Step-by-step installation

This document guides through an installation of the Wazuh server and Elastic stack components in an all-in-one configuration. This guide provides instructions to configure the official repositories to do the installations, alternatively, all the available packages can be found here.


Root user privileges are required to execute all the commands described below.


Some extra packages are needed for the installation, such us curl or unzip, that will be used in further steps:

Install all the necessary packages:

# yum install zip unzip curl

Installing Elasticsearch

Elasticsearch is a highly scalable full-text search and analytics engine.

Adding the Elastic Stack repository

  1. Import the GPG key:

    # rpm --import
  2. Add the repository:

    # cat > /etc/yum.repos.d/elastic.repo << EOF
    name=Elasticsearch repository for 7.x packages

Elasticsearch installation and configuration

  1. Install the Elasticsearch package:

    # yum install elasticsearch-7.9.3
  2. Download the configuration file /etc/elasticsearch/elasticsearch.yml as follows:

    # curl -so /etc/elasticsearch/elasticsearch.yml

Certificates creation and deployment

  1. Download the configuration file for creating the certificates:

    # curl -so /usr/share/elasticsearch/instances.yml

    In the following steps, a file that contains a folder named after the instance defined here will be created. This folder will contain the certificates and the keys necessary to communicate with the Elasticsearch node using SSL.

  2. The certificates can be created using the elasticsearch-certutil tool:

    # /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/
  3. Extract the generated /usr/share/elasticsearch/ file from the previous step.

    # unzip ~/ -d ~/certs
  4. The next step is to create the directory /etc/elasticsearch/certs, and then copy the CA file, the certificate and the key there:

    # mkdir /etc/elasticsearch/certs/ca -p
    # cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
    # chown -R elasticsearch: /etc/elasticsearch/certs
    # chmod -R 500 /etc/elasticsearch/certs
    # chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
    # rm -rf ~/certs/ ~/
  5. Enable and start the Elasticsearch service:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
  6. Generate credentials for all the Elastic Stack pre-built roles and users:

    # /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

    The command above will prompt an output like this. Save the password of the elastic user for further steps:

    Changed password for user apm_system
    PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF
    Changed password for user kibana_system
    PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn
    Changed password for user kibana
    PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn
    Changed password for user logstash_system
    PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA
    Changed password for user beats_system
    PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob
    Changed password for user remote_monitoring_user
    PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS
    Changed password for user elastic
    PASSWORD elastic = AN4UeQGA7HGl5iHpMla7

To check that the installation was made successfully, run the following command replacing <elastic_password> by the password generated on the previous step for elastic user:

# curl -XGET https://localhost:9200 -uelastic:<elastic_password> -k

This command should have an output like this:

# {
  "name" : "elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "J4wjlf1USzKDMRmxnliFPw",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  "tagline" : "You Know, for Search"

Installing Wazuh server

The Wazuh server collects and analyzes data from deployed agents. It runs the Wazuh manager, the Wazuh API and Filebeat. The first step to set up Wazuh is to add the Wazuh repository to the server. Alternatively, the Wazuh manager package can be downloaded directly and compatible versions can be checked here.

Adding the Wazuh repository

  1. Import the GPG key:

    # rpm --import
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    name=EL-$releasever - Wazuh

Installing the Wazuh manager

  1. Install the Wazuh manager package:

    # yum install wazuh-manager-4.0.4-1
  2. Enable and start the Wazuh manager service:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
  3. Run the following command to check if the Wazuh manager is active:

    # systemctl status wazuh-manager

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

Filebeat installation and configuration

  1. Install the Filebeat package:

    # yum install filebeat-7.9.3
  2. Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:

    # curl -so /etc/filebeat/filebeat.yml
  3. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
  4. Download the Wazuh module for Filebeat:

    # curl -s | tar -xvz -C /usr/share/filebeat/module
  5. Edit the file /etc/filebeat/filebeat.yml:

    output.elasticsearch.password: <elasticsearch_password>

    Replace elasticsearch_password with the previously generated password for elastic user.

  6. Copy the certificates into /etc/filebeat/certs/

    # cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
    # cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
    # cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key
  7. Enable and start the Filebeat service:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat

To ensure that Filebeat has been successfully installed, run the following command:

# filebeat test output

An example response should look as follows:

  parse url... OK
    parse host... OK
    dns lookup... OK
    dial up... OK
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.8.0

Kibana installation and configuration

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

  1. Install the Kibana package:

    # yum install kibana-7.9.3
  2. Copy the Elasticsearch certificates into the Kibana configuration folder:

    # mkdir /etc/kibana/certs/ca -p
    # cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
    # cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
    # cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
    # chown -R kibana:kibana /etc/kibana/
    # chmod -R 500 /etc/kibana/certs
    # chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
  3. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml

    Edit the /etc/kibana/kibana.yml file:

    elasticsearch.password: <elasticsearch_password>

    Values to be replaced:

    • <elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for the elastic user.

  4. Update the optimize and plugins directories permissions:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
  5. Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:

    # cd /usr/share/kibana
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install
  6. Link Kibana's socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
  7. Enable and start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
  8. Access the web interface using the password generated during the Elasticsearch installation process:

URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the ca.crt file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

Disabling repositories

This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.

With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.

We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

To uninstall all the components of the all in one installation, visit the uninstalling section.

Next steps

Once the Wazuh environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found here.