Wazuh server unattended installation

This section explains how to install the Wazuh manager and Filebeat using an automated script. The script performs a health check to verify that the system has enough resources to achieve optimal performance. For more information, see the requirements section.

Installing the Wazuh server

Note

Root user privileges are required to run all the commands described below. The curl package is used to download the script.

Download the installation script:

# curl -so ~/wazuh-server-installation.sh https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/unattended-installation/distributed/wazuh-server-installation.sh

Review the downloaded script (it runs with root privileges), then replace the following variables and run it:

  • <node_name>: Name of the Wazuh server instance. This must be the same name used in config.yml when the certificates were created (e.g. filebeat).

  • <elastic_password>: The password of the elastic user generated during the Elasticsearch installation.

# bash ~/wazuh-server-installation.sh -n <node_name> -p <elastic_password>

The installation script allows the following options:

  Options                     Purpose
  -n / --node-name            Name of the Wazuh server instance
  -p / --elastic-password     Elastic user password
  -d / --debug                Shows the complete installation output
  -i / --ignore-healthcheck   Ignores the health check
  -h / --help                 Shows help

In case of installing a multi-node Wazuh cluster, repeat this process in every host.

Configure the installation

After the script has installed all the components of a node, choose the cluster mode:

  • Single-node: no further steps are needed. Once the script finishes the installation, all the components are ready to use, since the Wazuh manager is installed and configured as a single-node cluster by default.

  • Multi-node: the following sections describe how to build a Wazuh multi-node cluster by configuring each Wazuh manager as a master or a worker node. One server has to be chosen as the master; the rest will be workers. The Master node configuration must be applied only to the server chosen for that role, and the Worker node configuration to all the other servers.

Master node:

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

    <cluster>
      <name>wazuh</name>
      <node_name>master-node</node_name>
      <node_type>master</node_type>
      <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
        <node>wazuh-master-address</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    

    The parameters:

    name

    Name of the cluster.

    node_name

    Name of the current node.

    node_type

    Specifies the role of the node. Has to be set to master.

    key

    Key used to encrypt communication between cluster nodes. It must be 32 characters long and identical on all the nodes of the cluster. Generate a random key with openssl rand -hex 16 (16 random bytes, hex-encoded, give exactly 32 characters). Do not reuse the example key shown above; generate one per cluster.

    port

    Destination port for cluster communication.

    bind_addr

    Network IP address on which the node listens for incoming cluster requests (0.0.0.0 for any IP). Where the host has several interfaces, binding to the address of the interface the other cluster nodes use is preferable to listening on all of them.

    nodes

    The address of the master node. It must be specified in all nodes (including the master itself). The address can be either an IP address or a DNS name.

    hidden

    Shows or hides the cluster information in the generated alerts.

    disabled

    Indicates whether the node will be enabled or disabled in the cluster. This option must be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file is edited, restart the Wazuh manager with the command for the host's init system:

    Systemd:

    # systemctl restart wazuh-manager

    SysV init:

    # service wazuh-manager restart

Worker node:

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

    <cluster>
        <name>wazuh</name>
        <node_name>worker-node</node_name>
        <node_type>worker</node_type>
        <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
        <port>1516</port>
        <bind_addr>0.0.0.0</bind_addr>
        <nodes>
            <node>wazuh-master-address</node>
        </nodes>
        <hidden>no</hidden>
        <disabled>no</disabled>
    </cluster>
    

    The following parameters from the example above have to be set:

    name

    Name of the cluster.

    node_name

    Each node of the cluster must have a unique name.

    node_type

    Has to be set as worker.

    key

    The key created previously for the master node. It has to be the same for all the nodes.

    nodes

    Has to contain the address of the master node (either an IP address or a DNS name).

    disabled

    Has to be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file is edited, restart the Wazuh manager with the command for the host's init system:

    Systemd:

    # systemctl restart wazuh-manager

    SysV init:

    # service wazuh-manager restart
    
  3. To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:

    # /var/ossec/bin/cluster_control -l
    

    An example output of the command looks as follows:

      NAME         TYPE    VERSION  ADDRESS
      master-node  master  4.0.0    10.0.0.3
      worker-node1 worker  4.0.0    10.0.0.4
      worker-node2 worker  4.0.0    10.0.0.5
    

    Note that 10.0.0.3, 10.0.0.4 and 10.0.0.5 are example IPs. If a worker is missing from the list, check that its key is identical to the master's and that port 1516 on the master is reachable from that worker.
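The master and worker procedures above differ only in the values placed in the <cluster> element, and the two mistakes that most often keep a node out of the cluster are a key that is not 32 hexadecimal characters and a key that differs between nodes. The following script is an added example, not part of the Wazuh documentation or the Wazuh project: it generates a key with the openssl command from the page, validates it, renders the <cluster> element for a master or worker node, and splices it into a copy of ossec.conf. The ossec.conf it operates on is a constructed, trimmed stand-in for the real file, and the function names, the work directory and the 10.0.0.x addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation or the Wazuh project:
# generate a cluster key, render the <cluster> element for a master or worker
# node, and splice it into a copy of ossec.conf. Needs openssl (or /dev/urandom),
# grep and awk.
set -eu

# 16 random bytes, hex-encoded: exactly the 32-character key the docs require.
# Falls back to /dev/urandom if openssl is not installed.
gen_cluster_key() {
    openssl rand -hex 16 2>/dev/null || od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Succeeds only for a 32-character hexadecimal key.
valid_cluster_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# render_cluster_block NAME NODE_NAME master|worker KEY MASTER_ADDR [BIND_ADDR]
# Prints the element with the layout used on this page. BIND_ADDR defaults to
# 0.0.0.0 (listen on every interface); pass the cluster-facing IP to narrow it.
render_cluster_block() {
    name="$1"; node_name="$2"; node_type="$3"; key="$4"; master_addr="$5"
    bind_addr="${6:-0.0.0.0}"
    case "$node_type" in
        master|worker) ;;
        *) echo "node_type must be master or worker, got '$node_type'" >&2; return 1 ;;
    esac
    valid_cluster_key "$key" || { echo "key must be 32 hex characters" >&2; return 1; }
    cat <<EOF
  <cluster>
    <name>${name}</name>
    <node_name>${node_name}</node_name>
    <node_type>${node_type}</node_type>
    <key>${key}</key>
    <port>1516</port>
    <bind_addr>${bind_addr}</bind_addr>
    <nodes>
      <node>${master_addr}</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
EOF
}

# apply_cluster_block CONF BLOCK_FILE
# Replaces the first <cluster>...</cluster> element in CONF with the contents
# of BLOCK_FILE, in place. Everything outside that element is left untouched.
apply_cluster_block() {
    conf="$1"; block="$2"
    awk -v blockfile="$block" '
        /<cluster>/ && !done { while ((getline l < blockfile) > 0) print l; skip=1; done=1; next }
        /<\/cluster>/ && skip { skip=0; next }
        !skip { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# --- Demo on a constructed ossec.conf (a trimmed stand-in for the real file) ---
WORKDIR="$(mktemp -d)"
CONF="$WORKDIR/ossec.conf"
cat > "$CONF" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>
</ossec_config>
EOF

KEY="$(gen_cluster_key)"   # generate once on the master, copy to every worker
# Worker on 10.0.0.4 pointing at the master on 10.0.0.3, bound to its own address.
render_cluster_block wazuh worker-node1 worker "$KEY" 10.0.0.3 10.0.0.4 > "$WORKDIR/cluster.xml"
apply_cluster_block "$CONF" "$WORKDIR/cluster.xml"
cat "$CONF"
```

Run it with sh; for a real host, point CONF at /var/ossec/etc/ossec.conf, render with node_type master on the master and worker on each worker, reuse the same KEY everywhere, and restart wazuh-manager afterwards. The awk splice only touches the first <cluster> element, so the rest of the configuration survives intact.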

To uninstall Wazuh and Filebeat, visit the uninstalling section.