This is the documentation for Wazuh 3.12. Check out the docs for the latest version of Wazuh!

Launch the EC2 instances

Here we will launch the Wazuh Server, the Elastic Server, and the Linux Agent as CentOS 7 EC2 instances.

Launch a Wazuh Server instance

  • From your EC2 Dashboard, click on [Launch Instance].
  • On the left, click on “AWS Marketplace”.
  • Type “centos 7” into the search field and hit <Enter>.
  • Find the image below and click on [Select] next to it.
  • Click on [Continue].
  • Select the General purpose t2.micro instance type and click on [Next: Configure Instance Details].
  • For Network, choose your VPC, and for the Primary IP of eth0, put in “172.30.0.10”.
  • Expand the Advanced Details section and paste the following launch script text into the window.
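#!/bin/bash
# Primary IPv4 address of eth0, without the prefix length.
IP=$(ip -o -4 addr show dev eth0 | cut -d ' ' -f 7 | cut -f 1 -d '/')
# Set the static hostname that matches this instance's lab IP.
if [ "$IP" == "172.30.0.10" ]; then
    hostnamectl set-hostname --static wazuh-manager
fi
if [ "$IP" == "172.30.0.20" ]; then
    hostnamectl set-hostname --static elastic-server
fi
if [ "$IP" == "172.30.0.30" ]; then
    hostnamectl set-hostname --static linux-agent
fi
# Keep cloud-init from managing the hostname on later boots.
echo "preserve_hostname: true" >> /etc/cloud/cloud.cfg
# Let the lab hosts resolve each other by name.
echo "172.30.0.10 wazuh-manager" >> /etc/hosts
echo "172.30.0.20 elastic-server" >> /etc/hosts
echo "172.30.0.30 linux-agent" >> /etc/hosts
echo "172.30.0.40 windows-agent" >> /etc/hosts
# Add the Wazuh binaries to root's PATH. Single quotes defer the expansion
# of $PATH and $HOME to login time instead of freezing the boot-time values.
echo 'PATH=$PATH:$HOME/bin:/var/ossec/bin' >> /root/.bashrc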
  • Click on [Next: Add Storage].
  • Choose a recommended Size of 20GB. As low as 8GB should work on this instance if you are careful.
  • Choose a Volume Type of “General Purpose SSD”.
  • Checkmark Delete on Termination.
  • Click on [Next: Add Tags] and then on [Add Tag].
  • Click on [Next: Configure Security Group].
  • Choose “Select an existing security group” and then select only the “Wazuh Linux” security group.
  • Click on [Review and Launch] and on [Launch].
  • Select the “Wazuh_Lab” key pair, check the acknowledgment box and click on [Launch Instances].
  • Click on [View Instances] to confirm your new instance is on its way up.
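
A post-boot check for the Linux instances, as an added example that is not part of the Wazuh documentation: it confirms that the launch script above set the hostname matching the primary IP, wrote each of the four /etc/hosts entries exactly once, and appended preserve_hostname to cloud.cfg. The function names and the --live switch are this example's own.

```shell
#!/bin/bash
# Added example (not from the Wazuh docs): verify the launch script's effects.

# Hostname the launch script assigns for a given primary IP.
expected_hostname() {
    case "$1" in
        172.30.0.10) echo wazuh-manager ;;
        172.30.0.20) echo elastic-server ;;
        172.30.0.30) echo linux-agent ;;
        *) return 1 ;;
    esac
}

# check_lab_host IP HOSTNAME HOSTS_FILE CLOUD_CFG
# Prints one line per problem found; returns 0 only when there are none.
check_lab_host() {
    local ip="$1" name="$2" hosts="$3" cfg="$4" rc=0 want entry n
    if want=$(expected_hostname "$ip"); then
        if [ "$want" != "$name" ]; then
            echo "hostname is '$name', expected '$want'"; rc=1
        fi
    else
        echo "primary IP '$ip' is not a Linux lab address"; rc=1
    fi
    # Each of the four lab entries must be present exactly once.
    for entry in "172.30.0.10 wazuh-manager" "172.30.0.20 elastic-server" \
                 "172.30.0.30 linux-agent" "172.30.0.40 windows-agent"; do
        n=$(grep -cxF -- "$entry" "$hosts" 2>/dev/null || true)
        case "${n:-0}" in
            0) echo "missing hosts entry: $entry"; rc=1 ;;
            1) ;;
            *) echo "hosts entry appears $n times: $entry"; rc=1 ;;
        esac
    done
    # cloud-init manages the hostname itself unless this line is present.
    if ! grep -qxF -- "preserve_hostname: true" "$cfg" 2>/dev/null; then
        echo "preserve_hostname: true not found in $cfg"; rc=1
    fi
    return "$rc"
}

# On an instance, pass --live to check the real system files.
if [ "${1:-}" = "--live" ]; then
    ip=$(ip -o -4 addr show dev eth0 | cut -d ' ' -f 7 | cut -d '/' -f 1)
    check_lab_host "$ip" "$(hostname)" /etc/hosts /etc/cloud/cloud.cfg
fi
```

A repeated entry usually means the launch script ran more than once on the same instance, since it appends to /etc/hosts without checking what is already there.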

Launch a Linux Agent instance

Repeat the process for “Launch a Wazuh Server instance” with the following exceptions:

  • Select the General purpose t2.micro instance type.
  • Set the Primary IP to 172.30.0.30.
  • Leave the Storage Size at the default 8GB unless you plan to make extra disk space demands on this instance.
  • Don’t forget to expand the Advanced Details section and paste the same launch script.
  • Set the Name Tag to “Linux Agent”.

Launch an Elastic Server instance

Repeat the process for “Launch a Wazuh Server instance” changing the following:

  • Choose a recommended instance type of General Purpose t2.xlarge. An instance as small as a t2.large should still work but it will not be as responsive.
  • Set the Primary IP to 172.30.0.20.
  • Choose a recommended Storage Size of 100GB. As low as 8GB should generally be adequate if you are careful with disk space management and don’t leave the lab running for a long time.
  • Don’t forget to expand the Advanced Details section and paste the same launch script.
  • Set the Name Tag to “Elastic Server”.

Launch a Windows Agent instance

Repeat the process for “Launch a Wazuh Server instance” with the following exceptions:

  • When choosing an image (AMI), click on Quick Start and select “Microsoft Windows Server 2016 Base”.
  • Choose an instance type of General Purpose t2.small.
  • Set the Primary IP to 172.30.0.40.
  • Do not put any launch script into the User data box.
  • Do not change the Storage Size to smaller than the default of 30GB. Larger is fine if you wish.
  • Set the Name Tag to “Windows Agent”.
  • Pick the “Wazuh Windows” security group instead of the “Wazuh Linux” one.