Step-by-step installation
Install the Wazuh and Open Distro for Elasticsearch components on a single host (an all-in-one deployment). The instructions below configure the official, signed package repositories and install every component from them.
As an alternative to this installation method, you can install Wazuh using packages. To perform this action, see the Packages list section.
Note
Root privileges are required to execute all the commands.
Installing Wazuh
The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.
To start setting up Wazuh, add the Wazuh repository to the server.
Adding the Wazuh repository
RPM based operating system (yum):
Install the necessary packages for the installation:
# yum install curl unzip wget libcap
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository (gpgcheck=1 makes yum verify every package signature against that key):
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Debian based operating system (apt):
Install the necessary packages for the installation:
# apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Note that apt-key is deprecated on recent Debian and Ubuntu releases; there the key should be stored as a keyring file that the repository entry references with the signed-by option instead.
Add the repository:
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
SUSE based operating system (zypper):
Install the certificates deployment dependencies:
# zypper install zip unzip tar libcap-progs
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Installing the Wazuh manager
Install the Wazuh manager package. The version is pinned so that it matches the Wazuh Kibana plugin installed later (wazuh_kibana-4.1.5_7.10.2-1):
RPM based operating system:
# yum install wazuh-manager-4.1.5-1
Debian based operating system:
# apt-get install wazuh-manager=4.1.5-1
SUSE based operating system:
# zypper install wazuh-manager-4.1.5-1
Enable and start the Wazuh manager service. On systems that use systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
On systems that use SysV init, choose one option according to the operating system used:
RPM based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
Debian based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start
Run the following command to check if the Wazuh manager is active (systemd and SysV init respectively):
# systemctl status wazuh-manager
# service wazuh-manager status
Installing Elasticsearch
Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.
Install Open Distro for Elasticsearch:
RPM based operating system:
# yum install opendistroforelasticsearch
Debian based operating system (Elasticsearch OSS and Open Distro for Elasticsearch):
# apt install elasticsearch-oss opendistroforelasticsearch
SUSE based operating system:
# zypper install opendistroforelasticsearch
Configuring Elasticsearch
Run the following command to download the configuration file /etc/elasticsearch/elasticsearch.yml:
# curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
Elasticsearch users and roles
You need to add users and roles in order to use the Wazuh Kibana plugin properly.
Run the following commands to download the Wazuh users and additional roles into the Open Distro security configuration directory (they are loaded into the cluster later by the securityadmin script):
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/roles.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/roles_mapping.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/internal_users.yml
Wazuh users added in Kibana by running the commands above:
| User | Description |
| wazuh_user | It is created for users who need read-only access to the Wazuh Kibana plugin. |
| wazuh_admin | It is recommended for users who need administrative privileges. |
Wazuh additional roles added in Kibana to give the appropriate permissions to users:
| Role | Description |
| wazuh_ui_user | It provides |
| wazuh_ui_admin | It allows |
These users and roles are designed to operate along with the Wazuh Kibana plugin, but they are protected and cannot be modified from the Kibana interface. To modify them or add new users or roles, the securityadmin script has to be run.
Certificates creation
Remove the demo certificates:
# rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
Generate and deploy the certificates:
Download the wazuh-cert-tool.sh script and the instances.yml file it reads (the all-in-one variant lists the components on this single host):
# curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.1/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
# curl -so ~/instances.yml https://packages.wazuh.com/resources/4.1/open-distro/tools/certificate-utility/instances_aio.yml
Run the wazuh-cert-tool.sh script to create the certificates:
# bash ~/wazuh-cert-tool.sh
Move the Elasticsearch certificates to their corresponding location:
# mkdir /etc/elasticsearch/certs/
# mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
# mv ~/certs/admin* /etc/elasticsearch/certs/
# cp ~/certs/root-ca* /etc/elasticsearch/certs/
Note that root-ca* also matches root-ca-key.pem. Elasticsearch only needs root-ca.pem at runtime to trust the other components, so keep the CA private key readable by root only and, once every component has its certificate, store it outside /etc/elasticsearch/certs/: whoever holds that key can mint certificates that every node in the deployment trusts.
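The following POSIX shell script is an added example, not the page's wazuh-cert-tool.sh (whose internals are not shown here). It reproduces the same kind of output with plain openssl: a self-signed root CA and one leaf certificate per component, each with a DNS and an IP subject alternative name, plus a verify_leaf check that confirms a certificate chains to root-ca.pem and carries the expected IP before the files are moved into /etc/elasticsearch/certs/. The subject names, key sizes, validity periods and the 127.0.0.1 address are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the Wazuh page or of wazuh-cert-tool.sh: it rebuilds the
# all-in-one certificate set (root CA plus elasticsearch, filebeat, kibana and admin
# leaf certificates) with plain openssl so the output can be inspected and verified.
# Assumptions: openssl is in PATH; names, subjects, key sizes and validity are chosen here.
set -eu

# Create a self-signed root CA in $1: root-ca-key.pem and root-ca.pem.
make_root_ca() {
  dir=$1
  mkdir -p "$dir"
  cfg="$dir/ca.cnf"
  cat > "$cfg" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Wazuh
CN = root-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$cfg" \
    -keyout "$dir/root-ca-key.pem" -out "$dir/root-ca.pem" 2>/dev/null
  chmod 600 "$dir/root-ca-key.pem"
}

# Sign a leaf certificate for component $2 (elasticsearch, filebeat, kibana, admin)
# with SAN DNS:$2 and IP:$3, written to $1/$2.pem and $1/$2-key.pem.
make_leaf_cert() {
  dir=$1; name=$2; ip=$3
  cfg="$dir/$name.cnf"
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
O = Wazuh
CN = $name
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$name,IP:$ip
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" \
    -CAcreateserial -days 3650 -sha256 -extfile "$cfg" -extensions leaf \
    -out "$dir/$name.pem" 2>/dev/null
  rm -f "$dir/$name.csr" "$cfg"
  chmod 600 "$dir/$name-key.pem"
}

# Return 0 only if certificate $2 chains to the CA in $1 and its SAN lists IP $3:
# the check to run before moving the files into /etc/elasticsearch/certs/.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q "IP Address:$3"
}

# Generate the whole all-in-one set in $1 (default ./certs) for 127.0.0.1, the
# single-host layout that instances_aio.yml describes.
make_aio_set() {
  dir=${1:-./certs}
  make_root_ca "$dir"
  for n in elasticsearch filebeat kibana admin; do
    make_leaf_cert "$dir" "$n" 127.0.0.1
  done
}
```

Usage: source the script, run make_aio_set ~/certs, then verify_leaf ~/certs/root-ca.pem ~/certs/elasticsearch.pem 127.0.0.1 before the mv commands above. verify_leaf also rejects a certificate issued by a different CA, which is the situation you get when the tool is rerun and only some components receive the new files.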
Enable and start the Elasticsearch service. On systems that use systemd:
# systemctl daemon-reload
# systemctl enable elasticsearch
# systemctl start elasticsearch
On systems that use SysV init, choose one option according to the operating system used:
RPM based operating system:
# chkconfig --add elasticsearch
# service elasticsearch start
Debian based operating system:
# update-rc.d elasticsearch defaults 95 10
# service elasticsearch start
Run the Elasticsearch securityadmin script to load the new certificates information together with the users and roles downloaded above, and start the cluster. The script authenticates to the security plugin with the admin certificate; -nhnv disables hostname verification of the node certificate for this one connection:
# export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh \
    -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ \
    -nhnv \
    -cacert /etc/elasticsearch/certs/root-ca.pem \
    -cert /etc/elasticsearch/certs/admin.pem \
    -key /etc/elasticsearch/certs/admin-key.pem
Run the following command to ensure that the installation is successful. The -k flag skips certificate verification; once the certificates are in place, pointing curl at the CA with --cacert /etc/elasticsearch/certs/root-ca.pem instead also confirms that the node serves the certificate generated above:
# curl -XGET https://localhost:9200 -u admin:admin -k
An example response should look as follows:
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "tWYgqpgdRz6fGN8gH11flw",
"version" : {
"number" : "7.10.2",
"build_flavor" : "oss",
"build_type" : "rpm",
"build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
"build_date" : "2021-01-13T00:42:12.435326Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Note
The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command and restarting the Elasticsearch service afterwards:
# /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer
Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.
Install the Filebeat package:
# yum install filebeat
# apt-get install filebeat
# zypper install filebeat
Download the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.1/open-distro/filebeat/7.x/filebeat_all_in_one.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Copy the Elasticsearch certificates into /etc/filebeat/certs:
# mkdir /etc/filebeat/certs
# cp ~/certs/root-ca.pem /etc/filebeat/certs/
# mv ~/certs/filebeat* /etc/filebeat/certs/
Enable and start the Filebeat service. On systems that use systemd:
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
On systems that use SysV init, choose one option according to the operating system used:
RPM based operating system:
# chkconfig --add filebeat
# service filebeat start
Debian based operating system:
# update-rc.d filebeat defaults 95 10
# service filebeat start
To ensure that Filebeat is successfully installed and can reach Elasticsearch over TLS with the certificates just deployed, run the following command:
# filebeat test output
An example response should look as follows. Certificate chain verification is enabled, so a Filebeat certificate that does not chain to root-ca.pem fails at the handshake step:
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
Installing Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Install the Kibana package:
# yum install opendistroforelasticsearch-kibana
# apt-get install opendistroforelasticsearch-kibana
# zypper install opendistroforelasticsearch-kibana
Download the Kibana configuration file:
# curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.1/open-distro/kibana/7.x/kibana_all_in_one.yml
In the /etc/kibana/kibana.yml file, the setting server.host has the value 0.0.0.0. It means that Kibana listens on all the IP addresses of the host and can be reached from outside. Change this value to a specific IP if the interface should only be reachable on one address.
Create the /usr/share/kibana/data directory:
# mkdir /usr/share/kibana/data
# chown -R kibana:kibana /usr/share/kibana/data
Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory, as the kibana user, as follows:
# cd /usr/share/kibana
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.2-1.zip
Copy the Elasticsearch certificates into /etc/kibana/certs and hand them to the kibana user, which is the account the service runs as:
# mkdir /etc/kibana/certs
# cp ~/certs/root-ca.pem /etc/kibana/certs/
# mv ~/certs/kibana* /etc/kibana/certs/
# chown kibana:kibana /etc/kibana/certs/*
Link Kibana socket to privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service. On systems that use systemd:
# systemctl daemon-reload
# systemctl enable kibana
# systemctl start kibana
On systems that use SysV init, choose one option according to the operating system used:
RPM based operating system:
# chkconfig --add kibana
# service kibana start
Debian based operating system:
# update-rc.d kibana defaults 95 10
# service kibana start
Access the web interface:
URL: https://<wazuh_server_ip>
user: admin
password: admin
Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported into the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
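As an added example (not part of the Wazuh page or of any Wazuh tool), the following POSIX shell script checks the hardening points this procedure relies on once everything is running: that the Open Distro demo certificates were removed, that no private key under the three certs directories is readable by group or others, that the Kibana certificate files belong to the kibana user, and whether server.host still exposes Kibana on every interface. It assumes the default paths used above, the flat "key: value" YAML layout of the downloaded kibana.yml, and GNU stat; the ROOT argument is an assumption added so the check can be run against a staging copy of the tree.

```shell
#!/bin/sh
# Added example, not part of the Wazuh page: a post-install check for the points the
# all-in-one procedure depends on. Assumptions: default paths from the procedure,
# flat "key: value" YAML in kibana.yml, GNU stat (BSD fallback included), and a ROOT
# prefix so the same check can run against a staging tree instead of a live host.
set -u

# Octal mode (e.g. 600) and owner name of a file.
file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
file_owner() { stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"; }

# Value of the top-level "key: value" line $2 in YAML file $1, quotes stripped.
yaml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" 2>/dev/null | head -n 1 | tr -d "\"'"
}

# audit_aio ROOT OWNER: print one line per finding and return the number of findings.
# ROOT is prefixed to every path ("" on a live host); OWNER is the expected owner of the
# Kibana certificate files (kibana on a live host).
audit_aio() {
  root=${1:-}; owner=${2:-kibana}; n=0
  # 1. The demo certificates must be gone: securityadmin loaded our own CA instead.
  for f in esnode-key.pem esnode.pem kirk-key.pem kirk.pem root-ca.pem; do
    if [ -e "$root/etc/elasticsearch/$f" ]; then
      echo "demo certificate still present: /etc/elasticsearch/$f"; n=$((n+1))
    fi
  done
  # 2. Private keys must not carry any group or other permission bits.
  for k in "$root"/etc/elasticsearch/certs/*-key.pem \
           "$root"/etc/filebeat/certs/*-key.pem \
           "$root"/etc/kibana/certs/*-key.pem; do
    [ -e "$k" ] || continue
    m=$(file_mode "$k")
    case $m in
      *00) ;;
      *) echo "private key readable by group/others: ${k#$root} (mode $m)"; n=$((n+1)) ;;
    esac
  done
  # 3. Kibana runs as the kibana user, which must own its certificate files.
  for c in "$root"/etc/kibana/certs/*.pem; do
    [ -e "$c" ] || continue
    o=$(file_owner "$c")
    if [ "$o" != "$owner" ]; then
      echo "kibana certificate not owned by $owner: ${c#$root} (owner $o)"; n=$((n+1))
    fi
  done
  # 4. server.host 0.0.0.0 means the web interface listens on every interface of the host.
  h=$(yaml_value "$root/etc/kibana/kibana.yml" server.host)
  if [ "$h" = "0.0.0.0" ]; then
    echo "kibana server.host is 0.0.0.0: the web interface is reachable on all interfaces"
    n=$((n+1))
  fi
  return "$n"
}
```

On the live host run audit_aio "" kibana as root; a non-zero exit status is the number of findings printed, so the function can be wired into a post-install step that refuses to continue until the list is empty.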
Note
It is highly recommended to change the default passwords of the Elasticsearch users (admin:admin, used above, is publicly known) before the deployment is reachable by anyone else. To perform this action, see the Elasticsearch tuning section.
It is also recommended to customize the file /etc/elasticsearch/jvm.options to improve the performance of Elasticsearch. Learn more about this process in the user manual.
To uninstall all the components of the all-in-one installation, see the uninstalling section.
Next steps
Once the Wazuh environment is ready, a Wazuh agent can be installed on every endpoint to be monitored. To install the Wazuh agents and start monitoring the endpoints, see the Wazuh agent section.