Emmanuel Akobe-Ajibolu
14 min read · Jan 15, 2024
Welcome to our guide on installing Wazuh, an open-source security platform with SIEM and XDR capabilities: log collection and analysis, threat detection, file integrity monitoring, vulnerability detection, incident response and compliance reporting. Whether you are a seasoned security professional or a curious enthusiast, this step-by-step tutorial walks you through installing Wazuh 4.7 on Ubuntu 22.04, first with the installation assistant and then component by component so you can see what the assistant does for you.
Download Ubuntu 22.04.3 LTS from here. Once your server is set up and ready follow the instructions below.
Before we begin the installation process, it’s essential to ensure that your APT (Advanced Package Tool) repository is up-to-date. This step ensures that you have access to the latest package information and versions.
Open your terminal and run the following command
sudo apt update
All commands below must be run as root or with equivalent privileges, so switch to a root shell first: sudo su
Download and execute the Wazuh installation assistant with the following command. The -a flag performs an all-in-one installation: the indexer, server and dashboard all land on this host, and the certificates and passwords are generated for you.
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
When the script finishes it prints the admin user and a generated password once. Copy them, then browse to https://your_server_ip (the dashboard listens on 443 with a certificate signed by the freshly generated root CA, so a browser warning is expected), log in with the printed credentials, and start exploring your Wazuh dashboard.
Troubleshooting dashboard load issues:
If the dashboard fails to load or reports that it cannot reach the indexer, the cause is almost always the indexer: it runs on the JVM and needs several gigabytes of RAM that a small VM may not have. Check the wazuh-indexer service status and journal for out-of-memory or bind errors, give the machine more memory and CPU, and reboot.
If you’re someone like me, inclined to take the scenic route and delve deeper into understanding how things work under the hood, the manual installation process is tailor-made for you. Follow the instructions below to gain a hands-on understanding of each component’s installation and configuration.
Wazuh is built around three central components, each with a distinct role:
1. Indexer: a fork of OpenSearch that stores and indexes the alerts and events the server produces and answers the dashboard's queries. It has the largest memory footprint of the three.
2. Server: the Wazuh manager. It receives data from the agents, runs it through the decoders and rules, generates alerts, and manages agent enrolment and configuration. Filebeat, installed alongside it, forwards the alerts to the indexer.
3. Dashboard: a web interface built on OpenSearch Dashboards, with pre-built views for security events, vulnerabilities, file integrity monitoring, configuration assessments, cloud infrastructure monitoring and compliance standards.
Together these three components form the foundation of Wazuh; they can run on one host or be spread across several.
In an all-in-one installation scenario, all three critical components of Wazuh — Indexer, Server, and Dashboard — are consolidated onto a single server. This streamlined approach simplifies the setup process, making it particularly convenient for users seeking a quick and straightforward deployment.
The all-in-one configuration is well-suited for environments with moderate security needs or those looking for a rapid deployment solution. While it offers simplicity, it’s essential to assess your specific security requirements and infrastructure scalability to determine the most suitable installation approach.
Indexer
The installation process is divided into three stages.
- Certificate creation.
- Nodes installation.
- Cluster initialization.
Don’t forget to switch to root or any high-privileged user and update your apt-get repo before starting.
Let’s create a folder called wazuh-installer for all our setup files.
mkdir wazuh-installer
cd into the specified directory, then follow these steps.
1. Certificate creation.
Generating the SSL certificates.
Download the wazuh-certs-tool.sh script and the config.yml configuration file. This creates the certificates that encrypt communications between the Wazuh central components.
curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.7/config.yml
Edit ./config.yml and replace the node names and IP values with the corresponding names and IP addresses. You need to do this for all Wazuh server, Wazuh indexer, and Wazuh dashboard nodes. Add as many node fields as needed.
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"
Use the ip a command to retrieve your server's IP. In this example the server IP is 192.168.251.150; for an all-in-one installation every ip field above (node-1, wazuh-1 and dashboard) gets that same address. Keep the node names: they are what the certificates are issued for and what you will reference in the component configuration files.
Run ./wazuh-certs-tool.sh to create the certificates. For a multi-node cluster, these certificates need to be later deployed to all Wazuh instances in your cluster.
bash ./wazuh-certs-tool.sh -A
Compress all the necessary files.
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates
2. Nodes installation.
Installing package dependencies.
apt-get install debconf adduser procps
Adding Wazuh repository.
Install the following packages if you don’t have them already.
apt-get install gnupg apt-transport-https
Install GPG key.
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Adding the repository.
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information.
apt-get update
Installing Wazuh indexer.
Install the Wazuh indexer package.
apt-get -y install wazuh-indexer
Configuring Wazuh indexer.
Edit the /etc/wazuh-indexer/opensearch.yml configuration file and replace the following values:
- network.host: Sets the address of this node for both HTTP and transport traffic. The node binds to this address and uses it as its publish address. Accepts an IP address or a hostname. Use the same node address set in config.yml to create the SSL certificates, otherwise clients validating the certificate will reject the connection.
- node.name: Name of the Wazuh indexer node as defined in the config.yml file. For example, node-1.
- cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are defined in the config.yml file. Uncomment the node-2 and node-3 lines, change the names, or add more lines, according to your config.yml definitions.
For the single-node example in this guide that means network.host is 192.168.251.150, node.name is node-1, and cluster.initial_master_nodes lists only node-1.
Deploying certificate.
Ensure you are in the “wazuh-installer” directory created earlier. This is crucial as we will require the “wazuh-certificates.tar” file from the previous steps.
Run the following commands, replacing node-1 with the name of the Wazuh indexer node you are configuring as defined in config.yml. This deploys the SSL certificates that encrypt communications between the Wazuh central components. Only this node's certificate and key, the admin certificate and the root CA are extracted, so the other nodes' private keys never leave the archive.
NODE_NAME=node-1
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
Recommended action: If no other Wazuh components are going to be installed on this node, remove the wazuh-certificates.tar file by running rm -f ./wazuh-certificates.tar to increase security.
Starting the service
Enable and start the Wazuh indexer service.
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
Confirm the status of the wazuh-indexer service with the command below. If it shows active (running), you're good to go.
systemctl status wazuh-indexer
3. Cluster initialization.
Run the indexer-security-init.sh script on any one Wazuh indexer node (once, not on every node) to load the certificates into the security plugin and initialize the cluster. This also creates the internal users, including admin with the default password admin, which is why changing the passwords at the end of this guide is not optional.
/usr/share/wazuh-indexer/bin/indexer-security-init.sh
Testing the cluster installation.
Replace <WAZUH_INDEXER_IP> and run the following command to confirm that the installation is successful. The response is a JSON document with the node name, cluster name and version. Note that -k disables certificate verification; it is acceptable for this smoke test only because the certificate is signed by our own root CA, which curl does not trust yet.
curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
Replace <WAZUH_INDEXER_IP> and run the following command to check if the single-node is working correctly.
curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
Mine works perfectly fine :)
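A slightly stricter version of this smoke test, added here as an example and not part of the original post or of Wazuh: it validates the indexer's certificate against the root CA instead of passing -k, keeps the password out of the process list, and interprets _cluster/health rather than eyeballing a JSON blob. The URL, CA path and credentials are the tutorial's defaults and are assumptions you can override through the environment; the JSON the parser is exercised on below is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Wazuh: a post-install
# health check for the indexer. The defaults are the tutorial's values and
# are assumptions; override them in the environment.
set -u

: "${INDEXER_URL:=https://192.168.251.150:9200}"
: "${INDEXER_CA:=/etc/wazuh-indexer/certs/root-ca.pem}"   # verify, don't -k
: "${INDEXER_USER:=admin}"
: "${INDEXER_PASS:=admin}"                                 # rotate with wazuh-passwords-tool.sh

# json_field JSON NAME: value of a top-level scalar field (string, number or
# boolean) in a flat JSON object such as the _cluster/health response.
json_field() {
  printf '%s' "$1" \
    | grep -oE "\"$2\"[[:space:]]*:[[:space:]]*(\"[^\"]*\"|[0-9]+|true|false)" \
    | head -n1 | sed -E 's/^[^:]*:[[:space:]]*//; s/^"//; s/"$//'
}

# assess_cluster_health JSON EXPECTED_NODES: prints a summary and returns
#   0  green and the expected number of nodes joined
#   1  yellow: all primaries up, some replicas unassigned (normal on a
#      single node for indices that still request replicas)
#   2  red, unknown, or a node count other than expected (a node that did
#      not join is the usual multi-node failure; on one node it means the
#      JVM is not up)
assess_cluster_health() {
  local status nodes
  status=$(json_field "$1" status)
  nodes=$(json_field "$1" number_of_nodes)
  echo "cluster status=${status:-unknown} nodes=${nodes:-?} expected=$2"
  [ "${nodes:-0}" = "$2" ] || return 2
  case $status in
    green)  return 0 ;;
    yellow) return 1 ;;
    *)      return 2 ;;
  esac
}

# wazuh_indexer_health [EXPECTED_NODES]: live query. The credentials are
# handed to curl through --config on stdin so they never show up in `ps`.
wazuh_indexer_health() {
  local body
  body=$(printf 'user = "%s:%s"\n' "$INDEXER_USER" "$INDEXER_PASS" \
         | curl -sS --config - --cacert "$INDEXER_CA" "$INDEXER_URL/_cluster/health") || return 2
  assess_cluster_health "$body" "${1:-1}"
}
```

Run wazuh_indexer_health 1 on the all-in-one host; a curl failure here (CA rejected, wrong address, port closed) is the same class of problem Filebeat will hit later, so it is cheaper to find now.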
Wazuh server.
The Wazuh indexer is now successfully installed on your single-node or multi-node cluster, and you can proceed with installing the Wazuh server.
The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when threats or anomalies are detected. It is also used to remotely manage the agents’ configuration and monitor their status. If you want to learn more about the Wazuh components, check here.
Wazuh server installation process is divided into two stages.
- Wazuh server node installation
- Cluster configuration for multi-node deployment
Wazuh server node installation.
Installing the Wazuh manager.
Install the Wazuh manager package.
apt-get -y install wazuh-manager
Enable and start Wazuh manager service.
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Run the following command to verify the Wazuh manager status.
systemctl status wazuh-manager
Installing Filebeat.
Install the Filebeat package.
apt-get -y install filebeat
Configuring Filebeat.
Download the preconfigured Filebeat configuration file.
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
- hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default the host is set to localhost, hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer address.
The default would reach the indexer on an all-in-one host, but set it to the address used in config.yml (192.168.251.150 here): Filebeat validates the indexer's certificate against root-ca.pem, and the address it dials must be one the certificate was issued for. Scroll down to the Elasticsearch output section and edit the host IP as shown below.
Uncomment protocol, username and password, and reference the credentials as ${username} and ${password}. These variables are resolved from the Filebeat keystore created in the next step, so no password is stored in plain text in filebeat.yml.
# Wazuh - Filebeat configuration file
output.elasticsearch:
hosts: ["192.168.251.150:9200"]
protocol: https
username: ${username}
password: ${password}
Create a Filebeat keystore to securely store authentication credentials.
filebeat keystore create
Add the default username and password admin:admin to the secrets keystore.
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force
Download the alerts template for the Wazuh indexer.
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Install the Wazuh module for Filebeat.
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
Deploying certificates.
The wazuh-certificates.tar is still in this folder, but NODE_NAME must now be the Wazuh server node name from config.yml (wazuh-1 in the template), not the indexer's node-1: the certificates tool issued one certificate per node, and Filebeat has to present the server's.
NODE_NAME=wazuh-1
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
Starting the Filebeat service.
Enable and start the Filebeat service.
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
Run the following command to verify that Filebeat can reach and authenticate to the indexer; the connection, TLS handshake and talk-to-server steps should all report OK.
filebeat test output
If instead you get handshake... ERROR x509, do not dismiss it as a self-signed-certificate nuisance: Filebeat already trusts our own root CA through ssl.certificate_authorities in filebeat.yml, so an x509 error means the indexer's certificate did not validate against that CA or was not issued for the address in hosts. Until this passes, Filebeat ships nothing to the indexer, and the wazuh alerts template it is responsible for loading is never created. Check that hosts matches the address used in config.yml, that /etc/filebeat/certs/root-ca.pem came from the same wazuh-certificates.tar as the indexer's certificate, and that the indexer is listening on port 9200.
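To turn that x509 error into a concrete diagnosis, here is an added example (my own script, not from the post or from Wazuh) that performs the three checks Filebeat's TLS client effectively performs: does the indexer certificate chain to root-ca.pem, does the private key in the certs directory match its certificate, and is the address written in hosts present in the certificate's Subject Alternative Name. The same checks are worth running right after wazuh-certs-tool.sh produces the archive, before anything is deployed. It assumes the tool's file naming and an openssl binary (1.1.1 or newer); make_demo_certs builds a throwaway, constructed CA and node certificate so the script can be tried without touching /etc.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the Wazuh project: checks a
# certificate set the way Filebeat's TLS client will before it ships a single
# alert. Assumes the layout wazuh-certs-tool.sh writes (root-ca.pem,
# <node>.pem, <node>-key.pem) and an openssl binary (1.1.1 or newer).
set -u

# 0 when LEAF was issued by the CA in CAFILE (what ssl.certificate_authorities checks).
cert_chains_to_ca() {            # $1 = root-ca.pem  $2 = leaf .pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the private key belongs to the certificate; a mismatched pair is the
# typical result of extracting the wrong $NODE_NAME from the archive.
key_matches_cert() {             # $1 = leaf .pem  $2 = private key
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 0 when HOST (IP or DNS name, exactly as written in filebeat.yml "hosts") is
# in the certificate's Subject Alternative Name; otherwise the handshake fails.
san_contains_host() {            # $1 = leaf .pem  $2 = host
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF -e "IP Address:$2" -e "DNS:$2"
}

# Runs all three checks, prints a verdict per check, returns the failure count.
wazuh_cert_check() {             # $1 = ca  $2 = cert  $3 = key  $4 = host
  local fails=0
  if cert_chains_to_ca "$1" "$2"; then echo "chain: OK"; else echo "chain: FAIL ($2 not issued by $1)"; fails=$((fails+1)); fi
  if key_matches_cert "$2" "$3";  then echo "key:   OK"; else echo "key:   FAIL (key does not match $2)"; fails=$((fails+1)); fi
  if san_contains_host "$2" "$4"; then echo "san:   OK"; else echo "san:   FAIL ($4 not in SAN of $2)"; fails=$((fails+1)); fi
  return "$fails"
}

# Constructed stand-in for the tool's output: a throwaway 1-day CA and node
# certificate with the given IP and name in the SAN, written to DIR.
make_demo_certs() {              # $1 = dir  $2 = node name  $3 = node ip
  local d=$1 n=$2 ip=$3
  mkdir -p "$d" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
  printf 'subjectAltName=IP:%s,DNS:%s\n' "$ip" "$n" > "$d/san.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-root-ca" \
    -keyout "$d/root-ca-key.pem" -out "$d/root-ca.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -sha256 -in "$d/root-ca.csr" -signkey "$d/root-ca-key.pem" \
    -extfile "$d/ca.cnf" -out "$d/root-ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$n" \
    -keyout "$d/$n-key.pem" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -sha256 -in "$d/$n.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca-key.pem" \
    -CAcreateserial -extfile "$d/san.cnf" -out "$d/$n.pem" >/dev/null 2>&1
}

# Stand-alone demo: ./script --demo checks a constructed set for the tutorial's IP.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_certs "$tmp" node-1 192.168.251.150 \
    && wazuh_cert_check "$tmp/root-ca.pem" "$tmp/node-1.pem" "$tmp/node-1-key.pem" 192.168.251.150
  rm -rf "$tmp"
fi
```

On the real server, the call that mirrors filebeat test output is wazuh_cert_check /etc/filebeat/certs/root-ca.pem /etc/wazuh-indexer/certs/indexer.pem /etc/wazuh-indexer/certs/indexer-key.pem 192.168.251.150 (run as root, since the key is mode 400). A chain failure points at mixed-up archives, a key failure at the wrong NODE_NAME during extraction, and a SAN failure at a hosts value that differs from the ip in config.yml.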
Your Wazuh server node is now successfully installed.
Wazuh dashboard.
This central component serves as a versatile and user-friendly web interface designed for extracting, analyzing, and presenting security data. Offering pre-built dashboards, it enables effortless navigation through the user interface.
The Wazuh dashboard empowers users to visualize a spectrum of security elements, including security events, identified vulnerabilities, data from file integrity monitoring, results of configuration assessments, events from cloud infrastructure monitoring, and adherence to regulatory compliance standards.
Wazuh dashboard installation.
Installing package dependencies.
Install the following packages.
apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later
Installing the Wazuh dashboard.
Install the Wazuh dashboard package.
apt-get -y install wazuh-dashboard
Configuring the Wazuh dashboard.
Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and replace the following values:
- server.host: This setting specifies the host of the Wazuh dashboard server. To allow remote users to connect, set the value to the IP address or DNS name of the Wazuh dashboard server. The value 0.0.0.0 will accept all the available IP addresses of the host.
- opensearch.hosts: The URLs of the Wazuh indexer instances to use for all your queries. The Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster. The addresses of the nodes can be separated by commas. For example, ["https://10.0.0.2:9200", "https://10.0.0.3:9200", "https://10.0.0.4:9200"]. For this guide that is ["https://192.168.251.150:9200"].
Deploying certificates.
Set NODE_NAME to the dashboard node name from config.yml (dashboard in the template) so that the dashboard serves its own certificate rather than the indexer's or the server's.
NODE_NAME=dashboard
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
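The three Deploying certificates steps above (indexer, Filebeat, dashboard) differ only in node name, destination, file prefix and owner. As an added example, not taken from the post or from Wazuh, here is that step as one function plus the check a reviewer would want afterwards: directory 500, files 400, owned by the service account, and no other node's private key left behind. It assumes Linux with GNU coreutils (stat -c, mv -n); the demo_deploy helper feeds it a constructed archive with dummy PEM contents so it can be exercised without root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Wazuh project): the three
# near-identical "Deploying certificates" steps for the indexer, Filebeat and
# the dashboard as one function, plus the permission check the tutorial never
# runs. Linux with GNU coreutils assumed (stat -c, mv -n).
set -u

# deploy_wazuh_certs TAR NODE DEST PREFIX OWNER [extra tar members...]
#   TAR    wazuh-certificates.tar written by wazuh-certs-tool.sh
#   NODE   node name from config.yml: node-1 | wazuh-1 | dashboard
#   DEST   /etc/wazuh-indexer/certs | /etc/filebeat/certs | /etc/wazuh-dashboard/certs
#   PREFIX file name the component expects: indexer | filebeat | dashboard
#   OWNER  user:group, e.g. wazuh-indexer:wazuh-indexer (root:root for Filebeat)
#   extra  additional members, e.g. ./admin.pem ./admin-key.pem on the indexer
deploy_wazuh_certs() {
  local tarball=$1 node=$2 dest=$3 prefix=$4 owner=$5
  shift 5
  mkdir -p "$dest" || return 1
  # Only this node's pair and the CA leave the archive; other nodes' keys stay packed.
  tar -xf "$tarball" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem "$@" || return 1
  mv -n "$dest/$node.pem" "$dest/$prefix.pem"
  mv -n "$dest/$node-key.pem" "$dest/$prefix-key.pem"
  chmod 500 "$dest"
  chmod 400 "$dest"/*
  chown -R "$owner" "$dest"
}

# verify_cert_dir DEST OWNER PREFIX: 0 when the directory is 500 and every
# expected file exists with mode 400 and is owned by OWNER (name or numeric
# user:group); prints one line per problem and returns 1 otherwise.
verify_cert_dir() {
  local dest=$1 owner=$2 prefix=$3 bad=0 f
  [ "$(stat -c '%a' "$dest")" = 500 ] || { echo "$dest: mode should be 500"; bad=1; }
  for f in "$prefix.pem" "$prefix-key.pem" root-ca.pem; do
    if [ ! -f "$dest/$f" ]; then echo "$dest/$f: missing"; bad=1; continue; fi
    [ "$(stat -c '%a' "$dest/$f")" = 400 ] || { echo "$dest/$f: mode should be 400"; bad=1; }
    [ "$(stat -c '%U:%G' "$dest/$f")" = "$owner" ] || [ "$(stat -c '%u:%g' "$dest/$f")" = "$owner" ] \
      || { echo "$dest/$f: owner should be $owner"; bad=1; }
  done
  return $bad
}

# demo_deploy DIR: constructed stand-in for the real archive (dummy PEM text,
# same member names as the tool's output), deployed as the indexer into DIR
# and then verified; runs as an unprivileged user.
demo_deploy() {
  local d=$1 f me
  me="$(id -u):$(id -g)"
  mkdir -p "$d/wazuh-certificates"
  for f in root-ca.pem admin.pem admin-key.pem node-1.pem node-1-key.pem wazuh-1.pem wazuh-1-key.pem dashboard.pem dashboard-key.pem; do
    printf -- '-----DUMMY %s-----\n' "$f" > "$d/wazuh-certificates/$f"
  done
  tar -cf "$d/wazuh-certificates.tar" -C "$d/wazuh-certificates" .
  deploy_wazuh_certs "$d/wazuh-certificates.tar" node-1 "$d/certs" indexer "$me" ./admin.pem ./admin-key.pem \
    && verify_cert_dir "$d/certs" "$me" indexer
}
```

On the real host the tutorial's three steps become, as root: deploy_wazuh_certs ./wazuh-certificates.tar node-1 /etc/wazuh-indexer/certs indexer wazuh-indexer:wazuh-indexer ./admin.pem ./admin-key.pem, then the same call with wazuh-1 /etc/filebeat/certs filebeat root:root, then dashboard /etc/wazuh-dashboard/certs dashboard wazuh-dashboard:wazuh-dashboard, each followed by verify_cert_dir on the destination. Re-run verify_cert_dir after any package upgrade; a key file that has drifted to 644 is readable by every local account.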
Starting the Wazuh dashboard service.
Enable and start the Wazuh dashboard service.
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
Access the Wazuh web interface with your credentials.
URL: https://<wazuh-dashboard-ip>
Username: admin
Password: admin
If Filebeat failed its output test earlier, logging in will show the [Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*] error: Filebeat is what loads the wazuh alerts template into the indexer (setup.template.json.path in filebeat.yml points at the file downloaded above), and it could not connect. The command below loads the template by hand, which clears the dashboard error; it does not make Filebeat deliver alerts, so the connection problem on the server still has to be fixed.
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k
Replace <elasticsearch_user>:<elasticsearch_password> with admin:admin (or the password you set later) and localhost with your server IP. The template has to match the installed release, which is why the URL points at v4.7.2, the same tag used for /etc/filebeat/wazuh-template.json.
Reload the webpage, and the error should be resolved. Welcome to your newly installed Wazuh server dashboard!
Securing your Wazuh installation.
Now that all Wazuh central components are installed and configured, change the default credentials before doing anything else: admin:admin is public knowledge, and both the indexer API on port 9200 and the dashboard on 443 are reachable from the network. The Wazuh passwords tool changes the passwords of all indexer internal users and all Wazuh API users at once and, on a host where Filebeat and the dashboard are installed, updates their keystores to match. The new passwords are printed once.
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
Store the new credentials in your password manager. Afterwards the old admin:admin pair should be rejected with a 401 by https://<WAZUH_INDEXER_IP>:9200, and the dashboard login should only accept the new password.
With this we have come to the end of the setup, but why not take things a step further and add a few agents ?
Adding agents.
Wazuh default page:
Add our first agent — Windows Agent.
Click Add agent.
Select Windows as the agent platform and enter the Wazuh server IP address. This address is baked into the generated install command as the manager the agent will enrol with, so it must be reachable from the endpoint.
Assign a name to the agent.
Copy the PowerShell command.
Open Powershell as administrator on the intended Windows host, paste the command copied above, and hit enter. This might take a while as the agent is being downloaded to the Windows machine.
Start the Wazuh agent on the host using the command provided — execute in Powershell also.
The agent should show up as connected on the dashboard now.
Adding another agent, an Ubuntu desktop:
Repeat the same dashboard steps, this time choosing Linux as the platform, and copy the generated command. Run it in a terminal on the Ubuntu host as a privileged user; it downloads and installs the wazuh-agent package preconfigured with the manager address.
Start the Wazuh agent:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Wazuh dashboard should now show that the new agent has been added.
Congratulations on successfully installing and configuring Wazuh SIEM! With the completion of this guide, your SIEM setup is now fully operational, and equipped to detect and respond to security threats effectively.
Don’t forget to fortify your system’s security by changing the default credentials. This simple yet crucial step adds an extra layer of protection against potential threats.
Having already added two agents to your SIEM, you’ve extended its reach to monitor additional endpoints. This proactive approach ensures comprehensive security coverage across your digital environment.
Stay tuned for more insights and best practices as we continue to explore advanced features and optimizations in upcoming posts.