Getting started with Wazuh: Installation and Configuration Guide
Introduction
Wazuh is a popular open-source security platform that provides an extensive range of threat detection, visibility, and response capabilities. It is designed to help organizations monitor and manage their security posture more effectively by collecting, analyzing, and correlating security-related data from various sources across their network infrastructure. The platform combines host-based intrusion detection (HIDS), log analysis, and security event correlation to detect, identify, and respond to potential security incidents.
At its core, Wazuh consists of three primary components: the Wazuh server, agents, and the Wazuh app. The Wazuh server is responsible for collecting and analyzing security data from various sources, while the agents are installed on the monitored endpoints to collect security-relevant data such as system events, network traffic, and file integrity. The Wazuh app provides a web-based user interface that allows security analysts to view and analyze security events, configure rules, and manage the Wazuh infrastructure. With its robust feature set and flexible architecture, Wazuh has become a popular choice for security professionals who seek to improve their organization’s security posture while minimizing the risk of security breaches.
Preparing for the Installation
Operating System
Wazuh agents can be installed on various operating systems, including CentOS, Debian, Ubuntu, Windows, and macOS. The server-side components in this guide are installed on a Debian-based system using apt.
Hardware Specifications
Hardware requirements depend heavily on the number of protected endpoints and cloud workloads.
Software Dependencies
Wazuh requires several software components, including the Elastic Stack, Filebeat, and the Wazuh Manager. The Elastic Stack is a set of open-source tools for data processing and analysis, including Elasticsearch, Logstash, and Kibana; this guide uses the Open Distro for Elasticsearch distribution of Elasticsearch and Kibana, which bundles the security plugin used below. Filebeat is a lightweight agent that collects log data from different sources and forwards it to Elasticsearch. The Wazuh Manager is the central component of the Wazuh architecture: it receives data from the Wazuh agents and processes it to generate alerts and notifications.
Step-by-Step Installation
Add the Wazuh repository
apt install -y curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
Install Wazuh Manager
apt install -y wazuh-manager
systemctl daemon-reload
systemctl enable --now wazuh-manager
systemctl status wazuh-manager
Install Elasticsearch
Install packages
apt install -y elasticsearch-oss opendistroforelasticsearch
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
Create certificates
rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
bash ~/wazuh-cert-tool.sh
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
Disable Log4j message lookups
mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
Enable and start Elasticsearch
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
Load the security configuration with securityadmin
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
Install Filebeat
Install package
apt install -y filebeat
Configure Filebeat
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Install the Wazuh Filebeat module
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Copy certificates
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
Enable and start Filebeat
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
Test the Filebeat output connection to Elasticsearch
filebeat test output
Install Kibana
Install package
apt install -y opendistroforelasticsearch-kibana
Download the Kibana configuration
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
Prepare the data directory
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
Install the Wazuh Kibana plugin
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.10.2-1.zip
Copy the Kibana certificates
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
Allow Kibana to bind to privileged ports (setcap)
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start Kibana
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
Add Wazuh Agent (Linux)
Get the agent setup command
Open the Wazuh web interface at https://<ip_wazuh_manager>
Set the Wazuh manager address; the interface generates the deployment command:
curl -so wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb && sudo WAZUH_MANAGER='172.100.1.11' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.2.6.deb
Set up the agent
Set up the repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
Install and register agent
curl -so wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb && sudo WAZUH_MANAGER='172.100.1.11' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.2.6.deb
Enable and start agent service
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Verification
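Two checks worth running once the agent service is up, as an added example that is not part of this guide: that the agent's ossec.conf carries the manager address and group passed through WAZUH_MANAGER and WAZUH_AGENT_GROUP, and that the manager's alerts.json, the file Filebeat ships to Elasticsearch, already shows alerts from the new agent. The ossec.conf fragment and the alert lines are constructed samples, and the rule ids in them are illustrative.

```python
"""Post-deployment checks for a Wazuh agent (added example, not from the guide):
the agent's ossec.conf points at the manager/group given via WAZUH_MANAGER and
WAZUH_AGENT_GROUP, and the manager's alerts.json already carries its alerts."""
import json
import xml.etree.ElementTree as ET

EXPECTED_MANAGER = "172.100.1.11"  # manager address used in the guide
EXPECTED_GROUP = "default"         # WAZUH_AGENT_GROUP used in the guide

def check_agent_config(conf_text, manager=EXPECTED_MANAGER, group=EXPECTED_GROUP):
    """Return problems found in the agent's <client> block; an empty list means OK.
    /var/ossec/etc/ossec.conf may hold several top-level <ossec_config> elements,
    which is not well-formed XML, so the text is wrapped in a synthetic root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    problems = []
    addresses = [s.findtext("address", "").strip()
                 for s in root.findall("./ossec_config/client/server")]
    if manager not in addresses:
        problems.append("manager %s not configured (found %s)" % (manager, addresses))
    groups = root.findtext("./ossec_config/client/enrollment/groups", "")
    if group not in [g.strip() for g in groups.split(",")]:
        problems.append("enrollment group %r missing (found %r)" % (group, groups))
    return problems

def alerts_from_agent(alert_lines, agent_name, min_level=0):
    """Return alerts.json entries (one JSON object per line) raised by agent_name
    with rule.level >= min_level. Malformed lines are skipped, not fatal."""
    found = []
    for line in alert_lines:
        try:
            alert = json.loads(line)
        except ValueError:  # partial line, e.g. left behind by log rotation
            continue
        if alert.get("agent", {}).get("name") != agent_name:
            continue
        if int(alert.get("rule", {}).get("level", 0)) >= min_level:
            found.append(alert)
    return found

# Constructed sample input, not captured from a real deployment.
SAMPLE_CONF = """<ossec_config><client><server><address>172.100.1.11</address><port>1514</port>
</server><enrollment><enabled>yes</enabled><groups>default</groups></enrollment></client>
</ossec_config><ossec_config><active-response><disabled>no</disabled></active-response></ossec_config>"""
SAMPLE_ALERTS = [
    '{"timestamp":"2023-03-01T10:00:01.000+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","groups":["ossec"]},"agent":{"id":"001","name":"web01"}}',
    '{"timestamp":"2023-03-01T10:04:12.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","groups":["syslog","sshd"]},"agent":{"id":"001","name":"web01"}}',
    '{"timestamp":"2023-03-01T10:04:13.000+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","groups":["ossec"]},"agent":{"id":"000","name":"wazuh-manager"}}',
    'truncated line left by log rotation {',
]
```

On a live system, feed check_agent_config the contents of /var/ossec/etc/ossec.conf on the agent and alerts_from_agent the lines of /var/ossec/logs/alerts/alerts.json on the manager; an empty problem list and at least one alert from the new agent name confirm enrollment end to end.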
Conclusion
In summary, Wazuh is a comprehensive security platform that gives organizations the tools they need to detect and respond to security threats in real time.
Documentation by Aji Arya