Getting started with Wazuh: Installation and Configuration Guide

By Btech Engineering, Apr 28, 2023

Introduction

Wazuh is a popular open-source security platform that provides an extensive range of threat detection, visibility, and response capabilities. It is designed to help organizations monitor and manage their security posture more effectively by collecting, analyzing, and correlating security-related data from sources across their network infrastructure. The platform combines host-based intrusion detection (HIDS), log analysis, and security event correlation to detect, identify, and respond to potential security incidents.

At its core, Wazuh consists of three primary components: the Wazuh server, agents, and the Wazuh app. The Wazuh server is responsible for collecting and analyzing security data from various sources, while the agents are installed on the monitored endpoints to collect security-relevant data such as system events, network traffic, and file integrity. The Wazuh app provides a web-based user interface that allows security analysts to view and analyze security events, configure rules, and manage the Wazuh infrastructure. With its robust feature set and flexible architecture, Wazuh has become a popular choice for security professionals who seek to improve their organization’s security posture while minimizing the risk of security breaches.

Preparing for the Installation

Operating System

Wazuh can be installed on various operating systems, including CentOS, Debian, Ubuntu, Windows, and macOS.

Hardware Specifications

Hardware requirements depend heavily on the number of protected endpoints and cloud workloads; see the Wazuh documentation for sizing guidance.

Software Dependencies

Wazuh requires several software components: the Wazuh manager, Filebeat, and an Elastic Stack backend. Elastic Stack is a set of open-source tools for data processing and analysis, including Elasticsearch, Logstash, and Kibana; this guide uses only Elasticsearch and Kibana (the Open Distro for Elasticsearch builds), because Filebeat ships the manager's alerts directly to Elasticsearch and Logstash is not needed. Filebeat is a lightweight shipper that collects log data from different sources and forwards it to Elasticsearch. The Wazuh manager is the central component of the Wazuh architecture: it receives data from the Wazuh agents and processes it to generate alerts and notifications.

Step-by-Step Installation

Add the Wazuh repository (the server-side commands below are run as root)

apt install -y curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

Install Wazuh Manager

apt install -y wazuh-manager

systemctl daemon-reload
systemctl enable --now wazuh-manager
systemctl status wazuh-manager

Install Elasticsearch

Install packages and download the configuration

apt install -y elasticsearch-oss opendistroforelasticsearch

curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

Create certificates

rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml

bash ~/wazuh-cert-tool.sh

mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/

Disable Log4j message lookups

mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options

systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

Install Filebeat

Install package

apt install -y filebeat

Configure Filebeat

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh Filebeat module

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Copy certificates

mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/

Enable and start Filebeat

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Test the Filebeat output (confirms Filebeat can reach Elasticsearch over TLS)

filebeat test output

Install Kibana

Install package

apt install -y opendistroforelasticsearch-kibana

Download the Kibana configuration

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml

Prepare the data directory

mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data

Install the Wazuh Kibana plugin

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.10.2-1.zip

Copy the Kibana certificates

mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*

Allow Kibana to bind port 443 (the all-in-one kibana.yml serves on 443, which needs this capability as a non-root user)

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Enable and start Kibana

systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
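The internal_users.yml downloaded in the Elasticsearch step ships with well-known default password hashes, so rotate at least the admin user before exposing the stack. The script below is an added example, not part of the original post or a Wazuh-provided tool; its paths are the ones used in this guide and the --apply flag belongs to this script only.

```shell
#!/bin/sh
# Rotate the Open Distro "admin" password hash in the internal_users.yml
# downloaded in the Elasticsearch step above, then push it to the cluster
# with securityadmin.sh (the same command used in the installation).
# Added example, not a Wazuh-provided tool; paths match this guide's layout.
set -eu
SEC_DIR=/usr/share/elasticsearch/plugins/opendistro_security
USERS_YML="$SEC_DIR/securityconfig/internal_users.yml"
CERTS=/etc/elasticsearch/certs

# user_hash FILE USER: print the "hash:" value stored under the USER key.
user_hash() {
  awk -v u="$2" '
    $0 == (u ":")        { inuser = 1; next }
    inuser && /^[^ ]/    { inuser = 0 }
    inuser && /^ +hash:/ { sub(/^ +hash: */, ""); gsub(/"/, ""); print; exit }
  ' "$1"
}

# set_user_hash FILE USER HASH: rewrite only that user's "hash:" line;
# reserved flags, backend_roles and the other users are left untouched.
set_user_hash() {
  awk -v u="$2" -v h="$3" '
    $0 == (u ":")        { inuser = 1; print; next }
    inuser && /^[^ ]/    { inuser = 0 }
    inuser && /^ +hash:/ { print "  hash: \"" h "\""; inuser = 0; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Live rotation: runs only when asked explicitly, as root, on the Wazuh host.
if [ "${1:-}" = "--apply" ]; then
  NEW_PASS=$(head -c 24 /dev/urandom | base64 | tr -d '/+=')
  export JAVA_HOME=/usr/share/elasticsearch/jdk/
  NEW_HASH=$("$SEC_DIR/tools/hash.sh" -p "$NEW_PASS")
  set_user_hash "$USERS_YML" admin "$NEW_HASH"
  "$SEC_DIR/tools/securityadmin.sh" -cd "$SEC_DIR/securityconfig/" -nhnv \
    -cacert "$CERTS/root-ca.pem" -cert "$CERTS/admin.pem" -key "$CERTS/admin-key.pem"
  echo "New admin password: $NEW_PASS"
  echo "Filebeat authenticates as admin: update output.elasticsearch.password in"
  echo "/etc/filebeat/filebeat.yml, then run: systemctl restart filebeat"
fi
```

Without --apply the script only defines the two helpers, so it can be sourced and tried against a copy of the file first.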

Add Wazuh Agent (Linux)

Get the agent setup command

Open the Wazuh app in Kibana at https://<ip_wazuh_manager> and use the agent deployment wizard to generate the install command.

Debian/Ubuntu

Set the Wazuh manager address (172.100.1.11 in this example); the wizard produces a command like:

curl -so wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb && sudo WAZUH_MANAGER='172.100.1.11' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.2.6.deb

Set up the agent on the endpoint

Add the Wazuh repository

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

Install and register agent

curl -so wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb && sudo WAZUH_MANAGER='172.100.1.11' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.2.6.deb

Enable and start agent service

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Verification
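As an added example (not from the original post or the Wazuh project), this script checks enrollment from both sides: on the manager it parses agent_control -l for agents that are not Active, and on the endpoint it reads the agent state file. The state file path and its key names are assumptions from typical 4.x agents; the --manager and --agent flags belong to this script only.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that agents enrolled
# with the commands above are really reporting, from both sides.
# Manager side: `/var/ossec/bin/agent_control -l` prints one line per agent:
#   ID: 001, Name: web01, IP: any, Active
# The last comma-separated field is the status: Active (Active/Local for
# the manager itself), Disconnected, Never connected or Pending.
# Endpoint side: the agent state file holds status='connected' plus the
# last keepalive time (wazuh-agentd.state is the 4.2 name; assumption here).
set -eu
AGENT_CONTROL=/var/ossec/bin/agent_control
STATE_FILE=/var/ossec/var/run/wazuh-agentd.state

# unhealthy_agents LISTING: print "ID NAME STATUS" for each agent in the
# agent_control -l output that is not Active; the manager (000) is skipped.
unhealthy_agents() {
  printf '%s\n' "$1" | awk -F', ' '
    /^ *ID: / {
      id = substr($1, index($1, ":") + 2)
      name = substr($2, 7)                      # drop the "Name: " prefix
      status = $NF
      if (id != "000" && status !~ /^Active/) print id, name, status
    }'
}

# state_value FILE KEY: read KEY='value' from wazuh-agentd.state.
state_value() {
  sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# Live checks: run with --manager on the Wazuh server, --agent on an endpoint.
case "${1:-}" in
  --manager)
    bad=$(unhealthy_agents "$("$AGENT_CONTROL" -l)")
    if [ -n "$bad" ]; then
      echo "agents not reporting (check firewall to 1514/1515 and the client key):"
      echo "$bad"
    else
      echo "all enrolled agents are active"
    fi ;;
  --agent)
    echo "status=$(state_value "$STATE_FILE" status)"
    echo "last_keepalive=$(state_value "$STATE_FILE" last_keepalive)" ;;
esac
```

An agent listed as Never connected usually means it was registered through the wizard but cannot reach the manager; a stale last_keepalive on the endpoint points at the same connectivity problem from the other end.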

Conclusion

In summary, Wazuh is a comprehensive security platform that provides organizations with the necessary tools to detect and respond to security threats in real-time.

Documentation by Aji Arya


Reference

Wazuh documentation
