
How to set up a log relay Part 2 - Client Setup

· 12 min read
Eason Taylor
Cyber Security Analyst

In Part 1 of this tutorial, you learned how to set up a log relay server that uses mTLS to securely receive logs from only specifically registered devices and forward them to a SIEM like Wazuh.

In this, Part 2 of the tutorial, you'll learn how to configure agents (or clients) to authenticate themselves to that log relay and send their logs securely to the SIEM server.


Overview

Before diving in, review these steps to get an idea of what's ahead:

  1. Create a certificate for your client
    • Use the CA (Certificate Authority) you created in Part 1 to generate and sign a certificate for each client
  2. Install and configure the software necessary to handle mTLS on your client machine
  3. Install your SIEM agent and configure it to use the log relay you've created

Certificate preparation

First, we need to create a certificate to be used by the device you want to monitor. On the machine you're using as your certificate authority (CA), perform the following steps:

  1. Create the key

    openssl genrsa -out agent-hostname.key 4096
    chmod 600 agent-hostname.key

This gives you a file called <agent-hostname>.key. Hold onto that.

  2. Create a CSR (Certificate Signing Request) for the key

    Use the following command, making sure to replace agent-hostname and YourOrg with the names of the device to be monitored and the name you want to represent your "organization".

    NOTE

    This command uses the name of the file you created in the previous step. Remember to copy that exactly and provide it in the -key parameter of the command.

    openssl req -new \
    -key agent-hostname.key \
    -out agent-hostname.csr \
    -subj "/C=US/O=YourOrg/CN=agent-hostname"
  3. Use the CSR to create and sign a certificate for the host to be monitored.

    Remember to replace agent-hostname and mtls-ca with the name of the host to be monitored and the file name of your certificate authority's certificate and key, respectively.

    This command includes several flags (parameters), so here is a quick breakdown of the whole command:

    openssl x509: invokes the OpenSSL X.509 certificate utility, used to create, inspect, or sign X.509 certificates.
    -req: treats the input as a Certificate Signing Request (CSR). Tells OpenSSL to read and sign the CSR specified by -in.
    -in agent-hostname.csr: the input CSR file. Reads the certificate request from agent-hostname.csr.
    -CA mtls-ca.pem: the CA certificate to use for signing, i.e. the issuing Certificate Authority certificate. Change this to the name of your CA's .pem file.
    -CAkey mtls-ca.key: the private key corresponding to the CA certificate, used to cryptographically sign the new certificate. Change this to the name of your CA's .key file.
    -CAcreateserial: creates a CA serial number file if one does not already exist (typically mtls-ca.srl, next to the CA certificate) to track the serial numbers issued by this CA. Always sign from the same directory so the counter is reused and no two agents receive the same serial number.
    -out agent-hostname.crt: the output certificate file. Writes the signed certificate to agent-hostname.crt.
    -days 825: the certificate validity period in days, counted from the time of signing. You can change this duration or omit it; if you omit it, the certificate expires after 30 days by default.
    -sha256: uses SHA-256 as the message digest algorithm for the signature, a widely accepted secure choice.
    \: shell line-continuation character (not an OpenSSL option). Allows the command to be split across multiple lines for readability while being executed as a single command.

    openssl x509 -req \
    -in agent-hostname.csr \
    -CA mtls-ca.pem \
    -CAkey mtls-ca.key \
    -CAcreateserial \
    -out agent-hostname.crt \
    -days 825 \
    -sha256
    chmod 644 agent-hostname.crt

    As written, this command copies no extensions into the certificate, so it carries no extendedKeyUsage. That is fine for this setup: the relay only needs the certificate to chain to your CA. If you do add extensions, make sure extendedKeyUsage includes clientAuth, because an OpenSSL-based relay such as the HAProxy one from Part 1 will otherwise reject the handshake.
  4. Copy the key, the certificate, and the CA certificate to the system you want to monitor.

    These are agent-hostname.key, agent-hostname.crt, and mtls-ca.pem (the CA certificate from Part 1; Stunnel needs it to verify the relay). Do not copy mtls-ca.key: the CA's private key stays on the CA machine only.

