Step-by-Step Guide to Installing Wazuh and Wazuh Agent for Enhanced Security Monitoring

Amine Moussa
4 min read · May 28, 2024


Introduction:

Keeping your systems secure is more important than ever. Wazuh is a free, open source security platform: agents on your hosts ship logs, file integrity events and vulnerability data to a central manager, which stores alerts in an indexer and presents them in a web dashboard. In this guide we install all three server components on one Ubuntu/Debian host, first with the Wazuh 4.7 installation assistant and then manually so you can see what each piece does, and finish by enrolling an agent. Whether you manage IT systems or are just interested in cybersecurity, this will get you a working Wazuh deployment. Let’s get started!

Step 1: Update System Packages

Open your terminal and run the following command to update your system packages:

sudo apt update

Switch to the root user (the rest of this guide assumes a root shell):

sudo su

Step 2: Quick Install Wazuh

Download and execute the Wazuh installation assistant script. The -a flag performs an all-in-one install (indexer, server and dashboard on this host). The script runs as root, so read it once after downloading and before executing it:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Step 3: Access the Wazuh Dashboard

Once the installation finishes, the assistant prints the admin username and a generated password. Copy them: they are shown only once on the terminal (they are also kept, together with the generated certificates, in the wazuh-install-files.tar the assistant leaves in the working directory, so protect or remove that archive). Open the dashboard in your browser using the server IP:

https://your_server_ip

Expect a certificate warning, because the dashboard certificate is issued by the root CA the assistant generated, not by a public CA. Log in using the provided credentials.

Manual Installation (For Detailed Understanding)

Step 1: Create a Working Directory

Create a folder for all setup files:

mkdir wazuh-installer
cd wazuh-installer

Step 2: Certificate Creation

Download the certificate creation script and configuration file:

curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.7/config.yml

Edit config.yml. It holds one list per role (indexer, server, dashboard); each entry is a node name plus the IP address or DNS name the certificate will be issued for, so the IP must be the one clients will actually connect to. The node names you choose here become the file names the tool emits (node-1.pem, node-1-key.pem and so on) and are reused as NODE_NAME in the deploy steps below.

Run the certificate creation script:

bash ./wazuh-certs-tool.sh -A

Bundle the generated certificates into a tar file. The archive also contains root-ca.key, which can sign new node and admin certificates for this deployment, so keep it off shared storage and delete it once every node has its files:

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates
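The following script is an added example, not code from the original post or from Wazuh. It writes the config.yml that wazuh-certs-tool.sh reads, for a single host carrying all three roles, and then checks the resulting wazuh-certificates.tar for every file the deploy steps will try to extract. The node names node-1, wazuh-1 and dashboard are the ones in Wazuh's default config.yml; the 10.0.0.5 address is an assumption, replace it with your host's IP.

```shell
#!/bin/sh
# Added example (not from the original post or from Wazuh): generate config.yml
# for wazuh-certs-tool.sh and verify the certificate bundle before deploying it.
# Assumed: one host runs indexer, server and dashboard; node names below are the
# defaults from Wazuh's config.yml; HOST_IP 10.0.0.5 is a placeholder.
set -eu

INDEXER_NODE="${INDEXER_NODE:-node-1}"
SERVER_NODE="${SERVER_NODE:-wazuh-1}"
DASHBOARD_NODE="${DASHBOARD_NODE:-dashboard}"
HOST_IP="${HOST_IP:-10.0.0.5}"

# Emit config.yml in the layout the 4.x certs tool expects: a list of nodes per
# role, each with a name and the IP (or DNS name) that goes into the cert's SAN.
write_config_yml() {
    cat <<EOF
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: ${INDEXER_NODE}
      ip: "${HOST_IP}"
  # Wazuh server nodes (node_type is only needed with more than one server)
  server:
    - name: ${SERVER_NODE}
      ip: "${HOST_IP}"
  # Wazuh dashboard nodes
  dashboard:
    - name: ${DASHBOARD_NODE}
      ip: "${HOST_IP}"
EOF
}

# Files the tool generates: the root CA pair, the admin client certificate that
# indexer-security-init.sh uses, and a cert/key pair per node name.
expected_cert_files() {
    printf '%s\n' root-ca.pem root-ca.key admin.pem admin-key.pem
    for n in "$INDEXER_NODE" "$SERVER_NODE" "$DASHBOARD_NODE"; do
        printf '%s.pem\n%s-key.pem\n' "$n" "$n"
    done
}

# Return 0 if every expected file is in the tarball, otherwise list the missing
# names on stderr and return 1. This catches a node-name typo in config.yml
# before "tar -xf ... ./$NODE_NAME.pem" fails halfway through a deploy step.
check_bundle() {
    bundle="$1"
    listing="$(tar -tf "$bundle" | sed 's|^\./||')"
    missing=0
    for f in $(expected_cert_files); do
        if ! printf '%s\n' "$listing" | grep -qx "$f"; then
            echo "missing from $bundle: $f" >&2
            missing=1
        fi
    done
    return $missing
}

write_config_yml > "${CONFIG_OUT:-config.yml}"
echo "wrote config.yml for nodes: $INDEXER_NODE $SERVER_NODE $DASHBOARD_NODE"
# After "bash ./wazuh-certs-tool.sh -A" and the tar command above, check the bundle:
if [ -f ./wazuh-certificates.tar ]; then
    check_bundle ./wazuh-certificates.tar && echo "bundle complete"
fi
```

Run it in the wazuh-installer directory before the certs tool to produce config.yml, and again after the tar step to confirm the bundle is complete; the names you export as INDEXER_NODE, SERVER_NODE and DASHBOARD_NODE are the values to use for NODE_NAME in the indexer, Filebeat and dashboard steps respectively.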

Step 3: Install Wazuh Indexer

Install Dependencies

Install necessary packages:

apt-get install debconf adduser procps
apt-get install gnupg apt-transport-https

Add Wazuh Repository and Install Indexer

Add the GPG key and repository:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update package information and install the Wazuh indexer:

apt-get update
apt-get -y install wazuh-indexer

Configure Indexer

Edit /etc/wazuh-indexer/opensearch.yml: set network.host to the IP you gave the indexer node in config.yml (the certificate is only valid for that address), node.name to that node's name (node-1 in the default file), and cluster.initial_master_nodes to a list containing the same name.

Deploy the certificates. NODE_NAME must be the indexer node name from config.yml:

NODE_NAME=node-1
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Start the Wazuh indexer service:

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Verify the service status:

systemctl status wazuh-indexer

Initialize Cluster

Run the indexer security initialization script:

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

Verify the installation. The -k flag skips certificate verification, which is acceptable only for this first check from the host itself; admin:admin is the default password until you change it:

curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v

Step 4: Install Wazuh Server

Install Wazuh Manager

Install the Wazuh manager package:

apt-get -y install wazuh-manager

Start the Wazuh manager service:

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Verify the manager status:

systemctl status wazuh-manager

Install and Configure Filebeat

Install Filebeat:

apt-get -y install filebeat

Download the preconfigured Filebeat configuration file:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml

Edit /etc/filebeat/filebeat.yml and set the hosts entry under output.elasticsearch to your Wazuh indexer IP (replacing 127.0.0.1). The template already points ssl.certificate_authorities, ssl.certificate and ssl.key at /etc/filebeat/certs, which is where the next steps place the files.

Create a Filebeat keystore and add the indexer credentials. The template references them as ${username} and ${password}, so the real password lives in the keystore rather than in filebeat.yml; admin/admin below is the indexer default and must be updated here whenever you change it:

filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force

Download the alerts template for the Wazuh indexer:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module

Deploy the certificates for Filebeat. This time NODE_NAME is the server node name from config.yml (wazuh-1 in the default file), not the indexer name; reusing node-1 here would give Filebeat the indexer's certificate and key, and the extraction would fail or the wrong identity would be used:

NODE_NAME=wazuh-1
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Start the Filebeat service:

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Verify that Filebeat can reach the indexer over TLS with the configured credentials and certificates:

filebeat test output

Step 5: Install Wazuh Dashboard

Install Dependencies

Install necessary packages:

apt-get install debhelper tar curl libcap2-bin

Install and Configure Wazuh Dashboard

Install the Wazuh dashboard package:

apt-get -y install wazuh-dashboard

Edit /etc/wazuh-dashboard/opensearch_dashboards.yml: set server.host to the IP the dashboard should listen on (0.0.0.0 for all interfaces) and opensearch.hosts to https://<your indexer IP>:9200, the same address the indexer certificate was issued for.

Deploy the certificates. Here NODE_NAME is the dashboard node name from config.yml (dashboard in the default file):

NODE_NAME=dashboard
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
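The three certificate deployments above (indexer, Filebeat, dashboard) all rely on the same 500/400 permissions and a specific owner, and the indexer check earlier used curl -k, which skips certificate verification. The script below is an added example, not code from the original post or from Wazuh: it audits a deployed certs directory for exactly those permissions and owner, and queries the indexer while verifying its certificate against the deployment's own root-ca.pem instead of -k. The paths are this guide's defaults; the credentials and the 10.0.0.5 address are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Wazuh): audit a deployed
# certs directory and query the indexer with CA verification instead of "curl -k".
# Assumed: GNU stat (Debian/Ubuntu), the cert paths used in this guide, and
# INDEXER_USER/INDEXER_PASS defaulting to the admin:admin install defaults.
set -eu

# Print "<octal mode> <owner>" for a path.
mode_owner() {
    stat -c '%a %U' "$1"
}

# Return 0 if the directory is mode 500 and every file in it is mode 400, all
# owned by the expected user; report each deviation on stderr. A readable
# *-key.pem hands that service's TLS identity to any local user.
check_certs_dir() {
    dir="$1"; owner="$2"; rc=0
    [ "$(mode_owner "$dir")" = "500 $owner" ] || { echo "bad dir: $dir ($(mode_owner "$dir"))" >&2; rc=1; }
    for f in "$dir"/*; do
        [ "$(mode_owner "$f")" = "400 $owner" ] || { echo "bad file: $f ($(mode_owner "$f"))" >&2; rc=1; }
    done
    return $rc
}

# Cluster health from the indexer, verifying its certificate against the root
# CA that signed it. If this fails where "curl -k" worked, the node certificate
# was not issued for the address being queried (check the ip in config.yml).
indexer_health() {
    curl -s --cacert /etc/wazuh-indexer/certs/root-ca.pem \
        -u "${INDEXER_USER:-admin}:${INDEXER_PASS:-admin}" \
        "https://${1}:9200/_cluster/health?pretty"
}

# Demo on a constructed directory (not the real certs) so the checker can be
# exercised as any user before running it against /etc.
demo="$(mktemp -d)/certs"
mkdir -p "$demo"
: > "$demo/root-ca.pem"; : > "$demo/indexer.pem"; : > "$demo/indexer-key.pem"
chmod 500 "$demo"; chmod 400 "$demo"/*
me="$(id -un)"
check_certs_dir "$demo" "$me" && echo "demo certs dir ok"
chmod 644 "$demo/indexer-key.pem"   # simulate a deployment mistake
check_certs_dir "$demo" "$me" || echo "demo certs dir rejected as expected"
chmod -R u+rwx "$demo"; rm -r "$(dirname "$demo")"

# On the real host, as root:
#   check_certs_dir /etc/wazuh-indexer/certs   wazuh-indexer
#   check_certs_dir /etc/filebeat/certs        root
#   check_certs_dir /etc/wazuh-dashboard/certs wazuh-dashboard
#   indexer_health 10.0.0.5
```

Source the script in a root shell and run the four commands listed at the end against your own indexer IP; a non-zero exit from check_certs_dir names the offending path, and a TLS failure from indexer_health points at a mismatch between the queried address and the ip entry that certificate was generated for.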

Start the Wazuh dashboard service:

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

Access the Wazuh dashboard:

https://<wazuh-dashboard-ip>

Log in with the default credentials:

  • Username: admin
  • Password: admin

These defaults are identical on every manual install, so change them before the dashboard is reachable from anywhere else; Wazuh provides wazuh-passwords-tool.sh for that. After changing the admin password, update the Filebeat keystore entry created above to match, or alerts stop reaching the indexer.

Step 6: Install Wazuh Agent

On each client machine, download the agent package and install it. The Debian package for 4.7.2 is published in the Wazuh apt pool; setting WAZUH_MANAGER during installation writes the manager address into the agent configuration for you:

curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.2-1_amd64.deb
sudo WAZUH_MANAGER='<wazuh-manager-ip>' dpkg -i wazuh-agent_4.7.2-1_amd64.deb

If you skip the variable, edit /var/ossec/etc/ossec.conf and replace the MANAGER_IP placeholder in <client><server><address> with the manager's IP address. Then enable and start the wazuh-agent service with systemctl, as for the server components. The agent registers with the manager on 1514/tcp, so that port must be reachable from every client.

Verify that the agent service is running; a successful connection also shows up as "Connected to the server" in /var/ossec/logs/ossec.log and as an active agent in the dashboard:

sudo systemctl status wazuh-agent
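An agent that is running is not necessarily reporting: a wrong manager address or a blocked port 1514 leaves the service active while ossec.log fills with connection errors. The script below is an added example, not code from the original post or from Wazuh. It sets the manager address in an ossec.conf, then reads the agent log to decide whether the connection actually succeeded. The default /var/ossec paths are Wazuh's; the sample configuration, the sample log lines and the 10.0.0.2 manager address are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from Wazuh): point an agent at its
# manager and confirm from ossec.log that it connected. Assumed: the agent package
# is installed under /var/ossec (the default), the manager listens on 1514/tcp,
# and the live functions run as root.
set -eu

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"

# Print the manager address configured in <client><server><address>.
get_manager_address() {
    sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# Replace the manager <address> in an ossec.conf ($1) with $2 (IP or DNS name).
set_manager_address() {
    conf="$1"; manager="$2"
    sed "s|<address>[^<]*</address>|<address>${manager}</address>|" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Succeed only if the agent log records a successful connection. wazuh-agentd
# logs "Connected to the server (<ip>:1514/tcp)" once it gets through; "Unable
# to connect" lines mean the address is wrong or 1514/tcp is filtered.
agent_connected() {
    grep -q 'Connected to the server' "$1"
}

# Last connection-related line, for the case where agent_connected fails.
last_connection_message() {
    grep -E 'Connected to the server|Unable to connect|Lost connection' "$1" | tail -n 1
}

# Live procedure for a real host (run as root): configure, then (re)start.
configure_live_agent() {
    set_manager_address "$OSSEC_CONF" "$1"
    systemctl daemon-reload
    systemctl enable --now wazuh-agent
}

# Demo on a constructed config and log (not real files) so the helpers can be
# tried on any machine before touching /var/ossec.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/ossec.conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
cat > "$demo_dir/ossec.log" <<'EOF'
2024/05/28 10:00:01 wazuh-agentd: INFO: Started (pid: 1234).
2024/05/28 10:00:02 wazuh-agentd: ERROR: (1216): Unable to connect to 'MANAGER_IP': 'Name or service not known'.
2024/05/28 10:00:20 wazuh-agentd: INFO: (4102): Connected to the server (10.0.0.2:1514/tcp).
EOF

set_manager_address "$demo_dir/ossec.conf" 10.0.0.2
echo "configured manager: $(get_manager_address "$demo_dir/ossec.conf")"
if agent_connected "$demo_dir/ossec.log"; then
    echo "agent status: connected"
else
    echo "agent status: NOT connected; last message: $(last_connection_message "$demo_dir/ossec.log")"
fi
rm -r "$demo_dir"
```

On a real client, source the script as root and run configure_live_agent with your manager's address, wait a few seconds, then check agent_connected "$OSSEC_LOG"; if it fails, last_connection_message "$OSSEC_LOG" usually tells you whether the problem is name resolution, a refused connection or a lost session.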

Conclusion

You now have a single-host Wazuh deployment (indexer, manager and dashboard) with at least one agent reporting to it, which gives you log collection, file integrity monitoring and vulnerability detection out of the box. Before relying on it, change the default admin password, keep the certificate bundle and install archive out of reach, and restrict access to the dashboard and to port 1514 on the manager. For multi-node clusters and advanced configuration, refer to the official Wazuh documentation.
