Install Wazuh Open Source Security Analytics

Introduction

Wazuh OpenSource Security Analytics provides a production-ready setup to analyze your IT environment. It packs with a lot of features which intently need for critical business. Wazuh was born as a fork of OSSEC HIDS with rich web applications.

Wazuh is available for most operating systems like Linux, OpenBSD, macOS, Solaris, Windows and FreeBSD. In our guide, we will take you through how to guide on CentOS Linux server.

What are the features available in Wazuh?

  • Intrusion Detection
  • File Integrity Monitoring
  • Security Analytics
  • Log Data Analysis
  • Configuration Assessment
  • Vulnerability Detection
  • Incident Response
  • Cloud Security
  • Regulatory Compliance
  • Container Security

Operating System and Hostname

In our setup, we are using two servers. One will be installed with Wazuh Manager and another one will be used for elastic and Kibana.

192.168.0.130  | wazuh.linuxsysadmins.local      # Wazuh Manager  
192.168.0.131  | elastic.linuxsysadmins.local    # Elastic server

We have a host entry in our DNS server.

[root@wazuh ~]# hostnamectl status
    Static hostname: localhost.localdomain
 Transient hostname: wazuh.linuxsysadmins.local
          Icon name: computer-vm
            Chassis: vm
         Machine ID: 36618758588646fb9bd7e5ceb0e73a70
            Boot ID: 39ebd50cc4fb4fdead23201f727910a9
     Virtualization: kvm
   Operating System: CentOS Linux 7 (Core)
        CPE OS Name: cpe:/o:centos:centos:7
             Kernel: Linux 3.10.0-1062.el7.x86_64
       Architecture: x86-64
[root@wazuh ~]#

To set up our Wazuh we are using CentOS 7.7

[root@wazuh ~]# cat /etc/redhat-release 
 CentOS Linux release 7.7.1908 (Core)
[root@wazuh ~]# 

Required ports for Wazuh Manager

Let’s list out all required ports for Wazuh.

514/UDP/tcp     -  Syslog
1514/UDP/tcp    -  To get events from the agent.
1515/tcp        -  Port Used for agent Registration.
1516/tcp        -  Wazuh Cluster communications.
55000/tcp       -  Wazuh API port for incoming requests. 

Let’s add the firewall using the firewall-cmd command.

# firewall-cmd --permanent --add-port={514,1514,1515,1516,55000}/tcp
# firewall-cmd --permanent --add-port={514,1514}/udp
# firewall-cmd --reload
# firewall-cmd --list-all

Add both TCP and UDP ports.

SELinux Configuration

We are not going to disable SELinux at all.

[root@wazuh ~]# sestatus 
 SELinux status:                 enabled
 SELinuxfs mount:                /sys/fs/selinux
 SELinux root directory:         /etc/selinux
 Loaded policy name:             targeted
 Current mode:                   enforcing
 Mode from config file:          enforcing
 Policy MLS status:              enabled
 Policy deny_unknown status:     allowed
 Max kernel policy version:      31
[root@wazuh ~]#

Resolving dependencies

First of all, install the required development tools using Yum.

# yum -y install gcc gcc-c++ make policycoreutils-python automake autoconf libtool

We required more dependencies for CPython. Enable EPEL repo and install the required packages.

# yum install epel-release yum-utils -y
# yum-builddep python34 -y

We are good with the required dependencies.

Installed:
   bluez-libs-devel.x86_64 0:5.44-5.el7           bzip2.x86_64 0:1.0.6-13.el7                       bzip2-devel.x86_64 0:1.0.6-13.el7               
   expat-devel.x86_64 0:2.1.0-10.el7_3            gcc-c++.x86_64 0:4.8.5-39.el7                     gdbm-devel.x86_64 0:1.10-8.el7                  
   gmp-devel.x86_64 1:6.0.0-15.el7                libX11-devel.x86_64 0:1.6.7-2.el7                 libffi-devel.x86_64 0:3.0.13-18.el7             
   mesa-libGL-devel.x86_64 0:18.3.4-6.el7_7       ncurses-devel.x86_64 0:5.9-14.20130511.el7_4      net-tools.x86_64 0:2.0-0.25.20131004git.el7     
   openssl-devel.x86_64 1:1.0.2k-19.el7           readline-devel.x86_64 0:6.2-11.el7                sqlite-devel.x86_64 0:3.7.17-8.el7_7.1          
   systemtap-sdt-devel.x86_64 0:4.0-10.el7_7      tcl-devel.x86_64 1:8.5.13-8.el7                   tix-devel.x86_64 1:8.4.3-12.el7                 
   tk-devel.x86_64 1:8.5.13-6.el7                 valgrind-devel.x86_64 1:3.14.0-16.el7             xz-devel.x86_64 0:5.2.2-1.el7                   
   zlib-devel.x86_64 0:1.2.7-18.el7              

Download and Install Wazuh

Download the latest packages of Wazuh from the Github repo.

