Install Elastic Stack with Debian packages
The DEB package is suitable for Debian, Ubuntu, and other Debian-based systems.
Note
Many of the commands described below need to be executed with root user privileges.
Preparation
Oracle Java JRE is required by Logstash and Elasticsearch:
For Debian:
# echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list # echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list # apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
For Ubuntu:
# add-apt-repository ppa:webupd8team/java
Once the repository is added, install Java JRE:
# apt-get update # apt-get install oracle-java8-installer
Install the Elastic repository and its GPG key:
# apt-get install curl apt-transport-https # curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add - # echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list # apt-get update
Elasticsearch
Elasticsearch is a highly scalable full-text search and analytics engine. For more info please see Elasticsearch.
Install the Elasticsearch package:
# apt-get install elasticsearch=6.1.0
Enable and start the Elasticsearch service:
For Systemd:
# systemctl daemon-reload # systemctl enable elasticsearch.service # systemctl start elasticsearch.service
For SysV Init:
# update-rc.d elasticsearch defaults 95 10 # service elasticsearch start
Load Wazuh Elasticsearch templates:
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://localhost:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
Insert sample alert:
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://localhost:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
Note
It is recommended to edit the default configuration to improve the Elasticsearch performance. To do so, please see Elasticsearch tuning.
Logstash
Logstash is the tool that will collect, parse, and forward to Elasticsearch for indexing and storage all logs generated by Wazuh server. For more info please see Logstash.
Install the Logstash package:
# apt-get install logstash=1:6.1.0-1
Download the Wazuh config for Logstash:
Local configuration:
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-local.confBecause the Logstash user needs to read the alerts.json file, please add it to OSSEC group by running:
# usermod -a -G ossec logstash
Remote configuration:
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-remote.conf
Enable and start the Logstash service:
For Systemd:
# systemctl daemon-reload # systemctl enable logstash.service # systemctl start logstash.service
For SysV Init:
# update-rc.d logstash defaults 95 10 # service logstash start
Note
If you are running Wazuh server and the Elastic Stack server on separate systems (distributed architecture), then it is important to configure encryption between Filebeat and Logstash. To do so, please see Setting up SSL for Filebeat and Logstash.
Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. More info at Kibana.
Install the Kibana package:
# apt-get install kibana=6.1.0
Install the Wazuh App plugin for Kibana:
2.1) Increase the default Node.js heap memory limit to prevent out of memory errors when installing the Wazuh App. Set the limit as follow:
# export NODE_OPTIONS="--max-old-space-size=3072"2.2) Install Wazuh App:
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zipWarning
The Kibana plugin installation process may take several minutes. Please wait patiently.
Note
If you want to download a different Wazuh App plugin for another version of Wazuh or the Elastic Stack, you can check the table available at GitHub and use the appropiate installation command.
Optional. Kibana will listen only on the loopback interface (localhost) by default. To set up Kibana to listen on all interfaces, edit the file
/etc/kibana/kibana.yml
. Uncomment the settingserver.host
and change the value to:
server.host: "0.0.0.0"Note
It is recommended to set up an Nginx proxy for Kibana in order to use SSL encryption and to enable authentication. Instructions to set the proxy up can be found at Setting up SSL and authentication for Kibana.
Enable and start the Kibana service:
For Systemd:
# systemctl daemon-reload # systemctl enable kibana.service # systemctl start kibana.service
For SysV Init:
# update-rc.d kibana defaults 95 10 # service kibana start
Disable the Elastic repository:
We recommend to disable the Elasticsearch repository in order to prevent an upgrade to a newer Elastic Stack version due to possible breaking changes with our App, so you should do it as follow:
# sed -i -r '/deb https:\/\/artifacts.elastic.co\/packages\/6.x\/apt stable main/ s/^(.*)$/#\1/g' /etc/apt/sources.list.d/elastic-6.x.list
Connecting the Wazuh App with the API
Follow the next guide in order to connect the Wazuh App with the API: