Wazuh – Installation and configuration

Let’s see how to install and configure the OpenSource security platform Wazuh, which integrates SIEM and XDR into a unique solution.

Wazuh indexer

Preparation tasks

Let’s start by enabling all the ports needed to run Wazuh on the target server. Both those related to the syslog server or agent registration and communication, as well as the web interface port.

Use the commands below to add all these ports to firewall exceptions:

firewall-cmd --permanent --add-port={514,443,1514,1515,1516,55000}/tcp
firewall-cmd --permanent --add-port={514,1514}/udp
firewall-cmd --reload

At this moment, the basic requirements for running the Wazuh indexer are met.

Next download the tool supplied directly by Wazuh. This tool will generate all necessary certificates on the server, which are then used for encrypted communication.

curl -sO https://packages.wazuh.com/4.4/wazuh-certs-tool.sh

Also download the configuration file config.yml, which will serve as a template for creating individual certificates.

curl -sO https://packages.wazuh.com/4.4/config.yml

Certificates and configuration

Open this configuration file and fill in the necessary values according to the requirements of your infrastructure.

nano ./config.yml

For purposes of this demonstration, we use the so-called all-in-one installation. Therefore all Wazuh components are installed on one server.

The content of this example configuration file is in our case following:

nodes:
  indexer:
    - name: wazuh-demo
      ip: 192.168.91.15

  server:
    - name: wazuh-demo
      ip: 192.168.91.15

  dashboard:
    - name: wazuh-demo
      ip: 192.168.91.15

Save the file and run the downloaded script that will generate certificates according to this configuration.

bash ./wazuh-certs-tool.sh -A

Generated certificates will be automatically saved in ./wazuh-certificates folder.

You will of course need these certificates to continue the installation process. So for portability between (possible) individual nodes, let’s compress them into an archive:

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .

In the next step, verify that you have the coreutils package installed and install it, if necessary.

yum install coreutils

Now import the RPM key for the official Wazuh repository:

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Next, manually create a repository file in the path /etc/yum.repos.d/wazuh.repo and save it with the following content:

[wazuh]
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck=1
enabled=1
protect=1

Installation

So now you can proceed to install the Wazuh indexer package itself.

yum install wazuh-indexer

After the installation of the wazuh-indexer, open the configuration file /etc/wazuh-indexer/opensearch.yml and fill in the information about the layout of our nodes in the Wazuh cluster.

We are using the all-in-one installation here. So we will take this into account when setting up the following configuration directives.

You can leave the other settings untouched, so save the file and close it.

network.host: "192.168.91.15"
node.name: "wazuh-demo"
cluster.initial_master_nodes:
  "wazuh-demo"
cluster.name: "wazuh-custer"

Now you need to deploy your generated certificates on every single node in the cluster. Yet, in this case we only have one.

Create a folder in the standard path where the certificates will be located.

mkdir /etc/wazuh-indexer/certs

And to this location, extract the necessary certificates under the correct names, from the archive in which they are located.

tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./indexer.pem ./indexer-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem

Set the correct ownership and permissions to the certificates, and also to the folder in which certificates are stored.

chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*

To initialize the Wazuh cluster with new certificates, the system service must already be running.

Start the service then and set it to start automatically after system startup.

systemctl daemon-reload
systemctl enable wazuh-indexer --now

In the next step, run the supplied script. This script initializes the cluster using the new certificates, i.e. adds the basic configuration files and starts the cluster.

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

In the last step, test the functionality of the Indexer.

First check, that the indexer API responds correctly:

curl -k -u admin:admin https://wazuh-demo.lab.initmax.cz:9200

The correct result with an API response, which returns basic information about the cluster looks similar to this:

With the following command you can display a list of individual nodes in the cluster (in this case there’s only one):

curl -k -u admin:admin https://wazuh-demo.lab.initmax.cz:9200/_cat/nodes?v

If Wazuh indexer API responds correctly, then you have this part done for now. You can proceed to the installation of Wazuh manager.

Wazuh manager (server)

Since you have already added the repositories in previous steps, just download and install the appropriate package:

yum -y install wazuh-manager

You can now start the service and set it to start automatically on system startup.

systemctl daemon-reload
systemctl enable wazuh-manager --now

Verify that the service started successfully.

systemctl status wazuh-manager

Filebeat

Wazuh manager processes parsed logs based on individual rules and then saves them to a file.

The data is retried from these files by filebeat, so you need to install it as well.

yum -y install filebeat

Download the basic configuration file for filebeat from the official Wazuh repository:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.4/tpl/wazuh/filebeat/filebeat.yml

In this configuration file, in the path /etc/filebeat/filebeat.yml, in the output.elasticsearch: section, edit the hosts: subsection to reflect the IP address of the source Indexer.

So in our case like this:

output.elasticsearch:
  hosts: ["192.168.91.15:9200"]

Then create a filebeat keystore:

filebeat keystore create

To the created filebeat keystore add the credentials for the admin user.

Attention: This is definitely not a recommended practice from a security point of view and it is used here for demonstration purposes only, as the password you enter is visible in the commands history!

echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force

In the next step, download the filebeat basic template from the official Wazuh repository and set the correct permissions to it.

