Offline installation

You can install Wazuh even when there is no connection to the Internet. Installing the solution offline involves downloading the Wazuh components to later install them on a system with no internet connection. Although in this section the Wazuh server and Elastic Stack are installed and configured on the same host in an all-in-one deployment, each component can also be installed on a separate host as a distributed deployment, depending on your environment needs. For more information, check the Requirements section.

Note

Root privileges are required to execute all the commands.

Prerequisites

  • curl, tar, and setcap need to be installed in the target system where the offline installation will be carried out. gnupg might need to be installed as well for some Debian-based systems.

  • In some systems, the command cp is an alias for cp -i — you can check this by running alias cp. If this is your case, use unalias cp to avoid being asked for confirmation to overwrite files.

Download the packages and configuration files

  1. Replace <deb|rpm> in the following command with your choice of package format and run it from a Linux system with internet connection. This action executes a script that downloads all required files for the offline installation on x86_64 architectures. You can add the --list-only option to only get a list of files to be downloaded.

    # curl -sO https://packages.wazuh.com/resources/4.2/open-distro/tools/wazuh-offline-download.sh && bash ./wazuh-offline-download.sh -p <deb|rpm>
    
  2. Copy or move the ./wazuh-offline/ folder contents to a folder accessible to the host from where the offline installation will be carried out.

Install Wazuh components from local files

Note

In the host where the installation is taking place, make sure to change the working directory to the folder where the downloaded installation files were placed.

Installing the Wazuh manager

  1. Run the following commands to import the Wazuh key and install the Wazuh manager.

    # rpm --import ./wazuh_files/GPG-KEY-WAZUH
    # rpm -ivh ./wazuh-packages/wazuh-manager*.rpm
    
    # apt-key add ./wazuh_files/GPG-KEY-WAZUH
    # dpkg -i ./wazuh-packages/wazuh-manager*.deb
    
  2. Enable and start the Wazuh manager service.

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    

    Choose one option according to the operating system used:

    1. RPM-based operating system:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start
    
    1. Debian-based operating system:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start
    
  3. Run the following command to verify the Wazuh manager status is active.

    # systemctl status wazuh-manager
    
    # service wazuh-manager status
    

Installing Elasticsearch

  1. Run the following command to install Open Distro for Elasticsearch.

    # rpm -ivh ./opendistro-packages/*.rpm > opendistro_output.txt
    
    # dpkg -i ./opendistro-packages/*.deb > opendistro_output.txt
    
  2. Move a copy of the configuration files to the appropriate location.

    cp ./opendistro_files/elasticsearch/elasticsearch.yml /etc/elasticsearch/ &&\
    cp ./opendistro_files/elasticsearch/roles.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ &&\
    cp ./opendistro_files/elasticsearch/roles_mapping.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ &&\
    cp ./opendistro_files/elasticsearch/internal_users.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ &&\
    cp ./opendistro_files/elasticsearch/wazuh-cert-tool.sh ~ &&\
    cp ./opendistro_files/elasticsearch/instances.yml ~
    
  3. Remove the demo certificates.

    # rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
    
  4. Run wazuh-cert-tool.sh to create the new certificates.

    # bash ~/wazuh-cert-tool.sh
    
  5. Move the certificates to the appropriate location.

    # mkdir /etc/elasticsearch/certs/
    # mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
    # mv ~/certs/admin* /etc/elasticsearch/certs/
    # cp ~/certs/root-ca* /etc/elasticsearch/certs/
    
  6. Recommended action - Remove Open Distro for Elasticsearch performance analyzer plugin

    The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command.

    # /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer
    
  7. Enable and start the Elasticsearch service.

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
    

    Choose one option according to the operating system used.

    1. RPM-based operating system:

    # chkconfig --add elasticsearch
    # service elasticsearch start
    
    1. Debian-based operating system:

    # update-rc.d elasticsearch defaults 95 10
    # service elasticsearch start
    
  8. Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster.

    # export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
    
  9. Run the following command to check that the installation is successful.

    # curl -XGET https://localhost:9200 -u admin:admin -k
    

    Expand the output to see an example response.

