Wazuh Manager
This role installs and configures Wazuh Manager and the Wazuh API. Several variables let you customize the installation or configuration, for example:
- json_output: enables or disables JSON output (default: yes)
- email_notification: enables email notifications (default: no)
- mail_to: email notification recipients (array, default: admin@example.net)
- mail_smtp_server: SMTP server used for email notifications (default: localhost)
- mail_from: email notification sender (default: ossec@example.com)
By creating a YAML file wazuh-manager.yml you can specify the usage of this role:
- hosts: wazuh-manager
  roles:
    - ansible-wazuh-manager
    - ansible-role-filebeat
Setting the variables in a separate YAML file is recommended when configuring the installation. This example uses vars-production.yml:
filebeat_output_elasticsearch_hosts: '10.1.1.11:9200'
wazuh_manager_fqdn: "wazuh-manager"
wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  authd:
    enable: true
    port: 1515
    use_source_ip: 'no'
    force_insert: 'no'
    force_time: 0
    purge: 'no'
    use_password: 'no'
    ssl_agent_ca: null
    ssl_verify_host: 'no'
    ssl_manager_cert: null
    ssl_manager_key: null
    ssl_auto_negotiate: 'no'
You can configure Wazuh API user credentials by including them in htpasswd format in the file ansible-wazuh-manager/vars/wazuh_api_creds.yml located on your Ansible control server:
# Be sure you encrypt this file with ansible-vault
wazuh_api_user:
  - foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
  - bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1
You can also configure agentless host credentials in the file ansible-wazuh-manager/vars/agentless_creds.yml. Define as many entries as you need:
# Be sure you encrypt this file with ansible-vault.
agentless_creds:
  - type: ssh_integrity_check_linux
    frequency: 3600
    host: root@example1.net
    state: periodic
    arguments: '/bin /etc/ /sbin'
    passwd: qwerty
  - type: ssh_integrity_check_bsd
    frequency: 3600
    host: user@example2.net
    state: periodic
    arguments: '/bin /etc/ /sbin'
    passwd: qwerty
The authd service password can be set in the file ansible-wazuh-manager/vars/authd_pass.yml:
# Be sure you encrypt this file with ansible-vault
authd_pass: foobar
Warning
We recommend the use of Ansible Vault to protect Wazuh API and agentless credentials.
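One way to enforce this recommendation before the playbook runs, as an added example that is not part of the Wazuh role: a pre-flight check that the three credential files named above start with the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes. The function names and the roles path in the usage comment are assumptions; the check covers whole-file encryption only.

```shell
#!/bin/sh
# Added example (not part of the Wazuh role): pre-flight check that the
# credential files named on this page are whole-file encrypted with
# ansible-vault. Values encrypted inline with "!vault" are not detected.

# The three files from this page, relative to the directory holding the role.
CRED_FILES="ansible-wazuh-manager/vars/wazuh_api_creds.yml
ansible-wazuh-manager/vars/agentless_creds.yml
ansible-wazuh-manager/vars/authd_pass.yml"

# is_vault_encrypted FILE
# Returns 0 if FILE starts with an ansible-vault header, 1 if it is readable
# but not encrypted, 2 if it is not a regular file or cannot be read.
is_vault_encrypted() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        '$ANSIBLE_VAULT;'[0-9]*';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_creds BASE_DIR
# Reports each file and returns the number of files stored in plaintext.
check_creds() {
    base=$1
    bad=0
    for rel in $CRED_FILES; do
        is_vault_encrypted "$base/$rel" && status=0 || status=$?
        case "$status" in
            0) echo "ENCRYPTED $rel" ;;
            2) echo "ABSENT    $rel" ;;
            *) echo "PLAINTEXT $rel" >&2
               bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Usage (hypothetical roles path):
#   check_creds /etc/ansible/roles &&
#       ansible-playbook wazuh-manager.yml -e@vars-production.yml --ask-vault-pass
```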
Next, run the playbook:
$ ansible-playbook wazuh-manager.yml -e@vars-production.yml
The example above installs Wazuh Manager and Filebeat. Filebeat is configured to forward data to the Elasticsearch node at 10.1.1.11:9200. The playbook also sets up the agentless host configurations, including their credentials, and configures the Wazuh API and the authd service.
Please review the references section to see all variables available for this role.