Step-by-step installation

Install Wazuh and Open Distro for Elasticsearch components in an all-in-one deployment. This type of deployment is appropriate for testing and small working environments.

Follow the instructions below to configure the official repositories and perform the installation. Alternatively, the installation can be done from standalone packages; check the list of available packages in the Packages list section.

Note

Root privileges are required to execute all the commands.

Prerequisites

Open Distro for Elasticsearch requires a Java Development Kit (JDK). The tasks that follow also need the wget, curl, unzip, and libcap packages, so install them first:

Yum based systems: run the following command to install all the packages needed for the installation:

# export JAVA_HOME=/usr/ && yum install curl unzip wget libcap && yum install java-11-openjdk-devel

If JDK 11 is not available for the operating system in use, install the adoptopenjdk-11-hotspot package from AdoptOpenJDK instead.

APT based systems (Debian, Ubuntu): run the following command to install all the packages needed for the installation:

# apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Add the repository for Java Development Kit (JDK):

  • For Debian:

    # echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/backports.list
    
  • For Ubuntu and other Debian based operating systems:

    # add-apt-repository ppa:openjdk-r/ppa
    

Update repository data:

# apt update

Install all the required utilities:

# export JAVA_HOME=/usr/ && apt install openjdk-11-jdk

If JDK 11 is not available for the operating system in use, install the adoptopenjdk-11-hotspot package from AdoptOpenJDK instead.

Zypper based systems: run the following command to install all the packages needed for the installation:

# export JAVA_HOME=/usr/ && zypper install curl unzip wget libcap && zypper install java-11-openjdk-devel

If JDK 11 is not available for the operating system in use, install the adoptopenjdk-11-hotspot package from AdoptOpenJDK instead.

Installing Wazuh

The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.

To start setting up Wazuh, add the Wazuh repository to the server.

Adding the Wazuh repository

  Yum based systems:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository (the escaped EOF keeps the shell from expanding $releasever, so the name line is written to the file literally and yum expands it itself):

    # cat > /etc/yum.repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  APT based systems:

  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
  2. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
  Zypper based systems:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
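Whichever package manager is used, the repository definition written above is what makes it verify the Wazuh GPG signature on every package it installs, so it is worth checking before the first install. The following shell check is an added example, not part of the Wazuh documentation: it reads a .repo file (yum or zypper) or a .list file (apt) and fails unless GPG checking is on and the key and package URLs use HTTPS (for apt it also rejects the [trusted=yes] option, which skips signature checks for that source). The function name and the temporary directory holding the sample files are assumptions of this example; the sample contents repeat the definitions from this page, and the weak variants are constructed for contrast.

```shell
# Added example, not part of the Wazuh documentation: sanity-check a package
# repository definition before running the package manager against it.

# repo_is_hardened FILE
#   *.repo (yum, zypper): gpgcheck=1, an https gpgkey= and an https baseurl=.
#   *.list (apt): at least one "deb" line, every "deb" line uses https://,
#                 and no [trusted=yes] option (it disables signature checks).
#   Returns 0 when the file passes; prints the first failing check and returns 1.
repo_is_hardened() {
    file=$1
    case "$file" in
        *.repo)
            grep -q '^gpgcheck=1$' "$file" || { echo "$file: gpgcheck is not 1"; return 1; }
            grep -q '^gpgkey=https://' "$file" || { echo "$file: gpgkey missing or not https"; return 1; }
            grep -q '^baseurl=https://' "$file" || { echo "$file: baseurl is not https"; return 1; }
            ;;
        *.list)
            grep -q '^deb ' "$file" || { echo "$file: no deb line"; return 1; }
            # Drop a leading [options] block, then require https on every deb line.
            if grep '^deb ' "$file" | sed 's/^deb \[[^]]*] */deb /' | grep -qv '^deb https://'; then
                echo "$file: a deb line does not use https"; return 1
            fi
            grep -q 'trusted=yes' "$file" && { echo "$file: trusted=yes disables signature checks"; return 1; }
            ;;
        *)
            echo "$file: unknown repository file type"; return 1 ;;
    esac
    return 0
}

# Constructed samples so the script runs offline. The "wazuh" files repeat the
# definitions from this page; the "weak" files are made up for contrast.
tmpdir=$(mktemp -d)
cat > "$tmpdir/wazuh.repo" <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
cat > "$tmpdir/weak.repo" <<\EOF
[wazuh]
gpgcheck=0
enabled=1
baseurl=http://packages.wazuh.com/4.x/yum/
EOF
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" > "$tmpdir/wazuh.list"
echo "deb [trusted=yes] http://packages.wazuh.com/4.x/apt/ stable main" > "$tmpdir/weak.list"

repo_is_hardened "$tmpdir/wazuh.repo" && echo "wazuh.repo: OK"
repo_is_hardened "$tmpdir/wazuh.list" && echo "wazuh.list: OK"
repo_is_hardened "$tmpdir/weak.repo" || echo "weak.repo: rejected"
repo_is_hardened "$tmpdir/weak.list" || echo "weak.list: rejected"
```

In a provisioning script the call would be repo_is_hardened /etc/yum.repos.d/wazuh.repo (or /etc/apt/sources.list.d/wazuh.list) placed just before the package install step, so a tampered or mistyped repository file aborts the run instead of installing unsigned packages.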
    

Installing the Wazuh manager

  1. Install the Wazuh manager package with the package manager in use:

    Yum:

    # yum install wazuh-manager
    
    APT:

    # apt-get install wazuh-manager
    
    Zypper:

    # zypper install wazuh-manager
    
  2. Enable and start the Wazuh manager service. Choose one option according to the init system and operating system used:

    Systemd:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    
    SysV init, RPM based operating system:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start
    
    SysV init, Debian based operating system:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start
    
  3. Run the following command to check that the Wazuh manager is active:

    Systemd:

    # systemctl status wazuh-manager
    
    SysV init:

    # service wazuh-manager status
    

Installing Elasticsearch

Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.

Install Open Distro for Elasticsearch with the package manager in use:

Yum:

# yum install opendistroforelasticsearch

APT (installs Elasticsearch OSS together with Open Distro for Elasticsearch):

# apt install elasticsearch-oss opendistroforelasticsearch

Zypper:

# zypper install opendistroforelasticsearch

Configuring Elasticsearch

Run the following command to download the configuration file /etc/elasticsearch/elasticsearch.yml:

# curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Elasticsearch users and roles

Users and roles need to be added in order to use the Wazuh Kibana plugin properly.

Run the following commands to add the Wazuh users and additional roles in Kibana:

# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles_mapping.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/internal_users.yml

Wazuh users added in Kibana by running the commands above:

wazuh_user

It is created for users who need read-only access to the Wazuh Kibana plugin.

wazuh_admin

It is the recommended user for those who need administrative privileges.

Wazuh additional roles added in Kibana to give the appropriate permissions to users:

wazuh_ui_user

It gives wazuh_user permission to read the Wazuh indices.

wazuh_ui_admin

It allows wazuh_admin to perform reading, writing, management, and indexing tasks on the Wazuh indices.

These users and roles are designed to operate along with the Wazuh Kibana plugin, and they are protected so that they cannot be modified from the Kibana interface. To modify them, or to add new users or roles, the securityadmin script has to be run.

Certificates creation

  1. Remove the demo certificates:

    # rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
    
  2. Generate and deploy the certificates:

    • Move to the installation location and create the certificates directory:

      # mkdir /etc/elasticsearch/certs
      # cd /etc/elasticsearch/certs
      
    • Download the Search Guard offline TLS tool to create the certificates:

      # curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip
      
    • Extract the downloaded file. It is assumed that it has been downloaded in ~/ (home directory):

      # unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard
      
    • Download the search-guard.yml configuration file. This file is pre-configured to generate all the necessary certificates:

      # curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/searchguard/search-guard-aio.yml
      
    • Run the Search Guard script to create the certificates:

      # ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/
      
    • Once the certificates have been created, remove the unnecessary files:

      # rm /etc/elasticsearch/certs/client-certificates.readme /etc/elasticsearch/certs/elasticsearch_elasticsearch_config_snippet.yml ~/search-guard-tlstool-1.8.zip ~/searchguard -rf
      
  3. Enable and start the Elasticsearch service. Choose one option according to the init system and operating system used:

    Systemd:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
    
    SysV init, RPM based operating system:

    # chkconfig --add elasticsearch
    # service elasticsearch start
    
    SysV init, Debian based operating system:

    # update-rc.d elasticsearch defaults 95 10
    # service elasticsearch start
    
  4. Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:

    # /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key

Run the following command to ensure that the installation is successful:

# curl -XGET https://localhost:9200 -u admin:admin -k

An example response should look as follows:

 {
   "name" : "node-1",
   "cluster_name" : "elasticsearch",
   "cluster_uuid" : "J4EAfzd7R4KZv-31jBAuNA",
   "version" : {
     "number" : "7.10.0",
     "build_flavor" : "oss",
     "build_type" : "rpm",
     "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
     "build_date" : "2020-11-09T21:30:33.964949Z",
     "build_snapshot" : false,
     "lucene_version" : "8.7.0",
     "minimum_wire_compatibility_version" : "6.8.0",
     "minimum_index_compatibility_version" : "6.0.0-beta1"
   },
   "tagline" : "You Know, for Search"
 }
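The curl check above passes -k, which disables certificate verification, so it proves that something answers on port 9200 but not that it is the node whose certificates were just generated. The following script is an added example, not part of the Wazuh documentation: it first confirms that no private key in the certificates directory is readable by other users, then shows the same query verified against the generated root-ca.pem instead of -k. The function names, the temporary demo directory and its constructed key files are assumptions of this example; the certificate paths are the ones used on this page, and es_tls_check is defined but not executed in the demo because it needs a running node.

```shell
# Added example, not part of the Wazuh documentation.
# 1) keys_are_private: refuse private keys that other users can read.
# 2) es_tls_check: query Elasticsearch with the generated root CA (no -k).

# keys_are_private DIR
#   Returns 0 when every *.key file in DIR is mode 600 or 640; otherwise prints
#   each offending file and returns 1.
keys_are_private() {
    dir=$1
    bad=0
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue            # no keys present: nothing to report
        mode=$(stat -c %a "$key")            # GNU stat: octal permission bits
        case "$mode" in
            600|640) ;;
            *) echo "$key has mode $mode (expected 600 or 640)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# es_tls_check [CERTS_DIR] [URL] [USER]
#   Same request as the page's curl check, but the server certificate is
#   verified against root-ca.pem. curl prompts for the password when USER
#   contains no ":". Requires a running node, so it is not called below.
es_tls_check() {
    certs=${1:-/etc/elasticsearch/certs}
    url=${2:-https://localhost:9200}
    user=${3:-admin}
    curl -sS --fail --cacert "$certs/root-ca.pem" -u "$user" "$url"
}

# Demo on constructed files (assumed names): one key protected correctly and
# one left world-readable, which keys_are_private must report.
demo_dir=$(mktemp -d)
touch "$demo_dir/node.key" "$demo_dir/leaked.key"
chmod 600 "$demo_dir/node.key"
chmod 644 "$demo_dir/leaked.key"
keys_are_private "$demo_dir" || echo "fix with: chmod 600 $demo_dir/*.key"
```

On the server itself the two calls would be keys_are_private /etc/elasticsearch/certs followed by es_tls_check; the same permission check applies to the copies made later under /etc/filebeat/certs and /etc/kibana/certs.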

Note

The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command and restarting the Elasticsearch service afterward:

# /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

  1. Install the Filebeat package with the package manager in use:

    Yum:

    # yum install filebeat
    
    APT:

    # apt-get install filebeat
    
    Zypper:

    # zypper install filebeat
    
  2. Download the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:

    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml
    
  3. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  4. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
    
  5. Copy the Elasticsearch certificates into /etc/filebeat/certs:

    # mkdir /etc/filebeat/certs
    # cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/
    # mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/
    
  6. Enable and start the Filebeat service. Choose one option according to the init system and operating system used:

    Systemd:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    
    SysV init, RPM based operating system:

    # chkconfig --add filebeat
    # service filebeat start
    
    SysV init, Debian based operating system:

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    

To ensure that Filebeat is successfully installed, run the following command:

# filebeat test output

An example response should look as follows:

 elasticsearch: https://127.0.0.1:9200...
   parse url... OK
   connection...
     parse host... OK
     dns lookup... OK
     addresses: 127.0.0.1
     dial up... OK
   TLS...
     security: server's certificate chain verification is enabled
     handshake... OK
     TLS version: TLSv1.3
     dial up... OK
   talk to server... OK
   version: 7.10.0
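Reading that output by eye works once; in a provisioning or monitoring script it is more useful as an exit status. The following function is an added example, not part of the Wazuh documentation or of Filebeat: it parses the text of filebeat test output, fails on any step that does not end in OK, and also fails when Filebeat reports that server certificate chain verification is disabled, which is what happens when ssl.verification_mode is set to none in filebeat.yml. The three sample outputs are constructed: the first mirrors the healthy response above, the other two are this example's assumptions about what a run with verification disabled and a run with a failed handshake look like.

```shell
# Added example, not part of the Wazuh documentation or of Filebeat.

# filebeat_output_ok
#   Reads the text of "filebeat test output" on stdin. Every step result is a
#   line of the form "  step... OK". Returns 1 (printing the offending lines)
#   if a step did not finish with OK or if certificate verification is off.
filebeat_output_ok() {
    out=$(cat)
    failed=$(printf '%s\n' "$out" | grep '\.\.\. ' | grep -v '\.\.\. OK$' || true)
    if [ -n "$failed" ]; then
        echo "failed steps:"
        echo "$failed"
        return 1
    fi
    if printf '%s\n' "$out" | grep -q 'certificate chain verification is disabled'; then
        echo "TLS verification is off (check ssl.verification_mode in filebeat.yml)"
        return 1
    fi
    return 0
}

# Constructed sample 1: the healthy output shown on this page.
good_output=$(cat <<'EOF'
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.0
EOF
)

# Constructed sample 2 (assumed): verification switched off, everything else OK.
unverified_output=$(cat <<'EOF'
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    dial up... OK
  TLS...
    security: server's certificate chain verification is disabled
    handshake... OK
  talk to server... OK
EOF
)

# Constructed sample 3 (assumed): the CA copied to /etc/filebeat/certs does not
# match the node certificate, so the handshake step reports an error.
failed_output=$(cat <<'EOF'
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate signed by unknown authority
EOF
)

printf '%s\n' "$good_output" | filebeat_output_ok && echo "healthy output: accepted"
printf '%s\n' "$unverified_output" | filebeat_output_ok || echo "unverified output: rejected"
printf '%s\n' "$failed_output" | filebeat_output_ok || echo "failed handshake: rejected"
```

On the Wazuh server the real check is simply filebeat test output | filebeat_output_ok; a non-zero status then stops a deployment script before alerts are shipped over an unverified or broken connection.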

Installing Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

  1. Install the Kibana package with the package manager in use:

    Yum:

    # yum install opendistroforelasticsearch-kibana
    
    APT:

    # apt-get install opendistroforelasticsearch-kibana
    
    Zypper:

    # zypper install opendistroforelasticsearch-kibana
    
  2. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.yml
    

    In the /etc/kibana/kibana.yml file, the setting server.host has the value 0.0.0.0. This makes Kibana listen on every IP address of the host, so it is reachable from outside the host. Change this value to a specific IP address if only that interface should be exposed.

  3. Create the /usr/share/kibana/data directory:

    # mkdir /usr/share/kibana/data
    # chown -R kibana:kibana /usr/share/kibana/data
    
  4. Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:

    # cd /usr/share/kibana
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.0-1.zip
    
  5. Copy the Elasticsearch certificates into /etc/kibana/certs:

    # mkdir /etc/kibana/certs
    # cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/
    # mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key
    # mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
    
  6. Allow Kibana to bind to the privileged port 443 by granting the cap_net_bind_service capability to the Node.js binary it runs on:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service. Choose one option according to the init system and operating system used:

    Systemd:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    
    SysV init, RPM based operating system:

    # chkconfig --add kibana
    # service kibana start
    
    SysV init, Debian based operating system:

    # update-rc.d kibana defaults 95 10
    # service kibana start
    
  8. Access the web interface:

URL: https://<wazuh_server_ip>
user: admin
password: admin

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

It is highly recommended to change the Elasticsearch default passwords for the users found in the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. More information about this process can be found in the user manual. It is also recommended to customize the /etc/elasticsearch/jvm.options file to improve the performance of Elasticsearch. Learn more about this process in the Elasticsearch tuning section.

Once Kibana is running, it is necessary to assign each user its corresponding role. To learn more, see the setting up the Wazuh Kibana plugin section.

To uninstall all the components of the all-in-one installation, see the uninstalling section.

Next steps

Once the Wazuh environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. To install the Wazuh agents and start monitoring the endpoints, see the Wazuh agent section.