Bobcares

Install Wazuh Server on Ubuntu 20.04 – Here’s how to do it

May 6, 2021

Wondering how to Install Wazuh Server on Ubuntu? We can help you.

We have customers who use the Wazuh server to monitor security events at the application and OS level.

It provides threat detection, incident response and file integrity monitoring capabilities from a single manager.

As part of our Server Management Services, we assist our customers with several Ubuntu queries.

Today, let us see how to deploy the Wazuh server on a single-node Ubuntu 20.04 host.

 

Wazuh server

We can use Wazuh for the following applications:

  • Security analysis
  • Log analysis
  • Vulnerability detection
  • Container security
  • Cloud security

In order to begin, our Support Techs suggest installing the packages below, which the rest of the procedure relies on (curl and gnupg2 for the repository key, unzip for the certificate tool, libcap2-bin for setcap):

$ sudo apt update
$ sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Then we install Java. The Wazuh manager itself does not need it, but the Elasticsearch securityadmin tool we run later does:

$ sudo apt install default-jre

 

Install Wazuh Server on Ubuntu 20.04

To set up the Wazuh server on Ubuntu 20.04, our Support Techs suggest the below steps:

  1. Initially, we add the GPG key:
    $ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
  2. Then we add the Wazuh repository:
    $ echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
  3. To update the package index, we run:
    $ sudo apt update
  4. Eventually, we install the Wazuh Manager:
    $ sudo apt install wazuh-manager
  5. We then start and enable the service:
    $ sudo systemctl daemon-reload
    $ sudo systemctl enable --now wazuh-manager

At this point, we check the status of the Wazuh manager and confirm it is up and running:

$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-04-26 09:13:56 UTC; 22s ago
Process: 252739 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
Tasks: 121 (limit: 4580)
Memory: 472.5M
CGroup: /system.slice/wazuh-manager.service
├─252805 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─252844 /var/ossec/bin/ossec-authd
├─252860 /var/ossec/bin/wazuh-db
├─252883 /var/ossec/bin/ossec-execd
├─252897 /var/ossec/bin/ossec-analysisd
├─252958 /var/ossec/bin/ossec-syscheckd
├─252975 /var/ossec/bin/ossec-remoted
├─253006 /var/ossec/bin/ossec-logcollector
├─253024 /var/ossec/bin/ossec-monitord
└─253047 /var/ossec/bin/wazuh-modulesd

Apr 26 09:13:47 node3 env[252739]: Started wazuh-db…
Apr 26 09:13:48 node3 env[252739]: Started ossec-execd…
Apr 26 09:13:49 node3 env[252739]: Started ossec-analysisd…
Apr 26 09:13:50 node3 env[252739]: Started ossec-syscheckd…
Apr 26 09:13:51 node3 env[252739]: Started ossec-remoted…
Apr 26 09:13:52 node3 env[252739]: Started ossec-logcollector…
Apr 26 09:13:53 node3 env[252739]: Started ossec-monitord…
Apr 26 09:13:54 node3 env[252739]: Started wazuh-modulesd…
Apr 26 09:13:56 node3 env[252739]: Completed.
Apr 26 09:13:56 node3 systemd[1]: Started Wazuh manager.
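A systemd status of "active (running)" only proves that ossec-control returned successfully; an individual daemon can still die afterwards. The script below is an added example, not code from the Bobcares page or from the Wazuh project. It reads the output of ossec-control status, which in Wazuh 4.1 prints one line per daemon ("<name> is running..." or "<name> not running..."), and fails if any of the nine /var/ossec/bin daemons listed in the systemctl output above is not running. Optional daemons (mail, syslog forwarding, cluster) are normally reported as "not running" on a default single-node install and are deliberately ignored. The sample status text embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the Bobcares page or the Wazuh project): verify that
# every required Wazuh manager daemon is running, using `ossec-control status`
# rather than only `systemctl status`.

# The nine daemons shown under /var/ossec/bin in the systemctl output above.
REQUIRED_DAEMONS="ossec-authd wazuh-db ossec-execd ossec-analysisd ossec-syscheckd ossec-remoted ossec-logcollector ossec-monitord wazuh-modulesd"

# Read `ossec-control status` text on stdin; print each required daemon that is
# not reported as running, one per line (nothing when all are up).
missing_daemons() {
    awk -v req="$REQUIRED_DAEMONS" '
        BEGIN { n = split(req, r, " "); for (i = 1; i <= n; i++) need[r[i]] = 1 }
        $2 == "is" && $3 ~ /^running/ { delete need[$1] }
        END { for (d in need) print d }
    ' | sort
}

# Count daemons of any kind that report "is running...".
running_count() {
    awk '$2 == "is" && $3 ~ /^running/ { n++ } END { print n + 0 }'
}

# Exit 0 when every required daemon is running; otherwise list the stopped ones
# on stderr and exit 1.
manager_healthy() {
    missing=$(missing_daemons)
    if [ -n "$missing" ]; then
        echo "not running: $(echo "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `ossec-control status` on a healthy single-node manager.
SAMPLE_STATUS='wazuh-clusterd not running...
wazuh-modulesd is running...
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-db is running...
ossec-authd is running...
ossec-agentlessd not running...
ossec-integratord not running...
ossec-dbd not running...
ossec-csyslogd not running...'

if [ "${1:-}" = "--live" ]; then
    # On the manager host; ossec-control needs root to inspect /var/ossec.
    sudo /var/ossec/bin/ossec-control status | manager_healthy && echo "manager OK"
else
    echo "$SAMPLE_STATUS" | manager_healthy && echo "sample: all required daemons running"
fi
```

Run it with --live on the manager to check the real service; without arguments it evaluates the constructed sample. A non-zero exit status makes it usable from cron or a monitoring agent.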

 

Install ELK Stack on Ubuntu 20.04

We install Elasticsearch OSS together with the Open Distro for Elasticsearch plugins, which add the security layer (TLS, authentication, role-based access), alerting, performance analysis and index management. Both packages come from the Open Distro apt repository, which must already be configured on the host for the command below to succeed.

$ sudo apt install elasticsearch-oss opendistroforelasticsearch

Then we download a custom configuration file to /etc/elasticsearch/elasticsearch.yml. The file is root-owned, so the download needs sudo:

$ sudo curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Eventually, we configure the Open Distro security roles, role mappings and internal users that the Wazuh Kibana plugin expects, using the templates below:

$ sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles.yml

$ sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles_mapping.yml

$ sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/internal_users.yml

Install Certificates

We replace the demo certificates shipped with Open Distro with our own, used for TLS between Elasticsearch nodes and by Filebeat and Kibana when they talk to Elasticsearch. The demo certificates are public and must not be used for anything beyond a throwaway test.

  1. Initially, we remove demo certs:
    $ sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}
  2. Then we create a certificate directory and download the Search Guard TLS tool that generates the new certificates:
    $ sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs
    $ sudo curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip
  3. To extract the downloaded file, we run:
    $ sudo unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard
  4. Then we download the pre-configured search-guard.yml file:
    $ sudo curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/searchguard/search-guard-aio.yml
  5. We run the search guard script to create the certificates:
    $ sudo ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/
  6. Once the certificates exist, we remove the readme the tool leaves behind:
    $ sudo rm /etc/elasticsearch/certs/client-certificates.readme
  7. We enable and start the Elasticsearch service:
    $ sudo systemctl enable --now elasticsearch
  8. Load the new certificates by running Elasticsearch’s securityadmin script:
    $ sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key

Our output will be similar to this:

WARNING: JAVA_HOME not set, will use /usr/bin/java
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.0
Open Distro Security Version: 1.12.0.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success

Then we run the command below to confirm that Elasticsearch answers over TLS. The -k flag disables certificate verification, which is acceptable for this first check on localhost only; for anything that runs regularly, pass the CA we just generated instead (--cacert /etc/elasticsearch/certs/root-ca.pem), so a misconfigured certificate is reported rather than silently accepted:

$ curl -XGET https://localhost:9200 -u admin:admin -k
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "9JuWWZBHSX65WNZioHQcMg",
"version" : {
"number" : "7.10.0",
"build_flavor" : "oss",
"build_type" : "deb",
"build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
"build_date" : "2020-11-09T21:30:33.964949Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}

Optionally, we remove the Open Distro performance analyzer plugin. It is installed by default, is not needed by Wazuh, and can be resource-hungry on a single-node host.

We use the command below to remove it:

$ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer
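When Elasticsearch fails to start after the certificate steps, the usual cause is a *_filepath setting in elasticsearch.yml that names a file the Search Guard tool did not produce, or a key the elasticsearch user cannot read; the real error is buried in the JVM log. The script below is an added pre-flight check, not code from the Bobcares page or from the Wazuh or Open Distro projects, meant to run between step 6 (certificates generated) and step 7 (service started). It assumes that the downloaded all-in-one configuration refers to its certificates through Open Distro keys ending in _filepath (for example opendistro_security.ssl.http.pemkey_filepath); the parser accepts any key with that suffix, so the exact key names do not matter. The demo configuration and files it creates when run without arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Bobcares page or the Wazuh/Open Distro projects):
# check that every *_filepath entry in elasticsearch.yml resolves to an existing
# file and that private keys are not world-readable, before starting the service.

# Print "<key> <path>" for each *_filepath setting in the yml given as $1.
# Relative paths are resolved against the yml's own directory, as Elasticsearch does.
cert_paths() {
    conf_dir=$(dirname "$1")
    awk -v dir="$conf_dir" '
        /^[ \t]*#/ { next }
        $1 ~ /_filepath:$/ && NF >= 2 {
            key = $1; sub(/:$/, "", key)
            path = $2; gsub(/"/, "", path)
            if (path !~ /^\//) path = dir "/" path
            print key, path
        }' "$1"
}

# Report problems, one per line: missing files, and key files readable by "other".
cert_path_problems() {
    cert_paths "$1" | while read -r key path; do
        if [ ! -f "$path" ]; then
            echo "missing: $key -> $path"
        else
            case "$key" in
                *pemkey_filepath)
                    # Column 8 of `ls -l` is the "other" read bit.
                    if [ "$(ls -ld "$path" | cut -c8)" = "r" ]; then
                        echo "world-readable key: $key -> $path"
                    fi ;;
            esac
        fi
    done
}

# Exit 0 when the config matches the files on disk, 1 (problems on stderr) otherwise.
es_config_ok() {
    problems=$(cert_path_problems "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    echo "ok: all certificate paths in $1 resolve to existing, private files"
}

# Constructed demo (no Elasticsearch needed): a config that references one key
# file that is missing and one key that is world-readable.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/certs"
    cat > "$tmp/elasticsearch.yml" <<EOF
network.host: 127.0.0.1
opendistro_security.ssl.transport.pemcert_filepath: certs/elasticsearch.pem
opendistro_security.ssl.transport.pemkey_filepath: certs/elasticsearch.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: $tmp/certs/root-ca.pem
opendistro_security.ssl.http.pemcert_filepath: certs/elasticsearch_http.pem
opendistro_security.ssl.http.pemkey_filepath: certs/elasticsearch_http.key
EOF
    touch "$tmp/certs/elasticsearch.pem" "$tmp/certs/elasticsearch.key" \
          "$tmp/certs/root-ca.pem" "$tmp/certs/elasticsearch_http.pem"
    chmod 644 "$tmp/certs/elasticsearch.key"   # deliberately too open
    es_config_ok "$tmp/elasticsearch.yml"
    rm -rf "$tmp"
}

if [ -n "${1:-}" ]; then es_config_ok "$1"; else demo; fi
```

On the server, run it as root (the certs directory is not world-listable): sudo sh es-preflight.sh /etc/elasticsearch/elasticsearch.yml. Note that the Filebeat and Kibana steps later move some generated files out of /etc/elasticsearch/certs, so the check is most meaningful right before step 7.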

 

Install Filebeat on Ubuntu 20.04

Filebeat ships alerts and events from the Wazuh server to Elasticsearch. We install it from the same repository:

$ sudo apt install filebeat

We download the Filebeat configuration file that forwards Wazuh alerts to Elasticsearch (again with sudo, since /etc/filebeat is root-owned):

$ sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml

Then we download the alerts template for Elasticsearch and make it readable by the filebeat process:

$ sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json

$ sudo chmod go+r /etc/filebeat/wazuh-template.json

Then we download the Wazuh Filebeat module. The sudo has to apply to tar, which writes into /usr/share/filebeat/module, not to curl:

$ curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Copy the Elasticsearch certificates to /etc/filebeat/certs:

$ sudo mkdir /etc/filebeat/certs && sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/
$ sudo mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/

Eventually, we start and enable the Filebeat service:

$ sudo systemctl enable --now filebeat

To confirm Filebeat configuration, we run:

$ sudo filebeat test output
elasticsearch: https://127.0.0.1:9200…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: 127.0.0.1
dial up… OK
TLS…
security: server's certificate chain verification is enabled
handshake… OK
TLS version: TLSv1.3
dial up… OK
talk to server… OK
version: 7.10.0

 

Install Kibana on Ubuntu 20.04

A web interface, Kibana helps us visualize and analyze the events stored in Elasticsearch.

Initially, we install Kibana on Ubuntu 20.04:

$ sudo apt-get install opendistroforelasticsearch-kibana

Then we download the configuration file for Kibana:

$ sudo curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.yml

Eventually, we give the kibana user ownership of the directories the plugin installer writes to:

$ sudo chown -R kibana:kibana /usr/share/kibana/optimize
$ sudo chown -R kibana:kibana /usr/share/kibana/plugins

Then we need to install the Kibana plugin for Wazuh from the Kibana home directory:

$ cd /usr/share/kibana
$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.0-1.zip

Copy the Elasticsearch certificates to /etc/kibana/certs:

$ sudo mkdir /etc/kibana/certs
$ sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/
$ sudo mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key
$ sudo mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem

Kibana runs as the unprivileged kibana user, so we grant the Node.js binary the capability to bind the privileged port 443. Note that the capability is attached to the binary, so any user who can execute it gains the ability to bind ports below 1024, not only kibana:

$ sudo setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Eventually, we start and enable the Kibana service:

$ sudo systemctl enable --now kibana

In addition, we allow Kibana through the firewall:

$ sudo ufw allow 443/tcp

Finally, we can access our Wazuh Kibana interface via:

URL: https://<wazuh_server_ip>
user: admin
password: admin

These are the Open Distro demo credentials defined in the internal_users.yml we loaded earlier. They are publicly known, so they must be changed before the interface is reachable from anything other than the local host; until then, keep port 443 closed in the firewall.

We can log in and proceed to see the available metrics from Wazuh.

 

Common errors

  • No template found for the selected index pattern

Elasticsearch needs a specific template to store Wazuh alerts. Otherwise, visualizations will not load properly.

To insert the correct template, we use the following command:

# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.1.5/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k
{"acknowledged":true}

If this error occurs after an upgrade from a 3.x version, the solution is to remove the wazuh-alerts-3.x-* index pattern:

# curl 'https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*' -X DELETE -H 'Content-Type: application/json' -H 'kbn-version: 7.10.0' -k -u <elasticsearch_user>:<elasticsearch_password>

Then we clear the browser's cache and cookies and reload the plugin.

  • Unable to see alerts in the Wazuh Kibana plugin

First and foremost, we need to check if there are alerts in Elasticsearch:

# curl https://<ELASTICSEARCH_IP>:9200/_cat/indices/wazuh-alerts-* -u <elasticsearch_user>:<elasticsearch_password> -k
green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb

If no wazuh-alerts index is listed, nothing has been indexed yet and the problem is on the shipping side, not in Kibana. An index with a docs.count of 0 means the same thing.

To confirm that Filebeat can reach Elasticsearch with the configured certificates, we run:

# filebeat test output
elasticsearch: https://127.0.0.1:9200…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: 127.0.0.1
dial up… OK
TLS…
security: server's certificate chain verification is enabled
handshake… OK
TLS version: TLSv1.3
dial up… OK
talk to server… OK
version: 7.10.0
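The _cat/indices check above is easy to misread by eye when several daily indices exist, and repeating it with -k means the admin password travels over a connection whose server is never authenticated. The script below is an added example, not code from the Bobcares page or the Wazuh project: it fetches the index list while verifying Elasticsearch against the root-ca.pem generated earlier, sums the document counts of all wazuh-alerts-* indices, and fails when no alerts exist or any index is red. It assumes, beyond what the page states, that credentials are supplied through the ES_USER and ES_PASS environment variables and that the CA file still lives at /etc/elasticsearch/certs/root-ca.pem. The first sample line is the one shown on this page; the second is constructed.

```shell
#!/bin/sh
# Added example (not from the Bobcares page or the Wazuh project): decide from
# `_cat/indices` output whether Wazuh alerts have actually reached Elasticsearch,
# querying over TLS with our own CA instead of `curl -k`.

ES_URL="${ES_URL:-https://127.0.0.1:9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/root-ca.pem}"   # assumed location

# Fetch the wazuh-alerts index list, verifying the server certificate against
# the CA generated with the Search Guard tool. ES_USER/ES_PASS are assumptions.
list_wazuh_indices() {
    curl -sS --fail --cacert "$ES_CA" \
        -u "${ES_USER:-admin}:${ES_PASS:?set ES_PASS in the environment}" \
        "$ES_URL/_cat/indices/wazuh-alerts-*"
}

# Parse `_cat/indices` lines on stdin (health status index uuid pri rep
# docs.count docs.deleted store.size pri.store.size); print
# "indices=<n> docs=<total> not_green=<index(health),...|none>".
summarize_indices() {
    awk '
        $3 ~ /^wazuh-alerts-/ {
            n++; docs += $7
            if ($1 != "green") bad = bad (bad ? "," : "") $3 "(" $1 ")"
        }
        END { printf "indices=%d docs=%d not_green=%s\n", n + 0, docs + 0, (bad ? bad : "none") }'
}

# Print the summary; exit 0 only when at least one alert document exists and no
# index is red. Yellow is reported but tolerated: on a single node a replica
# can never be assigned.
alerts_present() {
    summary=$(summarize_indices)
    echo "$summary"
    case "$summary" in
        "indices=0 "*|*" docs=0 "*) return 1 ;;
    esac
    case "$summary" in
        *"(red)"*) return 1 ;;
    esac
    return 0
}

# Sample input: first line from the page, second line constructed.
SAMPLE_INDICES='green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb
yellow open wazuh-alerts-4.x-2021.03.04 aBcDeFgHiJkLmNoPqRsTuV 3 1 12 0 40.1kb 40.1kb'

if [ "${1:-}" = "--live" ]; then
    list_wazuh_indices | alerts_present
else
    echo "$SAMPLE_INDICES" | alerts_present
fi
```

Usage on the server: ES_PASS='...' sh wazuh-alerts-check.sh --live. If it reports indices=0, move on to the Filebeat test above; if it reports documents but the Kibana plugin still shows nothing, the problem is the index pattern or template, covered by the previous error.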


 

Conclusion

In short, we saw how our Support Techs go about installing the Wazuh server, Elasticsearch, Filebeat and Kibana on a single Ubuntu 20.04 host, and how to verify each component before moving to the next.
