This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

Install Elastic Stack with RPM packages

The RPM packages are suitable for installation on Red Hat, CentOS and other RPM-based systems.

Note

All the commands described below need to be executed with root user privileges.

Preparation

  1. Install the Elastic repository and its GPG key:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Elasticsearch

Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.

  1. Install the Elasticsearch package:
# yum install elasticsearch-7.3.0
  2. Optional. Elasticsearch will only listen on the loopback interface (localhost) by default. Configure Elasticsearch to listen on all interfaces by editing the file /etc/elasticsearch/elasticsearch.yml and uncommenting the setting network.host. Change the value to:

    network.host: 0.0.0.0
    
  3. If you are installing a distributed architecture, you will have to make an additional configuration change by editing the file /etc/elasticsearch/elasticsearch.yml. Add or edit (if commented) the following lines:

    node.name: node-1
    network.host: 0.0.0.0
    cluster.initial_master_nodes: ["node-1"]
    
  4. Enable and start the Elasticsearch service:

    - For Systemd:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
    - For SysV Init:
# chkconfig --add elasticsearch
# service elasticsearch start
  5. Once Elasticsearch is up and running, it is recommended to load the Filebeat template. Run the following command on the host where Filebeat was installed (the current host for a single-host architecture, or the Wazuh manager host for a distributed architecture):
# filebeat setup --index-management -E setup.template.json.enabled=false

Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.

  1. Install the Kibana package:
# yum install kibana-7.3.0
  2. Install the Wazuh app plugin for Kibana:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_7.3.0.zip
  3. Optional. Kibana will only listen on the loopback interface (localhost) by default. Configure Kibana to listen on all interfaces by editing the file /etc/kibana/kibana.yml and uncommenting the setting server.host. Change the value to:

    server.host: "0.0.0.0"
    
  4. Enable and start the Kibana service:
    - For Systemd:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
    - For SysV Init:
# chkconfig --add kibana
# service kibana start
  5. Optional. Disable the Elasticsearch repository:

Disabling the Elasticsearch repository is recommended to prevent an unintended upgrade to a newer Elastic Stack version, since such an upgrade could undo the changes made by the Wazuh app. To do this, run the following command:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
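As an added example that is not part of the Wazuh documentation, the following POSIX shell script checks the settings configured above: that the Elastic repository keeps gpgcheck=1 and whether it is still enabled (step 5), and whether Elasticsearch and Kibana are bound to loopback or to all interfaces through network.host and server.host. It runs against constructed sample files in a temporary directory; the variables REPO_FILE, ES_YML and KIBANA_YML are assumptions to be pointed at the real files when auditing a live host.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: post-install checks for
# the repository and bind-address settings this page configures. It runs
# against constructed sample files written to a temporary directory; point
# REPO_FILE, ES_YML and KIBANA_YML at the real files to audit a live host.
WORK=$(mktemp -d)
REPO_FILE="$WORK/elastic.repo"
ES_YML="$WORK/elasticsearch.yml"
KIBANA_YML="$WORK/kibana.yml"

# Constructed samples: the repo as the page writes it (still enabled),
# Elasticsearch at its shipped default (network.host commented out, so loopback),
# Kibana bound to all interfaces as in the optional step above.
printf '[elasticsearch-7.x]\ngpgcheck=1\nenabled=1\n' > "$REPO_FILE"
printf '#network.host: 192.168.0.1\nhttp.port: 9200\n' > "$ES_YML"
printf 'server.host: "0.0.0.0"\n' > "$KIBANA_YML"

# First uncommented key=value in an INI-style repo file (empty if absent).
repo_value() { sed -n "s/^$2=//p" "$1" | head -n 1; }
# First uncommented "key: value" in a YAML file, quotes stripped (empty if absent).
yml_value() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'; }

# Repository audit: returns 1 unless gpgcheck=1, so unsigned packages are never
# accepted; otherwise reports whether the repo is still enabled, which the page
# recommends turning off after installation to pin the Elastic Stack version.
check_repo() {
    [ "$(repo_value "$1" gpgcheck)" = "1" ] || { echo "repo: gpgcheck must be 1"; return 1; }
    if [ "$(repo_value "$1" enabled)" = "0" ]; then
        echo "repo: disabled, version pinned"
    else
        echo "repo: enabled, upgrades not pinned"
    fi
}

# Bind exposure for a YAML host key: "loopback" (the shipped default, also when
# the key is commented out), "all" for 0.0.0.0, otherwise the literal address.
check_bind() {
    host=$(yml_value "$1" "$2")
    case "$host" in
        ""|localhost|127.0.0.1|_local_) echo loopback ;;
        0.0.0.0) echo all ;;
        *) echo "$host" ;;
    esac
}

check_repo "$REPO_FILE"
echo "elasticsearch network.host: $(check_bind "$ES_YML" network.host)"
echo "kibana server.host: $(check_bind "$KIBANA_YML" server.host)"
```

On a single-host install, leaving Elasticsearch on loopback keeps port 9200 off the network; 0.0.0.0 is only needed when other hosts must reach it.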

Next steps

Once the Wazuh and Elastic Stack servers are installed and connected, you can install and connect Wazuh agents. Follow this guide and read the instructions for your specific environment.

You can also read the Kibana app user manual to learn more about its features and how to use it.