Installing and configuring Wazuh Server on CentOS 7
Wazuh is a free, open-source, and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance.
In this tutorial we set up the distributed architecture: the Wazuh manager and the Elastic Stack run on different hosts (server1 and server2). In a single-host installation both run on the same machine.
Wazuh server (server1): runs the Wazuh manager and the Wazuh API. It collects and analyzes the data sent by the agents, and runs Filebeat to forward the resulting alerts.
Elastic Stack (server2): runs Elasticsearch and Kibana with the Wazuh app. It indexes and stores the alert data forwarded from the Wazuh manager and presents it in Kibana.
Wazuh agent: runs on each monitored host, collecting log and configuration data and detecting intrusions and anomalies.
1. Installing Wazuh Server – server1
Pre-setup
Let’s set the hostname first. Launch Terminal and enter the following command:
hostnamectl set-hostname wazuh-server
Update CentOS and packages:
yum update -y
Next, install NTP so that the manager, the Elastic node and the agents keep the same time (alert timestamps and log correlation depend on it), and check its service status:
yum install ntp
systemctl status ntpd
If the service is not running, start it:
systemctl start ntpd
Enable NTP on system boot:
systemctl enable ntpd
An NTP client needs no inbound firewall rule. Only if this host will also serve time to other machines, allow the NTP service through firewalld:
firewall-cmd --add-service=ntp --zone=public --permanent
firewall-cmd --reload
Installing Wazuh Manager
Import the Wazuh package-signing key so that yum can verify the packages:
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Create the Wazuh repository file:
vim /etc/yum.repos.d/wazuh.repo
Add the following content to the file (gpgcheck=1 makes yum reject any package that is not signed with the key imported above; keep it enabled):
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
Save and exit, then confirm the repository is visible with repolist:
yum repolist
Install the Wazuh manager, pinning the version so that the manager, the API, the Filebeat files and the Kibana app stay in step:
yum install wazuh-manager-3.11.0 -y
Then check that the manager service is active:
systemctl status wazuh-manager
Installing the Wazuh API
NodeJS >= 4.6.1 is required to run the Wazuh API.
Add the official NodeJS repository. This pipes a remote script into a root shell, so download and read it first if that is not acceptable in your environment:
curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
Install NodeJS:
yum install nodejs -y
Install the Wazuh API, matching the manager version. It will update NodeJS if required:
yum install wazuh-api-3.11.0 -y
[Screenshot: Wazuh API installed]
Check the status of wazuh-api:
systemctl status wazuh-api
The API ships with default credentials (user foo, password bar). Replace them before anything can reach port 55000. The htpasswd helper lives in the API's auth directory:
cd /var/ossec/api/configuration/auth
Create the credential file with a bcrypt-hashed password for the user neeraj (-B selects bcrypt, -C 10 sets the cost, -c creates the file "user" and discards any users already in it, including the default foo; you are prompted for the password):
node htpasswd -Bc -C 10 user neeraj
Restart the API so that it loads the new credentials:
systemctl restart wazuh-api
If you need to, you can change the port manually. The file /var/ossec/api/configuration/config.js contains the parameter:
// TCP Port used by the API.
config.port = "55000";
We are not changing the default port.
Installing Filebeat
Filebeat runs on the Wazuh server and forwards alerts and archived events to Elasticsearch. Import the Elastic package-signing key first:
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Set up the repository:
vi /etc/yum.repos.d/elastic.repo
Add the following contents to the file:
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Install Filebeat, pinned to the same version as the Elasticsearch and Kibana packages you will install on server2:
yum install filebeat-7.5.1 -y
[Screenshot: Filebeat installed]
Download the Filebeat configuration file from the Wazuh repository. It is pre-configured to forward Wazuh alerts to Elasticsearch (the v3.11.0 tag matches the manager version installed above):
curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/filebeat/7.x/filebeat.yml
Adjust the file permissions:
chmod go+r /etc/filebeat/filebeat.yml
Download the alerts template for Elasticsearch:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Point Filebeat at the Elasticsearch server. Edit filebeat.yml and replace ELASTIC_SERVER_IP with the address of server2:
vi /etc/filebeat/filebeat.yml
output.elasticsearch.hosts: ['http://ELASTIC_SERVER_IP:9200']
This is plain HTTP to an Elasticsearch node that, in this setup, accepts requests without authentication, so the alert stream crosses the network unencrypted. On anything but an isolated lab network put TLS in front of port 9200 or tunnel the connection, and keep the firewall rule on server2 (below) limited to this host.
Enable and start the Filebeat service:
systemctl daemon-reload
systemctl enable filebeat.service
systemctl start filebeat.service
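The steps above never open the manager's ports in firewalld, and CentOS 7's default public zone blocks them, so no agent could reach server1. The script below is an added example (not from the original tutorial): it builds source-restricted firewalld rich rules for the three Wazuh ports and verifies that the manager and API are actually listening. The agent network 10.0.0.0/24 and the Kibana host 10.0.1.5 are assumptions; the ports are the Wazuh 3.x defaults (1514/udp for agent events, since the manager's remote protocol defaults to udp in 3.x, 1515/tcp for enrollment, 55000/tcp for the API). firewall-cmd and ss are only invoked in --live mode; the helper functions are pure and can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: restrict the Wazuh manager's
# ports in firewalld to the hosts that need them, then verify that something is
# listening on each. Ports are the Wazuh 3.x defaults: 1514/udp agent events
# (use tcp/1514 if you changed the manager's remote protocol), 1515/tcp agent
# enrollment, 55000/tcp the API used by Kibana's Wazuh app.
# AGENT_NET and KIBANA_HOST are assumptions for this example; replace them.
AGENT_NET="10.0.0.0/24"     # assumed network the agents connect from
KIBANA_HOST="10.0.1.5/32"   # assumed address of server2 (Kibana -> API)

# is_cidr A.B.C.D/N : succeed only for a well-formed IPv4 CIDR.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    n=0; old_ifs=$IFS; IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# rich_rule CIDR PROTO PORT : print a firewalld rich rule accepting PROTO/PORT
# from CIDR only (source-restricted, unlike a bare --add-port).
rich_rule() {
    is_cidr "$1" || return 1
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' "$1" "$2" "$3"
}

# missing_listeners PROTO/PORT... : read `ss -lntu` output on stdin and print
# the specs that have no listener (empty output means all are present).
missing_listeners() {
    listing=$(cat)
    missing=""
    for spec in "$@"; do
        proto=${spec%/*}; port=${spec#*/}
        printf '%s\n' "$listing" | grep -Eq "^$proto[[:space:]].*[:*]$port"'([[:space:]]|$)' \
            || missing="$missing $spec"
    done
    printf '%s' "${missing# }"
}

# allow CIDR PROTO PORT : add the rule permanently (live mode only).
allow() {
    rule=$(rich_rule "$1" "$2" "$3") || { echo "invalid CIDR: $1" >&2; exit 1; }
    firewall-cmd --permanent --zone=public --add-rich-rule="$rule"
}

# Live mode, run as root on server1: sh wazuh-manager-ports.sh --live
if [ "${1:-}" = "--live" ]; then
    allow "$AGENT_NET" udp 1514
    allow "$AGENT_NET" tcp 1515
    allow "$KIBANA_HOST" tcp 55000
    firewall-cmd --reload
    missing=$(ss -lntu | missing_listeners udp/1514 tcp/1515 tcp/55000)
    if [ -n "$missing" ]; then
        echo "no listener for: $missing (check systemctl status wazuh-manager wazuh-api)" >&2
        exit 1
    fi
    echo "manager and API are listening on udp/1514, tcp/1515 and tcp/55000"
fi
```

Rich rules are used instead of --add-port so that the agent ports are only reachable from the agent network and the API only from server2; a bare --add-port would expose the unauthenticated 1514 listener to every host that can route to server1.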
2. Installing Elastic Stack – server2
Now we configure the second CentOS server (server2) with the Elastic Stack (ELK). Run the steps in this section on server2.
Preconfigurations
As usual, set the hostname first.
hostnamectl set-hostname elk
Update the system:
yum update -y
Installing ELK
Install the Elastic Stack from RPM packages. Import the Elastic GPG key first, then add the repository:
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Create a repository file:
vi /etc/yum.repos.d/elastic.repo
Add the following content to the file:
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Installing Elasticsearch
Install the Elasticsearch package:
yum install elasticsearch-7.5.1 -y
Elasticsearch listens by default only on the loopback interface, so Filebeat on server1 could not reach it. Configure it to listen on a non-loopback address by editing /etc/elasticsearch/elasticsearch.yml and uncommenting the network.host setting:
vi /etc/elasticsearch/elasticsearch.yml
network.host: 0.0.0.0
0.0.0.0 binds every interface. Elasticsearch 7.x runs with security disabled unless you enable it, so prefer the specific address of server2 that server1 will connect to, and treat the firewall rule below as the only thing keeping port 9200 private.
Open port 9200 only for the Wazuh server. Replace 34.232.210.23 with the address of server1:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="34.232.210.23/32" port protocol="tcp" port="9200" accept'
Reload firewall rules:
firewall-cmd --reload
Two more settings are needed in elasticsearch.yml for a fresh single-node cluster. Edit the file again:
vim /etc/elasticsearch/elasticsearch.yml
Set node.name and list that same name in cluster.initial_master_nodes (alternatively, setting the discovery type to single-node removes the need for the initial master list):
node.name: <node_name>
cluster.initial_master_nodes: ["<node_name>"]
Enable and start the Elasticsearch service:
systemctl daemon-reload
Enable it on system boot:
systemctl enable elasticsearch.service
Start the Elasticsearch service:
systemctl start elasticsearch.service
Check the status of Elasticsearch:
systemctl status elasticsearch.service
Check the log file for any issues:
tail -f /var/log/elasticsearch/elasticsearch.log
Once Elasticsearch is up and reachable on port 9200 from server1, load the Filebeat index management (the Wazuh template) into it. Run the following on the Wazuh server, server1, where Filebeat is installed:
filebeat setup --index-management -E setup.template.json.enabled=false
Installing Kibana – server2
Install the Kibana package:
yum install kibana-7.5.1 -y
Install the Wazuh app plugin for Kibana. The file name encodes both the Wazuh version (3.11.0) and the Kibana version (7.5.1); both must match what you installed:
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.0_7.5.1.zip
[Screenshot: Kibana plugin installed]
Kibana must be reachable from outside the host, so edit its configuration file:
vi /etc/kibana/kibana.yml
Change the following line:
server.host: "0.0.0.0"
Kibana has no login in this setup, so anyone who can reach port 5601 sees every alert. Allow 5601 through firewalld only from the administrators' addresses, the same way 9200 was restricted to server1 above (firewalld blocks 5601 by default, so without a rule the dashboard is unreachable anyway).
Configure the URL of the Elasticsearch instance, which runs on the same host:
elasticsearch.hosts: ["http://localhost:9200"]
Enable and start the Kibana service:
systemctl daemon-reload
systemctl enable kibana.service
systemctl start kibana.service
Adding Wazuh API to Kibana Configurations
The Wazuh app needs to know how to reach the API on server1. Edit wazuh.yml:
vi /usr/share/kibana/plugins/wazuh/wazuh.yml
Under hosts, set the url to the address of the Wazuh server (server1, e.g. https://<server1-ip>), the port to 55000, and the user and password to the credentials created with htpasswd earlier. The file then holds the API password in clear text, so leave it readable only by the kibana user.
Save and exit the file and restart the Kibana service:
systemctl restart kibana.service
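Section 2 leaves Elasticsearch and Kibana bound to 0.0.0.0 with no authentication, relying on firewalld alone. The script below is an added example (not from the original tutorial) that audits the two configuration files for exactly those settings and prints what to tighten; it shows the weak values the walkthrough uses beside the corrected ones. The address 10.0.1.5 in the messages and the sample configuration snippets are constructed for the example. The real files are only read in --live mode on server2.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the exposure settings
# left in place on server2. Elasticsearch 7.x and Kibana 7.x serve requests
# without credentials unless X-Pack security is enabled, so network.host
# 0.0.0.0 / server.host 0.0.0.0 make the alert indices and dashboards readable
# by anyone who can reach 9200 or 5601; the firewalld rule is the only control.
# The address 10.0.1.5 and the sample configs are assumptions for this example.

# yaml_get KEY : print the value of a top-level "key: value" line from the
# config on stdin (commented lines ignored, surrounding quotes stripped).
yaml_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" |
        sed 's/^["'\'']//; s/["'\'']$//' | head -n 1
}

# audit_elasticsearch : read elasticsearch.yml on stdin and print one finding
# per line; no output means the file passes.
audit_elasticsearch() {
    cfg=$(cat)
    host=$(printf '%s\n' "$cfg" | yaml_get network.host)
    sec=$(printf '%s\n' "$cfg" | yaml_get xpack.security.enabled)
    case "$host" in
        0.0.0.0|::|0.0.0.0,*)
            echo "network.host=$host binds every interface; bind only the address server1 reaches (e.g. 10.0.1.5)" ;;
    esac
    if [ -n "$host" ] && [ "$host" != 127.0.0.1 ] && [ "$host" != localhost ] && [ "$sec" != true ]; then
        echo "xpack.security.enabled is not true: port 9200 accepts unauthenticated requests; keep the firewalld rule tight or enable security"
    fi
    return 0
}

# audit_kibana : the same check for kibana.yml.
audit_kibana() {
    cfg=$(cat)
    host=$(printf '%s\n' "$cfg" | yaml_get server.host)
    es=$(printf '%s\n' "$cfg" | yaml_get elasticsearch.hosts)
    if [ "$host" = 0.0.0.0 ]; then
        echo "server.host=0.0.0.0 with no login: allow 5601 only from admin addresses in firewalld or front Kibana with an authenticating proxy"
    fi
    case "$es" in
        *http://localhost:9200*|*http://127.0.0.1:9200*) ;;   # local node, fine
        *http://*) echo "elasticsearch.hosts=$es talks plain HTTP to a remote node" ;;
    esac
    return 0
}

# Live mode on server2: sh audit-elastic.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_elasticsearch < /etc/elasticsearch/elasticsearch.yml
    audit_kibana < /etc/kibana/kibana.yml
fi
```

A passing elasticsearch.yml binds a single address and sets xpack.security.enabled to true; a passing kibana.yml binds 127.0.0.1 behind an authenticating reverse proxy, or at least is paired with a firewalld rule that limits 5601 to known addresses.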
We installed the Wazuh server and the ELK server. Now we are going to add hosts using an agent.
3. Installing Wazuh agent
I. Adding Ubuntu Server
a. Installing needed packages
apt-get install curl apt-transport-https lsb-release gnupg2
Install the Wazuh repository GPG key:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the repository, then update the package lists:
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt-get update
b. Installing the Wazuh agent
The WAZUH_MANAGER variable writes the manager's address into the agent configuration during installation, so no manual edit of ossec.conf is needed. Replace 52.91.79.65 with the address of server1; the agent must be able to reach it on port 1514 (UDP by default in Wazuh 3.x) for events and on TCP port 1515 for enrollment:
WAZUH_MANAGER="52.91.79.65" apt-get install wazuh-agent
II. Adding CentOS host
Import the Wazuh signing key (over HTTPS, so the key itself cannot be swapped in transit):
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Create the repository file:
vim /etc/yum.repos.d/wazuh.repo
Add the following contents:
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
Install the agent, again passing the manager's address (replace 9.202.176.181 with the address of server1) and pinning the version to match the manager:
WAZUH_MANAGER="9.202.176.181" yum install wazuh-agent-3.11.0 -y
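Once agents are installed, the quickest way to see which ones actually reached the manager is the agent list on server1. The script below is an added example (not from the original tutorial) that filters that list down to the agents needing attention. The sample listing is constructed in the line format that /var/ossec/bin/agent_control -l prints in Wazuh 3.x (an assumption about the format, not captured output); "Never connected" means the agent's key exists but no event ever arrived on port 1514 (check WAZUH_MANAGER and the manager's firewall), and "Disconnected" means it stopped reporting.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: list the agents that are
# not reporting, from the output of /var/ossec/bin/agent_control -l on the
# manager. SAMPLE_LISTING is constructed in the Wazuh 3.x line format
# (assumed), so the function can be exercised without a manager.

# agents_needing_attention : read `agent_control -l` output on stdin and print
# "ID|Name|Status" for every agent that is not Active, skipping the manager
# itself (ID 000, reported as Active/Local).
agents_needing_attention() {
    sed -n 's/^[[:space:]]*ID: \([0-9][0-9]*\), Name: \(.*\), IP: \([^,]*\), \(.*\)$/\1|\2|\4/p' |
        awk -F'|' '$1 != "000" && $3 != "Active" { print }'
}

# Constructed sample output (assumed format of agent_control -l in 3.x).
SAMPLE_LISTING='
Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu-web, IP: any, Active
   ID: 002, Name: centos-db, IP: 10.0.0.7, Never connected
   ID: 003, Name: ubuntu-app, IP: 10.0.0.9, Disconnected

List of agentless devices:
'

# Live mode on server1: sh agent-status.sh --live
if [ "${1:-}" = "--live" ]; then
    /var/ossec/bin/agent_control -l | agents_needing_attention
fi
```

Run with --live on server1 after enrolling a host; an empty result means every enrolled agent is active.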
4. Accessing Wazuh Dashboard
Browse to Kibana on port 5601 using the IP address of server2 (plain HTTP, as no TLS was configured for Kibana).
You will see the interface below.
[Screenshot: Kibana dashboard]
Then click the Wazuh icon to open its dashboard. You will see the Wazuh dashboard as follows.
[Screenshot: Wazuh dashboard]
Here you can see the connected agents, security information management, and so on. When you click on Security events you get a graphical view of the events.
[Screenshot: Security events]
If you reached this far, congrats! That is all about installing and configuring the Wazuh server on CentOS.
5. Notes from a second build – Wazuh 3.12 and Elastic Stack 7.6.2
The same procedure was repeated with newer packages: the unpinned wazuh-manager and wazuh-api packages, elasticsearch-7.6.2, filebeat-7.6.2 and kibana-7.6.2, the v3.12.0 filebeat.yml and wazuh-template.json from the Wazuh GitHub repository, and the wazuhapp-3.12.2_7.6.2.zip Kibana plugin. Whatever versions you pick, keep the Wazuh version of the manager, API, Filebeat files and Kibana app identical, and the Elastic version of Elasticsearch, Filebeat and Kibana identical; the Kibana plugin will not install against a different Kibana version. The steps are the same as in sections 1 and 2; only the differences are listed here.
Set the Elasticsearch JVM heap on server2 before starting it. Keep -Xms and -Xmx equal and at no more than half of the host's RAM; this build used 2 GB:
vi /etc/elasticsearch/jvm.options
-Xms2048m
-Xmx2048m
The service comes up, but the journal lines in the status output show a warning from the JDK bundled with Elasticsearch:
Apr 30 05:35:31 alohas1.fyre.ibm.com elasticsearch[17830]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated...
The stock jvm.options still selects the CMS collector for JDK 8 to 13, and the bundled JDK reports it as deprecated. Elasticsearch runs regardless; to silence the warning, comment out the CMS line in the GC configuration section so the JVM falls back to its default collector, then restart:
vi /etc/elasticsearch/jvm.options
## GC configuration
#8-13:-XX:+UseConcMarkSweepGC
systemctl restart elasticsearch.service
Check the log file for any issues:
tail -f /var/log/elasticsearch/elasticsearch.log
The Wazuh app configuration is a YAML file. With the 3.12.2 app it lives at /usr/share/kibana/optimize/wazuh/config/wazuh.yml (the 3.11 app used /usr/share/kibana/plugins/wazuh/wazuh.yml):
vi /usr/share/kibana/optimize/wazuh/config/wazuh.yml
Set the URL of the Wazuh server, the API port and the credentials created with htpasswd. The values below are the ones used in this build; replace them with your own. The url is https because the Wazuh API serves HTTPS by default, and the password is stored in clear text, so keep the file readable only by the kibana user:
hosts:
  - default:
      url: https://9.202.176.181
      port: 55000
      user: darshana
      password: password
Save and exit the file and restart the Kibana service:
systemctl restart kibana.service
Kibana is then reachable at http://<IP or hostname>:5601/ (HTTP, as no TLS was configured for Kibana).
On a host with less memory the Elasticsearch heap can be reduced to 1 GB (still keeping -Xms and -Xmx equal). Restart Elasticsearch, and Kibana after it, whenever the heap changes:
vi /etc/elasticsearch/jvm.options
-Xms1024m
-Xmx1024m
systemctl restart elasticsearch.service
systemctl restart kibana.service
After the restart, systemctl status kibana.service shows the Kibana process (node ... src/cli -c /etc/kibana/kibana.yml) as active (running) while logging repeated lines such as:
Apr 30 02:50:51 hodman1.fyre.ibm.com kibana[4243]: Browserslist: caniuse-lite is outdated. Please run next command `npm update`
These come from Kibana's bundled Node modules and are cosmetic; Kibana keeps serving. Running npm update in the root home directory, as was tried here, does not touch Kibana's bundled modules. After one more restart both kibana.service and elasticsearch.service report active (running), with no errors in the journal.
Now you should be able to open the Wazuh web interface in Kibana:
http://<IP address>:5601