
This article covers how to install a Wazuh server on Ubuntu 20.04. Wazuh is a free, open-source security monitoring platform built on the Elastic Stack (ELK). It monitors security events at the application and operating-system level, giving you threat detection, incident response and file integrity monitoring. In this tutorial we deploy Wazuh on a single Ubuntu 20.04 host, with ELK installed on the same host.

You can use Wazuh for the following applications:

  1. Security analysis
  2. Log analysis
  3. Vulnerability detection
  4. Container security
  5. Cloud security

Prerequisites

Install the packages below, which are needed to run the Wazuh manager:

sudo apt update
sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Install Java:

sudo apt install default-jre

Install Wazuh Server on Ubuntu 20.04

The steps below walk through setting up the Wazuh server on Ubuntu 20.04.

1. Add the Wazuh GPG key

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -

2. Add Wazuh repository

echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

3. Update system

sudo apt update

4. Install Wazuh Manager

sudo apt install wazuh-manager

5. Start and enable service

sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-manager

Check the service status and confirm that the Wazuh manager is up and running:

$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-04-26 09:13:56 UTC; 22s ago
    Process: 252739 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
      Tasks: 121 (limit: 4580)
     Memory: 472.5M
     CGroup: /system.slice/wazuh-manager.service
             ├─252805 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─252844 /var/ossec/bin/ossec-authd
             ├─252860 /var/ossec/bin/wazuh-db
             ├─252883 /var/ossec/bin/ossec-execd
             ├─252897 /var/ossec/bin/ossec-analysisd
             ├─252958 /var/ossec/bin/ossec-syscheckd
             ├─252975 /var/ossec/bin/ossec-remoted
             ├─253006 /var/ossec/bin/ossec-logcollector
             ├─253024 /var/ossec/bin/ossec-monitord
             └─253047 /var/ossec/bin/wazuh-modulesd

Apr 26 09:13:47 node3 env[252739]: Started wazuh-db...
Apr 26 09:13:48 node3 env[252739]: Started ossec-execd...
Apr 26 09:13:49 node3 env[252739]: Started ossec-analysisd...
Apr 26 09:13:50 node3 env[252739]: Started ossec-syscheckd...
Apr 26 09:13:51 node3 env[252739]: Started ossec-remoted...
Apr 26 09:13:52 node3 env[252739]: Started ossec-logcollector...
Apr 26 09:13:53 node3 env[252739]: Started ossec-monitord...
Apr 26 09:13:54 node3 env[252739]: Started wazuh-modulesd...
Apr 26 09:13:56 node3 env[252739]: Completed.
Apr 26 09:13:56 node3 systemd[1]: Started Wazuh manager.

Install ELK Stack on Ubuntu 20.04

Install Elasticsearch from Open Distro, a highly scalable full-text search engine. This package offers advanced security, alerting, deep performance analysis, index management and many more features.

sudo apt install elasticsearch-oss opendistroforelasticsearch

Download a custom configuration file for /etc/elasticsearch/elasticsearch.yml as shown below:

sudo curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Configure Kibana roles and users with the templates below:

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/roles_mapping.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/roles/internal_users.yml

The files above add the following users for Kibana:

  1. wazuh_user – for users who need read-only access to the Wazuh Kibana plugin.
  2. wazuh_admin – for users who need administrative privileges.

Two additional roles are also created to give these users the appropriate permissions:

  • wazuh_ui_user – gives wazuh_user permission to read the Wazuh indices.
  • wazuh_ui_admin – allows wazuh_admin to perform read/write, management and indexing operations on the Wazuh indices.

Install Certificates

Next we set up the certificates used for TLS communication between the components of the stack (Elasticsearch, Filebeat and Kibana).

1. Remove the demo certificates

sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}

2. Generate new certificates:

sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs
sudo curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip

3. Extract the downloaded file

sudo unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard

4. Download the pre-configured search-guard.yml file.

sudo curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/searchguard/search-guard-aio.yml

5. Run the search guard script to create the certificates:

sudo ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/

6. Remove the unnecessary files once the certs have been created

sudo rm /etc/elasticsearch/certs/client-certificates.readme

7. Enable and start Elasticsearch service.

sudo systemctl enable --now elasticsearch

8. Apply the security configuration (the roles and users downloaded earlier) by running the Open Distro securityadmin script, authenticating with the new admin certificate:

sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key

You should see an output similar to the one below:

WARNING: JAVA_HOME not set, will use /usr/bin/java
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.0
Open Distro Security Version: 1.12.0.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Done with success
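The certificate steps above produce the files that securityadmin.sh, Filebeat and Kibana all depend on, and a key that does not belong to its certificate, or a certificate not issued by root-ca.pem, only surfaces later as an opaque TLS handshake failure. The following script is an added example, not part of this guide's steps or of Wazuh or Search Guard: it checks each pair in /etc/elasticsearch/certs with openssl before the certificates are distributed. The file names admin, filebeat, kibana_http and root-ca come from the steps above; pass your own list if your search-guard.yml differs. The make_demo_certs function only builds a throwaway self-signed pair in a temporary directory so the checks can be tried without touching /etc/elasticsearch.

```shell
#!/bin/sh
# Added example, not Wazuh or Search Guard code: sanity checks on the files
# sgtlstool.sh wrote to /etc/elasticsearch/certs, to run before they are
# handed to securityadmin.sh, Filebeat and Kibana. Requires openssl.
# File names (admin, filebeat, kibana_http, root-ca) are taken from the steps
# in this guide; pass your own list if your search-guard.yml differs.

# Return 0 when the certificate and private key carry the same public key.
cert_key_match() {
  cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cpub" = "$kpub" ]
}

# Return 0 when the certificate verifies against the given CA file.
cert_signed_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the subject DN in RFC 2253 form, the same form securityadmin.sh
# reports ("Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US").
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Check each <name>.pem / <name>.key pair in a certs directory against root-ca.pem.
# Usage: check_generated_certs [dir] [name ...]
check_generated_certs() {
  dir=${1:-/etc/elasticsearch/certs}
  [ $# -gt 0 ] && shift
  rc=0
  for name in ${*:-admin filebeat kibana_http}; do
    cert="$dir/$name.pem"; key="$dir/$name.key"
    if cert_key_match "$cert" "$key" && cert_signed_by "$cert" "$dir/root-ca.pem"; then
      printf '%-12s OK    %s\n' "$name" "$(cert_subject "$cert")"
    else
      printf '%-12s FAIL  (missing file, key mismatch, or not issued by root-ca.pem)\n' "$name"
      rc=1
    fi
  done
  return $rc
}

# Constructed demo material: a throwaway self-signed pair in a temp directory,
# with the certificate doubling as root-ca.pem, plus an unrelated key for a
# negative check. Prints the directory. Not the certificates the guide creates.
make_demo_certs() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=admin" \
    -keyout "$d/admin.key" -out "$d/admin.pem" >/dev/null 2>&1
  cp "$d/admin.pem" "$d/root-ca.pem"
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
  echo "$d"
}

# On the real host: sudo sh -c '. ./certcheck.sh; check_generated_certs'
```

Run it as root on the Elasticsearch host after step 5; a FAIL line for admin means securityadmin.sh in step 8 will not be able to authenticate, and a FAIL for filebeat or kibana_http means the copies made later for those services will not be trusted by Elasticsearch.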

Run the command below to confirm that the installation was successful:

curl -XGET https://localhost:9200 -u admin:admin -k

The response should be as follows:

{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "9JuWWZBHSX65WNZioHQcMg",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

You may choose to remove the Open Distro for Elasticsearch performance analyzer plugin, which is installed by default and can be resource hungry. Use the command below to remove it:

sudo /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer

Install Filebeat on Ubuntu 20.04

Filebeat is used to ship alerts and events from the Wazuh server to Elasticsearch.

sudo apt install filebeat

Download the Filebeat configuration file below, which forwards Wazuh alerts to Elasticsearch:

sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml

Download the alerts template with the command below for Elasticsearch:

sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json

sudo chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh Filebeat module:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Copy the Elasticsearch certificates to /etc/filebeat/certs:

sudo mkdir /etc/filebeat/certs && sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/
sudo mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/

Start and enable Filebeat service

sudo systemctl enable --now filebeat

Confirm that Filebeat can reach Elasticsearch with the command below:

sudo filebeat test output

Sample output:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.0
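The two checks run by hand above (the curl against Elasticsearch and filebeat test output) are the ones worth repeating after every configuration change, so here is an added example, not part of this guide or of the Wazuh project, that turns them into a small script. The function names are my own; the live section at the bottom only runs when WAZUH_LIVE=1 is set on the installed host, and the constructed sample strings are abridged from the outputs shown above so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Wazuh project or this guide's own commands.
# Offline-testable parsers for the two checks the guide runs by hand
# (curl against Elasticsearch and `filebeat test output`), plus a live
# section that only runs when WAZUH_LIVE=1 is set on the installed host.

# Print the Elasticsearch version from the JSON banner that
# `curl -XGET https://localhost:9200 -u <user>:<pass> -k` returns on stdin.
es_version() {
  sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when `filebeat test output` (read from stdin) reports a working
# connection with server certificate verification enabled; 1 otherwise.
filebeat_output_ok() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'talk to server\.\.\. OK' || return 1
  printf '%s\n' "$out" | grep -qE 'ERROR|FAIL' && return 1
  # A filebeat.yml with ssl.verification_mode: none would still "talk to
  # server" but accept any certificate; treat that as a failed check.
  printf '%s\n' "$out" | grep -q 'certificate chain verification is enabled' || return 1
  return 0
}

# Print the systemd state of each unit in the single-node stack (live host only).
stack_services_active() {
  for unit in wazuh-manager elasticsearch filebeat kibana; do
    state=$(systemctl is-active "$unit" 2>/dev/null || true)
    printf '%-14s %s\n' "$unit" "${state:-unknown}"
  done
}

# Constructed sample inputs, abridged from the outputs shown in the guide, so
# the parsers can be exercised without a running stack.
SAMPLE_ES_JSON='{ "name" : "node-1", "version" : { "number" : "7.10.0", "build_flavor" : "oss" } }'
SAMPLE_FILEBEAT_OK="elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
  talk to server... OK
  version: 7.10.0"
SAMPLE_FILEBEAT_BAD="elasticsearch: https://127.0.0.1:9200...
  connection...
    dial up... ERROR dial tcp 127.0.0.1:9200: connect: connection refused"

if [ "${WAZUH_LIVE:-0}" = "1" ]; then
  stack_services_active
  ver=$(curl -s -XGET https://localhost:9200 -u "${ES_USER:-admin}:${ES_PASS:-admin}" -k | es_version)
  echo "Elasticsearch version: ${ver:-not reachable}"
  if sudo filebeat test output 2>&1 | filebeat_output_ok; then
    echo "Filebeat -> Elasticsearch: OK"
  else
    echo "Filebeat -> Elasticsearch: FAILED (check /etc/filebeat/filebeat.yml and /etc/filebeat/certs)"
    exit 1
  fi
fi
```

Run it as `WAZUH_LIVE=1 sh stackcheck.sh` on the host. The Elasticsearch credentials are read from ES_USER and ES_PASS, defaulting to the admin:admin pair this guide logs in with, so the script does not need editing once those defaults are changed; the `-k` on the curl mirrors the guide's own check and skips verification of the Elasticsearch certificate, which is why the Filebeat check insists on "certificate chain verification is enabled" for the path that actually carries alerts.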

Install Kibana on Ubuntu 20.04

Kibana is the web interface that helps us visualize and analyze the events stored in Elasticsearch.

Use the command below to install Kibana on Ubuntu 20.04:

sudo apt-get install opendistroforelasticsearch-kibana

Download the configuration file for Kibana:

sudo curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.yml

Assign the right permissions to the following directories:

sudo chown -R kibana:kibana /usr/share/kibana/optimize
sudo chown -R kibana:kibana /usr/share/kibana/plugins

Install the Kibana plugin for Wazuh. This has to be done from the Kibana home directory.

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.0-1.zip
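The plugin archive name encodes both the Wazuh app version and the exact Kibana release it was built for (wazuh_kibana-4.1.5_7.10.0-1.zip is Wazuh 4.1.5 for Kibana 7.10.0), and the Wazuh plugin must match the installed Kibana version exactly. The following added example, which is not Wazuh project code, compares the archive you are about to install with the Kibana on the host before calling kibana-plugin; reading the installed version from /usr/share/kibana/package.json is an assumption of this example, and make_sample_package_json only writes a constructed file so the check can be tried without Kibana installed.

```shell
#!/bin/sh
# Added example, not Wazuh project code. The plugin archive name encodes both
# the Wazuh app version and the exact Kibana version it was built for:
#   wazuh_kibana-<wazuh>_<kibana>-<revision>.zip
# The plugin must match the installed Kibana release, so this compares the
# archive with the Kibana actually installed before running kibana-plugin.
# Reading the installed version from /usr/share/kibana/package.json is an
# assumption of this example.

plugin_wazuh_version() {   # e.g. 4.1.5; accepts a file name or full URL
  basename "$1" | sed -n 's/^wazuh_kibana-\([0-9.]*\)_[0-9.]*-[0-9]*\.zip$/\1/p'
}

plugin_kibana_version() {  # e.g. 7.10.0
  basename "$1" | sed -n 's/^wazuh_kibana-[0-9.]*_\([0-9.]*\)-[0-9]*\.zip$/\1/p'
}

# Installed Kibana version from package.json (path overridable for testing).
installed_kibana_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "${1:-/usr/share/kibana/package.json}" 2>/dev/null | head -n 1
}

# Return 0 only when both versions could be determined and are identical.
plugin_matches_kibana() {
  want=$(plugin_kibana_version "$1")
  have=$(installed_kibana_version "$2")
  if [ -z "$want" ] || [ -z "$have" ]; then
    echo "cannot determine versions (archive='$1', package.json='${2:-/usr/share/kibana/package.json}')" >&2
    return 1
  fi
  if [ "$want" != "$have" ]; then
    echo "plugin built for Kibana $want but Kibana $have is installed" >&2
    return 1
  fi
  echo "plugin $(plugin_wazuh_version "$1") matches installed Kibana $have"
}

# Constructed sample package.json so the check can be tried without Kibana.
make_sample_package_json() {
  f=$(mktemp)
  printf '{\n  "name": "kibana",\n  "version": "7.10.0"\n}\n' > "$f"
  echo "$f"
}

# On the Kibana host (uncomment and set PLUGIN_URL):
# plugin_matches_kibana "$PLUGIN_URL" \
#   && cd /usr/share/kibana \
#   && sudo -u kibana /usr/share/kibana/bin/kibana-plugin install "$PLUGIN_URL"
```

When the check fails, pick the archive from packages.wazuh.com whose second version component equals the installed Kibana version rather than upgrading or downgrading Kibana to fit the plugin.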

Copy the Elasticsearch certificates to /etc/kibana/certs:

sudo mkdir /etc/kibana/certs
sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/
sudo mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key
sudo mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem

Allow Kibana's Node.js binary to bind to the privileged port 443:

sudo setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Start and enable Kibana service

sudo systemctl enable --now kibana

Allow Kibana through the firewall

sudo ufw allow 443/tcp

You can now access the Wazuh Kibana interface with the following details:

URL: https://<wazuh_server_ip>
user: admin
password: admin

You can log in and proceed to view the available metrics from Wazuh.

With the above steps, we have successfully set up a Wazuh server on Ubuntu 20.04. Cheers, and please check out other interesting articles on the site:

How To Install Wazuh server on CentOS 8

Forward Server logs and metrics to Elasticsearch using Beats


2 COMMENTS

  1. Very nice how-to, but I did run into a problem. At the Kibana install, after I downloaded the config, I ran
    sudo chown -R kibana:kibana /usr/share/kibana/optimize
    I get “chown: cannot access ‘/usr/share/kibana/optimize’: No such file or directory”
    But I think more importantly, when I try to download the plugin with
    cd /usr/share/kibana
    sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.1-1.zip
    I get
    Plugin installation was unsuccessful due to error “No kibana plugins found in archive”
    Any thought on how to get this plugin installed?
    Thanks
