How to install Wazuh server on CentOS 8


This article explains how to install the Wazuh server on CentOS 8. Wazuh is a free and open source security monitoring platform that uses the Elastic Stack (ELK) for storage and visualization. It monitors security events at both the application and operating system level, giving you threat detection, incident response and file integrity monitoring from one console. In this tutorial we deploy Wazuh on a single-node CentOS host and install the Elastic Stack on the same host.

You can use Wazuh for the following applications:

  1. Security analytics
  2. Log analysis
  3. Vulnerability detection
  4. Container security
  5. Cloud security

The following steps walk through setting up a Wazuh server on a CentOS 8 instance.

Step 1-Install Wazuh Server on CentOS 8

Make sure your system is updated:

sudo dnf update -y

Add Wazuh GPG key

sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add Wazuh repo

sudo tee /etc/yum.repos.d/wazuh.repo <<EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Install Wazuh server:

sudo dnf -y install wazuh-manager

Run Wazuh server

sudo systemctl enable --now wazuh-manager

Disable the repository afterwards so that a later system update does not pull in a different Wazuh version and leave the manager, Filebeat module and Kibana plugin out of step.

sudo sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
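The two settings that matter in this repo file are gpgcheck=1 (packages are only installed if their signature verifies against the imported Wazuh key) and, after the sed step, enabled=0 (no unintended version drift). The following script is an added example, not part of the original article or of Wazuh itself: it audits a .repo file for those settings and runs against two constructed sample files so it works stand-alone; on a real host you would point it at /etc/yum.repos.d/wazuh.repo.

```sh
#!/bin/sh
# Added example (not from the original article): audit a yum/dnf .repo file
# for the settings the tutorial relies on. Returns 0 when gpgcheck=1, a
# gpgkey is fetched over HTTPS, and the repo is disabled (enabled=0) as the
# pinning step requires; otherwise prints each problem and returns 1.
audit_repo() {
    repo="$1"
    status=0
    if ! grep -q '^gpgcheck=1' "$repo"; then
        echo "$repo: gpgcheck is not 1 -> package signatures are not verified"
        status=1
    fi
    if ! grep -q '^gpgkey=https://' "$repo"; then
        echo "$repo: gpgkey missing or not fetched over HTTPS"
        status=1
    fi
    if ! grep -q '^enabled=0' "$repo"; then
        echo "$repo: repo still enabled -> a later dnf update may pull a newer Wazuh"
        status=1
    fi
    return "$status"
}

# Constructed sample files for a stand-alone run (the real file is
# /etc/yum.repos.d/wazuh.repo). good.repo is the repo exactly as the
# tutorial leaves it after the sed step; bad.repo is a weakened variant.
tmp=$(mktemp -d)
cat > "$tmp/good.repo" <<'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=0
name=EL-Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
cat > "$tmp/bad.repo" <<'EOF'
[wazuh]
gpgcheck=0
enabled=1
name=EL-Wazuh
baseurl=http://packages.wazuh.com/4.x/yum/
EOF

audit_repo "$tmp/good.repo" && echo "good.repo: OK"
audit_repo "$tmp/bad.repo" || echo "bad.repo: problems found"
```

Run it as `sh audit_repo.sh`; the good file passes silently and the bad file prints one line per finding. When you later want to upgrade Wazuh deliberately, set enabled=1 again, upgrade, and re-run the audit.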

Step 2-Install Elastic Stack on CentOS 8

Next we install the Elastic Stack on the same CentOS 8 instance. Elasticsearch, Logstash and Kibana form the ELK stack for log analysis; together with the Wazuh server they provide security incident analysis and management.

Install Java on CentOS 8

Elasticsearch is a Java application, which means we need to install the JDK.

sudo dnf install java-11-openjdk-devel

Confirm the installed version:

java -version

Sample output:

openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)

Install Elasticsearch on CentOS 8

Add GPG key for Elasticsearch

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Add Elasticsearch repo file

sudo tee /etc/yum.repos.d/elasticsearch.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Install Elasticsearch:

sudo dnf install elasticsearch

Start and enable Elasticsearch

sudo systemctl enable elasticsearch.service --now

Install Kibana On CentOS 8

Kibana is used for dashboards in ELK.

sudo dnf -y install kibana 

Configure Kibana – The configuration file for kibana is located at /etc/kibana/kibana.yml.

Set the listening port and host, and point elasticsearch.hosts at the Elasticsearch instance on localhost:

$ sudo vim /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
server.port: 5601
...
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "localhost"
# The URL for the Elasticsearch instance
elasticsearch.hosts: ["http://localhost:9200"]

Start and enable Kibana

sudo systemctl enable --now kibana

Install Filebeat On CentOS 8

Filebeat is a log shipper that forwards logs from a given log directory to Elasticsearch.

sudo yum install filebeat

Configure Filebeat on CentOS 8

Configure Filebeat for use with Wazuh. Back up the existing Filebeat configuration file and replace it with the pre-configured file from the Wazuh repository.

sudo mv /etc/filebeat/filebeat.yml{,.bak}
sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/filebeat/7.x/filebeat.yml

Edit the downloaded file to match your settings

$ sudo vim /etc/filebeat/filebeat.yml
#output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['http://localhost:9200']

To control where Filebeat writes its own log files (these lines configure Filebeat's internal logging, not the logs it ships), add the following to the configuration file.

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

Test that Filebeat can reach the Elasticsearch output; the expected output looks like this:

$ sudo filebeat test output
 elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.1.83
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3
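Two things in that transcript are worth checking mechanically before you ship alerts: every probe step ends in OK, and the line "TLS... WARN secure connection disabled" tells you Wazuh alerts cross the network to Elasticsearch in plaintext, which is acceptable on a single host over localhost but not once Filebeat and Elasticsearch are on different machines. The script below is an added example, not part of the original article or of Filebeat: it reads a `filebeat test output` transcript on stdin and flags the plaintext warning and any ERROR step. The two transcripts it tests are constructed (the TLS one follows the shape Filebeat prints when output.elasticsearch.ssl is configured).

```sh
#!/bin/sh
# Added example (not from the original article): scan a `filebeat test output`
# transcript read from stdin. Returns 0 when no step reported ERROR and the
# connection is not running without TLS; otherwise prints each finding and
# returns 1. Live use:  sudo filebeat test output | check_filebeat_output
check_filebeat_output() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            *"... OK"*) ;;                      # healthy probe step
            *"WARN secure connection disabled"*)
                echo "WARN: Filebeat talks to Elasticsearch without TLS; alerts cross the network in plaintext"
                status=1 ;;
            *"... ERROR"*)
                echo "ERROR step: $line"
                status=1 ;;
        esac
    done
    return "$status"
}

# Constructed transcript: the plain-http case shown in the tutorial.
sample_plain=$(cat <<'EOF'
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3
EOF
)

# Constructed transcript: the same probe once the output uses https with
# certificate verification enabled.
sample_tls=$(cat <<'EOF'
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.9.3
EOF
)

printf '%s\n' "$sample_plain" | check_filebeat_output || echo "plain-http output: needs attention"
printf '%s\n' "$sample_tls" | check_filebeat_output && echo "TLS output: OK"
```

The check deliberately keys on the WARN text rather than on the URL scheme, so it also catches an https URL whose TLS settings Filebeat has ignored.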

Step 3-Install Filebeat Wazuh module

Download and install Filebeat's Wazuh module with the following commands:

wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz -P /tmp/
sudo mkdir /usr/share/filebeat/module/wazuh
sudo tar xzf /tmp/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1

Download the Wazuh Elasticsearch alert index template and set it up.

$ sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/elasticsearch/7.x/wazuh-template.json

$ sudo filebeat setup --path.config /etc/filebeat --path.home /usr/share/filebeat --path.data /var/lib/filebeat --index-management -E setup.template.json.enabled=false

Restart Filebeat

sudo systemctl restart filebeat

Step 4-Install Kibana plugin for Wazuh

Give the kibana user ownership of /usr/share/kibana/optimize/ and /usr/share/kibana/plugins/ so the plugin can be installed without running the installer as root.

sudo chown -R kibana: /usr/share/kibana/{optimize,plugins}

Install Kibana plugin for wazuh.

$ cd /usr/share/kibana
$ sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip

When finished, check the installed plugins

$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
wazuh@4.0.3

Restart the required services for the changes to take effect.

sudo systemctl restart kibana
sudo systemctl restart elasticsearch
sudo systemctl restart wazuh-manager

Step 5-Configure the firewall

Configure the firewall to allow access to Kibana (TCP port 5601) from remote hosts. Only if Kibana and Elasticsearch run on different hosts do you also need to allow Elasticsearch; in this single-node setup the Elasticsearch port stays closed to the network.

sudo firewall-cmd --zone=public --add-port=5601/tcp --permanent
sudo firewall-cmd --reload
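After reloading, it is worth confirming that the public zone exposes exactly what this layout needs: 5601/tcp for Kibana and nothing for Elasticsearch, since Kibana and Filebeat reach it over localhost. The function below is an added example, not part of the original article or of firewalld: it takes the port list that `firewall-cmd --zone=public --list-ports` prints and reports any deviation, using two constructed sample lists so it runs stand-alone.

```sh
#!/bin/sh
# Added example (not from the original article): verify the public zone's
# open ports against the single-node layout of this tutorial. Returns 0
# when 5601/tcp is open and 9200/tcp is not; otherwise prints the finding
# and returns 1. Live use:
#   check_public_ports "$(sudo firewall-cmd --zone=public --list-ports)"
check_public_ports() {
    ports=" $1 "          # pad so each port can be matched as a whole token
    status=0
    case "$ports" in
        *" 5601/tcp "*) ;;
        *) echo "5601/tcp not open: Kibana is unreachable from remote hosts"
           status=1 ;;
    esac
    case "$ports" in
        *" 9200/tcp "*)
            echo "9200/tcp open: Elasticsearch REST API reachable from the network although Kibana and Filebeat use it on localhost"
            status=1 ;;
    esac
    return "$status"
}

# Constructed sample outputs of `firewall-cmd --zone=public --list-ports`.
expected_ports="5601/tcp"
overexposed_ports="5601/tcp 9200/tcp"

check_public_ports "$expected_ports" && echo "public zone: OK"
check_public_ports "$overexposed_ports" || echo "public zone: needs attention"
```

If the Elasticsearch port does turn out to be open, `sudo firewall-cmd --zone=public --remove-port=9200/tcp --permanent` followed by a reload closes it again.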

You can now open the Kibana interface at http://<server-IP>:5601

Then open the left-hand menu and select Wazuh from the list.

With the server in place, you can monitor client systems by installing and configuring a Wazuh agent on each of them.
