Wondering how to Install Wazuh Server on Ubuntu? We can help you.
We have customers who use the Wazuh server to monitor security events at an application and OS level.
It helps to get information about threat detection, incident response, and integrity monitoring.
As part of our Server Management Services, we assist our customers with several Ubuntu queries.
Today, let us see how to deploy the Wazuh server on a single-node Ubuntu 20.04 host.
Wazuh server
We can use Wazuh for the following applications:
- Security analysis
- Log analysis
- Vulnerability detection
- Container security
- Cloud security
In order to begin, our Support Techs suggest installing the packages below to run Wazuh Manager.
$ sudo apt update $ sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
Then we install Java:
$ sudo apt install default-jre
Install Wazuh Server on Ubuntu 20.04
To set up the Wazuh server on Ubuntu 20.04, our Support Techs suggest the below steps:
- Initially, we add the GPG key:
$ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add – - Then we add the Wazuh repository:
$ echo “deb https://packages.wazuh.com/4.x/apt/ stable main” | sudo tee /etc/apt/sources.list.d/wazuh.list - To update the system, we run:
$ sudo apt update - Eventually, we install the Wazuh Manager:
$ sudo apt install wazuh-manager - We then start and enable service:
$ sudo systemctl daemon-reload $ sudo systemctl enable –now wazuh-manager
At this point, we check the status of the Wazuh manager and confirm it is up and running.
$ systemctl status wazuh-managerTo check the service status, we run:
$ systemctl status wazuh-manager ● wazuh-manager.service – Wazuh manager Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2021-04-26 09:13:56 UTC; 22s ago Process: 252739 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS) Tasks: 121 (limit: 4580) Memory: 472.5M CGroup: /system.slice/wazuh-manager.service ├─252805 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─252844 /var/ossec/bin/ossec-authd ├─252860 /var/ossec/bin/wazuh-db ├─252883 /var/ossec/bin/ossec-execd ├─252897 /var/ossec/bin/ossec-analysisd ├─252958 /var/ossec/bin/ossec-syscheckd ├─252975 /var/ossec/bin/ossec-remoted ├─253006 /var/ossec/bin/ossec-logcollector ├─253024 /var/ossec/bin/ossec-monitord └─253047 /var/ossec/bin/wazuh-modulesd Apr 26 09:13:47 node3 env[252739]: Started wazuh-db… Apr 26 09:13:48 node3 env[252739]: Started ossec-execd… Apr 26 09:13:49 node3 env[252739]: Started ossec-analysisd… Apr 26 09:13:50 node3 env[252739]: Started ossec-syscheckd… Apr 26 09:13:51 node3 env[252739]: Started ossec-remoted… Apr 26 09:13:52 node3 env[252739]: Started ossec-logcollector… Apr 26 09:13:53 node3 env[252739]: Started ossec-monitord… Apr 26 09:13:54 node3 env[252739]: Started wazuh-modulesd… Apr 26 09:13:56 node3 env[252739]: Completed. Apr 26 09:13:56 node3 systemd[1]: Started Wazuh manager.
Install ELK Stack on Ubuntu 20.04
We install Elasticsearch from Open Distro. It offers advanced security, alerting, deep performance analysis, index management, etc.
$ sudo apt install elasticsearch-oss opendistroforelasticsearchThen we download a custom configuration file for /etc/elasticsearch/elasticsearch.yml as below:
$ curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.ymlEventually, we configure Kibana roles and users with the templates below:
$ curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles.yml $ curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles_mapping.yml $ curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/internal_users.ymlInstall Certificates
We can set up certificates to use for TLS communication between Elasticsearch and Wazuh.
- Initially, we remove demo certs:
$ sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}- Then we generate new certificates:
$ sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs $ sudo curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip- To extract the downloaded file, we run:
$ sudo unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard- Then we download the pre-configured search-guard.yml file:
$ sudo curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/searchguard/search-guard-aio.yml- We run the search guard script to create the certificates:
$ sudo ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/- Later, we remove the unnecessary files once we create the certs:
$ sudo rm /etc/elasticsearch/certs/client-certificates.readme- Enable and start Elasticsearch service:
$ sudo systemctl enable –now elasticsearch- Load the new certificates by running Elasticsearch’s securityadmin script:
$ sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.keyOur output will be similar to this:
WARNING: JAVA_HOME not set, will use /usr/bin/java Open Distro Security Admin v7 Will connect to localhost:9300 … done Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US Elasticsearch Version: 7.10.0 Open Distro Security Version: 1.12.0.0 Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate … Clustername: elasticsearch Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it … done (0-all replicas) Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ Will update ‘_doc/config’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml SUCC: Configuration for ‘config’ created or updated Will update ‘_doc/roles’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml SUCC: Configuration for ‘roles’ created or updated Will update ‘_doc/rolesmapping’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml SUCC: Configuration for ‘rolesmapping’ created or updated Will update ‘_doc/internalusers’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml SUCC: Configuration for ‘internalusers’ created or updated Will update ‘_doc/actiongroups’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml SUCC: Configuration for ‘actiongroups’ created or updated Will update ‘_doc/tenants’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml SUCC: Configuration for ‘tenants’ created or updated Will update ‘_doc/nodesdn’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml SUCC: Configuration for ‘nodesdn’ created or updated Will update ‘_doc/whitelist’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml SUCC: Configuration for ‘whitelist’ created or updated Will update ‘_doc/audit’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml SUCC: Configuration for ‘audit’ created or updated Done with successThen we run the command below to confirm that the installation is successful:
$ curl -XGET https://localhost:9200 -u admin:admin -k{ “name” : “node-1”, “cluster_name” : “elasticsearch”, “cluster_uuid” : “9JuWWZBHSX65WNZioHQcMg”, “version” : { “number” : “7.10.0”, “build_flavor” : “oss”, “build_type” : “deb”, “build_hash” : “51e9d6f22758d0374a0f3f5c6e8f3a7997850f96”, “build_date” : “2020-11-09T21:30:33.964949Z”, “build_snapshot” : false, “lucene_version” : “8.7.0”, “minimum_wire_compatibility_version” : “6.8.0”, “minimum_index_compatibility_version” : “6.0.0-beta1” }, “tagline” : “You Know, for Search” }We can remove the Open Distro for the Elasticsearch performance analyzer plugin. It installs by default and can be resource-hungry.
