Applying RAG for Working with Wazuh Documentation: A Step-by-Step Guide (Part 2)

Preparing for Code Development

For local code development for RAG, you will need to install the following tools:

  • Ollama
  • Python v3.9+
  • Basic Python knowledge
  • Wazuh documentation in PDF format

Running and Configuring Ollama

  1. Install Ollama
  2. Obtain the necessary models: llama3.2 and nomic-embed-text.

Developing a Mechanism for Loading PDF Documentation

For development, we will use the following tools:

  • LangChain - for creating data processing chains.
  • Ollama - for running and configuring models.
  • Python - as the main programming language.
  • ChromaDB - as a vector store.

Install the dependencies:

Applying RAG for Wazuh Documentation: A Step-by-Step Guide (Part 1)

Introduction to RAG

Retrieval-Augmented Generation (RAG) is a method that allows the use of information from various sources to generate more accurate and useful responses to questions.

In the context of Wazuh, RAG can be used to automate data processing, optimize access to information, and improve information retrieval.

Preparing for RAG Integration

Before integrating RAG with the Wazuh documentation, you need to complete the following steps:

Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 4)

Continuing the Series: Integrating a Wazuh Cluster with Ollama — Part 4. Configuration and Implementation

In the previous section, we explored the core principles of building integrations. Now, it’s time to bring all the pieces together and finalize the integration of Wazuh with Ollama.

Complete Code for Ollama Integration

Let’s start by installing the essential dependencies required for Ollama.

/var/ossec/framework/python/bin/pip3 install ollama

Earlier, I walked you through setting up Wazuh using Docker Compose, but simply launching it won’t suffice.

Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 3)

Wazuh and Ollama: Part 3. Creating Integration Between Your Wazuh Cluster and Ollama

Wazuh offers vast and nearly limitless possibilities for integration with various systems. Even if a specific feature is missing, you can always create your own custom integration. Integrations with external systems come in two kinds:

  • External API integrations: This method enables interaction with external systems via APIs to automate tasks. The data obtained can be used to create events in Wazuh or trigger other automated actions, enhancing the efficiency of threat monitoring and response.
  • Command: This method allows you to schedule commands or scripts for the automatic creation of events in Wazuh. I often use this approach when I need to gather data from sources that aren’t supported by default. It helps expand monitoring capabilities and integrate with non-standard systems.

To integrate with Ollama, we will use the External API integrations method.

Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 2)

Wazuh and Ollama: Part 2. Deploying the Wazuh Cluster

Now it’s time to set up Wazuh, which we will integrate with Ollama.

The fastest and easiest way to deploy a Wazuh cluster is by using Docker Compose.

Start by cloning the official wazuh-docker repository:

git clone -b v4.11.0 https://github.com/wazuh/wazuh-docker && cd wazuh-docker/multi-node

The next step is to create certificates for the configuration.

docker compose -f generate-indexer-certs.yml run --rm generator

Once the certificates are generated, you can start the Wazuh cluster.

Enhancing Wazuh with Ollama: A Cybersecurity Boost (Part 1)

Introduction

Welcome to the first part of our guide on enhancing Wazuh with Ollama!

In this post, we’ll dive into integrating Wazuh — a powerful open-source security platform — with Ollama, a tool for running large language models (LLMs) locally.

This combination will help improve threat detection, automate security workflows, and simplify incident response with the magic of artificial intelligence. Ready to take your cybersecurity to the next level? Let’s break down the benefits and walk through the setup process step by step.

How to Set Up a Custom Integration between Wazuh and MARK

To create a custom integration between Wazuh and MARK, follow these steps:

Step 1: Clone the Repository

Start by cloning the repository that contains the integration script:

git clone https://github.com/pyToshka/wazuh-mark-integration.git

Step 2: Deploy the Integration Script

Copy the integration script (custom-integration-mark.py) to the Wazuh integrations directory:

cp custom-integration-mark.py /var/ossec/integrations

Step 3: Configure Script Permissions

Set the required permissions and ownership to ensure the integration script can be executed securely:

About Me

Accomplished Site Reliability Engineer and Cloud Architect specializing in scalable, secure cloud infrastructures and container orchestration with Kubernetes and OpenShift.

Proficient in automating cloud deployments and integrating security into DevOps processes to build resilient, high-availability systems.

Passionate about leveraging automation to improve operational efficiencies and achieve significant cost reductions.

Adept at leading technology teams and promoting a culture that embraces DevSecOps and SRE principles to enhance system reliability and performance.
