Install the Wazuh app for Splunk

The Wazuh app for Splunk offers a UI to visualize Wazuh alerts and Wazuh API data. Wazuh helps you gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.

Install the Wazuh app for Splunk in an all-in-one architecture

Note

  • This guide will install and configure the Wazuh app for Splunk 8.2.6. If you intend to configure a different version of Splunk with the Wazuh app, change the Splunk version number in the requests for the configuration files and the Wazuh app for Splunk. For example, if you intend to configure Splunk 8.2.2:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.6-1.tar.gz
    

    Becomes

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.2-1.tar.gz
    
  1. Download the latest Wazuh app for Splunk to the all-in-one server:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.6-1.tar.gz
    
  2. Install the Wazuh app for Splunk:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    

    Alternatively, install it from the Splunk web interface: Apps -> Manage apps -> Install app from file

  3. Restart Splunk:

    # /opt/splunk/bin/splunk restart
    
  4. Restart the Splunk forwarder:

    # /opt/splunkforwarder/bin/splunk restart
    
  5. Open Splunk in your desired browser and log in with the username and password created when the Splunk package was installed. Click on the Wazuh app icon.

  6. The app will redirect you to the Settings tab. Fill out the form with your Wazuh API credentials. Use the URL and port from your Wazuh API server.

    By default, the Wazuh API port is 55000. The default username and password is wazuh:wazuh. Once the API has been added, it is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears at the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials in the Securing the Wazuh API section.

    When the Wazuh app for Splunk is installed, the next step is installing and configuring the Splunk forwarder.

  7. To configure the index and source type used by the app, go to Settings/Index.

    The default values are wazuh for the index and All for the source type.

    Note

    The Wazuh app treats as valid any index whose source type contains the word wazuh. The installation guide sets the source type to wazuh by default.

    You can also select the API, Index, and Source Type using the Quick settings menu.

  8. Open the “Overview” tab, and you should start seeing alerts and events.

Install the Wazuh app for Splunk in a minimal distributed architecture

Note

  • This guide will install and configure the Wazuh app for Splunk 8.2.6. If you intend to configure a different version of Splunk with the Wazuh app, change the Splunk version number in the requests for the configuration files and the Wazuh app for Splunk. For example, if you intend to configure Splunk 8.2.2:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.6-1.tar.gz
    

    Becomes

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.2-1.tar.gz
    
  1. Download the latest Wazuh app for Splunk to the indexer node:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.6-1.tar.gz
    
  2. Install the Wazuh app for Splunk:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    # /opt/splunk/bin/splunk restart
    

    Alternatively, install it from the Splunk web interface: Apps -> Manage apps -> Install app from file

  3. Open Splunk in your desired browser and log in with the username and password created when the Splunk package was installed. Click on the Wazuh app icon.

  4. The app will redirect you to the Settings tab. If you are not redirected, select the settings icon to open the “Settings” page.

    Fill out the form with your Wazuh API credentials. Use the URL and port from your Wazuh API server.

    By default, the Wazuh API port is 55000. The default username and password is wazuh:wazuh. Once the API has been added, it is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears at the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials in the Securing the Wazuh API section.

  5. To configure the index and source type used by the app, go to Settings/Index.

    The default values are wazuh for the index and All for the source type.

    Note

    The Wazuh app treats as valid any index whose source type contains the word wazuh. The installation guide sets the source type to wazuh by default.

    You can also select the API, Index, and Source Type using the Quick settings menu.

  6. Open the “Overview” tab, and you should start seeing alerts and events.

Install the Wazuh app for Splunk in a multi-instance cluster

Note

  • We can install the Wazuh app for Splunk in each search-head manually, but in cases where there are many search-heads, it is more convenient to install it automatically. For this purpose, the deployer will be used. The deployer is an endpoint that installs the Wazuh app for Splunk in every search-head automatically.

  • See the official Splunk documentation for deploying a search head cluster.

  • This guide will install and configure the Wazuh app for Splunk 8.2.6. If you intend to configure a different version of Splunk with the Wazuh app, change the Splunk version number in the requests for the configuration files and the Wazuh app for Splunk. For example, if you intend to configure Splunk 8.2.2:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.6-1.tar.gz
    

    Becomes

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.2-1.tar.gz
    

Install the Wazuh app for Splunk on the deployer machine and follow the steps below:

  1. Download the latest Wazuh app for Splunk to the deployer node:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.3.8_8.2.6-1.tar.gz
    
  2. Install the Wazuh app for Splunk on the deployer:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    # /opt/splunk/bin/splunk restart
    
  3. Copy the Wazuh app for Splunk into the Splunk cluster folder:

    # cp -r $SPLUNK_HOME/etc/apps/SplunkAppForWazuh /opt/splunk/etc/shcluster/apps
    
  4. Create the file that listens for outputs from the Wazuh API:

    # touch /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf
    
  5. Add the following lines to outputs.conf:

    [indexer_discovery:cluster1]
    pass4SymmKey = changeme
    master_uri = https://<master_ip>:<management_port>
    
    [tcpout:cluster1_tcp]
    indexerDiscovery = cluster1
    
    [tcpout]
    defaultGroup = cluster1_tcp
    

    Note

    • The indexerDiscovery attribute sets up the connection to the peer nodes. More information about the indexerDiscovery attribute is available in the Splunk documentation.

    • <master_ip> is the IP address of the indexer cluster master.

    • changeme is the security key used for communication between the cluster master and the forwarders.

    Warning

    https is required by default and the default port is 8089.

  6. Apply the changes:

    # /opt/splunk/bin/splunk apply shcluster-bundle -target https://<NODE_IP>:<management_port> -auth <user>:<password>
    

    Where:

    <NODE_IP> is the IP address of the search head captain.
    <management_port> is the management port of the search head captain.

    The app should now be present at /opt/splunk/etc/apps/SplunkAppForWazuh on every search head.

  7. Open a Splunk search head instance in your desired browser and log in with the username and password created when the Splunk search head package was installed. Click on the Wazuh app icon.

  8. The app will redirect you to the Settings tab. If you are not redirected, select the settings icon to open the “Settings” page.

    Fill out the form with your Wazuh API credentials. Use the URL and port from your Wazuh master node.

    By default, the Wazuh API port is 55000. The default username and password is wazuh:wazuh. Once the API has been added, it is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears at the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials in the Securing the Wazuh API section.

  9. To configure the index and source type used by the app, go to Settings/Index.

    The default values are wazuh for the index and All for the source type.

    Note

    The Wazuh app treats as valid any index whose source type contains the word wazuh. The installation guide sets the source type to wazuh by default.

    You can also select the API, Index, and Source Type using the Quick settings menu.

  10. Open the “Overview” tab, and you should start seeing alerts and events.
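A pre-flight check of the outputs.conf written in step 5 before the bundle is applied in step 6, added here as an example (it is not part of the Wazuh or Splunk documentation). It assumes the file path created in step 4 and the stanza layout shown above; any sample values in its comments are constructed:

```shell
# Added example (not from the Wazuh or Splunk documentation): pre-flight checks on
# the deployer's outputs.conf before running `splunk apply shcluster-bundle`.
# The path below is the one created in step 4; override it with OUTPUTS_CONF.
OUTPUTS_CONF="${OUTPUTS_CONF:-/opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf}"

# conf_get STANZA KEY FILE: print the value of KEY inside [STANZA], or nothing.
# Handles both "key = value" and "key=value" and trims trailing whitespace.
conf_get() {
  awk -v st="[$1]" -v key="$2" '
    $0 == st { in_st = 1; next }
    /^\[/    { in_st = 0 }
    in_st && index($0, "=") {
      k = $0; sub(/[ \t]*=.*/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
    }' "$3"
}

# check_outputs_conf FILE: follow defaultGroup -> tcpout group -> indexer_discovery
# stanza, print every finding, and return the number of findings (0 = clean).
check_outputs_conf() {
  f="$1"; n=0
  grp=$(conf_get tcpout defaultGroup "$f")
  disc=$(conf_get "tcpout:$grp" indexerDiscovery "$f")
  key=$(conf_get "indexer_discovery:$disc" pass4SymmKey "$f")
  uri=$(conf_get "indexer_discovery:$disc" master_uri "$f")
  [ -n "$grp" ]  || { echo "[tcpout] has no defaultGroup"; n=$((n+1)); }
  [ -n "$disc" ] || { echo "[tcpout:$grp] has no indexerDiscovery"; n=$((n+1)); }
  case "$key" in
    ""|changeme) echo "pass4SymmKey is missing or still the 'changeme' sample value"; n=$((n+1)) ;;
  esac
  case "$uri" in
    *'<'*'>'*)        echo "master_uri still contains a <placeholder>"; n=$((n+1)) ;;
    https://*:[0-9]*) ;;   # https plus an explicit management port (8089 by default)
    *)                echo "master_uri must be https://<master_ip>:<management_port>, got '$uri'"; n=$((n+1)) ;;
  esac
  return $n
}

# Run against the deployer's copy when it exists; each finding is printed on its own line.
if [ -f "$OUTPUTS_CONF" ]; then
  check_outputs_conf "$OUTPUTS_CONF" && echo "outputs.conf passed all checks"
fi
```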
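The Settings step of each procedure above (steps 6, 4 and 8) verifies the Wazuh API connection from inside the app. As an added example, not from the Wazuh documentation, here is the same check from the Splunk host's shell; WAZUH_API_HOST is a placeholder you must set, and the port and default credential pair are the ones quoted above:

```shell
# Added example (not from the Wazuh documentation): a command-line version of the
# app's "Check connection" button, run from the Splunk host against the Wazuh API
# (POST /security/user/authenticate with HTTP basic auth). WAZUH_API_HOST is a
# placeholder you must set; the port default is the 55000 quoted in the guide.
WAZUH_API_HOST="${WAZUH_API_HOST:-<wazuh_api_ip>}"
WAZUH_API_PORT="${WAZUH_API_PORT:-55000}"

# is_default_wazuh_credentials USER PASS: true for the shipped wazuh:wazuh pair,
# which should not survive into a production Splunk integration.
is_default_wazuh_credentials() {
  [ "$1" = "wazuh" ] && [ "$2" = "wazuh" ]
}

# extract_token: pull data.token out of the API's JSON reply on stdin without jq,
# e.g. {"data": {"token": "eyJ..."}, "error": 0}  ->  eyJ...
extract_token() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# wazuh_api_check USER PASS: print the JWT if the API accepted the credentials,
# otherwise return non-zero. --insecure accommodates the self-signed certificate
# the API ships with; remove it once the API presents a certificate Splunk trusts.
wazuh_api_check() {
  if is_default_wazuh_credentials "$1" "$2"; then
    echo "warning: still using the default wazuh:wazuh credentials" >&2
  fi
  resp=$(curl -s --insecure -u "$1:$2" -X POST \
    "https://$WAZUH_API_HOST:$WAZUH_API_PORT/security/user/authenticate") || return 1
  token=$(printf '%s' "$resp" | extract_token)
  [ -n "$token" ] || { echo "no token in reply: $resp" >&2; return 1; }
  printf '%s\n' "$token"
}

# Usage once WAZUH_API_HOST is set, e.g.:  wazuh_api_check wazuh 'your-password'
```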

Update the Wazuh app for Splunk

  1. To perform the update, the Wazuh app for Splunk must be deleted from the deployer and reinstalled by following the previous steps:

    # rm -rf /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh
    
  2. Then, synchronize the search heads with the -force option. This will delete the Wazuh app for Splunk from the search heads:

    # /opt/splunk/bin/splunk apply shcluster-bundle -force true -target https://<NODE_IP>:<management_port> -auth <user>:<password> -f
    

Troubleshooting the Wazuh app for Splunk installation errors

In some situations, after installing the Wazuh app for Splunk, the API input boxes are not displayed. Follow the steps below to fix this behavior:

  1. Check the permissions on /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key:

    # ls -lhs /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key
    
  2. If the permissions are not set to 400, update them:

    # chmod -R 400 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key