# curl -Ls https://github.com/wazuh/wazuh/archive/v3.11.4.tar.gz | tar zx

While we running the curl command it will extract the tar.gz file under the current location.

[root@wazuh ~]# ls
 anaconda-ks.cfg  wazuh-3.11.4
 [root@wazuh ~]# cd wazuh-3.11.4/
 [root@wazuh wazuh-3.11.4]# 
 [root@wazuh wazuh-3.11.4]# ls -lthr
 total 224K
 drwxrwxr-x.  6 root root   84 Feb 24 17:53 wodles
 -rwxrwxr-x.  1 root root  225 Feb 24 17:53 upgrade.sh
 drwxrwxr-x.  4 root root   53 Feb 24 17:53 tools
 drwxrwxr-x. 37 root root 4.0K Feb 24 17:53 src
 drwxrwxr-x.  2 root root   54 Feb 24 17:53 integrations
 -rwxrwxr-x.  1 root root  28K Feb 24 17:53 install.sh
[root@wazuh wazuh-3.11.4]# 

To start the installation from the source run ./install.sh.

  • Use your prefered language by choosing from the list.
  • Choose the kind of installation. We need a manager so type “manager”.
  • If you need to configure email notifications provide your email server/Relay details.
  • For remaining prompts provide “y” to use the default value.

This will take a few minutes to complete the installation.

[root@wazuh wazuh-3.11.4]# ./install.sh 
 ** Para instalação em português, escolha [br].
   ** 要使用中文进行安装, 请选择 [cn].
   ** Für eine deutsche Installation, wählen Sie [de].
   ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
   ** For installation in English, choose [en].
   ** Para instalar en español, elija [es].
   ** Pour une installation en français, choisissez [fr]
   ** A Magyar nyelvű telepítéshez válassza [hu].
   ** Per l'installazione in Italiano, scegli [it].
   ** 日本語でインストールします.選択して下さい.[jp].
   ** Voor installatie in het Nederlands, kies [nl].
   ** Aby instalować w języku Polskim, wybierz [pl].
   ** Для инструкций по установке на русском ,введите [ru].
   ** Za instalaciju na srpskom, izaberi [sr].
   ** Türkçe kurulum için seçin [tr].
   (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
 Wazuh v3.11.4 (Rev. 31121) Installation Script - http://www.wazuh.com
 You are about to start the installation process of Wazuh.
  You must have a C compiler pre-installed in your system.
 System: Linux wazuh.linuxsysadmins.local 3.10.0-1062.el7.x86_64 (centos 7.7)
 User: root
 Host: wazuh.linuxsysadmins.local
 -- Press ENTER to continue or Ctrl-C to abort. -- 
 1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager
 Manager (server) installation chosen. 
 2- Setting up the installation environment.
 Choose where to install Wazuh [/var/ossec]: 
 Installation will be made at  /var/ossec . 
 3- Configuring Wazuh.
 3.1- Do you want e-mail notification? (y/n) [n]: y
 What's your e-mail address? admin@linuxsysadmins.local
 What's your SMTP server ip/host? 192.168.0.135
 3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
 Running syscheck (integrity check daemon).
 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
 Running rootcheck (rootkit detection).
 3.4- Do you want to run policy monitoring checks? (OpenSCAP) (y/n) [y]: y
 Running OpenSCAP (policy monitoring checks).
 3.5- Active response allows you to execute a specific
    command based on the events received.
    By default, no active responses are defined.
 Default white list for the active response:
 192.168.0.21
 192.168.0.1
 Do you want to add more IPs to the white list? (y/n)? [n]: y
 IPs (space separated): 192.168.0.22
 3.6- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
 Remote syslog enabled.
 3.7 - Do you want to run the Auth daemon? (y/n) [y]: y
 Running Auth daemon.
 3.8- Do you want to start Wazuh after the installation? (y/n) [y]: y
 Wazuh will start at the end of installation.
 3.9- Setting the configuration to analyze the following logs:
 -- /var/log/audit/audit.log
 -- /var/ossec/logs/active-responses.log
 -- /var/log/messages
 -- /var/log/secure
 -- /var/log/maillog
 If you want to monitor any other file, just change
 the ossec.conf and add a new localfile entry.
 Any questions about the configuration can be answered
 by visiting us online at https://documentation.wazuh.com/.
 --- Press ENTER to continue --- 
 4- Installing the system
 Running the Makefile 
 curl -so external/cJSON.tar.gz https://packages.wazuh.com/deps/3.11/cJSON.tar.gz
 cd external && gunzip cJSON.tar.gz
 cd external && tar -xf cJSON.tar
 rm external/cJSON.tar
 curl -so external/cpython_amd64.tar.gz https://packages.wazuh.com/deps/3.11/cpython_amd64.tar.gz
 cd external && gunzip cpython_amd64.tar.gz
 cd external && tar -xf cpython_amd64.tar
 rm external/cpython_amd64.tar
 curl -so external/curl.tar.gz https://packages.wazuh.com/deps/3.11/curl.tar.gz
 cd external && gunzip curl.tar.gz
 cd external && tar -xf curl.tar
 rm external/curl.tar
 curl -so external/libdb.tar.gz https://packages.wazuh.com/deps/3.11/libdb.tar.gz
 cd external && gunzip libdb.tar.gz
 cd external && tar -xf libdb.tar
 rm external/libdb.tar
 curl -so external/libffi.tar.gz https://packages.wazuh.com/deps/3.11/libffi.tar.gz
 Installed /var/ossec/framework/python/lib/python3.7/site-packages/wazuh-3.11.4-py3.7.egg
 Processing dependencies for wazuh==3.11.4
 Finished processing dependencies for wazuh==3.11.4
 Installing SCAP security policies…
 Generating self-signed certificate for ossec-authd…
 Building CDB lists…
 Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /etc/systemd/system/wazuh-manager.service.
 Starting Wazuh…
 Configuration finished properly.
 To start Wazuh:
   /var/ossec/bin/ossec-control start
 To stop Wazuh:
   /var/ossec/bin/ossec-control stop
 The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
 Thanks for using Wazuh.
 Please don't hesitate to contact us if you need help or find
 any bugs.
 Use our public Mailing List at:
       https://groups.google.com/forum/#!forum/wazuh
 More information can be found at:
       - http://www.wazuh.com
       - http://www.ossec.net
 ---  Press ENTER to finish (maybe more information below). ---
 In order to connect agent and server, you need to add each agent to the server.
 Run the 'manage_agents' to add or remove them:
 /var/ossec/bin/manage_agents
 More information at: 
 https://documentation.wazuh.com/ 
[root@wazuh wazuh-3.11.4]# 

