Situation
1. Install the Wazuh server

The Wazuh server is the central component that collects and analyzes data from Wazuh agents. It consists of the Wazuh manager and Filebeat. The Wazuh manager analyzes the data and triggers alerts, while Filebeat forwards alerts and archived events to the Wazuh indexer.

You need root privileges to run the commands below.

Add the Wazuh repository.

For RPM-based systems (CentOS, Red Hat, etc.):

```bash
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
```

For Debian-based systems (Ubuntu, Debian, etc.):

```bash
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
```

Both variants tie the repository to the Wazuh signing key (gpgcheck=1 on yum, signed-by= on apt), so a package whose signature does not verify is rejected. Keep those settings when you edit the files later.

Install the wazuh-manager package with your system's package manager (yum or apt-get), then enable and start the wazuh-manager service. On this manual route Filebeat must also be installed and configured to ship alerts to the indexer; the installation assistant below does both for you.

Alternatively, use the Wazuh installation assistant:

```bash
curl -sO https://packages.wazuh.com/4.11/wazuh-install.sh
bash wazuh-install.sh --wazuh-server <node_name>
```

Replace <node_name> with the server node name used in config.yml. The assistant expects the wazuh-install-files.tar it generated from that config.yml to be in the working directory.

Disable Wazuh updates to prevent accidental upgrades by executing the following commands:

For RPM-based systems:

```bash
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
```

For Debian-based systems:

```bash
sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt update
```

Re-enable the repository (set enabled=1 again, or uncomment the deb line) only when you deliberately upgrade, and upgrade the indexer, server and dashboard together so they stay on the same version.
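The repository setup and the "disable updates" step above, as an added example that is not part of the original page or of the Wazuh project's tooling. It keeps the page's file paths and URLs, expresses the edits as functions that take the repo file path as an argument (so they can be tried on a copy before touching /etc), and adds a check a practitioner wants after any hand edit: that signature enforcement (gpgcheck=1 or signed-by=) is still in place. Only the --install path runs the real installation and needs root and network access.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or from the Wazuh project: the
# repository setup and the "disable updates" step from section 1, expressed
# as functions that take the repo file path as an argument, plus a check
# that signature enforcement survived whatever edits were made.
# Paths and URLs are the ones the page uses.

WAZUH_KEY_URL="https://packages.wazuh.com/key/GPG-KEY-WAZUH"
WAZUH_RPM_REPO_FILE="/etc/yum.repos.d/wazuh.repo"
WAZUH_APT_LIST_FILE="/etc/apt/sources.list.d/wazuh.list"
WAZUH_APT_KEYRING="/usr/share/keyrings/wazuh.gpg"

# Contents of wazuh.repo: gpgcheck=1 makes yum/dnf reject packages whose
# signature does not verify against the imported Wazuh key.
wazuh_repo_rpm_content() {
  printf '%s\n' '[wazuh]' 'gpgcheck=1' "gpgkey=$WAZUH_KEY_URL" 'enabled=1' \
    'name=EL-$releasever - Wazuh' 'baseurl=https://packages.wazuh.com/4.x/yum/' 'protect=1'
}

# Contents of wazuh.list: signed-by= ties the repository to one keyring, so a
# key added elsewhere on the system cannot vouch for Wazuh packages.
wazuh_repo_apt_content() {
  printf '%s\n' "deb [signed-by=$WAZUH_APT_KEYRING] https://packages.wazuh.com/4.x/apt/ stable main"
}

# "rpm" for a yum-style .repo file, "apt" for a sources.list-style file.
repo_flavour() {
  if grep -q '^\[wazuh\]' "$1"; then echo rpm; else echo apt; fi
}

# Exit 0 while the repository is active (packages would be installed/upgraded).
repo_enabled() {
  case "$(repo_flavour "$1")" in
    rpm) grep -q '^enabled=1$' "$1" ;;
    apt) grep -q '^deb ' "$1" ;;
  esac
}

# Exit 0 only if signature checking is still enforced: gpgcheck=1 for yum,
# and every active deb line carrying a signed-by= keyring for apt.
repo_signing_enforced() {
  case "$(repo_flavour "$1")" in
    rpm) grep -q '^gpgcheck=1$' "$1" ;;
    apt) ! grep '^deb ' "$1" | grep -qv 'signed-by=' ;;
  esac
}

# Pin (0) or unpin (1) the repository without touching any other setting;
# this is the page's sed one-liner made reversible and idempotent.
repo_set_enabled() {
  local file="$1" on="$2"
  case "$(repo_flavour "$file")" in
    rpm) if [ "$on" = 1 ]; then sed -i 's/^enabled=0$/enabled=1/' "$file"
         else sed -i 's/^enabled=1$/enabled=0/' "$file"; fi ;;
    apt) if [ "$on" = 1 ]; then sed -i 's/^#deb /deb /' "$file"
         else sed -i 's/^deb /#deb /' "$file"; fi ;;
  esac
}

# Real installation (root, network): write the repo file for this system's
# package manager, import the key, install the manager, then pin the repo.
wazuh_repo_install_manager() {
  if [ -d /etc/yum.repos.d ]; then
    rpm --import "$WAZUH_KEY_URL"
    wazuh_repo_rpm_content > "$WAZUH_RPM_REPO_FILE"
    yum -y install wazuh-manager
    repo_set_enabled "$WAZUH_RPM_REPO_FILE" 0
  else
    apt-get install -y gnupg apt-transport-https
    curl -s "$WAZUH_KEY_URL" | gpg --no-default-keyring --keyring "gnupg-ring:$WAZUH_APT_KEYRING" --import
    chmod 644 "$WAZUH_APT_KEYRING"
    wazuh_repo_apt_content > "$WAZUH_APT_LIST_FILE"
    apt-get update && apt-get -y install wazuh-manager
    repo_set_enabled "$WAZUH_APT_LIST_FILE" 0
    apt-get update
  fi
  systemctl daemon-reload && systemctl enable --now wazuh-manager
}

# Run the real installation only when asked for explicitly.
if [ "${1:-}" = "--install" ]; then
  wazuh_repo_install_manager
fi
```

repo_signing_enforced is the check to run after any hand edit of these files: a repository that is enabled but no longer signature-checked is worse than one that is simply disabled. An alternative to disabling the whole repository is holding the packages themselves (apt-mark hold wazuh-manager on Debian-based systems), which keeps the repository usable for queries while still blocking unplanned upgrades.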
2. Install the Wazuh indexer

The Wazuh indexer is a highly scalable full-text search and analytics engine: it indexes and stores the alerts generated by the Wazuh server, and the dashboard queries it. Generate the certificates below once, on any host, before installing the indexer, server and dashboard, because every component needs its own certificate issued by the same root CA.

First, download the certificate tool and its configuration template:

```bash
curl -sO https://packages.wazuh.com/4.11/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.11/config.yml
```

Edit ./config.yml to replace the node names and IPs with those of your indexer, server and dashboard nodes. The node names you choose here are the ones every later step refers to.

Run the certificate tool:

```bash
bash ./wazuh-certs-tool.sh -A
```

Compress the certificate files:

```bash
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates
```

Copy the wazuh-certificates.tar file to all nodes over an authenticated channel such as scp. It contains every node's private key, including the indexer admin key, so remove it from each node once the certificates have been deployed there.

Install any missing package dependencies:

For RPM-based systems:

```bash
yum install coreutils
```

For Debian-based systems:

```bash
apt-get install debconf adduser procps
```

Add the Wazuh repository (see step 1).

Install the wazuh-indexer package, deploy the indexer node's certificates to /etc/wazuh-indexer/certs (the same extract, rename and chmod sequence shown for the dashboard below, except that the indexer also needs admin.pem and admin-key.pem and the files are owned by wazuh-indexer), set network.host and the node name in /etc/wazuh-indexer/opensearch.yml, then enable and start the wazuh-indexer service and run /usr/share/wazuh-indexer/bin/indexer-security-init.sh to load the security configuration.
3. Install the Wazuh dashboard

The Wazuh dashboard provides the web interface for visualizing and managing your security data.

Install any missing packages (on Debian-based systems the equivalent is the libcap2-bin package):

```bash
yum install libcap
```

Install the Wazuh dashboard package (or the equivalent apt-get install of wazuh-dashboard):

```bash
yum -y install wazuh-dashboard
```

Configure the Wazuh dashboard by editing /etc/wazuh-dashboard/opensearch_dashboards.yml: set server.host to the address to listen on and server.port (443 by default), point opensearch.hosts at the indexer (https://localhost:9200 when the indexer runs on the same host), and leave opensearch.ssl.verificationMode at certificate so the dashboard verifies the indexer's certificate against root-ca.pem.

Deploy the certificates. NODE_NAME must be the dashboard node name you set in config.yml (wazuh-demo is only an example):

```bash
NODE_NAME=wazuh-demo
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
ls -l /etc/wazuh-dashboard/certs/
```

The final ls -l is there to confirm that the private key ends up mode 400 and owned by wazuh-dashboard. If your dashboard node is literally named dashboard, the extracted files already have their final names and the two mv lines can be skipped.

Enable and start the Wazuh dashboard service:

```bash
systemctl daemon-reload
systemctl enable wazuh-dashboard --now
```
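The certificate bundle from the indexer step and the dashboard deployment sequence above, as one added example that is not part of the original page or of the Wazuh project's tooling. It writes a single-node config.yml in the layout wazuh-certs-tool.sh reads, checks that the archive actually contains a node's files before extracting anything, and performs the extract, rename, chmod 500/400 and chown steps once for any node type. The node names node-1, wazuh-1 and dashboard and the 10.0.0.x addresses are this example's assumptions; the archive layout (./<node>.pem, ./<node>-key.pem, ./root-ca.pem, plus ./admin.pem and ./admin-key.pem for the indexer) is what the tool's -A run produces.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or from the Wazuh project: the
# certificate-deployment sequence the page shows for the dashboard (extract,
# rename, chmod 500/400, chown), written once for any node type, together
# with a check that the bundle from wazuh-certs-tool.sh actually contains the
# node's files before anything is extracted. Node names node-1 / wazuh-1 /
# dashboard and the 10.0.0.x addresses are this example's assumptions; the
# archive layout (./<node>.pem, ./<node>-key.pem, ./root-ca.pem, plus
# ./admin.pem and ./admin-key.pem for the indexer) is what the tool emits.

# Write a single-node config.yml in the layout wazuh-certs-tool.sh reads.
write_single_node_config() {
  local file="$1" indexer_ip="$2" server_ip="$3" dashboard_ip="$4"
  cat > "$file" <<EOF
nodes:
  indexer:
    - name: node-1
      ip: "$indexer_ip"
  server:
    - name: wazuh-1
      ip: "$server_ip"
  dashboard:
    - name: dashboard
      ip: "$dashboard_ip"
EOF
}

# Archive members a component needs; the indexer also gets the admin pair.
required_members() {
  local node="$1" component="$2"
  printf '%s\n' "./$node.pem" "./$node-key.pem" "./root-ca.pem"
  if [ "$component" = indexer ]; then printf '%s\n' "./admin.pem" "./admin-key.pem"; fi
}

# Exit 0 only if every required member is present in the archive.
bundle_has_node() {
  local archive="$1" node="$2" component="$3" member
  for member in $(required_members "$node" "$component"); do
    tar -tf "$archive" | grep -qxF "$member" || return 1
  done
  return 0
}

# Extract the node's files into DEST, rename them to <component>.pem and
# <component>-key.pem, and lock them down. OWNER is optional so the function
# can be exercised as an unprivileged user; on the real host pass the service
# account: wazuh-indexer, wazuh-dashboard, or root for Filebeat on the server.
deploy_node_certs() {
  local archive="$1" node="$2" component="$3" dest="$4" owner="${5:-}"
  bundle_has_node "$archive" "$node" "$component" || {
    echo "$archive has no certificate set for node $node" >&2
    return 1
  }
  mkdir -p "$dest"
  # Word-splitting the member list into separate tar arguments is intended.
  tar -xf "$archive" -C "$dest" $(required_members "$node" "$component")
  # mv cannot rename a file onto itself: skip when node and component match.
  if [ "$node" != "$component" ]; then
    mv -n "$dest/$node.pem" "$dest/$component.pem"
    mv -n "$dest/$node-key.pem" "$dest/$component-key.pem"
  fi
  chmod 500 "$dest"
  chmod 400 "$dest"/*
  if [ -n "$owner" ]; then chown -R "$owner:$owner" "$dest"; fi
}

# Usage on a real node, e.g. the dashboard host (run as root):
#   deploy_node_certs ./wazuh-certificates.tar dashboard dashboard \
#       /etc/wazuh-dashboard/certs wazuh-dashboard
# and on the indexer host:
#   deploy_node_certs ./wazuh-certificates.tar node-1 indexer \
#       /etc/wazuh-indexer/certs wazuh-indexer
```

The bundle check matters because tar -xf with a member list silently does nothing useful when the node name is mistyped: the service then starts without its certificate, and the failure surfaces later as a TLS error between components rather than at deployment time. For the server node the component is filebeat and the destination /etc/filebeat/certs, owned by root.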
4. Install and configure Wazuh agents

Deploy Wazuh agents to the endpoints you want to monitor. The agents collect data and send it to the Wazuh server for analysis. Each agent needs the manager's address at install time (the WAZUH_MANAGER environment variable when installing the wazuh-agent package), and the dashboard's agent deployment page generates the exact install command for each platform.

5. Access the Wazuh web UI

Open the Wazuh dashboard in your web browser at https://<dashboard-ip> (it is the dashboard installed in step 3, not Kibana) and log in with the admin user to view dashboards and alerts. If you used the installation assistant, the generated passwords were printed at the end of the installation and are kept in wazuh-install-files.tar. After a manual installation the default admin credentials remain in place until you change them, which you should do with wazuh-passwords-tool.sh before exposing the dashboard to the network.

After installing the Wazuh server and agents, you can monitor and manage your IT environment's security, customize rules, analyze logs, and configure compliance policies.