type: Guide collections: BCM, Software title: Wazuh Setup on Rocky Linux 10 (Proxmox VM) description: Step-by-step guide for setting up and securing Wazuh on Rocky Linux 10 within a Proxmox VM environment. tags: [bcm, security, software]

Wazuh Setup on Rocky Linux 10 (Proxmox VM)

VM Specs (Proxmox)

• VM ID: 104
• Name: hme-log-002
• CPU: 8 cores (2 sockets)
• RAM: 16 GB
• Storage:
• 20 GB OS (scsi0)
• 400 GB logs (scsi1)
• Network: vmbr1 (VLAN reach: 10.10.10.0/24, 10.10.20.0/24)

1. Install Rocky Linux 10

• Upload ISO to Proxmox → Create VM with above specs.
• After install:
  bash sudo dnf update -y sudo dnf install -y epel-release curl wget gnupg qemu-guest-agent tuned sudo systemctl enable --now qemu-guest-agent tuned sudo tuned-adm profile virtual-guest
• Format & mount log disk:
  bash sudo mkfs.ext4 /dev/sdb sudo mkdir /var/ossec-data echo '/dev/sdb /var/ossec-data ext4 defaults 0 2' | sudo tee -a /etc/fstab sudo mount -a

2. Harden SSH

sudo useradd -m -G wheel sysadmin
sudo passwd sysadmin   # temp only
su - sysadmin
mkdir -p ~/.ssh && chmod 700 ~/.ssh

On local machine:

ssh-copy-id -i ~/.ssh/id_ed25519.pub sysadmin@SERVER_IP

Edit /etc/ssh/sshd_config:

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers sysadmin

Apply:

sudo sshd -t && sudo systemctl restart sshd

Update firewall:

sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

Test new login before closing root session.

3. Install Wazuh (All-in-One)

curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh
sudo bash wazuh-install.sh -a

Save admin credentials at the end.

4. Firewall Rules

sudo firewall-cmd --permanent --add-port=2222/tcp     # SSH
sudo firewall-cmd --permanent --add-port=443/tcp      # Dashboard
sudo firewall-cmd --permanent --add-port=1514/tcp     # Agent comms
sudo firewall-cmd --permanent --add-port=1515/tcp     # Agent enrollment
sudo firewall-cmd --permanent --add-port=55000/tcp    # Wazuh API
sudo firewall-cmd --permanent --add-port=514/udp      # UniFi syslog
sudo firewall-cmd --reload

5. Verify Install

sudo systemctl status wazuh-manager wazuh-indexer wazuh-dashboard
ss -tulpn | grep -E '(443|1514|1515|55000|514)'

Dashboard: https://SERVER_IP

6. UniFi Syslog

On UniFi Controller/UDM Pro: enable remote logging → point to SERVER_IP:514.

On Wazuh:/var/ossec/etc/ossec.conf

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>UDM_PRO_IP/32</allowed-ips>
</remote>

Restart:

sudo systemctl restart wazuh-manager

7. Agents

Windows:

msiexec /i wazuh-agent-4.12.0-1.msi /q WAZUH_MANAGER="SERVER_IP"

Linux:

sudo WAZUH_MANAGER="SERVER_IP" rpm -ihv wazuh-agent-4.12.0-1.x86_64.rpm
sudo systemctl enable --now wazuh-agent

macOS:

sudo installer -pkg wazuh-agent-4.12.0-1.pkg -target /
sudo /Library/Ossec/bin/agent-auth -m SERVER_IP
sudo /Library/Ossec/bin/wazuh-control start

8. Retention

• In Wazuh Dashboard → Management → Index Management → set ISM policy for 365 days (adjust for disk).
• Add logrotate for /var/ossec/logs/*.

9. Backups

• Proxmox scheduled backups.
• Config backup script for /var/ossec/etc, /var/ossec/rules, /var/ossec/bin.

10. Security Musts

1. Change default admin password.
2. Replace self-signed cert.
3. Restrict dashboard by IP.
4. Apply regular updates.
5. Tune email alerts to avoid spam (≥ level 12).

#personal