Bobcares

Install Wazuh Server on CentOS 7 – How to do it

by | May 5, 2021

Wondering how to Install Wazuh Server on CentOS 7? We will help you with it.

Wazuh is a free, open-source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Here at Bobcares, we handle requests from our customers to Install Wazuh Server on CentOS 7 as a part of Server Management Services.

Today, let us see how our Support techs resolve this issue for our customers.

 

Install Wazuh Server on CentOS 7

In this article, let us see Distributed architecture installation.

Wazuh manager and Elastic Stack are managed on the same platform by single-host implementations.

* Wazuh server: Runs the API and Wazuh Manager. The data from deployed agents are collected and analyzed.
* Elastic Stack: Runs Elasticsearch, Filebeat and Kibana (including Wazuh). It reads, parses, indexes and stores Wazuh manager alert data.
* Wazuh agent: Runs on the host monitored, collecting log and configuration data, and detecting intrusions and anomalies.

Today, let us see how our support Techs install Wazuh.

1. Installing Wazuh Server

Let us set the hostname first. Launch Terminal and enter the following command:

# hostnamectl set-hostname wazuh-server

Firstly, update CentOS and packages:

# yum update -y

Next, install NTP and check its service status.

# yum install ntp
# systemctl status ntpd

If the service is not started, start it using below command:

# systemctl start ntpd

Then, enable NTP on system boot:

# systemctl enable ntpd

Next, modify firewall rules to allow NTP service. Run the following commands to enable service.

# firewall-cmd –add-service=ntp –zone=public –permanent
# firewall-cmd –reload

Installing Wazuh Manager

Let us add key:

# rpm –import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Edit the Wazuh repository:

# vim /etc/yum.repos.d/wazuh.repo

Add the following content to the file.

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1

Save and exit the file.

List the repositories using the repolist command.

# yum repolist

Firstly, install the Wazuh manager using the below command:

# yum install wazuh-manager -y

Then, install Wazuh Manager and check the status of it.

# systemctl status wazuh-manager

Installing the Wazuh API

NodeJS >= 4.6.1 is required to run the Wazuh API.

Then, add the official NodeJS repository:

# curl –silent –location https://rpm.nodesource.com/setup_8.x | bash –
install NodeJS:
# yum install nodejs -y

Install the Wazuh API. It will update NodeJS if it is required:

# yum install wazuh-api

Then, check the status of wazuh-api.

# systemctl status wazuh-api

Change the default credentials manually using the following commands:

# cd /var/ossec/api/configuration/auth

Set a password for the user.

# node htpasswd -Bc -C 10 user bob

Restart API.

# systemctl restart wazuh-api

If we need it, we can change the port manually. The file /var/ossec/api/configuration/config.js contains the parameter:

// TCP Port used by the API.
config.port = “55000”;

We are not changing the default port.

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch. To install it, run the following command:

# rpm –import https://packages.elastic.co/GPG-KEY-elasticsearch

Setup repository:

# vim /etc/yum.repos.d/elastic.repo

Add the following contents to the server:

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install Filebeat:

# yum install filebeat-7.5.1

Download the Filebeat configuration file from the Wazuh repository. This is pre-configured to forward Wazuh alerts to Elasticsearch:

# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/filebeat/7.x/filebeat.yml

Change file Permissions:

# chmod go+r /etc/filebeat/filebeat.yml

Download the alerts template for Elasticsearch:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Add Elasticsearch server IP. Edit “filebeat.yml.”

# vim /etc/filebeat/filebeat.yml

Then, modify the following line.

output.elasticsearch.hosts: [‘http://ELASTIC_SERVER_IP:9200′]

Next, enable and start the Filebeat service:

# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service

2. Installing Elastic Stack

We can configure second CentOS server with ELK.

Do the configurations on elastic stack server.

Firstly, let us set hostname.

# hostnamectl set-hostname elk

Then, update the system:

# yum update -y

Installing ELK

Install Elastic Stack with RPM packages and then add the Elastic repository and its GPG key:

# rpm –import https://packages.elastic.co/GPG-KEY-elasticsearch

Later, create a repository file:

# vim /etc/yum.repos.d/elastic.repo

Then, add the following content to the file:

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Installing Elasticsearch

Firstly, Install the Elasticsearch package:

# yum install elasticsearch-7.5.1

Elasticsearch listens by default on the loopback interface (localhost). Configure Elasticsearch to listen to a non-loopback address by editing /etc/elasticsearch/elasticsearch.yml and uncommenting network.host configuration. Adjust the IP value we want to connect to:

network.host: 0.0.0.0

Change firewall rules.