    These files were created on the machine that's acting as your certificate authority, but they need to be on the machine you want to enroll in monitoring. So, use whatever tool works best for you to transfer them to that device: a USB drive, SCP, or whatever you prefer, as long as it is a channel you trust, because anyone holding agent-hostname.key can present themselves to the relay as this agent. Once the copy is confirmed, delete the .key file from the CA machine so each agent key exists in exactly one place.

Install and configure stunnel

In Part 1 of this tutorial, we set up a log relay and used HAProxy to terminate TLS and forward the decrypted traffic to the Wazuh server. On the host to be monitored we need the opposite end of that tunnel: a tool that accepts the agent's plaintext connections on localhost, wraps them in TLS, and presents the client certificate to the relay. For that, we're going to use Stunnel.

Windows vs Mac vs Linux

I've included variations of these instructions for Windows and Linux, as these are the platforms I have available to me for testing/validation. If you'd like to adapt this process to monitor a MacOS device, I encourage you to use the Linux steps as a general guide. You may also find success using an AI tool to help you adapt the instructions for MacOS.

  1. Install Stunnel

    1. Download and run the installer from https://stunnel.org/downloads.html.
    2. When you start the installer, make sure to install it at the system level, which tells the installer to put it in C:\Program Files (x86)\stunnel
    3. Then, just continue to follow the installer prompts to provide information about your org. It's not actually that important what you put here and you can provide a period (.) if you want to skip things.
  2. Organize your files and certificates.

    You should make sure this directory structure and these files exist.

    C:\Program Files (x86)\stunnel\
    ├── config\
    │   └── stunnel.conf
    ├── moreconfig\
    │   ├── wazuh-1514.conf
    │   └── wazuh-1515.conf
    └── certs\
        ├── agent-hostname.crt
        ├── agent-hostname.key
        └── mtls-ca.pem (the CA certificate .pem file you created in Part 1)
    1. Start by creating the certs folder and copying your certificate, key, and CA certificate files into it.
    2. Next, make sure the stunnel.conf file exists in the config directory (the installer creates one).
    3. Lastly, create a moreconfig directory and create two empty files inside it named wazuh-1514.conf and wazuh-1515.conf.
  3. Lock down the permissions on the certificate files you imported. The Stunnel service runs as SYSTEM, so SYSTEM must keep read access; other local users should have none, because the .key file is this machine's identity to the relay.

    1. OPTION 1: Open the certs folder in File Explorer, right-click it, and select Properties > Security. Remove inherited permissions and make sure the only principals with access are your user, SYSTEM, and the Administrators group.

    2. OPTION 2: Run these commands in PowerShell as Administrator. The (OI)(CI) flags make the grants apply to the files inside the folder, and granting only your own user (without SYSTEM) would leave the service unable to read its certificate:

      icacls "C:\Program Files (x86)\stunnel\certs" /inheritance:r
      icacls "C:\Program Files (x86)\stunnel\certs" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "$($env:USERNAME):(OI)(CI)F"

      Running icacls with only the folder path afterwards prints the resulting ACL so you can confirm it.
  4. Edit the configuration files:

    1. Edit the stunnel.conf file the installer created at C:\Program Files (x86)\stunnel\config\stunnel.conf with Notepad. Delete or comment out the sample [service] sections it ships with, and make sure the global section (everything above the first [section] header) includes this line:

      include = C:\Program Files (x86)\stunnel\moreconfig

      Stunnel reads every file in that directory, in name order, as if it were part of stunnel.conf.
    2. Edit C:\Program Files (x86)\stunnel\moreconfig\wazuh-1514.conf in Notepad and insert the following contents:

      NOTE

      In this step and the next step, make sure to replace lr.example.com with the hostname or IP address of the log relay you set up in Part 1 of this tutorial.

