With all-in-one deployment, you install and configure the Wazuh server and Elastic Stack on the same host.
The following components are installed:
- The Wazuh server, including the Wazuh manager as a single-node cluster, and the Wazuh API.
- Elastic Stack, including Open Distro for Elasticsearch as a single-node cluster, as well as Filebeat, Kibana, and the Wazuh Kibana plugin.
Step-by-step installation
Install Wazuh and Open Distro for Elasticsearch components in an all-in-one deployment. Follow the instructions to configure the official repositories to perform installations.
As an alternative to this installation method, you can install Wazuh using packages
Installing Wazuh
The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.
To start setting up Wazuh, add the Wazuh repository to the server
Adding the Wazuh repository
#yum install curl unzip wget libImport the GPG key:
#rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUHAlso, Add the repository:
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOFInstalling the Wazuh manager
So, Install the Wazuh manager package:
yum install wazuh-managerEnable and start the Wazuh manager service:
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-managerRun the following command to check if the Wazuh manager is active
systemctl status wazuh-managerInstalling Elasticsearch
Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.
Install Open Distro for Elasticsearch:
yum install opendistroforelasticsearchConfiguring Elasticsearch
So, Run the following command to download the configuration file /etc/elasticsearch/elasticsearch.yml:
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.ymlElasticsearch users and roles
You need to add users and roles in order to use the Wazuh Kibana properly.
Run the following commands to add the Wazuh users and additional roles in Kibana:
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.ymlCertificates creation
Remove the demo certificates:
rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -fGenerate and deploy the certificates:
Download the wazuh-cert-tool.sh:
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.ymlRun the wazuh-cert-tool.sh to create the certificates:
bash ~/wazuh-cert-tool.shMove the Elasticsearch certificates to their corresponding location:
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/Enable and start the Elasticsearch service:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearchAlso, Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pemRun the following command to ensure that the installation is successful:
curl -XGET https://localhost:9200 -u admin:admin -k
An example response should look as follows:
Installing Filebeat
So, Install the Filebeat package:
yum install filebeatDownload the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.ymlAlso Download the alerts template for Elasticsearch:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.jsonDownload the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/moduleAlso, Copy the Elasticsearch certificates into /etc/filebeat/certs:
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/Then enable and start the Filebeat service:
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeatTo ensure that Filebeat is successfully installed, run the following command:
filebeat test output
Installing Kibana
So, Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Install the Kibana package:
yum install opendistroforelasticsearch-kibanaSo, Download the Kibana configuration file:
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.ymlIn the /etc/kibana/kibana.yml file, the setting server.host has the value 0.0.0.0. It means that Kibana can be accessed from the outside and accepts all the available IPs of the host. This value can be changed for a specific IP if needed.
Also, Create the /usr/share/kibana/data directory:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/dataInstall the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.4_7.10.2-1.zipThen, Copy the Elasticsearch certificates into /etc/kibana/certs:
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*Link Kibana socket to privileged port 443:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibanaAccess the web interface:
URL: https://<wazuh_server_ip>
user: admin
password: admin
Wazuh Dashboard
