Install the Wazuh app for Splunk

Installation

1. Download the latest Wazuh app for Splunk:

   # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/wazuhapp-splunk-3.13.6_8.0.4.tar.gz
   

2. Install the Wazuh app for Splunk:

   1. CLI mode:

   # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
   

   # /opt/splunk/bin/splunk restart
   

   2. Web GUI:

   Apps -> Manage apps -> Install app from file
   

3. Open Splunk in your desired browser and click on the Wazuh app icon:

   

4. You will be redirected to the Settings tab to fill the form with the Wazuh API credentials. Use the URL and port from your Wazuh API server.

   By default, the Wazuh API port is 55000. The default username and password is foo:bar. It is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears on the bottom right corner if the connection is established.

   Note

   You can get more information about how to set up the credentials at Securing the Wazuh API.

   

   If you want to add the Wazuh API credentials more quickly (for instance, for deployment purposes) you can execute the following command:

   # curl -X POST "http://<SPLUNK_IP>:<SPLUNK_PORT>/en-US/custom/SplunkAppForWazuh/manager/add_api?url=<WAZUH_API_URL>&portapi=<WAZUH_API_PORT>&userapi=<WAZUH_API_USERNAME>&passapi=<WAZUH_API_PASSWORD>"
   

   Note the following:

   • <SPLUNK_IP> is the hostname or IP address of the Splunk instance where the Wazuh app for Splunk was installed.

   • <SPLUNK_PORT> is the port of the Splunk instance where the Wazuh app for Splunk was installed. By default, it is 8000.

   • <WAZUH_API_URL>, <WAZUH_API_PORT>, <WAZUH_API_USERNAME> and <WAZUH_API_PASSWORD> represent the Wazuh API credentials to be stored on the Wazuh app for Splunk. Keep in mind that the Wazuh API URL must include http:// or https://, depending on the current configuration.

When the Wazuh app for Splunk is installed, the next step consists on installing and configuring Splunk forwarder.

Installing the Wazuh app for Splunk in a Splunk cluster

Install the Wazuh app for Splunk on the deployer machine and follow the steps:

1. Copy the Wazuh app for Splunk into the Splunk cluster folder:

   # cp -r installation_path/SplunkAppForWazuh /opt/splunk/etc/shcluster/apps
   

2. Create the file that listens the outputs from the Wazuh API:

   # touch /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf
   

3. Fill the outputs.conf file with the next lines:

   [indexer_discovery:cluster1]
   pass4SymmKey = changeme
   master_uri = https://<master_ip>:<management_port>
   
   [tcpout:cluster1_tcp]
   indexerDiscovery = cluster1
   
   [tcpout]
   defaultGroup = cluster1_tcp
   

   Note

   The indexerDiscovery attribute is used for setting the connection to peer nodes. More information about the indexerDiscovery attribute can be found here.

   Note

   <master_ip> references to the indexers master ip.

   Warning

   The https is required by default and the default port is 8089.

4. Apply the changes:

   # /opt/splunk/bin/splunk apply shcluster-bundle -target https://<NODE_IP>:<management_port> -auth <user>:<password>
   

Now, we should have the /opt/splunk/etc/apps/SplunkAppForWazuh in every search head.

Update the Wazuh app for Splunk

1. To perform the update, the Wazuh app for Splunk must be deleted from the deployer and reinstalled by following the previous steps:

   # rm -rf /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh
   

2. Then, synchronized with the option -force and will be deleted from the search heads:

   # /opt/splunk/bin/splunk apply shcluster-bundle -force true -target https://<NODE_IP>:<management_port> -auth <user>:<password> -f