{"id":803,"date":"2018-10-18T13:51:36","date_gmt":"2018-10-18T13:51:36","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=803"},"modified":"2018-10-18T14:37:55","modified_gmt":"2018-10-18T14:37:55","slug":"how-to-deploy-wazuh","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/how-to-deploy-wazuh\/","title":{"rendered":"How to deploy Wazuh"},"content":{"rendered":"

Adding the Wazuh repository<\/strong><\/span><\/p>\n

The first step to setting up Wazuh is to add the Wazuh repository to your server. If you want to download the wazuh-manager package directly, or check the compatible versions, click\u00a0here<\/a>.<\/p>\n

To set up the repository, run this command:<\/p>\n

# cat > \/etc\/yum.repos.d\/wazuh.repo <<\\EOF<\/p>\n

[wazuh_repo]
\ngpgcheck=1
\ngpgkey=https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH
\nenabled=1
\nname=Wazuh repository
\nbaseurl=https:\/\/packages.wazuh.com\/3.x\/yum\/
\nprotect=1
\nEOF<\/p>\n

For CentOS-5 and RHEL-5:<\/p>\n

# cat > \/etc\/yum.repos.d\/wazuh.repo <<\\EOF<\/p>\n

[wazuh_repo]
\ngpgcheck=1
\ngpgkey=http:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH-5
\nenabled=1
\nname=Wazuh repository
\nbaseurl=http:\/\/packages.wazuh.com\/3.x\/yum\/5\/$basearch\/
\nprotect=1
\nEOF<\/p>\n

Installing the Wazuh Manager<\/p>\n

The next step is to install the Wazuh Manager on your system:<\/p>\n

# yum install wazuh-manager<\/p>\n

Once the process is complete, you can check the service status with:<\/p>\n

    \n
  1. For Systemd:<\/li>\n<\/ol>\n

    # systemctl status wazuh-manager<\/p>\n

      \n
    1. For SysV Init:<\/li>\n<\/ol>\n

      # service wazuh-manager status<\/p>\n

      Installing the Wazuh API<\/p>\n

        \n
      1. NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend that you add the official NodeJS repository like this:<\/li>\n<\/ol>\n

        # curl –silent –location https:\/\/rpm.nodesource.com\/setup_8.x | bash –<\/p>\n

        and then, install NodeJS:<\/p>\n

        # yum install nodejs<\/p>\n

          \n
        1. Python >= 2.7 is required in order to run the Wazuh API. It is installed by default or included in the official repositories in most Linux distributions.<\/li>\n<\/ol>\n

          To determine if the python version on your system is lower than 2.7, you can run the following:<\/p>\n

          # python –version<\/p>\n

           <\/p>\n

          It is possible to set a custom Python path for the API in “\/var\/ossec\/api\/configuration\/config.js“, in case the stock version of Python in your distro is too old:<\/p>\n

          config.python =<\/strong> [<\/p>\n

          \/\/ Default installation<\/em><\/p>\n

          {<\/p>\n

          bin:<\/strong> “python”,<\/p>\n

          lib:<\/strong> “”<\/p>\n

          },<\/p>\n

          \/\/ Package ‘python27’ for CentOS 6<\/em><\/p>\n

          {<\/p>\n

          bin:<\/strong> “\/opt\/rh\/python27\/root\/usr\/bin\/python”,<\/p>\n

          lib:<\/strong> “\/opt\/rh\/python27\/root\/usr\/lib64”<\/p>\n

          }<\/p>\n

          ];<\/p>\n

          CentOS 6 and Red Hat 6 come with Python 2.6, however, you can install Python 2.7 in parallel to maintain the older version(s):<\/p>\n

            \n
          1. For CentOS 6:<\/li>\n<\/ol>\n

            # yum install -y centos-release-scl<\/strong><\/em><\/p>\n

            # yum install -y python27<\/strong><\/em><\/p>\n

              \n
            1. For RHEL 6:<\/li>\n<\/ol>\n

              # yum install python27<\/strong><\/em><\/p>\n

               <\/p>\n

              You may need to first enable a repository in order to get python27, with a command like this:<\/p>\n

              #\u00a0\u00a0 yum-config-manager –enable rhui-REGION-rhel-server-rhscl<\/strong><\/em><\/p>\n

              #\u00a0\u00a0 yum-config-manager –enable rhel-server-rhscl-6-rpms<\/em><\/strong><\/p>\n

                \n
              1. Install the Wazuh API. It will update NodeJS if it is required:<\/li>\n<\/ol>\n

                # yum install wazuh-api<\/strong><\/em><\/p>\n

                  \n
                1. Once the process is complete, you can check the service status with:<\/li>\n<\/ol>\n
                    \n
                  1. For Systemd:<\/li>\n<\/ol>\n

