Wazuh multi-node cluster

This document will go through the installation of the Wazuh server components and Filebeat in a Wazuh multi-node cluster.

Note

Root user privileges are required to run all the commands described below.

Prerequisites

Before installing the Wazuh servers and Filebeat, some extra packages must be installed:

Install all the required utilities:

# yum install curl

Install all the required utilities:

# apt install curl apt-transport-https lsb-release gnupg2

Install all the required utilities:

# zypper install curl

Installing the Wazuh server

The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API, and Filebeat. The first step to set up Wazuh is adding the Wazuh’s repository to the servers, alternatively, the installation can be done using packages. A list with all the available packages can be found here.

Adding the Wazuh repository

This section describes how to add the Wazuh repository. It will be used for the Wazuh manager, the Wazuh API, and Filebeat installation. These steps must be followed in all the servers that will be part of the Wazuh multi-node cluster:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
  2. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Installing the Wazuh manager

Install the Wazuh manager package. This step must be applied in all servers that will act as Wazuh cluster nodes:

# yum install wazuh-manager
# apt-get install wazuh-manager
# zypper install wazuh-manager

Now, the Wazuh manager has been installed in all the Wazuh cluster nodes. The Wazuh manager is configured as a single-node cluster by default. The following sections will describe how to configure the Wazuh manager as a Wazuh master node or as a Wazuh worker node.

One server has to be chosen as a master, the rest will be workers. So, the section Wazuh server master node must be applied once, in the server chosen for this role. For all the other servers, the section Wazuh server worker node must be applied.

Wazuh server master node

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

    <cluster>
      <name>wazuh</name>
      <node_name>master-node</node_name>
      <node_type>master</node_type>
      <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
        <node>wazuh-master-address</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    

    The parameters:

    name

    Name of the cluster.

    node_name

    Name of the current node.

    node_type

    Specifies the role of the node. Has to be set to master.

    key

    Key that will be used to encrypt communication between cluster nodes. The key must be 32 characters long and same for all of the nodes in the cluster. The following command can be used to generate a random key: openssl rand -hex 16.

    port

    Destination port for cluster communication.

    bind_addr

    Network IP to which the node will be bound to listen for incoming requests (0.0.0.0 for any IP).

    nodes

    The address of the master node. It must be specified in all nodes (including the master itself). The address can be either an IP or a DNS.

    hidden

    Shows or hides the cluster information in the generated alerts.

    disabled

    Indicates whether the node will be enabled or disabled in the cluster. This option must be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file is edited, enable and start the Wazuh manager service:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    

    Choose one option according to the OS used:

    1. RPM based OS:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start
    
    1. Debian based OS:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start
    
  3. Run the following command to check if the Wazuh manager is active:

    # systemctl status wazuh-manager
    
    # service wazuh-manager status
    

Wazuh server worker nodes

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

    <cluster>
        <name>wazuh</name>
        <node_name>worker-node</node_name>
        <node_type>worker</node_type>
        <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
        <port>1516</port>
        <bind_addr>0.0.0.0</bind_addr>
        <nodes>
            <node>wazuh-master-address</node>
        </nodes>
        <hidden>no</hidden>
        <disabled>no</disabled>
    </cluster>
    

    As shown in the example above, the following parameters have to be edited:

    name

    Name of the cluster.

    node_name

    Each node of the cluster must have a unique name.

    node_type

    Has to be set as worker.

    key

    The key created previously for the master node. It has to be the same for all the nodes.

    nodes

    Has to contain the address of the master (it can be either an IP or a DNS).

    disabled

    Has to be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file is edited, enable and start the Wazuh manager service:

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    

    Choose one option according to the OS used:

    1. RPM based OS:

    # chkconfig --add wazuh-manager
    # service wazuh-manager start
    
    1. Debian based OS:

    # update-rc.d wazuh-manager defaults 95 10
    # service wazuh-manager start
    
  3. Run the following command to check if the Wazuh manager is active:

    # systemctl status wazuh-manager
    
    # service wazuh-manager status
    
  4. To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:

    # /var/ossec/bin/cluster_control -l
    

    An example output of the command looks as follows:

      NAME         TYPE    VERSION  ADDRESS
      master-node  master  4.0.0    10.0.0.3
      worker-node1 worker  4.0.0    10.0.0.4
      worker-node2 worker  4.0.0    10.0.0.5
    

    Note that 10.0.0.3, 10.0.0.4, 10.0.0.5 are example IPs.

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch. It has to be installed in every Wazuh manager server.

Filebeat installation and configuration

  1. Install the Filebeat package:

    # yum install filebeat
    
    # apt-get install filebeat
    
    # zypper install filebeat
    
  2. Download the pre-configured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:

    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_elastic_cluster.yml
    
  3. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  4. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
    
  5. Edit the file /etc/filebeat/filebeat.yml:

    output.elasticsearch:
      hosts: ["<elasticsearch_ip>:9200"]
    

    Replace elasticsearch_ip with the IP address or the hostname of the Elasticsearch server.

    output.elasticsearch:
      hosts: ["<elasticsearch_ip_node_1>:9200", "<elasticsearch_ip_node_2>:9200", "<elasticsearch_ip_node_3>:9200"]
    

    Replace elasticsearch_ip_node_x with the IP address or the hostname of the Elasticsearch server to connect to.

  6. Configure Filebeat certificates:

    During the Elasticsearch installation, the certs.tar file was created.This guide assumes that a copy of this file has been placed in the root home folder (~/).

    The X must be replaced with the number used in the certificate name defined for this Wazuh server:

    # mkdir /etc/filebeat/certs
    # mv ~/certs.tar /etc/filebeat/certs/
    # cd /etc/filebeat/certs/
    # tar -xf certs.tar filebeat-X.pem filebeat-X.key root-ca.pem
    # mv /etc/filebeat/certs/filebeat-X.pem /etc/filebeat/certs/filebeat.pem
    # mv /etc/filebeat/certs/filebeat-X.key /etc/filebeat/certs/filebeat.key
    
  7. Enable and start the Filebeat service:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    

    Choose one option according to the OS used:

    1. RPM based OS:

    # chkconfig --add filebeat
    # service filebeat start
    
    1. Debian based OS:

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    

To ensure that Filebeat has been successfully installed, run the following command:

# filebeat test output

An example response should look as follows:

 elasticsearch: https://127.0.0.1:9200...
   parse url... OK
   connection...
     parse host... OK
     dns lookup... OK
     addresses: 127.0.0.1
     dial up... OK
   TLS...
     security: server's certificate chain verification is enabled
     handshake... OK
     TLS version: TLSv1.3
     dial up... OK
   talk to server... OK
   version: 7.10.0

To uninstall Wazuh and Filebeat, visit the uninstalling section.

Next steps

The next step consists of installing Kibana.