Wazuh manager installation
This document will go through the installation of the Wazuh manager.
Note: You need root user privileges to run all the commands described below.
Prerequisites
Before installing the Wazuh manager, some extra packages must be installed:
Install all the required utilities.

Yum-based systems:
# yum install curl

APT-based systems:
# apt-get install curl apt-transport-https lsb-release gnupg
Installation
The Wazuh server collects and analyzes data from deployed Wazuh agents. It runs the Wazuh manager and the Splunk forwarder. The first step in setting up Wazuh is adding the Wazuh repository to the server. All the Wazuh packages can be found here.
Add the Wazuh repository

Yum-based systems:

Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

APT-based systems:

Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the package information:
# apt-get update

Install the Wazuh manager package.

Yum-based systems:
# yum -y install wazuh-manager-4.5.4-1

APT-based systems:
# apt-get -y install wazuh-manager=4.5.4-1
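The repository steps above only protect the install if signature verification is actually enforced: gpgcheck=1 with a gpgkey URL on yum, and a signed-by keyring that the _apt user can read on APT. The following shell script is an added example, not part of the Wazuh documentation, that checks a repo definition for those properties before the manager package is installed from it. The sample .repo and .list files it writes to a temporary directory are constructed for the demo, and the function names check_yum_repo and check_apt_source are assumptions.

```shell
#!/bin/sh
# Added example (not from the Wazuh documentation): verify that a repository
# definition enforces package signature checks before wazuh-manager is
# installed from it. The sample repo files below are constructed for the demo.
set -eu

# Yum: require gpgcheck=1 and an https gpgkey URL. With gpgcheck=0 yum would
# install whatever the mirror serves without verifying the Wazuh signature.
check_yum_repo() {
  repo_file=$1
  grep -q '^gpgcheck=1$' "$repo_file" || { echo "gpgcheck disabled"; return 1; }
  grep -q '^gpgkey=https://' "$repo_file" || { echo "no https gpgkey"; return 1; }
  echo "ok"
}

# Apt: require a "deb [signed-by=<keyring>] https://..." line and make sure
# the keyring exists and is world-readable (apt drops privileges to the _apt
# user, which is why the page runs chmod 644 on /usr/share/keyrings/wazuh.gpg).
check_apt_source() {
  list_file=$1
  line=$(grep '^deb ' "$list_file" | head -n 1)
  case $line in
    *'[signed-by='*'] https://'*) ;;
    *) echo "missing signed-by or https"; return 1 ;;
  esac
  keyring=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
  [ -f "$keyring" ] || { echo "keyring $keyring not found"; return 1; }
  find "$keyring" -perm -004 | grep -q . \
    || { echo "keyring $keyring not world-readable"; return 1; }
  echo "ok"
}

# --- constructed fixtures in a temporary directory -------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/good.repo" <<'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

# Same repo with signature checking switched off: must be rejected.
sed 's/^gpgcheck=1$/gpgcheck=0/' "$tmp/good.repo" > "$tmp/bad.repo"

# Stand-ins for the keyring: one readable by everyone, one root-only.
printf 'not a real keyring\n' > "$tmp/wazuh.gpg";   chmod 644 "$tmp/wazuh.gpg"
printf 'not a real keyring\n' > "$tmp/private.gpg"; chmod 600 "$tmp/private.gpg"

echo "deb [signed-by=$tmp/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > "$tmp/good.list"
echo "deb [signed-by=$tmp/private.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > "$tmp/unreadable.list"
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" > "$tmp/unsigned.list"

# Demo: print the verdict for every fixture.
for f in good.repo bad.repo; do
  printf '%-18s %s\n' "$f:" "$(check_yum_repo "$tmp/$f" || true)"
done
for f in good.list unreadable.list unsigned.list; do
  printf '%-18s %s\n' "$f:" "$(check_apt_source "$tmp/$f" || true)"
done
```

Run it against the real files (/etc/yum.repos.d/wazuh.repo or /etc/apt/sources.list.d/wazuh.list) by calling the two functions with those paths; a non-zero return means the package manager would accept unsigned or unverifiable packages from that source.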
Choose the corresponding option to configure the installation as a single-node or multi-node cluster.

Single-node cluster

Enable and start the Wazuh manager service.

Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

SysV init, choose one option according to your operating system:

RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Run the following command to check if the Wazuh manager is active:
# systemctl status wazuh-manager
or, on SysV init:
# service wazuh-manager status

Multi-node cluster

One Wazuh server has to be chosen as the master; the rest will be workers. The section Wazuh server master node is therefore applied in the configuration file of the server chosen for the master role, and the section Wazuh server worker nodes is applied on all the other servers.
Wazuh server master node

Configure the cluster master node by specifying the following settings in the /var/ossec/etc/ossec.conf file:

<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>wazuh-master-key</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

Parameters to be configured:

name: Name of the cluster.
node_name: Name of the current node.
node_type: Specifies the role of the node. It has to be set to master.
key: The key that will be used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key:
  openssl rand -hex 16
port: Destination port for cluster communication.
bind_addr: Network IP address to which the node is bound to listen for incoming requests (0.0.0.0 for any IP).
nodes: The address of the master node. It must be specified in all nodes, including the master itself. The address can be either an IP or a DNS name.
hidden: Indicates whether to show or hide the cluster information in the generated alerts.
disabled: Indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

Once the /var/ossec/etc/ossec.conf configuration file has been modified, enable and start the Wazuh manager service.

Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

SysV init, choose one option according to your operating system:

RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Run the following command to check if the Wazuh manager is active:
# systemctl status wazuh-manager
or, on SysV init:
# service wazuh-manager status
Wazuh server worker nodes

Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

Parameters to be configured:

name: Indicates the name of the cluster.
node_name: Indicates the name of the current node. Each node of the cluster must have a unique name.
node_type: Specifies the role of the node. It has to be set to worker.
key: The key created previously for the master node. It has to be the same for all the nodes.
nodes: Has to contain the address of the master node, which can be either an IP or a DNS name.
disabled: Indicates whether the node is enabled or disabled in the cluster. It has to be set to no.

Once the /var/ossec/etc/ossec.conf configuration file is edited, enable and start the Wazuh manager service.

Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

SysV init, choose one option according to your operating system:

RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Run the following command to check if the Wazuh manager is active:
# systemctl status wazuh-manager
or, on SysV init:
# service wazuh-manager status
Run the following command to check the health of the Wazuh cluster:
# /var/ossec/bin/cluster_control --health
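The master and worker sections above come down to a few invariants that cluster_control --health will otherwise report as a broken cluster: a 32-character key shared by every node (never the wazuh-master-key placeholder from the sample), node_type set to master or worker, the master address in <nodes> on every node, and disabled set to no. The following shell script is an added example, not from the Wazuh documentation: it generates a key the way the page's openssl rand -hex 16 does (falling back to /dev/urandom where openssl is absent), renders the <cluster> block for a master and a worker, and checks that the pair agrees before the files are copied into /var/ossec/etc/ossec.conf. The node names, the 10.0.0.10 master address and the function names are placeholders and assumptions.

```shell
#!/bin/sh
# Added example (not from the Wazuh documentation): generate and validate a
# cluster key and render the <cluster> block for a master or worker node.
# Node names and the master address used in the demo are placeholders.
set -eu

# Generate a 32-character hex key, as `openssl rand -hex 16` does on the page.
# Falls back to /dev/urandom so it also runs where openssl is not installed.
gen_cluster_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 16
  else
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    printf '\n'
  fi
}

# A key is valid only if it is exactly 32 hex characters; this also rejects
# the "wazuh-master-key" placeholder shipped in the sample configuration.
validate_cluster_key() {
  key=$1
  [ "${#key}" -eq 32 ] || return 1
  case $key in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  return 0
}

# Render the <cluster> element. Args: node_type node_name key master_address
render_cluster_block() {
  node_type=$1; node_name=$2; key=$3; master=$4
  case $node_type in
    master|worker) ;;
    *) echo "node_type must be master or worker" >&2; return 1 ;;
  esac
  validate_cluster_key "$key" || { echo "invalid cluster key" >&2; return 1; }
  cat <<EOF
<cluster>
  <name>wazuh</name>
  <node_name>$node_name</node_name>
  <node_type>$node_type</node_type>
  <key>$key</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>$master</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
EOF
}

# Extract one element's text from a rendered block on stdin (one tag per line).
cluster_setting() {
  tag=$1
  sed -n "s:.*<$tag>\(.*\)</$tag>.*:\1:p"
}

# Check that a master block and a worker block agree on the key and the master
# address, and that neither node is disabled. Prints the first mismatch found.
check_cluster_pair() {
  master_cfg=$1; worker_cfg=$2
  mk=$(printf '%s\n' "$master_cfg" | cluster_setting key)
  wk=$(printf '%s\n' "$worker_cfg" | cluster_setting key)
  [ "$mk" = "$wk" ] || { echo "key mismatch"; return 1; }
  ma=$(printf '%s\n' "$master_cfg" | cluster_setting node)
  wa=$(printf '%s\n' "$worker_cfg" | cluster_setting node)
  [ "$ma" = "$wa" ] || { echo "master address mismatch"; return 1; }
  for cfg in "$master_cfg" "$worker_cfg"; do
    [ "$(printf '%s\n' "$cfg" | cluster_setting disabled)" = "no" ] \
      || { echo "node is disabled"; return 1; }
  done
  echo "ok"
}

# Demo with constructed placeholder values.
KEY=$(gen_cluster_key)
MASTER=$(render_cluster_block master master-node "$KEY" 10.0.0.10)
WORKER=$(render_cluster_block worker worker-node "$KEY" 10.0.0.10)
printf '%s\n\n%s\n\n' "$MASTER" "$WORKER"
check_cluster_pair "$MASTER" "$WORKER"
```

In practice the key is generated once on the master and distributed to the workers over a trusted channel; running check_cluster_pair over the rendered blocks (or over the <cluster> sections cut from each node's ossec.conf) catches the two most common causes of an unhealthy cluster, a key that differs between nodes and a worker pointing at the wrong master address.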