Install and Setup Wazuh Server with ELK Stack on Ubuntu 20.04

by

In this tutorial, you will learn how to install and setup Wazuh server with ELK stack on Ubuntu 20.04. Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. It helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level.

Wazuh server is integrated with other tools such as ELK stack which provides users with better visualization of the event data as well easily search through the security event data.

Wazuh provides capabilities such as;

  • Security Analytics.
  • Intrusion Detection.
  • Log Data Analysis.
  • File Integrity Monitoring.
  • Vulnerability Detection.
  • Configuration Assessment.
  • Incident Response.
  • Regulatory Compliance.
  • Cloud security
  • Containers security.

Read more about these features on Wazuh documentation page.

Want to learn how to build mesmerizing visualizations, analytics, and logs from your data using Elasticsearch, Logstash, and Kibana? Check the link below;

Learning ELK Stack: Build mesmerizing visualizations, analytics, and logs from your data using Elasticsearch, Logstash, and Kibana

Install and Setup Wazuh Server with ELK Stack on Ubuntu 20.04

There are different deployment architectures for Wazuh server:

  • All-in-one deployment – Wazuh and the ELK stack components are installed on a single server.
  • Multi-node (Distributed) deployment – Wazuh and ELK stack components are installed on separate nodes.

In this setup, just for demo purposes, we will be running Wazuh server on a single node. We will install both Wazuh server and ELK stack components on the same node.

You can check the requirements page before you can proceed.

Install Wazuh Server on Ubuntu 20.04

In order to install and setup Wazuh server on Ubuntu 20.04, there are two components that needs to be instal

Install Wazuh Manager on Ubuntu 20.04

Create Wazuh Repository

Ubuntu 20.04 do not have Wazuh manager package on its repository list. As such you need to install Wazuh repository as follows;

Install some required packages;

apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Install Wazuh repository GPG key;

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

Install the Wazuh 3.x repository (current stable release as of this writing is v4.0.3);

echo "deb https://packages.wazuh.com/4.x/apt stable main" | tee /etc/apt/sources.list.d/wazuh.list

Update the package information:

apt update

Check the available version of Wazuh manager;

apt-cache policy wazuh-manager
wazuh-manager:
  Installed: (none)
  Candidate: 4.0.3-1
  Version table:
     4.0.3-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     4.0.2-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     4.0.1-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
     4.0.0-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages

As you can see, Wazuh manager 4.0.3-1 is the current release as provided by the repos. Therefore, Install Wazuh Manager on Ubuntu 20.04 by running the command below;

apt install wazuh-manager
Running Wazuh manager

Once the installation is done, run the command below to start and enable it to run on system boot;

systemctl enable --now wazuh-manager

Checking the status;

systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-01-11 08:36:04 UTC; 2s ago
    Process: 38472 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
      Tasks: 91 (limit: 3488)
     Memory: 152.8M
     CGroup: /system.slice/wazuh-manager.service
             ├─38542 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─38581 /var/ossec/bin/ossec-authd
             ├─38594 /var/ossec/bin/wazuh-db
             ├─38618 /var/ossec/bin/ossec-execd
             ├─38631 /var/ossec/bin/ossec-analysisd
             ├─38672 /var/ossec/bin/ossec-syscheckd
             ├─38686 /var/ossec/bin/ossec-remoted
             ├─38720 /var/ossec/bin/ossec-logcollector
             ├─38735 /var/ossec/bin/ossec-monitord
             └─38744 /var/ossec/bin/wazuh-modulesd

Jan 11 08:35:57 ubuntu20 env[38472]: Started wazuh-db...
Jan 11 08:35:58 ubuntu20 env[38472]: Started ossec-execd...
Jan 11 08:35:59 ubuntu20 env[38472]: Started ossec-analysisd...
Jan 11 08:36:00 ubuntu20 env[38472]: Started ossec-syscheckd...
Jan 11 08:36:01 ubuntu20 env[38472]: Started ossec-remoted...
Jan 11 08:36:01 ubuntu20 env[38472]: Started ossec-logcollector...
Jan 11 08:36:01 ubuntu20 env[38472]: Started ossec-monitord...
Jan 11 08:36:02 ubuntu20 env[38472]: Started wazuh-modulesd...
Jan 11 08:36:04 ubuntu20 env[38472]: Completed.
Jan 11 08:36:04 ubuntu20 systemd[1]: Started Wazuh manager

Install ELK Stack on Ubuntu 20.04

Since we are using a single node deployment architecture, we will install ELK stack as well on the same node.

