Debian from sources

This guide describes how to install the manager and API for Debian 7 or greater from source code. In addition, for distributed architectures, you will find some guidance on how to install Filebeat.

Installing Wazuh manager

  1. Install the development tools and compilers. In Linux, this can easily be done using your distribution's package manager:

    # apt-get install python gcc make libc6-dev curl policycoreutils automake autoconf libtool
    

    1.1 Optional. Install the following dependencies only if the installation directory is not /var/ossec. Since v3.9.0, make deps will download a pre-compiled version of CPython, built to be installed in /var/ossec. Otherwise, it will download a modified version of CPython sources and it will be necessary to compile it.

    To install the build dependencies of CPython, follow these steps:

    # echo "deb-src http://deb.debian.org/debian $(lsb_release -cs) main" >> /etc/apt/sources.list
    # apt-get update
    # apt-get build-dep python3.5 -y
    

    Note

    The Python version from the previous command may change depending of the OS used to build the binaries. More information in Install dependencies.

  2. Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v3.13.6.tar.gz | tar zx
  1. Run the install.sh script. This will display a wizard to guide you through the installation process using the Wazuh sources:

Warning

If you want to enable the database output, check out this section before running the installation script.

# cd wazuh-*
# ./install.sh

If you have previously compiled for another platform, you must clean the build using the Makefile in src:

# cd wazuh-*
# make -C src clean
# make -C src clean-deps
  1. When the script asks what kind of installation you want, type manager to install the Wazuh manager:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager

Note

During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to manager, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt.

Warning

Be extremely careful not to select a critical installation directory if you choose a different path than the default. If the directory already exist the installer will ask if delete the directory or if installing Wazuh inside.

  1. The installer asks if you want to start Wazuh at the end of the installation. If you chosen not to, you can start it later with:

  1. For Systemd:

# systemctl start wazuh-manager
  1. For SysV Init:

# service wazuh-manager start

If you want to confirm that it started:

  1. For Systemd:

# systemctl status wazuh-manager
  1. For SysV Init:

# service wazuh-manager status

Installing Wazuh API

  1. NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend you add the official repository as this has more recent versions.

    # curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
    # apt-get install -y nodejs
    # npm config set user 0
    

Note

If you are using Debian 7 (Wheezy) you must install NodeJS 6 using the command below: # curl -sL https://deb.nodesource.com/setup_6.x | bash -

For more information, see the Official guide to install NodeJS.

  1. Download and execute the installation script:

# curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.13.6/install_api.sh && bash ./install_api.sh download
  1. Once the process is complete, you can check the service status with:

  • For Systemd:

    # systemctl status wazuh-api
    
  • For SysV Init:

    # service wazuh-api status
    

Note

You can also run an unattended installation for the Wazuh manager and API.

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

While Filebeat can be installed from sources, the process is more complex than you may like and it is beyond the scope of Wazuh documentation. We recommend installing Filebeat via repository package.

Next steps

Once you have installed the manager, API and Filebeat (only needed for distributed architectures), you are ready to install Elastic Stack.

Uninstall

To uninstall Wazuh manager and Wazuh API:

# OSSEC_INIT="/etc/ossec-init.conf"
# . $OSSEC_INIT 2> /dev/null

Stop the service:

# service wazuh-manager stop 2> /dev/null
# service wazuh-api stop 2> /dev/null

Stop the daemon:

# $DIRECTORY/bin/ossec-control stop 2> /dev/null

Remove files and service artifacts:

# rm -rf $DIRECTORY $OSSEC_INIT

Delete the service:

For SysV Init:

# [ -f /etc/rc.local ] && sed -i'' '/ossec-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh" | xargs rm -f

For Systemd:

# find /etc/systemd/system -name "wazuh*" | xargs rm -f
# systemctl daemon-reload

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null