Install Wazuh SIEM Server on Ubuntu 24.04

Kifarunix
|
Last Updated:
|
Security, HowTos, Monitoring, Wazuh
|
2 Comments

In this tutorial, you will learn how to install Wazuh SIEM server on Ubuntu 24.04. The Wazuh platform offers XDR and SIEM functionalities aimed at safeguarding your cloud, container, and server workloads. These capabilities encompass the analysis of log data, detection of intrusions and malware, monitoring file integrity, assessing configurations, identifying vulnerabilities, and ensuring compliance with regulatory standards.

Installing Wazuh SIEM Server on Ubuntu 24.04

Wazuh SIEM Capabilities

Wazuh can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. Wazuh provides the following capabilities:

  • Security Analytics
  • Intrusion Detection
  • Log Data Analysis
  • File Integrity Monitoring
  • Vulnerability Detection
  • Configuration Assessment
  • Incident Response
  • Regulatory Compliance
  • Cloud Security Monitoring
  • Containers Security

Major Wazuh SIEM Server Components

Wazuh SIEM server is made up of various components;

  • Wazuh Indexer: This is a highly scalable, full-text search and analytics engine that indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. Wazuh indexer is a open source fork of OpenSearch.. It can be installed on the same node as Wazuh server and dashboard or on an individual node if you are using a distributed setup.
  • Wazuh Server: The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when threats or anomalies are detected. It is also used to remotely manage the agents’ configuration and monitor their status.
  • Wazuh Dashboard: It provides intuitive web interface for mining, analyzing, and visualizing security data. It provides out-of-the-box dashboards, allowing you to seamlessly navigate through the user interface.
  • Wazuh agent. These are the agents installed and run on the endpoints that the user wants to monitor. It communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel for processing.

Wazuh SIEM System Hardware Requirements

Each Wazuh SIEM server component requires various system hardware specs to function optimally.

Below are the minimum and recommended hardware requirements for each component.

  • Wazuh Indexer:
    • Minimum: 4 GB RAM, 2 CPU cores
    • Recommended: 16 GB RAM, 8 CPU cores
    • Disk: disk space required varies with the number of generated alerts per second (APS).
  • Wazuh Server:
    • Minimum: 2 GB RAM, 2 CPU cores
    • Recommended: 4 GB RAM, 8 CPU cores
    • Disk: disk space required varies with the number of generated alerts per second (APS).
  • Wazuh Dashboard:
    • Minimum: 4 GB RAM, 2 CPU cores
    • Recommended: 8 GB RAM, 4 CPU cores
    • Disk: disk space required varies with the number of generated alerts per second (APS).

In this tutorial, we will be installing the major components of Wazuh on a single node. Hence, here are our system hardware specs.

RAM: 16G

free -h
               total        used        free      shared  buff/cache   available
Mem:            15Gi       3.9Gi        10Gi       1.2Mi       1.2Gi        11Gi
Swap:          2.0Gi          0B       2.0Gi

CPU Cores:

nproc --all
8

Disk space;

df -hT -P /
Filesystem                        Type  Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv ext4   98G  7.6G   86G   9% /

Next, proceed to install Wazuh SIEM server. As already mentioned, we will install a single node deployment with Wazuh indexer, Wazuh siem and Wazuh dashboard.

Install Wazuh Indexer on Ubuntu 24.04

Install Wazuh Repository on Ubuntu 24.04

To smoothly run the installation of Wazuh SIEM components on Ubuntu 24.04, you need to install Wazuh repository.

Thus, to begin with, install Wazuh repository GPG signing key on Ubuntu 24.04.

sudo su -
apt install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
gpg --dearmor > /etc/apt/trusted.gpg.d/wazuh.gpg

Install the Wazuh 4.x repository;

echo "deb https://packages.wazuh.com/4.x/apt stable main" > /etc/apt/sources.list.d/wazuh.list

Install Wazuh Indexer on Ubuntu 24.04

Update the package cache;

apt update

Next, install Wazuh SIEM server.

apt install wazuh-indexer

Generate Wazuh SSL/TLS Certificates

Generate SSL/TLS certificates that will be used to encrypt communication between the Wazuh SIEM components.

Wazuh provides some tools that can be used to generate the certificates.

Replace the value of the VER below with the current major release version of Wazuh;

VER=4.7

Then, download the tools required to generate the certificates;

wget https://packages.wazuh.com/${VER}/wazuh-certs-tool.sh

Download a configuration file that helps you to define the IP address and name of each Wazuh node.

wget https://packages.wazuh.com/${VER}/config.yml

By default, this is how the configuration looks like;

cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"

You can edit the configuration file and replace the nodes names and IP addresses with your respective names and IP/hostnames based on your architecture.

