Wazuh, foo?
Getting Started with Wazuh - Part 1
Inspired by John Hammond's excellent video on Wazuh, I decided to break out my trusty Raspberry Pi and take a swing at firing up a mini-SOC. I haven't used it in a few years, and I wanted something I could leave running on my network versus just another VM on my laptop.
Did I read all of the instructions on how to do this? You know damn well I didn't. Between John's sultry voice and Wazuh's super-clean support pages, how long could it possibly take? (The answer should come as no surprise to anyone…)
To improve my documenting habits, I took notes on what I did as I proceeded on my odyssey.
Wazuh on Raspberry Pi Installation Guide
- Pull out Raspberry Pi and notice it's missing a memory card. Order a new microSD card from Amazon.
- Realize the old card is still in my Flipper Zero. Steal from the robo-dolphin and pop it into an adapter. Question why Er4k4 is always so angry…
- Download Ubuntu Server .iso file to the microSD card.
- Insert microSD into the Raspberry Pi. Power on the Pi. No green light.
- Remember that you can't boot up the OS until the drive is configured correctly (yada, yada, yada, drive partitions, yada, yada, boot loader…).
- Try to remember the name of that damn software I used to make a bootable Kali Linux USB stick.
- Search DuckDuckGo. Find Balena Etcher; download immediately.
- Install Balena Etcher and create a bootable drive for Raspberry Pi.
- Have an internal debate on the merits of writing a blog and cataloging my every misstep. Lose argument to my inner child.
- Boot up the Pi—no green light.
- Realize power requirements for the Raspberry Pi might be more significant than the output from my USB hub. Search for the Raspberry Pi power cable.
- Find the correct cable after a prolonged battle in the “Box of Forgotten Cables and PlayStation Controllers.”
- Search for a space on the power strip for the power cable. Realize that the Anker USB Travel Charger I thought I lost last year is sitting under my desk, plugged into the power strip, with nothing connected.
- Boot up the Raspberry Pi—no green light.
- Let the sense of hopelessness wash over your body as you realize that the power issue was not why the Raspberry Pi did not boot up.
- Review documentation on Ubuntu Server to verify the Raspberry Pi can handle the OS. Fun Fact: 1 GHz CPU and 1 GB RAM is all you need.
- Flash the disk a second time with CentOS instead.
- Pray to the Old Gods and the New Gods.
- Fail to appease the gods and get nothing. Check to ensure the OS is compatible with the Raspberry Pi. It is.
- Download the Raspberry Pi Image Installer (they didn't have this last time I installed RetroPie). Use the installer to adjust the initial settings. Configure Wi-Fi and SSH login, default username (Stormshadow), and my default lab password (I know, I know).
- Re-image drive for the third time. We're on Ubuntu Desktop 23.10 now.
- Look back at my previous steps and wonder why I keep doing this to myself.
- Power up the Raspberry Pi one more time.
- Green light! SUCCESS!
- Try to remember why I was installing a new OS in the first place.
- Run OS updates. Run the command to install Wazuh.
- Nothing. Check directories. Nothing. Maybe no network connection? Check ifconfig. Realize ifconfig is not installed by default. Install net tools. Check ifconfig. Nothing.
- Realize I typed a '0' instead of 'O.' Retry the command to install Wazuh.
- Receive an error message stating the OS is incompatible with Wazuh.
- Fuck you, this is happening. Rerun the command with -i modifier (ignore compatibility checks).
- Wait.
- Nope. Same error. Damn.
- Do it again with Ubuntu Desktop 22 LTS.
But first, sleep because this shit has taken way longer than expected, and it is already midnight. Time flies when you’re troubleshooting.
- Come back refreshed a day later. Attempt to log in to Ubuntu. Fail. Repeat multiple times. Realize Ubuntu is just running painfully slow. Decide to try again with CentOS.
- Download CentOS.
- Realize it's the wrong architecture (AMD vice ARM), and re-download the right one. Oh, wait a minute, there is a Raspberry Pi-compatible version of Ubuntu Server... Son of a bitch.
- Download Ubuntu Server for the Raspberry Pi. Image drive. Install, and FUCK YEAH IT'S BOOTING UP AGAIN!!
Aaaaaand, we're at another dead end.
According to Wazuh, my OS is incompatible because it's not 64-bit. I'm not sure how that works (definitely running a 64-bit OS), but now I've got to figure something else out. I'm beginning to suspect it's an issue with the version of Wazuh I'm trying to install. I have the Ubuntu server up and running, but it's still giving me an error even when I try different Wazuh packages. It is now midnight again—time to break contact and re-attack later.
So, what did we learn?
- Read the documentation first and validate all requirements (hardware and software). The last time I messed with my Raspberry Pi was several years ago, and I forgot I was using a Raspberry Pi 3B+. This meant I was looking up the wrong information when searching for support. Although I did read Wazuh's documentation to verify requirements, what I failed to do was spend the same time validating I had chosen a compatible OS for both Wazuh AND the Raspberry Pi hardware.
- Plan your deployment. Ensure you have all the components ready. Download your .iso files, ensure you have the software to flash a boot drive, and prep the hardware in advance. Walk through the process first to potentially find and address issues before they crop up.
- Allocate sufficient time to accomplish the entire deployment. This will not be fast. Take your time and add that 30% waste factor. I don’t know about you, but even small tech projects can consume way more time than you anticipate. Particularly if you underestimate the complexity of your task, you may find yourself spending far more time troubleshooting.
- Take good notes on the process. Although this is the most I've recorded on a procedure like this, I usually don't write up anything when I'm configuring and testing new VMs. That doesn't help in the future when you need to either repeat those procedures or validate they were done correctly. Be sure to document all the pertinent details: file locations, OS versions, steps taken, and configuration changes. None of it seems important until it becomes important.
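One way to script the "validate all requirements" lesson before running an installer that insists on a 64-bit OS, as an added example (not from the original post and not part of Wazuh's tooling). It compares the kernel architecture from `uname -m` with the userland word size from `getconf LONG_BIT`, because the two can differ on the same board, and checks RAM against a minimum. The function names and the 2048 MiB default are assumptions; take the real minimums from the vendor's documentation.

```shell
#!/bin/sh
# Added example: pre-install check for a product that requires a 64-bit OS.
# Function names and the memory threshold are assumptions, not vendor values.

# classify_bitness KERNEL_ARCH USERLAND_BITS -> 64bit | mixed | 32bit
# "mixed" = 64-bit kernel with 32-bit userland, which still runs 32-bit packages.
classify_bitness() {
    case "$1" in
        aarch64|arm64|x86_64|amd64) kernel_bits=64 ;;
        *)                          kernel_bits=32 ;;
    esac
    if [ "$kernel_bits" = 64 ] && [ "$2" = 64 ]; then echo 64bit
    elif [ "$kernel_bits" = 64 ]; then echo mixed
    else echo 32bit
    fi
}

# mem_total_mb FILE -> MemTotal from a /proc/meminfo-style file, in MiB
mem_total_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' "$1"
}

# preflight KERNEL_ARCH USERLAND_BITS MEM_MB MIN_MEM_MB
# Prints one PASS/FAIL line per check; returns 1 if any check failed.
preflight() {
    rc=0
    case "$(classify_bitness "$1" "$2")" in
        64bit) echo "PASS arch: kernel=$1, userland=$2-bit" ;;
        mixed) echo "FAIL arch: kernel=$1 is 64-bit but userland is $2-bit"; rc=1 ;;
        *)     echo "FAIL arch: kernel=$1 is not 64-bit"; rc=1 ;;
    esac
    if [ "$3" -ge "$4" ]; then echo "PASS memory: $3 MiB >= $4 MiB"
    else echo "FAIL memory: $3 MiB < $4 MiB"; rc=1
    fi
    return "$rc"
}

# Live run on this host (Linux only). MIN_MEM_MB default is a placeholder.
if [ -r /proc/meminfo ]; then
    preflight "$(uname -m)" "$(getconf LONG_BIT)" \
        "$(mem_total_mb /proc/meminfo)" "${MIN_MEM_MB:-2048}" \
        || echo "Resolve the FAIL lines before running the installer."
fi
```

Run it on the freshly imaged board before the installer; set `MIN_MEM_MB` in the environment to the documented minimum for the component being installed.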
Tired, But Not Defeated
On a positive note, I have the Raspberry Pi running as a server again. It's not a powerful machine, but it's capable of the use case I have planned. For now, I'll need to pause and do some more research. I’m probably missing a small detail, like a specific command, or perhaps misunderstanding a step in the process. Sometimes, the obvious answer comes to you after stepping away from the problem.