Wazuh is used to collect, aggregate, index and analyze security data, helping organizations detect intrusions, threats and behavioral anomalies. As cyber threats are becoming more sophisticated, real-time monitoring and security analysis are needed for fast threat detection and remediation.
We have customers who use the Wazuh server to monitor security events at an application and OS level.
In short, Wazuh provides threat detection, incident response and file integrity monitoring.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Ubuntu Linux queries.
In this context, we shall look into how to deploy the Wazuh server on a single-node Ubuntu 20.04 host.
Wazuh is a free and open source platform used for threat prevention, detection and response. It is based on a lightweight agent, capable of protecting workloads across on-premise, virtualized, containerized and cloud-based environments.
We can use Wazuh for the following applications:
To begin, we install the packages the Wazuh manager installation needs:
$ sudo apt update
$ sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
Then we install Java:
$ sudo apt install default-jre
Then follow the steps given below.
1. Initially, we add the GPG key:
$ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
2. Then we add the Wazuh repository:
$ echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
3. To update the system, we run:
$ sudo apt update
4. Eventually, we install the Wazuh Manager:
$ sudo apt install wazuh-manager
5. We then start and enable service:
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now wazuh-manager
At this point, we check the status of the Wazuh manager and confirm it is up and running:
$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-04-26 09:13:56 UTC; 22s ago
Process: 252739 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
Tasks: 121 (limit: 4580)
Memory: 472.5M
CGroup: /system.slice/wazuh-manager.service
├─252805 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─252844 /var/ossec/bin/ossec-authd
├─252860 /var/ossec/bin/wazuh-db
├─252883 /var/ossec/bin/ossec-execd
├─252897 /var/ossec/bin/ossec-analysisd
├─252958 /var/ossec/bin/ossec-syscheckd
├─252975 /var/ossec/bin/ossec-remoted
├─253006 /var/ossec/bin/ossec-logcollector
├─253024 /var/ossec/bin/ossec-monitord
└─253047 /var/ossec/bin/wazuh-modulesd
Apr 26 09:13:47 node3 env[252739]: Started wazuh-db…
Apr 26 09:13:48 node3 env[252739]: Started ossec-execd…
Apr 26 09:13:49 node3 env[252739]: Started ossec-analysisd…
Apr 26 09:13:50 node3 env[252739]: Started ossec-syscheckd…
Apr 26 09:13:51 node3 env[252739]: Started ossec-remoted…
Apr 26 09:13:52 node3 env[252739]: Started ossec-logcollector…
Apr 26 09:13:53 node3 env[252739]: Started ossec-monitord…
Apr 26 09:13:54 node3 env[252739]: Started wazuh-modulesd…
Apr 26 09:13:56 node3 env[252739]: Completed.
Apr 26 09:13:56 node3 systemd[1]: Started Wazuh manager.
Next we install Elasticsearch OSS together with the Open Distro for Elasticsearch plugins, which add security (TLS and authentication), alerting, performance analysis and index management. This assumes the Elasticsearch and Open Distro apt repositories are already configured on the host:
$ sudo apt install elasticsearch-oss opendistroforelasticsearch
Then we download the Wazuh all-in-one configuration file to /etc/elasticsearch/elasticsearch.yml:
$ sudo curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
Then we download the Wazuh templates for the security plugin's roles, role mappings and internal users (these are the accounts Kibana, Filebeat and the Wazuh plugin will authenticate with):
$ sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles.yml
$ sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles_mapping.yml
$ sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/internal_users.yml
Install Certificates
We now generate our own certificates for the TLS connections between Elasticsearch, Filebeat and Kibana, replacing the demo certificates shipped with Open Distro.
i. Initially, we remove demo certs:
$ sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}
ii. Then we generate new certificates:
$ sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs
$ sudo curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip
iii. To extract the downloaded file, we run:
$ sudo unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard
iv. Then we download the pre-configured search-guard.yml file:
$ sudo curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/searchguard/search-guard-aio.yml
v. We run the search guard script to create the certificates:
$ sudo ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/
vi. Once the certificates are created, we remove the readme file we do not need:
$ sudo rm /etc/elasticsearch/certs/client-certificates.readme
vii. Enable and start Elasticsearch service:
$ sudo systemctl enable --now elasticsearch
viii. Load the new certificates by running Elasticsearch’s securityadmin script:
$ sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key
Our output will be similar to this:
WARNING: JAVA_HOME not set, will use /usr/bin/java
Open Distro Security Admin v7
Will connect to localhost:9300 … done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.0
Open Distro Security Version: 1.12.0.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
ix. Then we run the command below to confirm that the installation is successful. Note that -k disables certificate verification; once the certificates above are in place, --cacert /etc/elasticsearch/certs/root-ca.pem can be used instead so the server certificate is checked against our own CA:
$ curl -XGET https://localhost:9200 -u admin:admin -k
{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "9JuWWZBHSX65WNZioHQcMg",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
x. Optionally, we can remove the Open Distro for Elasticsearch performance analyzer plugin. It is installed by default and can be resource-hungry on a single node. We use the command below to remove it:
$ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer
Filebeat is used to ship alerts and events from the Wazuh server to Elasticsearch.
i. To install Filebeat, run the command below:
$ sudo apt install filebeat
ii. We download the Filebeat configuration file to forward Wazuh alerts to Elasticsearch:
$ sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml
iii. Download the alerts template for Elasticsearch:
$ sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
$ sudo chmod go+r /etc/filebeat/wazuh-template.json
iv. Then we download the Wazuh Filebeat module (tar needs root to write under /usr/share/filebeat/module, curl does not):
$ curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
v. Copy the Elasticsearch certificates to /etc/filebeat/certs:
$ sudo mkdir /etc/filebeat/certs && sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/
$ sudo mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/
vi. Eventually, we start and enable the Filebeat service:
$ sudo systemctl enable --now filebeat
vii. To confirm Filebeat configuration, we run:
$ sudo filebeat test output
elasticsearch: https://127.0.0.1:9200…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: 127.0.0.1
dial up… OK
TLS…
security: server's certificate chain verification is enabled
handshake… OK
TLS version: TLSv1.3
dial up… OK
talk to server… OK
version: 7.10.0
Kibana is the web interface that lets us visualize and analyze the events stored in Elasticsearch.
i. Initially, we install Kibana on Ubuntu 20.04:
$ sudo apt-get install opendistroforelasticsearch-kibana
ii. Then we download the Configuration file for Kibana:
$ sudo curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.yml
iii. Eventually, we have to assign the right permissions to the following files:
$ sudo chown -R kibana:kibana /usr/share/kibana/optimize
$ sudo chown -R kibana:kibana /usr/share/kibana/plugins
iv. Then we need to install the Kibana plugin for Wazuh from the Kibana home directory:
$ cd /usr/share/kibana
$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.0-1.zip
v. Copy the Elasticsearch certificates to /etc/kibana/certs:
$ sudo mkdir /etc/kibana/certs
$ sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/
$ sudo mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key
$ sudo mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
vi. Bind Kibana's socket to privileged port 443:
$ sudo setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
vii. Eventually, we start and enable Kibana service:
$ sudo systemctl enable --now kibana
viii. In addition, we allow Kibana through the firewall:
$ sudo ufw allow 443/tcp
ix. Finally, we can access our Wazuh Kibana interface via:
URL: https://<wazuh_server_ip>
user: admin
password: admin
x. We can log in and proceed to see the available metrics from Wazuh.
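The interface above is reached with the demo admin:admin credentials, which should be rotated on any host that is not a throwaway lab. The script below is an added example (not part of this article or of the Wazuh project) that does so with the security plugin's own hash.sh and the same securityadmin.sh invocation as step viii of the certificates section; it assumes the paths used on this page and the standard internal_users.yml layout, and NEW_ADMIN_PASSWORD is an environment variable of our own choosing.

```shell
#!/bin/sh
# Rotate the demo admin password (added example; not from the article or the Wazuh
# project). Paths are the ones used on this page.
SECDIR=/usr/share/elasticsearch/plugins/opendistro_security
CERTS=/etc/elasticsearch/certs

# Replace the "hash:" line of one user block in an internal_users.yml-style file.
# Usage: set_user_hash FILE USER NEW_HASH   (returns 1 if USER is not in FILE;
# the file is left untouched in that case). File permissions are preserved.
set_user_hash() {
    file=$1 user=$2 newhash=$3
    tmp=$(mktemp) || return 1
    awk -v user="$user" -v h="$newhash" '
        /^[^ #][^:]*:[ ]*$/ { cur = $0; sub(/:[ ]*$/, "", cur) }   # top-level key, e.g. admin:
        cur == user && /^ +hash:/ { sub(/hash:.*/, "hash: \"" h "\""); found = 1 }
        { print }
        END { exit found ? 0 : 1 }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Hash the new password with the plugin's own tool, write it into the securityconfig
# and load the result into the cluster (same securityadmin.sh call as step viii above).
rotate_admin_password() {
    h=$("$SECDIR/tools/hash.sh" -p "$1") || return 1
    set_user_hash "$SECDIR/securityconfig/internal_users.yml" admin "$h" || return 1
    "$SECDIR/tools/securityadmin.sh" -cd "$SECDIR/securityconfig/" -nhnv \
        -cacert "$CERTS/root-ca.pem" -cert "$CERTS/admin.pem" -key "$CERTS/admin.key"
    # Any component that authenticates to Elasticsearch as admin (assumed here to be
    # Filebeat via its filebeat.yml) needs its stored password updated and a restart.
}

# Only act when a new password is supplied through the environment.
if [ -n "${NEW_ADMIN_PASSWORD:-}" ]; then
    rotate_admin_password "$NEW_ADMIN_PASSWORD"
fi
```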
1. No template found for the selected index pattern
Elasticsearch needs a specific template to store Wazuh alerts. Otherwise, visualizations will not load properly.
i. To insert the correct template, we use the following command:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.1.5/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k
{"acknowledged":true}
ii. If this error occurs after an upgrade from a 3.x version, the solution is to remove the wazuh-alerts-3.x-* index pattern.
# curl 'https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*' -X DELETE -H 'Content-Type: application/json' -H 'kbn-version: 7.10.0' -k -u <elasticsearch_user>:<elasticsearch_password>
iii. Eventually, clean the browser's cache and cookies.
2. Unable to see alerts in the Wazuh Kibana plugin
i. First and foremost, we need to check if there are alerts in Elasticsearch:
# curl https://<ELASTICSEARCH_IP>:9200/_cat/indices/wazuh-alerts-* -u <elasticsearch_user>:<elasticsearch_password> -k
green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb
If no wazuh-alerts index is listed, no alerts have reached Elasticsearch yet, and the problem is upstream in Filebeat or the Wazuh manager.
ii. To ensure the correct configuration of Filebeat, we run:
# filebeat test output
elasticsearch: https://127.0.0.1:9200…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: 127.0.0.1
dial up… OK
TLS…
security: server's certificate chain verification is enabled
handshake… OK
TLS version: TLSv1.3
dial up… OK
talk to server… OK
version: 7.10.0
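The two checks in this troubleshooting item, plus the curl check from step ix of the Elasticsearch section, can be combined into one post-install script. The following is an added example (not from the article or the Wazuh project): it verifies the Elasticsearch certificate against the CA generated above instead of disabling verification with -k, and parses the _cat/indices output to decide whether any wazuh-alerts-4.x-* index actually holds alerts. ES_USER, ES_PASS and ES_URL are assumed environment variables, and the --live flag is our own convention.

```shell
#!/bin/sh
# Post-install check for the single-node stack above (added example, not part of the
# article or the Wazuh project). Paths are the ones used on this page.
CA=/etc/elasticsearch/certs/root-ca.pem
ES_URL=${ES_URL:-https://127.0.0.1:9200}

# Read `_cat/indices/wazuh-alerts-*` output on stdin (columns: health status index
# uuid pri rep docs.count docs.deleted store.size pri.store.size). Print the total
# number of documents in wazuh-alerts-4.x-* indices and return 1 when there are none
# or when any such index is red, i.e. the "no alerts in Kibana" situation.
count_wazuh_alerts() {
    awk '
        $3 ~ /^wazuh-alerts-4\.x-/ { total += $7; if ($1 == "red") red++ }
        END { print total + 0; exit ((total > 0 && red == 0) ? 0 : 1) }'
}

# Live check: service state, TLS-verified connection, and alert count.
live_check() {
    : "${ES_USER:?set ES_USER}" "${ES_PASS:?set ES_PASS}"
    for s in wazuh-manager elasticsearch filebeat kibana; do
        systemctl is-active --quiet "$s" || echo "WARNING: $s is not active" >&2
    done
    # --cacert makes curl fail on an untrusted or mismatched server certificate,
    # which -k would silently accept.
    curl -sSf --cacert "$CA" -u "$ES_USER:$ES_PASS" "$ES_URL/_cat/indices/wazuh-alerts-*" \
        | count_wazuh_alerts \
        || { echo "no healthy alert indices; run 'filebeat test output' next" >&2; return 1; }
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check.sh --live` on the Wazuh host; without the flag it only defines the functions.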
This article covers how to install the Wazuh server on Ubuntu 20.04. Wazuh is a free and open source solution for security monitoring.
It monitors hosts at the application and operating system level and offers threat detection, incident response, integrity monitoring and compliance.
To restart Kibana, Elasticsearch and the Wazuh manager, use the commands below:
$ sudo systemctl restart kibana
$ sudo systemctl restart elasticsearch
$ sudo systemctl restart wazuh-manager