We have truncated the long output.

Start and Enable service

Start and enable the Wazuh by running any one of the below commands.

# /var/ossec/bin/ossec-control start
              or 
# systemctl start wazuh-manager
# systemctl enable wazuh-manager
[root@wazuh ~]# systemctl status wazuh-manager
 ● wazuh-manager.service - Wazuh manager
    Loaded: loaded (/etc/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
    Active: active (running) since Fri 2020-03-13 12:28:21 +04; 32min ago
   Process: 20862 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/wazuh-manager.service
            ├─20927 /var/ossec/bin/ossec-authd
            ├─20936 /var/ossec/bin/wazuh-db
            ├─20953 /var/ossec/bin/ossec-execd
            ├─20961 /var/ossec/bin/ossec-analysisd
            ├─20967 /var/ossec/bin/ossec-syscheckd
            ├─20976 /var/ossec/bin/ossec-remoted
            ├─20981 /var/ossec/bin/ossec-logcollector
            ├─20987 /var/ossec/bin/ossec-monitord
            └─20999 /var/ossec/bin/wazuh-modulesd
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started wazuh-db…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-execd…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-analysisd…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-syscheckd…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-remoted…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-logcollector…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-monitord…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started wazuh-modulesd…
 Mar 13 12:28:21 wazuh.linuxsysadmins.local env[20862]: Completed.
 Mar 13 12:28:21 wazuh.linuxsysadmins.local systemd[1]: Started Wazuh manager.
[root@wazuh ~]#

Let’s follow with installing API for Wazuh.

Installing Wazuh API

Before starting with installing API, we need to resolve the dependencies.

# curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
Installing the NodeSource Node.js 10.x repo…
 Inspecting system…
 rpm -q --whatprovides redhat-release || rpm -q --whatprovides centos-release || rpm -q --whatprovides cloudlinux-release || rpm -q --whatprovides sl-release
 uname -m 
 Confirming "el7-x86_64" is supported…
 curl -sLf -o /dev/null 'https://rpm.nodesource.com/pub_10.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm' 
 Downloading release setup RPM…
 mktemp
 curl -sL -o '/tmp/tmp.UukGHctGkt' 'https://rpm.nodesource.com/pub_10.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm' 
 Installing release setup RPM…
 rpm -i --nosignature --force '/tmp/tmp.UukGHctGkt' 
 Cleaning up…
 rm -f '/tmp/tmp.UukGHctGkt' 
 Checking for existing installations…
 rpm -qa 'node|npm' | grep -v nodesource 
 Run sudo yum install -y nodejs to install Node.js 10.x and npm.
 You may also need development tools to build native addons:
  sudo yum install gcc-c++ make
 To install the Yarn package manager, run:
  curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo  sudo yum install yarn
[root@wazuh ~]# 

Wazhu API required NodeJS greater than the 4.6.1 version.