Since we are running a single node cluster of Wazuh SIEM server, this how our final config.yml looks like

cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: indexer
      ip: "192.168.122.149"
  # Wazuh server nodes
  server:
    - name: wazuh
      ip: "192.168.122.149"

  # Wazuh dashboard nodes
  dashboard:
    - name: dash
      ip: "192.168.122.149"

Save the updated configuration file and generate the SSL/TLS certificates for Wazuh components using the wazuh-certs-tool.sh script. 

bash ./wazuh-certs-tool.sh -A

Option -A or –all allows generation of all commands.

Sample output;

29/02/2024 17:06:03 INFO: Admin certificates created.
29/02/2024 17:06:03 INFO: Wazuh indexer certificates created.
29/02/2024 17:06:04 INFO: Wazuh server certificates created.
29/02/2024 17:06:04 INFO: Wazuh dashboard certificates created.

You can see other options using;

bash wazuh-certs-tool.sh --help

The generated certs are placed under wazuh-certificates directory created in the current working directory.

ls -1 wazuh-certificates
admin-key.pem
admin.pem
dash-key.pem
dash.pem
indexer-key.pem
indexer.pem
root-ca.key
root-ca.pem
wazuh-key.pem
wazuh.pem

Configure Wazuh Indexer on Ubuntu 24.04

Since we are running a single node Wazuh, there are only a few things we will update on the Wazuh indexer configuration.

The default Wazuh indexer configuration is /etc/wazuh-indexer/opensearch.yml.

This is how it looks like by default;

cat /etc/wazuh-indexer/opensearch.yml
network.host: "0.0.0.0"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
#discovery.seed_hosts:
#  - "node-1-ip"
#  - "node-2-ip"
#  - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true

As already mentioned, for a single node, there are only a changes we will make here:

  • network.host: We will leave default setting to allow Wazuh indexer to listen on all interfaces for both HTTP and Transport (if we had a cluster) connections.
  • node.name: Set to the name of the indexer as defined config.yml used in generating the SSL/TLS certs.
  • cluster.initial_master_nodes: used during the initial setup of a cluster to identify the master-eligible nodes. It is more relevant when running a multi-node cluster. The value of this setting must exactly match the node.name value(s) based on your cluster architecture.
  • cluster.name: defines cluster name. You can leave default or define your own.
  • plugins.security.nodes_dn: This setting is used to specify the Distinguished Names (DN) of the nodes that are allowed to join the cluster. You can obtain the value using openssl command;

You can get DN using the command below;

openssl x509 -noout -subject -in wazuh-certificates/indexer.pem
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = indexer

This is how our updated Wazuh indexer configuration looks like;

cat /etc/wazuh-indexer/opensearch.yml
network.host: "0.0.0.0"
node.name: "indexer"
cluster.initial_master_nodes:
- "indexer"
cluster.name: "wazuh-cluster"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

compatibility.override_main_response_version: true

Next, copy the generated SSL/TLS certs for Wazuh indexer as well as the Admin certs/key to certs directory as defined in the /etc/wazuh-indexer/opensearch.yml configuration file.

See;

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem

Thus, create the directory and copy certs;

mkdir /etc/wazuh-indexer/certs/
cp wazuh-certificates/{root-ca.pem,indexer.pem,indexer-key.pem,admin.pem,admin-key.pem} /etc/wazuh-indexer/certs/

Should now look like;

ls -1 /etc/wazuh-indexer/certs/*
/etc/wazuh-indexer/certs/admin-key.pem
/etc/wazuh-indexer/certs/admin.pem
/etc/wazuh-indexer/certs/indexer-key.pem
/etc/wazuh-indexer/certs/indexer.pem
/etc/wazuh-indexer/certs/root-ca.pem

Update the permissions and set the ownership of the SSL/TLS certs to wazuh-indexer;

chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer: /etc/wazuh-indexer/certs

Start and Initialize Wazuh Indexer Cluster

You can now start and enable Wazuh indexer to run on system boot. Ensure there is no service listening in port 9200/tcp.

systemctl enable --now wazuh-indexer
systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-02-29 17:45:06 UTC; 25s ago
       Docs: https://documentation.wazuh.com
   Main PID: 5400 (java)
      Tasks: 90 (limit: 18952)
     Memory: 1.3G (peak: 1.3G)
        CPU: 23.804s
     CGroup: /system.slice/wazuh-indexer.service
             └─5400 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+Alway>

Feb 29 17:44:59 elk.kifarunix-demo.com systemd[1]: Starting wazuh-indexer.service - Wazuh-indexer...
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share>
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager will be removed in a future release
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/w>
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager will be removed in a future release
Feb 29 17:45:06 elk.kifarunix-demo.com systemd[1]: Started wazuh-indexer.service - Wazuh-indexer.

