Install Wazuh server with RPM packages
On CentOS, RHEL and Fedora, installing the Wazuh server components comes down to adding the appropriate repositories and then installing the relevant packages.
Note
Many of the commands described below need to be executed with root user privileges.
Adding the Wazuh repository
The first thing you need is to add the Wazuh repository to your server. If you want to download the wazuh-manager package directly, or check the compatible versions, you can do it from here.
To set up the repository, run this command:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
For CentOS-5 and RHEL-5:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH5
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/5/
protect=1
EOF
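Both repository files above turn on gpgcheck and fetch the signing key over HTTPS; those two settings are what make a later yum install trustworthy, so they are worth checking before the first install on a host that was provisioned by someone else. The script below is an added example, not part of the Wazuh documentation or the Wazuh project: it audits a .repo file stanza by stanza and reports any stanza that leaves gpgcheck off or fetches its key or packages over plain http. The sample repository file it writes is constructed for the demo (one deliberately weakened copy of the Wazuh stanza next to a correct one), and the temporary file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Wazuh docs or the Wazuh project: audit a yum
# .repo file before running `yum install` from it. A stanza that leaves
# gpgcheck off, or that fetches the key or packages over plain http, lets a
# network attacker feed rpm an unsigned or re-signed package. The sample
# repository file below is constructed for the demo.

# Report the stanza just parsed if it does not enforce signature checks.
_flush_stanza() {
    if [ -n "$section" ] && [ "$gpgcheck" != "1" ]; then
        echo "$section: gpgcheck is '${gpgcheck:-unset}', expected 1"
        findings=$((findings + 1))
    fi
}

# audit_repo_file FILE: print one finding per line, return 0 only when clean.
audit_repo_file() {
    findings=0; section=""; gpgcheck=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])                      # a new [stanza] starts
                _flush_stanza
                section="${line#\[}"; section="${section%\]}"; gpgcheck=""
                ;;
            gpgcheck=*) gpgcheck="${line#gpgcheck=}" ;;
            baseurl=http://*|gpgkey=http://*)
                echo "$section: ${line%%=*} uses plain http: ${line#*=}"
                findings=$((findings + 1))
                ;;
        esac
    done < "$1"
    _flush_stanza
    [ "$findings" -eq 0 ]
}

# Constructed sample: one weakened copy of the Wazuh stanza and one correct one.
write_sample_repo() {
    cat > "$1" <<'EOF'
[wazuh_weak]
name=Wazuh repository (constructed, weak settings)
baseurl=https://packages.wazuh.com/3.x/yum/
gpgkey=http://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck=0
enabled=1

[wazuh_repo]
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck=1
enabled=1
protect=1
EOF
}

# Demo on the constructed sample (temporary file path is an assumption).
repo="$(mktemp)"
write_sample_repo "$repo"
audit_repo_file "$repo" || echo "fix the repo file before running yum install"
rm -f "$repo"
```

Run it against /etc/yum.repos.d/wazuh.repo on a real host with audit_repo_file /etc/yum.repos.d/wazuh.repo. Even with gpgcheck=1, yum imports the vendor key on first use and asks for confirmation; compare the fingerprint it shows with the one the vendor publishes before accepting it, and rpm -K on a downloaded package verifies the signature of a single file.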
Installing Wazuh manager
The following command installs the Wazuh manager on your system:
# yum install wazuh-manager-3.0.0-2
Once the process is completed, you can check the service status with:
For Systemd:
# systemctl status wazuh-manager
For SysV Init:
# service wazuh-manager status
Installing Wazuh API
NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed, or your version is older than 4.6.1, we recommend you add the official NodeJS repository like this:
# curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -
and then install nodejs:
# yum install nodejs
Note that the first command pipes a script fetched over the network straight into a root shell; if your change policy requires it, download the script first, review it, and then run it.
Python >= 2.7 is required in order to run the Wazuh API. It is installed by default or included in the official repositories in most Linux distributions.
It is possible to set a custom Python path for the API in /var/ossec/api/configuration/config.js, in case the stock version of Python in your distro is too old:
config.python = [
    // Default installation
    { bin: "python", lib: "" },
    // Package 'python27' for CentOS 6
    { bin: "/opt/rh/python27/root/usr/bin/python", lib: "/opt/rh/python27/root/usr/lib64" }
];
CentOS 6 and Red Hat 6 come with Python 2.6; you can install Python 2.7 alongside it while keeping the older version:
For CentOS 6:
# yum install -y centos-release-scl
# yum install -y python27
For RHEL 6:
You may need to first enable a repository in order to get python27, with a command like one of these (the repository name depends on how the system gets its RHEL repositories):
# yum-config-manager --enable rhui-REGION-rhel-server-rhscl
# yum-config-manager --enable rhel-server-rhscl-6-rpms
Then install the package:
# yum install python27
Note
Follow this step only if your Python version is lower than 2.7. You can check it by running python --version.
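The version check above has one trap: Python 2 prints its version banner on stderr, so a script that captures only stdout sees an empty string and draws the wrong conclusion. The following script is an added example, not from the Wazuh documentation or the Wazuh project: it parses the banner, compares the major.minor part against 2.7, and distinguishes an old interpreter from a missing one. The interpreter paths in the demo loop (the stock python and the SCL python27 path that config.js refers to) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Wazuh docs: decide whether an interpreter is
# new enough for the API (>= 2.7) from the string `python --version` prints.
# The interpreter paths used in the demo are assumptions.

# python_version_ok "Python X.Y.Z": returns 0 if X.Y >= 2.7, 1 if older, and
# 2 if the string is not a Python version banner (e.g. a "not found" message).
python_version_ok() {
    ver="${1#Python }"
    major="${ver%%.*}"; rest="${ver#*.}"; minor="${rest%%.*}"
    case "$major$minor" in
        ""|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; }
}

# check_python [interpreter]: Python 2 writes its banner to stderr and
# Python 3 to stdout, so both streams are captured before parsing.
check_python() {
    bin="${1:-python}"
    banner="$("$bin" --version 2>&1)" || true
    python_version_ok "$banner"
}

# Demo: the stock interpreter first, then the SCL python27 path from config.js.
for candidate in python /opt/rh/python27/root/usr/bin/python; do
    if check_python "$candidate"; then
        echo "$candidate: usable for the Wazuh API"
    else
        echo "$candidate: missing or older than 2.7"
    fi
done
```

Whichever path passes is the one to put in the bin field of config.python; keep the lib field pointing at the matching library directory, as in the SCL entry above.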
Install the Wazuh API. It will update NodeJS if it is required:
# yum install wazuh-api-3.0.0-1
Once the process is completed, you can check the service status with:
For Systemd:
# systemctl status wazuh-api
For SysV Init:
# service wazuh-api status
Installing Filebeat
Filebeat runs on the Wazuh server and forwards the alerts and archived events to the Logstash service on the Elastic Stack server(s). The link is encrypted only when Filebeat's ssl options and the Logstash beats input are configured for TLS; otherwise the events travel over plain TCP.
Warning
In a single-host architecture (where Wazuh server and Elastic Stack are installed in the same system), you may entirely skip installing Filebeat, since Logstash will be able to read the event/alert data directly from the local filesystem without the assistance of a forwarder.
The RPM package is suitable for installation on Red Hat, CentOS and other modern RPM-based systems.
Install the GPG keys from Elastic, and the Elastic repository:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Install Filebeat:
# yum install filebeat-6.1.0
Download the Filebeat config file from the Wazuh repository, which is preconfigured to forward Wazuh alerts to Logstash:
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/filebeat/filebeat.yml
Edit the file /etc/filebeat/filebeat.yml and replace ELASTIC_SERVER_IP with the IP address or the hostname of the Elastic Stack server. The stanza to change looks like this:
output:
  logstash:
    hosts: ["ELASTIC_SERVER_IP:5000"]
Enable and start the Filebeat service:
For Systemd:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
For SysV Init:
# chkconfig --add filebeat
# service filebeat start
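The manual edit of filebeat.yml is easy to get wrong on a host built by automation: a leftover placeholder makes Filebeat try to connect to a host literally named ELASTIC_SERVER_IP, and nobody notices until alerts stop arriving. The script below is an added example, not part of the Wazuh documentation or the Wazuh project: it fills in the placeholder after a sanity check on the host value, confirms nothing was left unreplaced, reads back the configured hosts list, and warns when the output has no ssl options. The minimal filebeat.yml it writes contains only the output stanza shown above and is constructed for the demo; the host 10.0.0.5 and the temporary file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Wazuh docs or the Wazuh project: fill in the
# ELASTIC_SERVER_IP placeholder of a filebeat.yml copy and verify the result.
# Paths and the host value are assumptions for the demo.

# Constructed minimal filebeat.yml with the same output stanza the docs show.
write_sample_filebeat() {
    cat > "$1" <<'EOF'
output:
  logstash:
    hosts: ["ELASTIC_SERVER_IP:5000"]
EOF
}

# set_logstash_host CFG HOST: replace the placeholder with HOST (IP address or
# hostname). Values with characters that are not valid in a host name are
# rejected; the same characters would also break the sed expression.
# Returns 1 on bad input and 2 if a placeholder is still present afterwards.
set_logstash_host() {
    cfg="$1"; host="$2"
    case "$host" in
        ""|*[!A-Za-z0-9._-]*)
            echo "invalid host: '$host'" >&2; return 1 ;;
    esac
    tmp="$cfg.tmp"
    sed "s/ELASTIC_SERVER_IP/$host/g" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    if grep -q 'ELASTIC_SERVER_IP' "$cfg"; then
        echo "placeholder still present in $cfg" >&2; return 2
    fi
}

# logstash_hosts CFG: print the configured hosts list, e.g. ["10.0.0.5:5000"].
logstash_hosts() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1"
}

# logstash_tls_configured CFG: succeed only if an uncommented ssl.* option is
# present. Without one, Filebeat's logstash output sends events in the clear.
logstash_tls_configured() {
    grep -Eq '^[[:space:]]*ssl\.' "$1"
}

# Demo on a temporary copy of the sample configuration.
cfg="$(mktemp)"
write_sample_filebeat "$cfg"
set_logstash_host "$cfg" "10.0.0.5" && echo "hosts: $(logstash_hosts "$cfg")"
logstash_tls_configured "$cfg" || echo "warning: no ssl.* options, traffic to Logstash is unencrypted"
rm -f "$cfg"
```

On a real server call set_logstash_host /etc/filebeat/filebeat.yml <host> before enabling the service, and run the TLS check against the file you downloaded: if it reports no ssl options, the "securely forward" in the introduction does not hold yet, and TLS has to be configured on both Filebeat and the Logstash beats input before the link crosses an untrusted network.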
Next steps
Once the manager, the API and Filebeat (only needed for distributed architectures) are installed, you are ready to install Elastic Stack.