Wazuh SIEM

Overview

Wazuh 4.14.5 runs on SOC (CT105, 192.168.5.211). It monitors all active hosts in the infrastructure using a manager + agent model.

Component	Location	Port
Manager (remoted)	192.168.5.211	1514 TCP (agents)
Manager (authd)	192.168.5.211	1515 TCP (registration)
Syslog receiver	192.168.5.211	514 UDP
Wazuh Indexer (OpenSearch)	192.168.5.211	9200
Wazuh Dashboard	192.168.5.211	443

Agent registration uses automatic auth — no password required. Run on any host to register:

/var/ossec/bin/agent-auth -m 192.168.5.211 -A "$(hostname)"

Active Agents (21)

ID	Name	Host	IP	Status
000	soc (server)	PVE2 CT105	127.0.0.1	Active/Local
001	ptu-pc	Workstation	any	✅ Active
003	pve	PVE1 host	192.168.1.5	✅ Active
007	pbs	Proxmox Backup Server	any	✅ Active
008	CF-HQ	PVE2 CT103	192.168.127.55	✅ Active
009	tdai	PVE1 VM108	192.168.1.22	✅ Active
010	pve2	PVE2 host	192.168.5.114	✅ Active
011	ispconfig-backup	PVE2 CT102	192.168.5.209	✅ Active
012	pulse	PVE2 CT104	192.168.5.145	✅ Active
013	mx2.mail-gateway.edge.optination.net	PVE2 CT106	192.168.5.154	✅ Active
014	zabbix-appliance	PVE2 VM101	192.168.5.x	✅ Active
015	mx1	PVE1 CT105	192.168.1.15	✅ Active
016	corp-optination	PVE1 CT114	192.168.1.23	✅ Active
017	prod	PVE1 CT115	192.168.1.111	✅ Active
018	master-control	PVE1 VM110	192.168.1.21	✅ Active
019	mail.optination-hosting.local	PVE1 VM111	192.168.1.20	✅ Active
020	optination-panel	PVE1 VM113	192.168.1.50	✅ Active
022	energonhub	PVE2 CT100	192.168.5.9	✅ Active
023	corp	PVE1 CT102	192.168.1.102	✅ Active
024	Prod-DNS-Server-2	PVE1 CT104	192.168.1.25	✅ Active
025	optination-phase-vault	PVE1 VM112	192.168.1.32	✅ Active

Disconnected (expected — VMs/CTs are stopped):

ID	Name	Reason
004	optimus-woo-prod-store	VM100 stopped
005	Forum	PVE1 CT106 stopped

Not Monitored (by design)

• UDM-Pro — Alpine Linux embedded; no Wazuh package available
• Stopped VMs/CTs — no agent needed while offline

Manager Config — Key Settings

Config file: /var/ossec/etc/ossec.conf on SOC (CT105)

<!-- Syslog receiver — accepts pfSense and all LAN segments -->
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.5.0/24</allowed-ips>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <allowed-ips>192.168.100.0/24</allowed-ips>   <!-- pfSense -->
  <allowed-ips>192.168.11.0/24</allowed-ips>    <!-- WAN link -->
</remote>

SCA Policies Enabled

Policy	Applies To
CIS Debian Linux 12	All Debian 12 hosts
CIS AlmaLinux 8	PVE2 VM101 (Zabbix)

Policy files: /var/ossec/ruleset/sca/ on SOC.

Installing an Agent (Debian/Ubuntu)

# 1. Set up repo
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
  gpg --batch --dearmor > /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
  https://packages.wazuh.com/4.x/apt/ stable main" \
  > /etc/apt/sources.list.d/wazuh.list

# 2. Install
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq && apt-get install -y wazuh-agent

# 3. Fix manager address (if postinstall left placeholder)
sed -i 's|<address>MANAGER_IP</address>|<address>192.168.5.211</address>|g' \
  /var/ossec/etc/ossec.conf

# 4. Register
/var/ossec/bin/agent-auth -m 192.168.5.211 -A "$(hostname)"

# 5. Enable and start
systemctl daemon-reload && systemctl enable wazuh-agent && systemctl start wazuh-agent

gpg —batch flag

Always use gpg --batch --dearmor when running inside LXC containers or via pct exec / qm guest exec — without it gpg tries to open /dev/tty and fails.

Long installs on VMs

qm guest exec has a 30-second default timeout. For apt installs on VMs, use nohup:

qm guest exec VMID -- bash -c "nohup bash /tmp/install.sh > /tmp/install.log 2>&1 &"

Known Issues & Fixes

pfSense 1213 syslog spam

Symptom: ~14/sec "Message from 192.168.100.2 not allowed" errors in Wazuh.
Root cause: pfSense syslog was hitting port 514 but 192.168.100.0/24 wasn’t in the allowed-ips list.
Fix: Added 192.168.100.0/24 and 192.168.11.0/24 to the syslog remote block in ossec.conf. Fixed 2026-05-24.

TDAI agent disconnects

Symptom: Agent 009 (tdai) goes Disconnected periodically.
Fix: qm guest exec 108 -- systemctl restart wazuh-agent

energonhub key conflict (resolved)

Symptom: CT100 (energonhub) was running under the “PVE1” key (agent 002), masking its real identity.
Fix: Stopped agent, deleted /var/ossec/etc/client.keys, re-ran agent-auth. Now registered as agent 022 “energonhub”. Fixed 2026-05-25.

Useful Commands

# List all agents from manager
pct exec 105 -- /var/ossec/bin/agent_control -l

# Check agent status on a host
systemctl is-active wazuh-agent

# View manager logs
pct exec 105 -- tail -f /var/ossec/logs/ossec.log

# Remove a stale agent (interactive)
pct exec 105 -- bash -c "printf 'r\nAGENT_ID\ny\n' | /var/ossec/bin/manage_agents"

# Restart manager
pct exec 105 -- systemctl restart wazuh-manager