Nowadays, due to increased cyber threats, there is a high need to perform real-time monitoring of systems. This helps one detect threats as soon as they occur and act accordingly.
The Wazuh Security Platform is a free and open-source platform that can be used to perform the real-time monitoring and analysis of systems. It provides lightweight OS-level-based security using multi-platform agents. It helps collect, aggregate, index, and analyze the security data which may contain system intrusions or abnormalities.
The Wazuh Security Platform can be used to protect workloads on public and private clouds as well as on-premise data centers. Its main functions revolve around:
- Endpoint Security with Configuration Assessment, Extended Detection and Response, and File Integrity Monitoring
- Security Operations that include; Malware Detection, Log Data Analysis, Audit, Compliance e.t.c
- Cloud Security by offering posture management, Workload protection, and Container security
- Threat Intelligence through Threat hunting, IT Hygiene, and Vulnerability Detection
The Wazuh solution consists of the following components:
- Wazuh Server – It analyzes the data received from the agents. It processes this data through decoders and rules.
- Wazuh dashboard – a web-based UI for visualizing the data analysis.
- Wazuh indexer – this is a full-text search and analytics engine with high scalability. It is used to index and store alerts from the Wazuh server
- Wazuh agents – installed on endpoints. These are desktops, laptops, servers, cloud instances, or virtual machines.
There are two deployments for the Wazuh Security Platform, i.e:
- All-in-one deployment, where the Wazuh stack components are installed on a single server. This can be best explained using the diagram below
- Distributed deployment where components are installed on separate hosts. This installation method provides high availability and scalability of the Wazuh Security Platform.
This guide provides steps on how to deploy the Wazuh Security Platform on Linux using Puppet.
Step 1 – Install and Configure Puppet on Linux
Puppet is an automation tool developed by Puppet Labs. It can be used to easily configure, manage and deploy the Wazuh Security Platform.
To be able to proceed, you need to have the Puppet server and agent installed and configured to communicate. The guides below can help you achieve this.
- On Debian/Ubuntu
- On RHEL 8/CentOS 8/Rocky Linux 8/Alma Linux 8
- On RHEL 7/CentOS 7
After the installation, verify if the Puppet server and Agent can communicate.
$ sudo /opt/puppetlabs/bin/puppet agent -t
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetnode.example.com
Info: Certificate Request fingerprint (SHA256): FC:ED:2C:5C:5E:45:E9:A3:41:96:84:0C:46:F7:40:D3:E2:BE:1E:B3:04:14:7E:5C:BA:75:64:90:DC:53:2A:DC
Info: Downloaded certificate for puppetnode.example.com from https://puppetmaster.example.com:8140/puppet-ca/v1
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetnode.example.com
Info: Applying configuration version '1653589224'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.03 seconds
Step 2 – Install the Wazuh Puppet module.
Proceed and install the Wazuh Puppet module that will be used for the deployment. The command below can be used to install the Wazuh Puppet module.
$ sudo /opt/puppetlabs/bin/puppet module install wazuh-wazuh
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ wazuh-wazuh (v4.3.1)
├── puppet-nodejs (v7.0.1)
├── puppet-selinux (v3.4.1)
├── puppetlabs-apt (v7.7.1)
├─┬ puppetlabs-concat (v6.4.0)
│ └── puppetlabs-translate (v2.2.0)
├── puppetlabs-firewall (v2.8.1)
├─┬ puppetlabs-powershell (v4.1.0)
│ └── puppetlabs-pwshlib (v0.10.1)
└── puppetlabs-stdlib (v6.6.0)
Step 3 – Install the Wazuh stack via Puppet
The Wazuh stack consisting of the Wazuh manager, Wazuh indexer, Wazuh dashboard, and Filebeat can be deployed using the manifest created as shown.
sudo vim /etc/puppetlabs/code/environments/production/manifests/init.ppThe manifest will contain the below lines:
node "puppetnode.example.com" {
class { 'wazuh::manager':
}
class { 'wazuh::indexer':
}
class { 'wazuh::filebeat_oss':
}
class { 'wazuh::dashboard':
}
}
Replace puppetnode.example.com with the hostname/IP address of the Puppet agent that you want to act as the Wazuh server.
Run the manifest:
sudo /opt/puppetlabs/bin/puppet agent -tExecution output:
On the Wazuh server, allow the below ports through the firewall.
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --add-port=1514/udp --permanent
sudo firewall-cmd --add-port=1515/udp --permanent
sudo firewall-cmd --add-port=1514/tcp --permanent
sudo firewall-cmd --add-port=1515/tcp --permanent
sudo firewall-cmd --reloadStep 4 – Install the Wazuh agent via Puppet
To install the Wazuh agent, we need to create a manifest. Here, we will have the manifest as created with the command:
sudo vim /etc/puppetlabs/code/environments/production/manifests/wazuh-agent.ppAdd the below lines to the file:
node "puppetnode2.example.com" {
class { "wazuh::agent":
wazuh_register_endpoint => "<MANAGER_IP>",
wazuh_reporting_endpoint => "<MANAGER_IP>"
}
}Remember, puppetnode2.example.com is the IP address/domain name of the node on which you want to run the Wazuh agent service and MANAGER_IP is the IP address of the Wazuh server.
Run the manifest using the command:
sudo /opt/puppetlabs/bin/puppet agent -tSample Output:
Step 5 – Access the Wazuh Dashboard
The Wazuh dashboard can now be accessed using the URL https://wazuh_server_IP.
Log in using the username as admin and a preferred password. On successful login, you will see the below dashboard.
Click on the Wazuh agents to check the status.
Click on the agent to see dashboards.
Voila!
You have successfully deployed the Wazuh Security Platform on Linux using Puppet. Perform the real-time monitoring and analysis of systems using Wazuh. I hope this was helpful.
Related posts:
- Automate Graylog Server installation using Puppet
- Run Wazuh Server in Docker Containers using Docker Compose
- Install Wazuh server on CentOS 8|RHEL 8|AlmaLinux 8
