Install the Wazuh app for Splunk

Wazuh app for Splunk offers a UI to visualize Wazuh alerts and Wazuh API data. Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.

Installation

  1. Download the latest Wazuh app for Splunk:

    # curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.2.1_8.1.3-1.tar.gz
    
  2. Install the Wazuh app for Splunk:

    # /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
    # /opt/splunk/bin/splunk restart
    
    Apps -> Manage apps -> Install app from file
    
  3. Open Splunk in your desired browser and click on the Wazuh app icon:

    ../../../_images/app-icon.png
  4. The app will redirect you to the Settings tab, where fill the form with your Wazuh API credentials. Use the URL and port from your Wazuh API server.

    By default, the Wazuh API port is 55000. The default username and password is wazuh:wazuh.

    Once added the API, it is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears on the bottom right corner if the connection is established.

    Note

    You can get more information about how to set up the credentials at Securing the Wazuh API.

When the Wazuh app for Splunk is installed, the next step consists on installing and configuring Splunk forwarder.

Installing the Wazuh app for Splunk in a Splunk cluster

Note

We can install the Wazuh app for Splunk in each search-head manually, but in case of having hundreds or even thousands of search-heads, it is more convenient to install it automatically. For this purpose, the deployer will be used, a machine that installs the Wazuh app for Splunk in every search-head at the same time and automatically.

Install the Wazuh app for Splunk on the deployer machine and follow the steps:

  1. Copy the Wazuh app for Splunk into the Splunk cluster folder:

    # cp -r installation_path/SplunkAppForWazuh /opt/splunk/etc/shcluster/apps
    
  2. Create the file that listens the outputs from the Wazuh API:

    # touch /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf
    
  3. Fill the outputs.conf file with the next lines:

    [indexer_discovery:cluster1]
    pass4SymmKey = changeme
    master_uri = https://<master_ip>:<management_port>
    
    [tcpout:cluster1_tcp]
    indexerDiscovery = cluster1
    
    [tcpout]
    defaultGroup = cluster1_tcp
    

    Note

    The indexerDiscovery attribute is used for setting the connection to peer nodes. More information about the indexerDiscovery attribute can be found here.

    Note

    <master_ip> references to the indexers master ip.

    Warning

    The https is required by default and the default port is 8089.

  4. Apply the changes:

    # /opt/splunk/bin/splunk apply shcluster-bundle -target https://<NODE_IP>:<management_port> -auth <user>:<password>
    

Now, we should have the /opt/splunk/etc/apps/SplunkAppForWazuh in every search head.

Update the Wazuh app for Splunk

  1. To perform the update, the Wazuh app for Splunk must be deleted from the deployer and reinstalled by following the previous steps:

    # rm -rf /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh
    
  2. Then, synchronized with the option -force and will be deleted from the search heads:

    # /opt/splunk/bin/splunk apply shcluster-bundle -force true -target https://<NODE_IP>:<management_port> -auth <user>:<password> -f