Rizwan
Senior Devops Engineer

WAZUH The Open Source Security Platform

With an all-in-one deployment, you install and configure the Wazuh server and the Elastic Stack components on the same host.

The following components are installed:

  • The Wazuh server, including the Wazuh manager as a single-node cluster, and the Wazuh API.
  • Elastic Stack, including Open Distro for Elasticsearch as a single-node cluster, as well as Filebeat, Kibana, and the Wazuh Kibana plugin.

Step-by-step installation

This section installs the Wazuh and Open Distro for Elasticsearch components for an all-in-one deployment from the official package repositories, one step at a time.

As an alternative to this step-by-step method, you can install Wazuh using packages.

Installing Wazuh

The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.

To start setting up Wazuh, add the Wazuh repository to the server.

Adding the Wazuh repository

    Install the packages needed for the installation (libcap provides the setcap command used later for Kibana):

    yum install curl unzip wget libcap

    Import the GPG key used to sign the Wazuh packages:

    rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

    Add the repository. Keep gpgcheck=1 so yum refuses packages that are not signed with that key, and escape $releasever so the shell does not expand it to an empty string inside the heredoc:

    cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-\$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
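The repository stanza above is easy to get subtly wrong: an unquoted heredoc delimiter lets the shell expand `$releasever` to nothing (yum then sees `name=EL- - Wazuh`), and a repo file with `gpgcheck=0` silently turns off signature verification for every package Wazuh ships. The following script is an added example, not code from the Wazuh documentation: it writes the stanza with a quoted delimiter so the placeholder survives verbatim, and audits any yum repo file for the settings that matter for supply-chain integrity. The destination path is a parameter, so the audit can run on a scratch copy as well as on /etc/yum.repos.d/wazuh.repo.

```shell
#!/bin/sh
# Added example (not part of the Wazuh docs): write the Wazuh yum repo file
# and audit it for signature checking, HTTPS sources and an intact $releasever.

# write_wazuh_repo DEST: write the repository definition to DEST.
write_wazuh_repo() {
    dest="$1"
    # The quoted delimiter ('EOF') disables parameter expansion inside the
    # heredoc, so "$releasever" is written literally for yum to expand.
    cat > "$dest" << 'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
}

# audit_yum_repo FILE: return 0 only when the repo enforces GPG signature
# checks, fetches the key and packages over HTTPS, and still contains the
# literal $releasever (proof the shell did not expand the heredoc).
audit_yum_repo() {
    f="$1"
    grep -q '^gpgcheck=1$' "$f"      || { echo "$f: gpgcheck is not 1" >&2; return 1; }
    grep -q '^gpgkey=https://' "$f"  || { echo "$f: gpgkey is not fetched over HTTPS" >&2; return 1; }
    grep -q '^baseurl=https://' "$f" || { echo "$f: baseurl is not HTTPS" >&2; return 1; }
    grep -q '\$releasever' "$f"      || { echo "$f: \$releasever was expanded by the shell" >&2; return 1; }
    return 0
}

# Usage on the host (the functions alone are inert when the file is sourced):
#   write_wazuh_repo /etc/yum.repos.d/wazuh.repo && audit_yum_repo /etc/yum.repos.d/wazuh.repo
```

Running `audit_yum_repo` against every file in /etc/yum.repos.d is a cheap check to add to a build image: a repo that someone "temporarily" set to `gpgcheck=0` is exactly how an unsigned package gets onto a security monitoring host.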

    Installing the Wazuh manager

    Install the Wazuh manager package:

    yum install wazuh-manager

    Enable and start the Wazuh manager service:

    systemctl daemon-reload
    systemctl enable wazuh-manager
    systemctl start wazuh-manager

    Run the following command to check that the Wazuh manager is active:

    systemctl status wazuh-manager

    Installing Elasticsearch

    Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.

    Install Open Distro for Elasticsearch:

    yum install opendistroforelasticsearch

    Configuring Elasticsearch

    Run the following command to download the preconfigured /etc/elasticsearch/elasticsearch.yml for a single-node deployment:

    curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

    Elasticsearch users and roles

    The Wazuh Kibana plugin needs its own users, roles and role mappings in the Open Distro security configuration.

    Run the following commands to download the Wazuh-provided security configuration files into the plugin's securityconfig directory; they are loaded into the cluster by securityadmin.sh later in this section:

    curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
    curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
    curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

    Certificates creation

    Remove the demo certificates:

    rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

    Generate and deploy the certificates:

    Download the wazuh-cert-tool.sh:

    curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
    curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml

    Run the wazuh-cert-tool.sh to create the certificates:

    bash ~/wazuh-cert-tool.sh

    Move the Elasticsearch certificates to their corresponding location:

    mkdir /etc/elasticsearch/certs/
    mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
    mv ~/certs/admin* /etc/elasticsearch/certs/
    cp ~/certs/root-ca* /etc/elasticsearch/certs/

    Enable and start the Elasticsearch service:

    systemctl daemon-reload
    systemctl enable elasticsearch
    systemctl start elasticsearch

    Run the Open Distro securityadmin script to load the security configuration (the users, roles and role mappings downloaded earlier) into the cluster, authenticating with the admin certificate generated above:

    export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

    Run the following command to check that the node answers over TLS with the default credentials. The -k flag skips certificate verification, which is acceptable for this first smoke test only; for anything scripted, verify against the generated CA with --cacert /etc/elasticsearch/certs/root-ca.pem instead:

    curl -XGET https://localhost:9200 -u admin:admin -k

    A successful response is a JSON document containing the node name, the cluster name and the Elasticsearch version.

    Installing Filebeat

    Install the Filebeat package:

    yum install filebeat

    Download the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:

    curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml

    Download the alerts index template for Elasticsearch:

    curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
    chmod go+r /etc/filebeat/wazuh-template.json

    Download the Wazuh module for Filebeat:

    curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

    Copy the Elasticsearch CA certificate and the Filebeat certificates into /etc/filebeat/certs:

    mkdir /etc/filebeat/certs
    cp ~/certs/root-ca.pem /etc/filebeat/certs/
    mv ~/certs/filebeat* /etc/filebeat/certs/

    Then enable and start the Filebeat service:

    systemctl daemon-reload
    systemctl enable filebeat
    systemctl start filebeat

    To ensure that Filebeat is successfully installed, run the following command:

    filebeat test output

    Installing Kibana

    Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

    Install the Kibana package:

    yum install opendistroforelasticsearch-kibana

    Download the preconfigured Kibana configuration file:

    curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml

    In /etc/kibana/kibana.yml the setting server.host is 0.0.0.0, so Kibana listens on every address of the host and is reachable from any network that can route to it. If the interface should not be exposed that widely, set server.host to a specific IP address, or restrict access to TCP port 443 with a host firewall.

    Create the /usr/share/kibana/data directory and give the kibana user ownership of it:

    mkdir /usr/share/kibana/data
    chown -R kibana:kibana /usr/share/kibana/data

    Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:

    cd /usr/share/kibana
    sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.4_7.10.2-1.zip

    Copy the Elasticsearch CA certificate and the Kibana certificates into /etc/kibana/certs:

    mkdir /etc/kibana/certs
    cp ~/certs/root-ca.pem /etc/kibana/certs/
    mv ~/certs/kibana* /etc/kibana/certs/
    chown kibana:kibana /etc/kibana/certs/*

    Grant the Kibana node binary the capability to bind the privileged port 443, so the service can listen there without running as root:

    setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

    The capability is attached to that file, so any process that executes it can bind ports below 1024, and it is lost when the binary is replaced by a package upgrade; re-run the command after upgrading Kibana if port 443 stops working.

    Enable and start the Kibana service:

    systemctl daemon-reload
    systemctl enable kibana
    systemctl start kibana
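Once all four services are up it is worth checking, in one place, that the security-relevant steps of this section actually took effect: the demo certificates are gone, each component has its own certificate set, the Kibana bind address is deliberate, Elasticsearch validates against the generated CA rather than being queried with -k, and the shipped admin:admin credential no longer works. The script below is an added example, not part of the Wazuh documentation. Every check takes its paths as arguments so the file-level checks can be exercised on scratch directories; the defaults in the `audit` branch are the paths used in the steps above. One assumption that the page does not state: the generated private keys should not be world-readable, so the audit flags a key with others-read permission.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): post-install audit for the
# all-in-one host. Functions return 0 on pass, 1 on fail, with a reason on stderr.

# check_demo_certs_removed DIR: fail if any Open Distro demo certificate
# that the "rm" step above deletes is still present in DIR.
check_demo_certs_removed() {
    dir="$1"
    for f in esnode.pem esnode-key.pem kirk.pem kirk-key.pem; do
        if [ -e "$dir/$f" ]; then
            echo "demo certificate still present: $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# check_cert_set DIR NAME: DIR must hold root-ca.pem, NAME.pem and
# NAME-key.pem, and the private key must not be readable by "other"
# (assumption: keys are meant to be private to the service account).
check_cert_set() {
    dir="$1"; name="$2"
    for f in root-ca.pem "$name.pem" "$name-key.pem"; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    if [ -n "$(find "$dir/$name-key.pem" -perm -004)" ]; then
        echo "$dir/$name-key.pem is world-readable" >&2
        return 1
    fi
    return 0
}

# check_kibana_bind KIBANA_YML: fail when server.host is 0.0.0.0, i.e. the
# web interface listens on every interface of the host.
check_kibana_bind() {
    if grep -Eq '^server\.host:[[:space:]]*"?0\.0\.0\.0"?' "$1"; then
        echo "Kibana listens on all interfaces; set server.host or firewall port 443" >&2
        return 1
    fi
    return 0
}

# check_es_tls CA_FILE: connect with the generated CA pinned instead of -k.
# No credentials are needed: a 401 still proves the TLS chain validated,
# while a certificate that does not chain to CA_FILE makes curl fail.
check_es_tls() {
    curl -sS --cacert "$1" -o /dev/null https://localhost:9200/
}

# default_admin_password_still_works CA_FILE: true when admin:admin is
# accepted (HTTP 200), meaning the shipped default credential was never changed.
default_admin_password_still_works() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$1" -u admin:admin https://localhost:9200/)
    [ "$code" = "200" ]
}

# Full audit against the real paths, only when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    rc=0
    check_demo_certs_removed /etc/elasticsearch                  || rc=1
    check_cert_set /etc/elasticsearch/certs elasticsearch        || rc=1
    check_cert_set /etc/filebeat/certs filebeat                  || rc=1
    check_cert_set /etc/kibana/certs kibana                      || rc=1
    check_kibana_bind /etc/kibana/kibana.yml                     || rc=1
    check_es_tls /etc/elasticsearch/certs/root-ca.pem            || rc=1
    if default_admin_password_still_works /etc/elasticsearch/certs/root-ca.pem; then
        echo "admin still uses the default password" >&2; rc=1
    fi
    for s in wazuh-manager elasticsearch filebeat kibana; do
        systemctl is-active --quiet "$s" || { echo "$s is not running" >&2; rc=1; }
    done
    exit $rc
fi
```

The audit is deliberately read-only, so it can run from a configuration-management check or a cron job on the finished host; a non-zero exit is the signal that one of the hardening steps in this section was skipped or has been undone by an upgrade.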

    Access the web interface:

    URL: https://<wazuh_server_ip>
    user: admin
    password: admin

    These are the Open Distro demo credentials shipped in internal_users.yml. They are public knowledge, so change them (and the passwords of the other internal users defined in that file) before the host is reachable from anything other than the console.
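Changing an internal-user password in Open Distro is a four-step procedure that is easy to get half right: hash the new password with the plugin's hash.sh, replace the hash for that user in internal_users.yml, push the file into the cluster's security index with securityadmin.sh (the same invocation used earlier in this section), and then update whichever client configuration logs in as that user before restarting it. The script below is an added example, not code from the Wazuh documentation. The two file-editing helpers are pure text transforms and can be tested on scratch copies; `rotate_password` wires them to the real tools. Assumptions not stated on the page: hash.sh prints the bcrypt hash of its -p argument on stdout, and in the downloaded 4.2 configuration files Filebeat authenticates as `admin` (output.elasticsearch.password in filebeat.yml) while Kibana authenticates as `kibanaserver` (elasticsearch.password in kibana.yml). Check the username lines in your own filebeat.yml and kibana.yml before running it.

```shell
#!/bin/sh
# Added example (not part of the Wazuh docs): rotate Open Distro internal-user
# passwords and propagate them to the Filebeat and Kibana configurations.

OD_TOOLS=/usr/share/elasticsearch/plugins/opendistro_security/tools
OD_SECCONF=/usr/share/elasticsearch/plugins/opendistro_security/securityconfig
ES_CERTS=/etc/elasticsearch/certs

# set_internal_user_hash FILE USER HASH: replace the "hash:" line inside the
# USER block of internal_users.yml, leaving every other user untouched.
set_internal_user_hash() {
    file="$1"; user="$2"; hash="$3"
    awk -v u="$user" -v h="$hash" '
        $0 == (u ":")                 { in_user = 1; print; next }
        in_user && /^[ \t]+hash:/     { print "  hash: \"" h "\""; in_user = 0; next }
        /^[^ \t]/                     { in_user = 0 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_yaml_password FILE KEY VALUE: rewrite the top-level "KEY: ..." line
# (for example output.elasticsearch.password) with VALUE double-quoted.
# Quotes and backslashes in VALUE are rejected rather than escaped.
set_yaml_password() {
    file="$1"; key="$2"; val="$3"
    case "$val" in
        *\"*|*\\*) echo "password must not contain \" or \\" >&2; return 1 ;;
    esac
    awk -v k="$key" -v v="$val" '
        index($0, k ":") == 1 { print k ": \"" v "\""; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rotate_password USER NEWPW CONFIG_FILE CONFIG_KEY SERVICE: hash NEWPW,
# load the updated internal_users.yml into the cluster with securityadmin,
# then update the client config that logs in as USER and restart it.
# Assumption: hash.sh prints the bcrypt hash on stdout.
rotate_password() {
    user="$1"; newpw="$2"; cfg="$3"; key="$4"; svc="$5"
    export JAVA_HOME=/usr/share/elasticsearch/jdk/
    newhash=$("$OD_TOOLS/hash.sh" -p "$newpw") || return 1
    set_internal_user_hash "$OD_SECCONF/internal_users.yml" "$user" "$newhash" || return 1
    "$OD_TOOLS/securityadmin.sh" -cd "$OD_SECCONF" -nhnv \
        -cacert "$ES_CERTS/root-ca.pem" -cert "$ES_CERTS/admin.pem" \
        -key "$ES_CERTS/admin-key.pem" || return 1
    set_yaml_password "$cfg" "$key" "$newpw" || return 1
    systemctl restart "$svc"
}

# Usage on the all-in-one host (assumed user-to-config mapping, see lead-in):
#   sh rotate.sh rotate '<new admin password>' '<new kibanaserver password>'
if [ "${1:-}" = "rotate" ]; then
    rotate_password admin        "$2" /etc/filebeat/filebeat.yml output.elasticsearch.password filebeat
    rotate_password kibanaserver "$3" /etc/kibana/kibana.yml     elasticsearch.password        kibana
fi
```

Pass the new passwords as quoted arguments rather than typing them into an interactive prompt inside the script; that keeps the script testable and leaves the choice of how to source the secret (a vault lookup, a file with mode 0600) to the caller. After rotation, `curl -u admin:admin` against port 9200 should return 401, which is the quickest confirmation that the securityadmin step actually loaded the new hash.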

    Wazuh Dashboard
