Amazon Machine Images (AMI)
Wazuh provides a pre-built Amazon Machine Image (AMI). An AMI is a ready-to-use template for creating virtual computing environments in Amazon Elastic Compute Cloud (Amazon EC2). The latest Wazuh AMI includes Amazon Linux 2023 and the Wazuh central components.
Wazuh manager 4.13.1
Filebeat-OSS 7.10.2
Wazuh indexer 4.13.1
Wazuh dashboard 4.13.1
Packages list
Distribution | Architecture | VM Format | Latest version | Product page |
---|---|---|---|---|
Amazon Linux 2023 | 64-bit | AWS AMI | 4.13.1 | |
Deployment alternatives
You can deploy a Wazuh instance in two ways. Launch the Wazuh All-In-One Deployment AMI directly from the AWS Marketplace or configure and deploy an instance using the AWS Management Console.
Note
Our Wazuh Consulting Service is also available in the AWS Marketplace. Check the Professional Service packages that Wazuh has to offer.
Launch an instance from the AWS Marketplace
Go to Wazuh All-In-One Deployment in the AWS Marketplace, then click View purchase options.
Review the information and the terms for the software. Click Subscribe to confirm subscribing to our product. You will receive an email notification that your offer has been accepted.
Click Launch your software to continue your setup.
Select the service Amazon EC2, Launch from EC2 console, and a Region.
Click Launch from EC2 to take you to the AWS Management Console.
Review your configuration, ensuring all settings are correct, before launching the software. Adapt the default configuration to your needs.
When selecting the EC2 Instance Type, we recommend c5a.xlarge because it offers an ideal balance of high compute performance and cost-efficiency.
To guarantee the correct operation, the Security Group must have the appropriate settings for your Wazuh instance. You can create a new security group by choosing Create security group. This new group will have the appropriate settings by default.
Click Launch to generate the instance.
Once your instance is successfully launched and a few minutes have elapsed, you can access the Wazuh dashboard.
Deploy an instance using the AWS Management Console
Select EC2 from your AWS Management Console dashboard.
Click Launch instance.
Click on Browse more AMIs.
Search Wazuh All-In-One Deployment by Wazuh Inc under the AWS Marketplace AMIs tab, and click Select. This brings up a description of the Wazuh All-In-One Deployment with the option to either Subscribe on instance launch or Subscribe now.
Select the instance type that best fits your needs. We recommend c5a.xlarge.
You can use any of these three configuration alternatives for the key pair settings:
Choose an existing key pair
Create a new key pair
Proceed without a key pair (Not recommended)
You need to choose an existing key pair or create a new one to access the instance with SSH.
When selecting the Security Group, ensure it has the appropriate settings for your Wazuh instance to guarantee correct operation. You can create a new security group by choosing Create security group. This new group will have the appropriate settings by default. Check that the allowed ports and protocols are the ones Wazuh uses, and review the security measures for your instance. This will establish the Security Group (SG).
Under the Size (GiB) column, set your instance's storage capacity, then click Next: Add Tags. We recommend 100 GiB gp3 or more.
Review the instance configuration and click Launch instance.
After a few minutes, the instance will be ready. You can access the Wazuh dashboard.
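The Security Group check from the steps above can be run against the JSON that `aws ec2 describe-security-groups` returns. The following is an added example, not part of the Wazuh documentation: the port list reflects Wazuh's default listeners (an assumption, since this page does not list them), the "admin ports" policy is the example's own, and the sample group is constructed.

```python
# Added example. Wazuh default TCP ports (assumption: not listed on this page).
WAZUH_TCP_PORTS = {22: "SSH", 443: "Wazuh dashboard", 1514: "agent connection",
                   1515: "agent enrollment", 9200: "Wazuh indexer API",
                   55000: "Wazuh server API"}
ADMIN_PORTS = {22, 9200, 55000}      # example policy: never open to any address
REQUIRED_PORTS = {443, 1514, 1515}   # dashboard access and agent traffic
ANYWHERE = {"0.0.0.0/0", "::/0"}

def audit_security_group(group):
    """Return (kind, detail) findings for one security group's ingress rules."""
    findings, reachable = [], set()
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        world = bool(cidrs & ANYWHERE)
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "-1" means every protocol and every port
            findings.append(("all-traffic-rule", "world" if world else "restricted"))
            reachable |= set(WAZUH_TCP_PORTS)
            continue
        if proto != "tcp":  # the default Wazuh listeners are TCP
            findings.append(("review-protocol", proto))
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        covered = {p for p in WAZUH_TCP_PORTS if lo <= p <= hi}
        reachable |= covered
        if hi - lo + 1 > len(covered):  # range also exposes non-Wazuh ports
            findings.append(("non-wazuh-port", f"{lo}-{hi}"))
        if world:
            findings += [("admin-port-open-to-world", str(p))
                         for p in sorted(covered & ADMIN_PORTS)]
    findings += [("required-port-missing", str(p))
                 for p in sorted(REQUIRED_PORTS - reachable)]
    return findings

# Constructed sample in the shape of one entry of "SecurityGroups".
SAMPLE_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 1514, "ToPort": 1515,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}

if __name__ == "__main__":
    for kind, detail in audit_security_group(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {kind} ({detail})")
```

Rules that reference other security groups or prefix lists instead of CIDR ranges are not treated as open to any address by this check.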
Configuration files
All components included in this AMI are configured to work out-of-the-box without the need to modify any settings. However, all components can be fully customized. These are the configuration file locations:
Wazuh manager:
/var/ossec/etc/ossec.conf
Wazuh indexer:
/etc/wazuh-indexer/opensearch.yml
Filebeat-OSS:
/etc/filebeat/filebeat.yml
Wazuh dashboard:
/etc/wazuh-dashboard/opensearch_dashboards.yml
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
To learn more about configuring Wazuh, see the User manual.
Access the Wazuh dashboard
When the instance is launched, the user passwords are automatically changed to the instance ID with the first letter capitalized. For example: I-07f25f6afe4789342. This ensures that only the creator has access to the interface. This process can take an average of five minutes, depending on the type of instance. During this time, SSH access and Wazuh dashboard access are disabled.
Once the instance runs and the process to initialize passwords is complete, you can access the Wazuh dashboard with your credentials.
URL:
https://<YOUR_INSTANCE_IP>
Username:
admin
Password:
<YOUR_INSTANCE_ID>
Note
The password is the instance ID with the first letter capitalized. For example, if the instance ID is i-07f25f6afe4789342, the default password will be I-07f25f6afe4789342.
Warning
The passwords for the Wazuh server API users wazuh and wazuh-wui are the same as those for the admin user. We highly recommend changing the default passwords on the first SSH access. To perform this action, refer to the Password management section.
Security considerations about SSH
The root user cannot authenticate over SSH, and the instance can only be accessed as the user wazuh-user.
The instance can only be accessed with a key pair, so only a user who holds the key pair can connect.
You must download the key generated or stored in AWS to access the instance with a key pair. Then, run the following command to connect with the instance.
# ssh -i "<KEY_PAIR_NAME>" wazuh-user@<YOUR_INSTANCE_IP>
Access during the initial password change is disabled to prevent potential problems. This process might take a few minutes to complete. Any access attempt before completion shows:
wazuh-user@<INSTANCE_IP>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
Next steps
The Wazuh AMI is now ready and you can proceed with deploying the Wazuh agents on the systems to be monitored.
Upgrading the AMI
Follow the instructions on how to upgrade the Wazuh central components.