Installing Wazuh server from sources

The Wazuh server collects and analyzes data from deployed agents. It runs the Wazuh manager, the Wazuh API and Filebeat. Alternatively, the Wazuh manager package compatible versions can be checked or downloaded directly here.

Installing Wazuh manager

Note

CMake 3.12.4 is the minimal library version required to build the Wazuh server solution.

# yum update
# yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel
# yum update
# yum install devtoolset-7
# scl enable devtoolset-7 bash

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
# cd cmake-3.18.3 && ./bootstrap --no-system-curl
# make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# yum install make cmake gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel cmake
# rpm -i $(rpm --eval https://packages.wazuh.com/utils/libstdc%2B%2B/libstdc%2B%2B-static-8.4.1-1.el8.'%{_arch}'.rpm)

Optional CMake 3.18 installation from sources

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
# cd cmake-3.18.3 && ./bootstrap --no-system-curl
# make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# export PATH=/usr/local/bin:$PATH
# apt-get install python gcc g++ make libc6-dev curl policycoreutils automake autoconf libtool

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
# cd cmake-3.18.3 && ./bootstrap --no-system-curl
# make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# zypper install make cmake gcc gcc-c++ policycoreutils-python automake autoconf libtool

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
# cd cmake-3.18.3 && ./bootstrap --no-system-curl
# make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

Optional. Install the following dependencies only when compiling the CPython from sources. Since v4.2.0, make deps TARGET=server will download a portable version of CPython ready to be installed. Nevertheless, you can download the CPython sources adding the PYTHON_SOURCE flag when running make deps.

To install the required dependencies to build the python interpreter, follow these steps:

# yum install epel-release yum-utils -y
# yum-builddep python34 -y
# echo "deb-src http://deb.debian.org/debian $(lsb_release -cs) main" >> /etc/apt/sources.list
# apt-get update
# apt-get build-dep python3.5 -y
# zypper install epel-release yum-utils -y
# zypper-builddep python34 -y

Note

The Python version from the previous command may change depending on the OS used to build the binaries. More information in Install dependencies.

  1. Download and extract the latest version:

    # curl -Ls https://github.com/wazuh/wazuh/archive/v4.2.4.tar.gz | tar zx
    
  2. Run the install.sh script. This will display a wizard to guide you through the installation process using the Wazuh sources:

    Warning

    If you want to enable the database output, check out this section before running the installation script.

    # cd wazuh-*
    # ./install.sh
    

    If you have previously compiled for another platform, you must clean the build using the Makefile in src:

    # cd wazuh-*
    # make -C src clean
    # make -C src clean-deps
    
  3. When the script asks what kind of installation you want, type manager to install the Wazuh manager:

    1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager
    

    Note

    During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to manager, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt.

    Warning

    Be extremely careful not to select a critical installation directory if you choose a different path than the default. If the directory already exist the installer will ask if delete the directory or if installing Wazuh inside.

  4. The installer asks if you want to start Wazuh at the end of the installation. If you choosed not to, you can start it later with:

# systemctl start wazuh-manager
# service wazuh-manager start

Installing Filebeat

Filebeat is a data shipping tool that is installed on the Wazuh server to securely forward alerts and archived events to Elasticsearch.Once the Wazuh manager is installed, you may install Filebeat as well as the other Elastic Stack components from sources or using packages.

Uninstall

To uninstall Wazuh manager, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-manager stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

For SysV Init:

# [ -f /etc/rc.local ] && sed -i'' '/wazuh-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

For Systemd:

# find /etc/systemd/system -name "wazuh*" | xargs rm -f
# systemctl daemon-reload

Remove users:

# userdel ossec 2> /dev/null
# userdel ossecm 2> /dev/null
# userdel ossecr 2> /dev/null
# groupdel ossec 2> /dev/null