# sudo yum install -y nodejs
# npm config set user 0
Installing : 2:nodejs-10.19.0-1nodesource.x86_64           1/1 
   Verifying  : 2:nodejs-10.19.0-1nodesource.x86_64           1/1 
 Installed:
     nodejs.x86_64 2:10.19.0-1nodesource                                                                                                                                                                                                                                           
 Complete!
[root@wazuh ~]#

By following install the yarn as stated from the above output. Yarn is a package manager for codes.

# curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
# yum install yarn -y

Download and start the installation of Wazuh API.

# curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.11.4/install_api.sh && bash ./install_api.sh download

Output for reference

[root@wazuh ~]# curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.11.4/install_api.sh && bash ./install_api.sh download
 Wazuh API
 Downloading API from https://github.com/wazuh/wazuh-api/archive/v3.11.4.tar.gz
 Installing Wazuh API 3.11.4
 Installing API ['/var/ossec/api'].
 Installing NodeJS modules.
 Installing service.
 Installing for systemd
 Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-api.service to /etc/systemd/system/wazuh-api.service.
 API URL: http://host_ip:55000/
 user: 'foo'
 password: 'bar'
 Configuration: /var/ossec/api/configuration
 Test: curl -u foo:bar -k http://127.0.0.1:55000?pretty
 Note: You can configure the API executing /var/ossec/api/scripts/configure_api.sh
 [API installed successfully]
[root@wazuh ~]#

Check the wazuh-api service by running systemctl command

# systemctl status wazuh-api
[root@wazuh ~]# systemctl status wazuh-api
 ● wazuh-api.service - Wazuh API daemon
    Loaded: loaded (/etc/systemd/system/wazuh-api.service; enabled; vendor preset: disabled)
    Active: active (running) since Fri 2020-03-13 13:57:00 +04; 1min 20s ago
      Docs: https://documentation.wazuh.com/current/user-manual/api/index.html
  Main PID: 22619 (node)
    CGroup: /system.slice/wazuh-api.service
            └─22619 /usr/bin/node /var/ossec/api/app.js
 Mar 13 13:57:00 wazuh.linuxsysadmins.local systemd[1]: Started Wazuh API daemon.
[root@wazuh ~]#

Securing Wazuh API

The installation provides only with HTTP and defaults user “foo” and password as “bar”. Let’s configure to secure the API for secure communication by configuring https.

# /var/ossec/api/scripts/configure_api.sh
[root@wazuh ~]# /var/ossec/api/scripts/configure_api.sh
 Wazuh API Configuration
 TCP port [55000]: 
 Using TCP port 55000.
 Enable HTTPS and generate SSL certificate? [Y/n/s]: Y
 Step 1: Create key [Press Enter]
 Generating RSA private key, 2048 bit long modulus
 ……………………………………………+++
 …………………………………………………………………………………..+++
 e is 65537 (0x10001)
 Enter pass phrase for server.key:
 Verifying - Enter pass phrase for server.key:
 Enter pass phrase for server.key.org:
 writing RSA key
 Step 2: Create self-signed certificate [Press Enter]
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 Country Name (2 letter code) [XX]:IN
 State or Province Name (full name) []:TN
 Locality Name (eg, city) [Default City]:Chennai
 Organization Name (eg, company) [Default Company Ltd]:Self
 Organizational Unit Name (eg, section) []:Nix  
 Common Name (eg, your name or your server's hostname) []:linuxsysadmins.local
 Email Address []:admin@linuxsysadmins.local
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:          
 An optional company name []:
 Key: /var/ossec/api/configuration/ssl/server.key.
 Certificate: /var/ossec/api/configuration/ssl/server.crt
 Continue with next section [Press Enter]
 Enable user authentication? [Y/n/s]: Y
 API user: babinlonston
 New password: 
 Re-type new password: 
 Adding password for user babinlonston.
 is the API running behind a proxy server? [y/N/s]: N
 API not running behind proxy server.
 Configuration changed.
 Restarting API.
 [Configuration changed]
[root@wazuh ~]#

Once the script completes it will restart the API, In case, if you need to restart the service use

# systemctl restart wazuh-api

The changed account information will be under

[root@wazuh ~]# cat /var/ossec/api/configuration/auth/user 
 babinlonston:$2a$10$3Ov.Glfvr2p81u3j3anmu.fw6DXZJDq0ZEURCCr1WXxt3EEBdtHs.
[root@wazuh ~]# 

Testing secure API communication

Once configured with HTTPS and default user account, try to test the configuration.