Next, execute the “/usr/share/wazuh-indexer/bin/indexer-security-init.sh” script on a Wazuh indexer node to apply the updated certificate information and start the single-node cluster.

/usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

The Wazuh indexer (opensearch) should now be running. Confirm the ports;

ss -atlnp | grep -E "92|93"
LISTEN 0 4096 *:9200 *:* users:((“java”,pid=5400,fd=565)) LISTEN 0 4096 *:9300 *:* users:((“java”,pid=5400,fd=563))

Or;

curl -k -XGET https://localhost:9200 -u admin

When prompted for password, default is admin.

Enter host password for user 'admin':
{
  "name" : "indexer",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "m5qZ7M3xRdaJ-t9X5AlL0Q",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Install Wazuh Server/Manager on Ubuntu 24.04

Since you already have the Wazuh repository installed, simply execute the command below to install Wazuh server on Ubuntu 24.04.

apt install wazuh-manager

Once the installation is complete, you can start and enable Wazuh-manager to run on system boot;

systemctl enable --now wazuh-manager

Open Wazuh Manager Port on Firewall. Usually, the Wazuh agents is set to communicate with Wazuh manager via TCP port 1514 by default.

ss -alnptu | grep -i wazuh
tcp   LISTEN 0      128                   0.0.0.0:1514       0.0.0.0:*    users:(("wazuh-remoted",pid=49410,fd=4))               
tcp   LISTEN 0      128                   0.0.0.0:1515       0.0.0.0:*    users:(("wazuh-authd",pid=49236,fd=3))

Thus, open port 1514/tcp on Wazuh manager.

iptables -A INPUT -p tcp --dport 1514 -j ACCEPT

Or

ufw allow 1514/tcp

Also, allow port 1515/tcp for agent registration;

iptables -A INPUT -p tcp --dport 1515 -j ACCEPT

Or

ufw allow 1515/tcp

Read more on required ports.

Install and Configure Filebeat for Wazuh Manager

Install Filebeat

Filebeat is required to ship logs and event data to the Wazuh indexer, where they are indexed and stored for efficient searching and analysis.

As of this writing, Wazuh indexer v4.7.2 is compatible with Filebeat-OSS 7.10.2, which is provided by the Wazuh repository.

apt-cache policy filebeat
filebeat:
  Installed: (none)
  Candidate: 7.10.2
  Version table:
     7.10.2 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     7.10.0 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     7.9.1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages

Thus, install Filebeat using the command below;

apt install filebeat

Configure Filebeat

Once the installation is done, make a backup of the default configuration file

mv /etc/filebeat/filebeat.yml{,.stock}

Run the command below to create new Filebeat configuration file with the following configs.

cat > /etc/filebeat/filebeat.yml << 'EOL'
output.elasticsearch:
  hosts: ["192.168.122.149:9200"]
  protocol: https
  username: admin
  password: admin
  ssl.certificate_authorities: "/etc/filebeat/certs/root-ca.pem"
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
EOL

Note, IP address used on the hosts setting should match the one defined while generating ssl certs.

If you want, you can use Filebeat keystore to store the credentials in variables rather than plain text as in above configuration.

To store credentials in keystore, create the keystore;

filebeat keystore create

The store the username and password in keystore using variables;

Both of the commands will prompt you to type the values of each variable.

filebeat keystore add USERNAME
filebeat keystore add PASS

You can then update the credentials on filebeat.yml by changing;

  username: admin
  password: admin

to;

  username: ${USERNAME}
  password: ${PASS}

Next, install root CA Wazuh server certificates generated before to be used by Filebeat;

mkdir /etc/filebeat/certs/

Copy the Wazuh server node certificates (cert files are named as per the Wazuh node name provided in certs config.yml) and rename them as defined in the filebeat.yml;

cp wazuh-certificates/root-ca.pem /etc/filebeat/certs/root-ca.pem
cp wazuh-certificates/wazuh.pem /etc/filebeat/certs/filebeat.pem
cp wazuh-certificates/wazuh-key.pem /etc/filebeat/certs/filebeat-key.pem

Install Filebeat Wazuh Module:

wget -qO- https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz \
| tar -xz -C /usr/share/filebeat/module/

Download and install Wazuh alerts Wazuh indexer template from the Github repo current release branch (v4.7.2 as of this writing):

wget -O /etc/filebeat/wazuh-template.json \
https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Test Filebeat config;

filebeat test config
Config OK

Test Filebeat Elasticsearch output;

filebeat test output
elasticsearch: https://192.168.122.149:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.122.149
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Start and enable Filebeat to run on system boot;

systemctl enable --now filebeat

Check status;

systemctl status filebeat

Everything is now set for the single node Wazuh SIEM server cluster.

