Wazuh is a free, open-source threat detection and integrity monitoring platform that helps organizations detect intrusions, threats, and behavioral anomalies. It collects and analyzes the data gathered by agents installed on the monitored hosts and visualizes the resulting events through a web-based interface. In the deployment shown here it is integrated with Elasticsearch for data storage, Filebeat for shipping the Wazuh manager's alerts into Elasticsearch, and Kibana for visualization. This gives you security visibility into every monitored host at both the operating-system and the application level.
In this post, we will show you how to install a Wazuh server on Oracle Linux 8 server.
Step 1 – Install Java
The Wazuh manager itself is not a Java application (its daemons are native binaries and its API runs on a bundled Python), but Elasticsearch, installed in Step 3, runs on the JVM. The Elasticsearch 7.x RPM ships its own JDK, so a system Java is not strictly required; installing OpenJDK 11 is still the convention on this platform and does no harm. If it is not installed, you can install it with the following command:
dnf install java-11-openjdk-devel -y
Once Java has been installed, verify the Java version using the following command:
java -version
Sample output:
openjdk version "11.0.16" 2022-07-19 LTS
OpenJDK Runtime Environment (Red_Hat-11.0.16.0.8-1.el8_6) (build 11.0.16+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.16.0.8-1.el8_6) (build 11.0.16+8-LTS, mixed mode, sharing)
Step 2 – Install Wazuh Server
The Wazuh packages are not included in the Oracle Linux 8 repositories, so you need to add the Wazuh repository yourself.
First, import the Wazuh package-signing GPG key so that dnf can verify the package signatures (the repository definition below enables this check with gpgcheck=1):
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Next, create a Wazuh repo with the following command:
nano /etc/yum.repos.d/wazuh.repo
Add the following lines:
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
Save and close the file, then install the Wazuh server with the following command:
dnf install wazuh-manager -y
Once the Wazuh server is installed, start the Wazuh service and enable it to start at system reboot:
systemctl enable --now wazuh-manager
You can also check the status of Wazuh with the following command:
systemctl status wazuh-manager
You will get the following output:
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-01 06:34:14 EDT; 11s ago
  Process: 11484 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 102 (limit: 11409)
   Memory: 579.5M
   CGroup: /system.slice/wazuh-manager.service
           ├─11540 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─11582 /var/ossec/bin/wazuh-authd
           ├─11599 /var/ossec/bin/wazuh-db
           ├─11611 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─11614 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─11629 /var/ossec/bin/wazuh-execd
           ├─11644 /var/ossec/bin/wazuh-analysisd
           ├─11658 /var/ossec/bin/wazuh-syscheckd
           ├─11695 /var/ossec/bin/wazuh-remoted
           ├─11728 /var/ossec/bin/wazuh-logcollector
           ├─11752 /var/ossec/bin/wazuh-monitord
           ├─11773 /var/ossec/bin/wazuh-modulesd
           └─12421 sysctl net.ipv4.icmp_echo_ignore_broadcasts

Sep 01 06:34:04 oraclelinux8 env[11484]: Started wazuh-db...
Sep 01 06:34:05 oraclelinux8 env[11484]: Started wazuh-execd...
Sep 01 06:34:06 oraclelinux8 env[11484]: Started wazuh-analysisd...
Sep 01 06:34:07 oraclelinux8 env[11484]: Started wazuh-syscheckd...
Sep 01 06:34:09 oraclelinux8 env[11484]: Started wazuh-remoted...
Sep 01 06:34:10 oraclelinux8 env[11484]: Started wazuh-logcollector...
Sep 01 06:34:11 oraclelinux8 env[11484]: Started wazuh-monitord...
Sep 01 06:34:12 oraclelinux8 env[11484]: Started wazuh-modulesd...
Sep 01 06:34:14 oraclelinux8 env[11484]: Completed.
Sep 01 06:34:14 oraclelinux8 systemd[1]: Started Wazuh manager.
Step 3 – Install Elasticsearch and Kibana
First, import the Elasticsearch GPG key with the following command:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Next, create an Elasticsearch repo with the following command:
nano /etc/yum.repos.d/elasticsearch.repo
Add the following lines:
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Save and close the file, then install Elasticsearch and Kibana with the following command:
dnf install elasticsearch-7.16.3 kibana-7.16.3 -y
Once the installation is completed, start Elasticsearch and enable it to start at system reboot:
systemctl enable --now elasticsearch
Next, edit the Kibana configuration file and define the Elasticsearch host, server port, and server host:
nano /etc/kibana/kibana.yml
Change the following lines, replacing your-server-ip with the address Kibana should listen on:
server.port: 5601
server.host: "your-server-ip"
elasticsearch.hosts: ["http://localhost:9200"]
Note that nothing in this guide enables authentication or TLS on Kibana or Elasticsearch (the Filebeat check in Step 4 reports "secure connection disabled" for that reason), so binding Kibana to a routable address makes the alert data and the Wazuh app reachable by anyone who can connect to port 5601. Restrict that port to administrator addresses with firewalld, or leave server.host at 127.0.0.1 and publish Kibana through an authenticating TLS reverse proxy.
Save and close the file, then start the Kibana service and enable it to start at system reboot:
systemctl enable --now kibana
To check the statuses of Kibana and Elasticsearch, run the following command:
systemctl status kibana elasticsearch
You will get the following output:
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-01 07:01:03 EDT; 22s ago
     Docs: https://www.elastic.co
 Main PID: 5283 (node)
    Tasks: 11 (limit: 49496)
   Memory: 312.1M
   CGroup: /system.slice/kibana.service
           └─5283 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pi>

Sep 01 07:01:03 oraclelinux8 systemd[1]: Started Kibana.

● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-01 06:59:54 EDT; 1min 31s ago
     Docs: https://www.elastic.co
 Main PID: 5025 (java)
    Tasks: 77 (limit: 49496)
   Memory: 4.2G
   CGroup: /system.slice/elasticsearch.service
           ├─5025 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=>
           └─5215 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller
Step 4 – Install and Configure Filebeat
First, install Filebeat using the following command:
dnf install filebeat-7.16.3 -y
Once installed, you will need to configure Filebeat to work with Wazuh.
First, backup the Filebeat configuration file:
mv /etc/filebeat/filebeat.yml{,.bak}
Next, download Wazuh's pre-configured Filebeat configuration file. The tag in the URL should match the Wazuh version you installed (check it with /var/ossec/bin/wazuh-control info); the v4.0.3 path below is older than the 4.3.3 Kibana plugin installed in Step 6, so substitute the matching tag if your manager is newer:
curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/filebeat/7.x/filebeat.yml
Next, edit the downloaded file:
nano /etc/filebeat/filebeat.yml
Add or modify the following lines:
output.elasticsearch.hosts: ['http://localhost:9200']
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
Save and close the file, then verify Filebeat with the following command:
filebeat test output
Sample output:
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.16.3
Step 5 – Install Filebeat Wazuh Module
Next, you will need to download and install the Wazuh module for Filebeat. You can download it with the following command:
wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz
Next, create a directory for Wazuh and extract the content of the downloaded file to the Wazuh directory:
mkdir /usr/share/filebeat/module/wazuh
tar xzf wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1
Next, download the Wazuh Elasticsearch alerts index template. As with the Filebeat configuration, the branch in the URL should match your installed Wazuh version:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
Next, run the Filebeat index-management setup with the following command:
filebeat setup --path.config /etc/filebeat --path.home /usr/share/filebeat --path.data /var/lib/filebeat --index-management -E setup.template.json.enabled=false
Next, restart the Filebeat service to apply the changes:
systemctl restart filebeat
You can check the status of Filebeat with the following command:
systemctl status filebeat
You will get the following output:
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-01 07:03:55 EDT; 6s ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 5384 (filebeat)
    Tasks: 9 (limit: 49496)
   Memory: 26.8M
   CGroup: /system.slice/filebeat.service
           └─5384 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path>

Sep 01 07:03:55 oraclelinux8 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
Step 6 – Install Wazuh Plugin for Kibana
First, create a data directory for Kibana and set proper ownership to the kibana directory:
mkdir /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/
Next, change the directory to Kibana and install the Wazuh plugin:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.3_7.16.3-1.zip
Once the plugin is installed, verify the installed plugin with the following command:
sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
Sample output:
wazuh@4.3.3
Finally, restart all services to apply the changes:
systemctl restart kibana
systemctl restart elasticsearch
systemctl restart wazuh-manager
Step 7 – Access Kibana Dashboard
You can now access the Kibana web interface using the URL http://server-IP:5601.
On the welcome page, click on Explore on my own.
Then open the menu and select Wazuh to reach the Wazuh dashboard. The Wazuh app talks to the Wazuh API on port 55000 of the manager; if the dashboard reports that the API is unreachable, confirm that wazuh-manager is running and that nothing blocks that port.
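As an added end-to-end check that is not part of the original guide or of the Wazuh project, the following POSIX shell script verifies the pipeline built in Steps 2 to 6 in one pass: every manager daemon up, the expected ports listening, the alerts index template registered, and at least one alert already indexed (the manager writes a "Wazuh server started" alert on every restart, so a fresh install should already have one). It also warns when Elasticsearch or Kibana is bound to a non-loopback address, since neither has authentication in this setup. It assumes the default ports and paths used above and that the template is registered under the legacy name wazuh, which Wazuh's filebeat.yml sets; the script name wazuh-smoke-test.sh is my choice, and the ss output in the comments is constructed for illustration.

```shell
#!/bin/sh
# wazuh-smoke-test.sh: post-install check for the Wazuh + Elastic stack.
# Added example, not part of the Wazuh project or of the original guide.
# Assumes default ports (1514/1515 agent traffic, 55000 Wazuh API, 9200
# Elasticsearch, 5601 Kibana), default paths, and the legacy template "wazuh".

# Read `ss -ltn` output from stdin and print the ports from $1 (space-separated)
# that are not in LISTEN state. Only the last colon-separated part of
# "Local Address:Port" is used, so "0.0.0.0:1514", "[::]:55000" and "*:5601"
# are all handled.
missing_ports() {
    listening=$(awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | tr '\n' ' ')
    missing=""
    for p in $1; do
        case " $listening " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Read `ss -ltn` output from stdin and print the ports from $1 that are bound to
# a non-loopback address, i.e. reachable from the network. Kibana and
# Elasticsearch have no authentication or TLS in this guide, so any port
# printed here must be protected by a firewall rule.
exposed_ports() {
    exposed=$(awk 'NR > 1 && $1 == "LISTEN" {
                       n = split($4, a, ":")
                       host = substr($4, 1, length($4) - length(a[n]) - 1)
                       if (host != "127.0.0.1" && host != "[::1]") print a[n]
                   }' | tr '\n' ' ')
    out=""
    for p in $1; do
        case " $exposed " in *" $p "*) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Extract the integer "count" field from an Elasticsearch _count response;
# prints nothing for an error response, which callers treat as zero.
count_from_json() {
    printf '%s' "$1" | sed -n 's/.*"count"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

smoke_test() {
    es="${ES_URL:-http://localhost:9200}"
    fail=0

    # 1. wazuh-control prints "<daemon> not running..." for any daemon that is down.
    if /var/ossec/bin/wazuh-control status | grep -q 'not running'; then
        echo "FAIL: a Wazuh daemon is not running"; fail=1
    fi

    # 2. Agents need 1514/1515, the Kibana app needs the API on 55000.
    snapshot=$(ss -ltn)
    m=$(printf '%s\n' "$snapshot" | missing_ports "1514 1515 55000 9200 5601")
    [ -n "$m" ] && { echo "FAIL: nothing listening on: $m"; fail=1; }
    e=$(printf '%s\n' "$snapshot" | exposed_ports "9200 5601")
    [ -n "$e" ] && echo "WARN: unauthenticated services reachable from the network on: $e (restrict with firewalld)"

    # 3. The template must exist before the first alert is indexed, otherwise
    #    Elasticsearch maps the fields dynamically and the dashboards break.
    curl -sf "$es/_template/wazuh" >/dev/null || { echo "FAIL: index template 'wazuh' not found"; fail=1; }

    # 4. End to end: at least one alert must already be in wazuh-alerts-*.
    n=$(count_from_json "$(curl -sf "$es/wazuh-alerts-*/_count")")
    [ "${n:-0}" -gt 0 ] || { echo "FAIL: no alerts indexed (check: filebeat test output; tail /var/ossec/logs/alerts/alerts.json)"; fail=1; }

    [ "$fail" -eq 0 ] && echo "OK: Wazuh pipeline healthy"
    return "$fail"
}

# Run only as `sh wazuh-smoke-test.sh run`, so the functions above can also be
# sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    smoke_test
fi
```

Run it as root after Step 7 (`sh wazuh-smoke-test.sh run`). A WARN for 5601 is expected if you bound Kibana to the server's IP as in Step 3; it is a reminder to firewall the port, not a failure. The first three checks tell you whether the manager, the sockets and the template are in place; only the fourth proves that alerts actually flow from /var/ossec/logs/alerts/alerts.json through Filebeat into Elasticsearch.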
Conclusion
Congratulations! You have successfully installed and configured the Wazuh server with Elasticsearch, Filebeat and Kibana on Oracle Linux 8. You can now install and configure the Wazuh agent on the client machines and start monitoring them from the Wazuh dashboard. Try out a Wazuh server on dedicated hosting from Atlantic.Net!