Mastering Wazuh FIM & Integrations
Learn how to deploy File Integrity Monitoring (FIM), configure real-time auditing (Syscheck/WhoData), integrate VirusTotal threat intelligence, map Tailscale remote networking, and manage agent configurations visually using DWService.
Windows File Auditing
Wazuh monitors folders (such as C:\Users\Username\Desktop) in real time. By enabling System Access Control Lists (SACLs) and WhoData auditing, Wazuh records which user and which process modified or deleted each file.
Key Concepts:
- directories attributes: check_all (runs every integrity check), report_changes (stores and reports diffs), realtime (alerts immediately instead of waiting for the next scheduled scan).
- whodata: Tracks user name, process ID, and application path for any file change.
Ubuntu 24.04 Monitoring
Linux agents use the Linux audit subsystem (auditd) to attribute file write/modify syscalls to a user and process; combined with report_changes, this lets Wazuh generate integrity events that show exactly which lines changed.
Key Concepts:
- auditd: Linux auditing daemon used by Wazuh to collect WhoData context.
- diff details: Displays line-by-line modifications of the monitored files.
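The Windows and Ubuntu sections above both come down to the <syscheck> block in the agent's ossec.conf. The fragment below is an added example (it is not configuration from the course or from the Wazuh project) showing one Windows and one Linux agent configured with whodata, report_changes and realtime. The monitored paths and the ignore/nodiff entries are placeholders; it assumes the auditd package is installed on the Ubuntu agent and that the Windows object-access audit policy and folder SACLs are in place (the agent configures these itself when whodata is enabled, unless Group Policy manages audit settings centrally).

```xml
<!-- Added example: <syscheck> fragments for the agent-side ossec.conf.
     Paths are placeholders; replace them with the folders you actually monitor. -->

<!-- Windows agent: whodata="yes" implies real-time monitoring and adds
     user / process ID / process path to every file-change alert. -->
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>          <!-- full scheduled scan every 12 hours -->
  <scan_on_start>yes</scan_on_start>
  <directories check_all="yes" report_changes="yes" whodata="yes">C:\Users\Username\Desktop</directories>
  <!-- realtime="yes" alone gives instant alerts but no user/process attribution -->
  <directories check_all="yes" realtime="yes">C:\Users\Username\Documents</directories>
  <ignore type="sregex">.tmp$|.lnk$</ignore>  <!-- skip noisy temp and shortcut files -->
</syscheck>

<!-- Linux agent (Ubuntu 24.04): needs the auditd package. With whodata="yes" the
     agent installs audit rules (key wazuh_fim) for each listed directory, so the
     alert carries the login user, effective user, PID and program path. -->
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>
  <directories check_all="yes" report_changes="yes" whodata="yes">/home/student/Documents</directories>
  <directories check_all="yes" report_changes="yes" whodata="yes">/etc</directories>
  <ignore>/etc/mtab</ignore>                     <!-- rewritten constantly; not useful -->
  <nodiff>/etc/app/secret.conf</nodiff>          <!-- alert on change, never store a diff -->
</syscheck>
```

After editing, restart the agent and confirm the audit hooks took: on Ubuntu, `auditctl -l` should list the `-k wazuh_fim` rules for each directory; on Windows, the folder's Auditing tab under Advanced Security Settings shows the SACL the agent added. Diffs only appear for text files and are capped by the agent's diff size limit, so a binary change still alerts but without a line-by-line view.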
VirusTotal Threat Intel
The Wazuh manager can query the VirusTotal API with the MD5/SHA256 hashes of modified files. Coupled with Active Response, it automatically remediates files that VirusTotal flags as malicious.
Key Concepts:
- VT Integration: Automatically checks hashes against 70+ AV scanner databases.
- Active Response: Automatically runs threat deletion or firewall scripts upon threat detection.
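The two pieces above, the VirusTotal lookup and the Active Response that acts on its result, are wired together in the manager's ossec.conf. The fragment below is an added example (not the course's or Wazuh's own configuration). The API key is a placeholder, and remove-threat.sh is an assumed custom script that you would place in the agent's active-response/bin directory; it receives the alert as JSON on standard input and is expected to delete the file path carried in the alert.

```xml
<!-- Added example: manager-side ossec.conf. The integration is triggered by
     syscheck (FIM) alerts; the hash of the changed file is sent to VirusTotal. -->
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>REPLACE_WITH_VT_API_KEY</api_key>   <!-- placeholder -->
    <group>syscheck</group>                       <!-- only FIM alerts are checked -->
    <alert_format>json</alert_format>
  </integration>

  <!-- Command the manager can push to agents. remove-threat.sh is an assumed
       custom script in /var/ossec/active-response/bin/ on the agent. -->
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Fire only on rule 87105, the built-in VirusTotal rule raised when one or
       more engines flag the hash. The rules for clean or unknown hashes never
       match, so benign edits are logged but not acted on. -->
  <active-response>
    <disable>no</disable>
    <command>remove-threat</command>
    <location>local</location>                   <!-- run on the agent that raised the alert -->
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
```

Two caveats worth keeping in mind: the public VirusTotal API is rate-limited, so a large scheduled scan can queue many lookups and make the integration lag; and an auto-delete response should be scoped with `<rules_id>` exactly as above, because binding it to the broader syscheck group would remove every edited file, flagged or not. Check `/var/ossec/logs/active-responses.log` on the agent to confirm the script ran and what it removed.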
Classroom Network Routing & Centralized Management
Tailscale VPN vs. Proxmox Subnets
Our classroom VMs run in a Proxmox virtual environment. Remote students connect securely via Tailscale. You must understand which IP to use: the Private IP is for agent-to-manager communications (inside Proxmox LAN), while the Tailscale IP is for external access (e.g. SSH and loading the Wazuh Kibana Dashboard from your home PC).
Bonus: Visual File Management via DWService
DWService provides a web-based portal to view files, monitor resources, and edit endpoint configurations. In Lab 5, we show how DWService makes modifying agent ossec.conf settings easy without using shell-based text editors.
Lab 1: Reading Logs (Decoders & Rules Engineering)
Your Linux agent has a custom financial application writing events to `/var/log/finance.log`. You need to configure Wazuh decoders and rules to parse this application's custom events and raise high-severity alerts for failed transactions.
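A complete worked version of this lab, as an added example and not the course's solution, follows. It assumes a constructed log format for the finance application, shown in the first comment; adapt the prematch and regex to whatever the real application writes. The agent-side <localfile> goes in the agent's ossec.conf, the decoders in the manager's local_decoder.xml and the rules in local_rules.xml.

```xml
<!-- Added example. Constructed sample line in /var/log/finance.log:
     May  1 10:22:13 fin01 finance-app TRANSACTION id=TX1001 user=alice amount=250.00 status=FAILED reason=insufficient_funds
-->

<!-- 1. Agent ossec.conf: ship the file to the manager. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/finance.log</location>
</localfile>

<!-- 2. Manager /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Parent decoder: cheap prematch that identifies the application. -->
<decoder name="finance-app">
  <prematch>finance-app TRANSACTION </prematch>
</decoder>
<!-- Child decoder: extract the fields after the prematch. srcuser is a built-in
     field; tx_id, amount and status become dynamic fields usable in rules. -->
<decoder name="finance-app-fields">
  <parent>finance-app</parent>
  <regex offset="after_prematch">id=(\S+) user=(\S+) amount=(\S+) status=(\S+)</regex>
  <order>tx_id, srcuser, amount, status</order>
</decoder>

<!-- 3. Manager /var/ossec/etc/rules/local_rules.xml (custom ids 100000-119999) -->
<group name="finance,local,">
  <!-- Base rule: every decoded transaction, low level, so it is logged but not paged. -->
  <rule id="100100" level="3">
    <decoded_as>finance-app</decoded_as>
    <description>Finance app: transaction $(tx_id) by $(srcuser), status $(status)</description>
  </rule>

  <!-- High severity on a single failed transaction. -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <field name="status">^FAILED$</field>
    <description>Finance app: FAILED transaction $(tx_id) for user $(srcuser), amount $(amount)</description>
    <group>transaction_failed,</group>
  </rule>

  <!-- Escalate when the same user fails five times within two minutes. -->
  <rule id="100102" level="13" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_srcuser />
    <description>Finance app: repeated failed transactions for user $(srcuser) (possible fraud or abuse)</description>
    <group>transaction_failed,multiple_failures,</group>
  </rule>
</group>
```

Test the decoder and rules before restarting the manager by pasting the sample line into `/var/ossec/bin/wazuh-logtest`: the output should show decoder `finance-app`, the extracted fields, and rule 100101 at level 12 for the FAILED line. A line with `status=OK` should stop at rule 100100. The dashboard only shows alerts at or above the manager's `log_alert_level`, so the level-3 base rule is normally archived rather than displayed.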