Wazuh is a free, open-source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Linux related Software Packages Installastions.
In this context, we shall look into how to Install Wazuh Server on CentOS 7.
How to Install Wazuh Server on CentOS ?
Wazuh manager and Elastic Stack are managed on the same platform by single-host implementations.
- Wazuh server: Runs the API and Wazuh Manager. The data from deployed agents are collected and analyzed.
- Elastic Stack: Runs Elasticsearch, Filebeat and Kibana (including Wazuh). It reads, parses, indexes and stores Wazuh manager alert data.
- Wazuh agent: Runs on the host monitored, collecting log and configuration data, and detecting intrusions and anomalies.
Now, Let's follow the steps outlined below to install Wazuh.
1. Install Wazuh Server
Let us set the hostname first.
i. Launch Terminal and enter the following command:
# hostnamectl set-hostname wazuh-server
ii. Then, update CentOS and packages:
# yum update -y
iii. Next, install NTP and check its service status.
# yum install ntp
# systemctl status ntpd
iv. If the service is not started, start it using below command:
# systemctl start ntpd
v. Then, enable NTP on system boot:
# systemctl enable ntpd
vi. Next, modify firewall rules to allow NTP service.
Run the following commands to enable service.
# firewall-cmd –add-service=ntp –zone=public –permanent
# firewall-cmd –reload
2. Install Wazuh Manager
i. Let us add key:
# rpm –import https://packages.wazuh.com/key/GPG-KEY-WAZUH
ii. Edit the Wazuh repository:
# vim /etc/yum.repos.d/wazuh.repo
Add the following content to the file.
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
iii. Save and exit the file.
iv. List the repositories using the repolist command.
# yum repolist
v. Now, install the Wazuh manager using the below command:
# yum install wazuh-manager -y
vi. Then, install Wazuh Manager and check the status of it.
# systemctl status wazuh-manager
3. Install the Wazuh API
NodeJS >= 4.6.1 is required to run the Wazuh API.
i. Now, add the official NodeJS repository:
# curl –silent –location https://rpm.nodesource.com/setup_8.x | bash –
ii. Install NodeJS:
# yum install nodejs -y
iii. Install the Wazuh API. It will update NodeJS if it is required:
# yum install wazuh-api
iv. Then, check the status of wazuh-api.
# systemctl status wazuh-api
v. Change the default credentials manually using the following commands:
# cd /var/ossec/api/configuration/auth
vi. Set a password for the user.
# node htpasswd -Bc -C 10 user ibmimedia
vii. Restart API.
# systemctl restart wazuh-api
If we need it, we can change the port manually.
The file /var/ossec/api/configuration/config.js contains the parameter:
// TCP Port used by the API.
config.port = "55000";
We are not changing the default port.
4. Install Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.
i. To install it, run the following command:
# rpm –import https://packages.elastic.co/GPG-KEY-elasticsearch
ii. Setup repository:
# vim /etc/yum.repos.d/elastic.repo
Add the following contents to the server:
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
iii. Install Filebeat:
# yum install filebeat-7.5.1
iv. Download the Filebeat configuration file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/filebeat/7.x/filebeat.yml
v. Change file Permissions:
# chmod go+r /etc/filebeat/filebeat.yml
vi. Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
vii. Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
viii. Add Elasticsearch server IP. Edit "filebeat.yml."
# vim /etc/filebeat/filebeat.yml
ix. Then, modify the following line.
output.elasticsearch.hosts: [‘http://ELASTIC_SERVER_IP:9200′]
x. Next, enable and start the Filebeat service:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
5. Install Elastic Stack
We can configure second CentOS server with ELK.
Do the configurations on elastic stack server.
i. Firstly, let us set hostname.
# hostnamectl set-hostname elk
ii. Then, update the system:
# yum update -y
iii. Install ELK
Install Elastic Stack with RPM packages and then add the Elastic repository and its GPG key:
# rpm –import https://packages.elastic.co/GPG-KEY-elasticsearch
iv. Later, create a repository file:
# vim /etc/yum.repos.d/elastic.repo
v. Then, add the following content to the file:
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
6. Install Elasticsearch
i. Firstly, Install the Elasticsearch package:
# yum install elasticsearch-7.5.1
Elasticsearch listens by default on the loopback interface (localhost).
ii. Configure Elasticsearch to listen to a non-loopback address by editing /etc/elasticsearch/elasticsearch.yml and uncommenting network.host configuration.
Adjust the IP value we want to connect to:
network.host: 0.0.0.0
iii. Change firewall rules.
# firewall-cmd –permanent –zone=public –add-rich-rule=’
rule family=”ipv4″
source address=”34.232.210.23/32″
port protocol=”tcp” port=”9200″ accept’
iv. Next, reload firewall rules:
# firewall-cmd –reload
The further configuration will be necessary for the elastic search configuration file.
v. Edit the "elasticsearch.yml" file.