Install Wazuh Dashboard on Ubuntu 24.04

Since you already have Wazuh repository installed, just execute the command below to install Wazuh dashboard.

apt install wazuh-dashboard

Configure Wazuh dashboard to allow external access and to connect it to Wazuh indexer.

The default configuration file for Wazuh dashboard is /etc/wazuh-dashboard/opensearch_dashboards.yml.

We will only update the Wazuh indexer address;

vim /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://192.168.122.149:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

Save and exit the file.

Install the Wazuh dashboard certificates.

mkdir /etc/wazuh-dashboard/certs/
cp wazuh-certificates/dash.pem /etc/wazuh-dashboard/certs/dashboard.pem
cp wazuh-certificates/dash-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
cp wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/

Update the permissions and set the ownership of the SSL/TLS certs to wazuh-indexer;

chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard: /etc/wazuh-dashboard/certs

Start and enable Wazuh dashboard to run on system boot;

systemctl enable --now wazuh-dashboard

Checking the status of each service;

systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-02-29 19:48:44 UTC; 3s ago
   Main PID: 52149 (node)
      Tasks: 11 (limit: 18952)
     Memory: 231.0M (peak: 237.4M)
        CPU: 3.867s
     CGroup: /system.slice/wazuh-dashboard.service
             └─52149 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist>

Feb 29 19:48:46 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:46Z","tags":["info","savedobjects-service"],"pid":52149,"m>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["info","savedobjects-service"],"pid":52149,"m>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["info","savedobjects-service"],"pid":52149,"m>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["info","savedobjects-service"],"pid":52149,"m>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["info","savedobjects-service"],"pid":52149,"m>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["info","plugins-system"],"pid":52149,"message>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["listening","info"],"pid":52149,"message":"Se>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["info","http","server","OpenSearchDashboards">
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["error","opensearch","data"],"pid":52149,"mes>
Feb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {"type":"log","@timestamp":"2024-02-29T19:48:47Z","tags":["error","opensearch","data"],"pid":52149,...

Accessing Wazuh Dashboard Web Interface

Open the Wazuh dashboard on the Firewall;

ufw allow 443/tcp

You can now access Wazuh dashboard via the url https://<server-IP-or-hostname>.

Accept the self-signed SSL cert warning and proceed to Wazuh dashboard.

The default credentials are admin/admin for user and password.

Install Wazuh SIEM Server on Ubuntu 24.04

You land on Wazuh agents dashboard.

wazuh agents dashboard

No agents are connected by default. However, there should be some default events already collected from the Wazuh manager.

For example head over to Modules > Security information management >Security Events >Dashboard or Events;

wazuh security events dashboard
wazuh siem security events

And that is it!! You have successfully setup Wazuh SIEM server, integrated with Wazuh indexer and Wazuh dashboard.

That closes our guide on installing Wazuh SIEM server on Ubuntu 24.04.

You can now go ahead and install Wazuh agents and start log collection from your end points.

Install Wazuh Agents on Linux

Easy Way to Install Wazuh Agents on Ubuntu/Debian

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
Kifarunix
Linux Certified Engineer, with a passion for open-source technology and a strong understanding of Linux systems. With experience in system administration, troubleshooting, and automation, I am skilled in maintaining and optimizing Linux infrastructure.

Related Posts

Configure Guacamole MySQL Database Authentication

Install phpMyAdmin with Nginx on FreeBSD 12

Setup Apache Guacamole OpenLDAP Authentication

Install PostgreSQL on Rocky Linux 8

Install and Configure OpenVPN Client on Rocky Linux 8

Install Zabbix Agent on Windows Systems

2 thoughts on “Install Wazuh SIEM Server on Ubuntu 24.04”

    • Hi,

      you can use the command, filebeat config test to check the Filebeat configuration issue. Ensure Filebeat is stopped before you run the command.

      Reply

Leave a Comment

© 2024 kifarunix.com

Home Advertise with us Privacy Policy