2. Wazuh Server - Fooster171/Wazuh-SEIM-Home-Lab GitHub Wiki
Foreword
We will begin with the installation of the Wazuh server. Wazuh is an open source platform that will be built upon an ELK stack to act as an XDR and SIEM platform for this home lab. Once the server is established, Wazuh agents can be deployed which will feed data back to our server. The steps detailed for initial setup have been sourced from Wazuh's official documentation.
Here is a link to the Wazuh documentation used for the creation of this lab:
Wazuh Server - Installation Documentation
The Wazuh Server in this example will be installed on a Raspberry Pi which will be configured as an Ubuntu Server.
Initial Raspberry Pi Setup
I installed Wazuh on a Raspberry Pi 4. To set up the Raspberry Pi you need Raspberry Pi Imager, available here: Raspberry Pi OS – Raspberry Pi
In the Imager options I enabled SSH, configured Wi-Fi, and chose Ubuntu Server 22.04 as the OS. To SSH into the machine you need its IP address: either check your DHCP server to see which address it assigned, or connect a keyboard and monitor to the Pi and run the command below:
ifconfig -a
From this output you should see an IPv4 address you can use to SSH into the device.
SSH into the Raspberry Pi:
ssh username@<raspberry_pi_ip>
Install updates:
sudo apt update && sudo apt upgrade
sudo reboot
Install the following base requirements:
sudo apt-get install openjdk-11-jdk
sudo apt-get install wget (already installed on Ubuntu Server)
sudo apt-get install apt-transport-https
sudo apt-get install curl (already installed on Ubuntu Server)
sudo apt-get install gnupg2
Ensure Java is installed:
java -version
The remaining steps follow Wazuh's all-in-one installation guide and must be run as root. On a fresh Ubuntu Server install the root account is locked until you set a password with "sudo passwd root".
Install Elasticsearch
Log in to the Ubuntu server as root to begin the installation:
su root
Execute the following commands as root to create an Elastic Stack Repository:
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
apt-get update
Install Elasticsearch & config:
apt-get install elasticsearch=7.17.13
Now download the all-in-one elasticsearch.yml configuration file:
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml
Next we need to create and deploy certificates so we can communicate with the elasticsearch node through SSL:
curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/instances_aio.yml
That instances file is consumed by the elasticsearch-certutil tool, which creates the CA, the node certificate and its key and packs them into certs.zip:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
Unzip certs.zip:
unzip ~/certs.zip -d ~/certs
Next, we need to create a directory for the CA, certificate and key:
mkdir /etc/elasticsearch/certs/ca -p
cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
chown -R elasticsearch: /etc/elasticsearch/certs
chmod -R 500 /etc/elasticsearch/certs
chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
rm -rf ~/certs/ ~/certs.zip
Now, enable and start elasticsearch:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
Next, auto-generate the passwords for Elastic Stack roles and users.
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
Save these somewhere safe (a password manager rather than a plain text file); they are needed later. The output will look something like this:
Changed password for user apm_system
PASSWORD apm_system = pSQU9YV7EoEKwwTnCMwz
Changed password for user kibana_system
PASSWORD kibana_system = tdnywgJzlXbkLj6QAUJU
Changed password for user kibana
PASSWORD kibana = tdnywgJzlXbkLj6QAUJU
Changed password for user logstash_system
PASSWORD logstash_system = HkjNLVASaWhMudJlMlPQ
Changed password for user beats_system
PASSWORD beats_system = CHKJZeCIGUE7Tqa4zdPt
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = hfrLZ76FiRC8bAxxXNsl
Changed password for user elastic
PASSWORD elastic = dUHraQfJS04dEJU7wRG9
To confirm the passwords took effect, test the credentials of the elastic user. The -k flag skips certificate verification; for a stricter check you can instead trust the lab CA with --cacert /etc/elasticsearch/certs/ca/ca.crt:
curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k
With the sample password from the output above:
curl -XGET https://localhost:9200 -u elastic:dUHraQfJS04dEJU7wRG9 -k
Install Wazuh Server
Install GPG key:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update packages:
apt-get update
Install Wazuh Manager:
apt-get install wazuh-manager
Enable and start the Wazuh Manager service:
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Run the following command to ensure everything is working:
systemctl status wazuh-manager
Sample output:
wazuh-manager.service - Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-10-19 17:11:34 UTC; 31s ago
Process: 49429 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 136 (limit: 4416)
Memory: 620.3M
CPU: 1min 33.958s
CGroup: /system.slice/wazuh-manager.service
├─49485 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─49524 /var/ossec/bin/wazuh-authd
├─49540 /var/ossec/bin/wazuh-db
├─49564 /var/ossec/bin/wazuh-execd
├─49578 /var/ossec/bin/wazuh-analysisd
├─49587 /var/ossec/bin/wazuh-syscheckd
├─49604 /var/ossec/bin/wazuh-remoted
├─49637 /var/ossec/bin/wazuh-logcollector
├─49655 /var/ossec/bin/wazuh-monitord
├─49677 /var/ossec/bin/wazuh-modulesd
├─50110 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
└─50113 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
Oct 19 17:11:25 Wazuh env[49429]: Started wazuh-db...
Oct 19 17:11:26 Wazuh env[49429]: Started wazuh-execd...
Oct 19 17:11:26 Wazuh env[49429]: Started wazuh-analysisd...
Oct 19 17:11:27 Wazuh env[49429]: Started wazuh-syscheckd...
Oct 19 17:11:29 Wazuh env[49429]: Started wazuh-remoted...
Oct 19 17:11:30 Wazuh env[49429]: Started wazuh-logcollector...
Oct 19 17:11:31 Wazuh env[49429]: Started wazuh-monitord...
Oct 19 17:11:32 Wazuh env[49429]: Started wazuh-modulesd...
Oct 19 17:11:34 Wazuh env[49429]: Completed.
Oct 19 17:11:34 Wazuh systemd[1]: Started Wazuh manager.
Install Filebeat
Install the Filebeat package:
apt-get install filebeat=7.17.13
Download the Filebeat config file used to forward Wazuh alerts to Elasticsearch:
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/filebeat_all_in_one.yml
Next, download the alerts template for Elasticsearch and add permissions:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.5/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
Next, edit filebeat.yml to include the elastic user password generated in the previous step:
nano /etc/filebeat/filebeat.yml
Edit the following field in the text editor:
output.elasticsearch.password: <elasticsearch_password>
Now copy the certificates into the /etc/filebeat/certs folder:
cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key
Enable and start the Filebeat service:
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
You can test that Filebeat can reach Elasticsearch with this command:
filebeat test output
Sample output:
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.17.13
Kibana Installation
Install the Kibana package:
apt-get install kibana=7.17.13
After this completes, copy the Elasticsearch certificates into the Kibana certificate folder and set their ownership and permissions:
mkdir /etc/kibana/certs/ca -p
cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
chown -R kibana:kibana /etc/kibana/
chmod -R 500 /etc/kibana/certs
chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
Download the Kibana config file:
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/kibana_all_in_one.yml
Edit kibana.yml to include the elastic user password, as we did with Filebeat:
nano /etc/kibana/kibana.yml
Edit the following field:
elasticsearch.password: <elasticsearch_password>
Create an additional data directory for Kibana:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana
Install the Wazuh Kibana plugin. This must be run from the Kibana directory as the kibana user:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.3_7.17.13-1.zip
Allow Kibana's Node binary to bind to the privileged port 443 without running as root:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start Kibana:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
Next you can test access through the web interface:
URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>
The Wazuh server IP is the IP address of your Ubuntu server.
Disable Repositories
The last step of the installation is to disable the Wazuh and Elastic repositories. This ensures that nothing is upgraded unintentionally by a routine apt upgrade, which could break the stack by pulling in mismatched versions:
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
apt-get update
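To confirm the finished install, here is an added post-install check script (not part of the wiki or Wazuh's own docs). It re-runs the checks above in one place: service state, the disabled repositories, "filebeat test output", and the elastic login, this time validated against the lab CA instead of using -k. The function names and the /tmp/fb.txt scratch path are my own; run check_live as root with the file where you saved the elasticsearch-setup-passwords output.

```shell
#!/bin/sh
# Added example, not from the wiki: post-install checks for the all-in-one
# stack built above. The helpers take a file so they can be run on saved
# output; check_live (assumed name) runs them on the real host as root.

# Print one user's password from the saved output of
# "elasticsearch-setup-passwords auto" ($1 = user, $2 = saved output file).
es_password() {
  awk -v u="$1" '$1 == "PASSWORD" && $2 == u { print $4; exit }' "$2"
}

# Succeed only if "filebeat test output" ($1 = file) reached the server and
# every result line ends in OK. Lines ending in "..." are section headers
# with no result; a failure reads e.g. "dial up... ERROR dial tcp ...".
filebeat_output_ok() {
  grep -q 'talk to server\.\.\. OK$' "$1" &&
    ! grep -E '\.\.\. *[A-Za-z]' "$1" | grep -vq '\.\.\. OK$'
}

# Succeed only if the repo file ($1) has no active "deb" line left,
# i.e. the sed "s/^deb/#deb/" step really took effect.
repo_disabled() {
  ! grep -q '^deb' "$1"
}

# Run all checks against the live server. $1 = file holding the saved
# elasticsearch-setup-passwords output. Returns non-zero on any failure.
check_live() {
  rc=0
  for svc in elasticsearch wazuh-manager filebeat kibana; do
    systemctl is-active --quiet "$svc" || { echo "FAIL: $svc not active"; rc=1; }
  done
  for repo in wazuh elastic-7.x; do
    repo_disabled "/etc/apt/sources.list.d/$repo.list" \
      || { echo "FAIL: $repo repository still enabled"; rc=1; }
  done
  filebeat test output > /tmp/fb.txt 2>&1
  filebeat_output_ok /tmp/fb.txt || { echo "FAIL: filebeat cannot reach Elasticsearch"; rc=1; }
  # Verify the elastic login against the lab CA rather than skipping verification with -k.
  pw=$(es_password elastic "$1")
  curl -sf --cacert /etc/elasticsearch/certs/ca/ca.crt -u "elastic:$pw" \
    https://localhost:9200 > /dev/null || { echo "FAIL: elastic login"; rc=1; }
  return $rc
}
```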
Add a user account
After you finish setup, I'd recommend adding a user account for easier access. From a web browser, access the Wazuh installation at the IP address of the server.
URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>
If you select the Elastic logo in the top left of the screen and scroll down you should see a link for "Stack Management":
Scroll down the left sidebar and select "Users".
Select "Create a User" in the top right of the screen.
This will allow you to create your own login so you don't have to remember that long randomized Elastic user password.