
Wazuh

This document provides steps to install Wazuh server on an Ubuntu virtual machine in Azure cloud. It involves setting up the VM, installing Wazuh manager, Elasticsearch, Filebeat, Kibana and configuring them. The Wazuh server collects data from agents, Elasticsearch stores the data, Filebeat forwards alerts to Elasticsearch, and Kibana provides a dashboard interface for visualization and monitoring.


Document By:
https://www.linkedin.com/in/ehtishamcyber/
Wazuh Documentation
In this documentation I demonstrate deploying a Wazuh server on a cloud platform, Microsoft Azure.
The process is:
1- Log in to your Azure account and create a virtual machine running Ubuntu Server.
2- Set up the basics (name, region, image, size and the administrator account with an SSH key).
3- Set up the inbound ports. Open only what the deployment needs: SSH (22) from your own address, HTTPS (443) for the Kibana interface, and TCP 1514 (agent events) and 1515 (agent enrollment) from the network the Wazuh agents are on. The rules land in the VM's Network Security Group and can be tightened there afterwards.
4- Set up the disk that stores the server data.
5- Set up the network for communication.
6- Management and Monitoring tabs.
7- Review and create, then download the private key when prompted.
8- The virtual machine is created.
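The portal screens above open the inbound ports by hand. The script below is an added example, not part of the original document: it expresses the same Network Security Group as explicit Azure CLI rules so the exposure is reviewable and repeatable. SSH and Kibana are reachable only from the administrator's address, the agent ports only from the agent subnet, and everything else is denied. The resource group, NSG name and both CIDRs are placeholders; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): least-privilege NSG rules for the Wazuh VM.
# Placeholders, not taken from the page: resource group, NSG name, admin address, agent subnet.
DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-wazuh-rg}"
NSG="${NSG:-wazuh-nsg}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # your workstation (TEST-NET-3 placeholder)
AGENT_CIDR="${AGENT_CIDR:-10.0.0.0/16}"       # subnet the Wazuh agents report from

# nsg_rule NAME PRIORITY SOURCE_CIDR PORT -> prints the az command for one inbound Allow rule
nsg_rule() {
  printf 'az network nsg rule create --resource-group %s --nsg-name %s --name %s --priority %s --direction Inbound --access Allow --protocol Tcp --source-address-prefixes %s --destination-port-ranges %s\n' \
    "$RG" "$NSG" "$1" "$2" "$3" "$4"
}

# wazuh_nsg_rules -> the whole rule set; in Azure the lowest priority number is evaluated first
wazuh_nsg_rules() {
  nsg_rule AllowSSHFromAdmin    100 "$ADMIN_CIDR" 22     # native SSH from the admin host only
  nsg_rule AllowKibanaFromAdmin 110 "$ADMIN_CIDR" 443    # Kibana bound to 443 later in the guide
  nsg_rule AllowAgentEvents     120 "$AGENT_CIDR" 1514   # agent -> manager event channel
  nsg_rule AllowAgentEnrollment 130 "$AGENT_CIDR" 1515   # agent enrollment (authd)
  # Explicit catch-all deny so a permissive portal default cannot silently reappear above it
  printf 'az network nsg rule create --resource-group %s --nsg-name %s --name DenyAllInbound --priority 4000 --direction Inbound --access Deny --protocol "*" --source-address-prefixes "*" --destination-port-ranges "*"\n' \
    "$RG" "$NSG"
}

# apply_rules -> prints each command, or runs it when DRY_RUN=0
apply_rules() {
  wazuh_nsg_rules | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
  done
}

apply_rules
```

Review the printed commands, then re-run with DRY_RUN=0 once the az CLI is logged in to the right subscription. Anything not in this list (for example 9200 for Elasticsearch or 5601 for Kibana's default port) stays closed to the Internet.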

Now start the Ubuntu Server virtual machine and connect to it to access the terminal.
Open Native SSH.
Open the properties of the .pem file, copy the path of the file and paste it into the ssh command.
Copy the command and run it in PowerShell as Administrator:
ssh -i C:\Users\SHAM\Downloads\ubuntu.pem <admin_user>@<wazuh_server_ip>
Here <admin_user> is the administrator account chosen when the VM was created and <wazuh_server_ip> is the VM's public IP address. Keep the .pem file readable by your own account only; OpenSSH refuses a private key that other users can read.
And you have accessed the Ubuntu server.


First, update and upgrade the machine.

Install the initial packages.

Install the Wazuh server on the Ubuntu server.

Step-by-step installation:
Installing Wazuh
The Wazuh server collects and analyzes data from the deployed Wazuh agents. It runs the Wazuh manager, the Wazuh API and Filebeat.
To start setting up Wazuh, add the Wazuh repository to the server. Apart from the first command, the steps below assume a root shell (sudo -i), since the installation writes to /etc and /usr/share.
Command:
1- Install the necessary packages for the installation:
sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg
2- Install the GPG key. This key is what apt uses to authenticate every Wazuh package installed from here on, so fetch it over HTTPS exactly as shown and do not skip the step:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

3- Add the repository:
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
4- Update the package information:
apt-get update

Installing the Wazuh manager


1- Install the Wazuh manager package:
apt-get install wazuh-manager=4.2.7-1
2- Enable and start the Wazuh manager service:
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

3- Run the following command to check if the Wazuh manager is active:
systemctl status wazuh-manager
Installing Elasticsearch
Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.
1- Install Elasticsearch OSS and Open Distro for Elasticsearch:
apt install elasticsearch-oss opendistroforelasticsearch

Configuring Elasticsearch
Run the following command to download the configuration file /etc/elasticsearch/elasticsearch.yml:
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Elasticsearch users and roles
You need to add users and roles in order to use the Wazuh Kibana plugin properly.
Run the following commands to add the Wazuh users and additional roles in Kibana:
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

Certificates creation
1- Remove the demo certificates:
rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
2- Generate and deploy the certificates:
- Download the wazuh-cert-tool.sh and the all-in-one instances file:
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
- Run the wazuh-cert-tool.sh to create the certificates:
bash ~/wazuh-cert-tool.sh
- Move the Elasticsearch certificates to their corresponding location:
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/

3- Before the service is started for the first time, add the following configuration to mitigate the Apache Log4j2 Remote Code Execution (RCE) vulnerability, CVE-2021-44228 (ESA-2021-31):

Warning
mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
4- Enable and start the Elasticsearch service:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

5- Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
6- Run the following command to ensure that the installation is successful:
curl -XGET https://localhost:9200 -u admin:admin -k
The -k switch skips certificate verification because the root CA created by wazuh-cert-tool.sh is not in the system trust store; handing that CA to curl with --cacert instead verifies the chain end to end. The response should report version 7.10.2, the Elasticsearch release this Wazuh 4.2.7 deployment is paired with.
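The Log4j step above writes a JVM option and trusts that Elasticsearch picked it up. The functions below are an added example, not part of the original guide: they read the running Elasticsearch JVM's arguments from /proc (Linux only), check for the mitigation flag, and report the version of the bundled log4j-core jar in /usr/share/elasticsearch/lib (the path the Debian package uses; both locations are assumptions). Elasticsearch 7.10.2 bundles log4j-core 2.11.1, so on this install the expected result is "mitigated", not "patched": the flag blocks the message-lookup path that CVE-2021-44228 abuses, while a log4j-core of 2.17.1 or newer is the actual fix.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide.
# Assumed paths: /proc/<pid>/cmdline for the JVM arguments, /usr/share/elasticsearch/lib for the jars.

# log4j_flag_present CMDLINE -> 0 if -Dlog4j2.formatMsgNoLookups=true is among the JVM arguments
log4j_flag_present() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# es_cmdline -> argv of the running Elasticsearch JVM, space separated (empty if not running)
es_cmdline() {
  local pid
  pid=$(pgrep -f 'org.elasticsearch.bootstrap.Elasticsearch' 2>/dev/null | head -n1 || true)
  if [ -n "$pid" ] && [ -r "/proc/$pid/cmdline" ]; then
    tr '\0' ' ' < "/proc/$pid/cmdline"
  fi
  return 0
}

# log4j_core_version LIBDIR -> version of the log4j-core-*.jar found there (e.g. 2.11.1), 1 if none
log4j_core_version() {
  local jar v
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || return 1
    v=${jar##*/log4j-core-}
    printf '%s\n' "${v%.jar}"
    return 0
  done
}

# version_ge A B -> 0 if dotted numeric version A >= B (no dependency on GNU sort -V)
version_ge() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "${a#*.}" ] && a= || a=${a#*.}
    [ "$b" = "${b#*.}" ] && b= || b=${b#*.}
    : "${x:=0}"; : "${y:=0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# log4j_status CMDLINE LIBDIR -> prints one word:
#   patched     bundled log4j-core is 2.17.1 or newer, the real fix
#   mitigated   older jar, but the JVM runs with formatMsgNoLookups (the guide's workaround is active)
#   unmitigated older jar and the flag was not picked up: stop and fix the jvm.options.d file
log4j_status() {
  local ver
  ver=$(log4j_core_version "$2") || ver=0
  if version_ge "$ver" 2.17.1; then echo patched
  elif log4j_flag_present "$1"; then echo mitigated
  else echo unmitigated
  fi
}

# Stand-alone run against the live host
log4j_status "$(es_cmdline)" /usr/share/elasticsearch/lib
```

Run it right after "systemctl start elasticsearch" and again after any Elasticsearch upgrade; a result of "unmitigated" usually means the options file was created after the service was already running, so restart Elasticsearch and check again.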

Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.
1- Install the Filebeat package:
apt-get install filebeat
2- Download the preconfigured Filebeat configuration file used to forward the Wazuh alerts to Elasticsearch:
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
3- Download the alerts template for Elasticsearch:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
4- Download the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
5- Copy the Elasticsearch certificates into /etc/filebeat/certs:
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
6- Enable and start the Filebeat service:
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
7- To ensure that Filebeat is successfully installed, run the following command:
filebeat test output
Installing Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and
archives stored in Elasticsearch.
1- Install the Kibana package:
apt-get install opendistroforelasticsearch-kibana

2- Download the Kibana configuration file:
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
3- Create the /usr/share/kibana/data directory:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
4- Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.7_7.10.2-1.zip
5- Copy the Elasticsearch certificates into /etc/kibana/certs:
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
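The three certificate-copy steps on this page (Elasticsearch, then Filebeat, then Kibana) repeat the same mkdir, cp and mv sequence by hand, and only the Kibana step sets ownership; none of them checks that a file was actually produced or that a private key belongs to the certificate next to it. The function below is an added example and not part of the original guide. It performs the same copy as the manual steps, then adds the checks a practitioner wants: it refuses to continue when a file is missing or empty, proves the key matches the certificate when openssl is available, and leaves the private key readable by its owner only. It assumes the layout wazuh-cert-tool.sh writes to ~/certs (root-ca.pem, <instance>.pem and <instance>-key.pem).

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide.
# deploy_certs SRC_DIR INSTANCE DEST_DIR OWNER
#   Copies root-ca.pem and moves INSTANCE.pem / INSTANCE-key.pem from SRC_DIR into DEST_DIR,
#   exactly as the manual steps do, then verifies and locks the files down.
# Assumed layout: ~/certs/root-ca.pem, ~/certs/<instance>.pem, ~/certs/<instance>-key.pem
# as produced by wazuh-cert-tool.sh.
deploy_certs() {
  local src="$1" inst="$2" dest="$3" owner="$4" f cert_pub key_pub
  for f in "$src/root-ca.pem" "$src/$inst.pem" "$src/$inst-key.pem"; do
    [ -s "$f" ] || { echo "deploy_certs: missing or empty $f" >&2; return 1; }
  done
  mkdir -p "$dest"
  cp -f "$src/root-ca.pem" "$dest/root-ca.pem"   # copied, not moved: the next service needs the CA too
  mv "$src/$inst.pem" "$dest/$inst.pem"
  mv "$src/$inst-key.pem" "$dest/$inst-key.pem"
  if command -v openssl >/dev/null 2>&1; then
    # The public key inside the certificate must equal the one derived from the private key.
    # Catching a swapped key here is far cheaper than reading a TLS handshake error out of the service log.
    cert_pub=$(openssl x509 -in "$dest/$inst.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dest/$inst-key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "deploy_certs: $inst-key.pem does not match $inst.pem" >&2; return 1; }
  fi
  chmod 0444 "$dest/root-ca.pem" "$dest/$inst.pem"
  chmod 0400 "$dest/$inst-key.pem"   # the guide leaves the key with the tool's default mode
  # chown needs root; when exercised as an unprivileged user the mode bits still protect the key
  chown "$owner" "$dest/root-ca.pem" "$dest/$inst.pem" "$dest/$inst-key.pem" 2>/dev/null || true
}

# How this page's steps become calls (run as root on the Wazuh server):
#   deploy_certs ~/certs elasticsearch /etc/elasticsearch/certs elasticsearch:elasticsearch
#   deploy_certs ~/certs admin         /etc/elasticsearch/certs root:root
#   deploy_certs ~/certs filebeat      /etc/filebeat/certs      root:root
#   deploy_certs ~/certs kibana        /etc/kibana/certs        kibana:kibana
```

Because the key is made readable by its owner only, the Elasticsearch certificates must be owned by the elasticsearch user (the manual steps leave them world-readable instead). The admin pair is used by securityadmin.sh, which runs as root, and Filebeat also runs as root, so root:root is correct for those.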

6- Link Kibana socket to privileged port 443:


setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
7- Enable and start the Kibana service:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

8- Access the web interface:
URL: https://<wazuh_server_ip>
user: admin
password: admin
These are the default Open Distro credentials from internal_users.yml. Change the admin password before the interface is reachable from anywhere other than your own address, and keep port 443 restricted in the Network Security Group until that is done.
And finally we have the dashboard.

Conclusions:
This documentation outlines the deployment of Wazuh Server on a cloud platform, covering setup, configuration, and integration with Elasticsearch, Filebeat, and Kibana for effective security monitoring and management. The step-by-step guide enables users to establish a comprehensive security infrastructure, leveraging Elasticsearch's scalability and Kibana's visualization capabilities to create a functional security dashboard.
