Proj 6x: Monitoring File Integrity with Wazuh 3 (15 pts.)

What you need

Purpose

To practice using Wazuh to detect suspicious events on the Windows Server.

In this project, you monitor activity in a single folder.

Creating a Folder to Monitor

On your Windows Server, open File Explorer.

Right-click an empty portion of the window and click New, Folder.

Give the new folder a name of YOURNAME, replacing "YOURNAME" with your own name, as shown below.

Double-click the YOURNAME folder.

Right-click an empty portion of the window and click New, "Text Document".

Give the new file a name of YOURNAME-SECRETS, replacing "YOURNAME" with your own name, as shown below.

Repeat the process to make another text file named YOURNAME-IMPORTANT, replacing "YOURNAME" with your own name, as shown below.

Launching ossec_agents

In File Explorer, navigate to this folder, as shown below.
C:\Program Files (x86)\ossec-agent
Double-click win32ui.

(Note: the Start menu no longer works on Windows Server 2016. This is a feature, not a bug.)

Configuring Folder Monitoring

In "Wazuh Agent Manager", from the menu bar, click View, "View Config", as shown below.

In the "ossec.conf" window, scroll down to the "Syscheck" section, as shown below.

Backing Up the Configuration File

In the "ossec.conf" window, from the menu bar, click File, "Save As...". Save the file as ossec.conf.bak.

Close the "ossec.conf" window.

In "Wazuh Agent Manager", from the menu bar, click View, "View Config".

Configuring Monitoring of the C:\YOURNAME Folder

Checking the system every 12 hours might be good to avoid wasting resources on a busy server, but we want to see results quickly for this project. So make these changes to the "ossec.conf" file, as shown below.

Change the frequency to 120.

Add this line below the "<disabled>no</disabled>" line:

<directories report_changes="yes" check_all="yes" realtime="yes">C:\YOURNAME</directories>

In the "ossec.conf" window, from the menu bar, click File, Save.

Close the "ossec.conf" window.
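The frequency and directories settings entered above can be verified without reopening the GUI. The following Python script is an added example, not part of this project or of Wazuh; the ossec.conf text it parses is a constructed sample, and the folder name is this project's YOURNAME placeholder.

```python
"""Check a Wazuh 3.x agent's ossec.conf for the syscheck settings this project expects."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the Windows agent's ossec.conf after the edits above
# (not a real file from the project; the folder name is the YOURNAME placeholder).
SAMPLE_CONF = """<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <syscheck>
    <frequency>120</frequency>
    <disabled>no</disabled>
    <directories report_changes="yes" check_all="yes" realtime="yes">C:\\YOURNAME</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
  </syscheck>
</ossec_config>
"""

# Attributes the project's <directories> line sets for the monitored folder.
REQUIRED_ATTRS = {"realtime": "yes", "report_changes": "yes", "check_all": "yes"}

def check_syscheck(conf_text, folder, max_frequency=120):
    """Return a list of problems found; an empty list means the config matches the project."""
    # ossec.conf may contain several <ossec_config> roots, so wrap it before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    problems = []
    syscheck = root.find(".//syscheck")
    if syscheck is None:
        return ["no <syscheck> section found"]
    if syscheck.findtext("disabled", "no").strip().lower() != "no":
        problems.append("syscheck is disabled")
    freq = syscheck.findtext("frequency")
    if freq is None or not freq.strip().isdigit():
        problems.append("frequency missing or not a number")
    elif int(freq) > max_frequency:
        problems.append("frequency %s exceeds %d seconds" % (freq.strip(), max_frequency))
    # A <directories> element may list several paths separated by commas.
    wanted = folder.rstrip("\\").lower()
    entries = [d for d in syscheck.findall("directories")
               if wanted in [p.strip().rstrip("\\").lower() for p in (d.text or "").split(",")]]
    if not entries:
        problems.append("folder %s is not monitored" % folder)
    else:
        for attr, value in REQUIRED_ATTRS.items():
            if not any(d.get(attr, "no").lower() == value for d in entries):
                problems.append('folder %s lacks %s="%s"' % (folder, attr, value))
    return problems

if __name__ == "__main__":
    issues = check_syscheck(SAMPLE_CONF, r"C:\YOURNAME")
    print("OK" if not issues else "\n".join(issues))
```

To check the real file, read C:\Program Files (x86)\ossec-agent\ossec.conf into a string and pass it to check_syscheck in place of the sample.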

Restarting the Wazuh Agent

In "Wazuh Agent Manager", from the menu bar, click Manage, Restart. Click OK.

Unfortunately, the Wazuh agent frequently fails to start. To check it, click Manage, Status.

If the box says "Agent stopped", click OK and then click Manage, Start.

Viewing Wazuh Logs

In "Wazuh Agent Manager", from the menu bar, click View, "View Logs".

An "ossec - Notepad" window opens. Scroll to the bottom. You should see the message "Syscheck scan frequency: 120 seconds", as shown below.

Scroll up a page or two. You should see the message "Monitoring directory: 'C:\YOURNAME'", as shown below.

Modifying the Monitored Folder

In File Explorer, navigate to this folder, as shown below.
C:\YOURNAME
Right-click an empty portion of the window and click New, "Text Document".

Name the new file YOURNAME-NEW.

Right-click the YOURNAME-IMPORTANT file and click Delete.

Double-click the YOURNAME-SECRETS file. Type a new line in that file, click File, Save, and close Notepad.

Your window should now look like the example below.

Viewing Wazuh Alerts

In the Wazuh web administration page, at the top, click AGENTS.

In the next page, click Win-YOURNAME, as shown below.

In the next page, you should see some colorful circular charts at the bottom, as shown below.

If you don't, see the Troubleshooting box below.

Troubleshooting

If you see no results, first try changing the time interval.

At the top right, click the time range, which may say "Last 15 minutes" or some other time range, as shown below.

On the next page, at the top right, click Quick. Click "This week", as shown below.

If you still see no events, try creating another file in the C:\YOURNAME folder, and restarting the agent again.

It seems unreliable--it did not detect all the changes I made.

Viewing File Integrity Alerts

At the top, to the right of "GENERAL", click "FILE INTEGRITY".

Below the word "GENERAL", in the search bar, type

YOURNAME

Press Enter.

You should see some events, in the charts, as shown below.

Scroll to the bottom to see the alerts.

You should see alerts about the files in C:\YOURNAME, as shown below.

Saving a Screen Image

Make sure at least one alert about a file in C:\YOURNAME is visible, as shown in the image above.

Capture a whole-desktop image.

Save the image with the filename "Your Name Proj 6xa". Use your real name, not the literal text "Your Name".

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Turning in your Project

Send the image to: cnit.50sam@gmail.com with a subject line of "Proj 6x From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Sources

Wazuh v3.0 released!

Docs: Welcome to Wazuh

Posted 12-26-17 by Sam Bowne