Prerequisites
Before we begin, make sure you have the following:
- A server running Ubuntu 22.04.
- A non-root user with sudo privileges.
Install Wazuh Indexer
Update System
sudo apt-get update
sudo apt-get upgrade
Generating SSL Certificates
curl -O https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
curl -O https://packages.wazuh.com/4.7/config.yml
Edit config.yml with an editor such as nano or vim. In this tutorial, we assume that the indexer, server, and dashboard are each a single node installed on the same server. Replace the server and dashboard IPs with your server's IP address; the indexer stays on 127.0.0.1, and that address is reused later in the indexer, Filebeat and dashboard configuration. Let's say your server IP address is 100.200.200.200, then the final configuration should look similar to this:
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "127.0.0.1"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "100.200.200.200"

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "100.200.200.200"
Now let’s create the certificates:
bash ./wazuh-certs-tool.sh -A
17/04/2024 08:30:41 INFO: Admin certificates created.
17/04/2024 08:30:41 INFO: Wazuh indexer certificates created.
17/04/2024 08:30:41 INFO: Wazuh server certificates created.
17/04/2024 08:30:42 INFO: Wazuh dashboard certificates created.
A new directory, wazuh-certificates, containing the certificates is created in the current directory; the deployment steps below copy files out of it.
Indexer Node Installation
sudo apt-get install debconf adduser procps gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key)" imported
gpg: Total number processed: 1
gpg:               imported: 1
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
sudo apt-get -y install wazuh-indexer
Configuring the Wazuh Indexer
Edit /etc/wazuh-indexer/opensearch.yml and replace the following values:
- network.host: Use the same node address set in config.yml. In this tutorial, the address is 127.0.0.1.
- node.name: Use the same node name set in config.yml.
- cluster.initial_master_nodes: In this tutorial we use a single node, so use the same node name set in config.yml.
Deploying Indexer Certificates
Run the following command to store the node name in a variable. In this tutorial, we use node-1 as the node name.
NODE_NAME=node-1
Then deploy the SSL certificates:
sudo mkdir /etc/wazuh-indexer/certs
sudo cp -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
sudo cp -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
sudo cp -n wazuh-certificates/admin.pem /etc/wazuh-indexer/certs/admin.pem
sudo cp -n wazuh-certificates/admin-key.pem /etc/wazuh-indexer/certs/admin-key.pem
sudo cp -n wazuh-certificates/root-ca.pem /etc/wazuh-indexer/certs/root-ca.pem
sudo chmod -R 400 /etc/wazuh-indexer/certs/
sudo chmod 500 /etc/wazuh-indexer/certs
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
Starting the Indexer Service
sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer
To check whether the Wazuh indexer started successfully:
sudo systemctl status wazuh-indexer
The status should show active (running).

Cluster Initialization
sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh
In this tutorial, the indexer IP is 127.0.0.1; replace <WAZUH_INDEXER_IP> below accordingly. The -k flag makes curl skip TLS certificate verification, and admin:admin are the default credentials that the final step of this tutorial replaces.
curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "zP2tu6oPREymrFacYQuKMg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Install Wazuh Manager
sudo apt-get -y install wazuh-manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
sudo systemctl status wazuh-manager

Install Filebeat
sudo apt-get -y install filebeat
Configuring Filebeat
sudo curl -o /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
sudo filebeat keystore create
echo admin | sudo filebeat keystore add username --stdin --force
echo admin | sudo filebeat keystore add password --stdin --force
sudo curl -o /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.3/extensions/elasticsearch/7.x/wazuh-template.json
sudo chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Deploying Manager Certificates
NODE_NAME=wazuh-1
sudo mkdir /etc/filebeat/certs
sudo cp -n wazuh-certificates/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
sudo cp -n wazuh-certificates/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
sudo cp -n wazuh-certificates/root-ca.pem /etc/filebeat/certs/root-ca.pem
sudo chmod -R 400 /etc/filebeat/certs/
sudo chmod 500 /etc/filebeat/certs
sudo chown -R root:root /etc/filebeat/certs
sudo systemctl daemon-reload
sudo systemctl enable filebeat
sudo systemctl start filebeat
sudo filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
Install Wazuh Dashboard
sudo apt-get -y install wazuh-dashboard
Edit /etc/wazuh-dashboard/opensearch_dashboards.yml and modify the following:
- server.host: the address the dashboard listens on.
- opensearch.hosts: the indexer address used above (https://127.0.0.1:9200 in this tutorial).
Deploying Dashboard Certificates
NODE_NAME=dashboard
sudo mkdir /etc/wazuh-dashboard/certs
sudo cp -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
sudo cp -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
sudo cp -n wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/root-ca.pem
sudo chmod -R 400 /etc/wazuh-dashboard/certs/
sudo chmod 500 /etc/wazuh-dashboard/certs
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
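The three certificate deployments in this tutorial (indexer in /etc/wazuh-indexer/certs owned by wazuh-indexer, Filebeat in /etc/filebeat/certs owned by root, dashboard in /etc/wazuh-dashboard/certs owned by wazuh-dashboard) all follow the same pattern: directory mode 500, files mode 400, everything owned by the service account. The script below is an added example, not part of the tutorial or of the Wazuh project, that checks a deployed directory against that pattern and, separately, that a private key really belongs to its certificate and that the certificate chains to root-ca.pem. It assumes GNU coreutils stat (as on Ubuntu) and, for the chain check, an openssl binary; because the key files are mode 400 it has to run as root.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): verify a Wazuh certs directory after
# the cp/chmod/chown steps. Assumes GNU stat; check_cert_pair also needs openssl.

# check_cert_perms DIR OWNER
# Directory must be 500, every file 400, all owned by OWNER:OWNER.
# Reports every problem on stderr and returns 1 if there was any.
check_cert_perms() {
  local dir="$1" owner="$2" rc=0 f mode who
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  mode="$(stat -c '%a' "$dir")"
  who="$(stat -c '%U:%G' "$dir")"
  [ "$mode" = "500" ] || { echo "$dir: mode $mode, expected 500" >&2; rc=1; }
  [ "$who" = "$owner:$owner" ] || { echo "$dir: owner $who, expected $owner:$owner" >&2; rc=1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode="$(stat -c '%a' "$f")"
    who="$(stat -c '%U:%G' "$f")"
    [ "$mode" = "400" ] || { echo "$f: mode $mode, expected 400" >&2; rc=1; }
    [ "$who" = "$owner:$owner" ] || { echo "$f: owner $who, expected $owner:$owner" >&2; rc=1; }
  done
  return "$rc"
}

# check_cert_pair CERT KEY ROOT_CA
# The public key inside CERT must equal the public key derived from KEY, and
# CERT must verify against ROOT_CA. Catches a stale or swapped copy before the
# service is started. Returns 2 (and skips) when openssl is not installed.
check_cert_pair() {
  local cert="$1" key="$2" ca="$3"
  command -v openssl >/dev/null 2>&1 \
    || { echo "openssl not installed; skipping key/chain check" >&2; return 2; }
  [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ] \
    || { echo "$key does not belong to $cert" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null \
    || { echo "$cert does not chain to $ca" >&2; return 1; }
}

# Usage (as root), one call per component deployed in the tutorial:
#   check_cert_perms /etc/wazuh-indexer/certs wazuh-indexer
#   check_cert_pair  /etc/wazuh-indexer/certs/indexer.pem /etc/wazuh-indexer/certs/indexer-key.pem \
#                    /etc/wazuh-indexer/certs/root-ca.pem
#   check_cert_perms /etc/filebeat/certs root
#   check_cert_pair  /etc/filebeat/certs/filebeat.pem /etc/filebeat/certs/filebeat-key.pem \
#                    /etc/filebeat/certs/root-ca.pem
#   check_cert_perms /etc/wazuh-dashboard/certs wazuh-dashboard
#   check_cert_pair  /etc/wazuh-dashboard/certs/dashboard.pem /etc/wazuh-dashboard/certs/dashboard-key.pem \
#                    /etc/wazuh-dashboard/certs/root-ca.pem
```

A permission or ownership failure here usually means the cp -n step silently kept an older file from a previous attempt, or the chown ran before the copies finished; a key/certificate mismatch means the wrong $NODE_NAME was in effect when the files were copied.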
Starting the Dashboard Service
sudo systemctl daemon-reload
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard
To access the Wazuh web interface, please open https://<wazuh-dashboard-ip> in your browser.
Final Step: Securing Wazuh Installation
Change the default passwords of the Wazuh indexer and Wazuh API users, including the admin:admin credentials used earlier in this tutorial; the tool prints the newly generated passwords, so record them:
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
