WAZUH The Open Source Security Platform

With all-in-one deployment, you install and configure the Wazuh server and Elastic Stack on the same host.

The following components are installed:

• The Wazuh server, including the Wazuh manager as a single-node cluster, and the Wazuh API.
• Elastic Stack, including Open Distro for Elasticsearch as a single-node cluster, as well as Filebeat, Kibana, and the Wazuh Kibana plugin.

Step-by-step installation

Install Wazuh and Open Distro for Elasticsearch components in an all-in-one deployment. Follow the instructions to configure the official repositories to perform installations.

As an alternative to this installation method, you can install Wazuh using packages

Installing Wazuh

The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.

To start setting up Wazuh, add the Wazuh repository to the server

Adding the Wazuh repository

Install the necessary packages for the installation:

#yum install curl unzip wget lib

Import the GPG key:

#rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Also, Add the repository:

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Installing the Wazuh manager

So, Install the Wazuh manager package:

yum install wazuh-manager

Enable and start the Wazuh manager service:

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Run the following command to check if the Wazuh manager is active

systemctl status wazuh-manager

Installing Elasticsearch

Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.

Install Open Distro for Elasticsearch:

yum install opendistroforelasticsearch

Configuring Elasticsearch

So, Run the following command to download the configuration file /etc/elasticsearch/elasticsearch.yml:

curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Elasticsearch users and roles

You need to add users and roles in order to use the Wazuh Kibana properly.

Run the following commands to add the Wazuh users and additional roles in Kibana:

curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

Certificates creation

Remove the demo certificates:

rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

Generate and deploy the certificates:

Download the wazuh-cert-tool.sh:

curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml

Run the wazuh-cert-tool.sh to create the certificates:

bash ~/wazuh-cert-tool.sh

Move the Elasticsearch certificates to their corresponding location:

mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/

Enable and start the Elasticsearch service:

systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

Also, Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:

export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

Run the following command to ensure that the installation is successful:

curl -XGET https://localhost:9200 -u admin:admin -k

An example response should look as follows:

Installing Filebeat

So, Install the Filebeat package:

yum install filebeat

Download the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml

Also Download the alerts template for Elasticsearch:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Also, Copy the Elasticsearch certificates into /etc/filebeat/certs:

mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/

Then enable and start the Filebeat service:

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

To ensure that Filebeat is successfully installed, run the following command:

filebeat test output

Installing Kibana

So, Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

Install the Kibana package:

yum install opendistroforelasticsearch-kibana

So, Download the Kibana configuration file:

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml

In the /etc/kibana/kibana.yml file, the setting server.host has the value 0.0.0.0. It means that Kibana can be accessed from the outside and accepts all the available IPs of the host. This value can be changed for a specific IP if needed.

Also, Create the /usr/share/kibana/data directory:

mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data

Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.4_7.10.2-1.zip

Then, Copy the Elasticsearch certificates into /etc/kibana/certs:

mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*

Link Kibana socket to privileged port 443:

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Enable and start the Kibana service:

systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

Access the web interface:

URL: https://<wazuh_server_ip>
user: admin
password: admin

Wazuh Dashboard