Installing the Wazuh server step by step

Install and configure the Wazuh server as a single-node or multi-node cluster following step-by-step instructions. The Wazuh server is a central component that includes the Wazuh manager and Filebeat. The Wazuh manager collects and analyzes data from the deployed Wazuh agents. It triggers alerts when threats or anomalies are detected. Filebeat securely forwards alerts and archived events to the Wazuh indexer.

The installation process is divided into two stages.

  1. Wazuh server node installation

  2. Cluster configuration for multi-node deployment

Note

You need root user privileges to run all the commands described below.

1. Wazuh server node installation

Adding the Wazuh repository

Note

If you are installing the Wazuh server on the same host as the Wazuh indexer, you may skip these steps as you may have added the Wazuh repository already.

  1. Import the GPG key.

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository.

    # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
    

Installing the Wazuh manager

  1. Install the Wazuh manager package.

    # yum -y install wazuh-manager
    
  2. Enable and start the Wazuh manager service.

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    
  3. Run the following command to verify the Wazuh manager status.

    # systemctl status wazuh-manager
    

Installing Filebeat

  1. Install the Filebeat package.

    # yum -y install filebeat
    

Configuring Filebeat

  1. Download the preconfigured Filebeat configuration file.

    # curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
    
  2. Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:

    1. hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer address accordingly.

      If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]

       # Wazuh - Filebeat configuration file
       output.elasticsearch:
       hosts: ["10.0.0.1:9200"]
       protocol: https
       username: ${username}
       password: ${password}
      
  3. Create a Filebeat keystore to securely store authentication credentials.

    # filebeat keystore create
    
  4. Add the default username and password admin:admin to the secrets keystore.

    # echo admin | filebeat keystore add username --stdin --force
    # echo admin | filebeat keystore add password --stdin --force
    
  5. Download the alerts template for the Wazuh indexer.

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.3/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  6. Install the Wazuh module for Filebeat.

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
    

Deploying certificates

Note

Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.

  1. Replace <server-node-name> with your Wazuh server node certificate name, the same one used in config.yml when creating the certificates. Then, move the certificates to their corresponding location.

    # NODE_NAME=<server-node-name>
    
    # mkdir /etc/filebeat/certs
    # tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
    # mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
    # mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
    # chmod 500 /etc/filebeat/certs
    # chmod 400 /etc/filebeat/certs/*
    # chown -R root:root /etc/filebeat/certs
    

Starting the Filebeat service

  1. Enable and start the Filebeat service.

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    
  2. Run the following command to verify that Filebeat is successfully installed.

    # filebeat test output
    

    Expand the output to see an example response.

    elasticsearch: https://127.0.0.1:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 127.0.0.1
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2
    

Your Wazuh server node is now successfully installed. Repeat this stage of the installation process for every Wazuh server node in your Wazuh cluster, then proceed with configuring the Wazuh cluster. If you want a Wazuh server single-node cluster, everything is set and you can proceed directly with Installing the Wazuh dashboard step by step.

2. Cluster configuration for multi-node deployment

After completing the installation of the Wazuh server on every node, you need to configure one server node only as the master and the rest as workers.

Configuring the Wazuh server master node

  1. Edit the following settings in the /var/ossec/etc/ossec.conf configuration file.

    <cluster>
      <name>wazuh</name>
      <node_name>master-node</node_name>
      <node_type>master</node_type>
      <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
        <node>wazuh-master-address</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    

    Parameters to be configured:

    name

    It indicates the name of the cluster.

    node_name

    It indicates the name of the current node.

    node_type

    It specifies the role of the node. It has to be set to master.

    key

    Key that is used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key: openssl rand -hex 16.

    port

    It indicates the destination port for cluster communication.

    bind_addr

    It is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 for any IP).

    nodes

    It is the address of the master node and can be either an IP or a DNS. This parameter must be specified in all nodes, including the master itself.

    hidden

    It shows or hides the cluster information in the generated alerts.

    disabled

    It indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

  2. Restart the Wazuh manager.

    # systemctl restart wazuh-manager
    

Configuring the Wazuh server worker nodes

  1. Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file.

    <cluster>
        <name>wazuh</name>
        <node_name>worker-node</node_name>
        <node_type>worker</node_type>
        <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
        <port>1516</port>
        <bind_addr>0.0.0.0</bind_addr>
        <nodes>
            <node>wazuh-master-address</node>
        </nodes>
        <hidden>no</hidden>
        <disabled>no</disabled>
    </cluster>
    

    Parameters to be configured:

    name

    It indicates the name of the cluster.

    node_name

    It indicates the name of the current node. Each node of the cluster must have a unique name.

    node_type

    It specifies the role of the node. It has to be set as worker.

    key

    The key created previously for the master node. It has to be the same for all the nodes.

    nodes

    It has to contain the address of the master node and can be either an IP or a DNS.

    disabled

    It indicates whether the node is enabled or disabled in the cluster. It has to be set to no.

  2. Restart the Wazuh manager.

    # systemctl restart wazuh-manager
    

Repeat these configuration steps for every Wazuh server worker node in your cluster.

Testing Wazuh server cluster

To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:

# /var/ossec/bin/cluster_control -l

An example output of the command looks as follows:

  NAME         TYPE    VERSION  ADDRESS
  master-node  master  4.7.3   10.0.0.3
  worker-node1 worker  4.7.3   10.0.0.4
  worker-node2 worker  4.7.3   10.0.0.5

Note that 10.0.0.3, 10.0.0.4, 10.0.0.5 are example IPs.

Next steps

The Wazuh server installation is now complete, and you can proceed with Installing the Wazuh dashboard step by step.

If you want to uninstall the Wazuh server, see Uninstall the Wazuh server.