Wazuh server unattended installation
This section explains how to install the Wazuh manager and Filebeat using an automated script. The script performs a health check to verify that the system has enough resources for optimal performance. For more information, please visit the requirements section.
Installing the Wazuh server
Note: Root user privileges are required to run all the commands described below. The curl package will be used to download the script.
Download the installation script:
# curl -so ~/wazuh-server-installation.sh https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/unattended-installation/distributed/wazuh-server-installation.sh
Replace the following variables and run the installation script:
<node_name>: Name of the Wazuh server instance (this name must be the same one used in config.yml for the certificate creation, e.g. filebeat).
<elastic_password>: The password of the user elastic generated during the Elasticsearch installation.
# bash ~/wazuh-server-installation.sh -n <node_name> -p <elastic_password>
The installation script allows the following options:
Options | Purpose
---|---
-n / --node-name | Name of the Wazuh server instance
-p / --elastic-password | Elastic user password
-d / --debug | Shows the complete installation output
-i / --ignore-healthcheck | Ignores the health check
-h / --help | Shows help
When installing a multi-node Wazuh cluster, repeat this process on every host.
Configure the installation
After the installation of all the components of the node, some steps must be done manually. Choose the cluster mode between single-node or multi-node:
Single-node:
Once the script finishes the installation, all the components will be ready to use.
Multi-node:
The Wazuh manager is installed and configured as a single-node cluster by default. The following sections describe how to build a Wazuh multi-node cluster by configuring each Wazuh manager as a master or worker node.
One server has to be chosen as the master; the rest will be workers. The Master node configuration must be applied only to the server chosen for this role. For all the other servers, the Worker node configuration must be applied.
Master node:
Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
The parameters:
name: Name of the cluster.
node_name: Name of the current node.
node_type: Specifies the role of the node. Has to be set to master.
key: Key that will be used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key: openssl rand -hex 16.
port: Destination port for cluster communication.
bind_addr: Network IP to which the node will be bound to listen for incoming requests (0.0.0.0 for any IP).
nodes: The address of the master node. It must be specified in all nodes (including the master itself). The address can be either an IP or a DNS name.
hidden: Shows or hides the cluster information in the generated alerts.
disabled: Indicates whether the node will be enabled or disabled in the cluster. This option must be set to no.
Once the /var/ossec/etc/ossec.conf configuration file is edited, the Wazuh manager needs to be restarted:
# systemctl restart wazuh-manager
# service wazuh-manager restart
Worker node:
Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
As shown in the example above, the following parameters have to be edited:
name: Name of the cluster.
node_name: Each node of the cluster must have a unique name.
node_type: Has to be set to worker.
key: The key created previously for the master node. It has to be the same for all the nodes.
nodes: Has to contain the address of the master (it can be either an IP or a DNS name).
disabled: Has to be set to no.
Once the /var/ossec/etc/ossec.conf configuration file is edited, the Wazuh manager needs to be restarted:
# systemctl restart wazuh-manager
# service wazuh-manager restart
To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:
# /var/ossec/bin/cluster_control -l
An example output of the command looks as follows:
NAME          TYPE    VERSION  ADDRESS
master-node   master  4.0.0    10.0.0.3
worker-node1  worker  4.0.0    10.0.0.4
worker-node2  worker  4.0.0    10.0.0.5
Note that 10.0.0.3, 10.0.0.4 and 10.0.0.5 are example IPs.
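The following shell helpers, added here as an example and not part of Wazuh's own tooling, tie together the cluster steps above: generating and validating the 32-character key, rendering the <cluster> block for a master or worker, and checking a cluster_control -l listing for expected nodes. All node names, addresses and the sample listing are constructed for illustration.

```shell
# Added example, not Wazuh's own tooling: shell helpers around the cluster
# settings described on this page. All names, addresses and the sample
# cluster_control listing below are constructed for illustration.

# The page's recommended key generator: 16 random bytes, hex encoded = 32 chars.
gen_cluster_key() { openssl rand -hex 16; }

# Return 0 only if the key is exactly 32 hex characters, the length the
# <key> element requires; reject anything else before it reaches ossec.conf.
check_cluster_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Render the <cluster> block for one node, on stdout.
# Usage: render_cluster_block <cluster_name> <node_name> <master|worker> <key> <master_addr>
render_cluster_block() {
    check_cluster_key "$4" || return 1
    case "$3" in master|worker) ;; *) return 1 ;; esac
    printf '%s\n' "<cluster>" \
        "  <name>$1</name>" \
        "  <node_name>$2</node_name>" \
        "  <node_type>$3</node_type>" \
        "  <key>$4</key>" \
        "  <port>1516</port>" "  <bind_addr>0.0.0.0</bind_addr>" \
        "  <nodes>" "    <node>$5</node>" "  </nodes>" \
        "  <hidden>no</hidden>" "  <disabled>no</disabled>" "</cluster>"
}

# Read 'cluster_control -l' output on stdin and check that every expected
# node name (the arguments) is listed; print the missing ones, return 1 if any.
check_nodes_listed() {
    listing=$(awk 'NR > 1 { print $1 }')   # skip the header row, keep NAME
    rc=0
    for want in "$@"; do
        printf '%s\n' "$listing" | grep -qx -e "$want" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# Constructed sample of the command's output, same shape as on this page.
SAMPLE_LISTING='NAME          TYPE    VERSION  ADDRESS
master-node   master  4.0.0    10.0.0.3
worker-node1  worker  4.0.0    10.0.0.4'
```

On a real node, pipe `/var/ossec/bin/cluster_control -l` into check_nodes_listed with the node names from each ossec.conf to confirm every configured node has joined.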
To uninstall Wazuh and Filebeat, visit the uninstalling section.