Step-by-Step Guide to Installing Wazuh and Wazuh Agent for Enhanced Security Monitoring
Introduction:
Keeping your systems secure is more important than ever. Wazuh is a powerful, free tool that helps monitor and protect your systems from threats. In this guide, we’ll show you how to install Wazuh and its agent step by step. Whether you’re managing IT systems or just interested in cybersecurity, this guide will help you get started with Wazuh and improve your system’s security. Let’s get started!
Step 1: Update System Packages
Open your terminal and run the following command to update your system packages:
sudo apt update
Switch to the root user:
sudo su
Step 2: Quick Install Wazuh
Download and execute the Wazuh installation assistant script:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Step 3: Access the Wazuh Dashboard
Once the installation is complete, copy the provided credentials from the terminal. Enter the server IP into your web browser to access the Wazuh dashboard:
https://your_server_ip
Log in using the provided credentials.
Manual Installation (For Detailed Understanding)
Step 1: Create a Working Directory
Create a folder for all setup files:
mkdir wazuh-installer
cd wazuh-installer
Step 2: Certificate Creation
Download the certificate creation script and configuration file:
curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.7/config.yml
Edit config.yml and replace the node names and IP addresses.
Run the certificate creation script:
bash ./wazuh-certs-tool.sh -A
Compress the generated certificates:
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates
Step 3: Install Wazuh Indexer
Install Dependencies
Install necessary packages:
apt-get install debconf adduser procps
apt-get install gnupg apt-transport-https
Add Wazuh Repository and Install Indexer
Add the GPG key and repository:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update package information and install the Wazuh indexer:
apt-get update
apt-get -y install wazuh-indexer
Configure Indexer
Edit /etc/wazuh-indexer/opensearch.yml to set network.host, node.name, and cluster.initial_master_nodes.
Deploy certificates:
NODE_NAME=node-1
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
Start the Wazuh indexer service:
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
Verify the service status:
systemctl status wazuh-indexer
Initialize Cluster
Run the indexer security initialization script:
/usr/share/wazuh-indexer/bin/indexer-security-init.sh
Verify installation:
curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
Step 4: Install Wazuh Server
Install Wazuh Manager
Install the Wazuh manager package:
apt-get -y install wazuh-manager
Start the Wazuh manager service:
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Verify the manager status:
systemctl status wazuh-manager
Install and Configure Filebeat
Install Filebeat:
apt-get -y install filebeat
Download the preconfigured Filebeat configuration file:
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
Edit the Filebeat configuration to set your Wazuh indexer address.
Create a Filebeat keystore and add credentials:
filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force
Download the alerts template for the Wazuh indexer:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Install the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
Deploy certificates for Filebeat:
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
Start the Filebeat service:
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
Verify Filebeat installation:
filebeat test output
Step 5: Install Wazuh Dashboard
Install Dependencies
Install necessary packages:
apt-get install debhelper tar curl libcap2-bin
Install and Configure Wazuh Dashboard
Install the Wazuh dashboard package:
apt-get -y install wazuh-dashboard
Edit /etc/wazuh-dashboard/opensearch_dashboards.yml to set server.host and opensearch.hosts.
Deploy certificates:
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
Start the Wazuh dashboard service:
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
Access the Wazuh dashboard:
https://<wazuh-dashboard-ip>
Log in with:
- Username: admin
- Password: admin
Step 6: Install Wazuh Agent
On each client machine, run the following commands to install and configure the Wazuh agent:
curl -sO https://packages.wazuh.com/4.7/wazuh-agent-4.7.2.deb
sudo dpkg -i wazuh-agent-4.7.2.deb
Configure the agent by editing /var/ossec/etc/ossec.conf and specifying the Wazuh manager's IP address, then start the agent service.
Verify the agent installation:
sudo systemctl status wazuh-agent
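The configure-and-start step above, written out as an added shell script that is not part of the original guide: it swaps the manager address into the agent's /var/ossec/etc/ossec.conf (assuming the stock `<client><server><address>` layout, where the package leaves a MANAGER_IP placeholder), refuses input that would break the XML, and then enables and starts wazuh-agent. The script name configure-agent.sh and the sample address 10.0.0.2 are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original guide: point a freshly installed
# Wazuh agent at its manager and start it. Assumes the stock agent ossec.conf
# layout, with the manager in <client><server><address>...</address>.
set -eu

# Accept an IPv4 address or hostname; reject anything that could break the
# XML (angle brackets, spaces, quotes) or is empty.
valid_manager() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Print the first configured manager address from an ossec.conf file.
manager_address() {
    sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# Replace the first <address> element with the given manager. awk is used
# instead of GNU-only sed ranges so this runs on any POSIX system.
set_manager_address() {
    conf=$1; manager=$2
    valid_manager "$manager" || { echo "invalid manager address: $manager" >&2; return 1; }
    grep -q '<address>' "$conf" || { echo "no <address> element in $conf" >&2; return 1; }
    tmp=$(mktemp)
    awk -v ip="$manager" '
        !done && /<address>[^<]*<\/address>/ {
            sub(/<address>[^<]*<\/address>/, "<address>" ip "</address>"); done = 1
        }
        { print }' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # rewrite in place, keeping the file's owner and mode
    rm -f "$tmp"
    [ "$(manager_address "$conf")" = "$manager" ]
}

# The step the guide states in prose: register the unit and start the agent.
start_agent() {
    systemctl daemon-reload
    systemctl enable wazuh-agent
    systemctl start wazuh-agent
}

# Run as root: sh configure-agent.sh --apply <manager-ip>
if [ "${1:-}" = "--apply" ]; then
    set_manager_address /var/ossec/etc/ossec.conf "${2:?manager address required}"
    start_agent
fi
```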
Conclusion
You have successfully installed Wazuh and its agent on your system. Your system is now equipped with powerful monitoring and security capabilities. For more information and advanced configurations, refer to the official Wazuh documentation.