Prerequisites

Before we begin, make sure you have the following:

  • A server running Ubuntu 22.04.
  • A non-root user with sudo privileges.

Install Wazuh Indexer

Update System

sudo apt-get update
sudo apt-get upgrade

Generating SSL Certificates

curl -O https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
curl -O https://packages.wazuh.com/4.7/config.yml

Edit config.yml with an editor such as nano or vim. In this tutorial, we assume that the indexer, server, and dashboard form a single node installed on the same server. Replace the IP with your server's IP address. Let's say your server IP address is 100.200.200.200; then the final configuration should look similar to this:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "127.0.0.1"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "100.200.200.200"

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "100.200.200.200"

Now let’s create the certificates:

bash ./wazuh-certs-tool.sh -A
17/04/2024 08:30:41 INFO: Admin certificates created.
17/04/2024 08:30:41 INFO: Wazuh indexer certificates created.
17/04/2024 08:30:41 INFO: Wazuh server certificates created.
17/04/2024 08:30:42 INFO: Wazuh dashboard certificates created.

A new directory, wazuh-certificates, containing the certificates will be created.

Indexer Node Installation

sudo apt-get install debconf adduser procps gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported
gpg: Total number processed: 1
gpg:               imported: 1
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
sudo apt-get -y install wazuh-indexer

Configuring the Wazuh Indexer

Edit /etc/wazuh-indexer/opensearch.yml and replace the following values:

  • network.host: Use the same node address set in config.yml. In this tutorial, the address is 127.0.0.1.
  • node.name: Use the same node name set in config.yml.
  • cluster.initial_master_nodes: In this tutorial, we use a single node only, so use the same node name set in config.yml.

Deploying Indexer Certificates

Run the following command to assign the node name to a variable. In this tutorial, we use node-1 as the node name.

NODE_NAME=node-1

Then deploy the SSL certificates:

sudo mkdir /etc/wazuh-indexer/certs
sudo cp -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
sudo cp -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
sudo cp -n wazuh-certificates/admin.pem /etc/wazuh-indexer/certs/admin.pem
sudo cp -n wazuh-certificates/admin-key.pem /etc/wazuh-indexer/certs/admin-key.pem
sudo cp -n wazuh-certificates/root-ca.pem /etc/wazuh-indexer/certs/root-ca.pem
sudo chmod -R 400 /etc/wazuh-indexer/certs/
sudo chmod 500 /etc/wazuh-indexer/certs
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Starting the Indexer Service

sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer

To check whether the Wazuh indexer is running successfully:

sudo systemctl status wazuh-indexer

The status should show active (running).

Cluster Initialization

sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh

Replace <WAZUH_INDEXER_IP> with the indexer address; in this tutorial, the indexer IP is 127.0.0.1.

curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "zP2tu6oPREymrFacYQuKMg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Install Wazuh Manager

sudo apt-get -y install wazuh-manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
sudo systemctl status wazuh-manager

Install Filebeat

sudo apt-get -y install filebeat

Configuring Filebeat

sudo curl -o /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
sudo filebeat keystore create
echo admin | sudo filebeat keystore add username --stdin --force
echo admin | sudo filebeat keystore add password --stdin --force
sudo curl -o /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.3/extensions/elasticsearch/7.x/wazuh-template.json
sudo chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Deploying Manager Certificates

NODE_NAME=wazuh-1
sudo mkdir /etc/filebeat/certs
sudo cp -n wazuh-certificates/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
sudo cp -n wazuh-certificates/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
sudo cp -n wazuh-certificates/root-ca.pem /etc/filebeat/certs/root-ca.pem
sudo chmod -R 400 /etc/filebeat/certs/
sudo chmod 500 /etc/filebeat/certs
sudo chown -R root:root /etc/filebeat/certs
sudo systemctl daemon-reload
sudo systemctl enable filebeat
sudo systemctl start filebeat
sudo filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Install Wazuh Dashboard

sudo apt-get -y install wazuh-dashboard

Edit /etc/wazuh-dashboard/opensearch_dashboards.yml and modify the following:

  • server.host
  • opensearch.hosts

Deploying Dashboard Certificates

NODE_NAME=dashboard
sudo mkdir /etc/wazuh-dashboard/certs
sudo cp -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
sudo cp -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
sudo cp -n wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/root-ca.pem
sudo chmod -R 400 /etc/wazuh-dashboard/certs/
sudo chmod 500 /etc/wazuh-dashboard/certs
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Starting the Dashboard Service

sudo systemctl daemon-reload
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard

To access the Wazuh web interface, please open https://<wazuh-dashboard-ip> in your browser.

Final Step: Securing Wazuh Installation

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
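With all three components installed, the following script (an added example, not part of this tutorial or of the Wazuh packages) verifies the certificate layout set up above for the indexer, Filebeat and the dashboard, and queries the indexer against the generated root CA instead of using curl -k. It assumes GNU stat, that wazuh-certificates/ is still in the working directory, and credentials in the INDEXER_USER/INDEXER_PASS variables (names chosen here); run it with sudo so the mode-500 directories are readable.

```shell
#!/bin/sh
# Post-install verification for the certificate layout this tutorial creates
# (added example, not part of the Wazuh packages). Each certs directory must be
# mode 500, every file in it mode 400, all owned by the service account, and the
# listed files present. Uses GNU stat (Ubuntu). Run with sudo to read the dirs.
check_certs_dir() {
  dir=$1; owner=$2; shift 2; dir_rc=0
  if [ ! -d "$dir" ]; then
    echo "missing directory: $dir"; return 1
  fi
  mode=$(stat -c '%a' "$dir")
  [ "$mode" = "500" ] || { echo "$dir: mode $mode, expected 500"; dir_rc=1; }
  # cp -n never overwrites, so an expected file may be missing or stale:
  # at least make sure each file the tutorial copies is there
  for name in "$@"; do
    [ -f "$dir/$name" ] || { echo "$dir/$name: missing"; dir_rc=1; }
  done
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    mode=$(stat -c '%a' "$f"); own=$(stat -c '%U:%G' "$f")
    [ "$mode" = "400" ] || { echo "$f: mode $mode, expected 400"; dir_rc=1; }
    [ "$own" = "$owner" ] || { echo "$f: owner $own, expected $owner"; dir_rc=1; }
  done
  return $dir_rc
}

# The three directories and owners set up above, with the files copied into each.
check_all_certs() {
  all_rc=0
  check_certs_dir /etc/wazuh-indexer/certs wazuh-indexer:wazuh-indexer \
    indexer.pem indexer-key.pem admin.pem admin-key.pem root-ca.pem || all_rc=1
  check_certs_dir /etc/filebeat/certs root:root \
    filebeat.pem filebeat-key.pem root-ca.pem || all_rc=1
  check_certs_dir /etc/wazuh-dashboard/certs wazuh-dashboard:wazuh-dashboard \
    dashboard.pem dashboard-key.pem root-ca.pem || all_rc=1
  return $all_rc
}

# Query the indexer while verifying its certificate against the root CA that
# wazuh-certs-tool.sh generated, instead of disabling verification with -k: a
# certificate issued for an address other than the one you connect to fails
# here rather than being accepted silently. Credentials are read from the
# INDEXER_USER / INDEXER_PASS environment variables (names chosen here).
check_indexer_tls() {
  host=$1; ca=${2:-wazuh-certificates/root-ca.pem}
  curl -sS --cacert "$ca" -u "${INDEXER_USER:-admin}:${INDEXER_PASS:-admin}" \
    "https://$host:9200/_cluster/health?pretty"
}
```

Run `sudo sh -c '. ./check.sh; check_all_certs'` on the server, then `check_indexer_tls 127.0.0.1` with the indexer address from config.yml.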
