Step-by-step setup of Wazuh SIEM on Ubuntu 22.04.3 LTS
Emmanuel Akobe-Ajibolu · 14 min read · Jan 15, 2024
Welcome to our comprehensive guide on installing Wazuh, a powerful open-source security information and
event management (SIEM) solution. In today’s complex digital landscape, safeguarding your systems and
data is more critical than ever. Wazuh provides a robust platform for threat detection, incident response, and
compliance management. Whether you’re a seasoned cybersecurity professional or a curious enthusiast, this
step-by-step installation tutorial will walk you through the process, making it accessible for all skill levels.
Let’s dive in and empower you to fortify your digital defenses with Wazuh SIEM.
Before we begin the installation process, it’s essential to ensure that your APT (Advanced Package Tool)
repository is up to date. This step ensures that you have access to the latest package information and
versions.
Quick install.
Download and execute the Wazuh installation assistant script with the following commands. This script
simplifies the installation process, guiding you through the setup of Wazuh effortlessly.
With this, your Wazuh server is ready. Copy the provided credentials from the terminal, enter the server IP
into your browser, and proceed to login. Navigate to https://your_server_ip in your web browser, log in
using the provided credentials, and start exploring your Wazuh SIEM dashboard.
If you’re someone like me, inclined to take the scenic route and delve deeper into understanding how things
work under the hood, the manual installation process is tailor-made for you. Follow the instructions below to
gain a hands-on understanding of each component’s installation and configuration.
1. Indexer: The Indexer is the backbone of Wazuh, responsible for efficiently storing and managing
vast amounts of security data. It plays a crucial role in facilitating rapid data retrieval and analysis.
2. Server: Acting as the core processing unit, the Server interprets and analyzes the data collected by agents.
It executes essential security operations, such as threat detection, incident response, and compliance
management.
3. Dashboard: The Dashboard is the user-friendly interface that provides a visual representation of your
security data. It offers pre-built dashboards for quick insights into security events, vulnerabilities, file
integrity monitoring, configuration assessments, cloud infrastructure monitoring, and compliance standards.
Together, these three components form the foundation of Wazuh, offering a scalable and flexible solution to
enhance your organization’s cybersecurity posture.
In an all-in-one installation scenario, all three critical components of Wazuh — Indexer, Server, and
Dashboard — are consolidated onto a single server. This streamlined approach simplifies the setup process,
making it particularly convenient for users seeking a quick and straightforward deployment.
The all-in-one configuration is well-suited for environments with moderate security needs or those looking
for a rapid deployment solution. While it offers simplicity, it’s essential to assess your specific security
requirements and infrastructure scalability to determine the most suitable installation approach.
Indexer
The installation process is divided into three stages.
1. Certificate creation.
2. Nodes installation.
3. Cluster initialization.
Don’t forget to switch to root or any high-privileged user and update your apt-get repo before starting.
Let’s create a folder called wazuh-installer for all our setup files.
mkdir wazuh-installer
1. Certificate creation.
Generating the SSL certificates.
Download the wazuh-certs-tool.sh script and the config.yml configuration file. This creates the certificates
that encrypt communications between the Wazuh central components.
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"
Use the ip a command to retrieve your server's IP. In this example, the server IP is 192.168.251.150.
Run ./wazuh-certs-tool.sh to create the certificates. For a multi-node cluster, these certificates will later
need to be deployed to all Wazuh instances in your cluster.
bash ./wazuh-certs-tool.sh -A
2. Nodes installation.
Installing package dependencies.
apt-get update
Installing Wazuh indexer.
Edit the /etc/wazuh-indexer/opensearch.yml configuration file and replace the following values:
1. network.host: Sets the address of this node for both HTTP and transport traffic. The node will bind
to this address and use it as its publish address. Accepts an IP address or a hostname. Use the same
node address set in config.yml to create the SSL certificates.
2. node.name: Name of the Wazuh indexer node as defined in the config.yml file. For example,
node-1.
3. cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are
defined in the config.yml file. Uncomment the node-2 and node-3 lines, change the names, or add
more lines, according to your config.yml definitions.
Deploying certificate.
Ensure you are in the “wazuh-installer” directory created earlier. This is crucial as we will require the
“wazuh-certificates.tar” file from the previous steps.
Run the following commands replacing node-1 (<indexer-node-name>) with the name of the Wazuh indexer
node you are configuring as defined in config.yml. For example, node-1. This deploys the SSL certificates
to encrypt communications between the Wazuh central components.
NODE_NAME=node-1
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
Recommended action: If no other Wazuh components are going to be installed on this node, remove the
wazuh-certificates.tar file by running rm -f ./wazuh-certificates.tar to increase security.
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
Confirm the status of the wazuh-indexer service with systemctl status wazuh-indexer. If the output shows
“running,” you’re good to go.
3. Cluster initialization.
Run the Wazuh indexer indexer-security-init.sh script on any Wazuh indexer node to load the new
certificate information and start the single-node cluster.
/usr/share/wazuh-indexer/bin/indexer-security-init.sh
Replace <WAZUH_INDEXER_IP> in the following commands and run them to confirm that the installation was
successful. The output should look like the screenshot attached below.
Replace <WAZUH_INDEXER_IP> in the following command and run it to check that the single node is working
correctly.
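As an added example (not part of the original post), the same confirmation done over a verified TLS connection, trusting the root CA that wazuh-certs-tool.sh generated instead of disabling verification with curl -k. It assumes the CA copy sits at /etc/wazuh-indexer/certs/root-ca.pem and that the indexer password is exported in the WAZUH_PASS environment variable.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the indexer the way a
# defender should, with the TLS chain verified against the root CA that
# wazuh-certs-tool.sh produced, instead of switching verification off with -k.

# health_status <json>: extract the cluster status (green/yellow/red) from the
# compact JSON that GET /_cluster/health returns; prints "unknown" if absent.
health_status() {
    s=$(printf '%s' "$1" | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p')
    printf '%s' "${s:-unknown}"
}

# node_count <text>: number of node rows in GET /_cat/nodes?v output, whose
# first line is a column header.
node_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# idx_get <ca-file> <user> <url>: GET with verified TLS. The password comes
# from the WAZUH_PASS environment variable (assumed) and is handed to curl as
# a config file on stdin (-K -), so it never appears in the process list.
idx_get() {
    printf 'user = "%s:%s"\n' "$2" "${WAZUH_PASS:?set WAZUH_PASS first}" \
        | curl -sS -K - --cacert "$1" "$3"
}

# check_indexer <indexer-ip> <user> [ca-file]
# Assumed path: the root CA copied earlier to /etc/wazuh-indexer/certs.
check_indexer() {
    ip="$1"; user="$2"; ca="${3:-/etc/wazuh-indexer/certs/root-ca.pem}"
    health=$(idx_get "$ca" "$user" "https://$ip:9200/_cluster/health") || return 1
    nodes=$(idx_get "$ca" "$user" "https://$ip:9200/_cat/nodes?v") || return 1
    status=$(health_status "$health")
    printf 'cluster status: %s, nodes joined: %s\n' "$status" "$(node_count "$nodes")"
    # One node is yellow at best (replica shards have nowhere to live);
    # red means primary shards are missing and the node is not usable yet.
    [ "$status" = green ] || [ "$status" = yellow ]
}

# Usage on the server, e.g.: WAZUH_PASS=admin check_indexer 192.168.251.150 admin
```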
Wazuh server.
The Wazuh indexer is now successfully installed on your single-node or multi-node cluster, and you can
proceed with installing the Wazuh server.
The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when threats or
anomalies are detected. It is also used to remotely manage the agents’ configuration and monitor their status.
If you want to learn more about the Wazuh components, check here.
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Installing Filebeat.
Install the Filebeat package.
Configuring Filebeat.
Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value.
1. hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames.
By default it points at localhost: hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer
address accordingly.
This default setting should work for us but let’s change it to our host IP address which we have been using
all along. Scroll down and find the Elasticsearch Output section and edit your host IP as shown below.
Remove the comment symbols from the protocol, username, and password lines. Then define variables for the
username and password as illustrated below. The next step stores their values in the Filebeat keystore, so the
credentials are not kept in plain text in filebeat.yml.
Add the default username and password admin:admin to the secrets keystore.
Our wazuh-certificates.tar is still in this folder and our NODE_NAME environment variable is still set, so we
can proceed.
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
If you get the handshake … ERROR x509 error just like me, fret not, we are using a self-signed certificate,
remember? This will be resolved later.
Your Wazuh server node is now successfully installed.
Wazuh dashboard.
This central component serves as a versatile and user-friendly web interface designed for extracting,
analyzing, and presenting security data. Offering pre-built dashboards, it enables effortless navigation
through the user interface.
The Wazuh dashboard empowers users to visualize a spectrum of security elements, including security
events, identified vulnerabilities, data from file integrity monitoring, results of configuration assessments,
events from cloud infrastructure monitoring, and adherence to regulatory compliance standards.
1. server.host: This setting specifies the host of the Wazuh dashboard server. To allow remote users
to connect, set the value to the IP address or DNS name of the Wazuh dashboard server. The value
0.0.0.0 will accept all the available IP addresses of the host.
2. opensearch.hosts: The URLs of the Wazuh indexer instances to use for all your queries. The
Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster.
The addresses of the nodes can be separated by commas. For example,
["https://10.0.0.2:9200", "https://10.0.0.3:9200", "https://10.0.0.4:9200"]
Deploying certificates.
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
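The three certificate deployments above (indexer, Filebeat and dashboard) differ only in target file names, owner, and whether the admin key pair is needed. As an added example that is not from the original post, one function that performs the deployment for any of the three, plus an audit that verifies the key material ended up owner-only; it assumes GNU coreutils (stat -c), tar, and a wazuh-certificates.tar laid out as wazuh-certs-tool.sh produces it.

```shell
#!/bin/sh
# Added example, not from the original post: the certificate deployment the
# post repeats by hand for the indexer, Filebeat and the dashboard, as one
# function plus an audit of the result. Assumed: GNU coreutils (stat -c), tar,
# and a wazuh-certificates.tar laid out as wazuh-certs-tool.sh produces it.
set -e

# deploy_certs <component> <node-name> <certs-dir> <owner:group> <tarball>
#   component is indexer, filebeat or dashboard and becomes the target file
#   name; only the indexer also receives admin.pem / admin-key.pem, which
#   indexer-security-init.sh needs.
deploy_certs() {
    component="$1"; node="$2"; dest="$3"; owner="$4"; tarball="$5"
    extra=""
    if [ "$component" = indexer ]; then
        extra="./admin.pem ./admin-key.pem"
    fi
    mkdir -p "$dest"
    # $extra is unquoted on purpose so it expands to two members (or none).
    tar -xf "$tarball" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem $extra
    mv -n "$dest/$node.pem"     "$dest/$component.pem"
    mv -n "$dest/$node-key.pem" "$dest/$component-key.pem"
    chmod 500 "$dest"      # owner may enter and list the directory, nobody else
    chmod 400 "$dest"/*    # private key and certificates: owner read-only
    chown -R "$owner" "$dest"
}

# audit_certs <certs-dir> <component>: succeed only if the expected files are
# present and nothing in the directory is accessible beyond the owner.
audit_certs() {
    dest="$1"; component="$2"
    [ "$(stat -c '%a' "$dest")" = 500 ] || return 1
    for f in "$component.pem" "$component-key.pem" root-ca.pem; do
        [ -f "$dest/$f" ] || return 1
    done
    for f in "$dest"/*; do
        [ "$(stat -c '%a' "$f")" = 400 ] || return 1
    done
}

# Usage on the server (as root), e.g. for the indexer; Filebeat uses root:root
# and the dashboard wazuh-dashboard:wazuh-dashboard:
#   deploy_certs indexer "$NODE_NAME" /etc/wazuh-indexer/certs \
#       wazuh-indexer:wazuh-indexer ./wazuh-certificates.tar
#   audit_certs /etc/wazuh-indexer/certs indexer
```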
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
URL: https://<wazuh-dashboard-ip>
Username: admin
Password: admin
If you hit the Filebeat error earlier like me, then you will probably get the [Alerts index pattern] No
template found for the selected index-pattern title [wazuh-alerts-*] error when logging in (the Filebeat error
above is what causes it). To resolve this error, use the command below.
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.5.2/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k
Change the Elasticsearch username and password to admin:admin and localhost to your server IP, as
shown in the image below.
Reload the webpage, and the error should be resolved. Welcome to your newly installed Wazuh server
dashboard!
To replace the default passwords of all Wazuh users, run the password tool:
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
With this we have come to the end of the setup, but why not take things a step further and add a few agents?
Adding agents.
Wazuh default page:
Select the agent platform — windows (1) in this case, and enter the wazuh server IP address (2).
Assign a name to the agent.
Start the Wazuh agent on the host using the command provided; this is also executed in PowerShell.
Copy and paste the command into the terminal. The command should be executed as a privileged user:
Start the Wazuh agent.
Wazuh dashboard should now show that the new agent has been added.
Congratulations on successfully installing and configuring Wazuh SIEM! With the completion of this guide,
your SIEM setup is now fully operational, and equipped to detect and respond to security threats effectively.
Don’t forget to fortify your system’s security by changing the default credentials. This simple yet crucial
step adds an extra layer of protection against potential threats.
Having already added two agents to your SIEM, you’ve extended its reach to monitor additional endpoints.
This proactive approach ensures comprehensive security coverage across your digital environment.
Stay tuned for more insights and best practices as we continue to explore advanced features and
optimizations in upcoming posts.