This document will go through the installation of the Wazuh server components and Filebeat in a Wazuh single-node cluster.
Root user privileges are required to run all the commands described below.
The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API, and Filebeat. The first step in setting up Wazuh is adding the Wazuh repository to the server; alternatively, all the available packages can be found here.
Install the Wazuh manager package:
Enable and start the Wazuh manager service:
Run the following command to check if the Wazuh manager is active:
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.
Install the Filebeat package:
Download the pre-configured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Edit the file /etc/filebeat/filebeat.yml and replace wazuh-node-name with your Wazuh node name, the same name used in instances.yml to create the certificates, and move the certificates to their corresponding location. This guide assumes that a copy of certs.tar, created during the Elasticsearch installation, has been placed in the root home folder (~/). In the commands below, $node_name stands for that same node name:
# mkdir /etc/filebeat/certs
# mv ~/certs.tar /etc/filebeat/certs/
# cd /etc/filebeat/certs/
# tar -xf certs.tar $node_name.pem $node_name-key.pem root-ca.pem
# mv /etc/filebeat/certs/$node_name.pem /etc/filebeat/certs/filebeat.pem
# mv /etc/filebeat/certs/$node_name-key.pem /etc/filebeat/certs/filebeat-key.pem
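The following script is an added example and is not part of the Wazuh documentation or the Wazuh project's own tooling. It rehearses the two steps above (replacing the node-name placeholder in filebeat.yml and unpacking only this node's certificates from certs.tar) inside a scratch directory that mirrors /etc/filebeat, then performs the pre-flight checks an operator would want before enabling Filebeat: the placeholder is gone, every certificate path the configuration references exists, a certificate belonging to another node was not extracted, and the private key is not world-readable. The sample filebeat.yml (only the keys relevant here, with the placeholder placed under the Beat `name` setting purely for illustration), the certs.tar contents (placeholder text, not real keys) and the node name wazuh-1 are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): rehearse the filebeat.yml edit and
# certificate placement in a scratch tree, then check the result.
# Assumptions: sample config and certs.tar are constructed; node name is wazuh-1.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"       # scratch stand-in for the filesystem root
node_name="${node_name:-wazuh-1}"  # must match the name used in instances.yml
FB_DIR="$ROOT/etc/filebeat"

# Constructed sample of the keys that matter here; the real file is longer.
make_sample_config() {
  mkdir -p "$FB_DIR"
  cat > "$FB_DIR/filebeat.yml" <<'EOF'
# constructed sample: 'wazuh-node-name' is the placeholder to be replaced
name: wazuh-node-name
output.elasticsearch.hosts: ["127.0.0.1:9200"]
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate_authorities:
  - /etc/filebeat/certs/root-ca.pem
output.elasticsearch.ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
output.elasticsearch.ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
EOF
}

# Constructed certs.tar: placeholder PEM bodies for this node, the CA, and a
# second node, so the extraction step can be shown to pick only the right files.
make_sample_certs_tar() {
  tmp=$(mktemp -d)
  for f in "$node_name.pem" "$node_name-key.pem" root-ca.pem other-node.pem; do
    printf -- '-----BEGIN PLACEHOLDER-----\n%s\n-----END PLACEHOLDER-----\n' "$f" > "$tmp/$f"
  done
  (cd "$tmp" && tar -cf "$ROOT/certs.tar" "$node_name.pem" "$node_name-key.pem" root-ca.pem other-node.pem)
  rm -rf "$tmp"
}

# Guide step: replace the placeholder with the node name (portable, no sed -i).
set_node_name() {
  sed "s/wazuh-node-name/$node_name/g" "$FB_DIR/filebeat.yml" > "$FB_DIR/filebeat.yml.tmp"
  mv "$FB_DIR/filebeat.yml.tmp" "$FB_DIR/filebeat.yml"
}

# Guide step: unpack only this node's files and rename them as Filebeat expects.
place_certs() {
  mkdir -p "$FB_DIR/certs"
  mv "$ROOT/certs.tar" "$FB_DIR/certs/"
  (cd "$FB_DIR/certs" && tar -xf certs.tar "$node_name.pem" "$node_name-key.pem" root-ca.pem)
  mv "$FB_DIR/certs/$node_name.pem" "$FB_DIR/certs/filebeat.pem"
  mv "$FB_DIR/certs/$node_name-key.pem" "$FB_DIR/certs/filebeat-key.pem"
  chmod 600 "$FB_DIR/certs/filebeat-key.pem"   # private key readable by root only (this example's choice)
}

# Pre-flight check; returns non-zero and prints the reason on the first failure.
check_filebeat_setup() {
  cfg="$FB_DIR/filebeat.yml"
  if grep -q 'wazuh-node-name' "$cfg"; then
    echo "placeholder wazuh-node-name still present in $cfg"; return 1
  fi
  # every /etc/filebeat/certs/*.pem path named in the config must exist
  for p in $(grep -o '/etc/filebeat/certs/[A-Za-z0-9._-]*\.pem' "$cfg"); do
    [ -f "$ROOT$p" ] || { echo "missing $ROOT$p referenced by $cfg"; return 1; }
  done
  if [ -n "$(find "$FB_DIR/certs/filebeat-key.pem" -perm -004)" ]; then
    echo "filebeat-key.pem is world-readable"; return 1
  fi
  [ ! -f "$FB_DIR/certs/other-node.pem" ] || { echo "another node's certificate was extracted"; return 1; }
  return 0
}

make_sample_config
make_sample_certs_tar
set_node_name
place_certs
check_filebeat_setup && echo "filebeat.yml and certificates are consistent for node $node_name under $ROOT"
```

On a real host the same check_filebeat_setup logic applies with ROOT set to the empty string and without the two make_sample_* helpers; the point of running it before `systemctl start filebeat` is that a leftover placeholder or a missing certificate file otherwise only shows up as a failed TLS connection in the Filebeat log.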
Enable and start the Filebeat service:
To ensure that Filebeat has been successfully installed, run the following command:
# filebeat test output
An example response should look as follows:
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
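The response above is meant to be read by a person. The script below is an added example, not part of the Wazuh documentation, that turns that reading into a pass/fail check so a scripted install can stop when the Elasticsearch output is not both reachable and verified. It accepts every step only if it reports OK, requires a successful handshake and "talk to server", and rejects a transcript that says the server's certificate chain verification is disabled (what Filebeat reports when ssl.verification_mode is none) or that TLS 1.0 or 1.1 was negotiated. Both transcripts are constructed for the example: the first reproduces the healthy response shown in the guide, the second is an assumed misconfigured variant; the line wording is taken from the response above.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): grade a `filebeat test output`
# transcript read from stdin. Returns 0 only when the connection is healthy
# and the server certificate is actually being verified.
set -eu

filebeat_output_ok() {
  status=0; handshake=0; talk=0
  while IFS= read -r line; do
    case "$line" in
      *"handshake... OK")      handshake=1 ;;
      *"talk to server... OK") talk=1 ;;
      *"... OK")               ;;                  # any other step that passed
      *...)                    ;;                  # section header such as "connection..."
      *"chain verification is disabled"*)
        echo "FAIL: server certificate chain verification is disabled (check ssl.verification_mode)"
        status=1 ;;
      *"TLS version: TLSv1."[01])
        echo "FAIL: weak TLS version negotiated: $line"; status=1 ;;
      *"... "*)                                     # a step followed by something other than OK
        echo "FAIL: step did not pass: $line"; status=1 ;;
      *) ;;                                         # informational lines (addresses, version)
    esac
  done
  [ "$handshake" -eq 1 ] || { echo "FAIL: no successful TLS handshake reported"; status=1; }
  [ "$talk" -eq 1 ]      || { echo "FAIL: no successful 'talk to server' reported"; status=1; }
  return "$status"
}

# Constructed transcript matching the healthy response shown in the guide.
healthy_transcript() {
cat <<'EOF'
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
EOF
}

# Constructed transcript for an assumed misconfiguration: verification off, old TLS.
unverified_transcript() {
cat <<'EOF'
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is disabled
    handshake... OK
    TLS version: TLSv1.1
    dial up... OK
  talk to server... OK
  version: 7.10.2
EOF
}

echo "healthy transcript:"
healthy_transcript | filebeat_output_ok && echo "PASS"
echo "unverified transcript:"
unverified_transcript | filebeat_output_ok || echo "rejected, as intended"
```

In practice the real command feeds the function directly (`filebeat test output | filebeat_output_ok`), and the exit status decides whether the install proceeds to enabling the service; a connection that works but skips certificate verification is the case that is easy to miss when only "OK" lines are scanned for.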
To uninstall Wazuh and Filebeat, visit the uninstalling section.
The next step consists of installing Kibana.