Wazuh Puppet module

This module has been authored by Nicolas Zin and updated by Jonathan Gazeley and Michael Porter. Wazuh has forked it with the purpose of maintaining it. Thank you to the authors for their contribution.

Install Wazuh module

Download and install the Wazuh module from Puppet Forge:

# puppet module install wazuh-wazuh --version 4.7.4
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ wazuh-wazuh (v4.7.4)
  ├── puppet-nodejs (v7.0.1)
  ├── puppet-selinux (v3.4.1)
  ├── puppetlabs-apt (v7.7.1)
  ├─┬ puppetlabs-concat (v6.4.0)
  │ └── puppetlabs-translate (v2.2.0)
  ├── puppetlabs-firewall (v2.8.1)
  ├─┬ puppetlabs-powershell (v4.1.0)
  │ └── puppetlabs-pwshlib (v0.10.1)
  └── puppetlabs-stdlib (v6.6.0)

This module installs and configures Wazuh agent and manager.

Install a stack via Puppet

A stack of Wazuh manager, Wazuh dashboard, Wazuh indexer and Filebeat can be deployed using this manifest. See the Wazuh manager section for variables that can be used to configure the manager before deployment.

Create a stack.pp file at /etc/puppetlabs/code/environments/production/manifests/ and put the contents below. puppet-agent-node refers to the hostname or IP of the puppet agent:

node "puppet-agent-node" {
 class { 'wazuh::manager':
 }
 class { 'wazuh::indexer':
 }
 class { 'wazuh::filebeat_oss':
 }
 class { 'wazuh::dashboard':
 }
}

Place the file at /etc/puppetlabs/code/environments/production/manifests/ in your Puppet master and it will be executed in the specified node after the runinterval time set in puppet.conf. However, if you want to run the manifest immediately on a specific node, run the following command on the node:

# puppet agent -t

Change Password for Wazuh users

Follow the instructions in the Password Management section to change your Wazuh user passwords. Once you change them, set the new passwords within the classes used for deploying the Wazuh Stack.

Indexer users

  • admin user:

    node "puppet-agent.com" {
      class { 'wazuh::dashboard':
        dashboard_password => '<NEW_PASSWORD>'
      }
    }
    
  • kibanaserver user:

    node "puppet-agent.com" {
      class { 'wazuh::filebeat_oss':
        filebeat_oss_elastic_password  => '<NEW_PASSWORD>'
      }
    }
    

Wazuh API users

  • wazuh-wui user:

    node "puppet-agent.com" {
      class { 'wazuh::dashboard':
        dashboard_wazuh_api_credentials => '<NEW_PASSWORD>'
      }
    }
    

Install Wazuh agent via Puppet

The agent is configured by installing the wazuh::agent class.

Here is an example of a manifest wazuh-agent.pp (please replace <MANAGER_IP_ADDRESS> with your manager IP address).

node "puppet-agent.com" {
  class { "wazuh::agent":
    wazuh_register_endpoint => "<MANAGER_IP_ADDRESS>",
    wazuh_reporting_endpoint => "<MANAGER_IP_ADDRESS>"
  }
}

Place the file at /etc/puppetlabs/code/environments/production/manifests/ in your Puppet master and it will be executed in the specified node after the runinterval time set in puppet.conf. However, if you want to run it first, try the following command in the Puppet agent.

# puppet agent -t

Reference Wazuh puppet

Sections

Variables

Functions

Wazuh manager class

Alerts

Authd

Cluster

Global

Localfile

Rootcheck

Syscheck

Syslog output

Vulnerability Detector

Wazuh API

Wodle OpenSCAP

Wodle CIS-CAT

Wodle osquery

Wodle Syscollector

Misc

email_alert

command

activeresponse

Wazuh agent class

Active response

Agent enrollment

Client settings

Localfile

Rootcheck

SCA

Syscheck

Wodle OpenSCAP

Wodle CIS-CAT

Wodle osquery

Wodle Syscollector

Misc