      Additionally, replace agent-hostname and mtls-ca with the name of your device and the file name of your CA certificate, respectively.

      verifyChain = yes makes Stunnel verify the relay's certificate against CAfile; without it, Stunnel accepts whatever certificate the relay presents. checkHost tells Stunnel to additionally verify that the relay's certificate was issued for that hostname, so set it to the name that appears in the relay's certificate. If you connect to the relay by IP address, use checkIP = <address> instead (the relay certificate must then carry that IP). Leaving both out weakens the check to "any certificate signed by my CA", which includes every agent certificate you have issued, so a compromised agent could impersonate the relay to the others.

      [wazuh-agent-1514]
      client = yes
      accept = 127.0.0.1:1514
      connect = lr.example.com:1514
      cert = C:\Program Files (x86)\stunnel\certs\agent-hostname.crt
      key = C:\Program Files (x86)\stunnel\certs\agent-hostname.key
      CAfile = C:\Program Files (x86)\stunnel\certs\mtls-ca.pem
      verifyChain = yes
      checkHost = lr.example.com
    3. Edit C:\Program Files (x86)\stunnel\moreconfig\wazuh-1515.conf in Notepad and insert the following contents:

      [wazuh-agent-1515]
      client = yes
      accept = 127.0.0.1:1515
      connect = lr.example.com:1515
      cert = C:\Program Files (x86)\stunnel\certs\agent-hostname.crt
      key = C:\Program Files (x86)\stunnel\certs\agent-hostname.key
      CAfile = C:\Program Files (x86)\stunnel\certs\mtls-ca.pem
      verifyChain = yes
      checkHost = lr.example.com
  5. Install Stunnel as a Windows Service so it runs automatically at startup.

    1. Run these commands in Command Prompt as Administrator. The bin directory is under the system-level install location chosen earlier:

      cd "C:\Program Files (x86)\stunnel\bin"
      stunnel.exe -install
      stunnel.exe -start

      -install registers the service; -start starts it now so you don't need a reboot.
    2. To verify it's running properly, run this command:

      netstat -ano | findstr 1514

      Look for a line that looks like this:

      TCP    127.0.0.1:1514    0.0.0.0:0    LISTENING

      Both 1514 and 1515 should be listening on 127.0.0.1 only; a 0.0.0.0 listener would expose the plaintext side of the tunnel to the network. You can also verify that it was properly configured to autostart after a reboot. Run this in Command Prompt (in PowerShell, sc is an alias for Set-Content, so type sc.exe there instead):

      sc qc stunnel

      You should see AUTO_START in the results of that command.

Install and configure the Wazuh agent

Now that stunnel is set up, you're ready to install the Wazuh agent on your device! Start by following the official Wazuh documentation to install the agent on your machine.

tip

If you're using Arch Linux or another Linux distribution that's not supported by default, you can install the Wazuh agent by compiling it from source.

Refer to the official Wazuh documentation for those instructions.

Once the Wazuh agent is installed, you just need to edit the ossec.conf configuration file and replace the server address with 127.0.0.1. When that is properly configured, the Wazuh agent sends all its traffic to the local ports where Stunnel is listening, and Stunnel carries it to the log relay inside TLS. Stunnel only tunnels TCP, so the agent must talk to the manager over tcp (the agent's default). Enrollment works the same way: with no separate manager address configured under <enrollment>, the agent enrolls against 127.0.0.1 on port 1515, which is why the second tunnel exists. Here is a sample of the server section, which lives inside the <client> element of the Wazuh agent configuration, showing what that should look like:

<server>
<address>127.0.0.1</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
  1. Edit the configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf
  2. Restart the service by running this command in PowerShell
    Restart-Service -Name wazuh

Summary & Conclusion

Congratulations! With these steps completed, you should have successfully enrolled a new device with Wazuh, allowing it to send logs through your secure log relay using mTLS.

Now, you're using a configuration that reduces exposure while providing you with better endpoint visibility.

Quirks of this setup

One quirk of this setup is all the agents you enroll this way will display the IP address 127.0.0.1 in the Wazuh manager. I'm sure there is a workaround that can fix this, but I haven't found a way to do that yet because it hasn't been important to me.