Integrate Wazuh Manager with ELK Stack


Last updated on April 29th, 2022 at 11:49 pm

In this tutorial, you will learn how to integrate Wazuh manager with the ELK stack to form a unified Security Information and Event Management (SIEM) tool. Wazuh consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes the data gathered by the agents. Wazuh integrates with the Elastic Stack, which provides the search engine and the data visualization tool that let users navigate their security alerts.

Integrate Wazuh Manager with ELK Stack

There are two deployment methods for integrating Wazuh manager with the ELK stack:

  • All-in-one deployment, where all the Wazuh and ELK components are installed on a single node. Suitable for testing or small working environments.
  • Distributed deployment, where each component is installed on a separate node. Provides high availability and scalability and is hence suitable for large working environments.

This tutorial uses the all-in-one deployment method to integrate Wazuh manager with the ELK stack.

Also NOTE that this setup runs on a Debian 10 system, and all commands are run as root.

Install Wazuh Server on Debian 10

Create Wazuh Repository on Debian 10

apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor > /etc/apt/trusted.gpg.d/wazuh.gpg
echo "deb https://packages.wazuh.com/4.x/apt stable main" | tee /etc/apt/sources.list.d/wazuh.list

Update the package information:

apt update

Install Wazuh server on Debian 10

Next, install Wazuh manager on Debian 10.

apt install wazuh-manager

Once the installation is complete, you can start and enable Wazuh-manager to run on system boot;

systemctl enable --now wazuh-manager

Install ELK/Elastic Stack on Debian 10

If you want, you can deploy Open Distro for Elasticsearch instead, but this setup uses the "usual" ELK/Elastic stack.

According to the Wazuh compatibility matrix, Elastic Stack 7.14.2 is compatible with the current version (as of this writing) of Wazuh manager, v4.2.6. The exact versions matter: the Wazuh Kibana plugin is built for one Kibana release and will not load against another.

Hence, install ELK/Elastic 7.14.2 on Debian 10 as follows.

Create Elastic repository on Debian 10;

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/trusted.gpg.d/elastic.gpg
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
apt update

Install Elastic Stack on Debian 10

Next, install ELK stack v7.14.2 on Debian 10. Only Elasticsearch, Kibana and Filebeat are needed here; Logstash is not part of this pipeline, since Filebeat ships the Wazuh alerts straight to Elasticsearch. Pin the versions explicitly, and consider marking the three packages as held afterwards so that a routine apt upgrade cannot move Kibana away from the release the Wazuh plugin was built for.

apt install elasticsearch=7.14.2 kibana=7.14.2 filebeat=7.14.2

Configure Elasticsearch

Elasticsearch runs fine with its default settings. In this setup, however, we adjust a few of them: the JVM minimum and maximum heap size and the discovery type.

To set the JVM heap size, create a file under /etc/elasticsearch/jvm.options.d/ (files there override the packaged jvm.options and survive package upgrades) and set Xms and Xmx according to the memory available on your server.

vim /etc/elasticsearch/jvm.options.d/jvm.custom.options

Set both to the same value; this setup uses 512 MB, which is enough for a test node.

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms512m
-Xmx512m

Also, if you are running a single-node Elasticsearch, as in this setup, set discovery.type: single-node in the Elasticsearch configuration file.

Strictly, Elasticsearch only enforces this when it is bound to a non-loopback interface: it then runs in production mode, and its bootstrap checks require a discovery configuration. A node that listens only on the loopback address starts without it. Setting it is harmless either way. Note that >> appends on every run; check that the key is not already present before appending, because Elasticsearch rejects a configuration file with a duplicate key.

echo "discovery.type: single-node" >> /etc/elasticsearch/elasticsearch.yml

These settings are enough for now.
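The heap rule and the single-node condition described above, as an added example that is not part of the original tutorial or of the Elasticsearch project. It derives the heap from installed RAM (half of RAM, capped at 31744 MiB so the JVM keeps compressed object pointers), appends discovery.type only when the node is bound to a non-loopback address, and never appends a key twice. The file paths are the Debian package defaults; the ES_APPLY switch and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): derive the Elasticsearch heap
# size from installed RAM and make the single-node setting idempotent.
# Assumptions: Elasticsearch 7.x Debian package layout, run as root when applying.
# Set ES_APPLY=1 to write the files; otherwise only the helper functions load.

ES_YML="${ES_YML:-/etc/elasticsearch/elasticsearch.yml}"
JVM_OPTS="${JVM_OPTS:-/etc/elasticsearch/jvm.options.d/jvm.custom.options}"

# Heap rule of thumb: half of RAM, never above 31744 MiB, never below 512 MiB.
# Argument: total RAM in MiB. Prints the heap size in MiB.
heap_mb_for() {
    heap=$(( $1 / 2 ))
    if [ "$heap" -gt 31744 ]; then heap=31744; fi
    if [ "$heap" -lt 512 ]; then heap=512; fi
    printf '%s\n' "$heap"
}

# Effective network.host from elasticsearch.yml; empty when unset or commented
# out, which means Elasticsearch binds to the loopback address only.
bind_host_of() {
    sed -n 's/^network\.host:[[:space:]]*//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Elasticsearch only enforces its bootstrap checks (production mode) when bound
# to a non-loopback address; only then is discovery.type: single-node required
# for a one-node cluster. Returns 0 when the setting is required.
needs_single_node() {
    case "$1" in
        ""|_local_|localhost|127.*|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# Append "key: value" only if the key is not already set; a plain `echo >>`
# duplicates the key on a second run, and Elasticsearch rejects duplicate keys.
set_once() {
    cfg=$1; key=$2; value=$3
    if grep -q "^${key}:" "$cfg" 2>/dev/null; then
        return 0
    fi
    printf '%s: %s\n' "$key" "$value" >> "$cfg"
}

# Write Xms/Xmx (same value) into a jvm.options.d override file.
write_heap_opts() {
    out=$1; heap_mb=$2
    mkdir -p "$(dirname "$out")"
    printf -- '-Xms%sm\n-Xmx%sm\n' "$heap_mb" "$heap_mb" > "$out"
}

if [ "${ES_APPLY:-0}" = "1" ]; then
    ram_mb=$(awk '/^MemTotal/ { print int($2 / 1024) }' /proc/meminfo)
    heap=$(heap_mb_for "$ram_mb")
    write_heap_opts "$JVM_OPTS" "$heap"
    host=$(bind_host_of "$ES_YML")
    if needs_single_node "$host"; then
        set_once "$ES_YML" "discovery.type" "single-node"
        mode="production (single-node discovery set)"
    else
        mode="development (loopback only, discovery setting optional)"
    fi
    echo "heap=${heap}MiB bind=${host:-loopback} mode=$mode"
fi
```

Run it once as root with ES_APPLY=1 before starting Elasticsearch; running it again leaves the configuration unchanged.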

Start and enable Elasticsearch to run on system boot;

systemctl enable --now elasticsearch

Configure Kibana

Define the IP address Kibana binds to; it is localhost by default. Replace the IP address accordingly. Keep in mind that Elastic's security features are disabled by default on a 7.x basic license, so once Kibana listens on a network interface, anyone who can reach port 5601 gets the Wazuh app, and the Elasticsearch data behind it, without authentication. Restrict access with a firewall, or enable xpack.security and Kibana authentication, before exposing it beyond a lab.

sed -i 's/#server.host: "localhost"/server.host: "192.168.59.12"/' /etc/kibana/kibana.yml

Next, configure Kibana to connect to Elasticsearch. By default, Kibana connects to Elasticsearch on localhost, and in our setup Elasticsearch is bound to the loopback address, so nothing needs to change:

ss -altnp | grep 9200
LISTEN   0        128        [::ffff:127.0.0.1]:9200                   *:*       users:(("java",pid=8580,fd=258))                                               
LISTEN   0        128                     [::1]:9200                [::]:*       users:(("java",pid=8580,fd=257))

Otherwise, uncomment the line elasticsearch.hosts: ["http://localhost:9200"] and replace the address accordingly.

Start and enable Kibana to run on system boot;

systemctl enable --now kibana

Integrate Wazuh Manager with ELK Stack

Install Wazuh Manager Kibana App

First make the Kibana plugins directory writable by the kibana user, so that the Wazuh app is installed as that user rather than as root:

chown -R kibana: /usr/share/kibana/plugins

Ensure that the plugin version to install is compatible with the currently installed versions of Kibana and Wazuh manager. The archive name encodes both: wazuh_kibana-<wazuh version>_<kibana version>-<revision>.zip.

sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.14.2-1.zip
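The version pinning mentioned under the Elastic Stack installation and the compatibility check just described, as an added example that is not part of the original tutorial or of the Wazuh project. It parses the plugin archive name, compares it with the versions dpkg reports for wazuh-manager and kibana, holds the Elastic packages, and only then installs the plugin. The PLUGIN_URL switch and the helper names are this example's own; the dpkg-query and apt-mark calls are standard Debian tooling.

```shell
#!/bin/sh
# Added example, not from the original tutorial or the Wazuh project: pin the
# Elastic packages and verify a Wazuh Kibana plugin archive against the installed
# wazuh-manager and kibana versions before installing it.
# Assumptions: Debian packaging (dpkg-query, apt-mark) and plugin archives named
# wazuh_kibana-<wazuh>_<kibana>-<revision>.zip as on packages.wazuh.com.
# Set PLUGIN_URL to the archive URL to run the live part; otherwise only the
# helper functions load.

# "wazuh_kibana-4.2.6_7.14.2-1.zip" (a path or URL) -> "4.2.6 7.14.2"
plugin_versions() {
    name=$(basename "$1" .zip)
    name=${name#wazuh_kibana-}   # 4.2.6_7.14.2-1
    name=${name%-*}              # 4.2.6_7.14.2
    printf '%s %s\n' "${name%_*}" "${name#*_}"
}

# Debian package version "4.2.6-1" -> upstream version "4.2.6"
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Returns 0 when the archive's Wazuh and Kibana versions equal the installed
# package versions passed as the second and third argument.
plugin_compatible() {
    zip=$1; manager_pkg=$2; kibana_pkg=$3
    set -- $(plugin_versions "$zip")
    if [ "$1" = "$(upstream_version "$manager_pkg")" ] && \
       [ "$2" = "$(upstream_version "$kibana_pkg")" ]; then
        return 0
    fi
    return 1
}

if [ -n "${PLUGIN_URL:-}" ]; then
    manager=$(dpkg-query -W -f='${Version}' wazuh-manager)
    kibana=$(dpkg-query -W -f='${Version}' kibana)
    if ! plugin_compatible "$PLUGIN_URL" "$manager" "$kibana"; then
        echo "$(basename "$PLUGIN_URL") does not match wazuh-manager $manager / kibana $kibana" >&2
        exit 1
    fi
    # Freeze the stack at the tested versions; `apt-mark unhold` before a planned upgrade.
    apt-mark hold elasticsearch kibana filebeat
    chown -R kibana: /usr/share/kibana/plugins
    sudo -u kibana /usr/share/kibana/bin/kibana-plugin install "$PLUGIN_URL"
fi
```

Run it as root with PLUGIN_URL set to the archive URL from the command above; a mismatch aborts before anything is changed.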

Sample output of the installation;

Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.14.2-1.zip
Transferring 34175540 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

Create the Wazuh Kibana data directory and set its ownership to the kibana user.

mkdir /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/data

Restart Kibana;

systemctl restart kibana

Configure Filebeat

Wazuh uses Filebeat to ship the alerts written by the manager (/var/ossec/logs/alerts/alerts.json) to the Elasticsearch search engine.

Make a backup of the default configuration file and replace it with the following configuration.

mv /etc/filebeat/filebeat.{yml,orig}
cat > /etc/filebeat/filebeat.yml << 'EOL'
output.elasticsearch:
  hosts: ["localhost:9200"]
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
EOL

Install Filebeat Wazuh Module:

wget -qO- https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xz -C /usr/share/filebeat/module/

Download the Wazuh alerts index template for Elasticsearch (from the 4.2 branch, matching the manager version):

wget -O /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json

Test Filebeat config;

filebeat test config
Config OK

Test the Filebeat Elasticsearch output. The TLS warning in the output is expected here, because Filebeat and Elasticsearch talk over the loopback interface on the same host; in a distributed deployment that link should be TLS-protected.

filebeat test output
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1, ::1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.14.2

Restart Kibana, Elasticsearch, Filebeat and Wazuh-manager

systemctl restart elasticsearch kibana filebeat wazuh-manager

Check the status of each service;

systemctl status elasticsearch kibana filebeat wazuh-manager
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:43:05 EDT; 2min 20s ago
     Docs: https://www.elastic.co
 Main PID: 10698 (java)
    Tasks: 64 (limit: 2359)
   Memory: 819.4M
   CGroup: /system.slice/elasticsearch.service
           ├─10698 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m 
           └─10880 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

May 11 00:42:38 debian systemd[1]: Starting Elasticsearch...
May 11 00:43:05 debian systemd[1]: Started Elasticsearch.
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:42:33 EDT; 2min 52s ago
 Main PID: 10666 (node)
    Tasks: 11 (limit: 2359)
   Memory: 285.9M
   CGroup: /system.slice/kibana.service
           └─10666 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist

May 11 00:43:15 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:15Z","tags":["info","plugins","crossClusterReplication"],"pid":10666,"message":"Your basi
May 11 00:43:15 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:15Z","tags":["info","plugins","watcher"],"pid":10666,"message":"Your basic license does n
May 11 00:43:15 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:15Z","tags":["info","plugins","monitoring","monitoring","kibana-monitoring"],"pid":10666,
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["listening","info"],"pid":10666,"message":"Server running at http://192.168.
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["info","http","server","Kibana"],"pid":10666,"message":"http server running
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:42:33 EDT; 4min 32s ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 10667 (filebeat)
    Tasks: 8 (limit: 2359)
   Memory: 31.6M
   CGroup: /system.slice/filebeat.service
           └─10667 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.d

May 11 00:42:33 debian systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:48:02 EDT; 8s ago
  Process: 11127 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    Tasks: 100 (limit: 2359)
   Memory: 277.5M
   CGroup: /system.slice/wazuh-manager.service
           ├─11179 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─11219 /var/ossec/bin/ossec-authd
           ├─11233 /var/ossec/bin/wazuh-db
           ├─11256 /var/ossec/bin/ossec-execd
           ├─11271 /var/ossec/bin/ossec-analysisd
           ├─11315 /var/ossec/bin/ossec-syscheckd
           ├─11328 /var/ossec/bin/ossec-remoted
           ├─11360 /var/ossec/bin/ossec-logcollector
           ├─11380 /var/ossec/bin/ossec-monitord
           └─11407 /var/ossec/bin/wazuh-modulesd

May 11 00:47:53 debian env[11127]: Started wazuh-db...
May 11 00:47:54 debian env[11127]: Started ossec-execd...
May 11 00:47:55 debian env[11127]: Started ossec-analysisd...
May 11 00:47:56 debian env[11127]: Started ossec-syscheckd...
May 11 00:47:57 debian env[11127]: Started ossec-remoted...
May 11 00:47:58 debian env[11127]: Started ossec-logcollector...
May 11 00:47:59 debian env[11127]: Started ossec-monitord...
May 11 00:48:00 debian env[11127]: Started wazuh-modulesd...
May 11 00:48:02 debian env[11127]: Completed.
May 11 00:48:02 debian systemd[1]: Started Wazuh manager.
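Service status only says the daemons are up. The check a practitioner wants after this step is whether alerts actually travel manager -> Filebeat -> Elasticsearch -> Kibana. The following script is an added example, not part of the original tutorial or of the Wazuh or Elastic projects; it assumes the all-in-one layout configured on this page (Elasticsearch on http://localhost:9200, Kibana on port 5601 at the address set in kibana.yml, no authentication) and reads the manager's alerts.json. The PIPELINE_CHECK switch and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: end-to-end check that alerts
# flow from the Wazuh manager through Filebeat into Elasticsearch and that
# Kibana answers. Assumes the unauthenticated all-in-one setup from this page.
# Set PIPELINE_CHECK=1 to run the live checks; otherwise only the helpers load.

ES="${ES:-http://localhost:9200}"
KIBANA="${KIBANA:-http://192.168.59.12:5601}"
ALERTS="${ALERTS:-/var/ossec/logs/alerts/alerts.json}"

# HTTP status code of a GET; "000" when the endpoint cannot be reached.
http_code() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || code=000
    printf '%s\n' "$code"
}

# Sum docs.count (7th column of _cat/indices) over wazuh-alerts-* indices read
# from stdin; prints 0 when no alert index exists yet.
alert_doc_count() {
    awk '$3 ~ /^wazuh-alerts-/ { n += $7 } END { printf "%d\n", n }'
}

# Timestamp and rule description of one alerts.json line read from stdin
# (uses the last "description" key on the line).
alert_summary() {
    sed -n 's/.*"timestamp":"\([^"]*\)".*"description":"\([^"]*\)".*/\1 \2/p'
}

# 0 when a `filebeat test output` transcript on stdin shows a server response.
filebeat_output_ok() {
    grep -q 'talk to server... OK'
}

if [ "${PIPELINE_CHECK:-0}" = "1" ]; then
    rc=0
    echo "elasticsearch health: $(http_code "$ES/_cluster/health")"
    echo "wazuh index template: $(http_code "$ES/_template/wazuh")"
    echo "kibana status:        $(http_code "$KIBANA/api/status")"
    if [ -s "$ALERTS" ]; then
        echo "last manager alert:   $(tail -n 1 "$ALERTS" | alert_summary)"
    else
        echo "no alerts written yet at $ALERTS"; rc=1
    fi
    docs=$(curl -s --max-time 5 "$ES/_cat/indices/wazuh-alerts-*" | alert_doc_count)
    echo "indexed alerts:       $docs"
    [ "$docs" -gt 0 ] || rc=1
    filebeat test output | filebeat_output_ok || { echo "filebeat cannot reach elasticsearch"; rc=1; }
    exit $rc
fi
```

Run it as root with PIPELINE_CHECK=1 a few minutes after the restart; the manager writes its own startup and integrity alerts, so "indexed alerts" should already be non-zero before any agent is enrolled. A zero there with a healthy cluster usually points at the Filebeat module or template steps.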

Accessing Kibana Web Interface

You can now access Kibana via the URL http://<server-IP-or-hostname>:5601.

Under the Kibana menu section, you should be able to see the Wazuh app.

[Screenshot: the Wazuh app listed in the Kibana menu]

When you click on the app, it takes you to the modules page;

[Screenshot: the Wazuh app modules page]

And there you go. You can now install Wazuh agents on your endpoints; they forward their logs to the Wazuh manager, whose alerts are indexed in Elasticsearch and visualized in Kibana.

That concludes our guide on how to integrate Wazuh Manager with ELK Stack.
