GK

Wazuh XDR & SIEM setup on Azure Linux virtual machine

Updated: 1 hour ago

Wazuh is a free, open source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads.


This guide shows you how to set up a Wazuh server in Azure and connect your Windows clients to it for security monitoring within the Azure-hosted SIEM (Security Information and Event Management).


XDR = Extended Detection and Response

SIEM = Security Information and Event Management



The solution is composed of a single universal agent (Windows, Mac, cloud, etc.) and three central components:

the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.


As you are reading this, I presume you have some knowledge of creating virtual machines in Azure; if not, contact me for further tuition.



Skills covered

  • Install Ubuntu server on Azure

  • Set up Azure port rules to allow SSH (22), HTTPS (443) and the Wazuh agent (1514)

  • Install Wazuh server on Azure hosted Ubuntu server via ssh

  • Install Wazuh client on a Windows PC

  • Extract connection keys

  • Connect from Windows PC to the Azure hosted Wazuh server using the keys

  • Monitor the clients from the Wazuh SIEM portal, which is the end goal.


 

Installing Ubuntu server in Azure

For my test lab I created an Ubuntu Server (24.04) virtual machine in Azure, sized for the 1-25 agent specification, with SSH port 22, HTTPS port 443 and port 1514 enabled.


Create the virtual machine:


Create an Ubuntu server with the following specs:

Ubuntu 24.04 server

8 GB RAM / 50 GB SSD






Azure port setup

To enable the next tasks you need to ensure the following:

  • SSH terminal port 22 is open for administration

  • Web access port 443 is open for dashboard (web site) access

  • Agents can communicate from client to server on port 1514



Once the virtual machine is created and the ports are set up as above, connect from your Windows PC to the public IP address via SSH using PuTTY.



Installation of Wazuh on Azure Ubuntu server


Run the following to install the application:

curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a



Once installed, head over to https://<Public IP>:443, which gives you the login page:


Agent Installation and enrollment


Now that your Wazuh server installation is ready and the three ports are set up, you can start deploying the Wazuh agent. First, make sure your client can reach your public IP on port 1514; otherwise nothing will appear in the management portal.



Ports

Check that your client can reach port 1514 by running a telnet command:


telnet <wazuh server ip> 1514


My connection didn't fail, but if yours does, check the agent log file here:

C:\Program Files (x86)\ossec-agent\ossec.log


This is my earlier failure during testing, which I resolved by enabling port 1514 in Azure:

Unable to connect to '[172.<public ip>]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.

Resolved port configuration:


C:\Program Files (x86)\ossec-agent\ossec.log


2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([172.<public ip>]:1514/tcp).


Enabled port 1514 in Azure (Networking):


I can see it's now connected!
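One way to check the agent log for exactly this failure, as an added example that is not part of the original post: the POSIX shell script below classifies the most recent connection message in an ossec.log copy (the sample log lines and the 172.16.0.10 address are constructed placeholders modelled on the entries quoted above).

```shell
#!/bin/sh
# Added example, not from the original post: classify the agent's link state
# from wazuh-agent ossec.log lines, so a blocked port 1514 is spotted without
# reading the whole log. Prints "<state> <manager:port>" where state is
# connected, unreachable or unknown; the exit code is 0, 1 or 2 respectively.
agent_link_state() {
    log="$1"
    # The most recent connect/failure message wins.
    last=$(grep -E "Connected to the server|Unable to connect to" "$log" | tail -n 1)
    # Pull out the "[addr]:port/tcp" target quoted in the message, if present.
    target=$(printf '%s\n' "$last" | sed -n 's/.*\(\[[^]]*]:[0-9]*\/tcp\).*/\1/p')
    case "$last" in
        *"Connected to the server"*) echo "connected ${target:-?}";   return 0 ;;
        *"Unable to connect to"*)    echo "unreachable ${target:-?}"; return 1 ;;
        *)                           echo "unknown -";                return 2 ;;
    esac
}

# Constructed sample log (placeholder manager address 172.16.0.10), modelled
# on the failure and the (4102) success lines shown in this post.
SAMPLE_LOG="${TMPDIR:-/tmp}/ossec-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
2025/01/08 19:20:01 wazuh-agent: ERROR: Unable to connect to '[172.16.0.10]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time.'.
2025/01/08 19:29:09 wazuh-agent: INFO: (4102): Connected to the server ([172.16.0.10]:1514/tcp).
EOF

agent_link_state "$SAMPLE_LOG"   # prints: connected [172.16.0.10]:1514/tcp
```

Copy ossec.log off the Windows client (or run the script under a POSIX shell there) and a non-zero exit code tells you the last attempt never reached the manager, which on Azure usually means the 1514 inbound rule is missing.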



 


Install the Agent

Once the log file looks successful, you're ready to deploy the client and connect!


From the management console, head over to:



The PowerShell command generated to install the client is:


Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='172.<public ip>' WAZUH_AGENT_GROUP='default'
NET START WazuhSvc


You can also download the MSI manually and enter the server IP and the key by hand.



 

Connecting the Windows agent to Wazuh server with a connection key


Still in the PuTTY terminal, run the following to obtain the connection key:


sudo /var/ossec/bin/manage_agents

Choose Add an agent, then Extract the key for an agent.

Name: desktoptest1

IP: the client's local IP (from ipconfig)





Paste the server's public IP and the key into the Wazuh agent:


Hey presto, I can now monitor the Windows client from the Azure-hosted Wazuh Linux server:





Work in progress......... more coming in the next week



 

Old notes:


Keys:

If they already exist, the keys can be found in /var/ossec/etc/client.keys