[root@wazuh ~]# curl -u babinlonston:xxxxxxxx -k https://127.0.0.1:55000?pretty -v
* About to connect() to 127.0.0.1 port 55000 (#0)
* Trying 127.0.0.1…
* Connected to 127.0.0.1 (127.0.0.1) port 55000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: E=admin@linuxsysadmins.local,CN=linuxsysadmins.local,OU=Nix,O=Self,L=Chennai,ST=TN,C=IN
* start date: Mar 13 10:18:08 2020 GMT
* expire date: Oct 21 10:18:08 2025 GMT
* common name: linuxsysadmins.local
* issuer: E=admin@linuxsysadmins.local,CN=linuxsysadmins.local,OU=Nix,O=Self,L=Chennai,ST=TN,C=IN
* Server auth using Basic with user 'babinlonston' 
   > GET /?pretty HTTP/1.1
   > Authorization: Basic YmFiaW5sb25zdG9uOlJlZGhhdEAxMjM=
   > User-Agent: curl/7.29.0
   > Host: 127.0.0.1:55000
   > Accept: /
   < HTTP/1.1 200 OK
   < X-Powered-By: Express
   < Access-Control-Allow-Origin: *
   < Content-Type: text/html; charset=utf-8
   < Content-Length: 235
   < ETag: W/"eb-TPfP9bhXx8EStmyRVAbjKXdy40c"
   < Date: Fri, 13 Mar 2020 10:23:04 GMT
   < Connection: keep-alive
   < 
   {
      "error": 0,
      "data": {
         "msg": "Welcome to Wazuh HIDS API",
         "api_version": "v3.11.4",
         "hostname": "wazuh.linuxsysadmins.local",
         "timestamp": "Fri Mar 13 2020 14:23:04 GMT+0400 (Gulf Standard Time)"
      }
   }
      Connection #0 to host 127.0.0.1 left intact
[root@wazuh ~]#    

Installing Filebeat

To securely forward the alerts from filebeat to the elastic server we are about to use the Filebeat.

Let’s import the GPG key and add the repository.

# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
 [elasticsearch-7.x]
 name=Elasticsearch repository for 7.x packages
 baseurl=https://artifacts.elastic.co/packages/7.x/yum
 gpgcheck=1
 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
 enabled=1
 autorefresh=1
 type=rpm-md
 EOF

Install the filebeat with the required version.

# yum install filebeat-7.3.0 -y

Download the Filebeat configuration file from the Wazuh repository and save it under the /etc/filebeat/, By following add the permissions.

# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml

Download the alerts template for Elasticsearch

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Download the wazuh module for filebeat. Extract and save under /usr/share/filebeat/module

# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Configure filebeat

Once the above steps are resolved, Let’s start to configure the filebeat. As we mentioned before, the IP of the Elastic server is 192.168.0.131 | elastic.linuxsysadmins.local

# vim /etc/filebeat/filebeat.yml

The only change we need to do in this file is just replaced http://ELASTIC_SERVER_IP:9200 with http://192.168.0.131:9200

output.elasticsearch.hosts: ['http://ELASTIC_SERVER_IP:9200']
                     to
output.elasticsearch.hosts: ['http://192.168.0.131:9200']

Enable and restart the filebeat service.

# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service

Next, we need to set up the Elastic Search server, Before that, let us prepare to set up the Java. In my setup, I’m using with Java 13.0.2.
To set up the Java follow this guide

[root@elastic ~]# java -version
 java version "13.0.2" 2020-01-14
 Java(TM) SE Runtime Environment (build 13.0.2+8)
 Java HotSpot(TM) 64-Bit Server VM (build 13.0.2+8, mixed mode, sharing)
[root@elastic ~]#

Setting up Elastic Server

Before starting with any configuration we need to make sure the hostname is set.

[root@elastic ~]# hostnamectl 
    Static hostname: localhost.localdomain
 Transient hostname: elastic.linuxsysadmins.local
          Icon name: computer-vm
            Chassis: vm
         Machine ID: 36618758588646fb9bd7e5ceb0e73a70
            Boot ID: e737fa66fb1148bcaadb142ca2dc39d3
     Virtualization: kvm
   Operating System: CentOS Linux 7 (Core)
        CPE OS Name: cpe:/o:centos:centos:7
             Kernel: Linux 3.10.0-1062.el7.x86_64
       Architecture: x86-64
[root@elastic ~]#

Firewalls for Elastic Server

The required port in the Elastic server is as follows.

