Install Wazuh server Components

The Wazuh server in your lab will be running the Wazuh manager, Wazuh API, and Filebeat applications.

Log in and sudo to root

This is how it should look like, after loging in and gaining sudo privileges with sudo su:

[centos@wazuh-manager ~]$ sudo su -
[root@wazuh-manager ~]#

Add the Wazuh yum repository

The first step to setting up the manager is to add the Wazuh repository:

# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

Install and set up Wazuh server

Install the Wazuh manager software and confirm it is running:

# yum -y install wazuh-manager
# systemctl status wazuh-manager

Configure Wazuh manager to listen for agent connections on tcp instead of udp:

# grep "<protocol>" -B3 -A2 /var/ossec/etc/ossec.conf
# sed -i 's/<protocol>udp/<protocol>tcp/' /var/ossec/etc/ossec.conf
# grep "<protocol>" -B3 -A2 /var/ossec/etc/ossec.conf

Configure Wazuh manager to allow self registration of new agents with authentication:

# grep "<use_password>" -B7 -A8 /var/ossec/etc/ossec.conf
# sed -i 's/<use_password>no/<use_password>yes/' /var/ossec/etc/ossec.conf
# grep "<use_password>" -B7 -A8 /var/ossec/etc/ossec.conf
# echo "please123" > /var/ossec/etc/authd.pass # this is the password agents will use for self-registration

Restart Wazuh manager and confirm the agent listener and the self-registration listener are in place:

[root@wazuh-manager ~]# systemctl restart wazuh-manager
[root@wazuh-manager ~]# netstat -natp | egrep "(:1514|:1515)"
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      14311/ossec-remoted
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      14263/ossec-authd

Install Wazuh API

The Wazuh API provides an interface to manage and monitor the configuration and deployment status of agents. It is mostly used by the Wazuh Kibana plugin, but it is a general-purpose RESTful API that can be used from the command line via curl or via custom scripts for interacting with various aspects of Wazuh manager.

  1. Install wazuh-api package and its dependency nodejs.
# curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
# yum -y install nodejs
# yum -y install wazuh-api
# systemctl status wazuh-api
  1. Use the API configurator script to enable SSL and set credentials for API access
# /var/ossec/api/scripts/configure_api.sh

Press <Enter> during configuration to take defaults, except for these cases:

  • For the three “Enter pass phrase for…” prompts: specify “keypass” each time.
  • For “API user”, enter “wazuhapiuser”.
  • For “New password”, enter “wazuhlab” and then enter it again.

Install Filebeat

Filebeat is the tool on the Wazuh server that will securely forward the alerts and archived events to the Elasticsearch service.

  1. Install the GPG keys from Elastic, and the Elastic repository:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
  1. Install Filebeat:
# yum install filebeat-7.9.2
  1. Download the Filebeat configuration file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.13.2/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
  1. Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.13.2/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
  1. Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  1. Edit and set the specific IP address of your Elasticsearch instance into the Filebeat config:
# sed -i 's/YOUR_ELASTIC_SERVER_IP/172.30.0.20/' /etc/filebeat/filebeat.yml
  1. Enable and start the Filebeat service:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
  1. Now disable the Wazuh and Elastic repositories in order to prevent unintended upgrades that may cause a version conflict with the current installation.
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo