Wazuh Server Installation

https://documentation.wazuh.com/4.10/installation-guide/wazuh-server/step-by-step.html

If we are deploying the wazuh components in different instances then we need to copy the certificates.tar file generated in the step installing indexer into all the instances to ensure the communication between the components of wazuh are encrypted.

---

Wazuh Server Installation

apt-get install gnupg apt-transport-https

Installation the GPG keys and the repository (NOTE : Not needed if installing in single node)

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

Installing wazuh Server :

apt-get -y install wazuh-manager=4.10.1-1

Installing Filebeat:

apt-get -y install filebeat

We will start configuring the filebeat service , Download the preconfigured Filebeat configuration file.

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:

hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer address accordingly.

If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]

 # Wazuh - Filebeat configuration file
 output.elasticsearch:
 hosts: ["192.168.146.157:9200"]
 protocol: https
 username: ${username}
 password: ${password}

Create a Filebeat keystore to securely store authentication credentials.

# filebeat keystore create

Add the default username and password admin:admin to the secrets keystore.

# echo admin | filebeat keystore add username --stdin --force
# echo admin | filebeat keystore add password --stdin --force

Download the alerts template for the Wazuh indexer.

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.1/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat.

# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/mo

Deploying Certificates :

NODE_NAME=<SERVER_NODE_NAME>
# NODE_NAME=server-node-1

mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Configuring the Wazuh indexer connection

Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Edit /var/ossec/etc/ossec.conf to configure the indexer connection.

<indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://192.168.146.157:9200</host> <--CHANGE THIS-->
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>

Starting the wazuh manager

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Starting the filebeat service

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Run the following command to verify that Filebeat is successfully installed.

filebeat test output

The output should look like :

elasticsearch: https://192.168.146.157:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.146.157
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

The server is installed successfully now we will install the wazuh dashboard to complete our single node installation.