Hello everyone, how’s it going? So today I am going to write about how to deploy Wazuh in VMware or any virtual machine of your choice and connect to a Windows agent, so without further ado, let’s get started.
The first step is to download a Wazuh OVA file from here 👇
The file would start downloading automatically once you click the link. Since it’s around 3GB, it might take some time to download completely based on your internet speed.
Once it’s done, open your virtualization software and press Ctrl + O. I prefer VMware, so that is what I will be using.
Once you press Ctrl + O, you will see a pop-up window like this. From here, just navigate to the folder where your files are downloaded and select the Wazuh file, and click open.
Write anything you want in the name section, and then browse to where you want to keep your Wazuh files, or you can also leave it at the default path.
Do note that the files are around 50 GB, so make sure to select a drive with enough space.
Now, you can click on the import button, and it will show you a loading screen like this:
It might take a few minutes depending on your machine’s specs, but once it’s done, you will see an interface like this:
Make sure that the network adaptor here is set to bridged; otherwise you won’t be able to connect your agent to your Wazuh SIEM solution.
After ensuring that the network is bridged, you can launch your Wazuh OVA. It should look something like this:
You just need to wait for a few minutes to let it load all the important files, and then you will see an interface like this:
The login is wazuh-user and the password is wazuh. So go ahead and log into it.
Note: if it’s your first time using a Linux-based machine, you won’t see any changes on your screen as you type your password, but it is there, so just confidently enter your password and hit Enter. It will work, trust me.
So this is what it would look like after you’ve logged into it. Now we need to check the IP of the Wazuh machine so we can access the Wazuh web interface. To check the IP, simply type ifconfig and hit Enter.
Once you hit Enter, you would probably find the machine IP at the same spot I did, so now we also have our Wazuh’s IP. Now we can go ahead and access its web interface.
For that, we need to type the following in the search bar:
https://Your_IP
For me, it would be
Do note that only adding your IP like 192.169.1.112 wouldn’t work; you need to add “https://” manually before your IP to access the Wazuh web interface, or Wazuh Dashboard.
You might see a similar webpage or warning when you try to open the Wazuh Dashboard using the IP. Don’t worry, it’s normal, just click on Advanced and Proceed anyway.
If you see an error like this:
Just wait for like 2 minutes and refresh the page, it will start working properly.
On a side note, if you can’t see anything, you can go back to your VM and try running this command:
sudo systemctl status wazuh-dashboard
If you see the green text that says Active (running) and still can’t access your Wazuh dashboard, then you can comment down below, and I’ll try to see if I can help you fix your error. But if it’s stopped, like this, then you can run this command to start it:
sudo systemctl start wazuh-dashboard
And try to see if you can now access the dashboard, it should look something like this:
You can log in to this using the following credentials:
Username: admin
Password: admin
Once you log in successfully, you will see this on your screen.
🎉Congratulations, you have successfully deployed Wazuh on your Device.🥳
Now let’s focus on how to connect your agent to your Wazuh dashboard. For that, there are two methods that I know about, but we will cover the easier one in this article:
Comment if you also want the other method.
Click on the deploy agent button:
You should see a screen like:
Since we are currently installing this on Windows, let’s click on that. Now scroll down a bit, and you will see this:
The server address here is the address at which Wazuh’s agents will look for the Wazuh server. Since we are on a private network, we can add the Wazuh IP address that we found earlier.
But if we were on a different network, like a remote network, we would need to host our Wazuh dashboard on the public internet, which is not recommended due to security concerns.
Or you can also use a VPN client like OpenVPN to connect the two machines.
Once you’ve added the server address, go ahead and add whatever name you would like your agent to have in the agent name section, but make sure that it is unique for every device you connect.
Now, if you scroll toward the end, you will see something like this. Just click on the command in the 4th section to copy it. Then go to your Windows search bar:
And type “PowerShell” in it.
When you see a screen like this, click on Run as administrator.
Once here, paste the command you’ve copied before from the Wazuh dashboard and hit enter.
A similar process should start on your terminal as well. Wait for it to be completed.
Now go to your Wazuh dashboard and copy this command:
And then paste it in the terminal like so:
Now hit enter.
You should see a message like this.
To confirm whether this is working properly or not, go to the Wazuh Dashboard and click here:
As you can see, it shows that my device was successfully connected.
Congrats, you have successfully deployed Wazuh Agent and Dashboard.
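
If the agent does not show up in the dashboard, the checks below narrow down whether the problem is the service, the server address you entered, or the network (for example a VM adaptor that is not bridged). This is an added example, not part of the original walkthrough; it assumes the agent's defaults, which the article does not state: service name WazuhSvc, install folder ossec-agent under Program Files (x86), and TCP ports 1514 and 1515. Run it in the same administrator PowerShell window.

```powershell
# Added example: post-install checks for the Wazuh agent on Windows.
# Assumed defaults (not stated in the article): service name WazuhSvc,
# install directory "ossec-agent" under Program Files (x86),
# agent traffic on TCP 1514 and enrollment on TCP 1515.
$agentDir = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent'
$confPath = Join-Path $agentDir 'ossec.conf'

# 1. Is the agent service installed and running?
$svc = Get-Service -Name 'WazuhSvc' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'WazuhSvc not found: the install command did not complete.'
    return
}
"Service state : $($svc.Status)"

# 2. Which server address did the installer write into ossec.conf?
$match = Select-String -Path $confPath -Pattern '<address>\s*([^<\s]+)\s*</address>' |
    Select-Object -First 1
if (-not $match) {
    Write-Warning "No <address> entry found in $confPath"
    return
}
$server = $match.Matches[0].Groups[1].Value
"Server address: $server"

# 3. Can this machine reach the Wazuh VM on the agent ports?
foreach ($port in 1514, 1515) {
    $r = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
    "TCP $port reachable: $($r.TcpTestSucceeded)"
}

# 4. Last lines of the agent log, useful when the dashboard still shows no agent.
Get-Content (Join-Path $agentDir 'ossec.log') -Tail 10
```

If the service is running but the ports are not reachable, go back to the VM settings and confirm the network adaptor is set to bridged and that the server address matches the IP shown by ifconfig.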