Install Wazuh server from sources

This guide describes how to install the manager and API from source code. In addition, for distributed architectures, you will find some guidance on how to install Filebeat.

Note

Many of the commands described below need to be executed with root user privileges.

Installing Wazuh manager

  1. Install the development tools and compilers. On Linux, this can easily be done using your distribution's package manager:

     a. For RPM-based distributions:

# yum install make gcc policycoreutils-python automake autoconf libtool

     b. For Debian-based distributions:

# apt-get install python gcc make libc6-dev curl policycoreutils-python-utils automake autoconf libtool

  2. Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v3.5.0.tar.gz | tar zx

  3. Run the install.sh script. This will display a wizard to guide you through the installation process using the Wazuh sources:

# cd wazuh-*
# ./install.sh

Note

Since Wazuh 3.5, an internet connection is required for this step.

  4. When the script asks what kind of installation you want, type manager to install the Wazuh Manager:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager

  5. The installer asks if you want to start Wazuh at the end of the installation. If you chose not to, you can start it later with:

# /var/ossec/bin/ossec-control start

If you want to confirm that it started:

$ /var/ossec/bin/ossec-control status

Installing Wazuh API

  1. NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend adding the official repository, as it has more recent versions.

     a. For RPM-based distributions:

# curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
# yum -y install nodejs

     b. For Debian-based distributions:

# curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
# apt-get install -y nodejs

Note

If you are using Ubuntu 12.04 (Precise) or Debian 7 (Wheezy), you must install NodeJS 6 using the command below:

# curl -sL https://deb.nodesource.com/setup_6.x | bash -

For more information, see the Official guide to install NodeJS.

  2. Download and execute the installation script:

# curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.5.0/install_api.sh && bash ./install_api.sh download

  3. Python >= 2.7 is required in order to run the API. It is installed by default or included in the official repositories of most Linux distributions.

It is possible to set a custom Python path for the API in /var/ossec/api/configuration/config.js, in case the stock version of Python in your distro is too old:

config.python = [
    // Default installation
    {
        bin: "python",
        lib: ""
    },
    // Package 'python27' for CentOS 6
    {
        bin: "/opt/rh/python27/root/usr/bin/python",
        lib: "/opt/rh/python27/root/usr/lib64"
    }
];

CentOS 6 and Red Hat 6 come with Python 2.6; however, you can install Python 2.7 in parallel and still keep the older version(s):

     a. For CentOS 6:

# yum install -y centos-release-scl
# yum install -y python27

     b. For RHEL 6:

# yum install python27

You may need to first enable a repository in order to get python27, with a command like this:

# yum-config-manager --enable rhui-REGION-rhel-server-rhscl
# yum-config-manager --enable rhel-server-rhscl-6-rpms
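
The manager tarball above is piped from curl straight into tar, and install_api.sh is run with bash right after download, both as root and without an integrity check. The following shell functions are an added example, not part of the Wazuh documentation: they work on an artifact saved to a file, compare its SHA-256 with a pinned value, and reject archive members with absolute or `..` paths before extracting. Function names are hypothetical, and the expected digest is a placeholder that must come from a source you trust.

```sh
#!/bin/sh
# Added example (not from the Wazuh docs): gate extraction on a pinned digest.

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
    actual=$(sha256_of "$1" 2>/dev/null)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# paths_safe: read member names on stdin; fail on absolute paths or ".." parts.
# This is an explicit check rather than reliance on tar's own handling.
paths_safe() {
    awk 'BEGIN { bad = 0 }
         /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
         END { exit bad }'
}

# safe_extract TARBALL EXPECTED DESTDIR
# Returns 1 on digest mismatch, 2 on unreadable archive or unsafe member path.
safe_extract() {
    verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    listing=$(tar -tzf "$1") || return 2
    printf '%s\n' "$listing" | paths_safe ||
        { echo "unsafe member path in $1" >&2; return 2; }
    mkdir -p "$3" && tar -xzf "$1" -C "$3" --no-same-owner
}

# Usage (the digest below is a placeholder, not a published Wazuh value):
#   curl -fLsS -o wazuh.tar.gz https://github.com/wazuh/wazuh/archive/v3.5.0.tar.gz
#   safe_extract wazuh.tar.gz "<EXPECTED_SHA256>" . && cd wazuh-* && ./install.sh
```

verify_sha256 can gate install_api.sh the same way before it is passed to bash.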

Note

You can also run an unattended installation for the Wazuh manager and API.

Installing Filebeat

While Filebeat can be installed from source (see this doc), the process is more complex than you may like and is beyond the scope of the Wazuh documentation. We recommend installing Filebeat via repository package; otherwise, you can install it from a binary tarball that should work for any Linux distro. See more here.

Warning

In a single-host architecture (where Wazuh server and Elastic Stack are installed in the same system), the installation of Filebeat is not needed since Logstash will be able to read the event/alert data directly from the local filesystem without the assistance of a forwarder.

Next steps

Once you have installed the manager, API and Filebeat (only needed for distributed architectures), you are ready to install Elastic Stack.