Install the Wazuh app for Splunk

The Wazuh app for Splunk offers a UI to visualize Wazuh alerts and Wazuh API data. Wazuh helps you gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.

For the correct operation and communication, the Wazuh app for Splunk and the Wazuh server must run the same version, for example version 4.4.5.

The following sections show how to install it, update it, and troubleshoot eventual installation errors.

Wazuh app for Splunk

Note

  • This guide installs and configures the Wazuh app for Splunk 8.2. If you intend to configure another version, such as 8.1, change the Splunk version number in the requests for the configuration files and the Wazuh app for Splunk. For example:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.4.5_8.2-1.tar.gz
    

    Becomes

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.4.5_8.1-1.tar.gz
    

    Check the Splunk compatibility matrix for more information.

Install the Wazuh app for Splunk in an all-in-one architecture

  1. Download the latest Wazuh app for Splunk to the all-in-one server:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.4.5_8.2-1.tar.gz
    
  2. Install the Wazuh app for Splunk:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    
  3. Restart Splunk:

    # /opt/splunk/bin/splunk restart
    
  4. Restart the Splunk forwarder:

    # /opt/splunkforwarder/bin/splunk restart
    
  5. Open Splunk in your desired browser and log in with the username and password created when the Splunk package was installed. Click on the Wazuh app icon.

  6. The app will redirect you to the Settings tab. Fill out the form with your Wazuh API credentials. Use the URL and port from your Wazuh API server.

    By default, the Wazuh API port is 55000, and the default username and password are wazuh:wazuh. Once the API has been added, you can check the connection by pressing the Check connection button on each Wazuh API entry. A success message appears in the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials at Securing the Wazuh API section.

    Wazuh API configuration

    When the Wazuh app for Splunk is installed, the next step is installing and configuring the Splunk forwarder.

  7. In order to configure the index and source type of the app, go to Settings/Index (view image).

    The default values are wazuh for the index and All for the source type.

    Note

    The Wazuh app treats as valid every index whose source type contains the word wazuh. The source type set by the installation guide defaults to wazuh.

    Configure the index and source type

    You can also select the API, Index, and Source Type using the Quick settings menu.

  8. Open the “Overview” tab, and you should start seeing alerts and events.

    Alerts dashboard

Install the Wazuh app for Splunk in a minimal distributed architecture

  1. Download the latest Wazuh app for Splunk to the indexer node:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.4.5_8.2-1.tar.gz
    
  2. Install the Wazuh app for Splunk:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    # /opt/splunk/bin/splunk restart
    
  3. Open Splunk in your desired browser and log in with the username and password created when the Splunk package was installed. Click on the Wazuh app icon.

  4. The app will redirect you to the Settings tab. If you are not redirected there, select the settings icon, which takes you to the “Settings” page.

    Settings icon

    Fill out the form with your Wazuh API credentials. Use the URL and port from your Wazuh API server.

    By default, the Wazuh API port is 55000, and the default username and password are wazuh:wazuh. Once the API has been added, you can check the connection by pressing the Check connection button on each Wazuh API entry. A success message appears in the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials at Securing the Wazuh API section.

    Wazuh API credentials

  5. In order to configure the index and source type of the app, go to Settings/Index (view image).

    The default values are wazuh for the index and All for the source type.

    Note

    The Wazuh app treats as valid every index whose source type contains the word wazuh. The source type set by the installation guide defaults to wazuh.

    Settings/Index

    You can also select the API, Index, and Source Type using the Quick settings menu.

  6. Open the “Overview” tab, and you should start seeing alerts and events.

    Alerts dashboard

Install the Wazuh app for Splunk in a multi-instance cluster

Install the Wazuh app for Splunk on the deployer machine and follow the steps below:

  1. Download the latest Wazuh app for Splunk to the deployer node:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.4.5_8.2-1.tar.gz
    
  2. Install the Wazuh app for Splunk on the deployer:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    # /opt/splunk/bin/splunk restart
    
  3. Copy the Wazuh app for Splunk into the Splunk cluster folder:

    # cp -r $SPLUNK_HOME/etc/apps/SplunkAppForWazuh /opt/splunk/etc/shcluster/apps
    
  4. Create the file that listens for outputs from the Wazuh API:

    # touch /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf
    
  5. Fill the outputs.conf file with the next lines:

    [indexer_discovery:cluster1]
    pass4SymmKey = changeme
    master_uri = https://<master_ip>:<management_port>
    
    [tcpout:cluster1_tcp]
    indexerDiscovery = cluster1
    
    [tcpout]
    defaultGroup = cluster1_tcp
    

    Note

    • The indexerDiscovery attribute is used for setting the connection to peer nodes. More information about the indexerDiscovery attribute can be found here.

    • <master_ip> references the IP address of the indexer cluster master.

    • changeme references the security key used for communication between the cluster master and the forwarders; replace it with your own key.

    Warning

    HTTPS is required by default, and the default management port is 8089.

  6. Apply the changes:

    # /opt/splunk/bin/splunk apply shcluster-bundle -target https://<NODE_IP>:<management_port> -auth <user>:<password>
    

    Where:

    <NODE_IP> references the search head captain IP address.
    <management_port> references the search head captain management port.

    After the bundle is applied, the /opt/splunk/etc/apps/SplunkAppForWazuh directory should exist on every search head.

  7. Open a Splunk search head instance in your desired browser and log in with the username and password created when the Splunk search head package was installed. Click on the Wazuh app icon.

  8. The app will redirect you to the Settings tab. If you are not redirected there, select the settings icon, which takes you to the “Settings” page.

    Settings page

    Fill out the form with your Wazuh API credentials. Use the URL and port from your Wazuh master node.

    By default, the Wazuh API port is 55000, and the default username and password are wazuh:wazuh. Once the API has been added, you can check the connection by pressing the Check connection button on each Wazuh API entry. A success message appears in the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials at Securing the Wazuh API section.

    Wazuh API setting

  9. In order to configure the index and source type of the app, go to Settings/Index (view image).

    The default values are wazuh for the index and All for the source type.

    Note

    The Wazuh app treats as valid every index whose source type contains the word wazuh. The source type set by the installation guide defaults to wazuh.

    Index tab

    You can also select the API, Index, and Source Type using the Quick settings menu.

  10. Open the “Overview” tab, and you should start seeing alerts and events.

    Alerts dashboard
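The outputs.conf written in step 5 of the cluster procedure above carries two placeholder values (the pass4SymmKey of changeme and the <master_ip>:<management_port> in master_uri) that are easy to forget before running `splunk apply shcluster-bundle`. The following checker is an added example, not part of the Wazuh app or of Splunk: it parses a file of the shape the guide shows, verifies that the [tcpout], [tcpout:<group>] and [indexer_discovery:<name>] stanzas reference each other, and flags a placeholder key, a placeholder URI, or a non-HTTPS master_uri (the port 8089 default and the HTTPS requirement come from the warning in the guide). The sample file embedded below is constructed from the guide's own snippet.

```python
"""Pre-deployment sanity check for the search head cluster outputs.conf.

Added example, not Wazuh or Splunk code. It validates the stanzas the
guide asks you to create and reports placeholder or weak values.
"""
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample: the file exactly as the guide shows it, placeholders included.
SAMPLE_OUTPUTS_CONF = """\
[indexer_discovery:cluster1]
pass4SymmKey = changeme
master_uri = https://<master_ip>:<management_port>

[tcpout:cluster1_tcp]
indexerDiscovery = cluster1

[tcpout]
defaultGroup = cluster1_tcp
"""

PLACEHOLDER = re.compile(r"<[^>]+>")  # anything still written as <name>


def parse_outputs_conf(text):
    """Parse outputs.conf text; Splunk keys are camelCase, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_outputs_conf(text):
    """Return a list of findings; an empty list means the file looks ready to deploy."""
    cp = parse_outputs_conf(text)
    findings = []

    # 1. [tcpout] must name a default group with a matching [tcpout:<group>] stanza.
    default_group = cp.get("tcpout", "defaultGroup", fallback=None)
    if not default_group:
        return ["[tcpout] has no defaultGroup"]
    group_stanza = f"tcpout:{default_group}"
    if not cp.has_section(group_stanza):
        return [f"defaultGroup points at missing stanza [{group_stanza}]"]

    # 2. The group must reference an indexer_discovery stanza that exists.
    discovery = cp.get(group_stanza, "indexerDiscovery", fallback=None)
    if not discovery:
        return [f"[{group_stanza}] has no indexerDiscovery"]
    disc_stanza = f"indexer_discovery:{discovery}"
    if not cp.has_section(disc_stanza):
        return [f"indexerDiscovery points at missing stanza [{disc_stanza}]"]

    # 3. The shared key must not be empty or the documented placeholder.
    key = cp.get(disc_stanza, "pass4SymmKey", fallback="")
    if key in ("", "changeme"):
        findings.append(f"[{disc_stanza}] pass4SymmKey is unset or still 'changeme'")

    # 4. master_uri must be filled in, use https, and carry a host and a numeric port.
    uri = cp.get(disc_stanza, "master_uri", fallback="")
    if PLACEHOLDER.search(uri):
        findings.append(f"[{disc_stanza}] master_uri still contains a <placeholder>")
    else:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append(
                f"[{disc_stanza}] master_uri must use https, got '{parts.scheme or 'none'}'"
            )
        try:
            port = parts.port
        except ValueError:  # non-numeric port such as https://host:abc
            port = None
        if not parts.hostname or not port:
            findings.append(f"[{disc_stanza}] master_uri needs a host and a port (default 8089)")
    return findings


if __name__ == "__main__":
    for finding in check_outputs_conf(SAMPLE_OUTPUTS_CONF):
        print("outputs.conf:", finding)
```

Run it against the real file with `check_outputs_conf(open(path).read())` before step 6; the guide's snippet as written produces two findings (the placeholder key and the placeholder URI), and a file with a real key and `https://<ip>:8089` filled in produces none.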

Update the Wazuh app for Splunk

  1. To perform the update, the Wazuh app for Splunk must be deleted from the deployer and reinstalled by following the previous steps:

    # rm -rf /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh
    
  2. Then, synchronize the search heads with the option -force. This deletes the Wazuh app for Splunk from the search heads:

    # /opt/splunk/bin/splunk apply shcluster-bundle -force true -target https://<NODE_IP>:<management_port> -auth <user>:<password> -f
    

Troubleshooting the Wazuh app for Splunk installation errors

In some situations, after installing the Wazuh app for Splunk, the API input boxes are not displayed. Follow the steps below to fix this behavior:

  1. Check the permissions on /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key:

    # ls -lhs /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key
    
  2. If the permissions are not set to 400, update them:

    # chmod -R 400 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key
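The two troubleshooting steps above check and then tighten the mode of the KV store key file. The following script is an added example (not Splunk's or Wazuh's own tooling) that does both in one place: it reads the permission bits, reports whether they are exactly 0400, and only rewrites them when they differ, so it can be run repeatedly as a post-install check. The default path is the one from the guide; any other path is the caller's choice.

```python
"""Check and repair the mode of the Splunk KV store key file.

Added example, not Splunk or Wazuh code. Default path taken from the
troubleshooting section of the guide.
"""
import os
import stat
import sys

SPLUNK_KEY = "/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key"
EXPECTED_MODE = 0o400  # owner read only, as the guide requires


def key_mode(path=SPLUNK_KEY):
    """Return the permission bits of path as an int, e.g. 0o400."""
    return stat.S_IMODE(os.stat(path).st_mode)


def key_permissions_ok(path=SPLUNK_KEY):
    """True only when the file is exactly 0400 (no group/other access, no write or exec)."""
    return key_mode(path) == EXPECTED_MODE


def fix_key_permissions(path=SPLUNK_KEY):
    """Set the file to 0400 if it is not already.

    Returns (changed, mode_before, mode_after) so callers can log what happened.
    """
    before = key_mode(path)
    if before != EXPECTED_MODE:
        os.chmod(path, EXPECTED_MODE)
    after = key_mode(path)
    return before != EXPECTED_MODE, before, after


def describe(path=SPLUNK_KEY):
    """Human-readable one-line status for the key file."""
    mode = key_mode(path)
    status = "ok" if mode == EXPECTED_MODE else f"expected {EXPECTED_MODE:04o}"
    return f"{path}: mode {mode:04o} ({status})"


if __name__ == "__main__":
    # Usage: python check_splunk_key.py [--fix] [path]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    path = args[0] if args else SPLUNK_KEY
    print(describe(path))
    if "--fix" in sys.argv[1:]:
        changed, before, after = fix_key_permissions(path)
        print("changed" if changed else "unchanged", f"{before:04o} -> {after:04o}")
```

Run with `--fix` as a user that owns the file (normally the account Splunk runs as) to apply the same change as the `chmod 400` in step 2; without `--fix` it only reports, which is the safer mode for an automated health check.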