Source
Today I will show you how to install the Wazuh server on Ubuntu 20.4 and deploy the Wazuh agent to different operating systems.
I use the 2 sources below as references.
Requirement
https://documentation.wazuh.com/current/installation-guide/requirements.html
OS: Ubuntu 20.08
Prerequisites
1. Escalate to root privileges
sudo su
2. Install the necessary packages for the installation
apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg
3. Install the GPG key
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
4. Add the repository
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
5. Update the package information
apt-get update
Install Wazuh Manager
1. Install the Wazuh manager package
apt-get install wazuh-manager
2. Enable and start the Wazuh manager service
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
3. Run the following command to check if the Wazuh manager is active
systemctl status wazuh-manager
Elasticsearch
1. Install Elasticsearch OSS and Open Distro for Elasticsearch:
apt install elasticsearch-oss opendistroforelasticsearch
2. Configure Elasticsearch
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
3. Set up the Elasticsearch users and roles
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
Certificate creation
1. Remove the demo certificates
rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
2. Generate and deploy the certificates
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
bash ~/wazuh-cert-tool.sh
- Move the Elasticsearch certificates to their corresponding location:
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
3. Enable and start the Elasticsearch service
mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
4. Install Java
sudo apt install default-jre
5. Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
Check that Elasticsearch answers:
curl -XGET https://localhost:9200 -u admin:admin -k
Installing Filebeat
1. Install the Filebeat package
apt-get install filebeat
2. Download the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
3. Download the alerts template for Elasticsearch
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
4. Download the Wazuh module for Filebeat
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
5. Copy the Elasticsearch certificates into /etc/filebeat/certs
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
6. Enable and start the Filebeat service
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
Check that Filebeat can reach Elasticsearch:
filebeat test output
Installing Kibana
1. Install the Kibana package:
apt-get install opendistroforelasticsearch-kibana
2. Download the Kibana configuration file:
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
3. Create the /usr/share/kibana/data directory:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
4. Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip
5. Copy the Elasticsearch certificates into /etc/kibana/certs:
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
6. Link Kibana socket to privileged port 443:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
7. Enable and start the Kibana service:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
8. Allow Kibana through the firewall
sudo ufw allow 443/tcp
Access the web interface:
URL: https://<wazuh_server_ip>
user: admin
password: admin
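The web interface, Filebeat and Kibana all still use the admin:admin credential at this point, so the first thing to do after logging in is rotate it. The script below is an added example, not part of this guide or of the Wazuh project. It assumes Open Distro's hash.sh helper sits beside securityadmin.sh, and that the downloaded all-in-one configs contain exactly one "password: admin" line (filebeat.yml) and one "elasticsearch.password: admin" line (kibana.yml).

```shell
#!/usr/bin/env bash
# Rotate the admin:admin credential the all-in-one install leaves in place.
# Added example, not from the Wazuh docs. Assumes hash.sh next to
# securityadmin.sh and single "password: admin" lines in the beat/kibana configs.
set -eu
SEC_DIR=/usr/share/elasticsearch/plugins/opendistro_security
CERTS=/etc/elasticsearch/certs

# set_yml_value FILE KEY VALUE: rewrite the single "KEY: old" line (any indent)
# to "KEY: VALUE". Fails if KEY is absent or ambiguous. VALUE must avoid '|', '&', '\'.
set_yml_value() {
  local file=$1 key=$2 value=$3
  [ "$(grep -cE "^[[:space:]]*${key}:" "$file")" -eq 1 ] || return 1
  sed -i -E "s|^([[:space:]]*${key}:[[:space:]]*).*$|\1${value}|" "$file"
  grep -qE "^[[:space:]]*${key}:[[:space:]]*${value}[[:space:]]*$" "$file"
}
# has_default_admin FILE KEY: exit 0 while KEY still carries the value "admin".
has_default_admin() {
  grep -qE "^[[:space:]]*${2}:[[:space:]]*admin[[:space:]]*$" "$1"
}
# set_admin_hash FILE HASH: replace only the hash under the "admin:" block of
# internal_users.yml; every other user keeps its hash (bcrypt hashes contain no '&').
set_admin_hash() {
  local file=$1 hash=$2
  awk -v h="$hash" '
    /^[^[:space:]#]/ { in_admin = ($0 == "admin:") }   # a new top-level key
    in_admin && /^[[:space:]]+hash:/ { sub(/hash:.*/, "hash: \"" h "\"") }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

main() {
  local newpass hash
  read -rsp "New admin password: " newpass; echo
  hash=$(JAVA_HOME=/usr/share/elasticsearch/jdk "$SEC_DIR/tools/hash.sh" -p "$newpass")
  set_admin_hash "$SEC_DIR/securityconfig/internal_users.yml" "$hash"
  # Load the edited internal_users.yml into the security index (same call as the guide).
  JAVA_HOME=/usr/share/elasticsearch/jdk "$SEC_DIR/tools/securityadmin.sh" \
    -cd "$SEC_DIR/securityconfig/" -nhnv -cacert "$CERTS/root-ca.pem" \
    -cert "$CERTS/admin.pem" -key "$CERTS/admin-key.pem"
  # Filebeat and Kibana log in as admin too, so update them and restart.
  set_yml_value /etc/filebeat/filebeat.yml password "$newpass"
  set_yml_value /etc/kibana/kibana.yml elasticsearch.password "$newpass"
  systemctl restart filebeat kibana
  # Verify against the root CA instead of -k, and confirm admin:admin is now rejected.
  curl -sf --cacert "$CERTS/root-ca.pem" -u "admin:$newpass" https://localhost:9200 >/dev/null
  ! curl -sf --cacert "$CERTS/root-ca.pem" -u admin:admin https://localhost:9200 >/dev/null
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with `--apply` once the stack from the steps above is up; without the flag it only defines the functions.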
Deploy Wazuh Agent
Open the Agents tab and choose the OS of the agent machine