In this tutorial we learn how to install the Wazuh server together with the Elastic Stack on Oracle Linux 8. The deployment is single-node: the Wazuh server and the Elastic Stack run on the same machine. Wazuh is a free and open source security monitoring platform. It monitors hosts at the application and operating-system level and provides threat detection, incident response, integrity monitoring and compliance reporting. Some of its capabilities are:

  • Intrusion detection
  • Security analytics
  • Regulatory compliance
  • Log data analysis
  • Container security
  • Vulnerability detection
  • Configuration assessment
  • Incident response
  • File integrity monitoring
  • Cloud security

To install Wazuh server on Oracle Linux 8, follow the steps below:

Step 1: Installing Wazuh Server on Oracle Linux 8

To set up the Wazuh server on Oracle Linux 8, first add the Wazuh GPG key and repository to the system. Importing the key is what lets dnf verify the package signatures (gpgcheck=1 in the repository file below):

Add key

sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add repository

sudo tee /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Now install the Wazuh manager package:

sudo dnf -y install wazuh-manager

Once installed, start the Wazuh manager:

sudo systemctl start wazuh-manager

Confirm wazuh-manager status

$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-02-10 12:35:04 EAT; 23min ago
  Process: 4984 ExecStop=/usr/bin/env ${DIRECTORY}/bin/ossec-control stop (code=exited, status=0/SUCCESS)
  Process: 6349 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    Tasks: 88 (limit: 17752)
   Memory: 53.3M
   CGroup: /system.slice/wazuh-manager.service
           ├─6465 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6509 /var/ossec/bin/ossec-authd
           ├─6527 /var/ossec/bin/wazuh-db
           ├─6566 /var/ossec/bin/ossec-execd
           ├─6593 /var/ossec/bin/ossec-analysisd
           ├─6665 /var/ossec/bin/ossec-syscheckd
           ├─6710 /var/ossec/bin/ossec-remoted
           ├─6753 /var/ossec/bin/ossec-logcollector
           ├─6786 /var/ossec/bin/ossec-monitord
           └─6831 /var/ossec/bin/wazuh-modulesd

Enable it to start at boot:

sudo systemctl enable wazuh-manager

You may want to disable the Wazuh repository afterwards, so that a routine dnf update does not upgrade wazuh-manager to a version that no longer matches your agents and the Kibana plugin; set enabled=1 again when you deliberately upgrade:

sudo sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Step 2: Install Elastic Stack on Oracle Linux 8

The next step after installing the Wazuh server is to install the Elastic Stack, a set of components that work together to collect, analyze and visualize logs from many sources.

The components are Elasticsearch for storing and searching the data, Kibana for dashboards and visualization, Logstash for collecting and transforming logs, and Beats for shipping data from the sources. This guide uses Elasticsearch, Kibana and Filebeat.

Install Elasticsearch on Oracle Linux 8

Run the commands below to download and install Elasticsearch 7.9.3, the version the Wazuh Kibana plugin installed later in this guide is built for. Note that rpm -ivh does not refuse a package signed with a key it does not know, so verify the download before installing it on anything other than a lab machine:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.3-x86_64.rpm
sudo rpm -ivh elasticsearch-7.9.3-x86_64.rpm
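Neither the rpm -ivh above nor the Kibana and Filebeat downloads later in this guide check who signed the package. The script below is an added example, not code from this page, from Wazuh or from Elastic, of doing that check before installing: it fetches the .sha512 file Elastic publishes beside every download, verifies the digest, imports Elastic's signing key only if its fingerprint matches the expected value, and then checks the RPM signature. The fingerprint in the script is the one Elastic publishes for its "Elasticsearch Signing Key"; confirm it against Elastic's documentation before relying on it. The helper names, the use of /tmp and running as root are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the page, Wazuh or Elastic): download an Elastic RPM together
# with its published .sha512 file, check the digest, check the package signature against
# a key whose fingerprint was confirmed out of band, and only then hand it to rpm.
# Assumes a Linux host with wget, sha512sum, gpg, rpm and rpmkeys (all on Oracle Linux 8),
# run as root:  sh verify-elastic-rpms.sh https://artifacts.elastic.co/downloads/...rpm
set -eu

# Key and fingerprint as published by Elastic; compare the fingerprint with the value in
# Elastic's RPM installation documentation before trusting it.
ELASTIC_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
ELASTIC_KEY_FPR="46095ACC8548582C1A2699A9D27D666CD88E42B4"

# verify_sha512 FILE: check FILE against FILE.sha512, which Elastic ships in the
# "<hash>  <filename>" format sha512sum -c expects. Non-zero on mismatch or missing file.
verify_sha512() {
    file="$1"
    ( cd "$(dirname "$file")" && sha512sum -c --status "$(basename "$file").sha512" )
}

# import_signing_key URL EXPECTED_FPR: fetch a public key, refuse it unless the primary
# key fingerprint equals EXPECTED_FPR, then import it into the rpm keyring.
import_signing_key() {
    url="$1"; expected="$2"
    keyfile=$(mktemp)
    wget -q -O "$keyfile" "$url"
    # show-only parses the key without importing it into gpg's own keyring;
    # the "fpr" record of the colon output carries the fingerprint in field 10
    actual=$(gpg --with-colons --import-options show-only --import "$keyfile" \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$actual" != "$expected" ]; then
        echo "refusing key from $url: fingerprint $actual does not match $expected" >&2
        rm -f "$keyfile"
        return 1
    fi
    rpm --import "$keyfile"
    rm -f "$keyfile"
}

# fetch_verified_rpm URL DESTDIR: download URL and URL.sha512 into DESTDIR, verify the
# digest, then the signature (rpmkeys exits non-zero on a bad or unknown signature).
fetch_verified_rpm() {
    url="$1"; dest="$2"
    pkg="$dest/$(basename "$url")"
    wget -q -P "$dest" "$url" "$url.sha512"
    verify_sha512 "$pkg"
    rpmkeys --checksig "$pkg"
}

# With no arguments only the functions are defined; each argument is an RPM URL to install.
if [ "$#" -gt 0 ]; then
    import_signing_key "$ELASTIC_KEY_URL" "$ELASTIC_KEY_FPR"
    for url in "$@"; do
        fetch_verified_rpm "$url" /tmp
        rpm -ivh "/tmp/$(basename "$url")"
    done
fi
```

The same script covers the Kibana and Filebeat packages: pass all three URLs and each one is verified before rpm sees it. The Wazuh repository added in Step 1 is already covered by gpgcheck=1, but the same fingerprint comparison is worth doing for the Wazuh key against the value in Wazuh's documentation.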

Now proceed to configure Elasticsearch from its configuration file located in /etc/elasticsearch/elasticsearch.yml

sudo vim /etc/elasticsearch/elasticsearch.yml

Set a cluster name if you like, bind Elasticsearch to the server's LAN address so that Kibana and Filebeat can reach it, and mark the node as single-node so it does not try to discover other nodes. As configured in this guide Elasticsearch has neither authentication nor TLS, so the address you bind to must not be reachable from untrusted networks:

# ---------------------------------- Cluster -----------------------------------
...
cluster.name: oracle-8

# ---------------------------------- Network -----------------------------------
...
network.host: 192.168.50.2
...
http.port: 9200

# --------------------------------- Discovery ----------------------------------
...
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
# leave discovery.seed_hosts at its default; a single node does not look for peers
discovery.type: single-node

Save the file, then set the JVM heap. Give Xms and Xmx the same value, no more than half of the server's RAM and well below 32 GB so the JVM keeps using compressed object pointers. The 512m below suits a small lab VM; size it for your own alert volume. On Elasticsearch 7.7 and later you can put these two lines in a file under /etc/elasticsearch/jvm.options.d/ instead, which survives package upgrades.

$ sudo vim /etc/elasticsearch/jvm.options
...
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms512m
-Xmx512m

Enable and start Elasticsearch:

sudo systemctl enable --now elasticsearch

Install Kibana

Run the below commands to download and install Kibana on Oracle Linux 8

wget https://artifacts.elastic.co/downloads/kibana/kibana-7.9.3-x86_64.rpm
sudo rpm -ivh kibana-7.9.3-x86_64.rpm

Kibana's configuration file is /etc/kibana/kibana.yml. Open it and set the listening host and port and the Elasticsearch address:

$ sudo vim /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
server.port: 5601
...
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "192.168.50.2"
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://192.168.50.2:9200"]

Save the file, then enable and start Kibana:

sudo systemctl enable --now kibana

Install filebeat

Run the commands below to install Filebeat, which ships the Wazuh alerts to Elasticsearch:

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.3-x86_64.rpm
sudo rpm -ivh filebeat-7.9.3-x86_64.rpm
sudo systemctl daemon-reload
sudo systemctl enable --now filebeat

Configure Filebeat

Filebeat now has to be configured for Wazuh. Back up the existing Filebeat configuration and download the configuration Wazuh provides for version 4.0.3:

sudo mv /etc/filebeat/filebeat.yml{,.bak}
sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/filebeat/7.x/filebeat.yml

Edit the downloaded file and point the Elasticsearch output at your server:

$ sudo vim /etc/filebeat/filebeat.yml
#output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['http://192.168.50.2:9200']

Also add the settings below so that Filebeat writes its own log to /var/log/filebeat, which makes shipping problems easy to spot:

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

Test that Filebeat can reach Elasticsearch. The TLS line in the output is a warning, not a failure: this guide talks to Elasticsearch over plain HTTP without credentials, so anyone who can reach port 9200 can read or delete the alert indices; keep that port off untrusted networks until authentication and TLS are in place.

$ sudo filebeat test output
 elasticsearch: http://192.168.50.2:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.1.83
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3

Note that you can also install Logstash if you want Filebeat to send data to Logstash first instead of directly to Elasticsearch. Our guide on how to install the ELK stack on Debian 10 gives the general direction; on Oracle Linux 8 you just use the appropriate package manager, the configuration is the same.

Step 3: Install Filebeat Wazuh Module

Use the commands below to download and install the Filebeat module for Wazuh:

wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz -P /tmp/
sudo mkdir /usr/share/filebeat/module/wazuh
sudo tar xzf /tmp/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1

Download the Wazuh alerts index template and load it into Elasticsearch with filebeat setup:

sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/elasticsearch/7.x/wazuh-template.json

sudo filebeat setup --path.config /etc/filebeat --path.home /usr/share/filebeat --path.data /var/lib/filebeat --index-management -E setup.template.json.enabled=false

Restart filebeat

sudo systemctl restart filebeat

Step 4: Install Kibana Plugin for Wazuh

First set ownership of the directories /usr/share/kibana/optimize/ and /usr/share/kibana/plugins to kibana.

sudo chown -R kibana: /usr/share/kibana/{optimize,plugins}

Change to Kibana home directory and install Wazuh app plugin

$ cd /usr/share/kibana
$ sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip
Transferring 29967049 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

Check installed plugins

$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
wazuh@4.0.3

Restart Kibana so it loads the plugin (Kibana only picks up plugins at startup). Restarting Elasticsearch and the Wazuh manager as below is harmless but is not required for the plugin:

sudo systemctl restart kibana
sudo systemctl restart elasticsearch
sudo systemctl restart wazuh-manager

Step 5: Configure Firewall

If firewalld is active, open Kibana's port 5601 for the networks that need it, then reload the firewall (firewall-cmd --reload) so the permanent rule takes effect. As deployed in this guide Kibana has no login and no TLS, so do not expose it to the internet; restrict access to trusted networks. Agents you add later will also need 1514/tcp (events) and 1515/tcp (enrolment) open on the manager, while 9200 should stay closed.

sudo firewall-cmd --zone=public --add-port=5601/tcp --permanent

Now open Kibana in a browser at http://<server-ip-or-hostname>:5601; the Kibana home page should load.

Click the menu (three bars) on the left and scroll down: Wazuh is listed among the applications.

Opening it shows the Wazuh dashboard, which displays the enrolled agents and their statistics once you have added some.
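Everything above runs with Elasticsearch answering on 192.168.50.2:9200 over plain HTTP with no credentials, which the Filebeat test reported as "TLS... WARN secure connection disabled", and with Kibana on 5601 without a login. The script below is an added example, not code from this page or from Wazuh, that closes the biggest gap: it enables the authentication built into Elasticsearch's basic license, sets passwords for the built-in users, gives Kibana and Filebeat credentials, and opens only the firewall ports this deployment needs. It assumes the RPM default paths used in this guide, that the node runs with discovery.type: single-node as configured in Step 2 (single-node mode is what lets one node run with security enabled but without transport TLS), and that it is run as root after the whole stack is up. The set_yaml_key and password_for helpers belong to the example and are not Wazuh or Elastic tools. TLS for ports 9200 and 5601 is the next step and is not covered here.

```shell
#!/bin/sh
# Added example (not from the page, Wazuh or Elastic): require authentication on the
# single-node Elastic Stack installed above and open only the needed firewall ports.
# Assumes RPM default paths, discovery.type: single-node, root, firewalld.
# Usage: sh harden-stack.sh 192.168.50.2   (with no argument only functions are defined)
set -eu

# set_yaml_key FILE KEY VALUE: set a top-level "KEY: VALUE" line, replacing any active
# line for KEY (commented-out lines are left alone) or appending if KEY is absent.
# The file is rewritten in place so its owner and mode (e.g. kibana:kibana 0660) survive.
# VALUE goes through awk -v, so it must not contain backslashes.
set_yaml_key() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            n = length(k)
            if (substr($0, 1, n + 1) == k ":" &&
                (length($0) == n + 1 || substr($0, n + 2, 1) ~ /[ \t]/)) {
                if (!done) { print k ": " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k ": " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# password_for USER OUTPUT: extract one user's password from the
# "PASSWORD <user> = <secret>" lines printed by elasticsearch-setup-passwords auto.
password_for() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == "PASSWORD" && $2 == u { print $4; exit }'
}

harden_stack() {
    es_url="http://$1:9200"

    # 1. Require authentication on Elasticsearch and wait for it to come back.
    set_yaml_key /etc/elasticsearch/elasticsearch.yml xpack.security.enabled true
    systemctl restart elasticsearch
    i=0
    until curl -s -o /dev/null "$es_url"; do     # a 401 is fine here, only the TCP connect matters
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "Elasticsearch did not come up" >&2; return 1; }
        sleep 2
    done

    # 2. Generate passwords for the built-in users and keep them root-readable only.
    setup_out=$(/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b -u "$es_url")
    ( umask 077; printf '%s\n' "$setup_out" > /root/elastic-passwords.txt )
    kibana_pw=$(password_for kibana_system "$setup_out")
    elastic_pw=$(password_for elastic "$setup_out")

    # 3. Kibana authenticates to Elasticsearch as kibana_system; people log in via the UI.
    set_yaml_key /etc/kibana/kibana.yml elasticsearch.username '"kibana_system"'
    set_yaml_key /etc/kibana/kibana.yml elasticsearch.password "\"$kibana_pw\""

    # 4. Filebeat must write to wazuh-alerts-*; elastic is used for brevity, a dedicated
    #    role limited to that index pattern is the better long-term choice.
    set_yaml_key /etc/filebeat/filebeat.yml output.elasticsearch.username '"elastic"'
    set_yaml_key /etc/filebeat/filebeat.yml output.elasticsearch.password "\"$elastic_pw\""
    chmod 0600 /etc/filebeat/filebeat.yml
    systemctl restart kibana filebeat

    # 5. Agents use 1514/tcp (events) and 1515/tcp (enrolment), operators use 5601/tcp;
    #    9200 stays closed so only local components reach Elasticsearch.
    for p in 1514/tcp 1515/tcp 5601/tcp; do
        firewall-cmd --permanent --zone=public --add-port="$p"
    done
    firewall-cmd --reload
}

if [ "$#" -gt 0 ]; then
    harden_stack "$1"
fi
```

After it runs, Kibana asks for a login; the elastic password is in /root/elastic-passwords.txt. Putting the Kibana and Filebeat passwords in their keystores (kibana-keystore and filebeat keystore) instead of the YAML files is a further improvement.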

In this guide we have seen how to install the Wazuh server with the Elastic Stack on Oracle Linux 8. Proceed to add agents and make use of the dashboards of security statistics. I hope the guide has been helpful.