We use the command below to remove it:
$ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer
Install Filebeat on Ubuntu 20.04
Filebeat is to ship alerts and events from the Wazuh server to Elasticsearch.
$ sudo apt install filebeatWe download the Filebeat configuration file to forward Wazuh alerts to Elasticsearch:
$ curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.ymlDownload the alerts template for Elasticsearch:
$ curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json $ chmod go+r /etc/filebeat/wazuh-template.jsonThen we dwnload the Wazuh FIlebeat module:
$ sudo curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/moduleCopy the Elasticsearch certificates to /etc/filebeat/certs:
$ sudo mkdir /etc/filebeat/certs && cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/ $ sudo mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/Eventually, start and enable Filebeat service
$ sudo systemctl enable –now filebeatTo confirm Filebeat configuration, we run:
$ sudo filebeat test outputelasticsearch: https://127.0.0.1:9200… parse url… OK connection… parse host… OK dns lookup… OK addresses: 127.0.0.1 dial up… OK TLS… security: server’s certificate chain verification is enabled handshake… OK TLS version: TLSv1.3 dial up… OK talk to server… OK version: 7.10.0
Install Kibana on Ubuntu 20.04
A web interface, Kibana helps us visualize and analyze the events stored in Elasticsearch.
Initially, we install Kibana on Ubuntu 20.04:
$ sudo apt-get install opendistroforelasticsearch-kibanaThen we download the Configuration file for Kibana:
$ curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.ymlEventually, we have to assign the right permissions to the following files:
$ sudo chown -R kibana:kibana /usr/share/kibana/optimize $ sudo chown -R kibana:kibana /usr/share/kibana/pluginsThen we need to install the Kibana plugin for Wazuh from the Kibana home directory:
$ cd /usr/share/kibana $ sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.0-1.zipCopy the Elasticsearch certificates to /etc/kibana/certs:
$ sudo mkdir /etc/kibana/certs $ sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/ $ sudo mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key $ sudo mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pemBind Kibana’s socket to privileged port 443:
$ sudo setcap ‘cap_net_bind_service=+ep’ /usr/share/kibana/node/bin/nodeEventually, we start and enable Kibana service:
$ sudo systemctl enable –now kibanaIn addition, we allow Kibana through the firewall:
$ sudo ufw allow 443/tcpFinally, we can access our Wazuh Kibana interface via:
URL: https://<wazuh_server_ip> user: admin password: adminWe can log in and proceed to see the available metrics from Wazuh.
Common errors
- No template found for the selected index pattern
Elasticsearch needs a specific template to store Wazuh alerts. Otherwise, visualizations will not load properly.
To insert the correct template, we use the following command:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.1.5/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT “https://localhost:9200/_template/wazuh” -H ‘Content-Type: application/json’ -d @- -u <elasticsearch_user>:<elasticsearch_password> -k{“acknowledged”:true}If this error occurs after an upgrade from a 3.x version, the solution is to remove the wazuh-alerts-3.x-* index pattern.
# curl ‘https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*’ -X DELETE -H ‘Content-Type: application/json’ -H ‘kbn-version: 7.10.0’ -k -u <elasticsearch_user>:<elasticsearch_password>Eventually, clean the browser’s cache and cookies.
- Unable to see alerts in the Wazuh Kibana plugin
First and foremost, we need to check if there are alerts in Elasticsearch:
# curl https://<ELASTICSEARCH_IP>:9200/_cat/indices/wazuh-alerts-* -u <elasticsearch_user>:<elasticsearch_password> -kgreen open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kbNo Wazuh related index means we have no alerts.
To ensure the correct configuration of Filebeat, we run:
# filebeat test outputelasticsearch: https://127.0.0.1:9200… parse url… OK connection… parse host… OK dns lookup… OK addresses: 127.0.0.1 dial up… OK TLS… security: server’s certificate chain verification is enabled handshake… OK TLS version: TLSv1.3 dial up… OK talk to server… OK version: 7.10.0[Need help with the procedures? We are here for you]
Conclusion
In short, we saw how our Support Techs go about to install Wazuh Server on Ubuntu 20.04.
