Install Wazuh Server and Wazuh Agent

Install Wazuh Server 4.5 and Wazuh Agent 4.5

Wazuh Server: 10.9.200.207
Wazuh Agent alma: 10.9.200.10
Wazuh Agent rocky: 10.9.200.73
Wazuh Agent ubuntu: 10.9.200.46

Enable basic authentication on the Elastic Stack


Wazuh Server


Install Wazuh Manager 4.5 (AlmaLinux / RockyLinux)

  • Update the AlmaLinux / RockyLinux system
yum update -y && yum install nano wget curl net-tools epel-release -y
  • Add the Wazuh repository
cat > /etc/yum.repos.d/wazuh.repo << 'EOL'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOL
  • Import the Wazuh repository GPG key
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
  • Install Wazuh Manager 4.5.4 (latest as of 30 Oct 2023)
yum install wazuh-manager-4.5.4 -y
  • Enable the wazuh-manager service
systemctl enable --now wazuh-manager
systemctl status wazuh-manager
  • Disable the Wazuh repository
sed -i "s/enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
  • Check the Wazuh Manager version
rpm -qa wazuh-manager
---<output>---
wazuh-manager-4.5.4-1.x86_64

Elastic Stack


Install Elastic Stack 7.17.13 (AlmaLinux / RockyLinux)

  • Add the Elastic repository
cat > /etc/yum.repos.d/elasticstack.repo << EOL
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOL
  • Install Elasticsearch, Kibana, Filebeat 7.17.13
yum install -y elasticsearch-7.17.13 kibana-7.17.13 filebeat-7.17.13

Configure Elasticsearch

  • Change the Elastic cluster name
sed -i 's/#cluster.name: my-application/cluster.name: wazuh-elastic/' /etc/elasticsearch/elasticsearch.yml
  • If the Wazuh server has little RAM (under 8GB), limit the JVM heap so that RAM usage does not fill up. Here the JVM heap is limited to 2GB
nano /etc/elasticsearch/jvm.options.d/jvm-memory.options
---<file contents>---
-Xms2048m
-Xmx2048m
  • Enable the elasticsearch service
systemctl daemon-reload
systemctl enable --now elasticsearch
  • Verify elasticsearch
curl -XGET localhost:9200
---<output>---
{
  "name" : "almalinux-8-container",
  "cluster_name" : "wazuh-elastic",
  "cluster_uuid" : "m9LjprjbREiDqPYmFb3D3A",
  "version" : {
    "number" : "7.17.14",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "774e3bfa4d52e2834e4d9d8d669d77e4e5c1017f",
    "build_date" : "2023-10-05T22:17:33.780167078Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Configure Filebeat

  • Back up the filebeat configuration file
mv /etc/filebeat/filebeat.yml{,.original}
  • Edit the filebeat configuration file
cat > /etc/filebeat/filebeat.yml << 'EOL'
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["localhost:9200"]
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
      
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
EOL
  • Download the alerts template
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.5.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
  • Test the filebeat connection to elasticsearch
filebeat test output
---<output>---
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.17.13
  • Install the Wazuh module for filebeat
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xz -C /usr/share/filebeat/module
  • Enable the filebeat service
systemctl daemon-reload
systemctl enable --now filebeat
systemctl status filebeat

Configure Kibana

  • Set the Kibana listen IP address
sed -i -e '/server.host:/s/^#//' -e '/server.host:/s/localhost/0.0.0.0/' /etc/kibana/kibana.yml
  • Install the Wazuh plugin for Kibana
mkdir /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/plugins
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.4_7.17.13-1.zip
---<output>---
Transferring 36404504 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete
  • Verify the Wazuh plugin in Kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin list
---<output>---
wazuh@4.5.4
  • Enable the kibana service
systemctl enable --now kibana
systemctl status kibana
  • Restart the Elasticsearch and Wazuh manager services
systemctl restart elasticsearch wazuh-manager
  • Check the listening ports of the services
netstat -tulpn
---<output>---
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:55000           0.0.0.0:*               LISTEN      9297/python3        
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      8845/node           
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      9495/wazuh-remoted  
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9338/wazuh-authd    
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      8957/java           
tcp6       0      0 ::1:9300                :::*                    LISTEN      8957/java           
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      8957/java           
tcp6       0      0 ::1:9200                :::*                    LISTEN      8957/java           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           695/dhclient        
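The listing above shows Kibana (5601) and the Wazuh API (55000) bound to all interfaces alongside the agent ports 1514 and 1515. As an added example that is not part of the original post, the shell function below parses `netstat -tulpn` output and reports TCP listeners bound to a wildcard address whose port is not on an allowlist of ports expected to be reachable by agents; the allowlist (1514, 1515), the function names and the sample listing are assumptions for this lab.

```shell
# Added example (not from the original post). Ports that agents must reach
# from the network; everything else bound to 0.0.0.0 or :: gets reported.
# The allowlist is an assumption for this lab setup.
PUBLIC_PORTS="1514 1515"

# Constructed sample modelled on the netstat listing above (not captured output).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:55000           0.0.0.0:*               LISTEN      9297/python3
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      8845/node
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      9495/wazuh-remoted
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9338/wazuh-authd
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      8957/java
tcp6       0      0 :::9300                 :::*                    LISTEN      8957/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           695/dhclient'

# Print "PORT PID/PROGRAM" for every TCP listener bound to a wildcard address
# (0.0.0.0 or ::) whose port is not in PUBLIC_PORTS. Reads netstat output on stdin.
exposed_listeners() {
    awk -v allow="$PUBLIC_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # netstat -tulpn columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)              # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((host == "0.0.0.0" || host == "::") && !(port in ok))
                print port, $7
        }'
}

# Number of unexpected wildcard listeners in the sample listing.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '
}
```

On the server, run `netstat -tulpn | exposed_listeners` and decide for each reported port whether to bind it to localhost, restrict it with the firewall, or put authentication in front of it.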

Access Wazuh Manager

  • Access the Wazuh manager at the URL: http://server-IP-or-hostname:5601
  • Wazuh dashboard view

Wazuh Agent


Install Wazuh Agent 4.5: Manual Install (AlmaLinux)

  • Update the system
yum update -y && yum install nano net-tools wget curl -y
  • Add the Wazuh repository
cat > /etc/yum.repos.d/wazuh.repo << 'EOL'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOL
  • Import the Wazuh repository GPG key (over HTTPS, as on the server, so the key cannot be swapped in transit)
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
  • Install Wazuh Agent 4.5.4
  • The Wazuh agent version must not exceed the Wazuh server version; it must be the same or lower
yum install wazuh-agent-4.5.4
  • Disable the Wazuh repository
sed -i "s/enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
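The version rule above (agent version must not exceed the manager version) can be checked before the agent package is installed. As an added example that is not part of the original post, the shell functions below read the manager version from an `rpm -qa wazuh-manager` line in the format shown earlier and compare dotted versions component-wise; the function names are assumptions for this example.

```shell
# Added example (not from the original post): enforce "agent version <= manager
# version" before installing an agent. Function names are made up for the example.

# Extract "X.Y.Z" from an rpm -qa line such as "wazuh-manager-4.5.4-1.x86_64".
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^wazuh-[a-z]*-\([0-9][0-9.]*\)-.*/\1/p'
}

# Return 0 if dotted version $1 <= $2, comparing each numeric component;
# a missing component counts as 0, so 4.5 <= 4.5.4 holds.
version_le() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Decide whether agent version $2 may be installed against the manager whose
# `rpm -qa wazuh-manager` line is $1. Prints the verdict and returns 0 (ok) or 1.
agent_install_allowed() {
    manager_ver=$(rpm_version "$1")
    if [ -z "$manager_ver" ]; then
        echo "unknown manager version"; return 1
    fi
    if version_le "$2" "$manager_ver"; then
        echo "ok: agent $2 <= manager $manager_ver"; return 0
    fi
    echo "refuse: agent $2 > manager $manager_ver"; return 1
}
```

On the manager, `agent_install_allowed "$(rpm -qa wazuh-manager)" 4.5.4` gives the verdict for the version you are about to install.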

  • Add the Wazuh agent on the Wazuh server
  • Choose A to add an agent
  • Enter the agent name and the agent IP address
/var/ossec/bin/manage_agents
---<output>---
****************************************
* Wazuh v4.5.4 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: alma8
   * The IP Address of the new agent: 10.9.200.10
Confirm adding it?(y/n): y
Agent added with ID 001.
  • Alternatively, the following simpler command does the same
/var/ossec/bin/manage_agents -a 10.9.200.10 -n alma8
  • Check the agent list on the Wazuh server
  • The Wazuh agent has been added on the Wazuh server with ID 001
/var/ossec/bin/manage_agents -l
---<output>---
Available agents: 
   ID: 001, Name: alma8, IP: 10.9.200.10
  • Register the Wazuh agent on the Wazuh server
  • Copy the agent key and keep it in a text editor for the next step
/var/ossec/bin/manage_agents -e 001
---<output>---
Agent key information for '001' is: 
MDAxIGFsbWE4IDEwLjkuMjAwLjEwIDQzNDRkMTI0NzkwODRhMDU4M2VhMGQ0MGFkMDg0ZGM1MWUwMjU3YTExNGY1ZjU4MTY5ZGM5ZjliMDU3ZTE2YmI=

  • Set the Wazuh server address on the Wazuh agent
nano /var/ossec/etc/ossec.conf
---<edit the address section>---
<ossec_config>
  <client>
    <server>
      <address>10.9.200.207</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>almalinux, almalinux8, almalinux8.8</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
  • Import the agent key on the Wazuh agent
  • Choose I to import the key
  • Paste the agent key copied earlier, then confirm
/var/ossec/bin/manage_agents
---<output>---
****************************************
* Wazuh v4.5.4 Agent manager.          *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIGFsbWE4IDEwLjkuMjAwLjEwIDQzNDRkMTI0NzkwODRhMDU4M2VhMGQ0MGFkMDg0ZGM1MWUwMjU3YTExNGY1ZjU4MTY5ZGM5ZjliMDU3ZTE2YmI=

Agent information:
   ID:001
   Name:alma8
   IP Address:10.9.200.10

Confirm adding it?(y/n): y
Added.
  • Alternatively, the agent can be added to the Wazuh server by requesting its key from the Wazuh agent itself; make sure port 1515 is reachable from the Wazuh agent to the Wazuh server
/var/ossec/bin/agent-auth -m 10.9.200.207 -A alma8 -I 10.9.200.10
  • Enable the wazuh-agent service
systemctl enable --now wazuh-agent
systemctl status wazuh-agent
systemctl restart wazuh-agent
  • Verify the Wazuh agent on the Wazuh server; make sure its status is Active
/var/ossec/bin/agent_control -l
---<output>---
Wazuh agent_control. List of available agents:
   ID: 000, Name: almalinux-8 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: alma8, IP: 10.9.200.10, Active
  • Verify the agent data in Wazuh Manager
  • Navigate to Wazuh > Modules > Security Events to see the security events and the dashboard

Install Wazuh Agent 4.5: Automatic Install (Ubuntu)

  • Update the repositories
apt update && apt install wget curl net-tools -y
  • Add the Wazuh repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
  • Install the Wazuh agent
apt update && apt install wazuh-agent
  • Make sure the Wazuh agent can reach the Wazuh server
telnet 10.9.200.207 1515
---<output>---
Trying 10.9.200.207...
Connected to 10.9.200.207.
Escape character is '^]'.
  • Add the agent to the Wazuh server from the Wazuh agent
/var/ossec/bin/agent-auth -m 10.9.200.207 -A ubuntu22
---<output>---
2023/10/30 10:20:33 agent-auth: INFO: Started (pid: 9881).
2023/10/30 10:20:33 agent-auth: INFO: Requesting a key from server: 10.9.200.207
2023/10/30 10:20:33 agent-auth: INFO: No authentication password provided
2023/10/30 10:20:33 agent-auth: INFO: Using agent name as: ubuntu22
2023/10/30 10:20:33 agent-auth: INFO: Waiting for server reply
2023/10/30 10:20:33 agent-auth: INFO: Valid key received
  • Set the Wazuh server address on the Wazuh agent
sed -i 's/MANAGER_IP/10.9.200.207/' /var/ossec/etc/ossec.conf
  • Enable the wazuh-agent service
systemctl enable --now wazuh-agent
systemctl restart wazuh-agent
  • Verify the Wazuh agent on the Wazuh server; make sure its status is Active
/var/ossec/bin/agent_control -l
---<output>---
Wazuh agent_control. List of available agents:
   ID: 000, Name: almalinux-8 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: alma8, IP: 10.9.200.10, Active
   ID: 002, Name: ubuntu22, IP: any, Active

List of agentless devices:
  • Verify the agent data in Wazuh Manager

Install Wazuh Agent 4.5: Web Install (RockyLinux)

  • Update the system (RockyLinux uses yum, not apt)
yum update -y && yum install nano net-tools wget curl -y
  • Go to Wazuh App > Deploy new agent
  • Choose RedHat Enterprise Linux > version: RedHat 7+ > Architecture: x86_64 > enter the Wazuh server IP address: 10.9.200.207 > enter the agent name: rocky8 > Choose group: default > Copy the Wazuh agent installer script > Enable the wazuh-agent service
sudo WAZUH_MANAGER='10.9.200.207' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='rocky8' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.5.4-1.x86_64.rpm

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
  • Verify the Wazuh agent on the Wazuh server; make sure its status is Active
/var/ossec/bin/agent_control -l
---<output>---
Wazuh agent_control. List of available agents:
   ID: 000, Name: almalinux-8 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: alma8, IP: 10.9.200.10, Active
   ID: 002, Name: ubuntu22, IP: any, Active
   ID: 003, Name: rocky8, IP: any, Active

List of agentless devices:
  • Verify the agent data in Wazuh Manager
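The verification steps in the three agent sections above rely on reading `agent_control -l` by eye. As an added example that is not part of the original post, the shell functions below parse that listing and report agents whose status is not Active, plus agents enrolled with `IP: any` (as ubuntu22 and rocky8 were, having been enrolled without a source IP), whose key is not pinned to a source address; the embedded listing is constructed and the function names are assumptions for this example.

```shell
# Added example (not from the original post). Function names are made up for it.
# Constructed agent_control -l listing modelled on the output above, with two
# extra states so the checks have something to find (not captured output).
SAMPLE_AGENTS='Wazuh agent_control. List of available agents:
   ID: 000, Name: almalinux-8 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: alma8, IP: 10.9.200.10, Active
   ID: 002, Name: ubuntu22, IP: any, Disconnected
   ID: 003, Name: rocky8, IP: any, Active
   ID: 004, Name: web01, IP: 10.9.200.55, Never connected

List of agentless devices:'

# Turn each "ID: .., Name: .., IP: .., STATUS" line into "ID|NAME|IP|STATUS".
parse_agents() {
    sed -n 's/^ *ID: \([0-9]*\), Name: \(.*\), IP: \(.*\), \(.*\)$/\1|\2|\3|\4/p'
}

# Print "ID NAME STATUS" for every agent that is not Active, skipping the
# manager itself (ID 000). Reads agent_control -l output on stdin.
not_active_agents() {
    parse_agents | awk -F'|' '$1 != "000" && $4 != "Active" { print $1, $2, $4 }'
}

# Print "ID NAME" for agents whose key is not bound to a source IP ("any"),
# i.e. the manager accepts that agent key from any address.
any_ip_agents() {
    parse_agents | awk -F'|' '$3 == "any" { print $1, $2 }'
}

# Counts over the constructed sample; on a real manager pipe
# `/var/ossec/bin/agent_control -l` into the functions instead.
count_not_active() { printf '%s\n' "$SAMPLE_AGENTS" | not_active_agents | wc -l | tr -d ' '; }
count_any_ip()     { printf '%s\n' "$SAMPLE_AGENTS" | any_ip_agents | wc -l | tr -d ' '; }
```

A non-empty `not_active_agents` result is the thing to alert on: an agent that stops reporting stops producing the events the Security Events module shows.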

herdiana3389

A system administrator with skills in system administration, virtualization, linux, windows, networking, cloud computing, container, etc.