Wazuh single-node cluster
This document will go through the installation of the Wazuh server components and Filebeat in a Wazuh single-node cluster.
Note
Root user privileges are required to run all the commands described below.
Installing the Wazuh server
The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API, and Filebeat. The first step to set up Wazuh is adding the Wazuh repository to the server. Alternatively, all the available packages can be found here.
Adding the Wazuh repository
Choose the instructions for the package manager of the operating system used.
Yum-based operating system:
Install the necessary packages for the installation:
# yum install curl
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
APT-based operating system:
Install the necessary packages for the installation:
# apt install curl apt-transport-https lsb-release gnupg
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Note that apt-key is deprecated on current Debian and Ubuntu releases, which expect the key in a dedicated keyring file referenced from the repository entry with signed-by rather than in the global trusted keyring.
Add the repository:
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Zypper-based operating system:
Install the necessary packages for the installation:
# zypper install curl
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
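The repository steps above for all three package managers, as an added example script that is not part of the Wazuh documentation or of Wazuh's own installer. It writes the same repository definitions shown above, but it pins the signing key to a fingerprint you supply (take it from the Wazuh documentation or from a previously verified system; none is hard-coded here) and refuses to import a key that does not match, and on APT systems it stores the key in a dedicated keyring referenced with signed-by instead of using the deprecated apt-key. The function names, the keyring path /usr/share/keyrings/wazuh.gpg and the --install entry point are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Wazuh's own installer: write the Wazuh 4.x repository
# definition for the package manager found on the host and pin the signing
# key to an expected fingerprint before importing it. Function names, the
# keyring path and the --install entry point are assumptions of this example.
set -eu

WAZUH_KEY_URL="https://packages.wazuh.com/key/GPG-KEY-WAZUH"
WAZUH_YUM_URL="https://packages.wazuh.com/4.x/yum/"
WAZUH_APT_URL="https://packages.wazuh.com/4.x/apt/"
APT_KEYRING="/usr/share/keyrings/wazuh.gpg"   # assumed location for the dearmored key

# Print the repository definition for "yum", "zypper" or "apt". For apt the
# deprecated "apt-key add" is replaced by a dedicated keyring file referenced
# with signed-by, so the Wazuh key can only authenticate the Wazuh repository
# and not every repository on the system. $2 optionally overrides the keyring.
repo_definition() {
  case "$1" in
    yum|zypper)
      printf '[wazuh]\ngpgcheck=1\ngpgkey=%s\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=%s\nprotect=1\n' \
        "$WAZUH_KEY_URL" "$WAZUH_YUM_URL" ;;
    apt)
      printf 'deb [signed-by=%s] %s stable main\n' "${2:-$APT_KEYRING}" "$WAZUH_APT_URL" ;;
    *)
      echo "unsupported package manager: $1" >&2; return 1 ;;
  esac
}

# Pick the package manager from what is installed on the host.
detect_pm() {
  if command -v apt-get >/dev/null 2>&1; then echo apt
  elif command -v zypper >/dev/null 2>&1; then echo zypper
  elif command -v yum >/dev/null 2>&1; then echo yum
  else echo "no supported package manager found" >&2; return 1
  fi
}

# Compare the fingerprint of the downloaded key file ($1) against the value
# the operator obtained out of band ($2, 40 hex digits, no spaces). A key that
# does not match is never imported, so a tampered download or a poisoned
# mirror cannot become a trusted package signer.
key_fingerprint_matches() {
  actual=$(gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }')
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Download the key, verify it, then install the key and the repository definition.
install_repo() {
  expected_fpr="$1"
  pm=$(detect_pm)
  keyfile=$(mktemp)
  curl -fsS -o "$keyfile" "$WAZUH_KEY_URL"
  key_fingerprint_matches "$keyfile" "$expected_fpr" || {
    echo "refusing to import: fingerprint of $WAZUH_KEY_URL does not match $expected_fpr" >&2
    rm -f "$keyfile"; return 1
  }
  case "$pm" in
    apt)
      gpg --dearmor < "$keyfile" > "$APT_KEYRING"
      repo_definition apt "$APT_KEYRING" > /etc/apt/sources.list.d/wazuh.list
      apt-get update ;;
    yum)
      rpm --import "$keyfile"
      repo_definition yum > /etc/yum.repos.d/wazuh.repo ;;
    zypper)
      rpm --import "$keyfile"
      repo_definition zypper > /etc/zypp/repos.d/wazuh.repo ;;
  esac
  rm -f "$keyfile"
}

if [ "${1:-}" = "--install" ]; then
  # Usage (as root): sh wazuh-repo.sh --install <expected-key-fingerprint>
  install_repo "$2"
fi
```

Run it as root with the expected fingerprint as the only argument; the functions can also be sourced and called individually, for example to render the repository file for review before writing it.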
Installing the Wazuh manager
Install the Wazuh manager package:
Yum-based operating system:
# yum install wazuh-manager-4.2.7-1
APT-based operating system:
# apt-get install wazuh-manager=4.2.7-1
Zypper-based operating system:
# zypper install wazuh-manager-4.2.7-1
Enable and start the Wazuh manager service. Choose one option according to the init system of the operating system used:
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
SysV init, RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
SysV init, Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start
Run the following command to check if the Wazuh manager is active:
Systemd:
# systemctl status wazuh-manager
SysV init:
# service wazuh-manager status
Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.
Filebeat installation and configuration
Install the Filebeat package:
Yum-based operating system:
# yum install filebeat
APT-based operating system:
# apt-get install filebeat
Zypper-based operating system:
# zypper install filebeat
Download the pre-configured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Edit the file /etc/filebeat/filebeat.yml and set the Elasticsearch output. For a single Elasticsearch node:
output.elasticsearch:
  hosts: ["<elasticsearch_ip>:9200"]
Replace <elasticsearch_ip> with the IP address or the hostname of the Elasticsearch server.
For a multi-node Elasticsearch cluster, list every node instead:
output.elasticsearch:
  hosts: ["<elasticsearch_ip_node_1>:9200", "<elasticsearch_ip_node_2>:9200", "<elasticsearch_ip_node_3>:9200"]
Replace <elasticsearch_ip_node_x> with the IP address or the hostname of each Elasticsearch node to connect to.
Next, move the certificates to their corresponding location. Replace wazuh-node-name with your Wazuh node name, the same one used in instances.yml to create the certificates. This guide assumes that a copy of certs.tar, created during the Elasticsearch installation, has been placed in the root home folder (~/).
# node_name=wazuh-node-name
# mkdir /etc/filebeat/certs
# mv ~/certs.tar /etc/filebeat/certs/
# cd /etc/filebeat/certs/
# tar -xf certs.tar $node_name.pem $node_name-key.pem root-ca.pem
# mv /etc/filebeat/certs/$node_name.pem /etc/filebeat/certs/filebeat.pem
# mv /etc/filebeat/certs/$node_name-key.pem /etc/filebeat/certs/filebeat-key.pem
filebeat-key.pem is the private key that identifies this node to Elasticsearch: keep it readable by root only.
Enable and start the Filebeat service. Choose one option according to the init system of the operating system used:
Systemd:
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
SysV init, RPM-based operating system:
# chkconfig --add filebeat
# service filebeat start
SysV init, Debian-based operating system:
# update-rc.d filebeat defaults 95 10
# service filebeat start
To verify that Filebeat is installed and can reach Elasticsearch over TLS with the certificates configured above, run the following command (Elasticsearch must already be running):
# filebeat test output
An example response should look as follows:
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
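The certificate, filebeat.yml and verification steps above, as an added example script that is not part of the Wazuh documentation or of Wazuh's own tooling. It performs the same certificate extraction and renaming as the commands above but also locks the directory and the private key down to the owner, rewrites the hosts line for one or several Elasticsearch nodes, and checks the text printed by filebeat test output so that a handshake against an unverified server chain (the result of a verification_mode: none misconfiguration) is treated as a failure rather than a pass. The function names, the --apply entry point and the constructed sample output used in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Wazuh's own tooling: performs the certificate and
# filebeat.yml steps as functions, locks down the private key, and checks the
# text printed by "filebeat test output". Function names, the --apply entry
# point and the default paths are assumptions of this example.
set -eu

# Extract <node>.pem, <node>-key.pem and root-ca.pem from the certs tarball
# ($1) for Wazuh node $2 into $3, rename the node pair to filebeat.pem and
# filebeat-key.pem, and leave directory and files readable by the owner only
# (root, which Filebeat runs as with the configuration used in this guide).
install_filebeat_certs() {
  tarball="$1"; node_name="$2"; certdir="${3:-/etc/filebeat/certs}"
  mkdir -p "$certdir"
  tar -xf "$tarball" -C "$certdir" "$node_name.pem" "$node_name-key.pem" root-ca.pem
  mv "$certdir/$node_name.pem" "$certdir/filebeat.pem"
  mv "$certdir/$node_name-key.pem" "$certdir/filebeat-key.pem"
  chmod 500 "$certdir"
  chmod 400 "$certdir"/*
}

# Succeed only if the private key exists in $1 with mode 0400 exactly.
private_key_locked() {
  [ -n "$(find "${1:-/etc/filebeat/certs}" -name filebeat-key.pem -perm 0400 -print)" ]
}

# Rewrite the "hosts:" line of output.elasticsearch in filebeat.yml ($1) with
# the host:port entries given as the remaining arguments, quoting each one.
set_elasticsearch_hosts() {
  conf="$1"; shift
  [ "$#" -gt 0 ] || { echo "at least one host:port is required" >&2; return 1; }
  list=""
  for h in "$@"; do
    list="${list:+$list, }\"$h\""
  done
  # -i.bak works with both GNU and BSD sed; the backup is removed afterwards.
  sed -i.bak "s|^\([[:space:]]*hosts:\).*|\1 [$list]|" "$conf"
  rm -f "$conf.bak"
}

# Read the output of "filebeat test output" on stdin and return 0 only when
# the TLS handshake completed, the server chain was actually verified (with
# ssl.verification_mode: none Filebeat reports verification as disabled here),
# Filebeat could talk to Elasticsearch, and no ERROR line was printed.
test_output_ok() {
  out=$(cat)
  printf '%s\n' "$out" | grep -Fq "security: server's certificate chain verification is enabled" || return 1
  printf '%s\n' "$out" | grep -Fq 'handshake... OK' || return 1
  printf '%s\n' "$out" | grep -Fq 'talk to server... OK' || return 1
  ! printf '%s\n' "$out" | grep -Fq 'ERROR'
}

if [ "${1:-}" = "--apply" ]; then
  # Usage (as root): sh filebeat-setup.sh --apply <wazuh-node-name> <es_host:port>...
  node="$2"; shift 2
  install_filebeat_certs ~/certs.tar "$node"
  set_elasticsearch_hosts /etc/filebeat/filebeat.yml "$@"
  filebeat test output | test_output_ok && echo "Filebeat output check passed"
fi
```

Run it as root after certs.tar has been copied to the root home folder, passing the Wazuh node name and the Elasticsearch host:port entries; a failed output check leaves a non-zero exit status so it can gate the rest of an automated install.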
To uninstall Wazuh and Filebeat, visit the uninstalling section.
Next steps
The next step consists of installing Kibana.