
Step-by-step setup of Wazuh SIEM on Ubuntu 22.04.3 LTS.

Emmanuel Akobe-Ajibolu · 14 min read · Jan 15, 2024

Welcome to our comprehensive guide on installing Wazuh, a powerful open-source security information and
event management (SIEM) solution. In today’s complex digital landscape, safeguarding your systems and
data is more critical than ever. Wazuh provides a robust platform for threat detection, incident response, and
compliance management. Whether you’re a seasoned cybersecurity professional or a curious enthusiast, this
step-by-step installation tutorial will walk you through the process, making it accessible for all skill levels.
Let’s dive in and empower you to fortify your digital defenses with Wazuh SIEM.

Ubuntu server setup.

Download Ubuntu 22.04.3 LTS from here. Once your server is set up and ready, follow the instructions
below.

Before we begin the installation process, it’s essential to ensure that your APT (Advanced Package Tool)
repository is up-to-date. This step ensures that you have access to the latest package information and
versions.

Open your terminal and run the following command

sudo apt update


You need to be the root user or a high-privileged user to run all commands described below:

sudo su

Quick install.
Download and execute the Wazuh installation assistant script with the following commands. This script
simplifies the installation process, guiding you through the setup of Wazuh effortlessly.

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

When the script finishes, your Wazuh server is ready. Copy the credentials it prints in the terminal, open
https://your_server_ip in your browser, log in with those credentials, and start exploring your Wazuh SIEM
dashboard.

Troubleshooting Dashboard Load Issues:

If the dashboard fails to load, the indexer is the likely cause (it is the most memory-hungry of the three
components). Give the machine more resources and reboot; that should clear the problem.

If you’re someone like me, inclined to take the scenic route and delve deeper into understanding how things
work under the hood, the manual installation process is tailor-made for you. Follow the instructions below to
gain a hands-on understanding of each component’s installation and configuration.

All-in-one installation.

Wazuh is structured around three pivotal components, each playing a distinct role in ensuring a robust and
comprehensive security information and event management (SIEM) solution:

1. Indexer: The Indexer is the backbone of Wazuh, responsible for efficiently storing and managing
vast amounts of security data. It plays a crucial role in facilitating rapid data retrieval and analysis.

2. Server: Acting as the core processing unit, the Server interprets and analyzes the data collected by agents.
It executes essential security operations, such as threat detection, incident response, and compliance
management.

3. Dashboard: The Dashboard is the user-friendly interface that provides a visual representation of your
security data. It offers pre-built dashboards for quick insights into security events, vulnerabilities, file
integrity monitoring, configuration assessments, cloud infrastructure monitoring, and compliance standards.

Together, these three components form the foundation of Wazuh, offering a scalable and flexible solution to
enhance your organization’s cybersecurity posture.

In an all-in-one installation scenario, all three critical components of Wazuh — Indexer, Server, and
Dashboard — are consolidated onto a single server. This streamlined approach simplifies the setup process,
making it particularly convenient for users seeking a quick and straightforward deployment.

The all-in-one configuration is well-suited for environments with moderate security needs or those looking
for a rapid deployment solution. While it offers simplicity, it’s essential to assess your specific security
requirements and infrastructure scalability to determine the most suitable installation approach.

Indexer
The installation process is divided into three stages.

1. Certificate creation.
2. Nodes installation.
3. Cluster initialization.

Don’t forget to switch to root or any high-privileged user and update your apt-get repo before starting.

Let’s create a folder called wazuh-installer for all our setup files.

mkdir wazuh-installer

Change into that directory (cd wazuh-installer), then follow these steps.

1. Certificate creation.
Generating the SSL certificates.

Download the wazuh-certs-tool.sh script and the config.yml configuration file. This creates the certificates
that encrypt communications between the Wazuh central components.

curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.7/config.yml

Edit ./config.yml and replace the node names and IP values with the corresponding names and IP addresses.
You need to do this for all Wazuh server, Wazuh indexer, and Wazuh dashboard nodes. Add as many node
fields as needed.

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"

Use the ip a command to retrieve your server's IP. In this example, the server IP is 192.168.251.150.
Run ./wazuh-certs-tool.sh to create the certificates. For a multi-node cluster, these certificates need to be
later deployed to all Wazuh instances in your cluster.

bash ./wazuh-certs-tool.sh -A

Compress all the necessary files.

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates
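The config.yml editing step above, as an added example (my script, not part of wazuh-certs-tool.sh or the Wazuh documentation): it renders the single-node layout this guide uses from one IP address and refuses to go on while any <...> placeholder from the template is left unfilled, the mistake that otherwise surfaces later as TLS errors between the components. The names primary_ip, render_config_yml and check_config_yml are my own.

```sh
#!/bin/sh
# Added example, not part of Wazuh: render a single-node config.yml for
# wazuh-certs-tool.sh from one IP address and check that no "<...>" placeholder
# from the template survives. primary_ip, render_config_yml and
# check_config_yml are names chosen here, not Wazuh tooling.
set -e

# primary_ip: first global IPv4 address, the value `ip a` shows for the host;
# falls back to 127.0.0.1 when `ip` is not available (e.g. in a container).
primary_ip() {
  addr=$(ip -4 -o addr show scope global 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1)
  printf '%s\n' "${addr:-127.0.0.1}"
}

# render_config_yml <ip> <out-file>: all three components on the same host,
# which is the all-in-one layout this guide uses.
render_config_yml() {
  ip=$1; out=$2
  cat > "$out" <<EOF
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "$ip"

  # Wazuh server nodes
  server:
    - name: wazuh-1
      ip: "$ip"

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "$ip"
EOF
}

# check_config_yml <file>: return 1 (with a message) if a template placeholder
# such as "<indexer-node-ip>" is still present or an ip value is empty.
check_config_yml() {
  f=$1
  if grep -qE '<[a-z-]+>' "$f"; then
    echo "unfilled placeholder in $f:"
    grep -nE '<[a-z-]+>' "$f"
    return 1
  fi
  if grep -E '^[[:space:]]*ip:' "$f" | grep -vqE 'ip:[[:space:]]*"[^"<>]+"[[:space:]]*$'; then
    echo "empty or unquoted ip value in $f"
    return 1
  fi
  return 0
}

# Typical use on the server itself, before running wazuh-certs-tool.sh:
#   render_config_yml "$(primary_ip)" ./config.yml && check_config_yml ./config.yml
```

Run the check again after any manual edit of config.yml; the certificate tool does not complain about a placeholder left in an ip field, the components only fail to talk to each other afterwards.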

2. Nodes installation.
Installing package dependencies.

apt-get install debconf adduser procps


Adding Wazuh repository.

Install the following packages if you don’t have them already.

apt-get install gnupg apt-transport-https

Install GPG key.

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Adding the repository.

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the package information.

apt-get update

Installing Wazuh indexer.

Install the Wazuh indexer package.

apt-get -y install wazuh-indexer

Configuring Wazuh indexer.

Edit the /etc/wazuh-indexer/opensearch.yml configuration file and replace the following values:

1. network.host: Sets the address of this node for both HTTP and transport traffic. The node will bind
to this address and use it as its publish address. Accepts an IP address or a hostname. Use the same
node address set in config.yml to create the SSL certificates.
2. node.name: Name of the Wazuh indexer node as defined in the config.yml file. For example,
node-1.
3. cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are
defined in the config.yml file. Uncomment the node-2 and node-3 lines, change the names, or add
more lines, according to your config.yml definitions.

Deploying certificate.
Ensure you are in the “wazuh-installer” directory created earlier. This is crucial as we will require the
“wazuh-certificates.tar” file from the previous steps.

Run the following commands replacing node-1 (<indexer-node-name>) with the name of the Wazuh indexer
node you are configuring as defined in config.yml. For example, node-1. This deploys the SSL certificates
to encrypt communications between the Wazuh central components.

NODE_NAME=node-1

mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Recommended action: If no other Wazuh components are going to be installed on this node, remove the
wazuh-certificates.tar file by running rm -f ./wazuh-certificates.tar to increase security.

Starting the service

Enable and start the Wazuh indexer service.

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Confirm the status of the wazuh-indexer service with the command below. If it shows “active (running)”, you’re
good to go.

systemctl status wazuh-indexer

3. Cluster initialization.
Run the indexer-security-init.sh script on any Wazuh indexer node to load the new certificate information
and initialize the single-node cluster.

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

Testing the cluster installation.

Replace <WAZUH_INDEXER_IP> and run the following command to confirm that the installation is
successful. A successful response is a short JSON document giving the node name, cluster name and version.

curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200

Replace <WAZUH_INDEXER_IP> and run the following command to check if the single-node is working
correctly.

curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v

Mine works perfectly fine :)
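The two manual checks above, as an added example (my script, not part of the Wazuh documentation): a function that fails when the indexer does not answer or when /_cat/nodes does not show the expected number of nodes with exactly one elected master, which is the condition you want to assert before moving on to the server. The names check_cat_nodes and indexer_probe are my own; the live probe accepts the root-ca.pem from wazuh-certs-tool.sh so the TLS check can be done properly instead of with -k.

```sh
#!/bin/sh
# Added example (my script, not part of the Wazuh documentation): the two
# manual curl checks above as a function that fails when the indexer does not
# answer or the cluster does not have the expected shape. The names
# check_cat_nodes and indexer_probe are chosen here.
set -e

# check_cat_nodes <expected-node-count> <output of GET /_cat/nodes?v>
# The output has a header line, then one line per node; the column before the
# last one is "*" for the elected master and "-" otherwise.
check_cat_nodes() {
  expected=$1; out=$2
  nodes=$(printf '%s\n' "$out" | awk 'NR>1 && NF {n++} END {print n+0}')
  masters=$(printf '%s\n' "$out" | awk 'NR>1 && NF && $(NF-1)=="*" {m++} END {print m+0}')
  if [ "$nodes" -ne "$expected" ]; then
    echo "expected $expected node(s), _cat/nodes lists $nodes"; return 1
  fi
  if [ "$masters" -ne 1 ]; then
    echo "expected exactly one elected master, found $masters"; return 1
  fi
  return 0
}

# indexer_probe <ip> <user> <password> <expected-node-count> [root-ca.pem]
# Live check against the indexer REST port. With a CA file it verifies the
# certificate chain created by wazuh-certs-tool.sh; without one it falls back
# to -k, as the manual check above does.
indexer_probe() {
  host=$1; user=$2; pass=$3; expected=$4; ca=${5:-}
  if [ -n "$ca" ]; then tls="--cacert $ca"; else tls="-k"; fi
  # $tls is intentionally left unquoted so "--cacert file" splits into two words
  curl -sS $tls -u "$user:$pass" "https://$host:9200/" >/dev/null \
    || { echo "indexer at $host:9200 is not answering"; return 1; }
  check_cat_nodes "$expected" "$(curl -sS $tls -u "$user:$pass" "https://$host:9200/_cat/nodes?v")"
}

# Typical use on the server from this guide (single node, default credentials):
#   indexer_probe 192.168.251.150 admin admin 1 /etc/wazuh-indexer/certs/root-ca.pem
```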

Wazuh server.
The Wazuh indexer is now successfully installed on your single-node or multi-node cluster, and you can
proceed with installing the Wazuh server.

The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when threats or
anomalies are detected. It is also used to remotely manage the agents’ configuration and monitor their status.
If you want to learn more about the Wazuh components, check here.

The Wazuh server installation process is divided into two stages.

1. Wazuh server node installation
2. Cluster configuration for multi-node deployment

Wazuh server node installation.

Installing the Wazuh manager.

Install the Wazuh manager package.

apt-get -y install wazuh-manager

Enable and start Wazuh manager service.

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Run the following command to verify the Wazuh manager status.

systemctl status wazuh-manager

Installing Filebeat.
Install the Filebeat package.

apt-get -y install filebeat

Configuring Filebeat.

Download the preconfigured Filebeat configuration file.

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value.

1. hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames.
By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh
indexer address accordingly.

This default setting would work for us, but let’s change it to the host IP address we have been using all
along. Scroll down to the Elasticsearch Output section and edit the host IP as shown below.

Uncomment the protocol, username, and password lines, then replace the literal username and password with
the variables ${username} and ${password} as illustrated below. In the next step these variables are
resolved from the Filebeat keystore, so no credentials sit in plaintext in filebeat.yml.

# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["192.168.251.150:9200"]
  protocol: https
  username: ${username}
  password: ${password}

Create a Filebeat keystore to securely store authentication credentials.

filebeat keystore create

Add the default username and password admin:admin to the secrets keystore.

echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force
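A check for the hardened output section above, added here as an example (mine, not Wazuh's or Filebeat's): it fails on the weak form of filebeat.yml, where username and password are written in clear and protocol is still commented out, and passes on the form shown above, where both credentials are keystore references and TLS is on. filebeat_output_check and referenced_keystore_keys are names I chose.

```sh
#!/bin/sh
# Added example, not from Wazuh or Filebeat: a check that the output section of
# filebeat.yml is in the hardened form shown above (TLS on, credentials pulled
# from the keystore) rather than carrying plaintext credentials.
# filebeat_output_check and referenced_keystore_keys are names chosen here.
set -e

# filebeat_output_check <filebeat.yml>: print every problem found, return 1 if any
filebeat_output_check() {
  f=$1; rc=0
  # username/password lines must be ${name} references resolved from the keystore
  bad=$(grep -nE '^[[:space:]]*(username|password):' "$f" \
        | grep -vE ':[[:space:]]*\$\{[A-Za-z0-9_]+\}[[:space:]]*$' || true)
  if [ -n "$bad" ]; then
    printf 'plaintext credential in %s:\n%s\n' "$f" "$bad"; rc=1
  fi
  # the transport must be https and the line must not be commented out
  if ! grep -qE '^[[:space:]]*protocol:[[:space:]]*https[[:space:]]*$' "$f"; then
    echo "protocol is not https (or still commented out) in $f"; rc=1
  fi
  return $rc
}

# referenced_keystore_keys <filebeat.yml>: the ${name} references the file uses,
# one per line, sorted; on the server, compare them with `filebeat keystore list`
# so that no reference points at an entry that was never added.
referenced_keystore_keys() {
  grep -oE '\$\{[A-Za-z0-9_]+\}' "$1" | tr -d '${}' | sort -u
}

# Typical use on the server:
#   filebeat_output_check /etc/filebeat/filebeat.yml
#   referenced_keystore_keys /etc/filebeat/filebeat.yml
```

The keystore only helps if the plaintext values are actually gone from filebeat.yml, which is what the first check enforces; a commented-out protocol line silently sends the credentials over plain HTTP, which is what the second catches.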

Download the alerts template for the Wazuh indexer.

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat.

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module

Deploying certificates.

Our wazuh-certificates.tar is still in this folder and our NODE_NAME environment variable is still set, so we
can proceed.

mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Starting the Filebeat service.

Enable and start the Filebeat service.

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Run the following command to verify that Filebeat is successfully installed.

filebeat test output

If you get the handshake … ERROR x509 error just like me, fret not: we are using a self-signed certificate,
remember? This will be resolved later.

Your Wazuh server node is now successfully installed.

Wazuh dashboard.
This central component serves as a versatile and user-friendly web interface designed for extracting,
analyzing, and presenting security data. Offering pre-built dashboards, it enables effortless navigation
through the user interface.

The Wazuh dashboard empowers users to visualize a spectrum of security elements, including security
events, identified vulnerabilities, data from file integrity monitoring, results of configuration assessments,
events from cloud infrastructure monitoring, and adherence to regulatory compliance standards.

Wazuh dashboard installation.

Installing package dependencies.

Install the following packages.

apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

Installing the Wazuh dashboard.

Install the Wazuh dashboard package.

apt-get -y install wazuh-dashboard

Configuring the Wazuh dashboard.

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and replace the following values:

1. server.host: This setting specifies the host of the Wazuh dashboard server. To allow remote users
to connect, set the value to the IP address or DNS name of the Wazuh dashboard server. The value
0.0.0.0 will accept all the available IP addresses of the host.
2. opensearch.hosts: The URLs of the Wazuh indexer instances to use for all your queries. The
Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster.
The addresses of the nodes can be separated by commas. For example,
["https://10.0.0.2:9200", "https://10.0.0.3:9200", "https://10.0.0.4:9200"]

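The hand edits to /etc/wazuh-indexer/opensearch.yml (network.host, node.name) and /etc/wazuh-dashboard/opensearch_dashboards.yml (server.host, opensearch.hosts) described above, as an added example (my helper, not Wazuh tooling): one function that sets a top-level scalar key in either file, replacing a commented-out line when there is one so the key is never present twice, and a reader to confirm the edit took. The names set_yaml_scalar, get_yaml_scalar, configure_indexer and configure_dashboard are my own; cluster.initial_master_nodes is a list and is left to manual editing, since its default entry, node-1, already fits a single-node install.

```sh
#!/bin/sh
# Added example (my helper, not Wazuh tooling): set the scalar keys this guide
# edits in /etc/wazuh-indexer/opensearch.yml and
# /etc/wazuh-dashboard/opensearch_dashboards.yml without hand-editing, then
# read them back. set_yaml_scalar, get_yaml_scalar, configure_indexer and
# configure_dashboard are names chosen here. cluster.initial_master_nodes is a
# list and is left to manual editing (its default, node-1, fits a single node).
set -e

# set_yaml_scalar <file> <key> <value>: replace an existing "key: ..." line,
# even a commented-out one, or append the key; <value> is written verbatim,
# so pass the quotes/brackets you want in the file.
set_yaml_scalar() {
  f=$1; key=$2; val=$3
  if grep -qE "^#?[[:space:]]*$key:" "$f"; then
    sed -i -E "s|^#?[[:space:]]*$key:.*|$key: $val|" "$f"
  else
    printf '%s: %s\n' "$key" "$val" >> "$f"
  fi
}

# get_yaml_scalar <file> <key>: print the raw value of a top-level key
get_yaml_scalar() {
  sed -nE "s/^$2:[[:space:]]*//p" "$1" | head -n1
}

# configure_indexer <opensearch.yml> <ip> <node-name>: items 1 and 2 of the
# indexer list; the address must be the one used in config.yml for the certs
configure_indexer() {
  set_yaml_scalar "$1" network.host "\"$2\""
  set_yaml_scalar "$1" node.name "\"$3\""
}

# configure_dashboard <opensearch_dashboards.yml> <bind-address> <indexer-url>...
# items 1 and 2 of the dashboard list; every remaining argument is one indexer
# URL and they are joined into the comma-separated list the file expects
configure_dashboard() {
  f=$1; bind=$2; shift 2
  set_yaml_scalar "$f" server.host "$bind"
  urls=""
  for u in "$@"; do urls="$urls${urls:+, }\"$u\""; done
  set_yaml_scalar "$f" opensearch.hosts "[$urls]"
}

# Typical use on the all-in-one server from this guide:
#   configure_indexer   /etc/wazuh-indexer/opensearch.yml 192.168.251.150 node-1
#   configure_dashboard /etc/wazuh-dashboard/opensearch_dashboards.yml 0.0.0.0 https://192.168.251.150:9200
```

Re-running either configure function is safe: the key is rewritten in place rather than appended a second time, so the last run always wins and the file never carries two conflicting values.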
Deploying certificates.

mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
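The indexer, Filebeat and dashboard certificate deployments in this guide are the same sequence with different parameters, so here they are as one function, added as an example (my helper, not Wazuh tooling), followed by a verification step the guide does not include: the directory and files have the intended modes, the private key actually belongs to the certificate next to it, and the certificate chains to the bundled root-ca.pem. The names deploy_certs and verify_certs are my own; the only assumption is the tarball layout wazuh-certs-tool.sh produces (./<node>.pem, ./<node>-key.pem, ./root-ca.pem).

```sh
#!/bin/sh
# Added example (my helper, not Wazuh tooling): the indexer, Filebeat and
# dashboard certificate deployments above as one function, plus a check that
# the deployed material is consistent. Names deploy_certs and verify_certs are
# chosen here; the tarball layout assumed is the one wazuh-certs-tool.sh
# produces (./<node>.pem, ./<node>-key.pem, ./root-ca.pem, ./admin*.pem).
set -e

# deploy_certs <component> <node-name> <tarball> <dest-dir> <owner:group> [extra members...]
#   component: indexer | filebeat | dashboard (becomes the file name prefix)
#   extra members: e.g. ./admin.pem ./admin-key.pem, needed only by the indexer
deploy_certs() {
  component=$1; node=$2; tarball=$3; dest=$4; owner=$5; shift 5
  mkdir -p "$dest"
  tar -xf "$tarball" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem "$@"
  mv -n "$dest/$node.pem" "$dest/$component.pem"
  mv -n "$dest/$node-key.pem" "$dest/$component-key.pem"
  chmod 500 "$dest"          # only the owning service account may enter the directory
  chmod 400 "$dest"/*        # and only read, never write, the key material
  chown -R "$owner" "$dest"
}

# verify_certs <component> <dest-dir>: return 0 only if everything checks out
verify_certs() {
  component=$1; dest=$2
  [ "$(stat -c %a "$dest")" = "500" ] || { echo "$dest is not mode 500"; return 1; }
  for f in "$dest"/*; do
    [ "$(stat -c %a "$f")" = "400" ] || { echo "$f is not mode 400"; return 1; }
  done
  # the key must belong to the certificate: compare the public keys they carry
  cert_pub=$(openssl x509 -in "$dest/$component.pem" -pubkey -noout)
  key_pub=$(openssl pkey -in "$dest/$component-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "$component.pem and $component-key.pem do not match"; return 1; }
  # and the certificate must be signed by the root CA the other components trust
  openssl verify -CAfile "$dest/root-ca.pem" "$dest/$component.pem" >/dev/null
}

# On the server (as root), the three deployments from this guide become:
#   deploy_certs indexer   "$NODE_NAME" ./wazuh-certificates.tar /etc/wazuh-indexer/certs   wazuh-indexer:wazuh-indexer ./admin.pem ./admin-key.pem
#   deploy_certs filebeat  "$NODE_NAME" ./wazuh-certificates.tar /etc/filebeat/certs        root:root
#   deploy_certs dashboard "$NODE_NAME" ./wazuh-certificates.tar /etc/wazuh-dashboard/certs wazuh-dashboard:wazuh-dashboard
#   verify_certs indexer /etc/wazuh-indexer/certs   # and likewise for filebeat and dashboard
```

A mismatched key and certificate, or a certificate not issued by the root CA in the tarball, is exactly what produces the x509 handshake errors seen later in this guide, so running verify_certs right after each deployment localizes the problem to the step that caused it.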

Starting the Wazuh dashboard service.

Enable and start the Wazuh dashboard service.

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

Access the Wazuh web interface with your credentials.

URL: https://<wazuh-dashboard-ip>
Username: admin
Password: admin

If you had the Filebeat error earlier, as I did, you will probably get the “[Alerts index pattern] No
template found for the selected index-pattern title [wazuh-alerts-*]” error on logging in: Filebeat could
not reach the indexer, so the alerts template it normally loads was never created. To resolve this, load the
template manually with the command below.

curl https://raw.githubusercontent.com/wazuh/wazuh/v4.5.2/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k

Replace <elasticsearch_user>:<elasticsearch_password> with admin:admin (the defaults until you change them
in the next section) and localhost with your server IP. Note that this URL pins v4.5.2 while the template
downloaded for Filebeat earlier used v4.7.2; use the same tag in both places.

Reload the webpage, and the error should be resolved. Welcome to your newly installed Wazuh server
dashboard!

Securing your Wazuh installation.

Now that you’ve successfully installed and configured all Wazuh central components, it’s highly advisable
to change the default credentials. This step enhances the security of your infrastructure, guarding against
potential attacks.

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh

Safely note down these credentials in your password manager.

With this we have come to the end of the setup, but why not take things a step further and add a few agents?

Adding agents.

Wazuh default page:

Add our first agent — Windows agent.

Click Add agent, highlighted in the image below.

Select the agent platform, Windows (1) in this case, and enter the Wazuh server IP address (2).
Assign a name to the agent.

Copy the PowerShell command.

Open PowerShell as administrator on the intended Windows host, paste the command copied above, and hit
enter. This might take a while as the agent is being downloaded to the Windows machine.

Start the Wazuh agent on the host using the command provided; execute it in PowerShell as well.

The agent should show up as connected on the dashboard now.


Adding another agent — Ubuntu desktop:

To add the Ubuntu agent, follow the same steps as for the Windows agent above: select the platform, enter the
Wazuh server IP, and name the agent.

Copy and paste the generated command in the terminal; the command must be executed as a privileged user.

Start the Wazuh agent.

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Wazuh dashboard should now show that the new agent has been added.

Congratulations on successfully installing and configuring Wazuh SIEM! With the completion of this guide,
your SIEM setup is now fully operational and equipped to detect and respond to security threats effectively.

Don’t forget to fortify your system’s security by changing the default credentials. This simple yet crucial
step adds an extra layer of protection against potential threats.

Having already added two agents to your SIEM, you’ve extended its reach to monitor additional endpoints.
This proactive approach ensures comprehensive security coverage across your digital environment.

Stay tuned for more insights and best practices as we continue to explore advanced features and
optimizations in upcoming posts.
