Wazuh Yandex Cloud

Wazuh is a full-featured DevSecOps platform for threat detection, cloud resource monitoring, and incident response. Wazuh collects, aggregates, and analyzes data, helping detect intrusions, anomalies, and vulnerabilities and ensure compliance with security regulations.

1. Get an SSH key pair for connection to a virtual machine.

2. Create a security group in the network you are going to deploy your Wazuh VM in and configure the following incoming traffic rule:

   Traffic<br/>direction	Port range	Protocol	Destination /<br/>Source	CIDR blocks
   Inbound	443	Any	CIDR	0.0.0.0/0

3. Create a service account with the compute.viewer, logging.viewer, and logging.reader roles.

4. Create a log group. Save the log group ID. You’ll need it later.

5. Configure audit logs uploads to Cloud Logging.

6. Create a VM from a public image:

   1. Under Boot disk image on the Marketplace tab, enter Wazuh in the Product search field and select the Wazuh public image.

   2. Under Network settings:

      • In the Subnet field, specify the ID of a subnet in the new VM’s availability zone. Alternatively, you can select a cloud network from the list.
      • In the Security groups field, select the security group you created earlier.

   3. Under Access:

   • Enter the username in the Login field.
   • In the SSH key field, select the previously created SSH key from the list.
   1. Under Advanced, in the Service account field, select the previously created service account.

   It takes 5 to 10 minutes to set up the VM automatically.

7. Connect to the VM over SSH. Use the username you set when creating the VM and the private SSH key you created before.

8. Open the wazuh.sh file:

   sudo nano /etc/profile.d/wazuh.sh
   

9. Add the following line to the file:

   export YANDEX_LOG_GROUP_ID="<log_group_ID>"
   

   Where YANDEX_LOG_GROUP_ID is the ID of the previously created log group.

10. Unpack the wazuh-install-files.tar archive with passwords and certificates required for access to the Wazuh web interface and API:

    sudo tar -xvf /var/ossec/wazuh-install-files.tar
    

    The passwords and certificates are only stored on the VM.

11. Open the wazuh-new-passwords.txt file:

    sudo nano wazuh-install-files/wazuh-new-passwords.txt
    

12. Under Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard, copy the values of the parameters to access the Wazuh web interface:

    • indexer_username: Username.
    • indexer_password: Password.

13. Open https://<VM_public_IP_address>/ in your browser and log in with the credentials you got earlier.

14. To activate Wazuh, obtain the ID of the folder in which the VM is located and send it to support@opennix.ru.

• Analyzing the security of cloud resources, including containers.
• Detecting intrusions.
• Identifying vulnerabilities.
• Analyzing logs.
• Monitoring files.
• Evaluating the system configuration.
• Responding to security incidents.
• Performing security compliance checks.
• Analyzing security events in Yandex Cloud.

OpenNix
OpenNix provides technical support to Wazuh users in Yandex Cloud. You can contact their support team by email at support@opennix.ru. Support is available on business days from 9 a.m. to 6 p.m., GMT+3.

Yandex Cloud
Yandex Cloud does not provide technical support for this product. If you have any issues, please refer to the vendor’s information resources.