Wazuh Puppet module
This module has been authored by Nicolas Zin and updated by Jonathan Gazeley and Michael Porter. Wazuh has forked it with the purpose of maintaining it. Thank you to the authors for their contribution.
Install Wazuh module
Download and install the Wazuh module from Puppet Forge:
# puppet module install wazuh-wazuh --version 4.8.1Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ... Notice: Downloading from https://forgeapi.puppet.com ... Notice: Installing -- do not interrupt ... /etc/puppetlabs/code/environments/production/modules └─┬ wazuh-wazuh (v4.8.1) ├── puppet-nodejs (v7.0.1) ├── puppet-selinux (v3.4.1) ├── puppetlabs-apt (v7.7.1) ├─┬ puppetlabs-concat (v6.4.0) │ └── puppetlabs-translate (v2.2.0) ├── puppetlabs-firewall (v2.8.1) ├─┬ puppetlabs-powershell (v4.1.0) │ └── puppetlabs-pwshlib (v0.10.1) └── puppetlabs-stdlib (v6.6.0)
This module installs and configures Wazuh agent and manager.
Install a stack via Puppet
Single Node
You can use the manifest shown below to deploy a single-node stack. This stack consists of:
Wazuh dashboard
Wazuh indexer
Wazuh manager
Filebeat
To configure the manager before deployment, check the configuration variables for the Wazuh manager class section in Reference Wazuh puppet.
Create the stack.pp file at /etc/puppetlabs/code/environments/production/manifests/ with the contents below. Here, puppet-aio-node refers to the hostname or IP address of the puppet agent.
$discovery_type = 'single-node'
stage { 'certificates': }
stage { 'repo': }
stage { 'indexerdeploy': }
stage { 'securityadmin': }
stage { 'dashboard': }
stage { 'manager': }
Stage[certificates] -> Stage[repo] -> Stage[indexerdeploy] -> Stage[securityadmin] -> Stage[manager] -> Stage[dashboard]
Exec {
timeout => 0,
}
node "puppet-server" {
class { 'wazuh::certificates':
indexer_certs => [['node-1','127.0.0.1']],
manager_certs => [['master','127.0.0.1']],
dashboard_certs => ['127.0.0.1'],
stage => certificates,
}
}
node "puppet-aio-node" {
class { 'wazuh::repo':
stage => repo,
}
class { 'wazuh::indexer':
stage => indexerdeploy,
}
class { 'wazuh::securityadmin':
stage => securityadmin
}
class { 'wazuh::manager':
stage => manager,
}
class { 'wazuh::filebeat_oss':
stage => manager,
}
class { 'wazuh::dashboard':
stage => dashboard,
}
}
Multi Node
Using the multi-node manifest below, you can deploy a distributed stack consisting of the following nodes on three different servers or Virtual Machines (VM).
3 indexer nodes
Manager master node
Manager worker node
Dashboard node
You must include the IP addresses of the servers where you are installing each application.
$node1host = 'x.x.x.x'
$node2host = 'x.x.x.x'
$node3host = 'x.x.x.x'
$masterhost = 'x.x.x.x'
$workerhost = 'x.x.x.x'
$dashboardhost = 'x.x.x.x'
$indexer_node1_name = 'node1'
$indexer_node2_name = 'node2'
$indexer_node3_name = 'node3'
$master_name = 'master'
$worker_name = 'worker'
$cluster_size = '3'
$indexer_discovery_hosts = [$node1host, $node2host, $node3host]
$indexer_cluster_initial_master_nodes = [$node1host, $node2host, $node3host]
$indexer_cluster_CN = [$indexer_node1_name, $indexer_node2_name, $indexer_node3_name]
# Define stage for order execution
stage { 'certificates': }
stage { 'repo': }
stage { 'indexerdeploy': }
stage { 'securityadmin': }
stage { 'dashboard': }
stage { 'manager': }
Stage[certificates] -> Stage[repo] -> Stage[indexerdeploy] -> Stage[securityadmin] -> Stage[manager] -> Stage[dashboard]
Exec {
timeout => 0,
}
node "puppet-server" {
class { 'wazuh::certificates':
indexer_certs => [["$indexer_node1_name","$node1host" ],["$indexer_node2_name","$node2host" ],["$indexer_node3_name","$node3host" ]],
manager_master_certs => [["$master_name","$masterhost"]],
manager_worker_certs => [["$worker_name","$workerhost"]],
dashboard_certs => ["$dashboardhost"],
stage => certificates
}
class { 'wazuh::repo':
stage => repo
}
}
node "puppet-wazuh-indexer-node1" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::indexer':
indexer_node_name => "$indexer_node1_name",
indexer_network_host => "$node1host",
indexer_node_max_local_storage_nodes => "$cluster_size",
indexer_discovery_hosts => $indexer_discovery_hosts,
indexer_cluster_initial_master_nodes => $indexer_cluster_initial_master_nodes,
indexer_cluster_CN => $indexer_cluster_CN,
stage => indexerdeploy
}
class { 'wazuh::securityadmin':
indexer_network_host => "$node1host",
stage => securityadmin
}
}
node "puppet-wazuh-indexer-node2" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::indexer':
indexer_node_name => "$indexer_node2_name",
indexer_network_host => "$node2host",
indexer_node_max_local_storage_nodes => "$cluster_size",
indexer_discovery_hosts => $indexer_discovery_hosts,
indexer_cluster_initial_master_nodes => $indexer_cluster_initial_master_nodes,
indexer_cluster_CN => $indexer_cluster_CN,
stage => indexerdeploy
}
}
node "puppet-wazuh-indexer-node3" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::indexer':
indexer_node_name => "$indexer_node3_name",
indexer_network_host => "$node3host",
indexer_node_max_local_storage_nodes => "$cluster_size",
indexer_discovery_hosts => $indexer_discovery_hosts,
indexer_cluster_initial_master_nodes => $indexer_cluster_initial_master_nodes,
indexer_cluster_CN => $indexer_cluster_CN,
stage => indexerdeploy
}
}
node "puppet-wazuh-manager-master" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::manager':
ossec_cluster_name => 'wazuh-cluster',
ossec_cluster_node_name => 'wazuh-master',
ossec_cluster_node_type => 'master',
ossec_cluster_key => '01234567890123456789012345678912',
ossec_cluster_bind_addr => "$masterhost",
ossec_cluster_nodes => ["$masterhost"],
ossec_cluster_disabled => 'no',
stage => manager
}
class { 'wazuh::filebeat_oss':
filebeat_oss_indexer_ip => "$node1host",
wazuh_node_name => "$master_name",
stage => manager
}
}
node "puppet-wazuh-manager-worker" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::manager':
ossec_cluster_name => 'wazuh-cluster',
ossec_cluster_node_name => 'wazuh-worker',
ossec_cluster_node_type => 'worker',
ossec_cluster_key => '01234567890123456789012345678912',
ossec_cluster_bind_addr => "$masterhost",
ossec_cluster_nodes => ["$masterhost"],
ossec_cluster_disabled => 'no',
stage => manager
}
class { 'wazuh::filebeat_oss':
filebeat_oss_indexer_ip => "$node1host",
wazuh_node_name => "$worker_name",
stage => manager
}
}
node "puppet-wazuh-dashboard" {
class { 'wazuh::repo':
stage => repo,
}
class { 'wazuh::dashboard':
indexer_server_ip => "$node1host",
manager_api_host => "$masterhost",
stage => dashboard
}
}
The correspondence of the IP addresses with the puppet nodes described in the manifest is as follows:
puppet-wazuh-indexer-node1=node1host. Wazuh indexer node1.puppet-wazuh-indexer-node2=node2host. Wazuh indexer node2.puppet-wazuh-indexer-node3=node3host. Wazuh indexer node3.puppet-wazuh-manager-master=masterhost. Wazuh manager master.puppet-wazuh-manager-worker=workerhost. Wazuh manager worker.puppet-wazuh-dashboard=dashboardhost. Wazuh dashboard node.
The wazuh::certificates class needs to be applied on the Puppet server (puppet-server) where the Wazuh module is installed. This is necessary because the archives module is used to distribute files to all servers in the Wazuh stack deployment.
If you need more Wazuh indexer nodes, add new variables. For example indexer_node4_name and node4host. Add them to the following arrays:
indexer_discovery_hostsindexer_cluster_initial_master_nodesindexer_cluster_CNindexer_certs
In addition, you need to add a new node instance similar to puppet-wazuh-indexer-node2 or puppet-wazuh-indexer-node3. Unlike the instance for Wazuh indexer node1, these instances don't run securityadmin.
In case you need to add a Wazuh manager worker server, add a new variable such as worker2host. Add the variable to the manager_worker_certs array. For example, ['worker',"$worker2host"]. Then, replicate the node instance puppet-wazuh-manager-worker with the new server.
Place the file at /etc/puppetlabs/code/environments/production/manifests/ in your Puppet master. It executes on the specified node once the runinterval time, as set in puppet.conf, elapses. However, if you want to run the manifest immediately on a specific node, run the following command on the node:
# puppet agent -t
Change Password for Wazuh users
Follow the instructions in the Password Management section to change your Wazuh user passwords. Once you change them, set the new passwords within the classes used for deploying the Wazuh Stack.
Indexer users
adminuser:node "puppet-agent.com" { class { 'wazuh::dashboard': dashboard_password => '<NEW_PASSWORD>' } }
kibanaserveruser:node "puppet-agent.com" { class { 'wazuh::filebeat_oss': filebeat_oss_elastic_password => '<NEW_PASSWORD>' } }
Wazuh API users
wazuh-wuiuser:node "puppet-agent.com" { class { 'wazuh::dashboard': dashboard_wazuh_api_credentials => '<NEW_PASSWORD>' } }
Install Wazuh agent via Puppet
The agent is configured by installing the wazuh::agent class.
Here is an example of a manifest wazuh-agent.pp (please replace <MANAGER_IP_ADDRESS> with your manager IP address).
node "puppet-agent.com" { class { 'wazuh::repo': } class { "wazuh::agent": wazuh_register_endpoint => "<MANAGER_IP_ADDRESS>", wazuh_reporting_endpoint => "<MANAGER_IP_ADDRESS>" } }
Place the file at /etc/puppetlabs/code/environments/production/manifests/ in your Puppet master and it will be executed in the specified node after the runinterval time set in puppet.conf. However, if you want to run it first, try the following command in the Puppet agent.
# puppet agent -t
Reference Wazuh puppet
Sections |
Variables |
Functions |
|---|---|---|