Install Wazuh server Components
The Wazuh server in your lab will be running the Wazuh manager, Wazuh API, and Filebeat applications.
Log in and sudo to root
This is how it should look after logging in and gaining root privileges with sudo su:
[centos@wazuh-manager ~]$ sudo su -
[root@wazuh-manager ~]#
Add the Wazuh yum repository
The first step to setting up the manager is to add the Wazuh repository:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
Install and set up Wazuh server
Install the Wazuh manager software and confirm it is running:
# yum -y install wazuh-manager
# systemctl status wazuh-manager
Configure Wazuh manager to listen for agent connections on TCP instead of UDP:
# grep "<protocol>" -B3 -A2 /var/ossec/etc/ossec.conf
# sed -i 's/<protocol>udp/<protocol>tcp/' /var/ossec/etc/ossec.conf
# grep "<protocol>" -B3 -A2 /var/ossec/etc/ossec.conf
Configure Wazuh manager to allow self-registration of new agents with password authentication:
# grep "<use_password>" -B7 -A8 /var/ossec/etc/ossec.conf
# sed -i 's/<use_password>no/<use_password>yes/' /var/ossec/etc/ossec.conf
# grep "<use_password>" -B7 -A8 /var/ossec/etc/ossec.conf
# echo "please123" > /var/ossec/etc/authd.pass   # this is the password agents will use for self-registration
Restart Wazuh manager and confirm the agent listener and the self-registration listener are in place:
[root@wazuh-manager ~]# systemctl restart wazuh-manager
[root@wazuh-manager ~]# netstat -natp | egrep "(:1514|:1515)"
tcp        0      0 0.0.0.0:1514        0.0.0.0:*       LISTEN      14311/ossec-remoted
tcp        0      0 0.0.0.0:1515        0.0.0.0:*       LISTEN      14263/ossec-authd
Install Wazuh API
The Wazuh API provides an interface to manage and monitor the configuration and deployment status of agents. It is mostly used by the Wazuh Kibana plugin, but it is a general-purpose RESTful API that can be used from the command line via curl or via custom scripts for interacting with various aspects of Wazuh manager.
Install the wazuh-api package and its dependency nodejs:
# curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
# yum -y install nodejs
# yum -y install wazuh-api
# systemctl status wazuh-api
Use the API configurator script to enable SSL and set the credentials for API access:
# /var/ossec/api/scripts/configure_api.sh
Press <Enter> during configuration to take defaults, except for these cases:
For the three "Enter pass phrase for..." prompts: specify "keypass" each time.
For "API user", enter "wazuhapiuser".
For "New password", enter "wazuhlab" and then enter it again.
Install Filebeat
Filebeat is the tool on the Wazuh server that will securely forward the alerts and archived events to the Elasticsearch service.
Install the GPG keys from Elastic, and the Elastic repository:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Install Filebeat:
# yum install filebeat-7.9.2
Download the Filebeat configuration file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Replace the placeholder in the Filebeat config with the IP address of your Elasticsearch instance:
# sed -i 's/YOUR_ELASTIC_SERVER_IP/172.30.0.20/' /etc/filebeat/filebeat.yml
Enable and start the Filebeat service:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
Now disable the Wazuh and Elastic repositories to prevent unintended upgrades that could cause a version conflict with the current installation:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
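The checks below are an added example, not part of the original lab guide or of Wazuh itself: they verify that the sed edits made in this section actually took effect (TCP listener, password-protected self-registration, a non-empty authd.pass, the Elasticsearch placeholder replaced in filebeat.yml, both repositories disabled). The file paths default to the ones used above but can be passed as arguments so the checks can also be run against copies of the files.

```shell
#!/bin/sh
# Added post-install checks for this lab (not part of the original guide).
# Each check takes a file path; the defaults are the paths the guide edits.

# remoted must accept agent connections over tcp (the first sed step).
remoted_uses_tcp() {
    grep -q '<protocol>tcp</protocol>' "$1"
}

# Agent self-registration must require the shared password.
authd_requires_password() {
    grep -q '<use_password>yes</use_password>' "$1"
}

# ossec-authd reads the first line of authd.pass; it must be non-empty.
authd_pass_present() {
    [ -s "$1" ] && [ -n "$(head -n 1 "$1")" ]
}

# The YOUR_ELASTIC_SERVER_IP placeholder must have been replaced.
filebeat_target_set() {
    [ -f "$1" ] && ! grep -q 'YOUR_ELASTIC_SERVER_IP' "$1"
}

# A repo file must have enabled=0 and no remaining enabled=1 line.
repo_disabled() {
    grep -q '^enabled=0' "$1" && ! grep -q '^enabled=1' "$1"
}

# Run every check, print one PASS/FAIL line each, return the failure count.
# Args: ossec.conf, authd.pass, filebeat.yml, yum repo directory.
verify_wazuh_server() {
    ossec=${1:-/var/ossec/etc/ossec.conf}
    pass=${2:-/var/ossec/etc/authd.pass}
    fb=${3:-/etc/filebeat/filebeat.yml}
    repodir=${4:-/etc/yum.repos.d}
    failures=0
    for c in "remoted_uses_tcp $ossec" "authd_requires_password $ossec" \
             "authd_pass_present $pass" "filebeat_target_set $fb" \
             "repo_disabled $repodir/wazuh.repo" \
             "repo_disabled $repodir/elastic.repo"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; failures=$((failures + 1)); fi
    done
    return $failures
}

# Only touch the live system when asked explicitly:  sh check.sh --check
if [ "${1:-}" = "--check" ]; then verify_wazuh_server; fi
```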