Wazuh server node(s) installation

Once the certificates have been created and copied to the new node(s), you can now proceed with installing and configuring the new Wazuh server as a worker node.

Adding the Wazuh repository

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
    

Installing the Wazuh manager

  1. Install the Wazuh manager package.

    # yum -y install wazuh-manager
    
  2. Enable and start the Wazuh manager service.

    # systemctl daemon-reload
    # systemctl enable wazuh-manager
    # systemctl start wazuh-manager
    
  3. Check the Wazuh manager status to ensure it is up and running.

    # systemctl status wazuh-manager
    

Install and configure Filebeat

  1. Install the Filebeat package.

    # yum -y install filebeat
    
  2. Download the preconfigured Filebeat configuration file:

    # curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml
    
  3. Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:

    • hosts, which is the list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost (hosts: ["127.0.0.1:9200"]). Replace it with the IP address of your Wazuh indexer.

      If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]:

    # Wazuh - Filebeat configuration file
    output.elasticsearch:
      hosts: <WAZUH_INDEXER_IP_ADDRESS>:9200
      protocol: https
    
  4. Create a Filebeat keystore to securely store authentication credentials:

    # filebeat keystore create
    
  5. Add the admin user and password to the secrets keystore:

    # echo admin | filebeat keystore add username --stdin --force
    # echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force
    

    If you are running an all-in-one deployment and still use the default admin password, you can retrieve it with the following command:

    # sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
    
  6. Download the alerts template for the Wazuh indexer:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.1/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  7. Install the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
    

Deploying certificates

Run the following commands in the directory to which the wazuh-certificates.tar file was copied, replacing <NEW_WAZUH_SERVER_NODE_NAME> with the name of the Wazuh server node you are configuring, as defined in /root/config.yml. This deploys the SSL certificates that encrypt communications between the Wazuh central components:

  1. Create an environment variable to store the node name:

    NODE_NAME=<NEW_WAZUH_SERVER_NODE_NAME>
    
  2. Deploy the certificates:

    # mkdir /etc/filebeat/certs
    # tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
    # mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
    # mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
    # chmod 500 /etc/filebeat/certs
    # chmod 400 /etc/filebeat/certs/*
    # chown -R root:root /etc/filebeat/certs
    
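The two steps above as a single script, added here as an example and not part of the Wazuh documentation: it refuses to extract anything if the node name does not match an entry in the archive (the usual symptom of a typo against config.yml), then applies the same renames and permissions and verifies the result. The certs directory argument is an assumption so the function can be exercised outside /etc/filebeat.

```shell
#!/usr/bin/env bash
# deploy_filebeat_certs <node_name> <tar_file> [certs_dir]
# Extracts the node's certificates from wazuh-certificates.tar into the
# Filebeat certs directory, renames them as Filebeat expects and locks
# down permissions, as in the manual steps above.
deploy_filebeat_certs() {
  local node_name="$1" tar_file="$2" certs_dir="${3:-/etc/filebeat/certs}" entry
  [ -n "$node_name" ] || { echo "node name is empty" >&2; return 1; }
  [ -f "$tar_file" ] || { echo "missing $tar_file" >&2; return 1; }
  # Check all three entries exist before touching the filesystem
  for entry in "./$node_name.pem" "./$node_name-key.pem" "./root-ca.pem"; do
    tar -tf "$tar_file" | grep -qxF -- "$entry" || {
      echo "$entry not in $tar_file; check the node name against config.yml" >&2
      return 1
    }
  done
  mkdir -p "$certs_dir"
  tar -xf "$tar_file" -C "$certs_dir" "./$node_name.pem" "./$node_name-key.pem" ./root-ca.pem
  # -n: never overwrite certificates that are already in place
  mv -n "$certs_dir/$node_name.pem" "$certs_dir/filebeat.pem"
  mv -n "$certs_dir/$node_name-key.pem" "$certs_dir/filebeat-key.pem"
  chmod 500 "$certs_dir"
  chmod 400 "$certs_dir"/*
  chown -R root:root "$certs_dir" 2>/dev/null || true  # needs root; skipped otherwise
}

# check_filebeat_certs [certs_dir]
# Verifies the files Filebeat will load exist with the expected modes.
check_filebeat_certs() {
  local certs_dir="${1:-/etc/filebeat/certs}" f mode
  [ "$(stat -c %a "$certs_dir")" = "500" ] || { echo "certs dir is not mode 500" >&2; return 1; }
  for f in filebeat.pem filebeat-key.pem root-ca.pem; do
    [ -f "$certs_dir/$f" ] || { echo "$f missing" >&2; return 1; }
    mode=$(stat -c %a "$certs_dir/$f")
    [ "$mode" = "400" ] || { echo "$f is mode $mode, expected 400" >&2; return 1; }
  done
}
```

Run check_filebeat_certs again after any later change to /etc/filebeat/certs; a private key left world-readable is the most common drift.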

Starting the service

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

Run the following command to verify that Filebeat is successfully installed:

# filebeat test output

An example output is shown below:

elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Configuring the Wazuh server worker nodes

  1. Configure the Wazuh server worker node to enable cluster mode by editing the following settings in the /var/ossec/etc/ossec.conf file:

    <cluster>
        <name>wazuh</name>
        <node_name><NEW_WAZUH_SERVER_NODE_NAME></node_name>
        <node_type>worker</node_type>
        <key><ENCRYPTION_KEY></key>
        <port>1516</port>
        <bind_addr>0.0.0.0</bind_addr>
        <nodes>
            <node><MASTER_NODE_IP_ADDRESS></node>
        </nodes>
        <hidden>no</hidden>
        <disabled>no</disabled>
    </cluster>
    

    The configurable fields in the above section of the ossec.conf file are as follows:

    • <name> indicates the name of the cluster.

    • <node_name> indicates the name of the current node. Each node of the cluster must have a unique name. Replace <NEW_WAZUH_SERVER_NODE_NAME> with the name specified in the /root/config.yml file.

    • <node_type> specifies the role of the node. It must be set to worker.

    • <key> represents the key created previously for the master node. It has to be the same for all the nodes. If you already have a distributed infrastructure, copy this key from the master node’s /var/ossec/etc/ossec.conf file.

    • <port> indicates the destination port for cluster communication. Leave the default as 1516.

    • <bind_addr> is the IP address the node binds to for incoming cluster requests (0.0.0.0 means the node listens on all its addresses).

    • <nodes> contains the address of the master node, which can be either an IP address or a DNS hostname. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.

    • <hidden> shows or hides the cluster information in the generated alerts.

    • <disabled> indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

    You can learn more about the available configuration options in the cluster reference guide.

  2. Restart the Wazuh manager service.

    # systemctl restart wazuh-manager
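A pre-restart check for the <cluster> block edited in step 1, added here as an example and not part of the Wazuh documentation. It catches the two mistakes that make the worker fail to join: a <PLACEHOLDER> left in place and a <node_type> other than worker. Only the fields documented above are inspected.

```shell
#!/usr/bin/env bash
# check_worker_cluster_config <ossec.conf>
# Validates the <cluster> block of a worker node's ossec.conf. Returns 0 when
# every documented field is filled in and the node is a worker, 1 otherwise.
check_worker_cluster_config() {
  local conf="$1" block tag value rc=0
  [ -f "$conf" ] || { echo "$conf not found" >&2; return 1; }
  # Isolate <cluster>...</cluster> so other sections of ossec.conf are ignored
  block=$(sed -n '/<cluster>/,/<\/cluster>/p' "$conf")
  [ -n "$block" ] || { echo "no <cluster> block in $conf" >&2; return 1; }
  # First value of a simple <tag>value</tag> element inside the block
  get() { printf '%s\n' "$block" | sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" | head -n1; }
  # Placeholders in the documentation are written <LIKE_THIS>; none may remain
  for tag in name node_name node_type key port bind_addr node hidden disabled; do
    value=$(get "$tag")
    case "$value" in
      "")    echo "<$tag> is missing or empty" >&2; rc=1 ;;
      \<*\>) echo "<$tag> still holds placeholder $value" >&2; rc=1 ;;
    esac
  done
  [ "$(get node_type)" = "worker" ] || { echo "<node_type> must be worker on this node" >&2; rc=1; }
  [ "$(get disabled)" = "no" ] || { echo "<disabled> must be no" >&2; rc=1; }
  [ "$(get port)" = "1516" ] || { echo "<port> should stay at 1516" >&2; rc=1; }
  return "$rc"
}
```

Run it as check_worker_cluster_config /var/ossec/etc/ossec.conf before step 2; a non-zero exit means the restart would bring up a misconfigured node.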