                    # systemctl status wazuh-api<\/strong><\/em><\/p>\n

                      \n
                    1. For SysV Init:<\/li>\n<\/ol>\n

                      # service wazuh-api status<\/p>\n

                      Installing Filebeat<\/strong><\/span><\/p>\n

                      Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to the Logstash service on the Elastic Stack server(s).<\/p>\n

                      Warning<\/strong><\/p>\n

                      In a single-host architecture (where Wazuh server and Elastic Stack are installed in the same system), the installation of Filebeat is not needed since Logstash will be able to read the event\/alert data directly from the local filesystem without the assistance of a forwarder.<\/p>\n

                      The RPM package is suitable for installation on Red Hat, CentOS and other modern RPM-based systems.<\/p>\n

                        \n
                      1. Install the GPG keys from Elastic and then the Elastic repository:<\/li>\n<\/ol>\n

                        # rpm –import https:\/\/packages.elastic.co\/GPG-KEY-elasticsearch<\/p>\n

                         <\/p>\n

                        # cat > \/etc\/yum.repos.d\/elastic.repo << EOF<\/p>\n

                        [elasticsearch-6.x]
                        \nname=Elasticsearch repository for 6.x packages
                        \nbaseurl=https:\/\/artifacts.elastic.co\/packages\/6.x\/yum
                        \ngpgcheck=1
                        \ngpgkey=https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch
                        \nenabled=1
                        \nautorefresh=1
                        \ntype=rpm-md
                        \nEOF<\/p>\n

                          \n
                        1. Install Filebeat Note: If you are doing an all in one setup do not install filebeat<\/strong><\/li>\n<\/ol>\n

                          # yum install filebeat-6.4.2<\/strong><\/em><\/p>\n

                            \n
                          1. Download the Filebeat configuration file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Logstash:<\/li>\n<\/ol>\n

                            # curl -so \/etc\/filebeat\/filebeat.yml https:\/\/raw.githubusercontent.com\/wazuh\/wazuh\/3.6\/extensions\/filebeat\/filebeat.yml<\/p>\n

                              \n
                            1. Edit the file\u00a0\/etc\/filebeat\/filebeat.ymland replace\u00a0ELASTIC_SERVER_IP\u00a0with the IP address or the hostname of the Elastic Stack server. For example:<\/li>\n<\/ol>\n

                              output:<\/p>\n

                              logstash:<\/p>\n

                              hosts: [“ELASTIC_SERVER_IP:5000”]<\/p>\n

                                \n
                              1. Enable and start the Filebeat service:<\/li>\n<\/ol>\n
                                  \n
                                1. For Systemd:<\/li>\n<\/ol>\n

                                  # systemctl daemon-reload<\/strong><\/em><\/p>\n

                                  # systemctl enable filebeat.service<\/strong><\/em><\/p>\n

                                  # systemctl start filebeat.service<\/strong><\/em><\/p>\n

                                    \n
                                  1. For SysV Init:<\/li>\n<\/ol>\n

                                    # chkconfig –add filebeat<\/strong><\/em><\/p>\n

                                    # service filebeat start<\/strong><\/em><\/p>\n

                                    Next steps<\/p>\n

                                    Once you have installed the manager, API and Filebeat (only needed for distributed architectures), you are ready to install<\/p>\n

                                    \u00a0<\/u><\/strong><\/p>\n

                                    Installing Elastic Stack<\/strong><\/h1>\n

                                    This guide describes the installation of an Elastic Stack server comprised of Logstash, Elasticsearch, and Kibana. We will illustrate package-based installations of these components. You can also install them from binary tarballs, however, this is not preferred or supported under Wazuh documentation.<\/p>\n

                                    In addition to Elastic Stack components, you will also find the instructions to install and configure the Wazuh app (deployed as a Kibana plugin).<\/p>\n

                                    Depending on your operating system you can choose to install Elastic Stack from RPM or DEB packages. Consult the table below and choose how to proceed:<\/p>\n

                                    Install Elastic Stack with RPM packages<\/strong><\/h1>\n

                                    The RPM packages are suitable for installation on Red Hat, CentOS and other RPM-based systems.<\/p>\n

                                    Note<\/strong><\/p>\n

                                    Many of the commands described below need to be executed with root user privileges.<\/p>\n

                                    Preparation<\/h2>\n
                                      \n
                                    1. Oracle Java JRE 8 is required by Logstash and Elasticsearch.<\/li>\n<\/ol>\n

                                      Note<\/strong><\/p>\n

                                      The following command accepts the necessary cookies to download Oracle Java JRE. Please, visit\u00a0Oracle Java 8 JRE Download Page<\/a>\u00a0for more information.<\/p>\n

