This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

Fedora from packages

For Fedora 22 or greater, installing the Wazuh server components entails the installation of the relevant packages after adding the repositories.

Note

All the commands described below need to be executed with root user privileges.

Adding the Wazuh repository

The first step to setting up Wazuh is to add the Wazuh repository to your server. If you want to download the wazuh-manager package directly, or check the compatible versions, click here.

To set up the repository, run this command:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

Note

From Fedora v22 to v25, it’s required to install dkms package (dnf install dkms).

Installing the Wazuh manager

The next step is to install the Wazuh manager on your system:

# dnf install wazuh-manager

Once the process is complete, you can check the service status with:

  • For Systemd:

    # systemctl status wazuh-manager
    
  • For SysV Init:

    # service wazuh-manager status
    

Installing the Wazuh API

Note

If you have Fedora v24 or lower, you need to add the official NodeJS repository previously:

# curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
  1. Install NodeJS:
# dnf install nodejs
  1. Install the Wazuh API:
# dnf install wazuh-api
  1. Once the process is complete, you can check the service status with:
  • For Systemd:

    # systemctl status wazuh-api
    
  • For SysV Init:

    # service wazuh-api status
    

Note

Now that the Wazuh API is installed, check out the section Securing the Wazuh API to set up some additional settings.

  1. (Optional) Disable the Wazuh repository:

It is recommended that the Wazuh repository be disabled in order to prevent accidental upgrades. To do this, use the following command:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch. To install it:

  1. Add the Elastic repository and its GPG key:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
  1. Install Filebeat:
# dnf install filebeat-7.3.0
  1. Download the Filebeat configuration file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
  1. Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
  1. Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  1. Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:
output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
  1. Enable and start the Filebeat service:
  • For Systemd:

    # systemctl daemon-reload
    # systemctl enable filebeat.service
    # systemctl start filebeat.service
    
  • For SysV Init:

    # chkconfig --add filebeat
    # service filebeat start
    
  1. (Optional) Disable the Elastic repository:

It is recommended that the Elastic repository be disabled in order to prevent accidental upgrades. To do this, use the following command:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

Next steps

Once you have installed the manager, API and Filebeat, you are ready to install Elastic Stack.

Uninstall

To uninstall the Wazuh manager and Wazuh API:

# dnf remove wazuh-manager wazuh-api

There are files marked as configuration files. Due to this designation, the package manager doesn’t remove those files from the filesystem. The complete files removal action is a user responsibility. It can be done by removing the folder /var/ossec.

To uninstall filebeat:

# dnf remove filebeat