Secure your Arch Linux with Wazuh
Happy Share Arch Linux
Wazuh is a free, open-source security monitoring platform that can be used to monitor your Arch Linux system. In this guide, we install Wazuh on Arch Linux in a single-node setup: the server runs in Docker and the agent runs on the Arch host.
Install the Server in Docker
We first clone the Wazuh Docker repository and checkout the latest release. In this case, we are using version 4.7.4.
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.4
Next, we navigate to the single-node directory and generate the self-signed certificates.
cd wazuh-docker/single-node
docker-compose -f generate-indexer-certs.yml run --rm generator
Finally, we start the Wazuh server, including wazuh-manager, wazuh-indexer, and wazuh-dashboard.
docker-compose up -d
You may access the Wazuh dashboard at https://localhost with the default username admin and password SecretPassword.
Install the Agent in Arch Linux
We first install the Wazuh agent on Arch Linux.
yay -S wazuh-agent
Next, we configure the agent to connect to the Wazuh server. To do that, we need to know the IP address of the Wazuh server. In this case, the default container name is single-node-wazuh_manager_1 and the default value in the ossec.conf file is MANAGER_IP. The exact container name depends on your Docker Compose version, so confirm it with docker ps before running the command. You will need sudo su to edit the file.
export WAZUH_MANAGER=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' single-node-wazuh.manager-1) && sed -i "s|MANAGER_IP|$WAZUH_MANAGER|g" /var/ossec/etc/ossec.conf
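The one-liner above has a failure mode worth guarding against: if docker inspect prints nothing (wrong container name, container not running), sed replaces MANAGER_IP with an empty string and the agent is left with no server address. The following POSIX shell helper is an added example, not part of the original post; it validates the address before patching the file. The container name single-node-wazuh.manager-1 and the path /var/ossec/etc/ossec.conf are taken from the post.

```shell
#!/bin/sh
# Added example: validate the manager address before writing it into ossec.conf.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with octets 0-255, else 1.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# patch_manager_ip CONF IP -> replaces the MANAGER_IP placeholder in CONF with IP.
# Exit 1 if IP is empty or malformed, exit 2 if the placeholder is no longer
# present (the file was already patched), so a bad value never reaches the config.
patch_manager_ip() {
    conf=$1
    ip=$2
    is_ipv4 "$ip" || {
        echo "refusing to write invalid manager address: '$ip'" >&2
        return 1
    }
    grep -q 'MANAGER_IP' "$conf" || {
        echo "no MANAGER_IP placeholder left in $conf (already configured?)" >&2
        return 2
    }
    sed -i "s|MANAGER_IP|$ip|g" "$conf"
}

# manager_ip CONTAINER -> prints the container's address via docker inspect.
# Requires Docker and the running server from the post; not exercised offline.
manager_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Usage on the Arch host (as root), assuming the container name from the post:
#   patch_manager_ip /var/ossec/etc/ossec.conf "$(manager_ip single-node-wazuh.manager-1)"
```

Run it as root; the helper exits non-zero instead of modifying the file when the lookup returns nothing.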
Finally, we enable and start the Wazuh agent.
systemctl enable wazuh-agent
systemctl start wazuh-agent
systemctl status wazuh-agent
Final Result
Back in the Wazuh dashboard (https://localhost), you should see the Arch Linux agent connected to the server.
Clean Up
In case you want to clean up the Wazuh server and agent, you can stop and remove the agent and containers.
systemctl disable wazuh-agent.service
yay -Rs wazuh-agent
docker compose down --rmi all --volumes --remove-orphans