# firewall-cmd --add-port=9200/tcp --permanent
# firewall-cmd --add-port=5601/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all

Right after that, Import the GPG key for the new repository and create the repo file.

# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
 [elasticsearch-7.x]
 name=Elasticsearch repository for 7.x packages
 baseurl=https://artifacts.elastic.co/packages/7.x/yum
 gpgcheck=1
 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
 enabled=1
 autorefresh=1
 type=rpm-md
 EOF

Installing Elastic

Once after adding the repo install Elastic Search. The package size will be around 475 MB.

# yum install elasticsearch-7.6.1 -y

Output for reference

Installing : elasticsearch-7.6.1-1.x86_64                                                                                                                                      1/1 
 NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
  sudo systemctl enable elasticsearch.service
 You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
 Created elasticsearch keystore in /etc/elasticsearch
   Verifying  : elasticsearch-7.6.1-1.x86_64                                                                                                                                      1/1 
 Installed:
   elasticsearch.x86_64 0:7.6.1-1                                                                                                                                                     
 Complete!
[root@elastic ~]#

By default, Elastic search will listen on loopback (127.0.0.1) localhost interface.

# vim /etc/elasticsearch/elasticsearch.yml
network.host: 192.168.0.131
node.name: elastic
cluster.initial_master_nodes: ["elastic"]

Start and enable the Elasticsearch service

# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
[root@elastic ~]# systemctl status elasticsearch.service 
 ● elasticsearch.service - Elasticsearch
    Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
    Active: active (running) since Sat 2020-03-14 12:13:23 +04; 2min 13s ago
      Docs: http://www.elastic.co
  Main PID: 1342 (java)
    CGroup: /system.slice/elasticsearch.service
            ├─1342 /usr/java/jdk-13.0.2/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Df…
            └─1934 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller
 Mar 14 12:13:12 elastic.linuxsysadmins.local systemd[1]: Starting Elasticsearch…
 Mar 14 12:13:12 elastic.linuxsysadmins.local elasticsearch[1342]: Java HotSpot(TM) 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and … release.
 Mar 14 12:13:23 elastic.linuxsysadmins.local systemd[1]: Started Elasticsearch.
 Hint: Some lines were ellipsized, use -l to show in full.
[root@elastic ~]#

Let’s verify the cluster health, It should show the status as “green”.

[root@elastic ~]# curl 192.168.0.131:9200/_cat/health?v
 epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
 1584126047 19:00:47  elasticsearch green           1         1      6   6    0    0        0             0                  -                100.0%
[root@elastic ~]#

Few Tweaks for ElasticSearch

Configure Java path and Heap memory for elastic search.

# vim /etc/sysconfig/elasticsearch
JAVA_HOME=/usr/java/jdk-13.0.2
ES_HEAP_SIZE=4g
MAX_OPEN_FILES=65535

Adding Filebeat Template

Once the Elasticsearch server is up and running switch back to wazuh server where filebeat is installed and run the below command to add the filebeat template.

# filebeat setup --index-management -E setup.template.json.enabled=false

[root@wazuh ~]# filebeat setup --index-management -E setup.template.json.enabled=false
 ILM policy and write alias loading not enabled.
 Index setup finished.
[root@wazuh ~]#

Once we run the above command we should get the output on the elastic search server log /var/log/elasticsearch/elasticsearch.log as shown below.

[2020-03-13T16:41:19,832][INFO ][o.e.c.m.MetaDataIndexTemplateService] [elastic] adding template [filebeat-7.6.1] for index patterns [filebeat-7.6.1-*]

Let’s verify the same by running curl from filebeat server.

[root@wazuh ~]# curl http://192.168.0.131:9200
 {
   "name" : "elastic",
   "cluster_name" : "elasticsearch",
   "cluster_uuid" : "hivhkmBPRXq5ihLx0KLRgg",
   "version" : {
     "number" : "7.6.1",
     "build_flavor" : "default",
     "build_type" : "rpm",
     "build_hash" : "aa751e09be0a5072e8570670309b1f12348f023b",
     "build_date" : "2020-02-29T00:15:25.529771Z",
     "build_snapshot" : false,
     "lucene_version" : "8.4.0",
     "minimum_wire_compatibility_version" : "6.8.0",
     "minimum_index_compatibility_version" : "6.0.0-beta1"
   },
   "tagline" : "You Know, for Search"
 }
[root@wazuh ~]#

Look’s good as of now. Let’s move forward.

Setting up Kibana

To visualize the events and archived store in elastic search let us use Kibana. Install with the latest version of Kibana by running

# yum install kibana -y

Right after, install the wazuh plugin for kibana by downloading the zip file.

# cd /tmp/
# wget https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.4_7.6.1.zip
# cd /usr/share/kibana/
# sudo -u kibana bin/kibana-plugin install file:///tmp/wazuhapp-3.11.4_7.6.1.zip
[root@elastic kibana]# sudo -u kibana bin/kibana-plugin install file:///tmp/wazuhapp-3.11.4_7.6.1.zip 
 Attempting to transfer from file:///tmp/wazuhapp-3.11.4_7.6.1.zip
 Transferring 25031565 bytes………………..
 Transfer complete
 Retrieving metadata from plugin archive
 Extracting plugin archive
 Extraction complete
 Plugin installation complete
[root@elastic kibana]#

Make changes to kibana configuration to listen from anywhere outside of the box.

# vim /etc/kibana/kibana.yml

Moreover, we need to set the IP of the elastic search server by editing the same config file.

server.port: 5601
server.host: "192.168.0.131"
server.name: "elastic"
elasticsearch.hosts: ["http://192.168.0.131:9200"]
pid.file: /var/run/kibana.pid
logging.dest: /var/log/kibana/kibana.log
logging.verbose: false

Create the PID file and log file with respective ownership and permissions.

# touch /var/run/kibana.pid
# chown kibana:kibana /var/run/kibana.pid
# mkdir /var/log/kibana/
# touch /var/log/kibana/kibana.log
# chown -R kibana:kibana /var/log/kibana/*

Increase the kibana Heap Memory

# vim /etc/default/kibana
 
NODE_OPTIONS="--max-old-space-size=4096"

Add port 5601 as HTTP service in SELinux.

[root@elastic ~]# semanage port -a -t http_port_t -p tcp 5601

Finally, Enable and restart the kiabana service.

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
[root@elastic ~]# systemctl status kibana.service 
 ● kibana.service - Kibana
    Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
    Active: active (running) since Sat 2020-03-14 12:13:10 +04; 2min 24s ago
  Main PID: 970 (node)
    CGroup: /system.slice/kibana.service
            └─970 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
 Mar 14 12:13:10 localhost.localdomain systemd[1]: Started Kibana.

Configure the wazuh plugin with credentials and make sure to use HTTPS.

# vim /usr/share/kibana/plugins/wazuh/wazuh.yml
hosts:
 default:
  url: https://192.168.0.130
  port: 55000
  user: babinlonston
  password: xxxxxxxxx 

Access Kibana Graphical Dashboard

Navigate to http://elastic.linuxsysadmins.local:5601 to access the Kibana dashboard.

The status of the API can be checked from the Kibana graphical interface.

API configuration from ELK
API configuration from ELK

Click on the left side Wazuh icon, by following on the right-hand side click on the gear icon to get the API configuration window.

  1. Wazuh Manager server.
  2. The IP address of the Wazuh server.
  3. Port of the API.
  4. User account used for API communication.
  5. Status of the API communication.

Now, Let me add my all physical servers as an agent.

Agent Installation for Debian Based servers

Install the Agent

Few of my physical servers are need to be monitored, let’s add all of those Debian-based physical servers to Wazuh Manager. To start with the agent setup will begin with resolving the required dependencies.

# apt-get install curl apt-transport-https lsb-release gnupg2

root@pve1:~# apt-get install curl apt-transport-https lsb-release gnupg2
 Reading package lists… Done
 Building dependency tree       
 Reading state information… Done
 apt-transport-https is already the newest version (1.8.2).
 gnupg2 is already the newest version (2.2.12-1+deb10u1).
 lsb-release is already the newest version (10.2019051400).
 curl is already the newest version (7.64.0-4+deb10u1).
 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@pve1:~#

Add the GPG key for the Wazuh agent, By following add the repository

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# apt-get update

Start the agent installation by running

# apt-get install wazuh-agent
root@pve1:~# apt-get install wazuh-agent
 Reading package lists… Done
 Building dependency tree       
 Reading state information… Done
 wazuh-agent is already the newest version (3.11.4-1).
 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@pve1:~#

Adding client

To add the client we need to be in Wazhu Manager. While running the mange_agents command, make sure to use -a option with the client IP address or hostname and use -n for what name to be listed in Wazhu Manager.

