How To Install Wazuh Server on Ubuntu 22.04|20.04|18.04

This article will cover how to install Wazuh server on Ubuntu 22.04, 20.04, 18.04. Wazuh server is a free, open-source security monitoring tool that uses Elastic stack (ELK) . It is used to monitor security events at an application and OS level. You can therefore be able to get information about threat detection, incident response and integrity monitoring. In this tutorial, we shall be deploy Wazuh on a single-node Ubuntu host, with ELK installed on the same host.

You can use Wazuh for the following applications:

1. Security analysis
2. Log analysis
3. Vulnerability detection
4. Container security
5. Cloud security

The minimum hardware requirements are as below:

• 4 GB of RAM
• 2 CPU cores

Recommended specs are:

• 16 GB of RAM
• 8 CPU cores

Step 1: Install Wazuh Server

Install the packages below needed for the running of Wazuh Manager.

sudo apt update
sudo apt install vim curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Option 1: Automated install of Wazuh Server using script

The fastest way to install Wazuh on a single host is by using a script that automatically detects OS type and performs a health check to verify that the available system resources meet the minimal requirements.

Download the script to your Ubuntu system where Wazuh server is installed

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh

Once the script is downloaded run it:

sudo bash ./wazuh-install.sh -a

Installation process should take few minutes to complete:

15/04/2024 11:19:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.3
15/04/2024 11:19:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/04/2024 11:19:53 INFO: Wazuh web interface port will be 443.
15/04/2024 11:19:58 INFO: --- Dependencies ----
15/04/2024 11:19:58 INFO: Installing apt-transport-https.
15/04/2024 11:20:05 INFO: Wazuh repository added.
15/04/2024 11:20:05 INFO: --- Configuration files ---
15/04/2024 11:20:05 INFO: Generating configuration files.
15/04/2024 11:20:07 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
15/04/2024 11:20:07 INFO: --- Wazuh indexer ---
15/04/2024 11:20:07 INFO: Starting Wazuh indexer installation.
15/04/2024 11:21:11 INFO: Wazuh indexer installation finished.
15/04/2024 11:21:11 INFO: Wazuh indexer post-install configuration finished.
15/04/2024 11:21:11 INFO: Starting service wazuh-indexer.
15/04/2024 11:21:29 INFO: wazuh-indexer service started.
15/04/2024 11:21:29 INFO: Initializing Wazuh indexer cluster security settings.
15/04/2024 11:21:39 INFO: Wazuh indexer cluster initialized.
15/04/2024 11:21:39 INFO: --- Wazuh server ---
15/04/2024 11:21:39 INFO: Starting the Wazuh manager installation.
15/04/2024 11:22:40 INFO: Wazuh manager installation finished.
15/04/2024 11:22:40 INFO: Starting service wazuh-manager.
15/04/2024 11:22:56 INFO: wazuh-manager service started.
15/04/2024 11:22:56 INFO: Starting Filebeat installation.
15/04/2024 11:23:04 INFO: Filebeat installation finished.
15/04/2024 11:23:05 INFO: Filebeat post-install configuration finished.
15/04/2024 11:23:05 INFO: Starting service filebeat.
15/04/2024 11:23:06 INFO: filebeat service started.
15/04/2024 11:23:06 INFO: --- Wazuh dashboard ---
15/04/2024 11:23:06 INFO: Starting Wazuh dashboard installation.
15/04/2024 11:24:03 INFO: Wazuh dashboard installation finished.
15/04/2024 11:24:03 INFO: Wazuh dashboard post-install configuration finished.
15/04/2024 11:24:03 INFO: Starting service wazuh-dashboard.
15/04/2024 11:24:04 INFO: wazuh-dashboard service started.
15/04/2024 11:24:33 INFO: Initializing Wazuh dashboard web application.
15/04/2024 11:24:34 INFO: Wazuh dashboard web application initialized.
15/04/2024 11:24:34 INFO: --- Summary ---
15/04/2024 11:24:34 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: i9d96ly0D9*AObwGdJ7eq07OANoxq?0*
15/04/2024 11:24:34 INFO: Installation finished.

Take note of access credentials:

15/04/2024 11:24:34 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: i9d96ly0D9*AObwGdJ7eq07OANoxq?0*

Access the portal at https://<serverip> on your web browser and login

Input username and password

You should now get access to Wazuh Web dashboard.

Option 2: Install Wazuh Server using manual steps (not recommended)

The steps below will guide us on how to setup Wazuh server on Ubuntu. This is long and too manual for ordinary users.

