Wazuh Manager

This role will install and configure Wazuh Manager and Wazuh API, there are several variables you can use to customize the installation or configuration, for example:

  • json_output: enabling or not JSON output (default: yes)

  • email_notification: enabling email notifications (default: no)

  • mail_to: email notifications recipients (array, defaults: admin@example.net)

  • mail_smtp_server: SMTP server to be used by email notifications ( defaults: localhost)

  • mail_from: email notification sender ( defaults: ossec@example.com)

By creating a YAML file wazuh-manager.yml you can specify the usage of this role:

- hosts: wazuh-manager
  roles:
    - ansible-wazuh-manager
    - ansible-role-filebeat

Setting the variables in a separate YAML file is recommended when configuring the installation. For this example we used: vars-production.yml:

filebeat_output_elasticsearch_hosts: '10.1.1.11:9200'

wazuh_manager_fqdn: "wazuh-manager"

wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  authd:
    enable: true
    port: 1515
    use_source_ip: 'no'
    force_insert: 'no'
    force_time: 0
    purge: 'no'
    use_password: 'no'
    ssl_agent_ca: null
    ssl_verify_host: 'no'
    ssl_manager_cert: null
    ssl_manager_key: null
    ssl_auto_negotiate: 'no'

You can configure Wazuh API user credentials by including them in htpasswd format in the file ansible-wazuh-manager/vars/wazuh_api_creds.yml located on your Ansible control server:

# Be sure you encrypt this file with ansible-vault
wazuh_api_user:
- foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
- bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1

Also, you can configure agentless host credentials via the file: ansible-wazuh-manager/vars/agentless_creds.yml, set many as you need:

# Be sure you encrypt this file with ansible-vault.
agentless_creds:
 - type: ssh_integrity_check_linux
   frequency: 3600
   host: root@example1.net
   state: periodic
   arguments: '/bin /etc/ /sbin'
   passwd: qwerty
 - type: ssh_integrity_check_bsd
   frequency: 3600
   host: user@example2.net
   state: periodic
   arguments: '/bin /etc/ /sbin'
   passwd: qwerty

And the authd service password could be set in the file ansible-wazuh-manager/vars/authd_pass.yml:

# Be sure you encrypt this file with ansible-vault
authd_pass: foobar

Warning

We recommend the use of Ansible Vault to protect Wazuh API and agentless credentials.

Next, run the playbook:

$ ansible-playbook wazuh-manager.yml -e@vars-production.yml

The example above will install Wazuh Manager and Filebeat, Filebeat will be configured to forward data to 10.1.1.11:9200 as Elasticsearch node, also it will set various agentless hosts configurations including their credentials, the Wazuh API and the authd will be configured as well.

Please review the references section to see all variables available for this role.