Install the Wazuh app for Splunk¶
The Wazuh app for Splunk offers a UI to visualize the Wazuh alerts and the Wazuh API data. Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
Download the latest Wazuh app for Splunk:
# curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/wazuhapp-splunk-3.13.2_8.0.4.tar.gz
Install the Wazuh app for Splunk:
# /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
# /opt/splunk/bin/splunk restart
Apps -> Manage apps -> Install app from file
Open Splunk in your desired browser and click on the Wazuh app icon:
You will be redirected to the Settings tab to fill the form with the
Wazuh API credentials. Use the URL and port from your Wazuh API server.
By default, the Wazuh API port is
55000. The default username and password is
foo:bar. It is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears on the bottom right corner if the connection is established.
You can get more information about how to set up the credentials at Securing the Wazuh API.
If you want to add the
Wazuh API credentialsmore quickly (for instance, for deployment purposes) you can execute the following command:
# curl -X POST "http://<SPLUNK_IP>:<SPLUNK_PORT>/en-US/custom/SplunkAppForWazuh/manager/add_api?url=<WAZUH_API_URL>&portapi=<WAZUH_API_PORT>&userapi=<WAZUH_API_USERNAME>&passapi=<WAZUH_API_PASSWORD>"
Note the following:
hostname or IP addressof the Splunk instance where the Wazuh app for Splunk was installed.
portof the Splunk instance where the Wazuh app for Splunk was installed. By default, it is 8000.
Wazuh API credentialsto be stored on the Wazuh app for Splunk. Keep in mind that the Wazuh API URL must include
https://, depending on the current configuration.
When the Wazuh app for Splunk is installed, the next step consists on installing and configuring Splunk forwarder.
Installing the Wazuh app for Splunk in a Splunk cluster¶
We can install the Wazuh app for Splunk in each search-head manually, but in case of having hundreds or even thousands of search-heads, it is more convenient to install it automatically.
For this purpose, the
deployer will be used, a machine that installs the Wazuh app for Splunk in every search-head at the same time and automatically.
Install the Wazuh app for Splunk on the
deployer machine and follow the steps:
Copy the Wazuh app for Splunk into the Splunk cluster folder:
# cp -r installation_path/SplunkAppForWazuh /opt/splunk/etc/shcluster/apps
Create the file that listens the outputs from the Wazuh API:
# touch /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf
outputs.conffile with the next lines:
[indexer_discovery:cluster1] pass4SymmKey = changeme master_uri = https://<master_ip>:<management_port> [tcpout:cluster1_tcp] indexerDiscovery = cluster1 [tcpout] defaultGroup = cluster1_tcp
indexerDiscoveryattribute is used for setting the connection to peer nodes. More information about the
indexerDiscoveryattribute can be found here.
<master_ip>references to the indexers master ip.
httpsis required by default and the default port is 8089.
Apply the changes:
# /opt/splunk/bin/splunk apply shcluster-bundle -target https://<NODE_IP>:<management_port> -auth <user>:<password>
Now, we should have the
/opt/splunk/etc/apps/SplunkAppForWazuh in every
Update the Wazuh app for Splunk¶
To perform the update, the Wazuh app for Splunk must be deleted from the deployer and reinstalled by following the previous steps:
# rm -rf /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh
Then, synchronized with the option
-forceand will be deleted from the search heads:
# /opt/splunk/bin/splunk apply shcluster-bundle -force true -target https://<NODE_IP>:<management_port> -auth <user>:<password> -f