As of this writing, Wazuh supports upto ELK 7.9.3. Therefore, the installation commands below installs ELK stack v7.9.3 on Ubuntu 20.04.

Install the ELK/Elastic APT repository

Install the ELK/Elastic repository to enable you install the stack components. Begin by importing the ELK stack repository PGP signing Key;

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Install ELK APT repository on Ubuntu.

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

Run system update to update the added repository;

apt update

Installing Elasticsearch

Note, since the installation is done from the ELK APT repositories, you will get the current latest and stable versions installed. However, we need version 7.9.3. Hence, use the command below to install ES v7.9.3.

apt install elasticsearch=7.9.3

You can list available versions of a package using the command;

apt list -a <package-name>

e.g

apt list -a elasticsearch

Configuring Elasticsearch

Once the installation is done, proceed to configure Elasticsearch. The default configuration file for Elasticsearch is /etc/elasticsearch/elasticsearch.yml.

Open the configuration file for editing using your preferred text editor;

vim /etc/elasticsearch/elasticsearch.yml

You can optionally set the name of the cluster or go with the default;

# ---------------------------------- Cluster -----------------------------------
...
cluster.name: wazuh-elk

For the network settings, we will the defaults since by default, it uses the loopback interface and port 9200/tcp, which is fine for our case as we will only be accessing Elasticsearch locally from the Wazuh server.

By default, Elasticsearch tries to discovers other nodes to form a cluster when started. Since we are running a single node cluster, you need to specify the same by inserting the line, discovery.type: single-node, under the Discovery section.

# --------------------------------- Discovery ----------------------------------
...
discovery.type: single-node

Save and exit the file.

Configure the JVM heap size and set it to about half the memory available on the system.

vim /etc/elasticsearch/jvm.options
...
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms512m
-Xmx512m

Save and exit the file.

There are other important Elasticsearch configuration settings you should consider, especially if you are taking it to production. Check the Import Elasticsearch Configuration page for more tips.

Running Elasticsearch

Once you are done with Elasticsearch configurations, start and enable Elasticsearch to run on system boot.

systemctl enable --now elasticsearch

Checking the status;

systemctl status elasticsearch

You can use curl to verify if all is well with Elasticsearch;

curl http://localhost:9200
{
  "name" : "ubuntu20",
  "cluster_name" : "wazuh-elk",
  "cluster_uuid" : "GoVIy20dRVazBWw70u9Vrw",
  "version" : {
    "number" : "7.9.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "c4138e51121ef06a6404866cddc601906fe5c868",
    "build_date" : "2020-10-16T10:36:16.141335Z",
    "build_snapshot" : false,
    "lucene_version" : "8.6.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Install and Configure Kibana

Install Kibana 7.9.3 by running the command;

apt install kibana=7.9.3

Once the installation is done, you can configure Kibana. The default configuration file for Kibana is /etc/kibana/kibana.yml. Open the file editing.

vim /etc/kibana/kibana.yml

The default host and port settings configure Kibana to run on localhost:5601. We need to change, the host especially, to enable us to reach Kibana externally.

# Kibana is served by a back end server. This setting specifies the port to use.
# server.port: 5601
server.port: 5601
...
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "192.168.57.3"

Next, you need to configure how Kibana will connect to Elasticsearch. By default, as depicted by the setting below, Kibana can connect to Elasticsearch on loopback address, that is only if Elasticsearch is set to listen on the loopback interface. 

# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]

Be sure to set the IP address if ES is set to listen on a non-loopback IP address.

In it basic setup, that is just enough. Save and exit the file.

Running Kibana

Now start and enable Kibana to run on system boot;

systemctl enable --now kibana

Check the status;

systemctl status kibana

Install Logstash and Filebeat

apt install logstash=1:7.9.3-1 filebeat=7.9.3

Filebeat will be used to ship event data from Wazuh to Elasticsearch. Logstash is just there just in case, you need to further process your event data before sending it to Elasticsearch.