# vim /etc/elasticsearch/elasticsearch.yml
vi. Change or edit “node.name” and "cluster.initial_master_nodes".
node.name: <node_name>
cluster.initial_master_nodes: ["<node_name>"]
vii. Enable and start the Elasticsearch service:
# systemctl daemon-reload
viii. Now, enable on system boot.
# systemctl enable elasticsearch.service
ix. Then, start elastic search service.
# systemctl start elasticsearch.service
x. Check the status of the elastic search.
# systemctl status elasticsearch.service
xi. Next, check the log file for any issues.
# tail -f /var/log/elasticsearch/elasticsearch.log
xii. Once Elasticsearch is up and running, we need to load the Filebeat template.
Run the following command on the Wazuh server:
$ filebeat setup –index-management -E setup.template.json.enabled=false
7. Install Kibana
i. Firstly, Install the Kibana package:
# yum install kibana-7.5.1
ii. Install the Wazuh app plugin for Kibana:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.0_7.5.1.zip
Kibana Plugin is needed to modify Kibana configurations to access Kibana from the outside.
iii. Edit the Kibana configuration file.
#vim /etc/kibana/kibana.yml
Change the following line.
server.host: “0.0.0.0”
Configure the URLs of the Elasticsearch instances.
elasticsearch.hosts: [“http://localhost:9200”]
iv. Then, enable and start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
v. Add Wazuh API to Kibana Configurations
Edit "wazuh.yml."
# vim /usr/share/kibana/plugins/wazuh/wazuh.yml
vi. Then, edit hostname, username and password.
vii. Finally, save and exit the file and restart the Kibana service.
# systemctl restart kibana.service
We installed the Wazuh server and the ELK server.
Now we are going to add hosts using an agent.
8. Install Wazuh agent
i. To Adding Ubuntu Server
a. Firstly, install needed packages
# apt-get install curl apt-transport-https lsb-release gnupg2
Install the Wazuh repository GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add –
Add the repository and then update repositories.
# echo “deb https://packages.wazuh.com/3.x/apt/ stable main” | tee /etc/apt/sources.list.d/wazuh.list
# apt-get update
b. Then, installing the Wazuh agent
Below command adds "WAZUH_MANAGER" IP to wazuh-agent configuration automatically when installing it.
WAZUH_MANAGER="52.91.79.65" apt-get install wazuh-agent
ii. Add CentOS host
Add the Wazuh repository.
# rpm –import http://packages.wazuh.com/key/GPG-KEY-WAZUH
Next, edit and add to the repository:
vim /etc/yum.repos.d/wazuh.rep
Then, add the following contents:
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
Then, install the agent.
WAZUH_MANAGER="52.91.79.65" yum install wazuh-agent
9. Access Wazuh Dashboard
i. Firstly, browse Kibana using the IP.
http://IP or hostname:5601/
ii. Then, you will see the interface.
iii. Then, click on "Wazuh" Icon to go to its Dashboard. We will see "Wazuh" Dashboard.
iv. Finally, here we can see connected agents, security information management, etc.
When we click on security events; we can see a graphical view of events.
Common error: Install Wazuh Server on CentOS 7
While compiling Wazuh server, it results in the error given below:
CC libwazuhext.so cc: error: external/libffi/server/.libs/libffi.a: No such file or directory make: *** [libwazuhext.so] Error 1
Cause for Error while Installing Wazuh Server on CentOS 7
The installer is compiling the libffi library, but the Wazuh's Makefile is defining a parameter that conflicts with the libffi's Makefile.
How to fix "No such file or directory make" Wazuh Server Installation error on CentOS 7 ?
To resolve this error, simple, Replace this line:
LIBFFI_LIB = $(EXTERNAL_LIBFFI)server/.libs/libffi.a
With:
LIBFFI_LIB = $(EXTERNAL_LIBFFI)$(TARGET)/.libs/libffi.a
This script should fix the issue and recompile:
cd src
sed -i 's,LIBFFI_LIB = $(EXTERNAL_LIBFFI)server/.libs/libffi.a,LIBFFI_LIB = $(EXTERNAL_LIBFFI)$(TARGET)/.libs/libffi.a,' Makefile
make clean
cd ..
sudo ./install.sh
[ Need urgent assistance in analyzing logs with Nagios Log Server? – We're available 24*7. ]
Conclusion
This article covers the installation procedure of Wazuh Server on CentOS Linux System. Basically, Wazuh is a free, open-source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
You can use Wazuh for the following applications:
- Security analysis
- Log analysis
- Vulnerability detection
- Container security
- Cloud security
To Install Java on CentOS 8.
1. Run the command below to install JDK:
$ sudo dnf install java-11-openjdk-devel
2. Confirm that you have it installed
$ java -version
This article covers the installation procedure of Wazuh Server on CentOS Linux System. Basically, Wazuh is a free, open-source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
You can use Wazuh for the following applications:
- Security analysis
- Log analysis
- Vulnerability detection
- Container security
- Cloud security
To Install Java on CentOS 8.
1. Run the command below to install JDK:
$ sudo dnf install java-11-openjdk-devel
2. Confirm that you have it installed
$ java -version
