Offline installation

You can install Wazuh even when there is no connection to the Internet. Installing the solution offline involves downloading the Wazuh components on a connected system and then installing them on a system with no Internet connection. Although in this section the Wazuh server and Elastic Stack are installed and configured on the same host in an all-in-one deployment, each component can also be installed on a separate host as a distributed deployment, depending on your environment needs. For more information, check the Requirements section.

Note

Root privileges are required to execute all the commands.

Prerequisites

  • curl, tar, and setcap need to be installed on the target system where the offline installation will be carried out. gnupg might need to be installed as well on some Debian-based systems.

  • On some systems, the command cp is an alias for cp -i; you can check this by running alias cp. If this is your case, run unalias cp so that you are not asked to confirm every file overwrite.

Download the packages and configuration files

  1. Replace <deb|rpm> in the following command with your choice of package format and run it from a Linux system with an Internet connection. This action executes a script that downloads all the files required for the offline installation on x86_64 architectures. You can add the --list-only option to only get a list of the files to be downloaded.

    # curl -sO https://packages.wazuh.com/resources/4.2/open-distro/tools/wazuh-offline-download.sh && bash ./wazuh-offline-download.sh -p <deb|rpm>
    
  2. Copy or move the ./wazuh-offline/ folder contents to a folder accessible to the host from where the offline installation will be carried out.

Install Wazuh components from local files

Note

In the host where the installation is taking place, make sure to change the working directory to the folder where the downloaded installation files were placed.

Installing the Wazuh manager

  1. Run the following commands to import the Wazuh key and install the Wazuh manager.

    # rpm --import ./wazuh_files/GPG-KEY-WAZUH
    # rpm -ivh ./wazuh-packages/wazuh-manager*.rpm
    
  2. Enable and start the Wazuh manager service.

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    
  3. Run the following command to verify the Wazuh manager status is active.

    # systemctl status wazuh-manager
    

Installing Elasticsearch

  1. Run the following command to install Open Distro for Elasticsearch.

    # rpm -ivh ./opendistro-packages/*.rpm > opendistro_output.txt
    
  2. Move a copy of the configuration files to the appropriate location.

    cp ./opendistro_files/elasticsearch/elasticsearch.yml /etc/elasticsearch/ &&\
    cp ./opendistro_files/elasticsearch/roles.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ &&\
    cp ./opendistro_files/elasticsearch/roles_mapping.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ &&\
    cp ./opendistro_files/elasticsearch/internal_users.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ &&\
    cp ./opendistro_files/elasticsearch/wazuh-cert-tool.sh ~ &&\
    cp ./opendistro_files/elasticsearch/instances.yml ~
    
  3. Remove the demo certificates.

    # rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
    
  4. Run wazuh-cert-tool.sh to create the new certificates.

    # bash ~/wazuh-cert-tool.sh
    
  5. Move the certificates to the appropriate location.

    # mkdir /etc/elasticsearch/certs/
    # mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
    # mv ~/certs/admin* /etc/elasticsearch/certs/
    # cp ~/certs/root-ca* /etc/elasticsearch/certs/
    
  6. Recommended action - Remove Open Distro for Elasticsearch performance analyzer plugin

    The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command.

    # /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer
    
  7. Enable and start the Elasticsearch service.

    Warning

    Add the following configuration to mitigate the Apache Log4j2 Remote Code Execution (RCE) vulnerability (CVE-2021-44228, ESA-2021-31).

    # mkdir -p /etc/elasticsearch/jvm.options.d
    # echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
    # chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
    # chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
    
    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
    
  8. Run the Elasticsearch securityadmin script to load the new certificate information and start the cluster.

    # export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
    
  9. Run the following command to check that the installation is successful.

    # curl -XGET https://localhost:9200 -u admin:admin -k
    

    Example response:

    {
      "name" : "node-1",
      "cluster_name" : "elasticsearch",
      "cluster_uuid" : "RpYwqJ5CRdS1ZFI5QQERRA",
      "version" : {
        "number" : "7.10.2",
        "build_flavor" : "oss",
        "build_type" : "rpm",
        "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
        "build_date" : "2021-01-13T00:42:12.435326Z",
        "build_snapshot" : false,
        "lucene_version" : "8.7.0",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }
    

Installing Filebeat

  1. Run the following command to install Filebeat.

    # rpm -ivh ./wazuh-packages/filebeat*.rpm
    
  2. Move a copy of the configuration files to the appropriate location.

    cp ./wazuh_files/filebeat/filebeat.yml /etc/filebeat/ &&\
    cp ./wazuh_files/filebeat/wazuh-template.json /etc/filebeat/ &&\
    chmod go+r /etc/filebeat/wazuh-template.json
    
  3. Edit /etc/filebeat/wazuh-template.json and set the value of "index.number_of_shards" to "1", as this is a single-node installation.

    {
      ...
      "settings": {
        ...
        "index.number_of_shards": "1",
        ...
      },
      ...
    }
    
  4. Install the Wazuh module for Filebeat.

    # tar -xzf ./wazuh_files/filebeat/wazuh-filebeat-module.tar.gz -C /usr/share/filebeat/module
    
  5. Copy the Elasticsearch certificates into /etc/filebeat/certs.

    # mkdir /etc/filebeat/certs
    # cp ~/certs/root-ca.pem /etc/filebeat/certs/
    # mv ~/certs/filebeat* /etc/filebeat/certs/
    
  6. Enable and start the Filebeat service.

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    
  7. Run the following command to make sure Filebeat is successfully installed.

    # filebeat test output
    

    Example response:

    elasticsearch: https://127.0.0.1:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 127.0.0.1
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2
    

    To check that only one shard has been configured, run the following command.

    # curl -k -u admin:admin "https://localhost:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards"
    

    Example response:

    {
      "wazuh" : {
        "settings" : {
          "index" : {
            "number_of_shards" : "1"
          }
        }
      }
    }
    

Installing Kibana

  1. Run the following command to install Kibana.

    # rpm -ivh ./opendistro-kibana-packages/opendistroforelasticsearch-kibana*.rpm
    
  2. Move a copy of the configuration files to the appropriate location.

    # cp ./opendistro_files/kibana/kibana.yml /etc/kibana/
    

    Note

    server.host: 0.0.0.0 in /etc/kibana/kibana.yml means that Kibana listens on all the available IP addresses of the host and can therefore be reached from outside it. This value can be changed to a specific IP address if needed.

  3. Create the /usr/share/kibana/data directory.

    # mkdir /usr/share/kibana/data
    # chown -R kibana:kibana /usr/share/kibana/data
    
  4. Replace </path/to/installation/folder/> with your installation folder path and run the following command to install the Wazuh Kibana plugin.

    # /usr/share/kibana/bin/kibana-plugin install --allow-root file://</path/to/installation/folder/>wazuh_files/kibana/wazuh_kibana.zip
    
  5. Copy the Elasticsearch certificates into /etc/kibana/certs.

    # mkdir /etc/kibana/certs
    # cp ~/certs/root-ca.pem /etc/kibana/certs/
    # mv ~/certs/kibana* /etc/kibana/certs/
    # chown kibana:kibana /etc/kibana/certs/*
    
  6. Allow Kibana to bind to privileged port 443 by granting the cap_net_bind_service capability to its Node.js binary.

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service.

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    
  8. Access the web interface.

    • URL: https://<wazuh_server_ip>

    • Username: admin

    • Password: admin

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

Note

  • It is highly recommended to change the default passwords of the Elasticsearch users. To perform this action, see the Change users' password section.

  • It is also recommended to customize the file /etc/elasticsearch/jvm.options to improve the performance of Elasticsearch. Learn more about this process in the Memory locking section.

To uninstall all the components of the all-in-one installation, see the Uninstalling Wazuh section.
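The following script is an added example, not part of the Wazuh documentation, that checks three settings from the steps above after the installation: the Log4j2 mitigation fragment (flag, mode 2750), the single-shard value in the Filebeat template, and that no private key under the certs directories is world-readable. Every function takes a root directory (default /) so the same checks can be run against a staged copy of the tree; the <name>-key.pem naming is assumed from the files moved by the mv commands above.

```shell
#!/bin/sh
# Post-install checks for the offline all-in-one deployment (added example).
# Usage: sh wazuh-offline-check.sh --run [ROOT]   (ROOT defaults to /)

# 1. Log4j2 mitigation file: exact JVM flag and mode 2750, as set in the Elasticsearch step.
check_log4j_mitigation() {
  f="${1:-/}/etc/elasticsearch/jvm.options.d/disabledlog4j.options"
  [ -f "$f" ] || return 1
  grep -qx -- '-Dlog4j2.formatMsgNoLookups=true' "$f" || return 1
  [ "$(stat -c '%a' "$f")" = "2750" ]
}

# 2. Read the shard count out of a Wazuh Filebeat template without needing jq offline.
get_template_shards() {
  sed -nE 's/.*"index\.number_of_shards"[[:space:]]*:[[:space:]]*"([0-9]+)".*/\1/p' "$1"
}

# Rewrite the template to a single shard, as the Filebeat step requires on one node.
set_single_shard() {
  sed -i -E 's/("index\.number_of_shards"[[:space:]]*:[[:space:]]*")[0-9]+(")/\11\2/' "$1"
}

# 3. Every <name>-key.pem under the three certs directories must exist and must not
#    grant any permission to "others" (last octal digit of the mode is 0).
check_private_keys() {
  root="${1:-/}"
  for d in etc/elasticsearch/certs etc/filebeat/certs etc/kibana/certs; do
    [ -d "$root/$d" ] || return 1
    for k in "$root/$d"/*-key.pem; do
      [ -e "$k" ] || return 1            # glob did not match: no key installed here
      case "$(stat -c '%a' "$k")" in *0) ;; *) return 1 ;; esac
    done
  done
}

run_checks() {
  root="${1:-/}"
  if check_log4j_mitigation "$root"; then echo "log4j mitigation: OK"; else echo "log4j mitigation: FAIL"; fi
  s=$(get_template_shards "$root/etc/filebeat/wazuh-template.json" 2>/dev/null)
  if [ "$s" = "1" ]; then echo "template shards: OK"; else echo "template shards: FAIL (got '$s', expected 1)"; fi
  if check_private_keys "$root"; then echo "private keys: OK"; else echo "private keys: FAIL"; fi
}

if [ "${1:-}" = "--run" ]; then run_checks "${2:-/}"; fi
```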

Next steps

Once the Wazuh environment is ready, Wazuh agents can be installed on every endpoint to be monitored. To install the Wazuh agents and start monitoring the endpoints, see the Wazuh agent installation section. If you need to install them offline, you can check the appropriate agent package to download for your monitored system in the Wazuh agent packages list section.