Wazuh single-node cluster

This document will go through the installation of the Wazuh server components and Filebeat in a Wazuh single-node cluster.

Note

Root user privileges are required to run all the commands described below.

Installing the Wazuh server

The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API, and Filebeat. The first step in setting up Wazuh is adding the Wazuh repository to the server; alternatively, all the available packages can be found here.

Adding the Wazuh repository

  1. Install the necessary packages for the installation:

    # yum install curl
    
  2. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  3. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-\$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Installing the Wazuh manager

  1. Install the Wazuh manager package:

    # yum install wazuh-manager-4.1.5-1
    
  2. Enable and start the Wazuh manager service:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    
  3. Run the following command to check if the Wazuh manager is active:

    # systemctl status wazuh-manager
    

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

Filebeat installation and configuration

  1. Install the Filebeat package:

    # yum install filebeat
    
  2. Download the pre-configured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:

    # curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.1/open-distro/filebeat/7.x/filebeat.yml
    
  3. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  4. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
    
  5. Edit the file /etc/filebeat/filebeat.yml:

    output.elasticsearch:
      hosts: ["<elasticsearch_ip>:9200"]
    

    Replace elasticsearch_ip with the IP address or the hostname of the Elasticsearch server.

  6. Replace wazuh-node-name with your Wazuh node name, the same one used in instances.yml to create the certificates, and move the certificates to their corresponding location. This guide assumes that a copy of certs.tar, created during the Elasticsearch installation, has been placed in the root home folder (~/).

    # node_name=wazuh-node-name
    
    # mkdir /etc/filebeat/certs
    # mv ~/certs.tar /etc/filebeat/certs/
    # cd /etc/filebeat/certs/
    # tar -xf certs.tar $node_name.pem $node_name-key.pem root-ca.pem
    # mv /etc/filebeat/certs/$node_name.pem /etc/filebeat/certs/filebeat.pem
    # mv /etc/filebeat/certs/$node_name-key.pem /etc/filebeat/certs/filebeat-key.pem
    
  7. Enable and start the Filebeat service:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    

To ensure that Filebeat has been successfully installed, run the following command:

# filebeat test output

An example response should look as follows:

 elasticsearch: https://127.0.0.1:9200...
   parse url... OK
   connection...
     parse host... OK
     dns lookup... OK
     addresses: 127.0.0.1
     dial up... OK
   TLS...
     security: server's certificate chain verification is enabled
     handshake... OK
     TLS version: TLSv1.3
     dial up... OK
   talk to server... OK
   version: 7.10.2
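The test above exercises the connection to Elasticsearch but not the files placed in steps 3 to 6. The script below is an added example, not code from the Wazuh documentation or project: it checks that the placeholder in filebeat.yml was replaced, that the template is readable, that the module was unpacked and that the renamed certificates exist. The directory parameters and the private-key permission warning are assumptions of this script.

```shell
#!/bin/sh
# Post-install sanity check for the Filebeat steps above (added example, not part
# of the Wazuh documentation). It takes the Filebeat config directory and the
# Filebeat module directory as parameters, so it can be run against
# /etc/filebeat and /usr/share/filebeat/module or against a constructed test tree.
check_filebeat_setup() {
    conf_dir="$1"
    module_dir="$2"
    status=0
    # Step 5: output.elasticsearch.hosts must no longer hold the placeholder.
    if [ ! -f "$conf_dir/filebeat.yml" ]; then
        echo "FAIL: $conf_dir/filebeat.yml is missing"; status=1
    elif grep -q '<elasticsearch_ip>' "$conf_dir/filebeat.yml"; then
        echo "FAIL: filebeat.yml still contains the <elasticsearch_ip> placeholder"; status=1
    fi
    # Step 3: the alerts template must exist and be readable by others (chmod go+r).
    if [ ! -f "$conf_dir/wazuh-template.json" ]; then
        echo "FAIL: $conf_dir/wazuh-template.json is missing"; status=1
    elif [ -z "$(find "$conf_dir/wazuh-template.json" -perm -004)" ]; then
        echo "FAIL: wazuh-template.json is not readable by others"; status=1
    fi
    # Step 4: the Wazuh module tarball must have been unpacked into the module directory.
    if [ ! -d "$module_dir/wazuh" ]; then
        echo "FAIL: $module_dir/wazuh is missing"; status=1
    fi
    # Step 6: the certificates must carry the names Filebeat is configured to use.
    for f in filebeat.pem filebeat-key.pem root-ca.pem; do
        if [ ! -f "$conf_dir/certs/$f" ]; then
            echo "FAIL: $conf_dir/certs/$f is missing"; status=1
        fi
    done
    # Not a step on the page (assumption of this script): tar keeps the permissions
    # stored in certs.tar, so warn if the private key is readable by group or others.
    if [ -f "$conf_dir/certs/filebeat-key.pem" ] &&
       [ -n "$(find "$conf_dir/certs/filebeat-key.pem" \( -perm -040 -o -perm -004 \))" ]; then
        echo "WARN: certs/filebeat-key.pem is readable by group or others"
    fi
    [ "$status" -eq 0 ] && echo "OK: Filebeat files match the steps above"
    return "$status"
}

# When executed directly with two arguments, check those directories.
if [ "$#" -eq 2 ]; then
    check_filebeat_setup "$1" "$2"
fi
```

The function returns 0 only when every step's file is in place, so it can be used as a gate before `systemctl start filebeat`.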

To uninstall Wazuh and Filebeat, visit the uninstalling section.

Next steps

The next step consists of installing Kibana.