With all-in-one deployment, you install and configure the Wazuh server and Elastic Stack on the same host.
The following components are installed:
- The Wazuh server, including the Wazuh manager as a single-node cluster, and the Wazuh API.
- Elastic Stack, including Open Distro for Elasticsearch as a single-node cluster, as well as Filebeat, Kibana, and the Wazuh Kibana plugin.
Step-by-step installation
Install Wazuh and Open Distro for Elasticsearch components in an all-in-one deployment. Follow the instructions to configure the official repositories to perform installations.
As an alternative to this installation method, you can install Wazuh using packages.
Installing Wazuh
The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.
To start setting up Wazuh, add the Wazuh repository to the server.
Adding the Wazuh repository
yum install curl unzip wget lib
Import the GPG key:
#rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Installing the Wazuh manager
Install the Wazuh manager package:
yum install wazuh-manager
Enable and start the Wazuh manager service:
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Run the following command to check that the Wazuh manager is active:
systemctl status wazuh-manager
Installing Elasticsearch
Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.
Install Open Distro for Elasticsearch:
yum install opendistroforelasticsearch
Configuring Elasticsearch
Run the following command to download the configuration file /etc/elasticsearch/elasticsearch.yml:
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
Elasticsearch users and roles
You need to add users and roles in order to use the Wazuh Kibana plugin properly.
Run the following commands to add the Wazuh users and additional roles in Kibana:
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
Certificates creation
Remove the demo certificates:
rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
Generate and deploy the certificates:
Download the wazuh-cert-tool.sh script and its instances.yml template:
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
Run the wazuh-cert-tool.sh to create the certificates:
bash ~/wazuh-cert-tool.sh
Move the Elasticsearch certificates to their corresponding location:
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
Enable and start the Elasticsearch service:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
Run the Elasticsearch securityadmin script to load the new certificate information and start the cluster:
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
Run the following command to ensure that the installation is successful:
curl -XGET https://localhost:9200 -u admin:admin -k
An example response should look as follows:
Installing Filebeat
Install the Filebeat package:
yum install filebeat
Download the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
Download the alerts template for Elasticsearch:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Copy the Elasticsearch certificates into /etc/filebeat/certs:
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
Then enable and start the Filebeat service:
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
To ensure that Filebeat is successfully installed, run the following command:
filebeat test output
Installing Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Install the Kibana package:
yum install opendistroforelasticsearch-kibana
Download the Kibana configuration file:
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
In the /etc/kibana/kibana.yml file, the setting server.host has the value 0.0.0.0. This means Kibana listens on all of the host's IP addresses and can be reached from outside the host. This value can be changed to a specific IP if needed.
Create the /usr/share/kibana/data directory:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
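Two of the files written during this procedure carry settings that decide what the host trusts and who can reach it: the repository definition (gpgcheck, gpgkey and baseurl in /etc/yum.repos.d/wazuh.repo) and the Kibana bind address (server.host in /etc/kibana/kibana.yml). The script below is an added example, not part of the Wazuh documentation; it reads a simple key=value or key: value setting from either file format and flags a repository that would accept unsigned packages or fetch over plain HTTP, and a Kibana instance bound to every interface. The file paths in the usage comment are the ones from this page; the expected values are taken from the repository definition above.

```shell
#!/bin/sh
# Added example (not Wazuh's code): audit the repo definition and the Kibana
# bind address written during the all-in-one install.

# cfg_get FILE KEY
#   Print the first value of KEY from an INI-style "key=value" file or a flat
#   YAML "key: value" file, stripping optional quotes and trailing comments.
cfg_get() {
  file=$1
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots in keys like server.host
  sed -n -E "s/^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*[\"']?([^\"'#]*).*/\1/p" "$file" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# audit_repo REPO_FILE
#   returns 0 when packages are signature-checked against the Wazuh key and
#   both the key and the packages are fetched over HTTPS.
audit_repo() {
  repo=$1
  rc=0
  [ "$(cfg_get "$repo" gpgcheck)" = 1 ] \
    || { echo "FAIL $repo: gpgcheck is not 1, unsigned packages would install"; rc=1; }
  case "$(cfg_get "$repo" gpgkey)" in
    https://packages.wazuh.com/key/*) ;;
    *) echo "FAIL $repo: gpgkey is not the Wazuh key fetched over HTTPS"; rc=1 ;;
  esac
  case "$(cfg_get "$repo" baseurl)" in
    https://*) ;;
    *) echo "FAIL $repo: baseurl is not HTTPS"; rc=1 ;;
  esac
  [ $rc -eq 0 ] && echo "OK $repo"
  return $rc
}

# audit_kibana KIBANA_YML
#   returns 1 (a finding to review) when server.host is 0.0.0.0, i.e. Kibana
#   accepts connections on every interface of the host, as the downloaded
#   configuration does by default.
audit_kibana() {
  host=$(cfg_get "$1" server.host)
  case "$host" in
    0.0.0.0)
      echo "REVIEW $1: server.host=0.0.0.0, Kibana listens on every interface"
      return 1 ;;
    *)
      echo "OK $1: server.host=${host:-unset}"
      return 0 ;;
  esac
}

# Usage on the Wazuh host:
#   audit_repo /etc/yum.repos.d/wazuh.repo
#   audit_kibana /etc/kibana/kibana.yml
```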
Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.4_7.10.2-1.zip
Copy the Elasticsearch certificates into /etc/kibana/certs:
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
Allow the Kibana Node.js binary to bind to the privileged port 443:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
Access the web interface:
URL: https://<wazuh_server_ip>
user: admin
password: admin
Wazuh Dashboard