In this guide we look at how to install the Wazuh server on Debian 10 with Elastic Stack integration. Wazuh is a free and open source security monitoring solution. It monitors hosts at the application and operating system levels and offers threat detection, incident response, integrity monitoring, and compliance. Some of the capabilities of the Wazuh security solution are:

  • Intrusion Detection
  • Security Analytics
  • Regulatory Compliance
  • Log Data Analysis
  • Container Security
  • Vulnerability Detection
  • Configuration Assessment
  • Incident Response
  • File Integrity Monitoring
  • Cloud Security

In this guide, we install the Wazuh server and Elastic Stack on the same server, also called an all-in-one deployment. You can opt for a multi-node deployment where the Wazuh server and Elastic Stack are installed on different servers.

Step 1: Install Required Dependencies

Before installing Wazuh, ensure all the required dependencies are installed on your server. Run the commands below:

sudo apt-get update
sudo apt-get install curl apt-transport-https lsb-release gnupg2

Step 2: Add Wazuh GPG Key and Repository

Run the commands below to add the Wazuh GPG key and repository on Debian 10:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt-get update

Step 4: Install Wazuh Server on Debian 10

After adding the key and repository, proceed to install the Wazuh server on Debian 10. You can first check the available Wazuh server versions as below:

$ apt-cache policy wazuh-manager
wazuh-manager:
  Installed: (none)
  Candidate: 4.0.4-1
  Version table:
     4.0.4-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     4.0.3-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     4.0.2-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     4.0.1-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     4.0.0-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages

From the above output, the current Wazuh version is 4.0.4. Next, install and enable the Wazuh manager as below:

sudo apt install wazuh-manager
sudo systemctl enable --now wazuh-manager

Then confirm the wazuh-manager status as below:

$ systemctl status wazuh-manager
 wazuh-manager.service - Wazuh manager
   Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-02-02 11:57:29 EAT; 1min 16s ago
  Process: 36059 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    Tasks: 96 (limit: 4662)
   Memory: 294.8M

Step 5: Install Elastic Stack on Debian 10

Elastic Stack is an open source collection of software components that work together to collect, analyze and visualize logs from various sources. The components include Elasticsearch for log centralization, Kibana as a dashboard for visualization, Logstash for collecting logs, and Beats for shipping data from sources.

In our previous guide, we looked at how to install Elastic Stack on Debian, where we installed the latest version. In this guide, we are specifically installing version 7.9.3 of the ELK stack components, which supports Wazuh integration.

Run the commands below to add the ELK stack key and repository:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update

Now install Elasticsearch as below:

sudo apt-get install elasticsearch=7.9.3

Now proceed to configure Elasticsearch from its configuration file, located at /etc/elasticsearch/elasticsearch.yml:

sudo vim /etc/elasticsearch/elasticsearch.yml

Optionally set the cluster name and make the other changes shown below:

# ---------------------------------- Cluster -----------------------------------
...
cluster.name: debian-10

# ---------------------------------- Network -----------------------------------
...
network.host: 192.168.50.2
...
http.port: 9200

# --------------------------------- Discovery ----------------------------------
...
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: []
...
discovery.type: single-node

Save the file, then configure the JVM heap size, setting it to about half of the memory available on the system:

$ sudo vim /etc/elasticsearch/jvm.options
...
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms512m
-Xmx512m

Start and enable Elasticsearch:

sudo systemctl enable --now elasticsearch

Confirm the Elasticsearch status:

$ systemctl status elasticsearch
 elasticsearch.service - Elasticsearch
   Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-02-02 13:19:01 EAT; 32s ago
     Docs: https://www.elastic.co
 Main PID: 39629 (java)
    Tasks: 49 (limit: 4662)
   Memory: 1.2G

Now install and configure Kibana:

sudo apt-get install kibana=7.9.3

The Kibana configuration file is located at /etc/kibana/kibana.yml. Open the file to configure the server host and port as well as the Elasticsearch host as below:

$ sudo vim /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
# server.port: 5601
server.port: 5601
...
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "192.168.50.2"
# The URL for the elasticsearch instance
elasticsearch.hosts: ["http://192.168.50.2:9200"]

Save the file and start Kibana:

sudo systemctl enable --now kibana

Confirm the Kibana status:

$ systemctl status kibana
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-02-02 13:29:49 EAT; 32s ago
 Main PID: 40363 (node)
    Tasks: 11 (limit: 4662)
   Memory: 233.1M
   CGroup: /system.slice/kibana.service
           └─40363 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist

Next, install Filebeat. You can also install Logstash if you wish to send your logs to Logstash first; refer to our guide on how to install the ELK stack on Debian 10. Here, I am just going to use Filebeat to send data to Elasticsearch.

sudo apt-get install filebeat=7.9.3
sudo systemctl daemon-reload
sudo systemctl enable --now filebeat

Proceed to configure Filebeat. In this case, we configure Filebeat to suit Wazuh. Back up the existing Filebeat configuration and download a pre-configured file with the commands below:

sudo mv /etc/filebeat/filebeat.yml{,.bak}
sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/filebeat/7.x/filebeat.yml

Edit the downloaded file to configure the Elasticsearch output:

$ sudo vim /etc/filebeat/filebeat.yml
#output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['http://192.168.50.2:9200']

Also add the settings below so that Filebeat writes its own logs to a dedicated file:

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

You can test the Filebeat output as below:

$ filebeat test output
 elasticsearch: http://192.168.50.2:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.50.2
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.10.2

Step 6: Install Filebeat Wazuh Module

Use the commands below to download and install the Filebeat Wazuh module:

wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz -P /tmp/
sudo mkdir /usr/share/filebeat/module/wazuh
sudo tar xzf /tmp/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1

Now load the Wazuh Elasticsearch index template into Elasticsearch. The commands below download and load the Wazuh alerts index template:

sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/elasticsearch/7.x/wazuh-template.json
sudo filebeat setup --path.config /etc/filebeat --path.home /usr/share/filebeat --path.data /var/lib/filebeat --index-management -E setup.template.json.enabled=false

Restart Filebeat so that it picks up the module and template:

sudo systemctl restart filebeat

Step 7: Install Kibana Plugin for Wazuh

First set the ownership of the directories /usr/share/kibana/optimize/ and /usr/share/kibana/plugins to the kibana user:

sudo chown -R kibana: /usr/share/kibana/{optimize,plugins}

Now change to the Kibana home directory and install the Wazuh app plugin:

$ cd /usr/share/kibana
$ sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip

Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip
Transferring 29967049 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

You can confirm the installed plugins:

$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
wazuh@4.0.3

Step 8: Restart Services

After the above changes, restart Kibana, Elasticsearch and wazuh-manager with the commands below:

sudo systemctl restart kibana
sudo systemctl restart elasticsearch
sudo systemctl restart wazuh-manager
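Before moving on to the dashboard, it is worth verifying the pieces set up so far. The script below is an added example (not part of the original guide or of the Wazuh project): it checks that the four services are active, that Elasticsearch answers on the address from elasticsearch.yml and holds the Wazuh index template, that the Wazuh app is in Kibana's plugin list, and it reads a `filebeat test output` transcript to flag a failed connection or a plain-HTTP (TLS disabled) output. It assumes the 192.168.50.2 address used throughout, a template named "wazuh" and a plugin listed as "wazuh@<version>".

```shell
#!/bin/sh
# Post-install checks for the all-in-one Wazuh + Elastic deployment built above
# (added example, not from the guide). Assumed: ES_HOST mirrors network.host in
# elasticsearch.yml, 'filebeat setup' loaded a template named "wazuh", and
# kibana-plugin lists the app as "wazuh@<version>".
ES_HOST="${ES_HOST:-192.168.50.2}"
ES_URL="http://${ES_HOST}:9200"
# Read a 'filebeat test output' transcript from stdin: return 0 when Filebeat
# could talk to Elasticsearch, 1 otherwise, and call out the TLS warning a
# plain-HTTP output produces so it is not silently overlooked.
check_filebeat_output() {
  out="$(cat)"
  if ! printf '%s\n' "$out" | grep -qF 'talk to server... OK'; then
    echo "FAIL: filebeat cannot talk to Elasticsearch"; return 1
  fi
  if printf '%s\n' "$out" | grep -qF 'TLS... WARN'; then
    echo "NOTE: filebeat -> Elasticsearch link is plain HTTP (TLS disabled)"
  fi
  echo "ok: filebeat output"
}

# Every service set up in the guide must be active.
check_services() {
  rc=0
  for svc in wazuh-manager elasticsearch kibana filebeat; do
    if systemctl is-active --quiet "$svc"; then echo "ok: $svc active"
    else echo "FAIL: $svc not active"; rc=1; fi
  done
  return $rc
}

# Elasticsearch answers on the configured host and holds the Wazuh template.
check_elasticsearch() {
  curl -sf "${ES_URL}/_cluster/health" >/dev/null \
    || { echo "FAIL: no answer from ${ES_URL}"; return 1; }
  curl -sf "${ES_URL}/_template/wazuh" >/dev/null \
    || { echo "FAIL: wazuh index template not loaded"; return 1; }
  echo "ok: Elasticsearch reachable, wazuh template loaded"
}

# The Wazuh app must show up in Kibana's plugin list.
check_kibana_plugin() {
  sudo -u kibana /usr/share/kibana/bin/kibana-plugin list | grep -q '^wazuh@' \
    || { echo "FAIL: Wazuh Kibana plugin missing"; return 1; }
  echo "ok: Wazuh Kibana plugin installed"
}
# Run all checks on the server with: sh wazuh-check.sh run
case "${1:-}" in run) check_services; check_elasticsearch; check_kibana_plugin
  sudo filebeat test output | check_filebeat_output ;; esac
```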

Step 9: Access Kibana Dashboard

In your browser, enter your server IP address or hostname with port 5601 to access the Kibana dashboard: http://<server-ip>:5601. Make sure to open port 5601 if you are running an active firewall:

sudo ufw allow 5601/tcp

Once you access Kibana dashboard, you should be able to see Wazuh added to the menu as below:

Wazuh Server

Clicking on it opens a page as below:

Wazuh Server

To add a new agent, click on 'Add agent', choose the target operating system and follow the provided steps.

That's it. We have successfully installed the Wazuh server with Elastic Stack on Debian 10. I hope the guide has been helpful.
