WAZUH (indexer and dashboard) Installation.

Part of this SIEM Build

The Wazuh Security Information and Event Management (SIEM) solution provides monitoring, detection, and alerting of security events and incidents.

Installation of Wazuh (I have followed the steps provided in the document plus some references found through Google searches).

Follow the installation steps 1 to 5 from the above-mentioned installation document.

Prep work:

  1. Set the hostname to an FQDN so the certificates can be generated.
  2. Prepare the environment for installation.

I have two interfaces on my Linux host (one connected to the external network and another connected to the internal network, for security reasons).

External facing:

Internal facing:

Set up a hostname so the FQDN resolves:

Edit the hosts file and add the name you want to use (in my case soclab.bb.local):

vi /etc/hosts

10.10.9.1 soclab.bb.local soclab

I am able to ping it successfully:

Step 1 – Download the wazuh-certs-tool.sh script and the config.yml configuration file. This creates the certificates that encrypt communications between the Wazuh central components.

curl -sO https://packages.wazuh.com/4.3/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.3/config.yml

Step 2 – Edit config.yml to match our environment:

My config.yml looks as below:

Step 3 – Run the certificate tool:
bash ./wazuh-certs-tool.sh -A

You should see the files below in the wazuh-certificates folder.

Step 4 – Tar the files and keep them ready for the later steps.
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .

Follow the steps below to install the packages and Wazuh:

Installing package dependencies

Adding the Wazuh repository

Installing the Wazuh indexer

Configuring the Wazuh indexer (my config is below)

Deploying certificates

NODE_NAME=soclab.bb.local

mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

My certs folder contains the following:

Start the services:

# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer

Now the Wazuh indexer is running; next, initialize the cluster security:

# /usr/share/wazuh-indexer/bin/indexer-security-init.sh

Check that ports 9200 and 9300 are listening:

Testing:

# curl -k -u admin:admin https://soclab.bb.local:9200

Seeing the results below means the indexer is running as expected:
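An added check for the certificate deployment and service start-up above (my own example, not the Wazuh project's code or the post's own): it verifies that the certs directory has the modes and owner set by the chmod/chown steps, parses `ss -ltn` output for ports 9200 and 9300, and probes the indexer while validating the server certificate against the deployed root-ca.pem instead of skipping verification with `-k`. It assumes GNU stat/awk on Linux and the /etc/wazuh-indexer/certs layout and NODE_NAME used on this page.

```shell
#!/usr/bin/env bash
# Post-install checks for the Wazuh indexer certificate deployment described above.
# Added example, not part of the Wazuh project; assumes GNU stat/awk (Linux) and the
# /etc/wazuh-indexer/certs layout and NODE_NAME used on this page.

# check_cert_dir DIR NODE_NAME OWNER
# Directory must be 500, every file 400 and owned by OWNER, and the five files
# extracted from wazuh-certificates.tar must all be present.
check_cert_dir() {
  local dir="$1" node="$2" owner="$3" f mode own
  [ "$(stat -c %a "$dir")" = "500" ] || { echo "bad mode on $dir"; return 1; }
  for f in "$node.pem" "$node-key.pem" admin.pem admin-key.pem root-ca.pem; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
  done
  for f in "$dir"/*; do
    mode=$(stat -c %a "$f"); own=$(stat -c %U "$f")
    [ "$mode" = "400" ] || { echo "bad mode $mode on $f"; return 1; }
    [ "$own" = "$owner" ] || { echo "bad owner $own on $f"; return 1; }
  done
  return 0
}

# ports_listening SS_OUTPUT PORT...
# Parses `ss -ltn` output (State in column 1, Local Address:Port in column 4)
# and succeeds only if every PORT is in LISTEN state.
ports_listening() {
  local out="$1" p; shift
  for p in "$@"; do
    printf '%s\n' "$out" | awk -v p="$p" \
      '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }' \
      || { echo "port $p is not listening"; return 1; }
  done
  return 0
}

# Constructed sample of `ss -ltn` output from an indexer host (not a real capture).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
LISTEN 0      4096   [::]:9300           [::]:*
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*'

# probe_indexer CERTS_DIR NODE_NAME
# Same request as the curl above, but the server certificate is validated against
# the deployed root CA instead of being skipped with -k, and curl prompts for the
# admin password rather than taking it on the command line.
probe_indexer() {
  curl --cacert "$1/root-ca.pem" -u admin "https://$2:9200"
}

# On a live host: check_cert_dir /etc/wazuh-indexer/certs "$NODE_NAME" wazuh-indexer
# then: ports_listening "$(ss -ltn)" 9200 9300 && probe_indexer /etc/wazuh-indexer/certs "$NODE_NAME"
```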

With the indexer running, we move on to the dashboard installation, which makes the configuration easy to manage through the GUI.

Installing the Wazuh dashboard step by step

My config looks as below:

This is a straightforward installation. If you changed the passwords as part of the dashboard installation steps (Securing your Wazuh installation),

then please change the kibanaserver password in the dashboard configuration as well:

echo <kibanaserver-password> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password

Restart the dashboard service for the new password to take effect.

systemctl restart wazuh-dashboard
(Below you can see the service is active.)

Now it is time to access the GUI:

Use username admin and the new password generated during the Wazuh security setup.

Now you have the indexer and dashboard running as expected.

My next step is to set up Graylog and configure logging to collect some logs and test them.

Happy Labbbinggggg!