Start and enable Filebeat to run on system boot;

systemctl daemon-reload
systemctl enable --now filebeat

Configuring Filebeat

Download Filebeat Configuration file

Download a pre-configured configuration file for Filebeat;

mv /etc/filebeat/filebeat.yml{,.bak}
curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/filebeat/7.x/filebeat.yml
Configure Filebeat Output

Edit the Filebeat configuration file downloaded above and updated the ES output

vim /etc/filebeat/filebeat.yml
#output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['http://localhost:9200']

Configure Filebeat to log to specific file instead of the default syslog by adding the lines below to filebeat.yml configuration file;

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

Save and exit the configuration file.

Test Filebeat connection to Elasticsearch

filebeat test output
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3
Install Filebeat Wazuh Module

Download and install Filebeat Wazuh module;

wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz -P /tmp/
mkdir /usr/share/filebeat/module/wazuh
tar xzf /tmp/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1
Load Wazuh Elasticsearch Index Template to Elasticsearch

Download and load the Wazuh Elasticsearch alerts index template.

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/elasticsearch/7.x/wazuh-template.json

Next, load the template;

filebeat setup --path.config /etc/filebeat --path.home /usr/share/filebeat --path.data /var/lib/filebeat --index-management -E setup.template.json.enabled=false

Restart filebeat;

systemctl restart filebeat

Install Wazuh App Kibana Plugin

You can now install Wazuh app Kibana plugin. Before you can proceed, ensure that you set the owner of the directories, /usr/share/kibana/optimize/ and /usr/share/kibana/plugins to kibana.

chown -R kibana: /usr/share/kibana/{optimize,plugins}

Navigate to Kibana home directory;

cd /usr/share/kibana

The install Wazuh App for Kibana 7.9.3;

sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip
Transferring 29967049 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

You can list installed plugins;

sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
[email protected]

Start Kibana;

systemctl enable --now kibana

Restart Elasticsearch and Wazuh-manager;

systemctl restart elasticsearch wazuh-manager

Once they are up, if you check the created indices, you should be able to see wazuh-alerts* index created;

curl localhost:9200/_cat/indices?v
health status index                          uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2021.01.14    BbaKSWEDQh-MH6flluvYhQ   3   0        146            0    456.7kb        456.7kb
green  open   .kibana-event-log-7.9.3-000001 TjWocDYbQEix9w5FZFuuNQ   1   0          1            0      5.5kb          5.5kb
green  open   .apm-custom-link               BAeDQ5gzSiCQoJw_2GCW4A   1   0          0            0       208b           208b
green  open   .kibana_task_manager_1         5Xu37o8oSV-HfuniR6qT3A   1   0          6            3     59.4kb         59.4kb
green  open   .apm-agent-configuration       DtsbtThzSVeze4pETE6AVQ   1   0          0            0       208b           208b
green  open   wazuh-statistics-2021.3w       RSh_OZ-_S3a1CBo0ot1tkg   2   0          4            0     50.8kb         50.8kb
green  open   .kibana_1                      EF44HFQsQiGUdOppef8Ejw   1   0         14            9     10.4mb         10.4mb
green  open   wazuh-monitoring-2021.01.14    vQQzUF_ESZy_WMhD09tXMQ   2   0          0            0       416b           416b

Accessing the Wazuh App on Kibana

Accessing Kibana Interface

Now that your ELK stack is running, you can access Kibana interface, http://<server-IP-or-resolvable-hostname>:5601.

Ensure that you open Port 5601/TCP on firewall, to allow external access to Kibana.

ufw allow 5601/tcp

When you land on Kibana Interface, navigate to the menu and scroll down to see the Wazuh App. See example screenshot below;

install and setup Wazuh server with ELK Stack on Ubuntu 20.04

Upon clicking the app, it checks a few things like the Wazuh API connection and the version, the availability of the default indices such as wazuh-alerts- (default index).

If all is well, you should land on the dashboard;

install and setup Wazuh server with ELK Stack on Ubuntu 20.04

And that marks the end of our guide on how to install and setup Wazuh server with ELK Stack on Ubuntu 20.04.

In our next guides, we will learn on how to install to and add Wazuh agents on end points being monitored to collect and ship data to Kibana for visualization.

Reference

Wazuh: Step-by-step installation

Other Tutorials

Install Filebeat on Debian 10

How to Install Logstash on Debian

Install ELK/Elastic Stack on Debian 10

Founder of itnixpro.com|Linux Engineer|Author at Itnixpro.com

2 thoughts on “Install and Setup Wazuh Server with ELK Stack on Ubuntu 20.04”

Leave a Comment