Install Wazuh server with DEB packages
For Debian/Ubuntu platforms, installing the Wazuh server components entails the installation of the relevant packages after adding the repositories.
Note
Many of the commands described below need to be executed with root user privileges.
Adding the Wazuh repository
The first step to setting up Wazuh is to add the Wazuh repository to your server. If you want to download the wazuh-manager package directly, or check the compatible versions, click here.
To perform this procedure, the curl, apt-transport-https and lsb-release packages must be installed on your system. If they are not already present, install them using the commands below:
# apt-get update
# apt-get install curl apt-transport-https lsb-release
If the /usr/bin/python file doesn't exist (like in Ubuntu 16.04 LTS or later), create a symlink to Python (2.7 or newer) with the following command:
# if [ ! -f /usr/bin/python ]; then ln -s /usr/bin/python3 /usr/bin/python; fi
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the repository:
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Installing the Wazuh Manager
On your terminal, install the Wazuh manager:
# apt-get install wazuh-manager=3.8.2-1
Once the process is completed, you can check the service status with:
For Systemd:
# systemctl status wazuh-manager
For SysV Init:
# service wazuh-manager status
Installing the Wazuh API
NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend that you add the official NodeJS repository like this:
# curl -sL https://deb.nodesource.com/setup_8.x | bash -
Note
If you are using Ubuntu 12.04 (Precise) or Debian 7 (Wheezy) you must install NodeJS 6 using the command below:
# curl -sL https://deb.nodesource.com/setup_6.x | bash -
and then, install NodeJS:
# apt-get install nodejs
Python >= 2.7 is required in order to run the API. It is installed by default or included in the official repositories in most Linux distributions.
To determine if the python version on your system is lower than 2.7, you can run the following:
# python --version
It is possible to set a custom Python path for the API in /var/ossec/api/configuration/config.js, in case the stock version of Python in your distro is too old:
config.python = [
    // Default installation
    { bin: "python", lib: "" },
    // Package 'python27' for CentOS 6
    { bin: "/opt/rh/python27/root/usr/bin/python", lib: "/opt/rh/python27/root/usr/lib64" }
];
Install the Wazuh API. It will update NodeJS if it is required:
# apt-get install wazuh-api=3.8.2-1
Once the process is complete, you can check the service status with:
For Systemd:
# systemctl status wazuh-api
For SysV Init:
# service wazuh-api status
Note
Now that the Wazuh API is installed, check out the section Securing the Wazuh API to set up some additional settings.
(Optional) Disable the Wazuh updates:
It is recommended that the Wazuh repository be disabled in order to prevent accidental upgrades. To do this, use the following command:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update
Alternately, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).
# echo "wazuh-manager hold" | sudo dpkg --set-selections
# echo "wazuh-api hold" | sudo dpkg --set-selections
Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to the Logstash service on the Elastic Stack server(s).
Warning
In a single-host architecture (where Wazuh server and Elastic Stack are installed in the same system), the installation of Filebeat is not needed since Logstash will be able to read the event/alert data directly from the local filesystem without the assistance of a forwarder.
The DEB package is suitable for Debian, Ubuntu, and other Debian-based systems.
Install the GPG keys from Elastic and then the Elastic repository:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Install Filebeat:
# apt-get install filebeat=6.7.1
Download the Filebeat config file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Logstash:
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml
Edit the file /etc/filebeat/filebeat.yml and replace ELASTIC_SERVER_IP with the IP address or the hostname of the Elastic Stack server. For example:
output:
  logstash:
    hosts: ["ELASTIC_SERVER_IP:5000"]
Enable and start the Filebeat service:
For Systemd:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
For SysV Init:
# update-rc.d filebeat defaults 95 10
# service filebeat start
(Optional) Disable the Elasticsearch updates:
It is recommended that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer Elastic Stack version, which could undo the changes made by the Wazuh app. To do this, use the following command:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Alternately, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).
# echo "filebeat hold" | sudo dpkg --set-selections
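The following is an added example, not part of the Wazuh documentation: a small set of POSIX shell checks for the state this procedure is meant to leave behind (repository lines commented out, packages on hold, the ELASTIC_SERVER_IP placeholder replaced in filebeat.yml). It runs against constructed sample files rather than the live system, and the address 192.0.2.10 is a made-up value.

```shell
#!/bin/sh
# Added example, not Wazuh's own code: post-install checks for the steps above,
# exercised here on constructed sample files so it works offline.

# 0 when no active "deb" line remains in an apt source file.
repo_disabled() {
    ! grep -q '^deb' "$1"
}

# 0 when filebeat.yml no longer contains the ELASTIC_SERVER_IP placeholder
# and still targets Logstash on port 5000.
filebeat_target_set() {
    ! grep -q 'ELASTIC_SERVER_IP' "$1" && grep -q 'hosts: \["[^"]*:5000"\]' "$1"
}

# 0 when every package named after the selections file is marked "hold".
# $1 is a file holding the output of `dpkg --get-selections`.
packages_held() {
    sel="$1"; shift
    for pkg in "$@"; do
        grep -q "^$pkg[[:space:]]*hold\$" "$sel" || return 1
    done
}

# --- constructed sample inputs (stand-ins for the real files) -------------
WORK="$(mktemp -d)"
printf 'deb https://packages.wazuh.com/3.x/apt/ stable main\n' > "$WORK/wazuh.list"
# Same edit as the sed command in the docs, written to a new file for portability.
sed 's/^deb/#deb/' "$WORK/wazuh.list" > "$WORK/wazuh.list.disabled"

cat > "$WORK/filebeat.yml" <<'EOF'
output:
  logstash:
    hosts: ["ELASTIC_SERVER_IP:5000"]
EOF
# The placeholder replacement the docs ask for; 192.0.2.10 is a constructed address.
sed 's/ELASTIC_SERVER_IP/192.0.2.10/' "$WORK/filebeat.yml" > "$WORK/filebeat.done.yml"

# Constructed dpkg --get-selections output: manager and API held, filebeat not.
printf 'wazuh-manager\t\t\t\thold\nwazuh-api\t\t\t\thold\nfilebeat\t\t\t\tinstall\n' \
    > "$WORK/selections.txt"
```

On a real server, point the functions at /etc/apt/sources.list.d/wazuh.list, /etc/filebeat/filebeat.yml and the saved output of dpkg --get-selections instead of the sample files.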
Next steps
Once you have installed the manager, API and Filebeat (only needed for distributed architectures), you are ready to install Elastic Stack.