This article covers how to install Wazuh server on CentOS 8. Wazuh is a free, open-source security monitoring platform built on the Elastic Stack (ELK). It monitors security events at the application and operating-system level, giving you threat detection, incident response and file integrity monitoring. In this tutorial we deploy Wazuh on a single-node CentOS host, with ELK installed on the same host.

You can use Wazuh for the following applications:

  1. Security analysis
  2. Log analysis
  3. Vulnerability detection
  4. Container security
  5. Cloud security

The steps below guide you through setting up a Wazuh server on a CentOS 8 instance.

Step 1 – Install Wazuh Server on CentOS 8

Make sure your system is updated:

sudo dnf update -y

Add Wazuh GPG key

sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add Wazuh repo

sudo tee /etc/yum.repos.d/wazuh.repo <<EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Install Wazuh server:

sudo dnf -y install wazuh-manager

Run Wazuh server

sudo systemctl enable --now wazuh-manager

Disable the Wazuh repository so that future package updates do not upgrade wazuh-manager unexpectedly and leave it at a version that no longer matches the rest of the stack.

sudo sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Step 2 – Install Elastic Stack on CentOS 8

We will proceed to install ELK stack on our CentOS 8 instance. Elasticsearch, Logstash and Kibana make up the ELK stack that is used for log analysis. These tools work in collaboration with Wazuh server to provide the security incident analysis and management.

Install Java on CentOS 8

Elasticsearch is a Java application, so a JDK must be installed first.

sudo dnf install java-11-openjdk-devel

Confirm that it is installed:

java -version

Sample output:

openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)

Install Elasticsearch on CentOS 8

Add GPG key for Elasticsearch

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Add Elasticsearch repo file

sudo tee /etc/yum.repos.d/elasticsearch.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Install Elasticsearch:

sudo dnf install elasticsearch

Start and enable Elasticsearch

sudo systemctl enable elasticsearch.service --now

Install Kibana on CentOS 8

Kibana is used for the dashboard in ELK.

sudo dnf -y install kibana 

Configure Kibana. The configuration file is /etc/kibana/kibana.yml.

Set the server host and point Kibana at the Elasticsearch instance on localhost.

$ sudo vim /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
# server.port: 5601
server.port: 5601 
... 
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost" 
server.host: "localhost"
# The URL for the elasticsearch instance
elasticsearch.hosts: [http://localhost:9200]

Start and enable Kibana

sudo systemctl enable --now kibana

Install Filebeat on CentOS 8

Filebeat is a log shipper that sends logs from the designated log directories to Elasticsearch.

sudo yum install filebeat

Configure Filebeat on CentOS 8

Configure Filebeat to work with Wazuh. Back up the existing Filebeat configuration file, then replace it with the pre-configured file downloaded from the Wazuh repository.

sudo mv /etc/filebeat/filebeat.yml{,.bak}
sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/filebeat/7.x/filebeat.yml

Edit the downloaded file to match your setup

$ sudo vim /etc/filebeat/filebeat.yml
#output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['http://localhost:9200']

The following lines are optional: they control Filebeat's own log output (level, directory, file name, rotation and permissions), which helps when troubleshooting shipping problems. They do not change which logs Filebeat collects.

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

Test the output as below:

$ sudo filebeat test output
 elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.1.83
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3
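The line TLS... WARN secure connection disabled in the output above means the Wazuh alerts travel from Filebeat to Elasticsearch in cleartext. On a single host that traffic never leaves the machine, but it is worth catching automatically in case the two components are ever split onto separate servers. The Bash function below is an added example, not part of the original article or of the Wazuh or Elastic projects: it reads the text of filebeat test output on stdin and returns 1 if any step reports an error (Filebeat prints a failed step as "step... ERROR ...", which the function assumes) and 2 if every step passed but the connection is plaintext. The two sample strings are constructed: one is a copy of the output shown above, the other a connection-refused case.

```bash
#!/usr/bin/env bash
# Added example: audit the text printed by `filebeat test output`.
# Live usage:  sudo filebeat test output 2>&1 | audit_filebeat_output
#
# Exit status: 0 = every step OK and TLS in use
#              1 = at least one step reported ERROR
#              2 = all steps OK but the Filebeat -> Elasticsearch link is plaintext
audit_filebeat_output() {
  local rc=0 line
  while IFS= read -r line; do
    case "$line" in
      *"... ERROR"*)
        echo "FAIL: $(printf '%s' "$line" | sed 's/^[[:space:]]*//')" >&2
        rc=1 ;;
      *"secure connection disabled"*)
        echo "WARN: Filebeat -> Elasticsearch traffic is not encrypted" >&2
        if [ "$rc" -eq 0 ]; then rc=2; fi ;;
    esac
  done
  return "$rc"
}

# audit_string TEXT: run the audit on a string and print its exit status.
# Always returns 0 so it can be used inside $(...) under `set -e`.
audit_string() {
  local rc=0
  printf '%s\n' "$1" | audit_filebeat_output || rc=$?
  echo "$rc"
}

# Constructed sample: a copy of the output shown in the article (works, no TLS).
SAMPLE_OK_NO_TLS='elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.1.83
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3'

# Constructed sample: Elasticsearch is down, so the "dial up" step fails.
SAMPLE_DOWN='elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... ERROR dial tcp 127.0.0.1:9200: connect: connection refused'

echo "article output -> status $(audit_string "$SAMPLE_OK_NO_TLS")"   # 2
echo "refused output -> status $(audit_string "$SAMPLE_DOWN")"        # 1
```

A status of 2 is the expected result for the single-host layout in this guide; treat it as a finding only once Filebeat and Elasticsearch are on different machines.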

Step 3 – Install Filebeat Wazuh Module

Download and install the Wazuh module for Filebeat using the commands below:

wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz -P /tmp/
sudo mkdir /usr/share/filebeat/module/wazuh
sudo tar xzf /tmp/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1

Download the Wazuh Elasticsearch alerts index template and set it up.

$ sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/elasticsearch/7.x/wazuh-template.json

$ sudo filebeat setup --path.config /etc/filebeat --path.home /usr/share/filebeat --path.data /var/lib/filebeat --index-management -E setup.template.json.enabled=false

Restart Filebeat

sudo systemctl restart filebeat

Step 4 – Install Kibana Plugin for Wazuh

Set the ownership of /usr/share/kibana/optimize/ and /usr/share/kibana/plugins to the kibana user.

sudo chown -R kibana: /usr/share/kibana/{optimize,plugins}

Install the Kibana plugin for Wazuh.

$ cd /usr/share/kibana
$ sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip

When the install completes, list the installed plugins:

$ sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
wazuh@4.0.3

Restart the services for the changes to take effect.

sudo systemctl restart kibana
sudo systemctl restart elasticsearch
sudo systemctl restart wazuh-manager

Step 5 – Configure Firewalld

Configure the firewall to allow access to Kibana from remote hosts. If Kibana and Elasticsearch run on different hosts, you may also need to open the Elasticsearch port (9200/tcp) on the Elasticsearch host.

sudo firewall-cmd --zone=public --add-port=5601/tcp --permanent
sudo firewall-cmd --reload

You can now access your Kibana interface at http://server-IP:5601. Note that Kibana only listens on the address given by server.host in kibana.yml; with "localhost" it answers only from the server itself, so for remote access set server.host to a non-loopback address, as the comment in that file says.
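Before relying on the firewall rule, it is worth checking that the files edited in the previous steps actually say what the procedure expects: that server.host in kibana.yml is a non-loopback address if remote access is wanted, that the Wazuh repository was disabled in Step 1, and that the Filebeat output no longer carries the template's YOUR_ELASTIC_SERVER_IP placeholder. The script below is an added example, not part of the original article or of the Wazuh project. Its helpers take plain file paths, so on the server they can be pointed at /etc/kibana/kibana.yml, /etc/yum.repos.d/wazuh.repo and /etc/filebeat/filebeat.yml; the sample files it writes to a temporary directory are constructed copies of the article's settings, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the single-node configuration before exposing 5601/tcp.

# yaml_value KEY FILE: value of the first active (not commented-out) top-level
# "KEY: value" line, with surrounding quotes removed. Empty if absent.
yaml_value() {
  grep -E "^[[:space:]]*$1:" "$2" 2>/dev/null \
    | head -n 1 \
    | sed -E "s/^[[:space:]]*$1:[[:space:]]*//; s/^[\"']//; s/[\"'][[:space:]]*$//"
}

# kibana_reachable_remotely KIBANA_YML: succeeds only when server.host is a
# non-loopback address. With "localhost" (the article's setting) Kibana binds
# to 127.0.0.1 only, and opening 5601/tcp in firewalld changes nothing.
kibana_reachable_remotely() {
  case "$(yaml_value server.host "$1")" in
    ""|localhost|127.0.0.1|::1) return 1 ;;
    *) return 0 ;;
  esac
}

# wazuh_repo_disabled REPO_FILE: succeeds when the repo has enabled=0, i.e. the
# sed command from Step 1 was applied and dnf update will not touch Wazuh.
wazuh_repo_disabled() {
  grep -qE '^enabled[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# filebeat_output_configured FILEBEAT_YML: succeeds when the active
# output.elasticsearch.hosts line exists and is not the template placeholder.
filebeat_output_configured() {
  local hosts
  hosts=$(yaml_value output.elasticsearch.hosts "$1")
  [ -n "$hosts" ] && ! printf '%s' "$hosts" | grep -q YOUR_ELASTIC_SERVER_IP
}

# audit_stack_config DIR: print one line per finding, return the number of findings.
audit_stack_config() {
  local dir=$1 findings=0
  if ! kibana_reachable_remotely "$dir/kibana.yml"; then
    echo "kibana.yml: server.host=$(yaml_value server.host "$dir/kibana.yml") -> Kibana is not reachable from other hosts"
    findings=$((findings + 1))
  fi
  if ! wazuh_repo_disabled "$dir/wazuh.repo"; then
    echo "wazuh.repo: still enabled -> dnf update may upgrade wazuh-manager"
    findings=$((findings + 1))
  fi
  if ! filebeat_output_configured "$dir/filebeat.yml"; then
    echo "filebeat.yml: output.elasticsearch.hosts is missing or still the placeholder"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample files mirroring the article's settings.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/kibana.yml" <<'EOF'
# server.port: 5601
server.port: 5601
#server.host: "localhost"
server.host: "localhost"
elasticsearch.hosts: [http://localhost:9200]
EOF
cat > "$DEMO_DIR/wazuh.repo" <<'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=0
name=EL-Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
cat > "$DEMO_DIR/filebeat.yml" <<'EOF'
#output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['http://localhost:9200']
EOF

audit_stack_config "$DEMO_DIR" || echo "findings: $?"   # one finding: server.host is localhost
```

Run against the article's own settings the audit reports exactly one finding, the loopback server.host, which is why the firewall rule alone does not make Kibana reachable from another machine.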


You can then navigate to the left menu and select Wazuh on the list.


With this in place, you can monitor your systems with the Wazuh server by installing and configuring agents on your client systems.
