Wazuh Deployment: Single-Node Deployment

1. Wazuh Indexer Installation

1.1 Creating certificates

Generate SSL certificates

Download the wazuh-certs-tool.sh script and the config.yml configuration file. They are used to create the certificates that encrypt communication between the Wazuh central components.

curl -sO https://packages.wazuh.com/4.5/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.5/config.yml

1.2 Edit the configuration file

Edit ./config.yml and replace the node names and IP values with the names and IP addresses of your own nodes.
Note: replace [127.0.0.1] in the block below with your own server's IP address.

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 127.0.0.1
    #- name: node-2
    #  ip: <indexer-node-ip>
    #- name: node-3
    #  ip: <indexer-node-ip>

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: 127.0.0.1
    #  node_type: master
    #- name: wazuh-2
    #  ip: <wazuh-manager-ip>
    #  node_type: worker
    #- name: wazuh-3
    #  ip: <wazuh-manager-ip>
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 127.0.0.1

1.3 Run the command to create the certificates

bash ./wazuh-certs-tool.sh -A

1.4 Compress the files

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates

1.5 Install package dependencies

Choose the command that matches your server's distribution: CentOS uses yum, Ubuntu uses apt. To find out whether a Linux system is CentOS or Ubuntu, run the following command:

root@sq:/usr/local/wazuh# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

Because the author's server runs Ubuntu, apt is used here to install the dependencies.

#Yum
yum install coreutils
#Apt
apt-get install debconf adduser procps

1.6 Add the Wazuh repository

#Yum
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
#Apt
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

1.7 Install the Wazuh indexer

#yum
yum -y install wazuh-indexer
#Apt
apt-get -y install wazuh-indexer

1.8 Configure the Wazuh indexer

Open the /etc/wazuh-indexer/opensearch.yml configuration file and change the following values:
Set network.host to the current server's IP address.
node.name must match the Wazuh indexer node name defined in config.yml.

network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
#discovery.seed_hosts:
#  - "node-1-ip"
#  - "node-2-ip"
#  - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true

1.9 Deploy certificates

Run the following commands, replacing <indexer-node-name> with the name of the Wazuh indexer node configured in config.yml, for example node-1. This deploys the SSL certificates that encrypt communication between the Wazuh central components.

NODE_NAME=<indexer-node-name>
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

1.10 Start the service

systemctl daemon-reload	#reload the systemd configuration
systemctl enable wazuh-indexer	#enable the Wazuh indexer to start at boot
systemctl start wazuh-indexer	#start the Wazuh indexer

1.11 Initialize the cluster

Run the indexer-security-init.sh script on any Wazuh indexer node to load the new certificate information and start the single-node or multi-node cluster.

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

1.12 Test the installation

Replace <WAZUH_INDEXER_IP> and run the following command to confirm that the installation succeeded.

curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "uH7_rHioR_CQ07o3mqYNXg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
    "build_date" : "2023-02-24T18:57:04.388618985Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

2. Wazuh Server Installation

2.1 Install the Wazuh manager

#Yum
yum -y install wazuh-manager
#Apt
apt-get -y install wazuh-manager

2.2 Start the Wazuh manager service

systemctl daemon-reload	#reload the systemd configuration
systemctl enable wazuh-manager	#enable the Wazuh manager to start at boot
systemctl start wazuh-manager	#start the Wazuh manager service

2.3 Check the Wazuh manager status

systemctl status wazuh-manager

2.4 Install Filebeat

#Yum
yum -y install filebeat
#Apt
apt-get -y install filebeat

2.5 Configure Filebeat

  1. Download the pre-configured Filebeat configuration file.
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/wazuh/filebeat/filebeat.yml
  2. Edit the /etc/filebeat/filebeat.yml configuration file and replace hosts:

    Replace hosts [127.0.0.1] with the current server's IP address.

# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
  3. Create a Filebeat keystore.
filebeat keystore create
  4. Add the default username and password admin:admin to the secrets keystore.
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force
  5. Download the alerts template for the Wazuh indexer.
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.5/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
  6. Install the Wazuh module for Filebeat.
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

2.6 Deploy certificates

Replace <server-node-name> with the certificate name of your Wazuh server node, which is the same name used in config.yml when the certificates were created. Then move the certificates to their proper location.

NODE_NAME=<server-node-name>
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

2.7 Start the Filebeat service

  1. Enable and start the Filebeat service.
systemctl daemon-reload	#reload the systemd configuration
systemctl enable filebeat	#enable Filebeat to start at boot
systemctl start filebeat	#start the Filebeat service
  2. Run the following command to verify that Filebeat was installed successfully.
filebeat test output

The expected response is:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

3. Wazuh Dashboard Installation

3.1 Install package dependencies

#Yum
yum install libcap
#Apt
apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

3.2 Install the Wazuh dashboard

#Yum
yum -y install wazuh-dashboard
#Apt
apt-get -y install wazuh-dashboard

3.3 Configure the Wazuh dashboard

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and replace opensearch.hosts [127.0.0.1] with the current server's IP address.

server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://127.0.0.1:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

server.host: this setting specifies the host of the Wazuh dashboard server. To allow remote users to connect, set the value to the IP address or DNS name of the Wazuh dashboard server. The value 0.0.0.0 accepts all of the host's available IP addresses.

opensearch.hosts: the URL of the Wazuh indexer instance used for all queries. The Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster; the node addresses are separated by commas.
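Every component file edited in this guide (opensearch.yml, filebeat.yml and opensearch_dashboards.yml) has to agree with config.yml on the indexer's IP and node name, and a leftover 127.0.0.1 or a mismatched node.name is the usual cause of the "dashboard server is not ready yet" error noted in section 4. The following Python script is an added example, not part of the original post and not a Wazuh tool: it reads the four files and reports every value that disagrees with config.yml. The file contents below are constructed samples with one deliberate mistake (filebeat.yml still pointing at the 127.0.0.1 placeholder); on a real host read the strings from the paths given above. The parser understands only the keys this guide touches, not full YAML.

```python
import re

# Constructed sample contents (not from a real host). config.yml was set to a
# single node at 10.0.0.5; filebeat.yml was left at the 127.0.0.1 placeholder.
CONFIG_YML = """\
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 10.0.0.5
    #- name: node-2
    #  ip: <indexer-node-ip>
  server:
    - name: wazuh-1
      ip: 10.0.0.5
  dashboard:
    - name: dashboard
      ip: 10.0.0.5
"""

OPENSEARCH_YML = """\
network.host: "10.0.0.5"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
cluster.name: "wazuh-cluster"
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
"""

FILEBEAT_YML = """\
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
"""

DASHBOARD_YML = """\
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://10.0.0.5:9200
"""


def parse_nodes(config_yml):
    """Return {section: [(name, ip), ...]} for the indexer/server/dashboard
    sections of config.yml, ignoring the commented-out template entries."""
    nodes, section, name = {}, None, None
    for raw in config_yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^  (indexer|server|dashboard):\s*$", line)
        if m:
            section, nodes[section] = m.group(1), []
            continue
        m = re.match(r"^\s*-\s*name:\s*(\S+)", line)
        if m and section:
            name = m.group(1)
            continue
        m = re.match(r"^\s*ip:\s*(\S+)", line)
        if m and section and name:
            nodes[section].append((name, m.group(1)))
            name = None
    return nodes


def scalar(yml, key):
    """Value of a top-level `key: value` line with surrounding quotes removed."""
    m = re.search(r"^" + re.escape(key) + r":\s*(.+?)\s*$", yml, re.M)
    return m.group(1).strip("\"'") if m else None


def block_list(yml, key):
    """Items of a top-level block list: `key:` followed by `- item` lines."""
    m = re.search(r"^" + re.escape(key) + r":[ \t]*\n((?:[ \t]*-[ \t]*.*\n?)+)", yml, re.M)
    if not m:
        return []
    return [i.strip().lstrip("-").strip().strip("\"'") for i in m.group(1).splitlines()]


def check_deployment(config_yml, opensearch_yml, filebeat_yml, dashboard_yml):
    """Return a list of disagreements with config.yml; [] means all consistent."""
    problems = []
    idx_name, idx_ip = parse_nodes(config_yml)["indexer"][0]

    if scalar(opensearch_yml, "network.host") != idx_ip:
        problems.append(f"opensearch.yml network.host should be {idx_ip}")
    if scalar(opensearch_yml, "node.name") != idx_name:
        problems.append(f"opensearch.yml node.name should be {idx_name}")
    if idx_name not in block_list(opensearch_yml, "cluster.initial_master_nodes"):
        problems.append(f"opensearch.yml cluster.initial_master_nodes lacks {idx_name}")
    if not any(dn.startswith(f"CN={idx_name},") for dn in block_list(opensearch_yml, "plugins.security.nodes_dn")):
        problems.append(f"opensearch.yml plugins.security.nodes_dn has no CN={idx_name} entry")

    m = re.search(r"^\s*hosts:\s*\[(.*?)\]", filebeat_yml, re.M)
    fb_hosts = [h.strip().strip("\"'") for h in m.group(1).split(",")] if m else []
    if f"{idx_ip}:9200" not in fb_hosts:
        problems.append(f"filebeat.yml hosts should include {idx_ip}:9200 (found {fb_hosts})")

    if f"https://{idx_ip}:9200" not in (scalar(dashboard_yml, "opensearch.hosts") or ""):
        problems.append(f"opensearch_dashboards.yml opensearch.hosts should point at https://{idx_ip}:9200")

    # The placeholder left anywhere is a mistake on its own, whatever config.yml says.
    for fname, text in (("opensearch.yml", opensearch_yml), ("filebeat.yml", filebeat_yml),
                        ("opensearch_dashboards.yml", dashboard_yml)):
        if re.search(r"(?<![\d.])127\.0\.0\.1(?![\d.])", text):
            problems.append(f"{fname} still contains the placeholder 127.0.0.1")
    return problems


if __name__ == "__main__":
    for p in check_deployment(CONFIG_YML, OPENSEARCH_YML, FILEBEAT_YML, DASHBOARD_YML):
        print("PROBLEM:", p)
```

Run it after editing the three files and before starting the services; an empty result means the node name and IP are consistent everywhere this guide expects them.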

3.4 Deploy certificates

Replace <dashboard-node-name> with your Wazuh dashboard node name, which is the same name used in config.yml to create the certificates, and move the certificates to their proper location.

NODE_NAME=<dashboard-node-name>
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
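The deploy-certificate steps for the indexer, Filebeat and the dashboard all end with the same chmod 500 / chmod 400 / chown sequence, and a private key that drifts from 0400 (for example after a manual copy) is readable by every local account. The following Python audit is an added example, not part of the original post or of Wazuh: it checks one certificate directory against that layout (directory 0500, files 0400, a single owner, the expected file names present, and no leftover <node-name>.pem from a skipped mv -n). demo() builds a constructed temporary directory with one deliberate mistake; on a real host call audit_cert_dir with the real path, the service account's uid and the matching REQUIRED entry, as shown in the comment.

```python
import os
import pwd
import stat
import tempfile

# Layout the deployment steps above produce.
DIR_MODE = 0o500
FILE_MODE = 0o400

# File names each component's config references (taken from the paths above).
REQUIRED = {
    "wazuh-indexer": ["admin-key.pem", "admin.pem", "indexer-key.pem", "indexer.pem", "root-ca.pem"],
    "filebeat": ["filebeat-key.pem", "filebeat.pem", "root-ca.pem"],
    "wazuh-dashboard": ["dashboard-key.pem", "dashboard.pem", "root-ca.pem"],
}


def audit_cert_dir(path, owner_uid, required):
    """Return a list of findings for one certificate directory; [] means it
    matches the layout the deployment steps produce."""
    findings = []

    def check(p, want_mode):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):  # a symlink could point outside the directory
            findings.append(f"{p}: symlink where a regular file was expected")
            return
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append(f"{p}: mode {mode:04o}, expected {want_mode:04o}")
        if st.st_uid != owner_uid:
            findings.append(f"{p}: owned by uid {st.st_uid}, expected uid {owner_uid}")

    if not os.path.isdir(path):
        return [f"{path}: directory missing"]
    check(path, DIR_MODE)
    present = sorted(os.listdir(path))
    for name in present:
        check(os.path.join(path, name), FILE_MODE)
    for name in required:
        if name not in present:
            findings.append(f"{os.path.join(path, name)}: required file missing")
    # A leftover <node-name>.pem means the mv -n rename step did not happen.
    for name in present:
        if name.endswith(".pem") and name not in required:
            findings.append(f"{os.path.join(path, name)}: unexpected file (rename step skipped?)")
    return findings


def demo():
    """Constructed example: a Filebeat cert directory with one mistake, the
    private key left at 0644. Returns the findings; runs as any user."""
    with tempfile.TemporaryDirectory() as base:
        certs = os.path.join(base, "certs")
        os.mkdir(certs)
        for name in REQUIRED["filebeat"]:
            fpath = os.path.join(certs, name)
            with open(fpath, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not a real key
            os.chmod(fpath, FILE_MODE)
        os.chmod(os.path.join(certs, "filebeat-key.pem"), 0o644)  # the deliberate mistake
        os.chmod(certs, DIR_MODE)
        findings = audit_cert_dir(certs, os.getuid(), REQUIRED["filebeat"])
        os.chmod(certs, 0o700)  # let TemporaryDirectory remove it
        return findings


if __name__ == "__main__":
    # Real-host usage (requires root to read the directories):
    # audit_cert_dir("/etc/wazuh-indexer/certs", pwd.getpwnam("wazuh-indexer").pw_uid, REQUIRED["wazuh-indexer"])
    # audit_cert_dir("/etc/filebeat/certs", pwd.getpwnam("root").pw_uid, REQUIRED["filebeat"])
    # audit_cert_dir("/etc/wazuh-dashboard/certs", pwd.getpwnam("wazuh-dashboard").pw_uid, REQUIRED["wazuh-dashboard"])
    for finding in demo():
        print(finding)
```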

3.5 Start the Wazuh dashboard service

systemctl daemon-reload	#reload the systemd configuration
systemctl enable wazuh-dashboard	#enable the Wazuh dashboard to start at boot
systemctl start wazuh-dashboard		#start the Wazuh dashboard service

3.6 Access the dashboard

URL: https://<wazuh-dashboard-ip>

Username: admin

Password: admin


4. Pitfalls Encountered

1. The error "Wazuh dashboard server is not ready yet" appears when opening the page

Fix 1: set [opensearch.hosts] in /etc/wazuh-dashboard/opensearch_dashboards.yml to the current server's IP address

Fix 2: run systemctl edit wazuh-indexer and add the following lines:

[Service]

TimeoutStartSec=180

Save the file and run:

systemctl daemon-reload

systemctl restart wazuh-indexer

systemctl restart wazuh-dashboard

2. The login check shows the error ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
Fix: uninstall and reinstall.
Uninstall method: follow the uninstall steps on the official site.

3. Files cannot be downloaded from raw.githubusercontent.com
Fix: edit the /etc/hosts file and add the following entries

182.43.124.6    raw.githubusercontent.com
185.199.111.133 raw.githubusercontent.com

Save and exit after adding them.
