazuh is an Endpoint Detection and Response (EDR) tool: an integrated, layered approach to endpoint protection that combines real-time continuous monitoring and endpoint data analytics with rule-based automated response.

Wazuh Banner

Room URL:
https://tryhackme.com/room/wazuhct

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.




Task 1: Introduction

This room introduces the Wazuh EDR (Endpoint Detection and Response) solution, covering:

  • What EDRs are and their usefulness in detecting threats
  • Where and how Wazuh is used
  • How to access and navigate the Wazuh interface
  • Understanding Wazuh rules, alerts, and log analysis for devices (Linux and Windows)
  • Extending Wazuh with plugins and its API

EDR tools, like Wazuh, monitor devices for security threats, offering features such as vulnerability audits, real-time monitoring (e.g., for brute-force attacks), anomaly detection, and data visualization.

Wazuh, launched in 2015, is an open-source EDR solution that uses a manager-agent model, where the manager oversees agents installed on the devices to be monitored. Logs from agents are sent to the central Wazuh server for analysis.

Questions

When was Wazuh released?

Answer: 2025

What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats?

Agents are installed on the devices to be monitored.

Answer: Agent

Lastly, what is the term for a device that is responsible for managing these devices?

All agents are managed by a manager.

Answer: Manager


Task 2: Required: Deploy Wazuh Server

Connect to the TryHackMe network and deploy the Wazuh management server attached to this task and wait a minimum of five minutes before visiting the Wazuh server on HTTP://MACHINE_IP.

If you load the Wazuh management server too early, it will say “Kibana Server is not ready yet”. Please wait a few more minutes before refreshing the page and trying again.

Once it has started, log in using the following credentials:

Username: wazuh (make sure that this is lowercase!)

Password: eYa0M1-hG0e7rjGi-lRB2qGYVoonsG1K

Select “Global Tenant” after successfully logging in.

Questions

Login to the Wazuh management server on HTTP://MACHINE_IP before proceeding with this room’s tasks.

Answer: No answer needed


Task 3: Wazuh Agents

Agents are software components installed on devices to monitor events and processes (e.g., authentication, user management). These agents send logs to a central collector like Wazuh.

To deploy Wazuh agents:

  • Install the agent on the target device.
  • Provide:
    • The device’s Operating System.
    • The Wazuh server address (DNS or IP).
    • An optional group for organizing agents in Wazuh.

Use the Wazuh interface to navigate to:
Wazuh → Agents → Deploy New Agent
This launches an installation wizard that guides you through the process.

At step 4, you’ll receive a command to copy and run on the target device, which installs and configures the agent.

Questions

Ensure that you are logged in to the Wazuh management server on HTTPS://<IP>

Just make sure you started the Wazuh server attached to the room. Then access the IP from your AttackBox (or own machine if you are connected through the VPN).

Answer: No answer needed

Navigate to the “Agents” tab by pressing Wazuh -> Agents

Easy enough!

Answer: No answer needed

How many agents does this Wazuh management server manage?

Look at the Agents screen that you just opened. On it you should see the following list of agents:

Wazuh agents

Answer: 2

What are the status of the agents managed by this Wazuh management server?

As seen above, both agents have a red circle under Status. Click on either of the two agents to view a detailed screen. Here it mentions that the status is disconnected.

Disconnected agent

Answer: disconnected


Task 4: Wazuh Vulnerability Assessment & Security Events

Wazuh’s Vulnerability Assessment module scans an agent’s operating system for installed applications and their versions. It then compares this data with a CVE database to identify known vulnerabilities (e.g., a vulnerable version of Vim detected via CVE-2019-12735).

Key features:

  • Initial full scan occurs upon agent installation.
  • Scheduled scans can be configured (default: every 5 minutes).
  • Configuration is managed via /var/ossec/etc/ossec.conf.

Wazuh also checks agents for compliance using predefined rulesets, which can be overly sensitive out of the box. Routine system actions (e.g., deleting files) may be flagged as security events.

Events can be analyzed individually and sorted by factors like timestamp, tactics, or description, allowing for more targeted review and management.

Questions

Ensure that you are logged in to the Wazuh management server on HTTP://<ip>

Yup, done!

Answer: No answer needed

Navigate to the Agents tab by pressing Wazuh -> Agents like so

Still there.

Answer: No answer needed

Select the agent named “AGENT-001”

Go ahead and click on the first of the two agents.

Answer: No answer needed

How many “Security Event” alerts have been generated by the agent “AGENT-001”? Note: You will need to make sure that your time range includes the 11th of March 2022

Go to the Events tab as shown below, and make sure that you change the date filter to something that includes the 11th of March 2022. I was lazy and just added “Last 15 years”, to make sure all data was included.

Wazuh events

As you can see, there are 196 hits.

Answer: 196


Task 5: Wazuh Policy Auditing

Wazuh audits and monitors agent configurations, recording event logs and mapping them to compliance frameworks such as MITRE, NIST, and GDPR. It offers visualizations to explore this data further, as the room shows with a Windows domain controller example.

Questions

Ensure that you are logged in to the Wazuh management server on MACHINE_IP

Answer: No answer needed

Navigate to the “Modules” tab by pressing Wazuh -> Modules and open the “Policy Management” module

Answer: No answer needed


Task 6: Monitoring Logons with Wazuh

Wazuh monitors both successful and failed authentication attempts. Rule ID 5710 detects failed SSH logins, such as attempts with non-existent users. Alerts include detailed metadata like IP, hostname, rule description, MITRE ID, and log location. These alerts are stored in /var/ossec/logs/alerts/alerts.log and can be manually searched. Wazuh also logs successful logins, assigning lower severity by default, though this can be customized. Visualizations help track login activity, like narrowing 285 Windows login events to 79 for further analysis.
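Since the task notes that alerts.log can be searched by hand, here is an added example (not part of the room or of Wazuh itself) that parses alerts.log entries and counts rule 5710 hits per source IP, which is how a manual search for an SSH brute-force attempt would look. The SAMPLE_ALERTS text is constructed to mimic the alerts.log layout (a “** Alert” header, a “Rule:” line and a “Src IP:” line); the exact layout of a real deployment's file is an assumption, and the IPs and timestamps are invented.

```python
"""Parse Wazuh alerts.log entries and summarise rule 5710 (failed SSH login,
non-existent user) hits per source IP.

Added example: SAMPLE_ALERTS is constructed to mimic the alerts.log layout
(header line starting with '** Alert', a 'Rule:' line and a 'Src IP:' line)
and is not a capture from the room's server.
"""
import re
from collections import Counter

SAMPLE_ALERTS = """\
** Alert 1646996400.1001: - syslog,sshd,invalid_login,authentication_failed,
2022 Mar 11 10:00:00 (agent-001) any->/var/log/auth.log
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 203.0.113.10
Mar 11 10:00:00 agent-001 sshd[2210]: Invalid user admin from 203.0.113.10 port 51022

** Alert 1646996405.1002: - syslog,sshd,invalid_login,authentication_failed,
2022 Mar 11 10:00:05 (agent-001) any->/var/log/auth.log
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 203.0.113.10
Mar 11 10:00:05 agent-001 sshd[2212]: Invalid user test from 203.0.113.10 port 51030

** Alert 1646996410.1003: - syslog,sshd,authentication_success,
2022 Mar 11 10:00:10 (agent-001) any->/var/log/auth.log
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 198.51.100.7
Mar 11 10:00:10 agent-001 sshd[2215]: Accepted publickey for ubuntu from 198.51.100.7 port 40000
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
SRC_RE = re.compile(r"^Src IP: (\S+)$", re.M)


def parse_alerts(text):
    """Split alerts.log text into dicts with rule id, level, description and src_ip."""
    alerts = []
    # Every alert begins with a '** Alert' header, so split on that marker.
    for block in text.split("** Alert")[1:]:
        rule = RULE_RE.search(block)
        if not rule:
            continue
        src = SRC_RE.search(block)
        alerts.append({
            "rule_id": int(rule.group(1)),
            "level": int(rule.group(2)),
            "description": rule.group(3),
            "src_ip": src.group(1) if src else None,
        })
    return alerts


def failed_logins_by_ip(alerts, rule_id=5710):
    """Count alerts for one rule id per source IP; Counter.most_common() ranks them."""
    return Counter(a["src_ip"] for a in alerts if a["rule_id"] == rule_id)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for ip, n in failed_logins_by_ip(parsed).most_common():
        print(f"{ip}: {n} failed SSH login(s) for non-existent users")
```

On a real manager you would read /var/ossec/logs/alerts/alerts.log instead of the embedded sample; the successful login (rule 5715, lower level) in the sample shows why filtering on the rule id matters rather than on "sshd" alone.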

Questions

Ensure that you are logged in to the Wazuh management server on HTTP://<ip>

Answer: No answer needed

Navigate to the “Management” tab by pressing Wazuh -> Management and open the “Rules” module

Answer: No answer needed


Task 7: Collecting Windows Logs with Wazuh

With Sysmon installed, Windows logs a wide range of system events, such as authentication, file access, and process behavior. By configuring Sysmon with an XML file, like one that monitors PowerShell activity, and linking it to Wazuh, we can forward these logs for analysis. This involves updating both the Sysmon config and the Wazuh agent’s ossec.conf, then restarting the agent. On the Wazuh server, a custom rule must be added to process these events. After restarting the server, Wazuh can collect and visualize Sysmon data from the Windows agent.

Questions

What is the name of the tool that we can use to monitor system events?

A lot of different information is stored in the Windows event log using a tool called Sysmon.

Answer: Sysmon

What standard application on Windows do these system events get recorded to?

The system events get recorded in Event Viewer.

Answer: Event Viewer


Task 8: Collecting Linux Logs with Wazuh

Capturing logs from a Linux agent with Wazuh is straightforward and similar to Windows. Wazuh ships with many rules for analyzing log files; they can be found in /var/ossec/ruleset/rules.

Some common applications include:

  • Docker
  • FTP
  • WordPress
  • SQL Server
  • MongoDB
  • Firewalld

In this example, Apache2 web server logs are monitored by configuring the Wazuh agent’s ossec.conf file to specify the log file location and format. Wazuh uses built-in rulesets, like 0250-apache_rules.xml, to analyze logs for warnings and errors. After updating the configuration, the Linux agent must be restarted to begin sending logs to the Wazuh management server.

Questions

What is the full file path to the rules located on a Wazuh management server?

As discussed in the theory: /var/ossec/ruleset/rules.

Answer: /var/ossec/ruleset/rules


Task 9: Auditing Commands on Linux with Wazuh

Wazuh uses the auditd package, which can be installed on Debian/Ubuntu and CentOS systems, to monitor system events. In this task, we’ll focus on configuring auditd on an Ubuntu system. Auditd tracks specific system actions and logs them, and Wazuh processes those logs via its log collector module.

Steps include:

  1. Install the auditd package with sudo apt-get install auditd audispd-plugins and enable the service with sudo systemctl enable auditd.service and sudo systemctl start auditd.service.
  2. Configure auditd to monitor specific commands, like those executed by root, by editing the /etc/audit/rules.d/audit.rules file. An example rule is -a exit,always -F arch=b64 -F euid=0 -S execve -k audit-wazuh-c.
  3. Apply the new rule using sudo auditctl -R /etc/audit/rules.d/audit.rules.
  4. On the Wazuh agent, configure it to monitor the auditd log by editing /var/ossec/etc/ossec.conf and adding the audit log location:

     <localfile>
       <location>/var/log/audit/audit.log</location>
       <log_format>audit</log_format>
     </localfile>

This setup allows Wazuh to monitor and process events related to commands executed as root, or other monitored events on the system.
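To see what the rule from step 2 actually writes to /var/log/audit/audit.log, here is an added example (not Wazuh's own audit decoder and not part of the room) that joins auditd SYSCALL and EXECVE records by event id and reconstructs the commands run with euid 0 under the audit-wazuh-c key. The SAMPLE_AUDIT_LOG records are constructed in the auditd key=value layout; the pids, timestamps and commands are invented.

```python
"""Reconstruct root command executions from auditd records keyed 'audit-wazuh-c'.

Added example: a small parser showing what the rule
'-a exit,always -F arch=b64 -F euid=0 -S execve -k audit-wazuh-c' produces.
SAMPLE_AUDIT_LOG is constructed in the auditd key=value layout and is not a
capture from the room.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1646996400.123:5001): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1250 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="audit-wazuh-c"
type=EXECVE msg=audit(1646996400.123:5001): argc=1 a0="id"
type=SYSCALL msg=audit(1646996410.456:5002): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1260 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="apt-get" exe="/usr/bin/apt-get" key="audit-wazuh-c"
type=EXECVE msg=audit(1646996410.456:5002): argc=2 a0="apt-get" a1="update"
type=SYSCALL msg=audit(1646996420.789:5003): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1310 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1646996420.789:5003): argc=1 a0="ls"
"""

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<timestamp>:<event id>) ties the SYSCALL and EXECVE records together
EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_fields(line):
    """Return a dict of key=value pairs from one auditd record, unquoting strings."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def root_commands(text, key="audit-wazuh-c"):
    """Return the commands executed with euid 0 that carry the given audit key.

    Each result has the event id, the login uid (auid) of the user who
    became root, the executable path and the reconstructed argv."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        fields = parse_fields(line)
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
        elif fields.get("type") == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [fields[f"a{i}"] for i in range(argc)]

    results = []
    for ev_id, ev in events.items():
        # The rule matches euid=0 only; records without the key never carry it.
        if ev.get("key") != key or ev.get("euid") != "0":
            continue
        results.append({
            "event_id": ev_id,
            "auid": ev.get("auid"),
            "exe": ev.get("exe"),
            "command": " ".join(ev.get("argv", [])),
        })
    return results


if __name__ == "__main__":
    for c in root_commands(SAMPLE_AUDIT_LOG):
        print(f"event {c['event_id']}: auid={c['auid']} ran '{c['command']}' ({c['exe']})")
```

The third record in the sample (an unprivileged ls with key=(null)) is dropped, which is exactly the filtering the euid=0 rule performs; the auid field is what lets an analyst attribute a root command to the user who originally logged in.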

Questions

What application do we use on Linux to monitor events such as command execution?

Wazuh utilises the auditd package that can be installed on Wazuh agents.

Answer: auditd

What is the full path & filename for where the aforementioned application stores rules?

Answer: /etc/audit/rules.d/audit.rules


Task 10: Wazuh API

The Wazuh management server provides a comprehensive API for interaction via the command line. To use the API, you first authenticate with a set of credentials, receiving a token that is used for subsequent interactions. This token can be stored as an environment variable on a Linux machine.

Using the curl tool, you can make requests such as verifying authentication, checking server status, and retrieving information about the Wazuh manager and its agents. Standard HTTP methods like GET, POST, PUT, and DELETE are supported.

Additionally, Wazuh offers an integrated API console on its website, allowing for easier query execution, though it’s less customizable than using a local environment. For more complex interactions, the full API documentation provides further details on available endpoints.
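The token-then-bearer flow described above, as an added example that is not the room's curl command and uses only the Python standard library. It assumes the API listens on https://<host>:55000, that authentication is a POST to /security/user/authenticate with HTTP basic credentials returning the token in data.token, and that GET /manager/info returns the version in data.affected_items[0].version; the two sample JSON bodies are constructed so the parsing runs offline.

```python
"""Authenticate to the Wazuh API, then call GET /manager/info with the bearer token.

Added example, not the room's own curl command. Assumed API shape:
POST /security/user/authenticate (basic auth) -> {"data": {"token": ...}}
GET  /manager/info (bearer token)            -> {"data": {"affected_items": [{"version": ...}]}}
The SAMPLE_* bodies are constructed for offline testing.
"""
import base64
import json
import os
import ssl
import urllib.request

SAMPLE_AUTH_RESPONSE = '{"data": {"token": "eyJ.constructed.token"}, "error": 0}'
SAMPLE_INFO_RESPONSE = (
    '{"data": {"affected_items": [{"version": "v4.2.5", "name": "thm-wazuh"}],'
    ' "total_affected_items": 1}, "message": "Information was successfully read",'
    ' "error": 0}'
)


def _check_error(doc):
    """Wazuh wraps failures in an 'error' field; raise instead of silently continuing."""
    if doc.get("error", 0) != 0:
        raise RuntimeError(f"API error: {doc.get('message', doc)}")
    return doc


def token_from_auth_response(body):
    """Extract the bearer token from the authenticate response body."""
    return _check_error(json.loads(body))["data"]["token"]


def version_from_info_response(body):
    """Extract the manager version (e.g. 'v4.2.5') from the /manager/info body."""
    return _check_error(json.loads(body))["data"]["affected_items"][0]["version"]


def _request(url, headers, method="GET", verify_tls=True):
    """Perform an HTTPS request and return the body as text.

    verify_tls=False mirrors curl -k for the lab's self-signed certificate;
    keep verification enabled against a real deployment."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def get_token(host, user, password, verify_tls=True):
    """POST /security/user/authenticate with basic auth and return the JWT."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = _request(f"https://{host}:55000/security/user/authenticate",
                    {"Authorization": f"Basic {creds}"}, method="POST",
                    verify_tls=verify_tls)
    return token_from_auth_response(body)


def get_manager_version(host, token, verify_tls=True):
    """GET /manager/info using the bearer token and return the version string."""
    body = _request(f"https://{host}:55000/manager/info",
                    {"Authorization": f"Bearer {token}"}, verify_tls=verify_tls)
    return version_from_info_response(body)


if __name__ == "__main__":
    # Live use: WAZUH_HOST=MACHINE_IP WAZUH_USER=... WAZUH_PASS=... python3 wazuh_api.py
    host = os.environ.get("WAZUH_HOST")
    if host:
        tok = get_token(host, os.environ["WAZUH_USER"], os.environ["WAZUH_PASS"],
                        verify_tls=False)
        print("manager version:", get_manager_version(host, tok, verify_tls=False))
    else:
        # Offline demonstration on the constructed response.
        print("manager version:", version_from_info_response(SAMPLE_INFO_RESPONSE))
```

Keeping the credentials in environment variables rather than on the command line matches the room's advice to store the token as an environment variable, and keeps them out of shell history.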

Questions

What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server?

We can use the Linux tool called curl to make web requests.

Answer: curl

What HTTP method would we use to retrieve information for a Wazuh management server API?

We use a GET request here, as we do not post any data along with the request. The command to use is:

curl -k -X GET "https://MACHINE_IP:55000/manager/configuration?pretty=true&section=global" -H "Authorization: Bearer $TOKEN"

Answer: GET

What HTTP method would we use to perform an action on a Wazuh management server API?

This question is quite vague, as the API covers a lot of different endpoints which perform actions. But the answer here is PUT (used to edit data). An example of an action using PUT is found here:

https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.security_controller.update_user

Answer: PUT

Navigate to Wazuh’s API console.

Press Wazuh > Tools > API console.

Answer: No answer needed

Use the API console to find the Wazuh server’s version. Note: You will need to add the “v” prefix to the number for this answer. For example v1.2.3

Select the line saying GET /manager/info, and press the Play button on the right side.

You should see JSON shown as output, including the version number. But uhm? v4.10.1 is not working. It seems that Wazuh has been updated. According to other sources the answer is v4.2.5 instead.

Answer: v4.2.5


Task 11: Generating Reports with Wazuh

Wazuh includes a reporting module that lets you generate summarized reports of security events on agents. To create a report for events from the past 24 hours, navigate to Modules → Security Events. If relevant data exists, you can click the report button to generate it—if the button is greyed out, adjust the query or date range.

Report generation may take a few seconds to minutes. Once ready, go to Wazuh → Management → Reporting under Status and Reports to access the report overview dashboard. From there, reports can be downloaded as PDFs using the save icon under “Actions”.

Questions

Use Wazuh’s “Report” feature to generate a report of an agent.

Go ahead and follow the instructions to generate a report.

Answer: No answer needed.

Navigate to the Wazuh “Report” dashboard

Now you can find the report file at https://machine_ip/app/wazuh#/manager/?tab=reporting.

Answer: No answer needed.

Analyse the report. What is the name of the agent that has generated the most alerts?

Open the wazuh-overview-general report by pressing the download button on the right side.

Alerts per machine

You should see the above graph. You might think the answer is thm-wazuh but this is actually the manager. The agent with the most alerts is agent-001.

Answer: agent-001


Task 12: Loading Sample Data

The Wazuh management server includes optional sample data that can be loaded to showcase its features. It’s not enabled by default to maintain performance. To import it:

  1. Go to Wazuh → Settings → Sample Data.
  2. Click “Add Data” on each of the three cards.

Each import may take up to a minute. Once the button changes to “Remove data”, the import is complete. You can then return to the dashboard—modules like Security Events will now display much more data.

Note: Adjust the date range to Last 7 days or more, and refresh the dashboard to see the imported data.

Questions

I’ve imported the sample data!

Simply follow the instructions if you want to play with the imported data.

Answer: No answer needed.

I have played around with the sample data.

Have fun! I highly recommend getting more experience with Wazuh. It’s pretty awesome!

Answer: No answer needed.


Congratulations on completing Wazuh!!!

Congratulations on completing Wazuh. I think it was a great tool to learn about, although the room was highly theoretical. I guess we are going to hear a lot more about this program as it is built to work together with the Elastic stack.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other walkthroughs here.