# firewall-cmd –permanent –zone=public –add-rich-rule=’
rule family=”ipv4″
source address=”34.232.210.23/32″
port protocol=”tcp” port=”9200″ accept’

Next, reload firewall rules:

# firewall-cmd –reload

The further configuration will be necessary for the elastic search configuration file.

Edit the “elasticsearch.yml” file.

# vim /etc/elasticsearch/elasticsearch.yml

Change or edit “node.name” and “cluster.initial_master_nodes”.

node.name: <node_name>
cluster.initial_master_nodes: [“<node_name>”]

Enable and start the Elasticsearch service:

# systemctl daemon-reload

Firstly, enable on system boot.

# systemctl enable elasticsearch.service

Then, start elastic search service.

# systemctl start elasticsearch.service
Check the status of the elastic search.

systemctl status elasticsearch.service

Next, check the log file for any issues.

# tail -f /var/log/elasticsearch/elasticsearch.log

Once Elasticsearch is up and running, we need to load the Filebeat template. Run the following command on the Wazuh server:

filebeat setup –index-management -E setup.template.json.enabled=false

Installing Kibana

Firstly, Install the Kibana package:

# yum install kibana-7.5.1

Install the Wazuh app plugin for Kibana:

# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.0_7.5.1.zip

Kibana Plugin is needed to modify Kibana configurations to access Kibana from the outside.

Edit the Kibana configuration file.

#vim /etc/kibana/kibana.yml

Change the following line.

server.host: “0.0.0.0”

Configure the URLs of the Elasticsearch instances.

elasticsearch.hosts: [“http://localhost:9200”]

Then, enable and start the Kibana service:

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Adding Wazuh API to Kibana Configurations

Edit “wazuh.yml.”

# vim /usr/share/kibana/plugins/wazuh/wazuh.yml

Then, edit hostname, username and password.

Finally, save and exit the file and restart the Kibana service.

# systemctl restart kibana.service

We installed the Wazuh server and the ELK server. Now we are going to add hosts using an agent.

3. Installing Wazuh agent

I. Adding Ubuntu Server

a. Firstly, nstalling needed packages

# apt-get install curl apt-transport-https lsb-release gnupg2

Install the Wazuh repository GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add –

Add the repository and then update repositories.

# echo “deb https://packages.wazuh.com/3.x/apt/ stable main” | tee /etc/apt/sources.list.d/wazuh.list
# apt-get update

b. Then, installing the Wazuh agent

Below command adds “WAZUH_MANAGER” IP to wazuh-agent configuration automatically when installing it.

WAZUH_MANAGER=”52.91.79.65″ apt-get install wazuh-agent

II. Adding CentOS host

Add the Wazuh repository.

# rpm –import http://packages.wazuh.com/key/GPG-KEY-WAZUH

Next, edit and add to the repository:

vim /etc/yum.repos.d/wazuh.rep

Then, add the following contents:

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1

Then, install the agent.

WAZUH_MANAGER=”52.91.79.65″ yum install wazuh-agent

4. Accessing Wazuh Dashboard

Firstly, browse Kibana using the IP.

http://IP or hostname:5601/

Then, you will see the interface.

Then, click on “Wazuh” Icon to go to its Dashboard. We will see “Wazuh” Dashboard.

Finally, here we can see connected agents, security information management, etc. When we click on security events; we can see a graphical view of events.

 

Common error: Install Wazuh Server on CentOS 7

 

While compiling Wazuh server, it results in the error given below:

CC libwazuhext.so cc: error: external/libffi/server/.libs/libffi.a: No such file or directory make: *** [libwazuhext.so] Error 1

 

Cause for Error while Installing Wazuh Server on CentOS 7

The installer is compiling the libffi library, but the Wazuh’s Makefile is defining a parameter that conflicts with the libffi’s Makefile.

 

Solution

Replace this line:

LIBFFI_LIB = $(EXTERNAL_LIBFFI)server/.libs/libffi.a

With:

LIBFFI_LIB = $(EXTERNAL_LIBFFI)$(TARGET)/.libs/libffi.a

This script should fix the issue and recompile:

cd src
sed -i ‘s,LIBFFI_LIB = $(EXTERNAL_LIBFFI)server/.libs/libffi.a,LIBFFI_LIB = $(EXTERNAL_LIBFFI)$(TARGET)/.libs/libffi.a,’ Makefile
make clean
cd ..
sudo ./install.sh

 

[ Need any further assistance in analyzing logs with Nagios Log Server? – We’re available 24*7]

Conclusion

In short, Wazuh is a free, open-source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. Today, we saw how our Support Engineers install it.

 

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

SEE SERVER ADMIN PLANS

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF