2. Wazuh Server - Fooster171/Wazuh-SEIM-Home-Lab GitHub Wiki

Foreword

We will begin with the installation of the Wazuh server. Wazuh is an open-source platform that, in this lab, is built on top of an ELK stack to act as the XDR and SIEM platform. Once the server is established, Wazuh agents can be deployed that feed data back to it. The steps detailed for the initial setup are taken from Wazuh's official documentation.

Here is a link to the Wazuh documentation used for the creation of this lab:

Wazuh Server - Installation Documentation

The Wazuh server in this example will be installed on a Raspberry Pi running Ubuntu Server.

Initial Raspberry Pi Setup

I installed Wazuh on a Raspberry Pi 4. To set up the Raspberry Pi you need to use the Raspberry Pi Imager, available here: Raspberry Pi OS – Raspberry Pi

In the options, I set up the Pi with SSH and Wi-Fi, and for the OS I installed Ubuntu Server 22.04. To SSH into the machine you will need to either check your DHCP server to see which IP address was assigned, or connect to the Pi with a keyboard and monitor and run the command below:

ifconfig -a

From this output you should see an IPv4 address you can use to SSH into the device.

SSH into the Raspberry Pi:

ssh username@<raspberry_pi_ip>

Install updates:

sudo apt update && sudo apt upgrade

sudo reboot

Install the following base requirements:

sudo apt-get install openjdk-11-jdk
sudo apt-get install wget   (already installed)
sudo apt-get install apt-transport-https
sudo apt-get install curl   (already installed)
sudo apt-get install gnupg2

Ensure Java is installed:

java -version

The Wazuh all-in-one installation steps follow. To run them you need to be logged in as root. On a fresh Ubuntu server the root account is locked until you set a password with "sudo passwd root".

Install Elasticsearch

Log in to the Ubuntu server as root to begin the installation:

su root

Execute the following commands as root to create an Elastic Stack Repository:

curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg

echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

apt-get update

Install Elasticsearch & config:

apt-get install elasticsearch=7.17.13

Now download the elasticsearch.yml configuration file as follows:

curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml

Next we need to create and deploy certificates so that clients talk to the Elasticsearch node over TLS. First download the instances file that lists the nodes to issue certificates for:

curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/instances_aio.yml

Then run the certutil bundled with Elasticsearch to generate a CA plus a certificate and key for the instance listed in that file:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip

Unzip certs.zip:

unzip ~/certs.zip -d ~/certs

Next, we need to create a directory for the CA, certificate and key:

mkdir /etc/elasticsearch/certs/ca -p

cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/

chown -R elasticsearch: /etc/elasticsearch/certs

chmod -R 500 /etc/elasticsearch/certs

chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*

rm -rf ~/certs/ ~/certs.zip
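As an added check that is not part of the wiki, the following shell function audits a certificate directory laid out as above (ca/ca.crt plus <name>.crt and <name>.key) for missing files, permission bits that expose the private key to group or other, and wrong ownership; the directory, name and owner arguments are assumptions you supply, and it applies equally to the Filebeat and Kibana copies made later on this page.

```shell
#!/bin/sh
# Added check (not from the wiki): audit a certificate directory laid out the
# way this page does it (<dir>/ca/ca.crt, <dir>/<name>.crt, <dir>/<name>.key).
# Flags missing files, anything group-writable or reachable by "other", and
# anything not owned by the service account (files copied as root keep root).
# Paths are assumed to contain no whitespace, as on this page.
# Usage: audit_cert_dir <dir> <name> <owner>; prints one problem per line and
# returns 0 only when the directory is clean.
audit_cert_dir() {
  dir=$1 name=$2 owner=$3 problems=0
  for f in "$dir/ca/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f"; problems=$((problems + 1))
    fi
  done
  # 027 = group write + all "other" bits; the page's 400/500 (and Kibana's 440) pass
  for f in $(find "$dir" -perm /027 2>/dev/null); do
    echo "too permissive: $f"; problems=$((problems + 1))
  done
  for f in $(find "$dir" ! -user "$owner" 2>/dev/null); do
    echo "wrong owner: $f"; problems=$((problems + 1))
  done
  [ "$problems" -eq 0 ]
}

# Run as root after the copy steps, e.g. for the Elasticsearch directory:
#   audit_cert_dir /etc/elasticsearch/certs elasticsearch elasticsearch
# and later for Kibana:
#   audit_cert_dir /etc/kibana/certs kibana kibana
```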

Now, enable and start elasticsearch:

systemctl daemon-reload

systemctl enable elasticsearch

systemctl start elasticsearch

Next, auto-generate the passwords for Elastic Stack roles and users.

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

Save these somewhere safe; the elastic user's password is needed again when configuring Filebeat and Kibana. The output will look something like this:

Changed password for user apm_system
PASSWORD apm_system = pSQU9YV7EoEKwwTnCMwz
Changed password for user kibana_system
PASSWORD kibana_system = tdnywgJzlXbkLj6QAUJU
Changed password for user kibana
PASSWORD kibana = tdnywgJzlXbkLj6QAUJU
Changed password for user logstash_system
PASSWORD logstash_system = HkjNLVASaWhMudJlMlPQ
Changed password for user beats_system
PASSWORD beats_system = CHKJZeCIGUE7Tqa4zdPt
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = hfrLZ76FiRC8bAxxXNsl
Changed password for user elastic
PASSWORD elastic = dUHraQfJS04dEJU7wRG9

To make sure this was done correctly, you can test the credentials for the elastic user:

curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k

With the sample password from the output above, the command looks like this:

curl -XGET https://localhost:9200 -u elastic:dUHraQfJS04dEJU7wRG9 -k

Install Wazuh Server

Import the Wazuh GPG key:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update packages:

apt-get update

Install Wazuh Manager:

apt-get install wazuh-manager

Start and enable the Wazuh Manager service:

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Run the following command to ensure everything is working:

systemctl status wazuh-manager

Sample output:

wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-10-19 17:11:34 UTC; 31s ago
    Process: 49429 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 136 (limit: 4416)
     Memory: 620.3M
        CPU: 1min 33.958s
     CGroup: /system.slice/wazuh-manager.service
             ├─49485 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─49524 /var/ossec/bin/wazuh-authd
             ├─49540 /var/ossec/bin/wazuh-db
             ├─49564 /var/ossec/bin/wazuh-execd
             ├─49578 /var/ossec/bin/wazuh-analysisd
             ├─49587 /var/ossec/bin/wazuh-syscheckd
             ├─49604 /var/ossec/bin/wazuh-remoted
             ├─49637 /var/ossec/bin/wazuh-logcollector
             ├─49655 /var/ossec/bin/wazuh-monitord
             ├─49677 /var/ossec/bin/wazuh-modulesd
             ├─50110 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             └─50113 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

Oct 19 17:11:25 Wazuh env[49429]: Started wazuh-db...
Oct 19 17:11:26 Wazuh env[49429]: Started wazuh-execd...
Oct 19 17:11:26 Wazuh env[49429]: Started wazuh-analysisd...
Oct 19 17:11:27 Wazuh env[49429]: Started wazuh-syscheckd...
Oct 19 17:11:29 Wazuh env[49429]: Started wazuh-remoted...
Oct 19 17:11:30 Wazuh env[49429]: Started wazuh-logcollector...
Oct 19 17:11:31 Wazuh env[49429]: Started wazuh-monitord...
Oct 19 17:11:32 Wazuh env[49429]: Started wazuh-modulesd...
Oct 19 17:11:34 Wazuh env[49429]: Completed.
Oct 19 17:11:34 Wazuh systemd[1]: Started Wazuh manager.

Install Filebeat

Install the Filebeat package:

apt-get install filebeat=7.17.13

Download the Filebeat config file used to forward Wazuh alerts to Elasticsearch:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/filebeat_all_in_one.yml

Next, download the alerts template for Elasticsearch and add permissions:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.5/extensions/elasticsearch/7.x/wazuh-template.json

chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

Next, edit filebeat.yml to include the elastic user's password that was generated in a previous step:

nano /etc/filebeat/filebeat.yml

Edit the following field in the text editor:

output.elasticsearch.password: <elasticsearch_password>

Now copy the certificates into the /etc/filebeat/certs folder (check that the CA, certificate and key paths in filebeat.yml match where the files end up):

cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key

Start the Filebeat service:

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

You can test that Filebeat can reach Elasticsearch over TLS with this command:

filebeat test output

Sample output:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.17.13

Kibana Installation

Install the Kibana package:

apt-get install kibana=7.17.13

After this completes, add the Elasticsearch certificates to the necessary folders:

mkdir /etc/kibana/certs/ca -p
cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
chown -R kibana:kibana /etc/kibana/
chmod -R 500 /etc/kibana/certs
chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*

Download the Kibana config file:

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/kibana_all_in_one.yml

Edit kibana.yml to include the elastic user's password, as we did with Filebeat:

nano /etc/kibana/kibana.yml

Edit the following field:

elasticsearch.password: <elasticsearch_password>
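Rather than pasting the password by hand into filebeat.yml and kibana.yml, the following added helper, which is not from the wiki, reads it from the saved output of elasticsearch-setup-passwords and rewrites the password line in place; the function names and the files built in demo are constructed for this example, reusing the sample passwords printed earlier on the page.

```shell
#!/bin/sh
# Added helper (not from the wiki): read one user's password from the saved
# "elasticsearch-setup-passwords auto" output and write it into the
# "password:" line of filebeat.yml / kibana.yml without retyping it.

# Usage: es_password_for <saved_output_file> <user>  -> prints the password
es_password_for() {
  awk -v u="$2" '$1 == "PASSWORD" && $2 == u && $3 == "=" { print $4; found = 1; exit }
                 END { exit !found }' "$1"
}

# Usage: set_yaml_scalar <file> <key> <value>
# Rewrites the single top-level "<key>: ..." line in place; refuses to touch the
# file if the key is missing or duplicated, so a wrong template is noticed.
set_yaml_scalar() {
  file=$1 key=$2
  n=$(awk -v k="$key" 'index($0, k ":") == 1 { c++ } END { print c + 0 }' "$file")
  if [ "$n" -ne 1 ]; then
    echo "set_yaml_scalar: expected one '$key:' line in $file, found $n" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  # the value goes through the environment, not awk -v, so it is taken literally
  YAML_VALUE=$3 awk -v k="$key" \
    'index($0, k ":") == 1 { print k ": " ENVIRON["YAML_VALUE"]; next } { print }' \
    "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed demo using the sample values printed earlier on this page.
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' 'Changed password for user kibana_system' \
    'PASSWORD kibana_system = tdnywgJzlXbkLj6QAUJU' \
    'Changed password for user elastic' \
    'PASSWORD elastic = dUHraQfJS04dEJU7wRG9' > "$d/passwords.txt"
  printf '%s\n' 'output.elasticsearch.hosts: ["127.0.0.1:9200"]' \
    'output.elasticsearch.password: <elasticsearch_password>' > "$d/filebeat.yml"
  pw=$(es_password_for "$d/passwords.txt" elastic) || return 1
  set_yaml_scalar "$d/filebeat.yml" output.elasticsearch.password "$pw" || return 1
  grep '^output.elasticsearch.password:' "$d/filebeat.yml"
  rm -rf "$d"
}
```

On the real server the same two calls are run as root against the saved password file, /etc/filebeat/filebeat.yml with key output.elasticsearch.password, and /etc/kibana/kibana.yml with key elasticsearch.password.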

Create an additional data directory for kibana:

mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana

Install the Wazuh kibana plugin. This must be done through the Kibana directory as follows:

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.3_7.17.13-1.zip

Allow Kibana to listen on port 443 without running as root by granting its node binary the capability to bind privileged ports:

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Enable & Start Kibana:

systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

Next you can test access through a web interface:

URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>

The Wazuh server IP will be the same as the IP address of your Ubuntu server.

Disable Repositories

The last step of the installation is to disable the Wazuh and Elastic repositories. This ensures nothing is updated unintentionally to a version that might break the installation:

sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list

sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list

apt-get update

Add a user account

After you finish the setup, I'd recommend adding a user account for easier access. From a web browser, access the Wazuh installation at the IP address of the server.

URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>

If you select the Elastic logo in the top left of the screen and scroll down you should see a link for "Stack Management":

Scroll down on the left sidebar and select "Users"

Select "Create a User" in the top right of the screen.

This will allow you to create your own login so you don't have to remember that long randomized Elastic user password.