Install and Setup Wazuh Server in CentOS 8/Fedora 32


In this tutorial, you will learn how to install and set up the Wazuh server on CentOS 8/Fedora 32. Wazuh is an open-source tool for visibility, security detection, and compliance. It is a fork of OSSEC HIDS with additional integration with the ELK stack and OpenSCAP. The Wazuh stack consists of the Wazuh server (manager), the ELK stack, and the Wazuh agents, as shown in the image below.

[Image: Wazuh stack architecture diagram]

As of this writing, the current version is 3.13.

Prerequisites

Ensure that you have an ELK stack up and running before you proceed to set up the Wazuh server. You can follow the link below to install and set up the ELK stack on CentOS 8. The same applies to Fedora 32.

Installing ELK Stack on CentOS 8/Fedora 32

Deployment Architecture

There are two different deployment architectures for the Wazuh server:

  • Single-host Architecture
  • Distributed Architecture

In this tutorial, we will use the single-host architecture.

Install and Setup Wazuh Server in CentOS 8/Fedora 32

The primary functions of the Wazuh server are agent registration, data analysis, and agent management.

There are two ways of installing the Wazuh server on CentOS 8/Fedora 32: from the YUM/DNF repositories, or from sources.

We are going to cover both installation methods in this tutorial.

Install Wazuh Server from YUM/DNF Repositories

Add the Wazuh Repository

We first have to add the Wazuh repository to the server by running the commands below.

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

Install Wazuh Server on CentOS 8/Fedora 32

Run the following command to install the Wazuh server on CentOS 8/Fedora 32;

dnf -y install wazuh-manager

When the installation process is complete, Wazuh Manager is set to auto-start. You can check the status as shown below;

systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; ve>
Active: active (running) since Thu 2020-07-16 04:55:11 EDT; 3min 31s ago
Process: 21321 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start >
Tasks: 82 (limit: 6766)
Memory: 366.4M
CGroup: /system.slice/wazuh-manager.service
├─21406 /var/ossec/bin/ossec-authd
├─21422 /var/ossec/bin/wazuh-db
├─21446 /var/ossec/bin/ossec-execd
├─21461 /var/ossec/bin/ossec-analysisd
├─21493 /var/ossec/bin/ossec-syscheckd
├─21510 /var/ossec/bin/ossec-remoted
├─21542 /var/ossec/bin/ossec-logcollector
├─21561 /var/ossec/bin/ossec-monitord
└─21581 /var/ossec/bin/wazuh-modulesd
Jul 16 04:55:01 wazuh-server env[21321]: Started wazuh-db…
Jul 16 04:55:02 wazuh-server env[21321]: Started ossec-execd…
Jul 16 04:55:03 wazuh-server env[21321]: Started ossec-analysisd…
Jul 16 04:55:04 wazuh-server env[21321]: Started ossec-syscheckd…
Jul 16 04:55:05 wazuh-server env[21321]: Started ossec-remoted…
Jul 16 04:55:06 wazuh-server env[21321]: Started ossec-logcollector…
Jul 16 04:55:08 wazuh-server env[21321]: Started ossec-monitord…
Jul 16 04:55:09 wazuh-server env[21321]: Started wazuh-modulesd…
Jul 16 04:55:11 wazuh-server env[21321]: Completed.
Jul 16 04:55:11 wazuh-server systemd[1]: Started Wazuh manager.

Install Wazuh API on CentOS 8/Fedora 32 from Repos

To enable communication and management of agents, the Wazuh API should be installed.

Install the NodeJS repository on CentOS 8/Fedora 32;

curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -

Then install NodeJS by executing the command below;

dnf -y install nodejs

The next step is to install Wazuh API;

dnf -y install wazuh-api

After the installation is complete, check the status of the Wazuh API;

systemctl status wazuh-api
● wazuh-api.service - Wazuh API daemon
Loaded: loaded (/etc/systemd/system/wazuh-api.service; enabled; vendor pre>
Active: active (running) since Thu 2020-07-16 05:17:08 EDT; 3min 44s ago
Docs: https://documentation.wazuh.com/current/user-manual/api/index.html
Main PID: 22562 (node)
Tasks: 11 (limit: 6766)
Memory: 23.4M
CGroup: /system.slice/wazuh-api.service
└─22562 /bin/node /var/ossec/api/app.js
Jul 16 05:17:08 kifarunix-demo systemd[1]: Started Wazuh API daemon.

To avoid unintended upgrades and version mismatches, it is recommended that you disable updates from the Wazuh repository once the installation is complete.

sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Install Wazuh Server from Sources

We need to install the required packages as follows;

dnf -y install make gcc policycoreutils-python-utils automake autoconf libtool wget vim python36

Proceed by downloading the latest version of the Wazuh server sources;

wget https://github.com/wazuh/wazuh/archive/v3.13.1.tar.gz

Then extract the archive;

tar -xzvf v3.13.1.tar.gz

Navigate to the extracted directory and run the install.sh script;

cd wazuh-*
./install.sh

The installation runs with interactive prompts; the answers used in this tutorial are shown below.

1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager
Manager (server) installation chosen.
2- Setting up the installation environment.
Choose where to install Wazuh [/var/ossec]:
Installation will be made at /var/ossec .
3- Configuring Wazuh.
3.1- Do you want e-mail notification? (y/n) [n]: ENTER
--- Email notification disabled.
3.2- Do you want to run the integrity check daemon? (y/n) [y]: ENTER
Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: ENTER
Running rootcheck (rootkit detection).
3.4- Do you want to run policy monitoring checks? (OpenSCAP) (y/n) [y]: ENTER
Running OpenSCAP (policy monitoring checks).
3.5- Active response allows you to execute a specific
command based on the events received.
By default, no active responses are defined.
Default white list for the active response:
10.7.0.1
192.168.70.10
192.168.100.1
Do you want to add more IPs to the white list? (y/n)? [n]: ENTER
3.6- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: ENTER
Remote syslog enabled.
3.7 - Do you want to run the Auth daemon? (y/n) [y]: ENTER
Running Auth daemon.
3.8- Do you want to start Wazuh after the installation? (y/n) [y]: ENTER
Wazuh will start at the end of installation.
3.9- Setting the configuration to analyze the following logs:
-- /var/log/audit/audit.log
-- /var/ossec/logs/active-responses.log
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at https://documentation.wazuh.com/.
--- Press ENTER to continue ---

Start the Wazuh server;

systemctl start wazuh-manager

Check the status;

systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-07-16 06:57:14 EDT; 8min ago
Process: 28841 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
Tasks: 82 (limit: 6766)
Memory: 374.2M
CGroup: /system.slice/wazuh-manager.service
├─28926 /var/ossec/bin/ossec-authd
├─28942 /var/ossec/bin/wazuh-db
├─28966 /var/ossec/bin/ossec-execd
├─28981 /var/ossec/bin/ossec-analysisd
├─29013 /var/ossec/bin/ossec-syscheckd
├─29030 /var/ossec/bin/ossec-remoted
├─29062 /var/ossec/bin/ossec-logcollector
├─29080 /var/ossec/bin/ossec-monitord
└─29101 /var/ossec/bin/wazuh-modulesd
Jul 16 06:57:04 kifarunix-demo env[28841]: Started wazuh-db…
Jul 16 06:57:05 kifarunix-demo env[28841]: Started ossec-execd…
Jul 16 06:57:06 kifarunix-demo env[28841]: Started ossec-analysisd…
Jul 16 06:57:07 kifarunix-demo env[28841]: Started ossec-syscheckd…
Jul 16 06:57:08 kifarunix-demo env[28841]: Started ossec-remoted…
Jul 16 06:57:09 kifarunix-demo env[28841]: Started ossec-logcollector…
Jul 16 06:57:10 kifarunix-demo env[28841]: Started ossec-monitord…
Jul 16 06:57:11 kifarunix-demo env[28841]: Started wazuh-modulesd…
Jul 16 06:57:14 kifarunix-demo env[28841]: Completed.
Jul 16 06:57:14 kifarunix-demo systemd[1]: Started Wazuh manager.

Install Wazuh API from Source

First, you need to install NodeJS before installing the Wazuh API;

curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
dnf -y install nodejs
npm config set user 0

Install the API as follows;

curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.13.1/install_api.sh && bash ./install_api.sh download

Check that the API is installed and responding (foo:bar are the default API credentials);

curl -u foo:bar -k https://127.0.0.1:55000?pretty
{
"error": 0,
"data": {
"msg": "Welcome to Wazuh HIDS API",
"api_version": "v3.13.1",
"hostname": "kifarunix-demo",
"timestamp": "Thu Jul 16 2020 07:24:35 GMT-0400 (Eastern Daylight Time)"
}
}

Installing Filebeat on CentOS 8/Fedora 32

Filebeat is the tool used to forward data from the Wazuh server to the ELK stack. We need to add the Elastic repository to the server;

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Then install Filebeat;

dnf -y install filebeat

Download the preconfigured Filebeat configuration file, which forwards Wazuh alerts to Elasticsearch;

curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.13.1/extensions/filebeat/7.x/filebeat.yml
chmod go+r /etc/filebeat/filebeat.yml

Then download the alerts template for Elasticsearch;

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.13.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Replace the default YOUR_ELASTIC_SERVER_IP placeholder in /etc/filebeat/filebeat.yml with the IP address of your Elasticsearch server.

vi /etc/filebeat/filebeat.yml
...
output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
...

Enable and start the Filebeat service;

systemctl daemon-reload
systemctl enable --now filebeat.service

To avoid unintended upgrades and version mismatches, disable the Elastic Stack repository as well;

sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

Open Ports on Firewall

You need to allow some ports on the firewall. These include;

  • 5601/tcp for external access to Kibana
  • 1514/udp to allow collection of events from agents (when configured for UDP).
  • 1515/udp for Agents registration service

firewall-cmd --add-port=5601/tcp --permanent
firewall-cmd --add-port={1514,1515}/udp --permanent

Then reload the firewall;

firewall-cmd --reload

You have successfully installed Wazuh server both from packages and sources on CentOS 8/Fedora 32.

In the next section, we will learn how to push event data/logs to Elasticsearch via the Wazuh agents.

Sending Events/Data to Wazuh Server using Wazuh Agents

Wazuh agents can be installed on client servers or workstations from which logs are collected. Agents are available for both Windows and UNIX systems.

Install Wazuh Agent on CentOS 8/Fedora 32

In this tutorial, we are going to install the Wazuh agent on another CentOS 8 server acting as the endpoint from which we are collecting logs.

Create the Wazuh Repository

Copy and paste the following content to add the Wazuh repository on the CentOS 8 agent.

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

Install Wazuh Agents on CentOS 8/Fedora 32

Once the repository is in place, you can install the Wazuh agent by running the command below;

dnf -y install wazuh-agent

The installation is now complete. The next step is to enable the agent to communicate with the manager.

Add Wazuh Agent on Wazuh Server

On the Wazuh manager, navigate to the /var/ossec/bin directory to add agents.

cd /var/ossec/bin

Run the manage_agents script;

./manage_agents

Select add an agent (A) and press ENTER.

Wazuh v3.13.1 Agent manager.
The following options are available:

(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A

Provide a name for the agent (in our case RHAgent) and the IP of the agent, then confirm.

Note the ID given to the agent.

Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
A name for the new agent: RHAgent
The IP Address of the new agent: 192.168.56.130
Confirm adding it?(y/n): y
Agent added with ID 002.

Extract Wazuh Agent Key

For an agent to communicate with the manager, the agent needs a key. Proceed to extract the agent key by typing E, then select the ID of the agent (002 in this case).

Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: centos8, IP: 192.168.56.103
ID: 002, Name: RHAgent, IP: 192.168.56.130
Provide the ID of the agent to extract the key (or '\q' to quit): 002
Agent key information for '002' is:
MDAyIFJIQWdlbnQgMTkyLjE2OC41Ni4xMzAgMzFjNTVjOGNiMzU2YmJkOTcyYzE2YjVhMDZiNzNkMGNmYTFhYmJlYWM4OTZmMGE0OWY3NzdjNjEwNTJiMGZjMQ==

Copy the key and keep it in an accessible place, as we will be using it in the next step.
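The key printed by manage_agents is base64 of the record "<agent id> <agent name> <agent ip> <64 hex characters>", and the import step on the agent rejects keys with stray spaces or newlines or that were cut off while copying. The following POSIX sh function is an added example, not part of the tutorial or of Wazuh itself: it decodes a key, checks that the record is well-formed, and optionally cross-checks the ID, name and IP against what manage_agents reported, so a bad paste is caught before the agent is restarted with it. SAMPLE_KEY is the demo key shown above; the name wazuh_key_check and the "any"/CIDR handling of the IP field are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial or from Wazuh): validate a Wazuh agent
# key before importing it with manage_agents "I".
# Key layout (base64-encoded): "<id> <name> <ip> <64 hex chars>".
# SAMPLE_KEY is the demo key printed by manage_agents in the tutorial above.

SAMPLE_KEY='MDAyIFJIQWdlbnQgMTkyLjE2OC41Ni4xMzAgMzFjNTVjOGNiMzU2YmJkOTcyYzE2YjVhMDZiNzNkMGNmYTFhYmJlYWM4OTZmMGE0OWY3NzdjNjEwNTJiMGZjMQ=='

# wazuh_key_check KEY [ID] [NAME] [IP]
# Prints "<id> <name> <ip>" and returns 0 when KEY decodes to a well-formed
# agent record that matches the optional expected ID/NAME/IP; returns 1 otherwise.
wazuh_key_check() {
    want_id=$2 want_name=$3 want_ip=$4
    # Copy/paste often introduces spaces or newlines; the agent rejects those,
    # so strip them before decoding.
    key=$(printf '%s' "$1" | tr -d ' \t\r\n')
    decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null) || return 1
    # Exactly four whitespace-separated fields are expected.
    set -- $decoded
    [ $# -eq 4 ] || return 1
    id=$1 name=$2 ip=$3 secret=$4
    # Agent IDs are three digits (001, 002, ...).
    case $id in [0-9][0-9][0-9]) ;; *) return 1 ;; esac
    # The secret is 64 hex characters; anything shorter means the key was cut off.
    [ ${#secret} -eq 64 ] || return 1
    case $secret in *[!0-9a-f]*) return 1 ;; esac
    # Assumption: the IP field is "any", a dotted quad, or a dotted quad with a
    # /prefix; reject anything else.
    if [ "$ip" != any ]; then
        addr=${ip%%/*}
        old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
        [ $# -eq 4 ] || return 1
        for octet in "$@"; do
            case $octet in ''|*[!0-9]*) return 1 ;; esac
            [ "$octet" -le 255 ] || return 1
        done
    fi
    # Cross-check against what manage_agents reported, when given.
    [ -z "$want_id" ]   || [ "$want_id" = "$id" ]     || return 1
    [ -z "$want_name" ] || [ "$want_name" = "$name" ] || return 1
    [ -z "$want_ip" ]   || [ "$want_ip" = "$ip" ]     || return 1
    printf '%s %s %s\n' "$id" "$name" "$ip"
}

# Usage on the agent, before running manage_agents "I":
#   wazuh_key_check "$SAMPLE_KEY" 002 RHAgent 192.168.56.130 || echo "key is not valid"
```

The function only inspects the record structure; it cannot tell whether the secret matches what the manager stored, so a key that passes here but belongs to a different agent will still fail to authenticate. Run it with the ID, name and IP from the "Agent added with ID" output to catch that case as well.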

Set the Wazuh Server Address on Wazuh Agent

On the agent, edit the file /var/ossec/etc/ossec.conf and set the Wazuh manager IP address or resolvable hostname in the server block.

vim /var/ossec/etc/ossec.conf
...
<server>
  <address>192.168.56.145</address>
  <port>1514</port>
  <protocol>udp</protocol>
</server>
...

Save and quit.

Navigate to /var/ossec/bin and run the manage_agents script to import the agent key.

cd /var/ossec/bin
./manage_agents

Press I to import the key previously extracted on the manager.

Provide the Key generated by the server.
The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): PASTE THE AGENT KEY HERE
Agent information:
ID:002
Name:RHAgent
IP Address:192.168.56.130
Confirm adding it?(y/n): y
Added.

Quit and restart the agent.

./ossec-control restart
wazuh-modulesd not running…
ossec-logcollector not running…
ossec-syscheckd not running…
ossec-agentd not running…
ossec-execd not running…
Wazuh v3.13.1 Stopped
Starting Wazuh v3.13.1…
Started ossec-execd…
Started ossec-agentd…
Started ossec-syscheckd…
Started ossec-logcollector…
Started wazuh-modulesd…
Completed.

Verify Agent Data Reception on Kibana

The agent registration is complete. Let us check its data from the Wazuh module in Kibana.

[Image: Wazuh module in Kibana]

Navigate to Wazuh > Modules > Security Events to view security-related events and dashboards.

[Image: Security Events dashboard in Kibana]

You can explore more of the modules, such as Auditing and Policy Monitoring, Regulatory Compliance, and Threat Detection and Response.

That marks the end of our tutorial on how to install and set up the Wazuh server on CentOS 8/Fedora 32.

Further Reading

Installing Wazuh Server on CentOS

Related Tutorials

Install OSSEC Agent on CentOS 8

Installing ELK Stack on CentOS 8

Install Elastic Stack 7 on Fedora 30/Fedora 29/CentOS 7
