Deploy Wazuh

RoomIT
3 min read · Sep 9, 2024


Wazuh is an open-source security platform that provides comprehensive security monitoring, threat detection, incident response, and compliance management capabilities. It integrates various components to offer a unified solution for Security Information and Event Management (SIEM) and Host-based Intrusion Detection System (HIDS).

Flow

|   Client    |                                Server                                      |
wazuh-agent ---> wazuh-manager ---> filebeat ---> wazuh-indexer / elasticsearch <---> kibana

Wazuh Manager: Responsible for data analysis, log stream processing, threat detection, and security policy enforcement.
Wazuh Agent: Installed on endpoints to collect log data and system metrics, then sends them to the Wazuh Manager.
Wazuh Indexer (OpenSearch): Stores data generated by the Wazuh Manager, enabling querying and analysis.

Wazuh Manager

Install:

apt install -y curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt install -y wazuh-manager
systemctl daemon-reload
systemctl enable --now wazuh-manager
systemctl status wazuh-manager

OpenSearch/Elasticsearch

Install:

apt install -y elasticsearch-oss opendistroforelasticsearch
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

Generate Certificates:

rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
bash ~/wazuh-cert-tool.sh
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

Disable Log4j message lookups:

mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options

Change the Elasticsearch config: edit /etc/elasticsearch/elasticsearch.yml and set the following lines so they point at the certificates generated above:

opendistro_security.ssl.transport.pemcert_filepath: certs/elasticsearch.pem
opendistro_security.ssl.transport.pemkey_filepath: certs/elasticsearch-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
opendistro_security.ssl.http.pemcert_filepath: certs/elasticsearch.pem
opendistro_security.ssl.http.pemkey_filepath: certs/elasticsearch-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
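A wrong path in these six lines is the usual reason Elasticsearch refuses to start after the change, and a private key copied with loose permissions is a quiet mistake that nothing in the start-up sequence reports. The following pre-flight check is an added example, not code from the original post or from Wazuh: it reads the opendistro_security.ssl.*_filepath keys out of elasticsearch.yml, confirms each file exists under the config directory, and flags any *-key.pem that is world-readable. The fixture layout built by make_fixture is constructed for a dry run and is not a real deployment.

```shell
#!/bin/sh
# Added example (not from the original post): verify the certificate paths
# referenced by elasticsearch.yml before starting the service.

# check_es_certs <elasticsearch.yml> <config dir>
# Prints one line per referenced file. Returns 0 if all checks pass, 1 otherwise.
check_es_certs() {
    yml="$1"
    confdir="$2"
    rc=0
    # Pull the relative paths (e.g. certs/root-ca.pem) from the *_filepath keys.
    paths=$(sed -n 's/^opendistro_security\.ssl\.[a-z]*\.pem[a-z]*_filepath:[[:space:]]*//p' "$yml")
    [ -n "$paths" ] || { echo "no opendistro_security.ssl.*_filepath keys found in $yml"; return 1; }
    for rel in $paths; do
        path="$confdir/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"
            rc=1
            continue
        fi
        case "$rel" in
            *-key.pem)
                # Column 8 of "ls -l" is the "other read" bit of the mode string.
                if [ "$(ls -l "$path" | cut -c8)" = "r" ]; then
                    echo "WORLD-RW  $path (private key readable by everyone)"
                    rc=1
                    continue
                fi
                ;;
        esac
        echo "OK        $path"
    done
    return $rc
}

# make_fixture <dir>: constructed layout for a dry run. It reproduces the six
# config lines above, creates the cert and key, leaves the key world-readable
# and omits root-ca.pem so both failure modes show up.
make_fixture() {
    d="$1"
    mkdir -p "$d/certs"
    cat > "$d/elasticsearch.yml" <<'EOF'
opendistro_security.ssl.transport.pemcert_filepath: certs/elasticsearch.pem
opendistro_security.ssl.transport.pemkey_filepath: certs/elasticsearch-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
opendistro_security.ssl.http.pemcert_filepath: certs/elasticsearch.pem
opendistro_security.ssl.http.pemkey_filepath: certs/elasticsearch-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
EOF
    : > "$d/certs/elasticsearch.pem"
    : > "$d/certs/elasticsearch-key.pem"
    chmod 0644 "$d/certs/elasticsearch-key.pem"
}

# Real use on the Elasticsearch host (paths from the post):
#   check_es_certs /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch
# Dry run against the constructed fixture:
#   d=$(mktemp -d); make_fixture "$d"; check_es_certs "$d/elasticsearch.yml" "$d"
```

Run it before `systemctl start elasticsearch`; a non-zero exit means fix the path or `chmod 0640`/`chown root:elasticsearch` the key first.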

Start the Elasticsearch service:

systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

Filebeat

Install Filebeat:

apt install -y filebeat

Configure Filebeat:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Copy certificates:

mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/

Start the Filebeat service:

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Validate the Filebeat output configuration (every step should report OK):

filebeat test output

elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
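Reading the OK lines by eye is fine once; in a deploy script you want a pass/fail exit code. The block below is an added example, not part of the original post: it turns captured `filebeat test output` into a gate that fails if any "step... STATUS" line is not OK, if the run never reaches "talk to server", or if the certificate chain verification line is absent (the healthy output above shows it as enabled). sample_good mirrors the output shown above; sample_bad is a constructed refused-connection case, and the exact wording of real error lines is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): gate a deployment on the
# result of `filebeat test output`.

# filebeat_output_ok <file with captured output>
# Prints each failing finding; returns 0 when the output is clean, 1 otherwise.
filebeat_output_ok() {
    f="$1"
    rc=0
    # Step lines look like "dial up... OK". Section headers such as "TLS..."
    # have nothing after the dots, so requiring a trailing space skips them.
    bad=$(grep -E '\.\.\. ' "$f" | grep -vE '\.\.\. OK$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^[[:space:]]*/FAILED: /'
        rc=1
    fi
    grep -qE 'talk to server\.\.\. OK$' "$f" \
        || { echo "FAILED: never reached 'talk to server'"; rc=1; }
    grep -q "certificate chain verification is enabled" "$f" \
        || { echo "FAILED: certificate chain verification not reported as enabled"; rc=1; }
    return $rc
}

# tls_version <file>: prints the negotiated TLS version, e.g. TLSv1.3.
tls_version() {
    sed -n 's/.*TLS version: //p' "$1"
}

# Constructed sample outputs for a dry run.
sample_good() {
cat <<'EOF'
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
EOF
}

sample_bad() {
cat <<'EOF'
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... ERROR dial tcp 127.0.0.1:9200: connect: connection refused
EOF
}

# Typical use on the manager host:
#   filebeat test output > /tmp/fb.txt 2>&1; filebeat_output_ok /tmp/fb.txt || exit 1
# Dry run:  d=$(mktemp -d); sample_bad > "$d/fb.txt"; filebeat_output_ok "$d/fb.txt"
```

The chain-verification check is the one worth keeping even if you trim the rest: a filebeat.yml that turns verification off still produces a wall of OK lines, and the only visible difference is that single "security:" line.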

Agent

Install the agent on the client:

curl -so wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb && sudo WAZUH_MANAGER='192.168.66.254' WAZUH_AGENT_GROUP='mainnet' dpkg -i ./wazuh-agent-4.2.6.deb
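The one-liner above fetches the package and hands it straight to dpkg as root; TLS protects the transfer, but nothing confirms the file is the one you expected. The wrapper below is an added example, not code from the original post or from Wazuh: it pins the download to a SHA-256 digest and only runs dpkg when the digest matches. EXPECTED_SHA256 is a placeholder to be replaced with the vendor's published checksum for that exact file; the DRY_RUN switch exists so the logic can be exercised without installing anything, and the empty test file used for the dry run is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): checksum-pinned agent install.

PKG_URL="https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb"
EXPECTED_SHA256="<sha256-of-wazuh-agent_4.2.6-1_amd64.deb>"   # placeholder, not a real digest

# sha256_of <file>: prints the hex digest with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 <file> <expected>: 0 on match, 1 on mismatch or missing file.
verify_sha256() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1" >&2
    echo "  expected: $2" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_agent <deb> <expected sha256> <manager ip> <agent group>
# Runs dpkg only after the digest check passes. With DRY_RUN=1 the dpkg
# command is printed instead of executed.
install_agent() {
    deb="$1"; sum="$2"; manager="$3"; group="$4"
    [ -n "$manager" ] || { echo "manager address must not be empty" >&2; return 1; }
    verify_sha256 "$deb" "$sum" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "WAZUH_MANAGER='$manager' WAZUH_AGENT_GROUP='$group' dpkg -i $deb"
        return 0
    fi
    WAZUH_MANAGER="$manager" WAZUH_AGENT_GROUP="$group" dpkg -i "$deb"
}

# Real run (needs network and root), using the manager and group from the post:
#   curl -so /tmp/wazuh-agent-4.2.6.deb "$PKG_URL"
#   install_agent /tmp/wazuh-agent-4.2.6.deb "$EXPECTED_SHA256" 192.168.66.254 mainnet
```

The same two steps map onto the Ansible tasks that follow: the download task registers its result, and the install task can be made conditional on a get_checksum comparison against the pinned digest instead of being allowed to ignore errors.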

The same steps as Ansible tasks:

- name: Download Wazuh Agent
  shell: |
    curl -so /tmp/wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb
  register: download_result
  ignore_errors: yes   # Optional, in case you want to ignore errors in downloading
  become: true
  become_method: sudo
  tags:
    - wazuh

- name: Install Wazuh Agent
  shell: |
    WAZUH_MANAGER='{{ wazuh_manager_ip }}' WAZUH_AGENT_GROUP='{{ stage }}' dpkg -i /tmp/wazuh-agent-4.2.6.deb
  register: install_result
  ignore_errors: yes   # Optional, to ignore installation errors
  become: true
  become_method: sudo
  tags:
    - wazuh

- name: Reload systemd manager configuration
  command: systemctl daemon-reload
  become: true
  become_method: sudo
  tags:
    - wazuh

- name: Enable Wazuh Agent service
  systemd:
    name: wazuh-agent
    enabled: yes
  become: true
  become_method: sudo
  tags:
    - wazuh

- name: Start Wazuh Agent service
  systemd:
    name: wazuh-agent
    state: restarted
  become: true
  become_method: sudo
  tags:
    - wazuh
    - wazuh.restart

Enable and check the service:

systemctl start wazuh-agent
systemctl status wazuh-agent
systemctl enable wazuh-agent

Written by RoomIT

Our Notes For Blockchain | DevOps | Security | Sysadmin

No responses yet