                                      # curl -Lo jre-8-linux-x64.rpm –header “Cookie: oraclelicense=accept-securebackup-cookie” “https:\/\/download.oracle.com\/otn-pub\/java\/jdk\/8u191-b12\/2787e4a523244c269598db4e85c51e0c\/jre-8u191-linux-x64.rpm”<\/p>\n

                                      Now, check if the package was download successfully:<\/p>\n

                                      # rpm -qlp jre-8-linux-x64.rpm > \/dev\/null 2>&1 &&<\/strong> echo “Java package downloaded successfully” ||<\/strong> echo “Java package did not download successfully”<\/p>\n

                                      Finally, install the RPM package using yum:<\/p>\n

                                      # yum -y install jre-8-linux-x64.rpm# rm -f jre-8-linux-x64.rpm<\/p>\n

                                        \n
                                      1. Install the Elastic repository and its GPG key:<\/li>\n<\/ol>\n

                                        # rpm –import https:\/\/packages.elastic.co\/GPG-KEY-elasticsearch\u00a0# cat > \/etc\/yum.repos.d\/elastic.repo << EOF[elasticsearch-6.x]name=Elasticsearch repository for 6.x packagesbaseurl=https:\/\/artifacts.elastic.co\/packages\/6.x\/yumgpgcheck=1gpgkey=https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearchenabled=1autorefresh=1type=rpm-mdEOF<\/p>\n

                                        Elasticsearch<\/h2>\n

                                        Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see\u00a0Elasticsearch<\/a>.<\/p>\n

                                          \n
                                        1. Install the Elasticsearch package:<\/li>\n<\/ol>\n

                                          # yum install elasticsearch-6.4.2<\/p>\n

                                            \n
                                          1. Enable and start the Elasticsearch service:<\/li>\n
                                          2. For Systemd:<\/li>\n<\/ol>\n

                                            # systemctl daemon-reload# systemctl enable elasticsearch.service# systemctl start elasticsearch.service<\/p>\n

                                              \n
                                            1. For SysV Init:<\/li>\n<\/ol>\n

                                              # chkconfig –add elasticsearch# service elasticsearch start<\/p>\n

                                              It\u2019s important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the shown below:<\/p>\n

                                              # curl “localhost:9200\/?pretty”\u00a0{\u00a0 “name” : “Zr2Shu_”,\u00a0 “cluster_name” : “elasticsearch”,\u00a0 “cluster_uuid” : “M-W_RznZRA-CXykh_oJsCQ”,\u00a0 “version” : {\u00a0\u00a0\u00a0 “number” : “6.4.2”,\u00a0\u00a0\u00a0 “build_flavor” : “default”,\u00a0\u00a0\u00a0 “build_type” : “rpm”,\u00a0\u00a0\u00a0 “build_hash” : “053779d”,\u00a0\u00a0\u00a0 “build_date” : “2018-07-20T05:20:23.451332Z”,\u00a0\u00a0\u00a0 “build_snapshot” : false,\u00a0\u00a0\u00a0 “lucene_version” : “7.3.1”,\u00a0\u00a0\u00a0 “minimum_wire_compatibility_version” : “5.6.0”,\u00a0\u00a0\u00a0 “minimum_index_compatibility_version” : “5.0.0”\u00a0 },\u00a0 “tagline” : “You Know, for Search”}<\/p>\n

                                                \n
                                              1. Load the Wazuh template for Elasticsearch:<\/li>\n<\/ol>\n

                                                # curl https:\/\/raw.githubusercontent.com\/wazuh\/wazuh\/3.6\/extensions\/elasticsearch\/wazuh-elastic6-template-alerts.json | curl -XPUT ‘http:\/\/localhost:9200\/_template\/wazuh’ -H ‘Content-Type: application\/json’ -d @-<\/p>\n

                                                Note<\/strong><\/p>\n

                                                It is recommended that the default configuration be edited to improve the performance of Elasticsearch. To do so, please see\u00a0Elasticsearch tuning<\/a>.<\/p>\n

                                                 <\/p>\n

                                                Logstash<\/p>\n

                                                Logstash is the tool that collects, parses, and forwards data to Elasticsearch for indexing and storage of all logs generated by the Wazuh server. For more information, please see\u00a0Logstash<\/a>.<\/p>\n

                                                  \n
                                                1. Install the Logstash package:<\/li>\n<\/ol>\n

                                                  # yum install logstash-6.4.2<\/p>\n

                                                    \n
                                                  1. Download the Wazuh configuration file for Logstash:<\/li>\n<\/ol>\n