Wazuh server unattended installation

You can install the Wazuh manager and Filebeat using an automated script. This script performs a health check to verify that the system has enough resources to achieve optimal performance. For more information on system resources, see the requirements section.

Installing the Wazuh server

Note

Root user privileges are required to run all the commands. The curl package is used to download the script.

Download the installation script:

# curl -so ~/wazuh-server-installation.sh https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/unattended-installation/distributed/wazuh-server-installation.sh

Run the following command to install the Wazuh manager. Replace <node_name> with the name of the Wazuh server. The node name must be the same one used in config.yml for the certificate creation, e.g., filebeat.

If you are installing a multi-node Wazuh cluster, repeat this step on every host:

# bash ~/wazuh-server-installation.sh -n <node_name>

The installation script accepts the following options:

Option                       Purpose
-n / --node-name             Name of the Wazuh server instance.
-i / --ignore-healthcheck    Skips the health check.
-d / --debug                 Shows the complete installation output.
-h / --help                  Shows the help text.

Configure the installation

Once all the components of the node are installed, a few more steps are needed to finish configuring the installation.

Choose the cluster mode between single-node or multi-node:

Single-node: once the script finishes the installation, all the components are ready to use.

Multi-node: the Wazuh manager is installed and configured as a single-node cluster by default. To build a Wazuh multi-node cluster, you need to configure each Wazuh manager as a master or worker node.

One server has to be chosen as the master; the rest are designated as workers. The Master node configuration below must be applied only to the server chosen for this role; the Worker node configuration applies to all the other servers.

Master node:

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

    <cluster>
      <name>wazuh</name>
      <node_name>master-node</node_name>
      <node_type>master</node_type>
      <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
        <node>wazuh-master-address</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    

    Parameters and descriptions:

    name

    Name of the cluster.

    node_name

    Name of the current node.

    node_type

    It specifies the role of the node. It has to be set to master.

    key

    Key that is used to encrypt communication between cluster nodes. The key must be 32 characters long and the same on all nodes of the cluster. The following command can be used to generate a random key: openssl rand -hex 16.

    port

    Destination port for cluster communication.

    bind_addr

    IP address on which the node listens for incoming cluster requests (0.0.0.0 for any address).

    nodes

    The address of the master node. It must be specified on all nodes, including the master itself. The address can be either an IP address or a DNS name.

    hidden

    It shows or hides the cluster information in the generated alerts.

    disabled

    It indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file is edited, restart the Wazuh manager with the command that matches the init system of the host (systemd or SysV init):

    # systemctl restart wazuh-manager

    # service wazuh-manager restart

Worker node:

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file:

    <cluster>
        <name>wazuh</name>
        <node_name>worker-node</node_name>
        <node_type>worker</node_type>
        <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
        <port>1516</port>
        <bind_addr>0.0.0.0</bind_addr>
        <nodes>
            <node>wazuh-master-address</node>
        </nodes>
        <hidden>no</hidden>
        <disabled>no</disabled>
    </cluster>
    

    As shown in the example above, the following parameters have to be edited:

    name

    Name of the cluster.

    node_name

    Each node of the cluster must have a unique name.

    node_type

    It has to be set to worker.

    key

    The key created previously for the master node. It has to be the same for all the nodes.

    nodes

    It has to contain the address of the master (either an IP address or a DNS name).

    disabled

    It has to be set to no.

  2. Once the /var/ossec/etc/ossec.conf configuration file is edited, restart the Wazuh manager with the command that matches the init system of the host (systemd or SysV init):

    # systemctl restart wazuh-manager

    # service wazuh-manager restart

  3. To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:

    # /var/ossec/bin/cluster_control -l
    

    An example output of the command looks as follows:

      NAME         TYPE    VERSION  ADDRESS
      master-node  master  4.0.0    10.0.0.3
      worker-node1 worker  4.0.0    10.0.0.4
      worker-node2 worker  4.0.0    10.0.0.5
    

    Note that 10.0.0.3, 10.0.0.4, 10.0.0.5 are example IPs.
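The master and worker parameter lists above describe a set of constraints that must hold across every node (one master, an identical 32-character key, the master address in <nodes> on every node, unique node names, disabled set to no), and step 3 shows the cluster_control -l table used to confirm that all nodes joined. The following script, added here as an example and not part of the Wazuh documentation or the Wazuh project, checks those constraints over a set of ossec.conf files and reports which configured node names are missing from the cluster_control output. The hostnames (srv-1 and so on), the sample configurations and the sample cluster_control table are constructed for the example; a real ossec.conf may contain several top-level <ossec_config> elements, which the parser handles by wrapping the file in a synthetic root.

```python
"""Consistency checks for the <cluster> blocks of a Wazuh multi-node cluster.

Added example, not code from the Wazuh documentation or the Wazuh project. It
applies the constraints stated on this page to every node's ossec.conf and
compares the configured node names with the table printed by cluster_control -l.
"""
import xml.etree.ElementTree as ET


def cluster_conf(node_name, node_type, key="c98b62a9b6169ac5f67dae55ae4a9088", master="10.0.0.3"):
    """Constructed ossec.conf fragment in the layout shown on the page."""
    return f"""<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>{node_name}</node_name>
    <node_type>{node_type}</node_type>
    <key>{key}</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes><node>{master}</node></nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
"""

# Constructed sample: one master and two workers, keyed by hypothetical hostnames.
SAMPLE_CONFIGS = {
    "srv-1": cluster_conf("master-node", "master"),
    "srv-2": cluster_conf("worker-node1", "worker"),
    "srv-3": cluster_conf("worker-node2", "worker"),
}

# Constructed sample with two masters and a short key on one worker.
BAD_CONFIGS = {
    "srv-1": cluster_conf("master-node", "master"),
    "srv-2": cluster_conf("worker-node1", "master"),
    "srv-3": cluster_conf("worker-node2", "worker", key="deadbeef"),
}

# Constructed output in the format of /var/ossec/bin/cluster_control -l;
# worker-node2 is absent (for example, not yet restarted after editing ossec.conf).
SAMPLE_CLUSTER_CONTROL = """\
NAME         TYPE    VERSION  ADDRESS
master-node  master  4.0.0    10.0.0.3
worker-node1 worker  4.0.0    10.0.0.4
"""


def parse_cluster_block(ossec_conf_text):
    """Return the <cluster> settings as a dict, or None if the block is absent."""
    # ossec.conf may hold several top-level <ossec_config> elements, which is not
    # well-formed XML on its own, so the text is wrapped in a synthetic root element.
    root = ET.fromstring("<root>" + ossec_conf_text + "</root>")
    cluster = root.find(".//cluster")
    if cluster is None:
        return None
    settings = {c.tag: (c.text or "").strip() for c in cluster if c.tag != "nodes"}
    settings["nodes"] = [n.text.strip() for n in cluster.findall("nodes/node") if n.text]
    return settings


def check_cluster(configs):
    """configs: {hostname: ossec.conf text}. Returns findings; an empty list means consistent."""
    findings, parsed = [], {}
    for host, text in configs.items():
        block = parse_cluster_block(text)
        if block is None:
            findings.append(f"{host}: no <cluster> block found")
            continue
        parsed[host] = block
        if block.get("disabled") != "no":
            findings.append(f"{host}: <disabled> must be set to no")
        if block.get("node_type") not in ("master", "worker"):
            findings.append(f"{host}: <node_type> must be master or worker")
        if len(block.get("key", "")) != 32:
            findings.append(f"{host}: <key> must be 32 characters (openssl rand -hex 16)")
    # Cross-node checks: these values must agree on every node of the cluster.
    masters = [h for h, b in parsed.items() if b.get("node_type") == "master"]
    if len(masters) != 1:
        findings.append(f"exactly one master expected, found {len(masters)}: {masters}")
    if len({b.get("key") for b in parsed.values()}) > 1:
        findings.append("<key> differs between nodes; it must be the same on all of them")
    if len({tuple(b["nodes"]) for b in parsed.values()}) > 1:
        findings.append("<nodes> must list the same master address on every node")
    names = [b.get("node_name") for b in parsed.values()]
    if len(set(names)) != len(names):
        findings.append(f"<node_name> values are not unique: {names}")
    return findings


def parse_cluster_control(output):
    """Parse the table printed by cluster_control -l (header line skipped) into row dicts."""
    keys = ("name", "type", "version", "address")
    return [dict(zip(keys, line.split())) for line in output.strip().splitlines()[1:]]


def missing_nodes(configs, cluster_control_output):
    """Configured node names that do not appear in the cluster_control -l output."""
    expected = {parse_cluster_block(t)["node_name"] for t in configs.values()}
    seen = {row["name"] for row in parse_cluster_control(cluster_control_output)}
    return sorted(expected - seen)
```

Running check_cluster(BAD_CONFIGS) reports the short key on srv-3, the two masters and the key mismatch, while SAMPLE_CONFIGS produces no findings; missing_nodes(SAMPLE_CONFIGS, SAMPLE_CLUSTER_CONTROL) returns ["worker-node2"], which is the node to look at first when a cluster does not come up completely. On real hosts, feed the functions the contents of each node's /var/ossec/etc/ossec.conf and the captured output of /var/ossec/bin/cluster_control -l.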

To uninstall Wazuh and Filebeat, see the uninstalling section.