With cyber attacks on the rise, many organisations monitor their systems in real time so that threats are identified and mitigated as soon as they occur. This increases the need for security monitoring tools such as SolarWinds Security Event Manager, SecPod SanerNow, Intruder, Wireshark, Webroot, etc.
Wazuh Security Platform is a free, open-source, enterprise-ready tool used to perform real-time integrity monitoring, threat detection, incident response, and compliance analysis of systems. Users can collect, index, aggregate, and analyse security data that may reveal threats or abnormalities. Wazuh can be used to protect workloads on private and public clouds as well as in on-premise data centres.
In current releases the platform consists of the following components:
- Wazuh server: analyses the data received from the agents, processing it through decoders and rules and raising alerts.
- Wazuh indexer: a highly scalable full-text search and analytics engine whose main function is to index and store the alerts generated by the Wazuh server.
- Wazuh dashboard: the web-based UI used to visualise and query the indexed data.
- Wazuh agents: installed on the monitored endpoints (desktops, laptops, servers, cloud instances, or virtual machines) and forwarding events to the server.
The main functions of the Wazuh Security Platform are:
- Cloud security through posture management, workload protection, and container security
- Endpoint security with configuration assessment, extended detection and response, and file integrity monitoring
- Threat intelligence through threat hunting, IT hygiene, and vulnerability detection
- Security operations including malware detection, log data analysis, audit and compliance
In this guide, we will learn how to set up Wazuh with an agent on Rocky Linux 9 / AlmaLinux 9 / CentOS 9. There are two methods of deploying Wazuh:
- All-in-one deployment: the Wazuh manager and the Open Distro for Elasticsearch stack (Elasticsearch, Kibana and Filebeat) are installed on a single host. This is the layout used in this guide; here Elasticsearch plays the indexer role and Kibana the dashboard role described above.
- Distributed deployment: the components are installed on separate hosts as a single-node or multi-node cluster. This method provides high availability and scalability and is therefore the choice for large environments.
Prerequisites
For this guide, you will need a Rocky Linux 9 / AlmaLinux 9 / CentOS 9 system with the following specifications:
- 4 GB of RAM minimum (16 GB recommended)
- 2 CPU cores minimum (8 cores recommended)
- A 64-bit operating system
Once the above requirements have been met, you can proceed as shown below.
Step 1 – Install Wazuh Server
During the Wazuh installation, users can choose between two options:
- Unattended installation: Wazuh is installed by an automated script, which first performs health checks to verify that the available system resources meet the minimum requirements.
- Step-by-step installation: each component is installed manually, with a description of every step.
Choose one of the preferred methods below to install the Wazuh Server on Rocky Linux 9 / AlmaLinux 9 / CentOS 9.
Option 1 – The Wazuh Server Unattended installation
This is the quickest method to deploy the Wazuh server. All you need to do is download and run the installer script. Because the script runs as root, fetch it over HTTPS as shown and read through it before launching it, rather than piping it straight into a shell.
To download the script, use the commands:
cd ~/
curl -so wazuh-installation.sh https://packages.wazuh.com/resources/4.2/open-distro/unattended-installation/unattended-installation.sh
Once the download is complete, launch the installer with the command:
sudo bash ./wazuh-installation.sh
The installation will proceed as shown:
Once complete, you will see the login details for the installed services:
Option 2 – The Wazuh Server Step-by-step installation
This second method installs the Wazuh server components manually. Begin by updating the server and installing the packages used below:
sudo dnf update -y
sudo dnf -y install vim curl unzip wget libcap
Import the Wazuh GPG key so that dnf can verify package signatures:
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Then add the Wazuh repository (gpgcheck=1 makes dnf reject any package not signed with that key):
sudo tee /etc/yum.repos.d/wazuh.repo <<EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
1. Install and configure the Wazuh Manager
After adding the repo, we will begin by installing the Wazuh manager with the command:
sudo dnf -y install wazuh-manager
Once installed, start and enable the service:
sudo systemctl start wazuh-manager
sudo systemctl enable wazuh-manager
Check the status of the service:
$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2023-02-27 19:12:30 CET; 2s ago
Process: 32776 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 108 (limit: 28956)
Memory: 630.2M
CPU: 14.486s
CGroup: /system.slice/wazuh-manager.service
├─32829 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─32869 /var/ossec/bin/wazuh-authd
├─32883 /var/ossec/bin/wazuh-db
├─32904 /var/ossec/bin/wazuh-execd
├─32916 /var/ossec/bin/wazuh-analysisd
├─32927 /var/ossec/bin/wazuh-syscheckd
├─32973 /var/ossec/bin/wazuh-remoted
├─32997 /var/ossec/bin/wazuh-logcollector
├─33014 /var/ossec/bin/wazuh-monitord
├─33024 /var/ossec/bin/wazuh-modulesd
├─33074 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
└─33077 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
2. Install and Configure Elastic Stack
The Elastic stack consists of Elasticsearch, Filebeat and Kibana. It provides the log storage, shipping and visualisation that complement the Wazuh manager's analysis.
