Install and Configure Wazuh Manager on Ubuntu 22.04


In this tutorial, you will learn how to install and configure Wazuh Manager on Ubuntu 22.04. According to the documentation, Wazuh is a free and open source platform for threat detection, security monitoring, incident response and regulatory compliance.


Wazuh can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. Wazuh provides the following capabilities:

  • Security Analytics
  • Intrusion Detection
  • Log Data Analysis
  • File Integrity Monitoring
  • Vulnerability Detection
  • Configuration Assessment
  • Incident Response
  • Regulatory Compliance
  • Cloud Security Monitoring
  • Containers Security

Install Elastic Stack on Ubuntu 22.04

To make full use of Wazuh manager's capabilities and get a proper UI for visualization, Wazuh has to be integrated with Elastic Stack: Kibana for visualization, Elasticsearch for data storage and search, and Filebeat for collecting Wazuh manager event data and pushing it to Elasticsearch.

Thus, in order to install and configure Wazuh manager, you need to begin by setting up the Elastic Stack components: Kibana, Elasticsearch and Filebeat.

According to the Wazuh components compatibility matrix page, the current stable release of Wazuh (v4.4.1) supports Elastic Stack up to version 7.17.9 as of this writing.

This therefore determines the version of Elastic Stack to deploy.

To install Elastic Stack components on Ubuntu 22.04, proceed as follows.

  • Install Elastic Stack APT repositories on Ubuntu 22.04;
apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
| sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/elastic.gpg
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" \
> /etc/apt/sources.list.d/elastic-7.x.list
apt update
  • Install Elasticsearch 7.17.9 on Ubuntu 22.04
apt install elasticsearch=7.17.9
  • Configure Elasticsearch

Elasticsearch should just work with its default settings. Feel free to check Important Elasticsearch settings.

If Elasticsearch needs to be reachable by Beats running on other hosts, you need to set the IP address it listens on and define whether it runs as a single-node or multi-node cluster.

  • Start and enable Elasticsearch to run on system boot;
systemctl enable --now elasticsearch

Confirm the Elasticsearch port is opened;

ss -altnp | grep 9200

You can check the status;

systemctl status elasticsearch

You can check the logs if need be. By default, the logs are written to /var/log/elasticsearch/CLUSTER_NAME.log, where CLUSTER_NAME is elasticsearch by default. Thus, the default log file is /var/log/elasticsearch/elasticsearch.log.

  • Install Kibana 7.17.9 on Ubuntu 22.04
apt install kibana=7.17.9
  • Configure Kibana

To begin with, set the Kibana server IP address to allow external access. By default, it only listens on the loopback interface.

For example, my server IP address is 192.168.56.124. Thus, to configure Kibana to listen on this host IP address, run the command below (Be sure to change the address as per your setup environment).

sed -i '/server.host:/s/^#//;s/localhost/192.168.56.124/' /etc/kibana/kibana.yml

If you want to configure Kibana to listen on all interfaces, just use 0.0.0.0 instead of the IP above. Keep in mind that this setup enables no authentication on Kibana, so restrict who can reach port 5601 with the firewall rules below. For example;

sed -i '/server.host:/s/^#//;s/localhost/0.0.0.0/' /etc/kibana/kibana.yml

We will use the other settings with the default values.

  • Start and enable Kibana to run on system boot;
systemctl enable --now kibana

Confirm the Kibana port is opened after a short while.

ss -altnp | grep 5601

If need be, check syslog and /var/log/kibana/kibana.log log files.

Open Kibana port on firewall;

If using UFW, run;

ufw allow 5601/tcp

If using iptables;

iptables -I INPUT -p tcp --dport 5601 -j ACCEPT
iptables-save > /etc/iptables/rules.v4
  • Install Filebeat on Ubuntu 22.04

Filebeat is required to forward Wazuh manager alerts and archived events to Elasticsearch. You can install version 7.17.9, currently supported by Wazuh as of this writing, using the command below;

apt install filebeat=7.17.9 -y

Enable it to run on boot;

systemctl enable filebeat

Install Wazuh Manager on Ubuntu 22.04

Next, proceed to install Wazuh server/manager on Ubuntu 22.04.

  • Install Wazuh APT Repository on Ubuntu 22.04
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
gpg --dearmor > /etc/apt/trusted.gpg.d/wazuh.gpg
echo "deb https://packages.wazuh.com/4.x/apt stable main" > /etc/apt/sources.list.d/wazuh.list

Update the package information:

apt update

Next, install Wazuh manager on Ubuntu 22.04.

apt install wazuh-manager

Once the installation is complete, you can start and enable Wazuh-manager to run on system boot;

systemctl enable --now wazuh-manager

Open the Wazuh manager port on the firewall. By default, Wazuh agents communicate with the Wazuh manager via TCP port 1514. Thus, open port 1514/tcp on the Wazuh manager.

iptables -A INPUT -p tcp --dport 1514 -j ACCEPT

Or

ufw allow 1514/tcp

Also, allow port 1515/tcp for agent registration;

iptables -A INPUT -p tcp --dport 1515 -j ACCEPT

Or

ufw allow 1515/tcp

Read more on required ports.

Integrate Wazuh Manager with ELK Stack

  • Install Wazuh Manager Kibana App plugin

To install Wazuh manager/server Kibana App, proceed as follows;

chown -R kibana: /usr/share/kibana/plugins

Ensure the plugin version you install is compatible with both the currently installed version of the ELK stack and the installed Wazuh manager version.

sudo -u kibana /usr/share/kibana/bin/kibana-plugin install \
https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.4.1_7.17.9-1.zip

Sample output of the installation;


Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.4.1_7.17.9-1.zip
Transferring 38527322 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

Create Wazuh Kibana data directory and set the ownership to kibana user.

mkdir /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/data

Restart Kibana;

systemctl restart kibana
  • Configure Filebeat for Wazuh Manager

Make a backup of the default configuration file and replace it with the following configs.

mv /etc/filebeat/filebeat.{yml,stock}
cat > /etc/filebeat/filebeat.yml << 'EOL'
output.elasticsearch:
  hosts: ["localhost:9200"]
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
EOL

Install Filebeat Wazuh Module:

wget -qO- https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz \
| tar -xz -C /usr/share/filebeat/module/

Download and install Wazuh alerts Elasticsearch template:

wget -O /etc/filebeat/wazuh-template.json \
https://raw.githubusercontent.com/wazuh/wazuh/4.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Test Filebeat config;

filebeat test config
Config OK

Test Filebeat Elasticsearch output;

filebeat test output
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.17.9

Restart Kibana, Elasticsearch, Filebeat and Wazuh-manager

The configuration is done!

systemctl restart elasticsearch kibana filebeat wazuh-manager

Checking the status of each service;

systemctl status elasticsearch kibana filebeat wazuh-manager

● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-05-09 18:09:56 EAT; 3min 14s ago
       Docs: https://www.elastic.co
   Main PID: 2512 (java)
      Tasks: 74 (limit: 4607)
     Memory: 1.7G
        CPU: 58.290s
     CGroup: /system.slice/elasticsearch.service
             ├─2512 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfi>
             └─2782 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

May 09 18:09:02 ubuntu22 systemd[1]: Starting Elasticsearch...
May 09 18:09:56 ubuntu22 systemd[1]: Started Elasticsearch.

● kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-05-09 18:09:02 EAT; 4min 31s ago
       Docs: https://www.elastic.co
   Main PID: 2506 (node)
      Tasks: 11 (limit: 4607)
     Memory: 415.1M
        CPU: 24.582s
     CGroup: /system.slice/kibana.service
             └─2506 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid "--deprecation.skip_deprecate>

May 09 18:09:02 ubuntu22 systemd[1]: Started Kibana.

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-05-09 18:09:02 EAT; 5min ago
       Docs: https://www.elastic.co/beats/filebeat
   Main PID: 2507 (filebeat)
      Tasks: 9 (limit: 4607)
     Memory: 31.9M
        CPU: 360ms
     CGroup: /system.slice/filebeat.service
             └─2507 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.>

May 09 18:09:02 ubuntu22 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..

● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-05-09 18:09:16 EAT; 5min ago
    Process: 2514 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 126 (limit: 4607)
     Memory: 502.4M
        CPU: 51.901s
     CGroup: /system.slice/wazuh-manager.service
             ├─2780 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─2824 /var/ossec/bin/wazuh-authd
             ├─2846 /var/ossec/bin/wazuh-db
             ├─2875 /var/ossec/bin/wazuh-execd
             ├─2888 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─2891 /var/ossec/bin/wazuh-analysisd
             ├─2893 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─2908 /var/ossec/bin/wazuh-syscheckd
             ├─2926 /var/ossec/bin/wazuh-remoted
             ├─3001 /var/ossec/bin/wazuh-logcollector
             ├─3022 /var/ossec/bin/wazuh-monitord
             └─3034 /var/ossec/bin/wazuh-modulesd

May 09 18:09:11 ubuntu22 env[2514]: wazuh-remoted: Process 54267 not used by Wazuh, removing...
May 09 18:09:12 ubuntu22 env[2514]: Started wazuh-remoted...
May 09 18:09:12 ubuntu22 env[2514]: wazuh-logcollector: Process 54337 not used by Wazuh, removing...
May 09 18:09:13 ubuntu22 env[2514]: Started wazuh-logcollector...
May 09 18:09:13 ubuntu22 env[2514]: wazuh-monitord: Process 54353 not used by Wazuh, removing...
May 09 18:09:13 ubuntu22 env[2514]: Started wazuh-monitord...
May 09 18:09:13 ubuntu22 env[2514]: wazuh-modulesd: Process 54364 not used by Wazuh, removing...
May 09 18:09:14 ubuntu22 env[2514]: Started wazuh-modulesd...
May 09 18:09:16 ubuntu22 env[2514]: Completed.
May 09 18:09:16 ubuntu22 systemd[1]: Started Wazuh manager.

Accessing Kibana Web Interface

You can now access Kibana via the url http://<server-IP-or-hostname>:5601.

On the UI, click Explore on my own and under the Kibana menu section, you should be able to see Wazuh App.


When you click on the app, you should see the Wazuh dashboard.


No agents are connected by default. However, there should be some default events already collected from the Wazuh manager.
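Besides the UI, you can confirm from the command line that the Filebeat pipeline configured above is actually delivering Wazuh alerts to Elasticsearch. The script below is an added example, not part of the original tutorial or of the Wazuh project; it assumes Elasticsearch is reachable at http://localhost:9200 without authentication or TLS (as set up above), that the index template is named wazuh (from setup.template.json.name in filebeat.yml), and that alerts land in indices matching wazuh-alerts-* (an assumption about the Wazuh Filebeat module).

```python
import json
import urllib.request
from urllib.error import URLError

ES_URL = "http://localhost:9200"      # assumption: the Elasticsearch from this tutorial, no auth/TLS
TEMPLATE_NAME = "wazuh"               # setup.template.json.name in the filebeat.yml above
ALERTS_PATTERN = "wazuh-alerts-*"     # assumption: index pattern written by the Wazuh Filebeat module


def fetch_json(path):
    """GET an Elasticsearch endpoint and decode the JSON body; None if unreachable or 404."""
    try:
        with urllib.request.urlopen(ES_URL + path, timeout=5) as resp:
            return json.load(resp)
    except (URLError, ValueError):
        return None


def template_loaded(template_resp):
    """True when GET /_template/wazuh returned the template (absent template gives 404 -> None)."""
    return bool(template_resp) and TEMPLATE_NAME in template_resp


def alert_summary(count_resp, latest_resp):
    """Return (doc_count, newest @timestamp or None) from a _count and a sorted _search response."""
    count = (count_resp or {}).get("count", 0)
    hits = (latest_resp or {}).get("hits", {}).get("hits", [])
    newest = hits[0].get("_source", {}).get("@timestamp") if hits else None
    return count, newest


def check_pipeline(template_resp, count_resp, latest_resp):
    """Combine the three responses into an (ok, reason) verdict a post-install check can act on."""
    if not template_loaded(template_resp):
        return False, "index template '%s' missing: check setup.template.json.* in filebeat.yml and the Filebeat log" % TEMPLATE_NAME
    count, newest = alert_summary(count_resp, latest_resp)
    if count == 0:
        return False, "template present but no documents in %s yet: check /var/log/filebeat and wazuh-manager" % ALERTS_PATTERN
    return True, "%d alert(s) indexed, newest at %s" % (count, newest)


if __name__ == "__main__":
    ok, why = check_pipeline(
        fetch_json("/_template/" + TEMPLATE_NAME),
        fetch_json("/%s/_count" % ALERTS_PATTERN),
        fetch_json("/%s/_search?size=1&sort=@timestamp:desc" % ALERTS_PATTERN),
    )
    print("OK:" if ok else "PROBLEM:", why)
```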

For example, head over to Modules > Security Events > Dashboard or Events;


You can now go ahead and install Wazuh agents and start log collection from your end points.

Easy Way to Install Wazuh Agents on Ubuntu/Debian

Install Wazuh Agent on Rocky Linux 8

That marks the end of our tutorial on how to install and configure Wazuh manager on Ubuntu.
