Wazuh server unattended installation

This section will explain how to install the Wazuh manager and Filebeat using an automated script. This script will perform a health check to verify that the system has enough resources to achieve an optimal performance. For more information, please visit the requirements section.

Installing the Wazuh server

Note

Root user privileges are required to run all the commands described below. To download the script the package curl will be used.

Download the installation script:

# curl -so ~/wazuh-server-installation.sh https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/unattended-installation/distributed/wazuh-server-installation.sh

Replace the following variables and run the installation script:

<node_name>: Name of the Wazuh server instance (this name must be the same used in config.yml for the certificate creation, e.g. filebeat).
<elastic_user_password>: The password of the user elastic generated during the Elasticsearch installation.

# bash ~/wazuh-server-installation.sh -n <node_name> -p <elastic_password>

The installation script allows the following options:

Options	Purpose
-n / --node-name	Name of the Wazuh server instance
-p / --elastic-password	Elastic user password
-d / --debug	Shows the complete installation output
-i / --ignore-healthcheck	Ignores the health-check
-h / --help	Shows help

In case of installing a multi-node Wazuh cluster, repeat this process in every host.

Configure the installation

After the installation of all the components of the node, some steps must be done manually. Choose the cluster mode between single-node or multi-node:

Once the script finishes the installation, all the components will be ready to use.

The Wazuh manager is installed and configured as a single-node cluster by default. The following sections will describe how to build a Wazuh multi-node cluster by configuring each Wazuh manager as a master or worker node.

One server has to be chosen as a master, the rest will be workers. The Master node configuration must be applied only to the server chosen for this role. For all the other servers, the configuration Worker node must be applied.

Master node:

Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

The parameters:

name	Name of the cluster.
node_name	Name of the current node.
node_type	Specifies the role of the node. Has to be set to `master`.
key	Key that will be used to encrypt communication between cluster nodes. The key must be 32 characters long and same for all of the nodes in the cluster. The following command can be used to generate a random key: `openssl rand -hex 16`.
port	Destination port for cluster communication.
bind_addr	Network IP to which the node will be bound to listen for incoming requests (0.0.0.0 for any IP).
nodes	The address of the `master node`. It must be specified in all nodes (including the master itself). The address can be either an IP or a DNS.
hidden	Shows or hides the cluster information in the generated alerts.
disabled	Indicates whether the node will be enabled or disabled in the cluster. This option must be set to `no`.

Once the /var/ossec/etc/ossec.conf configuration file is edited, the Wazuh manager needs to be restarted:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Worker node:

Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

<cluster>
    <name>wazuh</name>
    <node_name>worker-node</node_name>
    <node_type>worker</node_type>
    <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>wazuh-master-address</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>

As shown in the example above, the following parameters have to be edited:

name	Name of the cluster.
node_name	Each node of the cluster must have a unique name.
node_type	Has to be set as `worker`.
key	The key created previously for the `master` node. It has to be the same for all the nodes.
nodes	Has to contain the address of the master (it can be either an IP or a DNS).
disabled	Has to be set to `no`.

Once the /var/ossec/etc/ossec.conf configuration file is edited, the Wazuh manager needs to be restarted:
# systemctl restart wazuh-manager
# service wazuh-manager restart
To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:
# /var/ossec/bin/cluster_control -l
An example output of the command looks as follows:
NAME TYPE VERSION ADDRESS master-node master 4.0.0 10.0.0.3 worker-node1 worker 4.0.0 10.0.0.4 worker-node2 worker 4.0.0 10.0.0.5
Note that 10.0.0.3, 10.0.0.4, 10.0.0.5 are example IPs.

To uninstall Wazuh and Filebeat, visit the uninstalling section.