Installing the Wazuh indexer step by step
Install and configure the Wazuh indexer as a single-node or multi-node cluster following step-by-step instructions. Wazuh indexer is a highly scalable full-text search engine and offers advanced security, alerting, index management, deep performance analysis, and several other features.
The installation process is divided into three stages.
Certificates creation
Nodes installation
Cluster initialization
Note
Root user privileges are required to run the commands described below.
1. Certificates creation
Generating the SSL certificates
Download the
wazuh-certs-tool.sh
script and theconfig.yml
configuration file. This is to create the certificates that will encrypt communications between the Wazuh central components.# curl -sO https://packages.wazuh.com/4.3/wazuh-certs-tool.sh # curl -sO https://packages.wazuh.com/4.3/config.ymlEdit
./config.yml
and replace the node names and IP values with the corresponding names and IP addresses. You need to do this for all the Wazuh server, the Wazuh indexer, and the Wazuh dashboard nodes. Add as many node fields as needed.nodes: # Wazuh indexer nodes indexer: - name: node-1 ip: <indexer-node-ip> # - name: node-2 # ip: <indexer-node-ip> # - name: node-3 # ip: <indexer-node-ip> # Wazuh server nodes # Use node_type only with more than one Wazuh manager server: - name: wazuh-1 ip: <wazuh-manager-ip> # node_type: master # - name: wazuh-2 # ip: <wazuh-manager-ip> # node_type: worker # Wazuh dashboard node dashboard: - name: dashboard ip: <dashboard-node-ip>To learn more about how to create and configure the certificates, see the Certificates deployment section.
Run the
./wazuh-certs-tool.sh
to create the certificates. For a multi-node cluster, these certificates need to be later deployed to all Wazuh instances in your cluster.# bash ./wazuh-certs-tool.sh -A
Compress all the necessary files.
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . # rm -rf ./wazuh-certificatesCopy
wazuh-certificates.tar
to all the nodes, including Wazuh indexer, Wazuh server, and Wazuh dashboard nodes. This can be done by usingscp
.
2. Nodes installation
Installing package dependencies
Install the following packages if missing.
# yum install coreutils initscripts chkconfig
# apt install debconf adduser procps
Adding the Wazuh repository
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
Install the following package if missing.
# apt install gnupg
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -Add the repository.
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.listUpdate the package information.
# apt-get update
Installing the Wazuh indexer
Install the Wazuh indexer package.
# yum -y install wazuh-indexer
# apt -y install wazuh-indexer
Configuring the Wazuh indexer
Edit
/etc/wazuh-indexer/opensearch.yml
and replace the following values:
network.host
: Sets the address of this node for both HTTP and transport traffic. The node will bind to this address and will also use it as its publish address. Accepts an IP address or a hostname.Use the same node address set in
config.yml
to create the SSL certificates.
node.name
: Name of the Wazuh indexer node as defined in theconfig.yml
file. For example,node-1
.
cluster.initial_master_nodes
: List of the names of the master-eligible nodes. These names are defined in theconfig.yml
file. Uncomment thenode-2
andnode-3
lines, change the names, or add more lines, according to yourconfig.yml
definitions.cluster.initial_master_nodes: - "node-1" - "node-2" - "node-3"
discovery.seed_hosts:
List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. You may leave this setting commented if your are the configuring the Wazuh indexer as a single-node. For multi-node configurations, uncomment this setting and set your master-eligible nodes addresses.discovery.seed_hosts: - "10.0.0.1" - "10.0.0.2" - "10.0.0.3"
plugins.security.nodes_dn
: List of the Distinguished Names of the certificates of all the Wazuh indexer cluster nodes. Uncomment the lines fornode-2
andnode-3
and change the common names (CN) and values according to your settings and yourconfig.yml
definitions.plugins.security.nodes_dn: - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US" - "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US" - "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
Deploying certificates
Note
Make sure that a copy of
wazuh-certificates.tar
, created in the previous stage of the installation process, is placed in your working directory.
Run the following commands replacing
<indexer-node-name>
with the name of the Wazuh indexer node you are configuring as defined inconfig.yml
. For examplenode-1
. This is to deploy the SSL certificates to encrypt communications between the Wazuh central components.# NODE_NAME=<indexer-node-name># mkdir /etc/wazuh-indexer/certs # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem # mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem # mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem # chmod 500 /etc/wazuh-indexer/certs # chmod 400 /etc/wazuh-indexer/certs/* # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certsRecommended action - If no other Wazuh components are going to be installed on this node, remove
wazuh-certificates.tar
runningrm -f ./wazuh-certificates.tar
to increase security.
Starting the service
Enable and start the Wazuh indexer service.
# systemctl daemon-reload # systemctl enable wazuh-indexer # systemctl start wazuh-indexerChoose one option according to the operating system used.
RPM-based operating system:
# chkconfig --add wazuh-indexer # service wazuh-indexer start
Debian-based operating system:
# update-rc.d wazuh-indexer defaults 95 10 # service wazuh-indexer start
Repeat this stage of the installation process for every Wazuh indexer node in your multi-node cluster. Then proceed to the cluster initialization stage.
3. Cluster initialization
Run the Wazuh indexer
indexer-security-init.sh
script on any Wazuh indexer node to load the new certificates information and start the cluster.# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
Note
You only have to initialize the cluster once, there is no need to run this command on every node.
Testing the cluster installation
Replace
<WAZUH_INDEXER_IP>
and run the following commands to confirm that the installation is successful.# curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
{ "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "cMeWTEWxQWeIPDaf1Wx4jw", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f", "build_date" : "2022-01-14T03:38:06.881862Z", "build_snapshot" : false, "lucene_version" : "8.10.1", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" }Replace
<WAZUH_INDEXER_IP>
and run the following command to check if the cluster is working correctly.# curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
Next steps
The Wazuh indexer is now successfully installed on your single-node or multi-node cluster and you can proceed with installing the Wazuh server. To perform this action, see the Installing the Wazuh server step by step section.
If you want to uninstall the Wazuh indexer, see Uninstall the Wazuh indexer.