This template serves as a recipe that filebeat sends to the Indexer, and on which the data is subsequently stored and marked so that filebeat can work with it efficiently and Wazuh can further process it.

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Now, download and install Wazuh module for filebeat:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

As the last step of the filebeat configuration, install the generated certificates again in the correct paths and with the correct permissions:

mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./filebeat.pem ./filebeat-key.pem ./root-ca.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

At this moment, you can start the service and set it to start automatically after system startup.

systemctl daemon-reload
systemctl enable filebeat --now

After successfully starting the filebeat service, we can test the basic functionality with the following command:

filebeat test output

If everything is fine, then the correct output of this command looks like this (for this scenario):

elasticsearch: https://192.168.91.15:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    adresses: 192.168.91.15
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
    

These are all the steps needed for successful installation and basic configuration of Wazuh manager.

You can now focus on installing Wazuh dashboard.

Wazuh dashboard

First, install the necessary libraries.

yum install libcap

Due to our sample “all-in-one” installation, you already have the repositories added from previous steps.

So just download and install the correct package:

yum -y install wazuh-dashboard

After the installation is complete, edit the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml so that it reflects our cluster layout.

For our sample implementation, only values of these two configuration options will need to be changed:

server.host: 192.168.91.15
opensearch.hosts: https://192.168.91.15:9200

After saving the configuration file, proceed again to deployment of your generated certificates. Do not forget to set the correct permissions and ownership.

mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./dashboard.pem ./dashboard-key.pem ./root-ca.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

And all that remains is to start the wazuh-dashboard service and enable the automatic startup.

systemctl daemon-reload
systemctl enable wazuh-dashboard --now

At this moment, you have all components of Wazuh installed and you can then log into its web interface, in our case at the url https://192.168.91.15/.

Wazuh agents

Password authentication

By default, the Wazuh manager is set to register any agent that attempts to do so.

Which is not entirely advisable for either security or operational reasons. You shall then set Wazuh to require a password for authentication of individual agents.

You can do so even in web interface, in section Management -> Configuration.

Tip: You can also edit this configuration file directly on the Wazuh manager file system, in the path /var/ossec/etc/ossec.conf using your favorite text editor.

In here click the Edit configuration link.

This link will allow us to manually edit the configuration XML file ossec.conf, which is the Wazuh manager configuration, directly in the web interface.

In this configuration file, the <use_password> directive in the <auth> section must be set to yes.

Next, you need to create a file on the server’s filesystem. This file will contain a password that the Manager will verify when registering agents.

So create this file in the path /var/ossec/etc/authd.pass, type in the password to it (on a single line and without any other characters) and save it.

nano /var/ossec/etc/authd.pass

Attention: Wazuh is currently working on a more efficient and safer way for storing the authentication password (e.g. keystore). Therefore this may be different in newer versions!

You can now proceed to the server configuration.

Manager configuration

First enable vulnerability detector. To do so edit the same file and in section <vulnerability_detector> change the value of directive <enabled> to yes (see below).

...
<vulnerability_detector>
  <enabled>yes</enabled>
...

And again, in the same section called <vulnerability_detector> enable providers for a specific operating systems, in our case it’s CentOS.

So let’s enable RedHat provider:

...
<vulnerability_detector>
...
  <provider name="redhat">
    <enabled>yes</enabled>
...

Use the Save button to check the validity of the modified file and to save it.

After successfully saving the file, you need to restart the Wazuh manager using the Restart Manager button.

A dialog box will appear asking you to confirm this action, do so by clicking on Confirm button.

Tip: You can also restart the Manager by restarting its system service.

systemctl restart wazuh-manager

As a final step, it is recommended to generate new passwords for Wazuh instead of the default ones. You can do that using the command below.

The output of this command are newly generated and strong passwords.

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh

Adding an agent

We recommend sorting individual agents into groups. For example by server type, or by operating system, as it is in case below.

You can create groups in section Management -> Groups using the Add new group button.

You can then add new agents using the wizard, which can be found in the Agents menu section.

Agent installation

You install the agent itself by copying the command generated by this wizard and running it on the target server.

Attention: Wazuh agent must not be installed on the server where the Manager is running. The installation won’t even be allowed due to package conflicts!

You really don’t want you registration password to be part of the shell’s command history. So leave it defined by asterisks for now.

sudo WAZUH_MANAGER='192.168.91.15' WAZUH_REGISTRATION_PASSWORD='******' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='centos-agent' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent=4.4.1-1.x86_64.rpm

After successfully installing the agent, open the file containing the registration password.

Change the asterisks manually to the correct password and save the file.

nano /var/ossec/etc/authd.pass

And as the last step, start the service and enable it to start automatically after system startup.

systemctl daemon-reload
systemctl enable wazuh-agent --now

As a part of the launching process of this service the agent will perform a basic security audit and vulnerability scan.

All the necessary information about the operating system is sent from the agent to Wazuh manager.

The agent registers itself on the Wazuh server and is subsequently added for further analysis.

You can then add other agents in the very same way.

At this point, you have all Wazuh core components successfully installed and fully functional. That includes basic configuration and the process of adding one sample agent.