Bobcares

WeSupport

Call Us! 1-800-383-5193
Call Us! 1-800-383-5193
Call Us! 1-800-383-5193

Need Help?

Emergency Response Time custom

Our experts have had an average response time of 11.06 minutes in March 2021 to fix urgent issues.

We will keep your servers stable, secure and fast at all times for one fixed price.

Install Wazuh Server on Ubuntu 20.04 – Here’s how to do it

by | May 6, 2021

Wondering how to Install Wazuh Server on Ubuntu? We can help you.

We have customers who use the Wazuh server to monitor security events at an application and OS level.

It helps to get information about threat detection, incident response, and integrity monitoring.

As part of our Server Management Services, we assist our customers with several Ubuntu queries.

Today, let us see how to deploy the Wazuh server on a single-node Ubuntu 20.04 host.

 

Wazuh server

We can use Wazuh for the following applications:

  • Security analysis
  • Log analysis
  • Vulnerability detection
  • Container security
  • Cloud security

In order to begin, our Support Techs suggest installing the packages below to run Wazuh Manager.

$ sudo apt update
$ sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Then we install Java:

$ sudo apt install default-jre

 

Install Wazuh Server on Ubuntu 20.04

To set up the Wazuh server on Ubuntu 20.04, our Support Techs suggest the below steps:

  1. Initially, we add the GPG key:
    $ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add –
  2. Then we add the Wazuh repository:
    $ echo “deb https://packages.wazuh.com/4.x/apt/ stable main” | sudo tee /etc/apt/sources.list.d/wazuh.list
  3. To update the system, we run:
    $ sudo apt update
  4. Eventually, we install the Wazuh Manager:
    $ sudo apt install wazuh-manager
  5. We then start and enable service:
    $ sudo systemctl daemon-reload
    $ sudo systemctl enable –now wazuh-manager

At this point, we check the status of the Wazuh manager and confirm it is up and running.

$ systemctl status wazuh-manager

To check the service status, we run:

$ systemctl status wazuh-manager
● wazuh-manager.service – Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-04-26 09:13:56 UTC; 22s ago
Process: 252739 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
Tasks: 121 (limit: 4580)
Memory: 472.5M
CGroup: /system.slice/wazuh-manager.service
├─252805 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─252844 /var/ossec/bin/ossec-authd
├─252860 /var/ossec/bin/wazuh-db
├─252883 /var/ossec/bin/ossec-execd
├─252897 /var/ossec/bin/ossec-analysisd
├─252958 /var/ossec/bin/ossec-syscheckd
├─252975 /var/ossec/bin/ossec-remoted
├─253006 /var/ossec/bin/ossec-logcollector
├─253024 /var/ossec/bin/ossec-monitord
└─253047 /var/ossec/bin/wazuh-modulesd

Apr 26 09:13:47 node3 env[252739]: Started wazuh-db…
Apr 26 09:13:48 node3 env[252739]: Started ossec-execd…
Apr 26 09:13:49 node3 env[252739]: Started ossec-analysisd…
Apr 26 09:13:50 node3 env[252739]: Started ossec-syscheckd…
Apr 26 09:13:51 node3 env[252739]: Started ossec-remoted…
Apr 26 09:13:52 node3 env[252739]: Started ossec-logcollector…
Apr 26 09:13:53 node3 env[252739]: Started ossec-monitord…
Apr 26 09:13:54 node3 env[252739]: Started wazuh-modulesd…
Apr 26 09:13:56 node3 env[252739]: Completed.
Apr 26 09:13:56 node3 systemd[1]: Started Wazuh manager.

 

Install ELK Stack on Ubuntu 20.04

We install Elasticsearch from Open Distro. It offers advanced security, alerting, deep performance analysis, index management, etc.

$ sudo apt install elasticsearch-oss opendistroforelasticsearch

Then we download a custom configuration file for /etc/elasticsearch/elasticsearch.yml as below:

$ curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Eventually, we configure Kibana roles and users with the templates below:

$ curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles.yml

$ curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles_mapping.yml

$ curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/internal_users.yml

Install Certificates

We can set up certificates to use for TLS communication between Elasticsearch and Wazuh.

  1. Initially, we remove demo certs:
    $ sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}
  2. Then we generate new certificates:
    $ sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs
    $ sudo curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip
  3. To extract the downloaded file, we run:
    $ sudo unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard
  4. Then we download the pre-configured search-guard.yml file:
    $ sudo curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/searchguard/search-guard-aio.yml
  5. We run the search guard script to create the certificates:
    $ sudo ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/
  6. Later, we remove the unnecessary files once we create the certs:
    $ sudo rm /etc/elasticsearch/certs/client-certificates.readme
  7. Enable and start Elasticsearch service:
    $ sudo systemctl enable –now elasticsearch
  8. Load the new certificates by running Elasticsearch’s securityadmin script:
    $ sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key

Our output will be similar to this:

WARNING: JAVA_HOME not set, will use /usr/bin/java
Open Distro Security Admin v7
Will connect to localhost:9300 … done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.0
Open Distro Security Version: 1.12.0.0
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it … done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update ‘_doc/config’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘_doc/roles’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘_doc/rolesmapping’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘_doc/internalusers’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘_doc/actiongroups’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Will update ‘_doc/tenants’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for ‘tenants’ created or updated
Will update ‘_doc/nodesdn’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for ‘nodesdn’ created or updated
Will update ‘_doc/whitelist’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for ‘whitelist’ created or updated
Will update ‘_doc/audit’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for ‘audit’ created or updated
Done with success

