In this tutorial, you will learn how to install and set up Wazuh server with the ELK stack on Ubuntu 20.04. Wazuh is a free, open source, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. It gives you security visibility into your infrastructure by monitoring hosts at the operating system and application level.
Wazuh server integrates with other tools such as the ELK stack, which gives users better visualization of the event data and makes it easy to search through the security event data.
Wazuh provides capabilities such as;
- Security Analytics.
- Intrusion Detection.
- Log Data Analysis.
- File Integrity Monitoring.
- Vulnerability Detection.
- Configuration Assessment.
- Incident Response.
- Regulatory Compliance.
- Cloud security.
- Containers security.
Read more about these features on Wazuh documentation page.
Install and Setup Wazuh Server with ELK Stack on Ubuntu 20.04
There are different deployment architectures for Wazuh server:
- All-in-one deployment: Wazuh and the ELK stack components are installed on a single server.
- Multi-node (distributed) deployment: Wazuh and the ELK stack components are installed on separate nodes.
In this setup, just for demo purposes, we will run Wazuh server on a single node, installing both the Wazuh server and the ELK stack components on the same node.
You can check the requirements page before you proceed.
Install Wazuh Server on Ubuntu 20.04
In order to install and set up Wazuh server on Ubuntu 20.04, there are two components that need to be instal
Install Wazuh Manager on Ubuntu 20.04
Create Wazuh Repository
Ubuntu 20.04 does not ship the Wazuh manager package in its default repositories. As such, you need to add the Wazuh repository as follows;
Install some required packages;
apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
Install Wazuh repository GPG key;
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Install the Wazuh 4.x repository (the current stable release as of this writing is v4.0.3);
echo "deb https://packages.wazuh.com/4.x/apt stable main" | tee /etc/apt/sources.list.d/wazuh.list
Update the package information:
apt update
Check the available version of Wazuh manager;
apt-cache policy wazuh-manager
wazuh-manager:
Installed: (none)
Candidate: 4.0.3-1
Version table:
4.0.3-1 500
500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
4.0.2-1 500
500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
4.0.1-1 500
500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
4.0.0-1 500
500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
As you can see, Wazuh manager 4.0.3-1 is the current release provided by the repository. Therefore, install Wazuh manager on Ubuntu 20.04 by running the command below;
apt install wazuh-manager
Running Wazuh manager
Once the installation is done, run the command below to start it and enable it to run on system boot;
systemctl enable --now wazuh-manager
Checking the status;
systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2021-01-11 08:36:04 UTC; 2s ago
Process: 38472 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
Tasks: 91 (limit: 3488)
Memory: 152.8M
CGroup: /system.slice/wazuh-manager.service
├─38542 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─38581 /var/ossec/bin/ossec-authd
├─38594 /var/ossec/bin/wazuh-db
├─38618 /var/ossec/bin/ossec-execd
├─38631 /var/ossec/bin/ossec-analysisd
├─38672 /var/ossec/bin/ossec-syscheckd
├─38686 /var/ossec/bin/ossec-remoted
├─38720 /var/ossec/bin/ossec-logcollector
├─38735 /var/ossec/bin/ossec-monitord
└─38744 /var/ossec/bin/wazuh-modulesd
Jan 11 08:35:57 ubuntu20 env[38472]: Started wazuh-db...
Jan 11 08:35:58 ubuntu20 env[38472]: Started ossec-execd...
Jan 11 08:35:59 ubuntu20 env[38472]: Started ossec-analysisd...
Jan 11 08:36:00 ubuntu20 env[38472]: Started ossec-syscheckd...
Jan 11 08:36:01 ubuntu20 env[38472]: Started ossec-remoted...
Jan 11 08:36:01 ubuntu20 env[38472]: Started ossec-logcollector...
Jan 11 08:36:01 ubuntu20 env[38472]: Started ossec-monitord...
Jan 11 08:36:02 ubuntu20 env[38472]: Started wazuh-modulesd...
Jan 11 08:36:04 ubuntu20 env[38472]: Completed.
Jan 11 08:36:04 ubuntu20 systemd[1]: Started Wazuh manager
Install ELK Stack on Ubuntu 20.04
Since we are using a single-node deployment architecture, we will install the ELK stack on the same node as well.
As of this writing, Wazuh supports up to ELK 7.9.3. Therefore, the installation commands below install ELK stack v7.9.3 on Ubuntu 20.04.
Install the ELK/Elastic APT repository
Install the ELK/Elastic repository to enable you to install the stack components. Begin by importing the ELK stack repository PGP signing key;
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Install the ELK APT repository on Ubuntu;
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
Run system update to update the added repository;
apt update
Installing Elasticsearch
Note that since the installation is done from the ELK APT repositories, you would otherwise get the current latest stable versions installed. However, we need version 7.9.3. Hence, use the command below to install ES v7.9.3.
apt install elasticsearch=7.9.3
You can list available versions of a package using the command;
apt list -a <package-name>
e.g.
apt list -a elasticsearch
Configuring Elasticsearch
Once the installation is done, proceed to configure Elasticsearch. The default configuration file for Elasticsearch is /etc/elasticsearch/elasticsearch.yml.
Open the configuration file for editing using your preferred text editor;
vim /etc/elasticsearch/elasticsearch.yml
You can optionally set the name of the cluster or go with the default;
# ---------------------------------- Cluster -----------------------------------
...
cluster.name: wazuh-elk
For the network settings, we will use the defaults: Elasticsearch binds to the loopback interface on port 9200/tcp, which is fine for our case since we will only be accessing Elasticsearch locally from the Wazuh server.
By default, Elasticsearch tries to discover other nodes to form a cluster when started. Since we are running a single-node cluster, you need to specify this by inserting the line discovery.type: single-node under the Discovery section.
# --------------------------------- Discovery ----------------------------------
...
discovery.type: single-node
Save and exit the file.
Configure the JVM heap size, setting it to about half of the memory available on the system.
vim /etc/elasticsearch/jvm.options
...
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms512m
-Xmx512m
Save and exit the file.
There are other important Elasticsearch configuration settings you should consider, especially if you are taking it to production. Check the Important Elasticsearch Configuration page for more tips.
Running Elasticsearch
Once you are done with Elasticsearch configurations, start and enable Elasticsearch to run on system boot.
systemctl enable --now elasticsearch
Checking the status;
systemctl status elasticsearch
You can use curl to verify if all is well with Elasticsearch;
curl http://localhost:9200
{
"name" : "ubuntu20",
"cluster_name" : "wazuh-elk",
"cluster_uuid" : "GoVIy20dRVazBWw70u9Vrw",
"version" : {
"number" : "7.9.3",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "c4138e51121ef06a6404866cddc601906fe5c868",
"build_date" : "2020-10-16T10:36:16.141335Z",
"build_snapshot" : false,
"lucene_version" : "8.6.2",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Install and Configure Kibana
Install Kibana 7.9.3 by running the command;
apt install kibana=7.9.3
Once the installation is done, you can configure Kibana. The default configuration file for Kibana is /etc/kibana/kibana.yml. Open the file for editing.
vim /etc/kibana/kibana.yml
The default host and port settings configure Kibana to run on localhost:5601. We need to change the host in particular, so that Kibana can be reached externally.
# Kibana is served by a back end server. This setting specifies the port to use.
# server.port: 5601
server.port: 5601
...
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "192.168.57.3"
Next, you need to configure how Kibana connects to Elasticsearch. By default, as shown by the setting below, Kibana connects to Elasticsearch on the loopback address; this only works if Elasticsearch is listening on the loopback interface.
# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]
Be sure to set the IP address if ES is set to listen on a non-loopback IP address.
For a basic setup, that is enough. Save and exit the file.
Running Kibana
Now start and enable Kibana to run on system boot;
systemctl enable --now kibana
Check the status;
systemctl status kibana
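With the settings above, Elasticsearch should be reachable only on the loopback address while Kibana listens on the address set as server.host. Since anything that can reach port 9200 on this setup can read and delete the alert indices, it is worth confirming the bind addresses once both services are up. The check below is an added example, not part of the original guide: it parses the output of ss -ltnH (a constructed sample is embedded so it runs offline) and assumes the Kibana address used in this guide, 192.168.57.3.

```shell
#!/usr/bin/env bash
# Added example: confirm Elasticsearch (9200) is bound only to loopback and
# Kibana (5601) is bound to the address set as server.host in kibana.yml.

# Constructed sample of `ss -ltnH` output; column 4 is the local address:port.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9200    0.0.0.0:*
LISTEN 0 4096 [::1]:9200        [::]:*
LISTEN 0 511  192.168.57.3:5601 0.0.0.0:*
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*'

# check_bindings <kibana-host> <ss-output>
# Returns 0 when every 9200 listener is loopback (127.0.0.0/8 or [::1]) and
# 5601 is bound to <kibana-host>; otherwise reports each problem on stderr
# and returns 1.
check_bindings() {
  printf '%s\n' "$2" | awk -v kibana="$1" '
    BEGIN { bad = 0; found = 0 }
    $1 != "LISTEN" { next }
    {
      # split off the port; IPv6 addresses contain ":" so take the last piece
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
    }
    port == "9200" && addr !~ /^127\./ && addr != "[::1]" {
      print "elasticsearch exposed on " addr ":9200" > "/dev/stderr"; bad = 1
    }
    port == "5601" && (addr == kibana || addr == "0.0.0.0") { found = 1 }
    port == "5601" && addr == "0.0.0.0" {
      print "warning: kibana listening on all interfaces" > "/dev/stderr"
    }
    END {
      if (!found) { print "kibana not listening on " kibana ":5601" > "/dev/stderr"; bad = 1 }
      exit bad
    }'
}

# Stand-alone: pass --live to check the running system, otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
  check_bindings "192.168.57.3" "$(ss -ltnH)"
else
  check_bindings "192.168.57.3" "$SAMPLE_SS"
fi
```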
Install Logstash and Filebeat
apt install logstash=1:7.9.3-1 filebeat=7.9.3
Filebeat will be used to ship event data from Wazuh to Elasticsearch. Logstash is installed just in case you need to further process your event data before sending it to Elasticsearch.
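Every Elastic package above is pinned to 7.9.3 because that is the newest release Wazuh 4.0.3 supports, but a later apt upgrade from the 7.x repository would move the stack past it. The helpers below are an added example, not part of the original guide: they compare the installed Debian package versions against the pairing this guide installs and put the packages on hold; the package names and versions are the ones used in this guide.

```shell
#!/usr/bin/env bash
# Added example: keep the Wazuh/Elastic pairing this guide installs from drifting.
# A later "apt upgrade" would pull newer 7.x packages from the Elastic repository,
# which Wazuh 4.0.3 does not support; these helpers verify the versions and hold them.
WAZUH_VERSION="4.0.3"
ELK_VERSION="7.9.3"

# version_matches <dpkg-version> <expected>
# Returns 0 when the upstream part of a Debian version string equals <expected>,
# ignoring an epoch ("1:7.9.3-1" for logstash) and the Debian revision ("-1").
version_matches() {
  local upstream="${1#*:}"          # strip epoch
  upstream="${upstream%%-*}"        # strip Debian revision
  [ "$upstream" = "$2" ]
}

# installed_version <package>: prints the installed dpkg version, or nothing.
installed_version() {
  dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# check_stack_versions: compare each package with the expected version.
# Returns 0 when all match; otherwise reports every mismatch and returns 1.
check_stack_versions() {
  local rc=0 pkg expected have
  for pkg in wazuh-manager elasticsearch kibana logstash filebeat; do
    case "$pkg" in
      wazuh-manager) expected="$WAZUH_VERSION" ;;
      *)             expected="$ELK_VERSION" ;;
    esac
    have="$(installed_version "$pkg")"
    if ! version_matches "$have" "$expected"; then
      echo "$pkg: installed '${have:-none}', expected $expected" >&2
      rc=1
    fi
  done
  return "$rc"
}

# hold_stack_packages: mark the packages so apt upgrade leaves them alone.
hold_stack_packages() {
  apt-mark hold wazuh-manager elasticsearch kibana logstash filebeat
}

# Stand-alone: pass --check to verify the live system and hold the packages.
if [ "${1:-}" = "--check" ]; then
  check_stack_versions && hold_stack_packages
fi
```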
Start and enable Filebeat to run on system boot;
systemctl daemon-reload
systemctl enable --now filebeat
Configuring Filebeat
Download Filebeat Configuration file
Download a pre-configured configuration file for Filebeat;
mv /etc/filebeat/filebeat.yml{,.bak}
curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/filebeat/7.x/filebeat.yml
Configure Filebeat Output
Edit the Filebeat configuration file downloaded above and update the Elasticsearch output;
vim /etc/filebeat/filebeat.yml
#output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['http://localhost:9200']
Configure Filebeat to log to a specific file instead of the default syslog by adding the lines below to the filebeat.yml configuration file;
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
Save and exit the configuration file.
Test Filebeat connection to Elasticsearch
filebeat test output
elasticsearch: http://localhost:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS... WARN secure connection disabled
talk to server... OK
version: 7.9.3
Install Filebeat Wazuh Module
Download and install Filebeat Wazuh module;
wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz -P /tmp/
mkdir /usr/share/filebeat/module/wazuh
tar xzf /tmp/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1
Load Wazuh Elasticsearch Index Template to Elasticsearch
Download and load the Wazuh Elasticsearch alerts index template.
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.3/extensions/elasticsearch/7.x/wazuh-template.json
Next, load the template;
filebeat setup --path.config /etc/filebeat --path.home /usr/share/filebeat --path.data /var/lib/filebeat --index-management -E setup.template.json.enabled=false
Restart filebeat;
systemctl restart filebeat
Install Wazuh App Kibana Plugin
You can now install the Wazuh app Kibana plugin. Before you proceed, ensure that the owner of the directories /usr/share/kibana/optimize/ and /usr/share/kibana/plugins is set to kibana.
chown -R kibana: /usr/share/kibana/{optimize,plugins}
Navigate to Kibana home directory;
cd /usr/share/kibana
Then install the Wazuh App for Kibana 7.9.3;
sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.3_7.9.3-1.zip
Transferring 29967049 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete
You can list installed plugins;
sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
wazuh@4.0.3
Start Kibana;
systemctl enable --now kibana
Restart Elasticsearch and Wazuh-manager;
systemctl restart elasticsearch wazuh-manager
Once they are up, if you check the created indices, you should see the wazuh-alerts* index;
curl localhost:9200/_cat/indices?v
health status index                          uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2021.01.14    BbaKSWEDQh-MH6flluvYhQ   3   0        146            0    456.7kb        456.7kb
green  open   .kibana-event-log-7.9.3-000001 TjWocDYbQEix9w5FZFuuNQ   1   0          1            0      5.5kb          5.5kb
green  open   .apm-custom-link               BAeDQ5gzSiCQoJw_2GCW4A   1   0          0            0       208b           208b
green  open   .kibana_task_manager_1         5Xu37o8oSV-HfuniR6qT3A   1   0          6            3     59.4kb         59.4kb
green  open   .apm-agent-configuration       DtsbtThzSVeze4pETE6AVQ   1   0          0            0       208b           208b
green  open   wazuh-statistics-2021.3w       RSh_OZ-_S3a1CBo0ot1tkg   2   0          4            0     50.8kb         50.8kb
green  open   .kibana_1                      EF44HFQsQiGUdOppef8Ejw   1   0         14            9     10.4mb         10.4mb
green  open   wazuh-monitoring-2021.01.14    vQQzUF_ESZy_WMhD09tXMQ   2   0          0            0       416b           416b
Accessing the Wazuh App on Kibana
Accessing Kibana Interface
Now that your ELK stack is running, you can access the Kibana interface at http://<server-IP-or-resolvable-hostname>:5601.
Ensure that you open port 5601/TCP on the firewall to allow external access to Kibana.
ufw allow 5601/tcp
When you land on the Kibana interface, navigate to the menu and scroll down to find the Wazuh App. See the example screenshot below;
Upon clicking the app, it checks a few things such as the Wazuh API connection and version, and the availability of the default indices such as wazuh-alerts- (the default index).
If all is well, you should land on the dashboard;
And that marks the end of our guide on how to install and set up Wazuh server with ELK Stack on Ubuntu 20.04.
In our next guides, we will learn how to install and add Wazuh agents on the endpoints being monitored, to collect and ship data to Kibana for visualization.
Reference
Wazuh: Step-by-step installation
No link “Wazuh App”
Hi Bratella, try to reboot your system if the Wazuh app doesn't show up.