Step-by-step installation

This document guides through the installation of the Wazuh and Open Distro for Elasticsearch components in an all-in-one deployment. This type of deployment is appropriate for testing and small working environments.

This guide provides instructions for configuring the official repositories to perform installations. As an alternative, the installation can also be done using packages. Check out the list of available packages in our packages list.

Note

To execute the commands described below, root privileges are required.

Prerequisites

Open Distro for Elasticsearch requires the Java Development Kit as well as the installation of other packages such as wget, curl, unzip, and libcap that will be used in further steps:

Install all the necessary packages for the installation:

# export JAVA_HOME=/usr/ && yum install curl unzip wget libcap && yum install java-11-openjdk-devel

In case JDK 11 is not available for the operating system being used, install the package adoptopenjdk-11-hotspot using Adopt Open JDK.

Install all the necessary packages for the installation:

# apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Add the repository for Java Development Kit (JDK):

  • For Debian:

    # echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/backports.list
    
  • For Ubuntu and other Debian based OS:

    # add-apt-repository ppa:openjdk-r/ppa
    

Update repository data:

# apt update

Install all the required utilities:

# export JAVA_HOME=/usr/ && apt install openjdk-11-jdk

In case JDK 11 is not available for the operating system being used, install the package adoptopenjdk-11-hotspot using Adopt Open JDK.

Install all the necessary packages for the installation:

# export JAVA_HOME=/usr/ && zypper install curl unzip wget libcap && zypper install java-11-openjdk-devel

In case JDK 11 is not available for the operating system being used, install the package adoptopenjdk-11-hotspot using Adopt Open JDK.

Installing Wazuh

The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.

The first step to set up Wazuh is to add the Wazuh repository to the server.

Adding the Wazuh repository

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
  2. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Installing the Wazuh manager

  1. Install the Wazuh manager package:

    # yum install wazuh-manager
    
    # apt-get install wazuh-manager
    
    # zypper install wazuh-manager
    
  2. Enable and start the Wazuh manager service:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    

    Choose one option according to the OS used:

    1. RPM based OS:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start
    
    1. Debian based OS:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start
    
  3. Run the following command to check if the Wazuh manager is active:

    # systemctl status wazuh-manager
    
    # service wazuh-manager status
    

Installing Elasticsearch

Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.

Install Open Distro for Elasticsearch:

# yum install opendistroforelasticsearch

Install Elasticsearch OSS and Open Distro for Elasticsearch:

# apt install elasticsearch-oss opendistroforelasticsearch

Install Open Distro for Elasticsearch:

# zypper install opendistroforelasticsearch

Configuring Elasticsearch

Download the configuration file /etc/elasticsearch/elasticsearch.yml as follows:

# curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Certificates creation

  1. Remove the demo certificates:

    # rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
    
  2. Generate and deploy the certificates:

    • Move to the installation location and create the certificates directory:

      # mkdir /etc/elasticsearch/certs
      # cd /etc/elasticsearch/certs
      
    • Download the Search Guard offline TLS tool to create the certificates:

      # curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip
      
    • Extract the downloaded file. It is assumed that it has been downloaded in ~/ (home directory):

      # unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard
      
    • Download the search-guard.yml configuration file. This file is pre-configured to generate all the necessary certificates:

      # curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/searchguard/search-guard-aio.yml
      
    • Run the Search Guard’s script to create the certificates:

      #  ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/
      
    • Once the certificates have been created, remove the unnecessary files:

      # rm /etc/elasticsearch/certs/client-certificates.readme /etc/elasticsearch/certs/elasticsearch_elasticsearch_config_snippet.yml ~/search-guard-tlstool-1.8.zip ~/searchguard -rf
      
  3. Enable and start the Elasticsearch service:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
    

    Choose one option according to the OS used:

    1. RPM based OS:

    # chkconfig --add elasticsearch
    # service elasticsearch start
    
    1. Debian based OS:

    # update-rc.d elasticsearch defaults 95 10
    # service elasticsearch start
    
  4. Run the Elasticsearch’s securityadmin script to load the new certificates information and start the cluster:

# /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key

Run the following command to ensure that the installation has been successful:

# curl -XGET https://localhost:9200 -u admin:admin -k

An example response should look as follows:

 {
   "name" : "node-1",
   "cluster_name" : "elasticsearch",
   "cluster_uuid" : "J4EAfzd7R4KZv-31jBAuNA",
   "version" : {
     "number" : "7.10.0",
     "build_flavor" : "oss",
     "build_type" : "rpm",
     "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
     "build_date" : "2020-11-09T21:30:33.964949Z",
     "build_snapshot" : false,
     "lucene_version" : "8.7.0",
     "minimum_wire_compatibility_version" : "6.8.0",
     "minimum_index_compatibility_version" : "6.0.0-beta1"
   },
   "tagline" : "You Know, for Search"
 }

Note

The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer. Please be sure to restart the Elasticsearch service afterwards.

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

  1. Install the Filebeat package:

    # yum install filebeat
    
    # apt-get install filebeat
    
    # zypper install filebeat
    
  2. Download the pre-configured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:

    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml
    
  3. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  4. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
    
  5. Copy the Elasticsearch certificates into /etc/filebeat/certs:

    # mkdir /etc/filebeat/certs
    # cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/
    # mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/
    
  6. Enable and start the Filebeat service:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    

    Choose one option according to the OS used:

    1. RPM based OS:

    # chkconfig --add filebeat
    # service filebeat start
    
    1. Debian based OS:

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    

To ensure that Filebeat has been successfully installed, run the following command:

# filebeat test output

An example response should look as follows:

 elasticsearch: https://127.0.0.1:9200...
   parse url... OK
   connection...
     parse host... OK
     dns lookup... OK
     addresses: 127.0.0.1
     dial up... OK
   TLS...
     security: server's certificate chain verification is enabled
     handshake... OK
     TLS version: TLSv1.3
     dial up... OK
   talk to server... OK
   version: 7.10.0

Installing Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

  1. Install the Kibana package:

    # yum install opendistroforelasticsearch-kibana
    
    # apt-get install opendistroforelasticsearch-kibana
    
    # zypper install opendistroforelasticsearch-kibana
    
  2. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.yml
    

    In the /etc/kibana/kibana.yml file, the setting server.host has the value 0.0.0.0. It means that Kibana can be accessed from the outside and will accept all the available IPs of the host. This value can be changed for a specific IP if needed.

  3. Create the /usr/share/kibana/data directory:

    # mkdir /usr/share/kibana/data
    # chown -R kibana:kibana /usr/share/kibana/data
    
  4. Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:

    # cd /usr/share/kibana
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.1_7.10.0-1.zip
    
  5. Copy the Elasticsearch certificates into /etc/kibana/certs:

    # mkdir /etc/kibana/certs
    # cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/
    # mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key
    # mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
    
  6. Link Kibana’s socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    

    Choose one option according to the OS used:

    1. RPM based OS:

    # chkconfig --add kibana
    # service kibana start
    
    1. Debian based OS:

    # update-rc.d kibana defaults 95 10
    # service kibana start
    
  8. Access the web interface:

URL: https://<wazuh_server_ip>
user: admin
password: admin

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

It is highly recommended to change Elasticsearch’s default passwords for the users found at the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. More information about this process can be found at our user manual. It is also recommended to customize the file /etc/elasticsearch/jvm.options to improve the performance of Elasticsearch. Learn more about this process in the Elasticsearch tuning section.

Once Kibana is running it is necessary to assign each user its corresponding role. To learn more visit the setting up the Wazuh Kibana plugin section.

To uninstall all the components of the all in one installation, visit the uninstalling section.

Next steps

Once the Wazuh environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found at our installation guide.