{"id":1770,"date":"2022-11-12T19:41:57","date_gmt":"2022-11-12T19:41:57","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=1770"},"modified":"2023-11-18T19:14:00","modified_gmt":"2023-11-18T19:14:00","slug":"wazuh-indexer-and-dashboard-installation","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=1770","title":{"rendered":"WAZUH (indexer and dashboard) Installation."},"content":{"rendered":"\n

Part of this SIEM Build<\/a><\/p>\n\n\n\n

The Wazuh Security Information and Event Management (SIEM) solution provides monitoring, detection, and alerting of security events and incidents.<\/p>\n\n\n\n

Installation of WAZU<\/a> (I have followed the steps provided in the document and some references in google search)<\/p>\n\n\n\n

Follow the installation steps 1 to 5 from the above-mentioned installation document.<\/p>\n\n\n\n

Prep Work :<\/p>\n\n\n\n

    \n
  1. Setup and hostname as FQDN to generate Certs<\/li>\n\n\n\n
  2. and prepare the environment for installation.<\/li>\n<\/ol>\n\n\n\n

    I have 2 Interface on My Linux ( one is connected to external and another connected to internal for security reasons)<\/p>\n\n\n\n

    External Facing<\/strong> :<\/p>\n\n\n\n

    \"\"
    Interface Facing :<\/strong><\/figcaption><\/figure>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    setup a hostname so FQDN can resolve the domain name :<\/p>\n\n\n\n

    edit hosts file and setup and desired name you looking to use. (my case soclab.bb.local)<\/p>\n\n\n\n

    vi \/etc\/hosts<\/p>\n\n\n\n

    10.10.9.1 soclab.bb.local soclab<\/p>\n\n\n\n

    I am able to ping success :<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Step 1 – Download the wazuh-certs-tool.sh<\/code> script and the config.yml<\/code> configuration file. This creates the certificates that encrypt communications between the Wazuh central components.<\/p>\n\n\n\n

    curl -sO https:\/\/packages.wazuh.com\/4.3\/wazuh-certs-tool.sh\ncurl -sO https:\/\/packages.wazuh.com\/4.3\/config.yml<\/strong>\n<\/code><\/pre>\n\n\n\n
    Step 2 – edit the config.yml as per our environment :<\/p>\n\n\n\n
    My config.yml Look as below : <\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Step 3 – bash .\/wazuh-certs-tool.sh -A<\/p>\n\n\n\n
    You see the below files in the folder.<\/p>\n\n\n\n
    \"\"
    Step 4: tar the files and keep them ready for future steps.<\/figcaption><\/figure>\n\n\n\n
    tar -cvf .\/wazuh-certificates.tar -C .\/wazuh-certificates\/ .<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Follow the below steps to install packages and Wazuh :<\/p>\n\n\n\n
    Installing package dependencies<\/a><\/p>\n\n\n\n
    Adding the Wazuh repository<\/a><\/p>\n\n\n\n
    Installing the Wazuh indexer<\/a><\/p>\n\n\n\n
    Below config  – Configuring the Wazuh indexer<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Deploying certificates<\/strong><\/p>\n\n\n\n
    NODE_NAME=soclab.bb.local\n\nmkdir \/etc\/wazuh-indexer\/certs\ntar -xf .\/wazuh-certificates.tar -C \/etc\/wazuh-indexer\/certs\/ .\/$NODE_NAME.pem .\/$NODE_NAME-key.pem .\/admin.pem .\/admin-key.pem .\/root-ca.pem\nchmod 500 \/etc\/wazuh-indexer\/certs\nchmod 400 \/etc\/wazuh-indexer\/certs\/*\nchown -R wazuh-indexer:wazuh-indexer \/etc\/wazuh-indexer\/certs\n\nMy Cert folder have below :<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Start the Services :<\/p>\n\n\n\n
    #systemctl daemon-reload\n# systemctl enable wazuh-indexer\n# systemctl start wazuh-indexer<\/strong>\n<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Now Wazuh indexer running, later initialize cluster<\/p>\n\n\n\n
    #\/usr\/share\/wazuh-indexer\/bin\/indexer-security-init.sh\n\ncheck the port 9200 and 9300 Listening :\n<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Testing : <\/p>\n\n\n\n
    #curl -k -u admin:admin https:\/\/soclan.bb.local:9200<\/p>\n\n\n\n
    show the results means the indexer running as expected :<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Now Indexer running, now we move to dashboard installation, so it is easy to manage the config using GUI.<\/p>\n\n\n\n
    Installing the Wazuh dashboard step by step<\/a><\/p>\n\n\n\n
    My config looks as below :<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    This is straight forward installation. if you have changed the password part of the dashboard installation steps: Securing your Wazuh installation<\/strong><\/p>\n\n\n\n
    If so please change the kibanaserver<\/strong> password in the config file.<\/p>\n\n\n\n
    echo <kibanaserver-password<\/strong>> | \/usr\/share\/wazuh-dashboard\/bin\/opensearch-dashboards-keystore –allow-root add -f –stdin opensearch.password<\/p>\n\n\n\n
    Restart the dashboard service to take effect of a new password.<\/p>\n\n\n\n
    systemctl restart wazuh-dashboard (below you see the service is active).<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Now time to access GUI :<\/p>\n\n\n\n
    \"\"
    Use username: admin and password: new password generated by security wazuh.<\/figcaption><\/figure>\n\n\n\n
    Now You have Indexer and dashboard running as expected.<\/p>\n\n\n\n
    My Next step set up a Graylog and configured logging to collect some logs and test them.<\/p>\n\n\n\n
    Happy Labbbinggggg!<\/p>\n","protected":false},"excerpt":{"rendered":"
    Part of this SIEM Build The Wazuh Security Information and Event Management (SIEM) solution provides monitoring, detection, and alerting of security events and incidents. Installation of WAZU (I have followed the steps provided in the document and some references in google search) Follow the installation steps 1 to 5 from the above-mentioned installation document. Prep […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,6],"tags":[],"class_list":["post-1770","post","type-post","status-publish","format-standard","hentry","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/1770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1770"}],"version-history":[{"count":4,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/1770\/revisions"}],"predecessor-version":[{"id":1939,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/1770\/revisions\/1939"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}