    {
      "name" : "node-1",
      "cluster_name" : "elasticsearch",
      "cluster_uuid" : "RpYwqJ5CRdS1ZFI5QQERRA",
      "version" : {
        "number" : "7.10.2",
        "build_flavor" : "oss",
        "build_type" : "rpm",
        "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
        "build_date" : "2021-01-13T00:42:12.435326Z",
        "build_snapshot" : false,
        "lucene_version" : "8.7.0",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }
    

Installing Filebeat

  1. Run the following command to install Filebeat.

    # rpm -ivh ./wazuh-packages/filebeat*.rpm
    
    # dpkg -i ./wazuh-packages/filebeat*.deb
    
  2. Move a copy of the configuration files to the appropriate location.

    cp ./wazuh_files/filebeat/filebeat.yml /etc/filebeat/ &&\
    cp ./wazuh_files/filebeat/wazuh-template.json /etc/filebeat/ &&\
    chmod go+r /etc/filebeat/wazuh-template.json
    
  3. Edit /etc/filebeat/wazuh-template.json and change to "1" the value for "index.number_of_shards" as this is a single-node installation.

    {
      ...
      "settings": {
        ...
        "index.number_of_shards": "1",
        ...
      },
      ...
    }
    
  4. Install the Wazuh module for Filebeat.

    # tar -xzf ./wazuh_files/filebeat/wazuh-filebeat-module.tar.gz -C /usr/share/filebeat/module
    
  5. Copy the Elasticsearch certificates into /etc/filebeat/certs.

    # mkdir /etc/filebeat/certs
    # cp ~/certs/root-ca.pem /etc/filebeat/certs/
    # mv ~/certs/filebeat* /etc/filebeat/certs/
    
  6. Enable and start the Filebeat service.

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    

    Choose one option according to the operating system used.

    1. RPM-based operating system:

    # chkconfig --add filebeat
    # service filebeat start
    
    1. Debian-based operating system:

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    
  7. Run the following command to make sure Filebeat is successfully installed.

    # filebeat test output
    

    Expand the output to see an example response.

    elasticsearch: https://127.0.0.1:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 127.0.0.1
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2
    

    To check only one shard has been configured, you can run the following command.

    # curl -k -u admin:admin "https://localhost:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards"
    

    Expand the output to see an example response.

    {
      "wazuh" : {
        "settings" : {
          "index" : {
            "number_of_shards" : "1"
          }
        }
      }
    }
    

Installing Kibana

  1. Run the following command to install Kibana.

    # rpm -ivh ./opendistro-kibana-packages/opendistroforelasticsearch-kibana*.rpm
    
    # dpkg -i ./opendistro-kibana-packages/opendistroforelasticsearch-kibana*.deb
    
  2. Move a copy of the configuration files to the appropriate location.

    # cp ./opendistro_files/kibana/kibana.yml /etc/kibana/
    

    Note

    server.host: 0.0.0.0 in /etc/kibana/kibana.yml means that Kibana can be accessed from the outside and accepts all the available IPs of the host. This value can be changed for a specific IP if needed.

  3. Create the /usr/share/kibana/data directory.

    # mkdir /usr/share/kibana/data
    # chown -R kibana:kibana /usr/share/kibana/data
    
  4. Replace </path/to/installation/folder/> with your installation folder path and run the following command to install the Wazuh Kibana plugin.

    # /usr/share/kibana/bin/kibana-plugin install --allow-root file://</path/to/installation/folder/>wazuh_files/kibana/wazuh_kibana.zip
    
  5. Copy the Elasticsearch certificates into /etc/kibana/certs.

    # mkdir /etc/kibana/certs
    # cp ~/certs/root-ca.pem /etc/kibana/certs/
    # mv ~/certs/kibana* /etc/kibana/certs/
    # chown kibana:kibana /etc/kibana/certs/*
    
  6. Link Kibana socket to privileged port 443.

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service.

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    

    Choose one option according to the operating system used:

    1. RPM-based operating system:

    # chkconfig --add kibana
    # service kibana start
    
    1. Debian-based operating system:

    # update-rc.d kibana defaults 95 10
    # service kibana start
    
  8. Access the web interface.

    • URL: https://<wazuh_server_ip>

    • Username: admin

    • Password: admin

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

Note

  • It is highly recommended to change the default passwords of Elasticsearch for the users’ passwords. To perform this action, see the Change users’ password section.

  • It is also recommended to customize the file /etc/elasticsearch/jvm.options to improve the performance of Elasticsearch. Learn more about this process in the Memory locking section.

To uninstall all the components of the all-in-one installation, see the Uninstalling Wazuh section.

Next steps

Once the Wazuh environment is ready, Wazuh agents can be installed on every endpoint to be monitored. To install the Wazuh agents and start monitoring the endpoints, see the Wazuh agent installation section. If you need to install them offline, you can check the appropriate agent package to download for your monitored system in the Wazuh agent packages list section.