# /var/ossec/bin/manage_agents -a 192.168.0.11 -n pve1
[root@wazuh ~]# /var/ossec/bin/manage_agents -a 192.168.0.11 -n pve1
 
 Wazuh v3.11.4 Agent manager.         *
 The following options are available: * 
 
 (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
 Choose your action: A,E,L,R or Q: 
 Adding a new agent (use '\q' to return to the main menu).
 Please provide the following:
 A name for the new agent:    * The IP Address of the new agent: Confirm adding it?(y/n):
 Agent added with ID 003. 
 manage_agents: Exiting.
[root@wazuh ~]#

List and verify all the added agents

[root@wazuh ~]# /var/ossec/bin/manage_agents -l
 Available agents: 
    ID: 003, Name: pve1, IP: 192.168.0.11
[root@wazuh ~]#

Now, we need to extract the key for an agent using its ID number.

[root@wazuh ~]# /var/ossec/bin/manage_agents -e 003
 Agent key information for '003' is: 
 MDAzIHB2ZTEgMTkyLjE2OC4wLjExIGFhYjBhMGRhYmY4OWFhZjBhMzI5MTk4ZTFkMzg4ODUxODRjOGM0YjQ0NDQ5YTU5N2EyYWYyYTAzNTNhMWExZTY=
[root@wazuh ~]#

Once the key is ready, switch to the client-side and run the command with -i the option to import the authentication key.

root@pve1:~# /var/ossec/bin/manage_agents -i MDAzIHB2ZTEgMTkyLjE2OC4wLjExIGFhYjBhMGRhYmY4OWFhZjBhMzI5MTk4ZTFkMzg4ODUxODRjOGM0YjQ0NDQ5YTU5N2EyYWYyYTAzNTNhMWExZTY=
 Agent information:
    ID:003
    Name:pve1
    IP Address:192.168.0.11
 Confirm adding it?(y/n): y
 Added.
root@pve1:~#

That’s it, let’s restart the agent.

# systemctl restart wazuh-agent

We have added with few agents and they are active.

Wazhu Added Agents
Wazhu Added Agents

That’s it, we have completed with Wazhu client-side setup.

Troubleshooting and fixes.

If Elastic search or Kibana failed to start, troubleshoot with the below commands.

# journalctl _SYSTEMD_UNIT=kibana.service
# journalctl -f _SYSTEMD_UNIT=kibana.service

Solution for JavaScript heap Out of memory for Kibana

If we miss with increasing the heap memory for Java we may encounter with below errors.

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory

Reference URL: https://groups.google.com/forum/#!topic/wazuh/Ji7-l3Y8JK8

  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: <--- JS stacktrace --->
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: ==== JS stack trace =========================================
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 0: ExitFrame [pc: 0x1b22d6a5be1d]
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: Security context: 0x20f68519e6e9 
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 1: add [0x20f685191831](this=0x22d475c05fc9 ,0x11a62cea3299 )
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 2: prepend_comments [0xd64b2eba221] [/usr/share/kibana/node_modules/terser/dist/bundle.min.js:1] [bytecode=0x142c02cb7e9 
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 3: /* anonym…
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 1: 0x8fa090 node::Abort() [/usr/share/kibana/bin/../node/bin/node]
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 2: 0x8fa0dc  [/usr/share/kibana/bin/../node/bin/node]
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 3: 0xb0052e v8::Utils::ReportOOMFailure(v8::internal::Isolate, char const, bool) [/usr/share/kibana/bin/../node/bin/nod
  Mar 13 17:35:45 elastic.linuxsysadmins.local kibana[11128]: 4: 0xb00764 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate, char const, bool) [/usr/share/kibana/bin/.

Solution for Warning to connect the Wazhu API

If your Kibana Dashboard shows a Warning to connect with Wazhu API or with the below error.

3099 - ERROR3099 - Some Wazuh daemons are not ready in node 'node01' (wazuh-db->failed)

Switch to Wazhu Manager server and restart the services.

# systemctl restart wazuh-api
# systemctl restart wazuh-manager

Few more troubleshooting we have gone through are as follows.

[root@elastic ~]# curl -X GET "192.168.0.131:9200/_cat/indices/.kib*?v&s=index"
  health status index                  uuid                   pri rep docs.count docs.deleted store.size pri.store.size
  green  open   .kibana_1              bfgsdC23TWCcdiTCqZsOHg   1   0          0            0       230b           230b
  green  open   .kibana_task_manager_1 47p0T3PjTaKRzmhOv1IWOg   1   0          0            0       283b           283b
[root@elastic ~]#
[root@elastic ~]# curl -XDELETE http://192.168.0.131:9200/.kibana_1
{"acknowledged":true}
[root@elastic ~]# 

We will keep updating these troubleshooting steps while we face similar issues in the future.

Conclusion

The Wazuh OpenSource security tool provides production-ready software for analyzing our logs. Will come up with more articles related to Wazuh. Subscribe to our newsletter and stay with us.

2 thoughts on “Install Wazuh Open Source Security Analytics

Comments are closed.