On The New Log Server, We Will Start by Installing Elk Stack

The document provides instructions for installing the ELK stack including Elasticsearch, Logstash, Kibana, Wazuh manager, and Wazuh API on a log server. It then describes adding Ubuntu and Windows agents so that logs can be forwarded from those servers to the ELK stack for processing and visualization. Key steps include installing each ELK and Wazuh component through apt, configuring services, installing the Wazuh app in Kibana, and using the Wazuh manage_agents tool to onboard the Ubuntu and Windows servers as agents.

Uploaded by Shishir Kumar

Part 02: Install ELK Stack on the log server

On the new log server, start by installing the ELK stack. Elasticsearch 6.x runs on Java, so install a Java 8 runtime first:

apt-get install openjdk-8-jre

Install the Elastic repository and its GPG key (the key lets apt verify the package signatures):

apt-get install curl apt-transport-https

curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -

echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list

Note: apt-key is deprecated on current Ubuntu and Debian releases; these commands are written for the Ubuntu releases that were current with Elastic 6.x, where it still works. Then install the pinned Elasticsearch version (the same 6.5.4 must be used for Logstash and Kibana below):

apt-get install elasticsearch=6.5.4

Start the service

systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service

Check that the node answers; the version number in the reply should be 6.5.4:

curl "http://localhost:9200/?pretty"

Load the Wazuh alerts index template into Elasticsearch. The template defines the field mappings for the wazuh-alerts indices that Logstash will create; the reply should be {"acknowledged":true}. The branch in the URL (3.7) has to match the Wazuh version you install later.

Note: the below is one long command:

curl -s https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
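The three checks a practitioner wants after this step (node answers with the pinned version, the wazuh template is really installed, cluster health is not red) as a small script. This is an added example, not part of the original notes or of Wazuh's own tooling. The parsing functions take the JSON body as an argument so they can be exercised on constructed responses; ES_URL, ES_EXPECTED_VERSION and the function names are this example's own assumptions, and the live check only runs when ES_CHECK_LIVE=1 is set on the log server.

```shell
#!/bin/sh
# Added example: post-install checks for the Elasticsearch node of Part 02.
# Not from the original guide. Parsers work on response bodies passed as
# arguments; check_elasticsearch_live fetches them from the node.

ES_URL="${ES_URL:-http://localhost:9200}"   # assumption: ES on this host
ES_EXPECTED_VERSION="6.5.4"                 # the version pinned with apt-get above

# Print the "number" field of the GET / reply (e.g. 6.5.4). Whitespace is
# stripped first so "number" : "6.5.4" and "number":"6.5.4" both match.
es_version_of() {
    printf '%s\n' "$1" | tr -d ' \n' | sed -n 's/.*"number":"\([^"]*\)".*/\1/p'
}

# 0 when the node reports exactly the pinned version, 1 otherwise.
es_version_matches() {
    [ "$(es_version_of "$1")" = "$ES_EXPECTED_VERSION" ]
}

# GET /_template/wazuh returns an object keyed "wazuh" once the PUT above
# succeeded; an empty object (or an error document) means it did not.
es_template_loaded() {
    printf '%s\n' "$1" | tr -d ' \n' | grep -q '^{"wazuh":{'
}

# "status" from GET /_cluster/health: green, yellow or red.
es_health_status() {
    printf '%s\n' "$1" | tr -d ' \n' | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# yellow only means replica shards are unassigned, which is normal on a
# single node; red means a primary shard is missing and is a failure.
es_health_ok() {
    case "$(es_health_status "$1")" in
        green|yellow) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks against the live node; exits non-zero on the first
# failure so it can be used in a provisioning script.
check_elasticsearch_live() {
    root="$(curl -s "$ES_URL/")" || { echo "no answer from $ES_URL" >&2; return 1; }
    es_version_matches "$root" || {
        echo "version $(es_version_of "$root") != $ES_EXPECTED_VERSION" >&2; return 1; }
    es_template_loaded "$(curl -s "$ES_URL/_template/wazuh")" || {
        echo "wazuh index template not loaded" >&2; return 1; }
    es_health_ok "$(curl -s "$ES_URL/_cluster/health")" || {
        echo "cluster health is red" >&2; return 1; }
    echo "elasticsearch $ES_EXPECTED_VERSION ok, wazuh template loaded"
}

# Only touch the network when asked, so the parsers can be tested anywhere.
if [ "${ES_CHECK_LIVE:-0}" = "1" ]; then
    check_elasticsearch_live
fi
```

Run it on the log server as ES_CHECK_LIVE=1 sh es-check.sh; a version other than 6.5.4 usually means the pin was not applied or the package was upgraded afterwards, and a missing template means the PUT above was run before Elasticsearch had finished starting.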

Part 03: Install Logstash and Kibana

Install Logstash and the Wazuh pipeline. The pipeline reads the manager's alert file /var/ossec/logs/alerts/alerts.json and sends each alert to Elasticsearch on the same host:

apt-get install logstash=1:6.5.4-1
curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-local.conf

The alert file is readable by the ossec group, which the Wazuh manager installer normally creates. Because the manager is installed later in this guide, create the group now (the installer keeps an existing group) so that Logstash can be made a member of it:

groupadd ossec

Add logstash to the group:

usermod -a -G ossec logstash

Start the service

systemctl daemon-reload
systemctl enable logstash.service
systemctl start logstash.service

Install Kibana
apt-get install kibana=6.5.4

Install the Wazuh app into Kibana. The file name encodes the two versions the app was built for, Wazuh 3.7.2 and Kibana 6.5.4: the Kibana version must match exactly (kibana-plugin refuses a plugin built for another release) and the Wazuh version must match the manager and API the app will connect to. NODE_OPTIONS raises the Node heap for the plugin optimisation step, which can otherwise run out of memory.

sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.7.2_6.5.4.zip

Start the service

systemctl daemon-reload
systemctl enable kibana.service
systemctl start kibana.service
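apt-get install pkg=6.5.4 selects a version once; it does not stop the next apt-get upgrade (or unattended-upgrades) from moving Elasticsearch, Logstash or Kibana to a newer 6.x, after which the Wazuh app no longer matches Kibana and the stack stops working. The script below pins the three packages to the versions installed above and puts them on hold. It is an added example, not part of the original notes; the preferences file path, the variable and function names are this example's assumptions, and the version strings are the ones used in the install commands on this page.

```shell
#!/bin/sh
# Added example: pin the ELK packages at the versions this guide installs,
# so a routine upgrade cannot break the Wazuh app / Kibana / Elasticsearch
# version lock-step. Not from the original guide.

# package=version exactly as the apt-get install lines above specify them
# (logstash's version carries an epoch and Debian revision).
ELASTIC_PINS="elasticsearch=6.5.4 logstash=1:6.5.4-1 kibana=6.5.4"

# Write an apt preferences file with one stanza per package.
# Pin-Priority 1001 (> 1000) means apt keeps this version even when a
# newer one is available in the repository (see apt_preferences(5)).
write_elastic_pin() {
    prefs="$1"   # e.g. /etc/apt/preferences.d/elastic
    : > "$prefs"
    for entry in $ELASTIC_PINS; do
        pkg="${entry%%=*}"
        ver="${entry#*=}"
        printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' \
            "$pkg" "$ver" >> "$prefs"
    done
}

# Read back the version pinned for one package in a preferences file
# (used to verify the file that was just written).
pinned_version() {
    awk -v p="$1" '$1 == "Package:" && $2 == p { f = 1 }
                   f && $1 == "Pin:" { print $3; exit }' "$2"
}

# Belt and braces: mark the packages held so apt-get upgrade and
# unattended-upgrades skip them regardless of the preferences file.
hold_elastic_packages() {
    command -v apt-mark >/dev/null 2>&1 || {
        echo "apt-mark not available; preferences file only" >&2; return 0; }
    for entry in $ELASTIC_PINS; do
        apt-mark hold "${entry%%=*}"
    done
}

# Apply only when explicitly asked, so the file is safe to source or test.
if [ "${ELASTIC_PIN_APPLY:-0}" = "1" ]; then
    write_elastic_pin /etc/apt/preferences.d/elastic
    hold_elastic_packages
fi
```

Run it as ELASTIC_PIN_APPLY=1 sh pin-elastic.sh on the log server, then confirm with apt-cache policy elasticsearch that the installed and candidate versions are both 6.5.4. When you later upgrade the stack deliberately, change ELASTIC_PINS, rewrite the file and apt-mark unhold the packages in the same change.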

Install Wazuh Manager

The manager is built from source, so install the build dependencies first:

apt-get install python gcc make libc6-dev curl policycoreutils automake autoconf libtool

Download and unpack the sources and run the installer. Note the version: the tarball here is 3.10.2, while the template, the Logstash pipeline and the Kibana app above come from the 3.7 line. The Kibana app checks the version of the API it connects to and reports a mismatch, so use one Wazuh version for the manager, the API, the template, the pipeline and the app.

curl -Ls https://github.com/wazuh/wazuh/archive/v3.10.2.tar.gz | tar zx

cd wazuh-*
./install.sh

When the installer asks what kind of installation you want, answer manager. Once it has finished, the build artefacts can be removed from the source tree:

make -C src clean
make -C src clean-deps

Then check that the manager is running:

systemctl status wazuh-manager

Install Wazuh API

The API runs on Node.js 8. The NodeSource setup script is piped straight into a root shell, as the upstream instructions did at the time; review the script first if your environment requires it.

curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
apt-get install -y nodejs
npm config set user 0

Download the installation script (the tag must match the manager version, 3.10.2 here):

curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.10.2/install_api.sh

Run the installation script:

bash ./install_api.sh download

Once finished, check the status (the API listens on port 55000):

systemctl status wazuh-api

Create the API user that the Wazuh app in Kibana will authenticate with. This is done on the Wazuh server:

cd /var/ossec/api/configuration/auth

node htpasswd -c user myUserName

Replace myUserName with your own username; you will be prompted for the password. These are the username and password you enter when you configure the API connection in the Wazuh app in Kibana. Restart the API so it picks up the new user file:

systemctl restart wazuh-api

Part 04: Adding Agents

On the log server, run /var/ossec/bin/manage_agents. You need to add two agents: one for the Ubuntu web server and one for the Windows 2016 server. For each agent choose (A)dd an agent and give it a name and its IP address (or "any"), then choose (E)xtract key for that agent's ID. The key is one base64 string; it is the secret the agent uses to authenticate to the manager, so copy it over a trusted channel and keep it out of tickets and chat.

The Windows agent is installed from the .msi file; during setup enter the IP of the log server and paste the key that was created for it.

Adding Ubuntu Agent

apt-get install curl apt-transport-https lsb-release

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list

apt-get install wazuh-agent

Installing the package is not the whole job: the agent still has to be told the log server's address in /var/ossec/etc/ossec.conf (the <address> element under <client><server>), the key extracted above has to be imported with /var/ossec/bin/manage_agents -i, and the wazuh-agent service has to be restarted. The agent should then appear as active in manage_agents' (L)ist on the log server and in the Wazuh app.
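The remaining steps on the Ubuntu agent as a script: check the key received from the log server before importing it, point the agent at the manager, import the key and restart. This is an added example, not part of the original notes or of Wazuh's own tooling. It relies on two documented facts: the key from manage_agents is base64 of the line "ID NAME IP HEXKEY" (the same format as /var/ossec/etc/client.keys), and the 3.x agent's ossec.conf carries the manager address in <client><server><address>. The function names, the environment variables (MANAGER_IP, AGENT_KEY, AGENT_NAME) and the sample values are this example's own assumptions; the actual import and restart only run when those variables are set on an installed agent.

```shell
#!/bin/sh
# Added example: finish onboarding a Wazuh 3.x agent on Ubuntu.
# Not from the original guide. Pure functions first (checkable anywhere),
# then the root-only sequence that touches /var/ossec.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Decode a key produced by manage_agents (E)xtract; prints "ID NAME IP HEXKEY".
decode_agent_key() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Check the key matches what was registered on the manager before it is
# imported: four fields, numeric zero-padded id, the expected agent name,
# and a 64-hex-character secret. The IP field is "any" when the agent was
# registered without a fixed address. Prints "ID NAME IP" on success.
verify_agent_key() {
    key_b64="$1"; want_name="$2"
    decoded="$(decode_agent_key "$key_b64")" || {
        echo "key is not valid base64" >&2; return 1; }
    set -- $decoded
    [ $# -eq 4 ] || { echo "key does not decode to 4 fields" >&2; return 1; }
    id="$1"; name="$2"; ip="$3"; secret="$4"
    case "$id" in
        [0-9][0-9][0-9]|[0-9][0-9][0-9][0-9]) ;;
        *) echo "bad agent id: $id" >&2; return 1 ;;
    esac
    [ "$name" = "$want_name" ] || {
        echo "key is for agent '$name', expected '$want_name'" >&2; return 1; }
    printf '%s' "$secret" | grep -Eq '^[0-9a-f]{64}$' || {
        echo "secret is not 64 hex characters" >&2; return 1; }
    echo "$id $name $ip"
}

# Replace the manager address in ossec.conf. The stock 3.x agent file
# ships <address>MANAGER_IP</address>; every <address> element is rewritten,
# which in the agent configuration is only the one under <client><server>.
set_manager_address() {
    conf="$1"; manager_ip="$2"
    grep -q '<address>' "$conf" || {
        echo "no <address> element in $conf" >&2; return 1; }
    sed -i "s#<address>[^<]*</address>#<address>$manager_ip</address>#" "$conf"
    grep -q "<address>$manager_ip</address>" "$conf"
}

# Root-only sequence on the agent. manage_agents -i asks for confirmation,
# which the printf answers; the agent then reads client.keys on restart.
onboard_agent() {
    agent_name="$1"
    verify_agent_key "$AGENT_KEY" "$agent_name" >/dev/null || return 1
    set_manager_address "$OSSEC_CONF" "$MANAGER_IP" || return 1
    printf 'y\n' | /var/ossec/bin/manage_agents -i "$AGENT_KEY"
    systemctl restart wazuh-agent
}

# Only act when the operator supplied the inputs, e.g.
#   MANAGER_IP=192.0.2.10 AGENT_KEY='MDAxIH...' AGENT_NAME=ubuntu-web sh onboard.sh
if [ -n "${AGENT_KEY:-}" ] && [ -n "${MANAGER_IP:-}" ] && [ -n "${AGENT_NAME:-}" ]; then
    onboard_agent "$AGENT_NAME"
fi
```

The name check is the useful part: when two keys are extracted in one session it is easy to paste the Windows server's key into the Ubuntu agent, and the manager will then refuse the connection with nothing more helpful than an authentication error in /var/ossec/logs/ossec.log. Decoding the key before importing it makes that mistake visible on the agent side.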
