Wazuh Server Installation

If the Wazuh components are deployed on different instances, copy the wazuh-certificates.tar file generated during the indexer installation step to every instance, so that all communication between the Wazuh components is encrypted and authenticated with certificates issued by the same root CA.


Wazuh Server Installation

apt-get install gnupg apt-transport-https

Install the GPG key and add the Wazuh repository (NOTE: not needed on a single-node install, where the repository was already added in the indexer step):

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

Installing the Wazuh server:

apt-get -y install wazuh-manager=4.10.1-1

Installing Filebeat:

apt-get -y install filebeat

Now configure the Filebeat service. Download the preconfigured Filebeat configuration file:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:

hosts: The list of Wazuh indexer nodes to connect to, as IP addresses or hostnames. By default it is set to localhost (hosts: ["127.0.0.1:9200"]); replace it with your Wazuh indexer address.

If you have more than one Wazuh indexer node, separate the addresses with commas, for example hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"].

# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["192.168.146.157:9200"]
  protocol: https
  username: ${username}
  password: ${password}

Create a Filebeat keystore so that the indexer credentials are not stored in plain text in filebeat.yml.

# filebeat keystore create

Add the default indexer username and password admin:admin to the keystore. These are the default credentials; change them once all components are installed (Wazuh ships the wazuh-passwords-tool script with the indexer for this) and update the keystore entries to match.

# echo admin | filebeat keystore add username --stdin --force
# echo admin | filebeat keystore add password --stdin --force

Download the alerts template for the Wazuh indexer.

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.1/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat.

# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/mo

Deploying the certificates:

NODE_NAME must be the name this server node was given when the certificates were generated in the indexer step; the tar only contains entries under that name, so a mismatch leaves the certs directory empty.

NODE_NAME=<SERVER_NODE_NAME>
# e.g. NODE_NAME=server-node-1
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Configuring the Wazuh indexer connection

Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Edit /var/ossec/etc/ossec.conf and update the <indexer> block (inside <ossec_config>) so that <host> points at the Wazuh indexer and the <ssl> paths point at the certificates deployed above:

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://192.168.146.157:9200</host> <!-- change to your indexer address -->
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
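Before starting the services, it is worth checking that the pieces configured in the steps above agree with each other: the certificate files exist under the names the <indexer> block expects and are locked down, filebeat.pem chains to root-ca.pem and matches its key, the default 127.0.0.1:9200 in filebeat.yml was actually replaced, the manager's <host> entries match the Filebeat hosts, and both keystore entries exist. The script below is an added example and is not part of the Wazuh project; paths and the indexer address default to the values used on this page, the function names, the INDEXER_HOST variable and the "run" argument are my own, it assumes GNU stat (Linux) and the inline hosts: [...] list form shown above, and it skips the openssl and filebeat checks when those binaries are absent.

```shell
#!/bin/sh
# Pre-start checks for the Wazuh server node configured in the steps above.
# Added example, not part of the Wazuh project. Paths and the indexer address
# default to the values used on this page; the function names, INDEXER_HOST
# and the "run" argument are my own. Assumes GNU stat (Linux).

CERT_DIR="${CERT_DIR:-/etc/filebeat/certs}"
FILEBEAT_YML="${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}"
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
INDEXER_HOST="${INDEXER_HOST:-192.168.146.157:9200}"

# Print the entries of the inline "hosts: [...]" list, one per line.
filebeat_hosts() {
    grep -E '^[[:space:]]*hosts:' "$1" | head -n 1 \
        | sed -e 's/^[^[]*\[//' -e 's/].*$//' -e 's/[" ]//g' \
        | tr ',' '\n' | grep -v '^$' || :
}

# Print the <host> values of the <indexer> block, scheme stripped.
ossec_indexer_hosts() {
    sed -n 's/.*<host>\([^<]*\)<\/host>.*/\1/p' "$1" | sed 's#^https\{0,1\}://##'
}

# Succeed if the given indexer address is among the Filebeat hosts,
# i.e. the default 127.0.0.1:9200 was really replaced.
check_hosts() {
    for h in $(filebeat_hosts "$1"); do
        [ "$h" = "$2" ] && return 0
    done
    echo "$2 not found in hosts of $1" >&2
    return 1
}

# Filebeat and the manager must point at the same indexer nodes.
check_hosts_consistent() {
    hosts=$(ossec_indexer_hosts "$2")
    [ -n "$hosts" ] || { echo "no <host> entries in $2" >&2; return 1; }
    for h in $hosts; do
        check_hosts "$1" "$h" || return 1
    done
}

# The three files the tar extraction and renames above must leave behind.
check_cert_files() {
    for f in root-ca.pem filebeat.pem filebeat-key.pem; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
}

# Directory 500, files 400: a readable filebeat-key.pem lets any local
# user impersonate this node towards the indexer.
check_cert_perms() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "500" ] || { echo "$1 is $mode, expected 500" >&2; return 1; }
    for f in "$1"/*; do
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "400" ] || { echo "$f is $mode, expected 400" >&2; return 1; }
    done
}

# filebeat.pem must chain to root-ca.pem and belong to filebeat-key.pem.
check_cert_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, chain check skipped" >&2; return 0; }
    openssl verify -CAfile "$1/root-ca.pem" "$1/filebeat.pem" >/dev/null || return 1
    [ "$(openssl x509 -in "$1/filebeat.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/filebeat-key.pem" -pubout)" ]
}

# Both keys referenced as ${username}/${password} must exist in the keystore.
check_keystore() {
    command -v filebeat >/dev/null 2>&1 || { echo "filebeat missing, keystore check skipped" >&2; return 0; }
    list=$(filebeat keystore list)
    for k in username password; do
        echo "$list" | grep -qx "$k" || { echo "keystore lacks $k" >&2; return 1; }
    done
}

main() {
    rc=0
    check_cert_files "$CERT_DIR" || rc=1
    check_cert_perms "$CERT_DIR" || rc=1
    check_cert_chain "$CERT_DIR" || rc=1
    check_hosts "$FILEBEAT_YML" "$INDEXER_HOST" || rc=1
    check_hosts_consistent "$FILEBEAT_YML" "$OSSEC_CONF" || rc=1
    check_keystore || rc=1
    [ "$rc" -eq 0 ] && echo "all server node checks passed"
    return "$rc"
}

# Run the checks only when invoked as "sh check-server-node.sh run", so the
# file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root (the certs directory is mode 500) with `INDEXER_HOST=<your indexer>:9200 sh check-server-node.sh run`; each failing check prints what it found, so a wrong node name, a forgotten chmod or a leftover 127.0.0.1 shows up before the first failed Filebeat connection.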

Starting the Wazuh manager:

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Starting the Filebeat service:

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Run the following command to verify that Filebeat can reach the Wazuh indexer over TLS with the configured certificates and credentials:

filebeat test output

The output should look like this (the version reported is the indexer's Elasticsearch-compatible API version, not the Wazuh version):

elasticsearch: https://192.168.146.157:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.146.157
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

The server is now installed. Next, install the Wazuh dashboard to complete the single-node installation.
