Install Wazuh Server on Rocky Linux

How to install Wazuh server on Rocky Linux? In this tutorial, you will learn how to install Wazuh server on Rocky Linux. Wazuh is a free, open source and enterprise-ready security monitoring solution that helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities:

  • log analysis
  • file integrity monitoring
  • intrusion detection
  • policy and compliance monitoring

Install Wazuh Server on Rocky Linux

There are different deployment architectures for Wazuh server:

  • All-in-one deployment – Wazuh and the ELK stack components are installed on a single server.
  • Multi-node (Distributed) deployment – Wazuh and ELK stack components are installed on separate nodes.

In this setup, we will install both Wazuh server and ELK stack components on the same node.

Check the Wazuh requirements page before proceeding.

Install Wazuh Server on Rocky Linux

To install and set up a Wazuh server on Rocky Linux, two components need to be installed: the Wazuh manager, and the ELK stack (Elasticsearch, Kibana and Filebeat) together with the Wazuh Kibana plugin.

Install Wazuh Manager on Rocky Linux

Create Wazuh Repository

Rocky Linux does not ship the Wazuh manager package in its default repositories, so you need to add the Wazuh repository first;

Install Wazuh repository GPG key;

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Install the Wazuh 4.x repository (current stable release as of this writing is v4.3.10);

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Confirm the available version of Wazuh manager;

dnf info wazuh-manager
Name         : wazuh-manager
Version      : 4.3.10
Release      : 1
Architecture : x86_64
Size         : 115 M
Source       : wazuh-manager-4.3.10-1.src.rpm
Repository   : wazuh

As you can see, Wazuh manager 4.3.10 is the current release as provided by the repos.

Therefore, Install Wazuh Manager on Rocky Linux by running the command below;

dnf install wazuh-manager

Running Wazuh manager

Once the installation is done, run the command below to start and enable it to run on system boot;

systemctl enable --now wazuh-manager

Checking the status;

systemctl status wazuh-manager

Install ELK Stack on Rocky Linux

Since we are using a single node deployment architecture, we will install ELK stack as well on the same node.

Kibana is needed to host the Wazuh app, which provides the Wazuh dashboard. Elasticsearch stores and indexes the alert data; it provides a distributed, multitenant-capable full-text search engine.

You will also need Filebeat, which reads the Wazuh manager alert files and ships them to Elasticsearch.

As of this writing, Wazuh 4.3.10 supports ELK 7.17.6 as per the compatibility matrix.

Therefore, the installation commands below installs ELK stack 7.17.6 on Rocky Linux.

Install the ELK/Elastic YUM repository

Install the Elastic repository to enable you to install the stack components. Begin by importing the Elastic GPG signing key;

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

On Rocky Linux 9 the import can fail with the error;

error: https://artifacts.elastic.co/GPG-KEY-elasticsearch: key 1 import failed.

This happens because the signatures on the Elastic key use SHA-1, which the DEFAULT system-wide crypto policy on EL9 rejects. To allow the import, temporarily enable the SHA1 subpolicy;

update-crypto-policies --set DEFAULT:SHA1

Re-import the key;

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Note that the SHA1 subpolicy weakens the crypto policy for every application on the system (TLS, SSH, Kerberos, and so on), not just for rpm. Once the key has been imported, put the policy back;

update-crypto-policies --set DEFAULT
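As an added example (not part of the Wazuh or Elastic documentation), the following shell function wraps the steps above so that the relaxed policy never outlives the import: it records the policy currently in force, enables the SHA1 subpolicy only if a normal import actually fails, and restores the original policy on every exit path. The CRYPTO_POLICY_CMD and RPM_CMD variables are an assumption introduced here so the function can be exercised without root; on a real host they default to update-crypto-policies and rpm.

```sh
#!/bin/sh
# Import an RPM signing key that the EL9 DEFAULT crypto policy rejects (SHA-1
# signatures), relaxing the policy only for the duration of the import.
# Added example for this guide; not part of Wazuh or Elastic tooling.
# Assumption: the two commands are overridable so the logic can be exercised
# without root. On a real host they resolve to the real tools.
CRYPTO_POLICY_CMD="${CRYPTO_POLICY_CMD:-update-crypto-policies}"
RPM_CMD="${RPM_CMD:-rpm}"

# Usage: import_key_with_sha1 <key-url-or-file>
# Returns the exit status of the import; the original policy is restored on
# every path, and is not touched at all if the plain import succeeds.
import_key_with_sha1() {
    key="$1"
    # Remember exactly what is in force now (DEFAULT, FIPS, a custom policy...)
    # so we restore that rather than assuming DEFAULT.
    current=$("$CRYPTO_POLICY_CMD" --show) || return 1

    # Try the normal import first; only weaken the policy if it really fails.
    if "$RPM_CMD" --import "$key" 2>/dev/null; then
        return 0
    fi

    # The SHA1 subpolicy is system-wide (TLS, SSH, Kerberos, rpm...), so keep
    # the window as short as possible.
    "$CRYPTO_POLICY_CMD" --set "${current}:SHA1" || return 1
    if "$RPM_CMD" --import "$key"; then
        rc=0
    else
        rc=$?
    fi
    "$CRYPTO_POLICY_CMD" --set "$current"
    return "$rc"
}
```

On the Wazuh server this is run as root with the real key URL, for example `import_key_with_sha1 https://artifacts.elastic.co/GPG-KEY-elasticsearch`; `update-crypto-policies --show` afterwards should print the policy you started with.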

Create the Elastic YUM repository on Rocky Linux. Write it to its own file, elasticsearch.repo; writing it to wazuh.repo would overwrite the Wazuh repository created above.

cat > /etc/yum.repos.d/elasticsearch.repo << 'EOF'
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
EOF

The repository is left disabled (enabled=0) and enabled only for the individual install commands below, so that a routine dnf upgrade cannot pull in a newer 7.x release that Wazuh does not support.
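Both repository files in this guide are written with a bare cat redirection, which is how the Elastic definition can end up clobbering wazuh.repo. As an added example (not Wazuh or Elastic tooling), this helper writes a repository definition for either the Wazuh or the Elastic repository while refusing to overwrite a file that already defines a different repo id, and rejects any baseurl or gpgkey that is not served over HTTPS, since gpgcheck=1 is worthless if the key itself can be swapped in transit. REPO_DIR is an assumption added so the function can be tried in a scratch directory.

```sh
#!/bin/sh
# Write a dnf repository definition into /etc/yum.repos.d without clobbering a
# file that belongs to a different repo, and refuse definitions that would
# fetch packages or the signing key over plain HTTP.
# Added example for this guide; not part of Wazuh or Elastic packaging.
# Assumption: REPO_DIR is overridable so the function can be tried as non-root.
REPO_DIR="${REPO_DIR:-/etc/yum.repos.d}"

# Usage: add_repo <file-basename> <repo-id> <name> <baseurl> <gpgkey> [enabled]
# Exit status: 0 written, 1 bad or insecure arguments, 2 file belongs to another repo.
add_repo() {
    base="$1" id="$2" name="$3" baseurl="$4" gpgkey="$5" enabled="${6:-1}"
    [ -n "$base" ] && [ -n "$id" ] && [ -n "$baseurl" ] && [ -n "$gpgkey" ] || return 1
    # gpgcheck=1 only means something if the key cannot be replaced on the
    # wire, so both the package index and the key must come over TLS.
    for url in "$baseurl" "$gpgkey"; do
        case "$url" in
            https://*) ;;
            *) echo "add_repo: refusing non-https URL $url" >&2; return 1 ;;
        esac
    done
    file="$REPO_DIR/$base.repo"
    # One repo id per file: writing [elasticsearch] into wazuh.repo would
    # silently replace the Wazuh repo, which is the mistake guarded against.
    if [ -e "$file" ] && ! grep -q "^\[$id\]\$" "$file"; then
        echo "add_repo: $file already defines another repo, not overwriting" >&2
        return 2
    fi
    # Write to a temp file in the same directory and rename, so dnf never sees
    # a half-written .repo file.
    tmp=$(mktemp "$REPO_DIR/.$base.XXXXXX") || return 1
    cat > "$tmp" <<EOF
[$id]
name=$name
baseurl=$baseurl
enabled=$enabled
gpgcheck=1
gpgkey=$gpgkey
EOF
    chmod 0644 "$tmp" && mv "$tmp" "$file"
}
```

For this guide the two calls would be `add_repo wazuh wazuh 'EL-$releasever - Wazuh' https://packages.wazuh.com/4.x/yum/ https://packages.wazuh.com/key/GPG-KEY-WAZUH` and `add_repo elasticsearch elasticsearch 'Elasticsearch repository for 7.x packages' https://artifacts.elastic.co/packages/7.x/yum https://artifacts.elastic.co/GPG-KEY-elasticsearch 0`; the literal $releasever is expanded by dnf, not by the shell.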

Installing Elasticsearch

Note that installing elasticsearch from the Elastic repository without a version would pull the latest 7.x release, whereas Wazuh 4.3.10 requires 7.17.6. Hence, pin the version explicitly;

dnf install --enablerepo=elasticsearch elasticsearch-7.17.6

You can list available versions of a package using the command;

dnf info --enablerepo=elasticsearch elasticsearch

Sample installation output;

Dependencies resolved.
============================================================================================================================================================================
 Package                                     Architecture                         Version                                 Repository                                   Size
============================================================================================================================================================================
Installing:
 elasticsearch                               x86_64                               7.17.6-1                                elasticsearch                               294 M

Transaction Summary
============================================================================================================================================================================
Install  1 Package

Total download size: 294 M
Installed size: 488 M
Is this ok [y/N]: y
Downloading Packages:
elasticsearch-7.17.6-x86_64.rpm                                                                                                             2.1 MB/s | 294 MB     02:19    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                       2.1 MB/s | 294 MB     02:19     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                    1/1 
  Running scriptlet: elasticsearch-7.17.6-1.x86_64                                                                                                                      1/1 
Creating elasticsearch group... OK
Creating elasticsearch user... OK

  Installing       : elasticsearch-7.17.6-1.x86_64                                                                                                                      1/1 
  Running scriptlet: elasticsearch-7.17.6-1.x86_64                                                                                                                      1/1 
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore

/usr/lib/tmpfiles.d/elasticsearch.conf:1: Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.

  Verifying        : elasticsearch-7.17.6-1.x86_64                                                                                                                      1/1 

Installed:
  elasticsearch-7.17.6-1.x86_64                                                                                                                                             

Complete!

Configuring Elasticsearch

Once the installation is done, proceed to configure Elasticsearch. The default configuration file for Elasticsearch is /etc/elasticsearch/elasticsearch.yml.

Open the configuration file for editing using your preferred text editor;

vim /etc/elasticsearch/elasticsearch.yml

You can optionally set the name of the cluster or go with the default;

# ---------------------------------- Cluster -----------------------------------
...
cluster.name: wazuh-elk

For the network settings, we will keep the defaults: Elasticsearch binds to the loopback interface on port 9200/tcp, which is fine here since only Kibana and Filebeat on this same host will talk to it.

By default, Elasticsearch tries to discover other nodes to form a cluster when started. Since we are running a single-node cluster, tell it so by inserting the line discovery.type: single-node under the Discovery section.

# --------------------------------- Discovery ----------------------------------
...
discovery.type: single-node

Save and exit the file.

Configure the JVM heap size. Set the minimum (-Xms) and maximum (-Xmx) to the same value, no more than half of the memory available on the system (the rest is left to the operating system for file system caching), and never above about 31 GB. The 512m used here suits a small lab VM; size it according to your host.

vim /etc/elasticsearch/jvm.options.d/jvm.options
-Xms512m
-Xmx512m

Save and exit the file.
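The sizing rule above is easy to get wrong by hand. As an added example (not Elastic tooling), the following derives the heap from MemTotal in /proc/meminfo, applies the half-of-RAM and 31 GiB limits, and writes a drop-in under jvm.options.d, where Elasticsearch reads every file ending in .options. The drop-in file name heap.options and the 256 MiB floor are assumptions made here.

```sh
#!/bin/sh
# Derive an Elasticsearch JVM heap size from the machine's memory and write it
# to a jvm.options.d drop-in. Added example for this guide; not Elastic tooling.
# Rules applied: Xms == Xmx, at most half of RAM so the rest is left to the OS
# page cache, and never above ~31 GiB so the JVM keeps compressed object pointers.
# Assumptions: the drop-in name and the 256 MiB floor are choices made here.
JVM_OPTS_FILE="${JVM_OPTS_FILE:-/etc/elasticsearch/jvm.options.d/heap.options}"
MAX_HEAP_MB=31744   # 31 GiB

# Usage: heap_mb_for <MemTotal-in-kB>   -> prints the heap size in MiB
heap_mb_for() {
    mem_kb="$1"
    half_mb=$(( mem_kb / 1024 / 2 ))
    if [ "$half_mb" -gt "$MAX_HEAP_MB" ]; then
        echo "$MAX_HEAP_MB"
    elif [ "$half_mb" -lt 256 ]; then
        # Too small for Elasticsearch to start usefully; refuse rather than guess.
        echo "heap_mb_for: only ${half_mb} MiB available for heap, refusing" >&2
        return 1
    else
        echo "$half_mb"
    fi
}

# Usage: write_heap_options [MemTotal-in-kB]; reads /proc/meminfo when omitted.
write_heap_options() {
    mem_kb="${1:-$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)}"
    heap=$(heap_mb_for "$mem_kb") || return 1
    printf '%s\n%s\n' "-Xms${heap}m" "-Xmx${heap}m" > "$JVM_OPTS_FILE"
}
```

Run `write_heap_options` as root before starting Elasticsearch; on a 2 GiB lab VM it writes -Xms1024m/-Xmx1024m, and on a 128 GiB host it stops at 31744m.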

There are other important Elasticsearch configuration settings you should consider, especially if you are taking it to production. Check the Important Elasticsearch Configuration page for more tips.

Running Elasticsearch

Once you are done with Elasticsearch configurations, start and enable Elasticsearch to run on system boot.

systemctl enable --now elasticsearch

Checking the status;

systemctl status elasticsearch

You can use curl to verify if all is well with Elasticsearch;

curl http://localhost:9200
{
  "name" : "rocky9",
  "cluster_name" : "wazuh-elk",
  "cluster_uuid" : "hpGPgKhYRpetfkWh2oIjzw",
  "version" : {
    "number" : "7.17.6",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "f65e9d338dc1d07b642e14a27f338990148ee5b6",
    "build_date" : "2022-08-23T11:08:48.893373482Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Install and Configure Kibana

Install Kibana 7.17.6 by running the command;

dnf install --enablerepo=elasticsearch kibana-7.17.6

Once the installation is done, you can configure Kibana. The default configuration file for Kibana is /etc/kibana/kibana.yml. Open the file for editing.

vim /etc/kibana/kibana.yml

The default host and port settings bind Kibana to localhost:5601. To reach Kibana from other hosts, change server.host to the server's non-loopback address (192.168.56.144 in this example). Bear in mind that nothing in this guide enables authentication or TLS on Kibana or Elasticsearch, so restrict access to 5601/tcp to trusted networks.

# Kibana is served by a back end server. This setting specifies the port to use.
# server.port: 5601
server.port: 5601
...
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "192.168.56.144"

Next, configure how Kibana connects to Elasticsearch. The default, shown below, points Kibana at Elasticsearch on the loopback address, which works here because Elasticsearch was left listening on the loopback interface.

# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]

Be sure to set the IP address if ES is set to listen on a non-loopback IP address.

In its basic setup, that is just enough for Kibana.

Save and exit the file.

Running Kibana

Now start and enable Kibana to run on system boot;

systemctl enable --now kibana

Check the status;

systemctl status kibana

Install Filebeat

Install the same version of Filebeat as Elasticsearch and Kibana.

dnf install --enablerepo=elasticsearch filebeat-7.17.6

Filebeat will be used to ship event data from Wazuh to Elasticsearch.

Configuring Filebeat

Set up the Filebeat configuration, keeping a backup of the stock file.

mv /etc/filebeat/filebeat.yml{,.bak}
cat > /etc/filebeat/filebeat.yml << EOL
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: auto

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
EOL

Save and exit the configuration file.

Install Filebeat Wazuh Module

Download and install Filebeat Wazuh module;

wget https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz -P /tmp/
mkdir /usr/share/filebeat/module/wazuh
tar xzf /tmp/wazuh-filebeat-0.2.tar.gz -C /usr/share/filebeat/module/wazuh/ --strip-components=1

Load Wazuh Elasticsearch Index Template to Elasticsearch

Download and load the Wazuh Elasticsearch alerts index template.

curl -so /etc/filebeat/wazuh-template.json \
https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Next, load the template;

filebeat setup \
--path.config /etc/filebeat \
--path.home /usr/share/filebeat \
--path.data /var/lib/filebeat \
--index-management -E setup.template.json.enabled=false

Test Filebeat connection to Elasticsearch

filebeat test output
elasticsearch: http://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.17.6

The TLS warning is expected in this guide, since Elasticsearch is reached over plain HTTP on the loopback interface; it is also a reminder that the stack as built here has neither transport encryption nor authentication.

Start and enable Filebeat to run on system boot;

systemctl daemon-reload
systemctl enable --now filebeat

Check status;

systemctl status filebeat

For logs;

tail -f /var/log/filebeat/filebeat

Install Wazuh App Kibana Plugin

You can now install the Wazuh app Kibana plugin. Before you proceed, ensure that the directories /usr/share/kibana/optimize, /usr/share/kibana/plugins and /usr/share/kibana/data exist and are owned by the kibana user, since the plugin is installed as that user rather than as root.

mkdir -p /usr/share/kibana/{optimize,plugins,data}
chown -R kibana: /usr/share/kibana/{optimize,plugins,data}

Navigate to Kibana home directory;

cd /usr/share/kibana

Then install the Wazuh app for Kibana 7.17.6; the plugin build must match both the Wazuh manager version (4.3.10) and the Kibana version (7.17.6);

sudo -u kibana /usr/share/kibana/bin/kibana-plugin \
install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.10_7.17.6-1.zip
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.10_7.17.6-1.zip
Transferring 30325453 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

You can list installed plugins;

sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
wazuh@4.3.10

Restart Kibana so that it loads the plugin;

systemctl restart kibana

Restart Elasticsearch and Wazuh-manager;

systemctl restart elasticsearch wazuh-manager

Once they are up, if you check the created indices, you should be able to see wazuh-alerts* index created;

curl -s localhost:9200/_cat/indices?v | grep wazuh
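As an added example (not a Wazuh tool), the following turns that grep into a check a script can act on: it parses the _cat/indices?v table by its header row, accepts any wazuh-alerts-* index that is not red, and fails if none exists. Yellow is expected on a single node when an index is configured with replicas; red means a primary shard is unassigned and alerts are not being indexed. The parser is separated from the curl call so it can be run on captured output; ES_URL is an assumption made here.

```sh
#!/bin/sh
# Post-install check: is Filebeat actually indexing Wazuh alerts?
# Added example for this guide; not a Wazuh tool. ES_URL is an assumption.
ES_URL="${ES_URL:-http://localhost:9200}"

# Usage: wazuh_alerts_index_ok < output-of-_cat/indices?v
# Prints the wazuh-alerts-* indices it accepted. Exit 0 if at least one
# exists and none of them is red; 1 otherwise.
wazuh_alerts_index_ok() {
    awk '
        # First line is the header: map column names to positions, so the
        # check does not depend on column order.
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["index"]) ~ /^wazuh-alerts-/ {
            if ($(col["health"]) == "red") { red++ } else { ok++; print $(col["index"]) }
        }
        END { if (ok > 0 && red == 0) exit 0; exit 1 }
    '
}

# Live check against the local Elasticsearch. -f makes curl fail on HTTP
# errors (for example a 401 from a secured cluster), so the pipeline fails too.
check_wazuh_alerts() {
    curl -sf "$ES_URL/_cat/indices?v" | wazuh_alerts_index_ok
}
```

Running `check_wazuh_alerts` right after the restart above prints the wazuh-alerts-* index name on success; if it fails, look at `tail /var/log/filebeat/filebeat` for template or connection errors before going on to Kibana.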

Accessing the Wazuh App on Kibana

Accessing Kibana Interface

Now that your ELK stack is running, you can access Kibana interface, http://<server-IP-or-resolvable-hostname>:5601.

Ensure that you open Port 5601/TCP on firewall, to allow external access to Kibana.

firewall-cmd --add-port=5601/tcp --permanent
firewall-cmd --reload

When you land on Kibana Interface, navigate to the menu and scroll down to see the Wazuh App. See example screenshot below;

[Screenshot: the Wazuh app entry in the Kibana menu]

When you open the app, it checks a few things: the connection to the Wazuh API and its version, and the presence of the default indices such as wazuh-alerts-*.

If all is well, you should land on the Wazuh dashboard;

[Screenshot: the Wazuh dashboard in Kibana]

And that marks the end of our guide on how to install Wazuh server with ELK stack on Rocky Linux.

In our next guides, we will learn how to install Wazuh agents on the endpoints being monitored and add them to the manager, so that they collect and ship data for visualization in Kibana.


Founder of itnixpro.com|Linux Engineer|Author at Itnixpro.com
