Install the Wazuh app for Splunk

The Wazuh app for Splunk offers a UI to visualize the Wazuh alerts and the Wazuh API data. Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.

Installation

  1. Download the latest Wazuh app for Splunk:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/wazuhapp-splunk-3.13.2_8.0.4.tar.gz
    
  2. Install the Wazuh app for Splunk:

    1. CLI mode:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    
    # /opt/splunk/bin/splunk restart
    
    1. Web GUI:

    Apps -> Manage apps -> Install app from file
    
  3. Open Splunk in your desired browser and click on the Wazuh app icon:

    ../../_images/app-icon.png
  4. You will be redirected to the Settings tab to fill the form with the Wazuh API credentials. Use the URL and port from your Wazuh API server.

    By default, the Wazuh API port is 55000. The default username and password is foo:bar. It is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears on the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials at Securing the Wazuh API.

    If you want to add the Wazuh API credentials more quickly (for instance, for deployment purposes) you can execute the following command:

    # curl -X POST "http://<SPLUNK_IP>:<SPLUNK_PORT>/en-US/custom/SplunkAppForWazuh/manager/add_api?url=<WAZUH_API_URL>&portapi=<WAZUH_API_PORT>&userapi=<WAZUH_API_USERNAME>&passapi=<WAZUH_API_PASSWORD>"
    

    Note the following:

    • <SPLUNK_IP> is the hostname or IP address of the Splunk instance where the Wazuh app for Splunk was installed.

    • <SPLUNK_PORT> is the port of the Splunk instance where the Wazuh app for Splunk was installed. By default, it is 8000.

    • <WAZUH_API_URL>, <WAZUH_API_PORT>, <WAZUH_API_USERNAME> and <WAZUH_API_PASSWORD> represent the Wazuh API credentials to be stored on the Wazuh app for Splunk. Keep in mind that the Wazuh API URL must include http:// or https://, depending on the current configuration.

When the Wazuh app for Splunk is installed, the next step consists on installing and configuring Splunk forwarder.

Installing the Wazuh app for Splunk in a Splunk cluster

Note

We can install the Wazuh app for Splunk in each search-head manually, but in case of having hundreds or even thousands of search-heads, it is more convenient to install it automatically. For this purpose, the deployer will be used, a machine that installs the Wazuh app for Splunk in every search-head at the same time and automatically.

Install the Wazuh app for Splunk on the deployer machine and follow the steps:

  1. Copy the Wazuh app for Splunk into the Splunk cluster folder:

    # cp -r installation_path/SplunkAppForWazuh /opt/splunk/etc/shcluster/apps
    
  2. Create the file that listens the outputs from the Wazuh API:

    # touch /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf
    
  3. Fill the outputs.conf file with the next lines:

    [indexer_discovery:cluster1]
    pass4SymmKey = changeme
    master_uri = https://<master_ip>:<management_port>
    
    [tcpout:cluster1_tcp]
    indexerDiscovery = cluster1
    
    [tcpout]
    defaultGroup = cluster1_tcp
    

    Note

    The indexerDiscovery attribute is used for setting the connection to peer nodes. More information about the indexerDiscovery attribute can be found here.

    Note

    <master_ip> references to the indexers master ip.

    Warning

    The https is required by default and the default port is 8089.

  4. Apply the changes:

    # /opt/splunk/bin/splunk apply shcluster-bundle -target https://<NODE_IP>:<management_port> -auth <user>:<password>
    

Now, we should have the /opt/splunk/etc/apps/SplunkAppForWazuh in every search head.

Update the Wazuh app for Splunk

  1. To perform the update, the Wazuh app for Splunk must be deleted from the deployer and reinstalled by following the previous steps:

    # rm -rf /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh
    
  2. Then, synchronized with the option -force and will be deleted from the search heads:

    # /opt/splunk/bin/splunk apply shcluster-bundle -force true -target https://<NODE_IP>:<management_port> -auth <user>:<password> -f