Ubuntu from packages

For Ubuntu 12.04 or greater, installing the Wazuh server components entails the installation of the relevant packages after adding the repositories.

Note

All the commands described below need to be executed with root user privileges.

Adding the Wazuh repository

The first step to setting up Wazuh is to add the Wazuh repository to your server. You can download the wazuh-manager package directly or check the compatible versions in the Packages list section.

  1. To perform this procedure, the curl, apt-transport-https, lsb-release and gnupg2 packages must be installed on your system. If they are not already present, install them using the commands below:

# apt-get update
# apt-get install curl apt-transport-https lsb-release gnupg2
  2. Install the GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
  3. Add the repository:

# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
  4. Update the package information:

# apt-get update
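Two checks worth adding to the repository steps above, written as an added example rather than commands from the Wazuh documentation: piping `curl` straight into `apt-key add -` will happily "import" an empty body or an HTML error page when the download fails, and `tee -a` appends a second copy of the repository line every time the step is re-run. The functions below assume the key has already been saved to a file (for example with `curl -so`) and take the sources-list path as a parameter so they can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example (not part of the Wazuh docs): safer versions of the key and repository steps.
set -eu

# Repository line exactly as the documentation adds it.
WAZUH_REPO_LINE='deb https://packages.wazuh.com/3.x/apt/ stable main'

# key_looks_armored FILE: succeed only if FILE is an ASCII-armored PGP public key block.
# Run this on the downloaded key before handing it to "apt-key add", so a failed or
# redirected download fails loudly instead of importing garbage.
key_looks_armored() {
  grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" &&
  grep -q '^-----END PGP PUBLIC KEY BLOCK-----' "$1"
}

# add_repo_line LISTFILE: append the Wazuh repository line only if it is not already
# present, so re-running the step never produces duplicate entries.
add_repo_line() {
  list="$1"
  if [ -f "$list" ] && grep -qxF "$WAZUH_REPO_LINE" "$list"; then
    return 0
  fi
  printf '%s\n' "$WAZUH_REPO_LINE" >> "$list"
}

# count_repo_lines LISTFILE: print how many copies of the repository line LISTFILE holds.
count_repo_lines() {
  grep -cxF "$WAZUH_REPO_LINE" "$1" 2>/dev/null || true
}
```

On a real system you would call `add_repo_line /etc/apt/sources.list.d/wazuh.list` and `key_looks_armored /tmp/GPG-KEY-WAZUH && apt-key add /tmp/GPG-KEY-WAZUH`, followed by `apt-get update`.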

Installing the Wazuh manager

On your terminal, install the Wazuh manager:

# apt-get install wazuh-manager

Once the process is completed, you can check the service status with:

  • For Systemd:

    # systemctl status wazuh-manager
    
  • For SysV Init:

    # service wazuh-manager status
    

Installing the Wazuh API

  1. NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend that you add the official NodeJS repository like this:

# curl -sL https://deb.nodesource.com/setup_10.x | bash -

Note

If you are using Ubuntu 12.04 (Precise), you must install NodeJS 6 using the command below:

# curl -sL https://deb.nodesource.com/setup_6.x | bash -

Then install NodeJS:

# apt-get install nodejs
  2. Install the Wazuh API. NodeJS will be updated if required:

# apt-get install wazuh-api
  3. Once the process is complete, you can check the service status with:

  • For Systemd:

    # systemctl status wazuh-api
    
  • For SysV Init:

    # service wazuh-api status
    

Note

Now that the Wazuh API is installed, check out the section Securing the Wazuh API to set up some additional settings.

  4. (Optional) Disable the Wazuh updates:

It is recommended that the Wazuh repository be disabled in order to prevent accidental upgrades. To do this, use the following command:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update

Alternatively, you can set the package state to hold, which stops automatic updates (you can still upgrade the packages manually with apt-get install).

# echo "wazuh-manager hold" | sudo dpkg --set-selections
# echo "wazuh-api hold" | sudo dpkg --set-selections

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch. To install it:

  1. Add the Elastic repository and its GPG key:

# apt-get install curl apt-transport-https
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
  2. Install Filebeat:

# apt-get install filebeat=7.9.2
  3. Download the Filebeat config file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Elasticsearch:

# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/filebeat/7.x/filebeat.yml
  4. Download the alerts template for Elasticsearch:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/elasticsearch/7.x/wazuh-template.json
  5. Download the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  6. Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:

output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
  7. Enable and start the Filebeat service:

  • For Systemd:

    # systemctl daemon-reload
    # systemctl enable filebeat.service
    # systemctl start filebeat.service
    
  • For SysV Init:

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    

Next steps

Once you have installed the manager, API and Filebeat, you are ready to install Elastic Stack.

Uninstall

To uninstall the Wazuh manager and Wazuh API:

# apt-get remove wazuh-manager wazuh-api

Some files are marked as configuration files, so the package manager does not remove them from the filesystem. To remove the packages together with those files, use the following command:

# apt-get remove --purge wazuh-manager wazuh-api

To uninstall filebeat:

# apt-get remove filebeat

To remove Filebeat together with its configuration files, use the following command:

# apt-get remove --purge filebeat