# Wazuh Server Installation

{% hint style="info" %}
<https://documentation.wazuh.com/4.10/installation-guide/wazuh-server/step-by-step.html>
{% endhint %}

{% hint style="info" %}
If the Wazuh components are deployed on different instances, copy the `wazuh-certificates.tar` file generated during the indexer installation to every instance so that communication between the Wazuh components is encrypted.
{% endhint %}

***

## Wazuh Server Installation

```bash
apt-get install gnupg apt-transport-https
```

Install the GPG key and add the repository (NOTE: not needed for a single-node installation).

```bash
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
```

Installing the Wazuh server:

```bash
apt-get -y install wazuh-manager=4.10.1-1
```

Installing Filebeat:

```bash
apt-get -y install filebeat
```

Next, configure the Filebeat service. Download the preconfigured Filebeat configuration file.

{% code overflow="wrap" %}

```bash
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml
```

{% endcode %}

Edit the `/etc/filebeat/filebeat.yml` configuration file and replace the following value:

`hosts`: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost `hosts: ["127.0.0.1:9200"]`. Replace it with your Wazuh indexer address accordingly.

> If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, `hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]`
>
> ```
> # Wazuh - Filebeat configuration file
> output.elasticsearch:
>   hosts: ["192.168.146.157:9200"]
>   protocol: https
>   username: ${username}
>   password: ${password}
> ```

Create a Filebeat keystore to securely store authentication credentials.

> ```
> # filebeat keystore create
> ```

Add the default username and password `admin`:`admin` to the secrets keystore.

> ```
> # echo admin | filebeat keystore add username --stdin --force
> # echo admin | filebeat keystore add password --stdin --force
> ```
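
An added example (not part of the original guide or the Wazuh project): a lint for the `output.elasticsearch` block that confirms `hosts` is nested, `protocol` is `https`, and both credentials are keystore references rather than literals. The function name `lint_filebeat_output` and the sample file are constructed for illustration, and the check assumes the unquoted layout of the Wazuh template.

```shell
#!/usr/bin/env bash
# Added example, not Wazuh project code. lint_filebeat_output is a
# hypothetical helper; it assumes the unquoted "key: value" layout of the
# Wazuh filebeat.yml template.
lint_filebeat_output() {
    awk '
        /^output\.elasticsearch:/   { seen = 1; inside = 1; next }
        inside && /^[^ \t#]/        { inside = 0 }  # next top-level key ends the block
        inside && $1 == "hosts:"    { hosts = $0 }
        inside && $1 == "protocol:" { proto = $2 }
        inside && $1 == "username:" { user = $2 }
        inside && $1 == "password:" { pass = $2 }
        END {
            if (!seen) { print "FAIL no output.elasticsearch block"; bad = 1 }
            if (seen && hosts == "") { print "FAIL hosts is not nested under output.elasticsearch"; bad = 1 }
            if (seen && proto != "https") { print "FAIL protocol is not https"; bad = 1 }
            if (seen && user != "${username}") { print "FAIL username is not the keystore reference ${username}"; bad = 1 }
            if (seen && pass != "${password}") { print "FAIL password is not the keystore reference ${password}"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample: plain-HTTP protocol and a literal password.
sample=$(mktemp)
cat > "$sample" <<'EOF'
output.elasticsearch:
  hosts: ["192.168.146.157:9200"]
  protocol: http
  username: ${username}
  password: admin
EOF
lint_filebeat_output "$sample" || true   # non-zero exit signals findings
rm -f "$sample"
```

On a real host, run `lint_filebeat_output /etc/filebeat/filebeat.yml`; no output and exit status 0 mean the block passed all checks.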

Download the alerts template for the Wazuh indexer.

```
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.1/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
```

Install the Wazuh module for Filebeat.

> ```
> # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/mo
> ```

#### Deploying Certificates

```bash
NODE_NAME=<SERVER_NODE_NAME>
# NODE_NAME=server-node-1
```

```bash
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
```
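
An added check (not part of the original guide or the Wazuh project) for the certificate directory deployed above: it confirms the modes and ownership set by the `chmod`/`chown` commands, then that `filebeat.pem` chains to `root-ca.pem` and matches `filebeat-key.pem`. The helper names are hypothetical; `stat -c` assumes GNU coreutils and `openssl` must be installed.

```shell
#!/usr/bin/env bash
# Added example, not Wazuh project code. check_cert_dir and check_cert_chain
# are hypothetical helpers; the default path is the one used on this page.

# Modes and ownership: directory 500, each PEM 400, owned by uid 0 (root).
check_cert_dir() {
    local dir="${1:-/etc/filebeat/certs}"
    local uid="${2:-0}"
    local rc=0 f mode
    if [ "$(stat -c '%a' "$dir" 2>/dev/null)" != 500 ]; then
        echo "FAIL $dir: mode is not 500"; rc=1
    fi
    for f in filebeat.pem filebeat-key.pem root-ca.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL $dir/$f: missing"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$dir/$f")
        [ "$mode" = 400 ] || { echo "FAIL $dir/$f: mode $mode, expected 400"; rc=1; }
        [ "$(stat -c '%u' "$dir/$f")" = "$uid" ] ||
            { echo "FAIL $dir/$f: owner is not uid $uid"; rc=1; }
    done
    return "$rc"
}

# The node certificate must chain to root-ca.pem and match its private key.
check_cert_chain() {
    local dir="${1:-/etc/filebeat/certs}"
    local rc=0 pub
    openssl verify -CAfile "$dir/root-ca.pem" "$dir/filebeat.pem" >/dev/null 2>&1 ||
        { echo "FAIL filebeat.pem does not chain to root-ca.pem"; rc=1; }
    # An empty public key means the certificate could not be parsed at all.
    pub=$(openssl x509 -in "$dir/filebeat.pem" -noout -pubkey 2>/dev/null) || pub=""
    if [ -z "$pub" ] ||
       [ "$pub" != "$(openssl pkey -in "$dir/filebeat-key.pem" -pubout 2>/dev/null)" ]; then
        echo "FAIL filebeat-key.pem does not match filebeat.pem"; rc=1
    fi
    return "$rc"
}
```

Run `check_cert_dir && check_cert_chain` as root before starting Filebeat; each prints one `FAIL` line per finding and returns non-zero if any were found.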

#### Configuring the Wazuh indexer connection

Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

```bash
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k password
```

Edit `/var/ossec/etc/ossec.conf` to configure the indexer connection.

```xml
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://192.168.146.157:9200</host> <!-- CHANGE THIS -->
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
```

Starting the Wazuh manager

```bash
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
```

Starting the Filebeat service

```bash
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
```

Run the following command to verify that Filebeat is successfully installed.

```bash
filebeat test output
```

The output should look like this:

```bash
elasticsearch: https://192.168.146.157:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.146.157
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

The server is now installed successfully. Next, we will install the Wazuh dashboard to complete our single-node installation.
