Installing the Wazuh server step by step
Install and configure the Wazuh server as a single-node or multi-node cluster following step-by-step instructions. The Wazuh server is a central component that includes the Wazuh manager and Filebeat. The Wazuh manager collects and analyzes data from the deployed Wazuh agents. It triggers alerts when threats or anomalies are detected. Filebeat securely forwards alerts and archived events to the Wazuh indexer.
The installation process is divided into two stages.
Wazuh server node installation
Cluster configuration for multi-node deployment
Note
You need root user privileges to run all the commands described below.
1. Wazuh server node installation
Adding the Wazuh repository
Note
If you are installing the Wazuh server on the same host as the Wazuh indexer, you may skip these steps as you may have added the Wazuh repository already.
Yum:
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
APT:
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Installing the Wazuh manager
Install the Wazuh manager package.
Yum:
# yum -y install wazuh-manager-4.7.5-1
APT:
# apt-get -y install wazuh-manager=4.7.5-1
Enable and start the Wazuh manager service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
SysV init:
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start
Run the following command to verify the Wazuh manager status.
Systemd:
# systemctl status wazuh-manager
SysV init:
# service wazuh-manager status
Installing Filebeat
Install the Filebeat package.
Yum:
# yum -y install filebeat
APT:
# apt-get -y install filebeat
Configuring Filebeat
Download the preconfigured Filebeat configuration file.
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost, hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer address accordingly. If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["10.0.0.1:9200"]
  protocol: https
  username: ${username}
  password: ${password}
Create a Filebeat keystore to securely store authentication credentials.
# filebeat keystore create
Add the default username and password admin:admin to the secrets keystore.
# echo admin | filebeat keystore add username --stdin --force
# echo admin | filebeat keystore add password --stdin --force
Download the alerts template for the Wazuh indexer.
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Install the Wazuh module for Filebeat.
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
Deploying certificates
Note
Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.
Replace <SERVER_NODE_NAME> with your Wazuh server node certificate name, the same one used in config.yml when creating the certificates. Then, move the certificates to their corresponding location.
# NODE_NAME=<SERVER_NODE_NAME>
# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs
Starting the Filebeat service
Enable and start the Filebeat service.
Systemd:
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
SysV init:
Choose one option according to the operating system used.
RPM-based operating system:
# chkconfig --add filebeat
# service filebeat start
Debian-based operating system:
# update-rc.d filebeat defaults 95 10
# service filebeat start
Run the following command to verify that Filebeat is successfully installed.
# filebeat test output
An example response looks as follows:
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
Your Wazuh server node is now successfully installed. Repeat this stage of the installation process for every Wazuh server node in your Wazuh cluster, then proceed with configuring the Wazuh cluster. If you want a Wazuh server single-node cluster, everything is set and you can proceed directly with Installing the Wazuh dashboard step by step.
2. Cluster configuration for multi-node deployment
After completing the installation of the Wazuh server on every node, you need to configure one server node only as the master and the rest as workers.
Configuring the Wazuh server master node
Edit the following settings in the /var/ossec/etc/ossec.conf configuration file.
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Parameters to be configured:
name: It indicates the name of the cluster.
node_name: It indicates the name of the current node.
node_type: It specifies the role of the node. It has to be set to master.
key: Key that is used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key: openssl rand -hex 16.
port: It indicates the destination port for cluster communication.
bind_addr: It is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 for any IP).
node: It is the address of the master node and can be either an IP address or a DNS name. This parameter must be specified in all nodes, including the master itself.
hidden: It shows or hides the cluster information in the generated alerts.
disabled: It indicates whether the node is enabled or disabled in the cluster. This option must be set to no.
Restart the Wazuh manager.
Systemd:
# systemctl restart wazuh-manager
SysV init:
# service wazuh-manager restart
Configuring the Wazuh server worker nodes
Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file.
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Parameters to be configured:
name: It indicates the name of the cluster.
node_name: It indicates the name of the current node. Each node of the cluster must have a unique name.
node_type: It specifies the role of the node. It has to be set to worker.
key: The key created previously for the master node. It has to be the same for all the nodes.
node: It has to contain the address of the master node and can be either an IP address or a DNS name.
disabled: It indicates whether the node is enabled or disabled in the cluster. It has to be set to no.
Restart the Wazuh manager.
Systemd:
# systemctl restart wazuh-manager
SysV init:
# service wazuh-manager restart
Repeat these configuration steps for every Wazuh server worker node in your cluster.
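The master and worker sections above each end with a restart, and a wrong key length, a leftover wazuh-master-address placeholder or a disabled node only shows up afterwards in the logs. The following preflight check is an added example, not part of the Wazuh documentation or the Wazuh project: it reads the cluster block of an ossec.conf with sed and reports the settings the guide tells you to edit; the helper names and the sample configuration it writes are constructed for the example.

```shell
# Added example, not from the Wazuh documentation: preflight check of the
# <cluster> block in ossec.conf, run before "systemctl restart wazuh-manager".
# Print the text of the first <$2>...</$2> element inside <cluster>.
cluster_value() { # $1 = config file, $2 = element name
  sed -n '/<cluster>/,/<\/cluster>/p' "$1" |
    sed -n "s|.*<$2>\\([^<]*\\)</$2>.*|\\1|p" | head -n 1
}
# Validate the edited settings. Prints one line per problem;
# returns 0 if the block is consistent, 1 otherwise.
check_cluster_conf() {
  conf=$1 errors=0
  key=$(cluster_value "$conf" key)
  # The key must be the 32 hex characters produced by "openssl rand -hex 16".
  case $key in
    *[!0-9a-fA-F]*|'') echo "key: must be hexadecimal"; errors=$((errors + 1)) ;;
  esac
  [ "${#key}" -eq 32 ] ||
    { echo "key: must be 32 characters, got ${#key}"; errors=$((errors + 1)); }
  case "$(cluster_value "$conf" node_type)" in
    master|worker) ;;
    *) echo "node_type: must be master or worker"; errors=$((errors + 1)) ;;
  esac
  [ -n "$(cluster_value "$conf" node_name)" ] ||
    { echo "node_name: must not be empty"; errors=$((errors + 1)); }
  # The guide's placeholder must be replaced with the master's IP or DNS name.
  case "$(cluster_value "$conf" node)" in
    ''|wazuh-master-address) echo "node: set the master address"; errors=$((errors + 1)) ;;
  esac
  [ "$(cluster_value "$conf" disabled)" = no ] ||
    { echo "disabled: must be no for the node to join"; errors=$((errors + 1)); }
  [ "$errors" -eq 0 ]
}
# Write a constructed ossec.conf fragment shaped like the guide's master block.
write_sample_conf() { # $1 = output path, $2 = cluster key, $3 = master address
  cat > "$1" <<EOF
<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>master-node</node_name>
    <node_type>master</node_type>
    <key>$2</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes><node>$3</node></nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
EOF
}
```

Run it as check_cluster_conf /var/ossec/etc/ossec.conf on each node before the restart; the same key must come back from every node in the cluster.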
Testing Wazuh server cluster
To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:
# /var/ossec/bin/cluster_control -l
An example output of the command looks as follows:
NAME          TYPE    VERSION  ADDRESS
master-node   master  4.7.5    10.0.0.3
worker-node1  worker  4.7.5    10.0.0.4
worker-node2  worker  4.7.5    10.0.0.5
Note that 10.0.0.3, 10.0.0.4 and 10.0.0.5 are example IPs.
Next steps
The Wazuh server installation is now complete, and you can proceed with Installing the Wazuh dashboard step by step.
If you want to uninstall the Wazuh server, see Uninstall the Wazuh server.