How to Install Wazuh: Step-by-Step Guide
Follow this comprehensive guide to install and configure Wazuh for advanced monitoring and threat detection. Perfect for IT admins and security professionals looking to improve their cybersecurity posture.
Step 1: Update System Packages
Update your system packages:
    sudo apt update
Switch to the root user:
    sudo su
Step 2: Quick Install Wazuh
Download and execute the Wazuh installation assistant script (the -a flag performs an all-in-one deployment of the indexer, server and dashboard on this host):
    curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Step 3: Access the Wazuh Dashboard
Once the installation is complete, copy the credentials printed in the terminal. Open your browser and go to:
    https://your_server_ip
Log in using the provided credentials.
Wazuh Manual Installation
Create a Working Directory
Create a folder for all setup files:
    mkdir wazuh-installer
    cd wazuh-installer
Certificate Creation
Download the certificate creation script and configuration file:
    curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
    curl -sO https://packages.wazuh.com/4.7/config.yml
Edit config.yml and replace the node names and IP addresses with those of your indexer, server and dashboard nodes. Note the names you choose: the deployment steps below extract each certificate by its node name.
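The config.yml that the certificate tool reads has one entry per node under indexer, server and dashboard. The following shell script is an added example, not part of this guide or of Wazuh's tooling: it writes that file from the names and addresses you supply, rejects duplicate node names (the tool names each certificate pair after its node, so two nodes with one name would get indistinguishable files), and reads a node name back out of the file so that NODE_NAME in the later steps can be set from it rather than retyped. The node names node-1, wazuh-1 and dashboard are the defaults from the 4.7 template; the addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of this guide or of Wazuh's tooling: generate the
# config.yml read by wazuh-certs-tool.sh from node names and addresses.
# The layout follows the 4.7 config.yml template the guide downloads; the
# node names node-1, wazuh-1 and dashboard are that template's defaults and
# the addresses used below are constructed placeholders.
set -eu

# check_unique_node_names NAME...
# Returns 0 when every name is distinct, 1 otherwise. The certificate tool
# writes <name>.pem and <name>-key.pem per node, so two nodes sharing a name
# would end up with certificate files that cannot be told apart.
check_unique_node_names() {
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

# write_certs_config OUTFILE INDEXER_NAME INDEXER_IP SERVER_NAME SERVER_IP DASHBOARD_NAME DASHBOARD_IP
# Writes OUTFILE in the format wazuh-certs-tool.sh expects. Fails without
# touching OUTFILE if two node names collide.
write_certs_config() {
    out=$1
    check_unique_node_names "$2" "$4" "$6" || return 1
    cat > "$out" <<EOF
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: $2
      ip: "$3"

  # Wazuh server nodes
  server:
    - name: $4
      ip: "$5"

  # Wazuh dashboard nodes
  dashboard:
    - name: $6
      ip: "$7"
EOF
}

# node_name_for CONFIG ROLE
# Prints the node name recorded under ROLE (indexer, server or dashboard),
# so the certificate deployment steps can do NODE_NAME=$(node_name_for ...)
# instead of retyping the name for each component.
node_name_for() {
    awk -v role="$2" '
        $1 == role ":"                         { in_role = 1; next }
        in_role && $1 == "-" && $2 == "name:"  { print $3; exit }
        /^  [a-z]+:$/                          { in_role = 0 }
    ' "$1"
}

# Example run with constructed addresses:
#   write_certs_config ./config.yml node-1 10.0.0.11 wazuh-1 10.0.0.12 dashboard 10.0.0.13
#   NODE_NAME=$(node_name_for ./config.yml server)    # wazuh-1
```

Because write_certs_config checks the names before opening the output file, a collision leaves no half-written config.yml behind; node_name_for is what makes the later Filebeat and dashboard steps use the server and dashboard names rather than the indexer's.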
Run the certificate creation script:
    bash ./wazuh-certs-tool.sh -A
Compress the generated certificates:
    tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
    rm -rf ./wazuh-certificates
Install Wazuh Indexer
Install necessary packages:
    apt-get install debconf adduser procps
    apt-get install gnupg apt-transport-https
Add the GPG key and repository:
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
    echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update package information and install the Wazuh indexer:
    apt-get update
    apt-get -y install wazuh-indexer
Edit /etc/wazuh-indexer/opensearch.yml to set network.host, node.name, and cluster.initial_master_nodes.
Deploy certificates (set NODE_NAME to the indexer node name from config.yml):
    NODE_NAME=node-1
    mkdir /etc/wazuh-indexer/certs
    tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
    mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
    mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
    chmod 500 /etc/wazuh-indexer/certs
    chmod 400 /etc/wazuh-indexer/certs/*
    chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
Start the Wazuh indexer service:
    systemctl daemon-reload
    systemctl enable wazuh-indexer
    systemctl start wazuh-indexer
Verify the service status:
    systemctl status wazuh-indexer
Initialize Cluster
Run the security initialization script on one indexer node:
    /usr/share/wazuh-indexer/bin/indexer-security-init.sh
Verify installation (replace WAZUHINDEXERIP with the indexer address; admin:admin is the default credential, and -k skips TLS certificate verification):
    curl -k -u admin:admin https://WAZUHINDEXERIP:9200
    curl -k -u admin:admin https://WAZUHINDEXERIP:9200/_cat/nodes?v
Install Wazuh Server
    apt-get -y install wazuh-manager
Start the Wazuh manager service:
    systemctl daemon-reload
    systemctl enable wazuh-manager
    systemctl start wazuh-manager
    systemctl status wazuh-manager
Install and Configure Filebeat
Install the Filebeat package:
    apt-get -y install filebeat
Download the preconfigured Filebeat configuration file:
    curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
Edit the Filebeat configuration to set your Wazuh indexer address.
Create a Filebeat keystore and add credentials (admin/admin are the default indexer credentials used in this guide):
    filebeat keystore create
    echo admin | filebeat keystore add username --stdin --force
    echo admin | filebeat keystore add password --stdin --force
Download the alerts template for the Wazuh indexer:
    curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json
    chmod go+r /etc/filebeat/wazuh-template.json
Install the Wazuh module for Filebeat:
    curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
Deploy certificates for Filebeat (NODE_NAME must hold the server node name from config.yml, not the indexer node name used above):
    mkdir /etc/filebeat/certs
    tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
    mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
    mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
    chmod 500 /etc/filebeat/certs
    chmod 400 /etc/filebeat/certs/*
    chown -R root:root /etc/filebeat/certs
Start the Filebeat service:
    systemctl daemon-reload
    systemctl enable filebeat
    systemctl start filebeat
Verify Filebeat installation:
    filebeat test output
Install Wazuh Dashboard
Install necessary packages:
    apt-get install debhelper tar curl libcap2-bin
Install the Wazuh dashboard package:
    apt-get -y install wazuh-dashboard
Edit /etc/wazuh-dashboard/opensearch_dashboards.yml to set server.host and opensearch.hosts:
    nano /etc/wazuh-dashboard/opensearch_dashboards.yml
Deploy certificates (NODE_NAME must hold the dashboard node name from config.yml):
    mkdir /etc/wazuh-dashboard/certs
    tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
    mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
    mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
    chmod 500 /etc/wazuh-dashboard/certs
    chmod 400 /etc/wazuh-dashboard/certs/*
    chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
Start the Wazuh dashboard service:
    systemctl daemon-reload
    systemctl enable wazuh-dashboard
    systemctl start wazuh-dashboard
Access the Wazuh dashboard in your browser:
    https://wazuh-dashboard-ip
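The three certificate deployment steps above (indexer, Filebeat, dashboard) are one procedure with a different node name, destination, owner and final file name each time. The script below is an added example, not Wazuh's own code, that folds them into a single function and adds a check that the resulting directory matches the guide's permissions (directory mode 500, every file mode 400, the three expected files present). It assumes GNU tar, stat and chown (Linux), a tarball packed as the guide does so that members are stored as ./<node>.pem, and the node names wazuh-1 and dashboard for the server and dashboard nodes (the guide itself only names the indexer node, node-1). The placeholder PEM files the dry run builds are constructed sample data, not certificates.

```shell
#!/bin/sh
# Added example, not Wazuh's own code: one function for the three
# "Deploy certificates" steps in this guide (indexer, Filebeat, dashboard).
# Assumes GNU tar/stat/chown (Linux) and a tarball packed as the guide does
# (tar -cvf ... -C ./wazuh-certificates/ .), so members are named ./<node>.pem.
set -eu

# deploy_certs TARBALL NODE_NAME DEST_DIR OWNER TARGET_NAME [EXTRA_MEMBER...]
#   NODE_NAME     this host's node name in config.yml; certificates carry it
#   DEST_DIR      e.g. /etc/wazuh-indexer/certs
#   OWNER         user:group for chown, e.g. wazuh-indexer:wazuh-indexer
#   TARGET_NAME   base name the component expects: indexer, filebeat, dashboard
#   EXTRA_MEMBER  further files to extract besides root-ca.pem; the indexer
#                 also needs admin.pem and admin-key.pem
deploy_certs() {
    tarball=$1; node=$2; dest=$3; owner=$4; target=$5
    shift 5
    extras=""
    while [ $# -gt 0 ]; do extras="$extras ./$1"; shift; done
    mkdir -p "$dest"
    # shellcheck disable=SC2086  # $extras is deliberately word-split
    tar -xf "$tarball" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem $extras
    # -n keeps an existing file instead of overwriting it, as in the guide
    mv -n "$dest/$node.pem" "$dest/$target.pem"
    mv -n "$dest/$node-key.pem" "$dest/$target-key.pem"
    # Private key material: only the owner may list the directory or read files
    chmod 500 "$dest"
    chmod 400 "$dest"/*
    chown -R "$owner" "$dest"
}

# check_cert_layout DEST_DIR TARGET_NAME
# Returns 0 when DEST_DIR is mode 500, every file in it is mode 400 and the
# three files the component reads (TARGET.pem, TARGET-key.pem, root-ca.pem)
# exist; 1 otherwise. Usable as a post-deployment check on a real host.
check_cert_layout() {
    dest=$1; target=$2
    [ "$(stat -c %a "$dest")" = 500 ] || return 1
    for f in "$target.pem" "$target-key.pem" root-ca.pem; do
        [ -f "$dest/$f" ] || return 1
    done
    for f in "$dest"/*; do
        [ "$(stat -c %a "$f")" = 400 ] || return 1
    done
    return 0
}

# make_sample_tarball OUTDIR
# Builds a constructed wazuh-certificates.tar of placeholder PEM files for a
# dry run; real certificates come from wazuh-certs-tool.sh. Prints its path.
make_sample_tarball() {
    out=$1
    mkdir -p "$out/wazuh-certificates"
    for n in node-1 node-1-key wazuh-1 wazuh-1-key dashboard dashboard-key \
             admin admin-key root-ca; do
        printf 'PLACEHOLDER %s (constructed sample, not a certificate)\n' "$n" \
            > "$out/wazuh-certificates/$n.pem"
    done
    tar -cf "$out/wazuh-certificates.tar" -C "$out/wazuh-certificates" .
    printf '%s\n' "$out/wazuh-certificates.tar"
}

# Real use, as root, from the directory holding wazuh-certificates.tar
# (wazuh-1 and dashboard are assumed node names; node-1 is the guide's):
#   deploy_certs ./wazuh-certificates.tar node-1 /etc/wazuh-indexer/certs wazuh-indexer:wazuh-indexer indexer admin.pem admin-key.pem
#   deploy_certs ./wazuh-certificates.tar wazuh-1 /etc/filebeat/certs root:root filebeat
#   deploy_certs ./wazuh-certificates.tar dashboard /etc/wazuh-dashboard/certs wazuh-dashboard:wazuh-dashboard dashboard
# Dry run under a temporary directory, owned by the invoking user:
#   sh deploy_certs.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    tb=$(make_sample_tarball "$work")
    me="$(id -un):$(id -gn)"
    deploy_certs "$tb" node-1 "$work/wazuh-indexer/certs" "$me" indexer admin.pem admin-key.pem
    deploy_certs "$tb" wazuh-1 "$work/filebeat/certs" "$me" filebeat
    deploy_certs "$tb" dashboard "$work/wazuh-dashboard/certs" "$me" dashboard
    for c in wazuh-indexer:indexer filebeat:filebeat wazuh-dashboard:dashboard; do
        if check_cert_layout "$work/${c%%:*}/certs" "${c#*:}"; then
            echo "ok:   $work/${c%%:*}/certs"
        else
            echo "FAIL: $work/${c%%:*}/certs"
        fi
    done
fi
```

The dry run writes under mktemp and chowns to the invoking user, so it can be exercised as a normal user before touching /etc. On a deployed host, running check_cert_layout against each certs directory is a quick way to confirm nothing later loosened the modes the guide sets.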