Wazuh server node(s) installation

Once the certificates have been created and copied to the new node(s), you can now proceed with installing and configuring the new Wazuh server as a worker node.

Adding the Wazuh repository

Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

For RHEL-compatible systems version 8 and earlier, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

For RHEL-compatible systems version 9 and later, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Install the following packages if missing:

# apt-get install gnupg apt-transport-https

Install the GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information:
```
# apt-get update
```

Installing the Wazuh manager

Install the Wazuh manager package.

# yum -y install wazuh-manager

# apt-get -y install wazuh-manager

Enable and start the Wazuh manager service.

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

RPM-based operating system:

# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:

# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Check the Wazuh manager status to ensure it is up and running.
# systemctl status wazuh-manager
# service wazuh-manager status

Install and configure Filebeat

Install the Filebeat package.

# yum -y install filebeat

# apt-get -y install filebeat

Download the preconfigured Filebeat configuration file:

# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.14/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
- hosts which represents the list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer IP address accordingly.
  
  If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]:
```
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: <WAZUH_INDEXER_IP_ADDRESS>:9200
  protocol: https
```
Create a Filebeat keystore to securely store authentication credentials:
```
# filebeat keystore create
```

Add the admin user and password to the secrets keystore:

# echo admin | filebeat keystore add username --stdin --force
# echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force

In case you are running an all-in-one deployment and using the default admin password, you could get it by running the following command:

# sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Download the alerts template for the Wazuh indexer:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.14.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module

Deploying certificates

Run the following commands in the directory where the wazuh-certificates.tar file was copied to, replacing <NEW_WAZUH_SERVER_NODE_NAME> with the name of the Wazuh server node you are configuring as defined in /root/config.yml. This deploys the SSL certificates to encrypt communications between the Wazuh central components:

Create an environment variable to store the node name:
```
NODE_NAME=<NEW_WAZUH_SERVER_NODE_NAME>
```

Deploy the certificates:

# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs

Starting the service

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

RPM based operating system:

# chkconfig --add filebeat
# service filebeat start

Debian-based operating system:

# update-rc.d filebeat defaults 95 10
# service filebeat start

Run the following command to verify that Filebeat is successfully installed:

# filebeat test output

An example output is shown below:

elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Configuring the Wazuh server worker nodes

Configure the Wazuh server worker node to enable cluster mode by editing the following settings in the /var/ossec/etc/ossec.conf file:
```
<cluster>
    <name>wazuh</name>
    <node_name><NEW_WAZUH_SERVER_NODE_NAME></node_name>
    <node_type>worker</node_type>
    <key><ENCRYPTION_KEY></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><MASTER_NODE_IP_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>
```
The configurable fields in the above section of the ossec.conf file are as follows:
- <name> indicates the name of the cluster.
- <node_name> indicates the name of the current node. Each node of the cluster must have a unique name. Replace <NEW_WAZUH_SERVER_NODE_NAME> with the name specified in the /root/config.yml file.
- <node_type> specifies the role of the node. It has to be set as a worker.
- <key> represents the key created previously for the master node. It has to be the same for all the nodes. In case you have an already distributed infrastructure, copy this key from the master node’s /var/ossec/etc/ossec.conf file.
- <port> indicates the destination port for cluster communication. Leave the default as 1516.
- <bind_addr> is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
- <nodes> contain the address of the master node which can be either an IP or a DNS hostname. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.
- <hidden> shows or hides the cluster information in the generated alerts.
- <disabled> indicates whether the node is enabled or disabled in the cluster. This option must be set to no.
You can learn more about the available configuration options in the cluster reference guide.

Restart the Wazuh manager service.

# systemctl restart wazuh-manager

# service wazuh-manager restart