Then we run the command below to confirm that the installation is successful:

$ curl -XGET https://localhost:9200 -u admin:admin -k
{
“name” : “node-1”,
“cluster_name” : “elasticsearch”,
“cluster_uuid” : “9JuWWZBHSX65WNZioHQcMg”,
“version” : {
“number” : “7.10.0”,
“build_flavor” : “oss”,
“build_type” : “deb”,
“build_hash” : “51e9d6f22758d0374a0f3f5c6e8f3a7997850f96”,
“build_date” : “2020-11-09T21:30:33.964949Z”,
“build_snapshot” : false,
“lucene_version” : “8.7.0”,
“minimum_wire_compatibility_version” : “6.8.0”,
“minimum_index_compatibility_version” : “6.0.0-beta1”
},
“tagline” : “You Know, for Search”
}

We can remove the Open Distro for the Elasticsearch performance analyzer plugin. It installs by default and can be resource-hungry.

We use the command below to remove it:

$ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer

 

Install Filebeat on Ubuntu 20.04

Filebeat is to ship alerts and events from the Wazuh server to Elasticsearch.

$ sudo apt install filebeat

We download the Filebeat configuration file to forward Wazuh alerts to Elasticsearch:

$ curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml

Download the alerts template for Elasticsearch:

$ curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json

$ chmod go+r /etc/filebeat/wazuh-template.json

Then we dwnload the Wazuh FIlebeat module:

$ sudo curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Copy the Elasticsearch certificates to /etc/filebeat/certs:

$ sudo mkdir /etc/filebeat/certs && cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/
$ sudo mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/

Eventually, start and enable Filebeat service

$ sudo systemctl enable –now filebeat

To confirm Filebeat configuration, we run:

$ sudo filebeat test output
elasticsearch: https://127.0.0.1:9200…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: 127.0.0.1
dial up… OK
TLS…
security: server’s certificate chain verification is enabled
handshake… OK
TLS version: TLSv1.3
dial up… OK
talk to server… OK
version: 7.10.0

 

Install Kibana on Ubuntu 20.04

A web interface, Kibana helps us visualize and analyze the events stored in Elasticsearch.

Initially, we install Kibana on Ubuntu 20.04:

$ sudo apt-get install opendistroforelasticsearch-kibana

Then we download the Configuration file for Kibana:

$ curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.yml

Eventually, we have to assign the right permissions to the following files:

$ sudo chown -R kibana:kibana /usr/share/kibana/optimize
$ sudo chown -R kibana:kibana /usr/share/kibana/plugins

Then we need to install the Kibana plugin for Wazuh from the Kibana home directory:

$ cd /usr/share/kibana
$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.0-1.zip

Copy the Elasticsearch certificates to /etc/kibana/certs:

$ sudo mkdir /etc/kibana/certs
$ sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/
$ sudo mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key
$ sudo mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem

Bind Kibana’s socket to privileged port 443:

$ sudo setcap ‘cap_net_bind_service=+ep’ /usr/share/kibana/node/bin/node

Eventually, we start and enable Kibana service:

$ sudo systemctl enable –now kibana

In addition, we allow Kibana through the firewall:

$ sudo ufw allow 443/tcp

Finally, we can access our Wazuh Kibana interface via:

URL: https://<wazuh_server_ip>
user: admin
password: admin

We can log in and proceed to see the available metrics from Wazuh.

 

Common errors

  • No template found for the selected index pattern

Elasticsearch needs a specific template to store Wazuh alerts. Otherwise, visualizations will not load properly.

To insert the correct template, we use the following command:

# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.1.5/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT “https://localhost:9200/_template/wazuh” -H ‘Content-Type: application/json’ -d @- -u <elasticsearch_user>:<elasticsearch_password> -k
{“acknowledged”:true}

If this error occurs after an upgrade from a 3.x version, the solution is to remove the wazuh-alerts-3.x-* index pattern.

# curl ‘https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*’ -X DELETE -H ‘Content-Type: application/json’ -H ‘kbn-version: 7.10.0’ -k -u <elasticsearch_user>:<elasticsearch_password>

Eventually, clean the browser’s cache and cookies.

  • Unable to see alerts in the Wazuh Kibana plugin

First and foremost, we need to check if there are alerts in Elasticsearch:

# curl https://<ELASTICSEARCH_IP>:9200/_cat/indices/wazuh-alerts-* -u <elasticsearch_user>:<elasticsearch_password> -k
green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb

No Wazuh related index means we have no alerts.

To ensure the correct configuration of Filebeat, we run:

# filebeat test output
elasticsearch: https://127.0.0.1:9200…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: 127.0.0.1
dial up… OK
TLS…
security: server’s certificate chain verification is enabled
handshake… OK
TLS version: TLSv1.3
dial up… OK
talk to server… OK
version: 7.10.0

[Need help with the procedures? We are here for you]

 

Conclusion

In short, we saw how our Support Techs go about to install Wazuh Server on Ubuntu 20.04.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF