Wazuh manager installation

This document will go through the installation of the Wazuh manager.

Note

Root user privileges are required to run all the commands described below.

Prerequisites

Before installing the Wazuh manager, some extra packages must be installed:

Install all the required utilities on RPM-based systems (yum):

# yum install curl

Install all the required utilities on Debian-based systems (apt):

# apt install curl apt-transport-https lsb-release gnupg

Installation

The Wazuh server collects and analyzes data from deployed Wazuh agents. It runs the Wazuh manager and the Splunk forwarder. The first step in setting up Wazuh is adding the Wazuh repository to the server. All the Wazuh packages are available from https://packages.wazuh.com/.

  1. Add the Wazuh repository

    Yum (RPM-based systems):

    1. Import the GPG key:

      # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

    2. Add the repository:

      # cat > /etc/yum.repos.d/wazuh.repo << EOF
      [wazuh]
      gpgcheck=1
      gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
      enabled=1
      name=EL-\$releasever - Wazuh
      baseurl=https://packages.wazuh.com/4.x/yum/
      protect=1
      EOF

    APT (Debian-based systems):

    1. Install the GPG key:

      # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

    2. Add the repository:

      # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

    3. Update the package information:

      # apt-get update

  2. Install the Wazuh manager package:

    Yum:

    # yum -y install wazuh-manager

    APT:

    # apt -y install wazuh-manager
    

Configure the installation either as a single-node deployment (the steps immediately below) or as a multi-node cluster (the master node and worker node sections that follow).

Single-node installation

  1. Enable and start the Wazuh manager service.

    Systemd:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager

    SysV init, choose one option according to your operating system:

    RPM-based operating system:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start

    Debian-based operating system:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start

  2. Run the following command to check if the Wazuh manager is active:

    Systemd:

    # systemctl status wazuh-manager

    SysV init:

    # service wazuh-manager status
    

Multi-node cluster

One Wazuh server has to be chosen as the master; all the others will be workers. Apply the Wazuh server master node section to the configuration file of the server chosen for the master role, and the Wazuh server worker nodes section to every other server.

Wazuh server master node

  1. Configure the cluster master node by specifying the following settings in the /var/ossec/etc/ossec.conf file.

    <cluster>
      <name>wazuh</name>
      <node_name>master-node</node_name>
      <node_type>master</node_type>
      <key>wazuh-master-key</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
        <node>wazuh-master-address</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    

    Parameters to be configured:

    name

    Name of the cluster.

    node_name

    Name of the current node.

    node_type

    It specifies the role of the node. It has to be set to master.

    key

    The key used to encrypt communication between cluster nodes. It must be exactly 32 characters long and the same on every node in the cluster. A random key of the right length can be generated with: openssl rand -hex 16.

    port

    Destination port for cluster communication.

    bind_addr

    Network IP address on which the node listens for incoming cluster requests (0.0.0.0 to listen on any address).

    nodes

    The address of the master node. It must be specified on all nodes, including the master itself. The address can be either an IP address or a DNS name.

    hidden

    It indicates whether to show or hide the cluster information in the generated alerts.

    disabled

    It indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file has been modified, enable and start the Wazuh manager service.

    Systemd:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager

    SysV init, choose one option according to your operating system:

    RPM-based operating system:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start

    Debian-based operating system:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start

  3. Run the following command to check if the Wazuh manager is active:

    Systemd:

    # systemctl status wazuh-manager

    SysV init:

    # service wazuh-manager status
    

Wazuh server worker nodes

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file.

    <cluster>
      <name>wazuh</name>
      <node_name>worker-node</node_name>
      <node_type>worker</node_type>
      <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
        <node>wazuh-master-address</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    

    Parameters to be configured:

    name

    It indicates the name of the cluster.

    node_name

    It indicates the name of the current node. Each node of the cluster must have a unique name.

    node_type

    It specifies the role of the node. It has to be set to worker.

    key

    The key created previously for the master node. It has to be the same for all the nodes.

    nodes

    It has to contain the address of the master node, which can be either an IP address or a DNS name.

    disabled

    It indicates whether the node is enabled or disabled in the cluster. It has to be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file has been edited, enable and start the Wazuh manager service.

    Systemd:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager

    SysV init, choose one option according to your operating system:

    RPM-based operating system:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start

    Debian-based operating system:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start

  3. Run the following command to check if the Wazuh manager is active:

    Systemd:

    # systemctl status wazuh-manager

    SysV init:

    # service wazuh-manager status
    
  4. Run the following command to check the health of the Wazuh cluster:

    # /var/ossec/bin/cluster_control --health
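The master and worker sections above both depend on the same two details: the cluster key must be exactly 32 characters and identical on every node, and each node's <cluster> block must carry the right node_type and the master's address. The following POSIX shell helpers are an added example, not part of the Wazuh documentation or the Wazuh project: they generate a key in the format `openssl rand -hex 16` produces, validate a key before it is written into ossec.conf, and render the <cluster> block for a master or a worker. The function names and the /dev/urandom fallback are this example's own choices; the key in the demo call is the example worker key shown on the page.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): helpers for the <cluster> settings
# described in the master and worker node sections.

# validate_cluster_key KEY
# Returns 0 when KEY is exactly 32 hexadecimal characters, which is what
# `openssl rand -hex 16` produces; returns 1 otherwise (too short, too long,
# or non-hex characters such as the placeholder "wazuh-master-key").
validate_cluster_key() {
    key="$1"
    [ "${#key}" -eq 32 ] || return 1
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# generate_cluster_key
# Prints a fresh 32-character hex key. Uses openssl when it is installed and
# otherwise reads 16 bytes from /dev/urandom (assumed to exist on the host).
generate_cluster_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# render_cluster_block NODE_NAME NODE_TYPE KEY MASTER_ADDRESS
# Prints a <cluster> section for /var/ossec/etc/ossec.conf. Refuses (exit 1)
# any node_type other than master or worker, and any key that fails
# validate_cluster_key, so a bad value never reaches the config file.
render_cluster_block() {
    node_name="$1"; node_type="$2"; key="$3"; master_addr="$4"
    case "$node_type" in
        master|worker) ;;
        *) echo "node_type must be master or worker, got: $node_type" >&2; return 1 ;;
    esac
    validate_cluster_key "$key" || {
        echo "cluster key must be exactly 32 hex characters" >&2
        return 1
    }
    cat <<EOF
<cluster>
  <name>wazuh</name>
  <node_name>${node_name}</node_name>
  <node_type>${node_type}</node_type>
  <key>${key}</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>${master_addr}</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
EOF
}

# Demo: render a worker block using the example key from the page and the
# placeholder master address the page uses.
render_cluster_block worker-node worker c98b62a9b6169ac5f67dae55ae4a9088 wazuh-master-address
```

Generate the key once on the master with `generate_cluster_key`, then pass the same value to `render_cluster_block` for every node; the validation step catches the common mistakes of leaving the `wazuh-master-key` placeholder in place or pasting a truncated key on one worker, both of which leave that node unable to join the cluster.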