In this tutorial, you will learn how to install Wazuh server on Rocky Linux 8. Wazuh is an open-source platform for security visibility, threat detection, and compliance monitoring. It is a fork of OSSEC HIDS with added integration with the Elastic Stack and OpenSCAP. The Wazuh stack consists of the Wazuh server (manager), the Elastic Stack, and the Wazuh agents.

As of this writing, the current version is 4.1.
Install Wazuh Server on Rocky Linux 8
The Wazuh server's primary functions are agent registration, analysis of the data the agents send, and agent management.
Deployment Architecture
There are two deployment architectures for the Wazuh server:
- All-in-one: The Wazuh server and Elastic Stack are installed on the same host.
- Distributed: Each component is installed on a separate host as a single-node or multi-node cluster. This type of deployment provides high availability and scalability of the product, and it is convenient for large working environments.
In this tutorial, we will use the All-in-one deployment architecture.
System Requirements
Consult the documentation for the recommended system requirements.
Install Wazuh Server on Rocky Linux 8
Add the Wazuh repository
You first have to add the Wazuh repository to the server by running the command below. Keep gpgcheck=1 so every package pulled from it is verified against the Wazuh signing key.
cat > /etc/yum.repos.d/wazuh.repo << 'EOL'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOL
Import the Wazuh repository GPG key
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Install Wazuh Server on Rocky Linux 8
Run the following command to install the Wazuh server on Rocky Linux 8;
dnf -y install wazuh-manager
When the installation process is complete, start Wazuh Manager.
systemctl start wazuh-manager
You can check the status as shown below. Note that the unit is loaded but still disabled, so also run systemctl enable wazuh-manager if the manager should come back after a reboot;
systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-07-10 09:40:01 EAT; 4min 33s ago
  Process: 2847 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    Tasks: 104 (limit: 11388)
   Memory: 522.8M
   CGroup: /system.slice/wazuh-manager.service
           ├─2902 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2944 /var/ossec/bin/ossec-authd
           ├─2960 /var/ossec/bin/wazuh-db
           ├─2984 /var/ossec/bin/ossec-execd
           ├─2999 /var/ossec/bin/ossec-analysisd
           ├─3043 /var/ossec/bin/ossec-syscheckd
           ├─3060 /var/ossec/bin/ossec-remoted
           ├─3087 /var/ossec/bin/ossec-logcollector
           ├─3097 /var/ossec/bin/ossec-monitord
           └─3107 /var/ossec/bin/wazuh-modulesd

Jul 10 09:39:53 localhost.localdomain env[2847]: Started wazuh-db...
Jul 10 09:39:54 localhost.localdomain env[2847]: Started ossec-execd...
Jul 10 09:39:55 localhost.localdomain env[2847]: Started ossec-analysisd...
Jul 10 09:39:56 localhost.localdomain env[2847]: Started ossec-syscheckd...
Jul 10 09:39:58 localhost.localdomain env[2847]: Started ossec-remoted...
Jul 10 09:39:58 localhost.localdomain env[2847]: Started ossec-logcollector...
Jul 10 09:39:58 localhost.localdomain env[2847]: Started ossec-monitord...
Jul 10 09:39:59 localhost.localdomain env[2847]: Started wazuh-modulesd...
Jul 10 09:40:01 localhost.localdomain env[2847]: Completed.
Jul 10 09:40:01 localhost.localdomain systemd[1]: Started Wazuh manager.
The manager, its agents and the Elastic components must stay on matching versions, so once the manager is installed, disable the repository to keep a routine dnf update from pulling in a newer Wazuh release unintentionally.
sed -i "s/enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
Install Elastic Stack on Rocky Linux 8
Next, install Elasticsearch, Kibana, Filebeat and the Wazuh Kibana plugin to get the most out of wazuh-manager.
Before you proceed, make sure the Elastic components you install are the versions the installed wazuh-manager is compatible with; the Wazuh Kibana plugin in particular is built for one exact Wazuh and Kibana version pair.
In this demo, Wazuh-manager 4.1.5 is installed:
rpm -qa wazuh-manager
wazuh-manager-4.1.5-1.x86_64
Based on the Wazuh compatibility matrix, Wazuh 4.1.5 is compatible with Elastic 7.11.2, as of this writing.
Create Elastic Repository
With gpgcheck=1, dnf fetches the Elastic signing key from the gpgkey URL and asks you to accept it on the first install; check the fingerprint it shows before confirming.
cat > /etc/yum.repos.d/elasticstack.repo << EOL
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOL
Install Elasticsearch, Kibana and Filebeat
Based on the compatibility matrix for Wazuh 4.1.5, install Elasticsearch 7.11.2, Kibana 7.11.2 and Filebeat 7.11.2 by running the command below;
dnf install elasticsearch-7.11.2 kibana-7.11.2 filebeat-7.11.2
Sample output;
Dependencies resolved.
============================================================================
 Package          Architecture   Version     Repository        Size
============================================================================
Installing:
 elasticsearch    x86_64         7.11.2-1    elasticsearch    308 M
 filebeat         x86_64         7.11.2-1    elasticsearch     33 M
 kibana           x86_64         7.11.2-1    elasticsearch    244 M

Transaction Summary
============================================================================
Install  3 Packages

Total download size: 584 M
Installed size: 1.2 G
Is this ok [y/N]: y
Configuring Elasticsearch
There are only a few changes to make to the Elasticsearch configuration. Leave network.host at its default: Elasticsearch then binds to the loopback interface only, which is what this all-in-one layout wants, since Filebeat and Kibana reach it locally and nothing off the host can talk to it.
You can optionally set the Elastic cluster name;
sed -i 's/#cluster.name: my-application/cluster.name: wazuh-elastic/' /etc/elasticsearch/elasticsearch.yml
Next, set the JVM heap to no more than half of the host's RAM, leaving the rest for the OS page cache and the other services on this box. The test server has 2 GB RAM, so both the minimum and maximum heap are set to 512m. The sed below relies on the commented "## -Xms4g" and "## -Xmx4g" lines that ship in the 7.11 jvm.options, so check the file afterwards; Elasticsearch 7.x also reads override files from /etc/elasticsearch/jvm.options.d/, which is the method Elastic recommends over editing jvm.options in place. Set the heap in one place only.
sed -i -e '/4g/s/^## //' -e '/4g/s//512m/' /etc/elasticsearch/jvm.options
The config now looks like;
...
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms512m
-Xmx512m
...
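Rather than hand-editing jvm.options, the following added example (my own shell script, not from the page or from Elastic) derives the heap ceiling from MemTotal and writes it as a jvm.options.d override file, the mechanism Elasticsearch 7.x provides for local JVM settings. The half-of-RAM rule is the one stated above; the 26 GB cap is Elastic's conservative compressed-oops figure; the file name heap.options and the function names are my choices. The script only computes the value and writes the file; restarting Elasticsearch is left as a commented command.

```shell
#!/bin/sh
# Added example: size the Elasticsearch heap from MemTotal and write a
# jvm.options.d override. Not taken from the page or from Elastic.

# Upper bound (MB). Elastic's guidance: stay below the compressed-oops
# threshold; 26 GB is the figure it describes as safe on most systems.
ES_HEAP_CAP_MB=26624

# es_heap_mb MEMTOTAL_KB -> prints the heap size in MB: half of RAM, capped.
es_heap_mb() {
  total_kb=$1
  half_mb=$(( total_kb / 2 / 1024 ))
  if [ "$half_mb" -gt "$ES_HEAP_CAP_MB" ]; then
    half_mb=$ES_HEAP_CAP_MB
  fi
  echo "$half_mb"
}

# es_write_heap_options DIR MB -> writes DIR/heap.options with equal -Xms/-Xmx
# (Elasticsearch wants them equal so the heap never resizes at run time) and
# prints the path written. Files in jvm.options.d must end in ".options".
es_write_heap_options() {
  dir=$1
  mb=$2
  mkdir -p "$dir"
  printf '%s\n%s\n' "-Xms${mb}m" "-Xmx${mb}m" > "$dir/heap.options"
  echo "$dir/heap.options"
}

# memtotal_kb [KB] -> the MemTotal value from /proc/meminfo (kB column),
# or the argument when one is given (used to exercise the functions offline).
memtotal_kb() {
  if [ -n "$1" ]; then
    echo "$1"
    return
  fi
  awk '/^MemTotal:/ { print $2 }' /proc/meminfo
}

# Usage on a real host, as root (left commented so the script is safe to run anywhere):
# mb=$(es_heap_mb "$(memtotal_kb)")
# es_write_heap_options /etc/elasticsearch/jvm.options.d "$mb"
# systemctl restart elasticsearch
```

On the 2 GB test server this yields 1024 MB, the ceiling the rule allows; the page's 512m is a deliberately smaller choice that leaves more room for the manager and Kibana sharing the same host.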
Start and enable ES to run on system boot.
systemctl daemon-reload
systemctl enable --now elasticsearch
Verify that Elasticsearch is running as expected.
curl -XGET localhost:9200
{
  "name" : "localhost.localdomain",
  "cluster_name" : "wazuh-elastic",
  "cluster_uuid" : "G-GICWOxRH6U0y-MJ5omaw",
  "version" : {
    "number" : "7.11.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "3e5a16cfec50876d20ea77b075070932c6464c7d",
    "build_date" : "2021-03-06T05:54:38.141101Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
Configure Filebeat
Create a backup of the Filebeat configuration file.
mv /etc/filebeat/filebeat.yml{,.original}
In our setup, we use the Filebeat configuration file below; indentation is significant in YAML, so keep it as shown. You can adjust it to your liking.
cat > /etc/filebeat/filebeat.yml << 'EOL'
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["localhost:9200"]
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
EOL
Then download the Wazuh alerts index template for Elasticsearch from the 4.1 branch, matching the installed manager, and make it readable by the filebeat user:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Test Filebeat connection to Elasticsearch
filebeat test output
Sample output;
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.11.2
The TLS warning is expected in this layout: Filebeat and Elasticsearch talk over the loopback interface only. If you later move Elasticsearch to its own host, that link needs TLS and credentials before it crosses a network.
Install the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xz -C /usr/share/filebeat/module
Start and enable Filebeat to run on system boot;
systemctl daemon-reload
systemctl enable --now filebeat
Filebeat will write logs to /var/log/filebeat/ just in case you need to check something.
Configure Kibana
Define the address the Kibana server binds to. IP addresses and host names are both valid values; the default is localhost, which makes the web interface reachable only from the server itself.
In my case, the IP address of my Wazuh server is 192.168.60.19, so I configure Kibana to listen on that address.
sed -i -e '/server.host:/s/^#//' -e '/server.host:/s/localhost/192.168.60.19/' /etc/kibana/kibana.yml
Binding Kibana to a network address exposes it over plain HTTP, and with the default basic license used here neither Elasticsearch nor Kibana enforces authentication. Treat 5601/tcp as an administrative port: restrict it to trusted networks in the firewall, or put TLS and authentication in front of it before anyone else can reach it.
Install Wazuh App Kibana Plugin
mkdir /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/plugins
The plugin archive name encodes both versions it was built for, wazuh_kibana-<Wazuh version>_<Kibana version>-1.zip, so install the one matching your installed Wazuh manager (4.1.5) and Kibana (7.11.2);
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip
You can list installed plugins;
sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
Output;
wazuh@4.1.5
Start Kibana;
systemctl enable --now kibana
Restart Elasticsearch and Wazuh manager;
systemctl restart elasticsearch wazuh-manager
Open Ports on Firewall
Read about Wazuh Server ports on Required Wazuh Ports page.
You need to allow some ports on firewall. These include;
- 5601/tcp for external access to Kibana
- 1514/tcp to receive events from agents (TCP is the default in Wazuh 4.x; open 1514/udp instead if the <remote> block in /var/ossec/etc/ossec.conf sets <protocol>udp</protocol>)
- 1515/tcp for the agent enrollment (registration) service, ossec-authd, which listens on TCP only
Elasticsearch (9200/tcp) and the Wazuh API (55000/tcp, used by the Kibana plugin) are reached only from this host in the all-in-one layout and stay closed.
firewall-cmd --add-port=5601/tcp --permanent
firewall-cmd --add-port=1514/tcp --permanent
firewall-cmd --add-port=1515/tcp --permanent
If the manager is configured to receive agent events over UDP, open 1514/udp as well;
firewall-cmd --add-port=1514/udp --permanent
Then reload the firewall
firewall-cmd --reload
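Because the port list depends on what ossec.conf says, here is an added example (my own script, not the page's or Wazuh's) that reads the <remote> and <auth> blocks and prints the matching firewall-cmd lines, so you can confirm the firewall opens exactly what the manager listens on, including the UDP case. The ossec.conf excerpt inside write_sample_conf is constructed for the demo; the defaults applied when an element is absent (1514/tcp for remoted, 1515/tcp for authd) follow Wazuh 4.x; the function names are mine. In real use, point wazuh_listen_ports at /var/ossec/etc/ossec.conf.

```shell
#!/bin/sh
# Added example: derive the Wazuh manager's listener ports from ossec.conf
# and emit firewall-cmd lines. Not taken from the page or from Wazuh.

# write_sample_conf FILE -> writes a constructed ossec.conf excerpt (demo data only).
write_sample_conf() {
  cat > "$1" <<'EOF'
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
  </auth>
</ossec_config>
EOF
}

# wazuh_listen_ports CONF -> one "port/proto" line per listener.
# Defaults when an element is missing: remoted 1514/tcp, authd 1515/tcp.
# A comma-separated <protocol> list yields one line per protocol.
wazuh_listen_ports() {
  awk '
    function text(s) { sub(/^[^>]*>/, "", s); sub(/<.*$/, "", s); return s }
    /<remote>/  { in_remote = 1; port = "1514"; proto = "tcp" }
    in_remote && /<port>/     { port = text($0) }
    in_remote && /<protocol>/ { proto = tolower(text($0)) }
    /<\/remote>/ {
      in_remote = 0
      n = split(proto, p, ",")
      for (i = 1; i <= n; i++) { gsub(/ /, "", p[i]); print port "/" p[i] }
    }
    /<auth>/ { in_auth = 1; aport = "1515"; adis = "no" }
    in_auth && /<port>/     { aport = text($0) }
    in_auth && /<disabled>/ { adis = text($0) }
    /<\/auth>/ { in_auth = 0; if (adis != "yes") print aport "/tcp" }
  ' "$1"
}

# firewall_cmds CONF -> firewall-cmd lines for the manager listeners, Kibana
# on 5601/tcp, and the final reload. Review the output, then run it as root.
firewall_cmds() {
  wazuh_listen_ports "$1" | sort -u | while read -r p; do
    echo "firewall-cmd --permanent --add-port=$p"
  done
  echo "firewall-cmd --permanent --add-port=5601/tcp"
  echo "firewall-cmd --reload"
}

# Demo run against the constructed excerpt.
conf=$(mktemp)
write_sample_conf "$conf"
firewall_cmds "$conf"
rm -f "$conf"
```

With the constructed excerpt the script prints a 1514/udp rule and no 1514/tcp rule, which is the mistake the bullet list warns about: the protocol the agents are told to use must be the one the firewall admits.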
Accessing Kibana Web Interface
You can now access Kibana web interface via the address http://server-IP-or-hostname:5601.
Wazuh App dashboard
In the next guide, you will learn how to push event data/logs to Wazuh server.
Install Wazuh Agent on Rocky Linux 8
That marks the end of our tutorial on how to Install Wazuh Server on Rocky Linux 8.
Further Reading
Installing Wazuh Server on CentOS
Related Tutorials
Install OSSEC Agent on CentOS 8
Installing ELK Stack on CentOS 8
Install Elastic Stack 7 on Fedora 30/Fedora 29/CentOS 7