Step-by-step installation
This document guides through an installation of the Wazuh server and Elastic stack components in an all-in-one configuration. This guide provides instructions to configure the official repositories to do the installations, alternatively, all the available packages can be found here.
Note
Root user privileges are required to execute all the commands described below.
Prerequisites
Some extra packages are needed for the installation, such us curl or unzip, that will be used in further steps:
Install all the necessary packages:
# yum install zip unzip curl
Install all the necessary packages:
# apt-get install apt-transport-https zip unzip lsb-release curl gnupg
Install all the necessary packages:
# zypper install zip unzip tar curl
Installing Elasticsearch
Elasticsearch is a highly scalable full-text search and analytics engine.
Adding the Elastic Stack repository
Import the GPG key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Install the GPG key:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
Add the repository:
# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package information:
# apt-get update
Import the GPG key:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/zypp/repos.d/elastic.repo <<\EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Elasticsearch installation and configuration
Install the Elasticsearch package:
# yum install elasticsearch-7.11.2
# apt-get install elasticsearch=7.11.2
# zypper install elasticsearch-7.11.2
Download the configuration file
/etc/elasticsearch/elasticsearch.ymlas follows:# curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.1/elastic-stack/elasticsearch/7.x/elasticsearch_all_in_one.yml
Certificates creation and deployment
Download the configuration file for creating the certificates:
# curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/resources/4.1/elastic-stack/instances_aio.yml
In the following steps, a file that contains a folder named after the instance defined here will be created. This folder will contain the certificates and the keys necessary to communicate with the Elasticsearch node using SSL.
The certificates can be created using the elasticsearch-certutil tool:
# /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
Extract the generated
/usr/share/elasticsearch/certs.zipfile from the previous step.# unzip ~/certs.zip -d ~/certs
The next step is to create the directory
/etc/elasticsearch/certs, and then copy the CA file, the certificate and the key there:# mkdir /etc/elasticsearch/certs/ca -p # cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/ # chown -R elasticsearch: /etc/elasticsearch/certs # chmod -R 500 /etc/elasticsearch/certs # chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.* # rm -rf ~/certs/ ~/certs.zip
Enable and start the Elasticsearch service:
# systemctl daemon-reload # systemctl enable elasticsearch # systemctl start elasticsearch
Choose one option according to the OS used:
Debian based OS
# update-rc.d elasticsearch defaults 95 10 # service elasticsearch start
RPM based OS
# chkconfig --add elasticsearch # service elasticsearch start
Generate credentials for all the Elastic Stack pre-built roles and users:
# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
The command above will prompt an output like this. Save the password of the
elasticuser for further steps:Changed password for user apm_system PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF Changed password for user kibana_system PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn Changed password for user kibana PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn Changed password for user logstash_system PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA Changed password for user beats_system PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob Changed password for user remote_monitoring_user PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS Changed password for user elastic PASSWORD elastic = AN4UeQGA7HGl5iHpMla7
To check that the installation was made successfully, run the following command replacing <elastic_password> by the password generated on the previous step for elastic user:
# curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k
This command should have an output like this:
{
"name" : "elasticsearch",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "TLGcuHLRTL6PAyIRlxjtLg",
"version" : {
"number" : "7.11.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "3e5a16cfec50876d20ea77b075070932c6464c7d",
"build_date" : "2021-03-06T05:54:38.141101Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Installing Wazuh server
The Wazuh server collects and analyzes data from deployed agents. It runs the Wazuh manager, the Wazuh API and Filebeat. The first step to set up Wazuh is to add the Wazuh repository to the server. Alternatively, the Wazuh manager package can be downloaded directly and compatible versions can be checked here.
Adding the Wazuh repository
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-\$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the repository:
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF
Installing the Wazuh manager
Install the Wazuh manager package:
# yum install wazuh-manager-4.1.5-1
# apt-get install wazuh-manager=4.1.5-1
# zypper install wazuh-manager-4.1.5-1
Enable and start the Wazuh manager service:
# systemctl daemon-reload # systemctl enable wazuh-manager # systemctl start wazuh-manager
Choose one option according to the operating system used:
RPM based operating system:
# chkconfig --add wazuh-manager # service wazuh-manager start
Debian based operating system:
# update-rc.d wazuh-manager defaults 95 10 # service wazuh-manager start
Run the following command to check if the Wazuh manager is active:
# systemctl status wazuh-manager
# service wazuh-manager status
Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.
Filebeat installation and configuration
Install the Filebeat package:
# yum install filebeat-7.11.2
# apt-get install filebeat=7.11.2
# zypper install filebeat-7.11.2
Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.1/elastic-stack/filebeat/7.x/filebeat_all_in_one.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json # chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Edit the file
/etc/filebeat/filebeat.yml:output.elasticsearch.password: <elasticsearch_password>
Replace
elasticsearch_passwordwith the previously generated password forelasticuser.Copy the certificates into
/etc/filebeat/certs/# cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/ # cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt # cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key
Enable and start the Filebeat service:
# systemctl daemon-reload # systemctl enable filebeat # systemctl start filebeat
Choose one option according to the OS used:
Debian based OS
# update-rc.d filebeat defaults 95 10 # service filebeat start
RPM based OS
# chkconfig --add filebeat # service filebeat start
To ensure that Filebeat has been successfully installed, run the following command:
# filebeat test output
An example response should look as follows:
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.11.2
Kibana installation and configuration
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Install the Kibana package:
# yum install kibana-7.11.2
# apt-get install kibana=7.11.2
# zypper install kibana-7.11.2
Copy the Elasticsearch certificates into the Kibana configuration folder:
# mkdir /etc/kibana/certs/ca -p # cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/ # cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key # cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt # chown -R kibana:kibana /etc/kibana/ # chmod -R 500 /etc/kibana/certs # chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
Download the Kibana configuration file:
# curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.1/elastic-stack/kibana/7.x/kibana_all_in_one.yml
Edit the
/etc/kibana/kibana.ymlfile:elasticsearch.password: <elasticsearch_password>
Values to be replaced:
<elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for theelasticuser.
Create the
/usr/share/kibana/datadirectory:# mkdir /usr/share/kibana/data # chown -R kibana:kibana /usr/share/kibana
Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:
# cd /usr/share/kibana # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip
Link Kibana's socket to privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service:
# systemctl daemon-reload # systemctl enable kibana # systemctl start kibana
Choose one option according to the OS used:
Debian based OS
# update-rc.d kibana defaults 95 10 # service kibana start
RPM based OS
# chkconfig --add kibana # service kibana start
Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<wazuh_server_ip> user: elastic password: <PASSWORD_elastic>Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the
ca.crtfile previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
Disabling repositories
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo
To uninstall all the components of the all in one installation, visit the uninstalling section.
Next steps
Once the Wazuh environment is ready, a Wazuh agent can be installed on every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found here.