1. Add GPG key

curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH|sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/wazuh.gpg

2. Add Wazuh repository

echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

3. Update system

sudo apt update

4. Install Wazuh Manager

sudo apt install wazuh-manager

5. Start and enable service

sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-manager

Check status for Wazuh manager and confirm if it is up and running

systemctl status wazuh-manager

Check service status:

systemctl status wazuh-manager

Install ELK Stack

Install Elasticsearch from Open Distro, a highly scalable full-text search engine. This package offers advanced security, alerting, deep performance analysis, index management and many more features.

sudo apt install elasticsearch-oss opendistroforelasticsearch

Download a custom configuration file for /etc/elasticsearch/elasticsearch.yml as shown below:

sudo curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Configure Kibana roles and users with the templates below:

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

The commands above adds the following users for Kibana:

1. Wazuh_user – Will be used for users who need read-only access to the Wazuh Kibana plugin.
2. Wazuh_admin – For users who need administrative privileges

Two additional roles are also created to give the users appropriate permissions.

• wazuh_ui_user – provides wazuh_user permissions to read the Wazuh’s indices.
• wazuh_ui_admin – allows wazuh_admins to perform read/write, management and indexing on wazuh indices.

Install Certificates

We can setup certificates to be used for TLS communication between Elasticsearch and Wazuh.

1. Remove demo certs

sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}

2. Download the wazuh-cert-tool.sh:

sudo su -
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml

3. Run the wazuh-cert-tool.sh to create the certificates:

# bash ~/wazuh-cert-tool.sh
02/28/2024 22:43:19 INFO: Configuration file found. Creating certificates...
02/28/2024 22:43:20 INFO: Creating the Elasticsearch certificates...
02/28/2024 22:43:20 INFO: Creating Wazuh server certificates...
02/28/2024 22:43:20 INFO: Creating Kibana certificate...
02/28/2024 22:43:20 INFO: Certificates creation finished. They can be found in ~/certs.

4. Move the Elasticsearch certificates to their corresponding location:

mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/

5.  Mitigate Apache Log4j2 Remote Code Execution (RCE) vulnerability

Add the following configuration to mitigate Apache Log4j2 Remote Code Execution (RCE) vulnerability – CVE-2021-44228 – ESA-2021-31.

mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options

6. Enable and start the Elasticsearch service:

systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

Check Elasticsearch service status:

systemctl status elasticsearch

Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:

export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

Command execution output:

Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
   SUCC: Configuration for 'audit' created or updated
Done with success

Run the command below to confirm that the installation was successful:

curl -XGET https://localhost:9200 -u admin:admin -k

The response should be as follows:

{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "42mc1BAjQaOpVo4p3Xz5lA",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Install Filebeat on Ubuntu

Filebeat is used to ship alerts and events from Wazuh server to Elasticsearch.

sudo apt install filebeat

Download the the filebeat configuration file below that will be used to forward wazuh alerts to Elasticsearch

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml

Download the alerts template with the command below for Elasticsearch:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh FIlebeat module:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Copy the Elasticsearch certificates to /etc/filebeat/certs

mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/

Start and enable Filebeat service

systemctl daemon-reload
systemctl enable --now filebeat

Confirm Filebeat configuration by the command below:

# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Install Kibana on Ubuntu

Kibana is the web interface that helps us visualize and analyze the events stored in Elasticsearch.

Use the command below to install Kibana on Ubuntu

apt install opendistroforelasticsearch-kibana

Download the Configuration file for Kibana

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml

Create data directory for Kibana

mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data

Install the Wazuh Kibana plugin.

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip

Sample execution output:

Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip
Transferring 33111704 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

Copy the Elasticsearch certificates to /etc/kibana/certs:

mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*

Bind Kibana’s socket to priviledged port 443:

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Start and enable Kibana service

systemctl daemon-reload
systemctl enable --now kibana

Allow Kibana through the firewall

sudo ufw allow 443/tcp

You can now access your wazuh kibana interface via

URL: https://<wazuh_server_ip>
user: admin
password: admin

You can login and proceed to see the available metrics from Wazuh:

Step 2: Configure Wazuh Agents

Wazuh agent is deployed on the endpoint systems such as Windows, Linux, and macOS to collect events and all security related data. The agent will then forward collected data to Wazuh server for threat detection and analysis. The agent can also analyze collected logs on the system, and extract valuable information relating to security for more analysis.

You can obtain commands that are to be run on the agent machine under Wazuh –> Agents

Choose “Deploy new agent” option.

In the next section you will choose:

• OS type and CPU architecture for it (Intel or ARM)
• Wazuh server address as deployed in step 1 – Public or private IPv4 address depending on the setup
• Agent name assigned to the agent. Best practice is to pick agent hostname (FQDN)

Next run the commands given to install and configured agent on your endpoint device.

Don’t forget to run the commands to start and enable the service.

Step 3: Analyze events and logs

If you click on Home icon you will get to the default dashboard. Choose the agent to review.

In the next screen you can switch between menu sections to analyze events and filter.

With the above steps, we have successfully setup Wazuh server on Ubuntu. Visit official Wazuh Documentation website to have a deeper understanding on Wazuh components, configurations and customizations that can be done to better secure your infrastructure and services.

Cheers and please check out other interesting articles on the site.

• How To Install Wazuh server on CentOS 8
• Forward Server logs and metrics to Elasticsearch using Beats