Wazuh single-node cluster

This document will go through the installation of the Wazuh server components in a single-node cluster.

Note

You need root user privileges to run all the commands described below.

Prerequisites

Before installing the Wazuh servers and Filebeat, some extra packages must be installed:

Install all the necessary packages:

# yum install zip unzip curl

Install all the necessary packages:

# apt-get install lsb-release curl apt-transport-https zip unzip gnupg

Installing Wazuh server

The Wazuh server collects and analyzes data from deployed agents. It runs the Wazuh manager, the Wazuh API and Filebeat. The first step in setting up Wazuh is adding Wazuh repository to the server. Alternatively, the Wazuh manager package can be downloaded directly, and compatible versions can be checked here.

Adding the Wazuh repository

Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

For this, the curl, apt-transport-https and lsb-release packages must be installed on the system. The zip package will be necessary for the certificates management. If they are not already present, they must be installed using the commands below:
# apt-get update # apt-get install curl apt-transport-https lsb-release unzip

Install the GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the package information:
# apt-get update

Installing the Wazuh manager

Install the Wazuh manager package:

# yum install wazuh-manager-4.4.5-1

# apt-get install wazuh-manager=4.4.5-1

Enable and start the Wazuh manager service:

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
Choose one option according to your operating system:

RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Run the following command to check if the Wazuh manager is active:
# systemctl status wazuh-manager
# service wazuh-manager status

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

Adding the Elastic Stack repository

Import the GPG key:

# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Add the repository:

# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Install the GPG key:

# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg

Add the repository:

# echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

Update the package information:
# apt-get update

Filebeat installation and configuration

Install the Filebeat package:

# yum install filebeat-7.17.9

# apt-get install filebeat=7.17.9

Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:

# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.4/tpl/elastic-basic/filebeat.yml

Download the alerts template for Elasticsearch:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.4/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

Edit the file /etc/filebeat/filebeat.yml:
output.elasticsearch.hosts: ["<elasticsearch_ip>:9200"] output.elasticsearch.password: <elasticsearch_password>

Replace <elasticsearch_ip> with the IP address or the hostname of the Elasticsearch server and <elasticsearch_password> with the previously generated password for elastic user.
output.elasticsearch.hosts: ["<elasticsearch_ip_node_1>:9200", "<elasticsearch_ip_node_2>:9200", "<elasticsearch_ip_node_3>:9200"] output.elasticsearch.password: <elasticsearch_password>

Replace elasticsearch_ip_node_x with the IP address or the hostname of the Elasticsearch server to connect to and elasticsearch_password with the previously generated password for elastic user.

Configure Filebeat certificate:

In section Installing Elasticsearch, the certs.zip file was created. The file must be copied into the Wazuh server host, for example, using scp. This guide assumes that the file is placed in ~/ (home user folder).
# mkdir /etc/filebeat/certs/ca -p
# zip -d ~/certs.zip "ca/ca.key"
# unzip ~/certs.zip -d ~/certs
# cp -R ~/certs/ca/ ~/certs/filebeat/* /etc/filebeat/certs/
# chmod -R 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/ca/ca.* /etc/filebeat/certs/filebeat.*
# rm -rf ~/certs/ ~/certs.zip

Enable and start the Filebeat service:

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

Choose one option according to the OS used:

Debian based OS

# update-rc.d filebeat defaults 95 10
# service filebeat start

RPM based OS

# chkconfig --add filebeat
# service filebeat start

To ensure that Filebeat has been successfully installed, run the following command:

# filebeat test output

Disabling repositories

This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.

With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.

We recommend disabling the repositories so that the individual packages will not be updated unintentionally, which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update

To uninstall Wazuh and Filebeat, visit the uninstalling section.

Next steps

The next step consists of installing Kibana.