Step-by-step installation

This document guides through an installation of the Wazuh server and Elastic stack components in an all-in-one configuration. This guide provides instructions to configure the official repositories to do the installations, alternatively, all the available packages can be found here.

Note

Root user privileges are required to execute all the commands described below.

Prerequisites

Some extra packages are needed for the installation, such us curl or unzip, that will be used in further steps:

Install all the necessary packages:

# yum install zip unzip curl

Install all the necessary packages:

# apt-get install apt-transport-https zip unzip lsb-release curl gnupg

Install all the necessary packages:

# zypper install zip unzip tar curl

Installing Elasticsearch

Elasticsearch is a highly scalable full-text search and analytics engine.

Adding the Elastic Stack repository

  1. Import the GPG key:

    # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    
  1. Install the GPG key:

    # curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    
  2. Add the repository:

    # echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
    
  3. Update the package information:

    # apt-get update
    
  1. Import the GPG key:

    # rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/elastic.repo <<\EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    

Elasticsearch installation and configuration

  1. Install the Elasticsearch package:

    # yum install elasticsearch-7.12.1
    
    # apt-get install elasticsearch=7.12.1
    
    # zypper install elasticsearch-7.12.1
    
  2. Download the configuration file /etc/elasticsearch/elasticsearch.yml as follows:

    # curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/elastic-stack/elasticsearch/7.x/elasticsearch_all_in_one.yml
    

Certificates creation and deployment

  1. Download the configuration file for creating the certificates:

    # curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/resources/4.2/elastic-stack/instances_aio.yml
    

    In the following steps, a file that contains a folder named after the instance defined here will be created. This folder will contain the certificates and the keys necessary to communicate with the Elasticsearch node using SSL.

  2. The certificates can be created using the elasticsearch-certutil tool:

    # /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
    
  3. Extract the generated /usr/share/elasticsearch/certs.zip file from the previous step.

    # unzip ~/certs.zip -d ~/certs
    
  4. The next step is to create the directory /etc/elasticsearch/certs, and then copy the CA file, the certificate and the key there:

    # mkdir /etc/elasticsearch/certs/ca -p
    # cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
    # chown -R elasticsearch: /etc/elasticsearch/certs
    # chmod -R 500 /etc/elasticsearch/certs
    # chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
    # rm -rf ~/certs/ ~/certs.zip
    
  5. Enable and start the Elasticsearch service:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
    

    Choose one option according to the OS used:

    1. Debian based OS

    # update-rc.d elasticsearch defaults 95 10
    # service elasticsearch start
    
    1. RPM based OS

    # chkconfig --add elasticsearch
    # service elasticsearch start
    
  6. Generate credentials for all the Elastic Stack pre-built roles and users:

    # /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
    

    The command above will prompt an output like this. Save the password of the elastic user for further steps:

    Changed password for user apm_system
    PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF
    
    Changed password for user kibana_system
    PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn
    
    Changed password for user kibana
    PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn
    
    Changed password for user logstash_system
    PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA
    
    Changed password for user beats_system
    PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob
    
    Changed password for user remote_monitoring_user
    PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS
    
    Changed password for user elastic
    PASSWORD elastic = AN4UeQGA7HGl5iHpMla7
    

To check that the installation was made successfully, run the following command replacing <elastic_password> by the password generated on the previous step for elastic user:

# curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k

This command should have an output like this:

{
  "name" : "elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "4AgWSXskREu4aSlW9W-WjA",
  "version" : {
    "number" : "7.12.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "3186837139b9c6b6d23c3200870651f10d3343b7",
    "build_date" : "2021-04-20T20:56:39.040728659Z",
    "build_snapshot" : false,
    "lucene_version" : "8.8.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Installing Wazuh server

The Wazuh server collects and analyzes data from deployed agents. It runs the Wazuh manager, the Wazuh API and Filebeat. The first step to set up Wazuh is to add the Wazuh repository to the server. Alternatively, the Wazuh manager package can be downloaded directly and compatible versions can be checked here.

Adding the Wazuh repository

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-\$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
  2. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Installing the Wazuh manager

  1. Install the Wazuh manager package:

    # yum install wazuh-manager
    
    # apt-get install wazuh-manager
    
    # zypper install wazuh-manager
    
  2. Enable and start the Wazuh manager service:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    

    Choose one option according to the operating system used:

    1. RPM based operating system:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start
    
    1. Debian based operating system:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start
    
  3. Run the following command to check if the Wazuh manager is active:

    # systemctl status wazuh-manager
    
    # service wazuh-manager status
    

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

Filebeat installation and configuration

  1. Install the Filebeat package:

    # yum install filebeat-7.12.1
    
    # apt-get install filebeat=7.12.1
    
    # zypper install filebeat-7.12.1
    
  2. Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:

    # curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/elastic-stack/filebeat/7.x/filebeat_all_in_one.yml
    
  3. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  4. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
    
  5. Edit the file /etc/filebeat/filebeat.yml:

    output.elasticsearch.password: <elasticsearch_password>
    

    Replace elasticsearch_password with the previously generated password for elastic user.

  6. Copy the certificates into /etc/filebeat/certs/

    # cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
    # cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
    # cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key
    
  7. Enable and start the Filebeat service:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    

    Choose one option according to the OS used:

    1. Debian based OS

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    
    1. RPM based OS

    # chkconfig --add filebeat
    # service filebeat start
    

To ensure that Filebeat has been successfully installed, run the following command:

# filebeat test output

An example response should look as follows:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.12.1

Kibana installation and configuration

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

  1. Install the Kibana package:

    # yum install kibana-7.12.1
    
    # apt-get install kibana=7.12.1
    
    # zypper install kibana-7.12.1
    
  2. Copy the Elasticsearch certificates into the Kibana configuration folder:

    # mkdir /etc/kibana/certs/ca -p
    # cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
    # cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
    # cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
    # chown -R kibana:kibana /etc/kibana/
    # chmod -R 500 /etc/kibana/certs
    # chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
    
  3. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/elastic-stack/kibana/7.x/kibana_all_in_one.yml
    

    Edit the /etc/kibana/kibana.yml file:

    elasticsearch.password: <elasticsearch_password>
    

    Values to be replaced:

    • <elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for the elastic user.

  4. Create the /usr/share/kibana/data directory:

    # mkdir /usr/share/kibana/data
    # chown -R kibana:kibana /usr/share/kibana
    
  5. Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:

    # cd /usr/share/kibana
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.4_7.12.1-1.zip
    
  6. Link Kibana’s socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    

    Choose one option according to the OS used:

    1. Debian based OS

    # update-rc.d kibana defaults 95 10
    # service kibana start
    
    1. RPM based OS

    # chkconfig --add kibana
    # service kibana start
    
  8. Access the web interface using the password generated during the Elasticsearch installation process:

URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the ca.crt file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

Disabling repositories

This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.

With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.

We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo

To uninstall all the components of the all in one installation, visit the uninstalling section.

Next steps

Once the Wazuh environment is ready, a Wazuh agent can be installed on every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found here.