To install Open Distro for Elasticsearch, use the command:
sudo dnf -y install opendistroforelasticsearch
Then download the sample configuration file for Elasticsearch:
wget https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
Now move this config to the required path:
sudo mv elasticsearch_all_in_one.yml /etc/elasticsearch/elasticsearch.yml
Now create the below users and roles for Wazuh:
- wazuh_user: This is the read-only user access to the Wazuh Kibana plugin.
- wazuh_admin: It is recommended for users who need administrative privileges.
- wazuh_ui_user: This role provides wazuh_user with the permissions to read the Wazuh indices.
- wazuh_ui_admin: The role that allows wazuh_admin to perform reading, writing, management, and indexing tasks on the Wazuh indices.
The users and roles can be created using the simple code below:
for i in roles.yml roles_mapping.yml internal_users.yml; do
wget https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/$i
sudo mv $i /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
done
Once created, we will generate the certs. First, delete the demo certs with the command:
sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}
We will use wazuh-cert-tool.sh to generate the required certificates. The tool and its instance definition can be downloaded as root with the commands:
sudo -i
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
Now the script can be executed as shown:
bash ~/wazuh-cert-tool.sh
Once the certs have been generated, move them to the required paths:
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
Configure the JVM options for Elasticsearch. The property below disables message lookups in Log4j 2 (the Log4Shell mitigation), so it should be in place before the service is started for the first time:
mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
Now start and enable Elasticsearch:
systemctl enable --now elasticsearch
Verify that the service is running:
$ systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-02-27 19:23:06 CET; 3s ago
Docs: https://www.elastic.co
Main PID: 35381 (java)
Tasks: 54 (limit: 28956)
Memory: 1.2G
CPU: 19.508s
CGroup: /system.slice/elasticsearch.service
└─35381 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.head>
Feb 27 19:22:54 wazuh.geeksforgeeks.org systemd[1]: Starting Elasticsearch...
Feb 27 19:23:06 wazuh.geeksforgeeks.org systemd[1]: Started Elasticsearch.
With Elasticsearch up, load the users, roles and certificates into the Open Distro security index by running securityadmin.sh once. It needs JAVA_HOME pointed at the bundled JDK and the admin certificate generated earlier. Run it as a one-off command; do not append it to /etc/profile, because /etc/profile is executed by every login shell and the command would be re-run, with root-only key material, on every login:
export JAVA_HOME=/usr/share/elasticsearch/jdk/
/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
Check that Elasticsearch answers over TLS with the new certificates. admin:admin is the Open Distro default credential and must be changed before the host is reachable from anything but localhost; -k skips certificate verification and is acceptable only for this local smoke test, so for any later check pass the CA with --cacert /etc/elasticsearch/certs/root-ca.pem instead:
# curl -XGET https://localhost:9200 -u admin:admin -k
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "p3-bnTEgTzKTXcFKJpVlcg",
"version" : {
"number" : "7.10.2",
"build_flavor" : "oss",
"build_type" : "rpm",
"build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
"build_date" : "2021-01-13T00:42:12.435326Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
3. Install and Configure Kibana
Kibana can be installed on Rocky Linux 9 / AlmaLinux 9 / CentOS 9 using the command:
sudo dnf -y install opendistroforelasticsearch-kibana
Now download the configuration file:
wget https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
sudo mv kibana_all_in_one.yml /etc/kibana/kibana.yml
Create a data directory and set the required permissions:
sudo mkdir /usr/share/kibana/data
sudo chown -R kibana:kibana /usr/share/kibana/data
Navigate into the directory and install the Wazuh Kibana plugin
cd /usr/share/kibana/
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.10_7.10.2-1.zip
Copy the generated certs for Kibana as well:
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
Allow Kibana to listen on port 443 without running as root by granting the node binary the cap_net_bind_service capability (the kibana_all_in_one.yml configuration binds to 443):
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Now reload the system daemon:
systemctl daemon-reload
Start and enable the service:
systemctl enable --now kibana
Verify if the service is running:
$ systemctl status kibana
● kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-02-27 19:27:59 CET; 6s ago
Main PID: 47691 (node)
Tasks: 11 (limit: 28956)
Memory: 180.0M
CPU: 5.272s
CGroup: /system.slice/kibana.service
└─47691 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist -c /etc/kibana/kibana.yml
Feb 27 19:28:04 wazuh.geeksforgeeks.org kibana[47691]: {"type":"log","@timestamp":"2023-02-27T18:28:04Z","tags":["info","savedobjects-service"],"pid":47691,"message":"Pointing alias .ki>
Feb 27 19:28:04 wazuh.geeksforgeeks.org kibana[47691]: {"type":"log","@timestamp":"2023-02-27T18:28:04Z","tags":["info","savedobjects-service"],"pid":47691,"message":"Finished in 355ms.>
Feb 27 19:28:04 wazuh.geeksforgeeks.org kibana[47691]: {"type":"log","@timestamp":"2023-02-27T18:28:04Z","tags":["info","plugins-system"],"pid":47691,"message":"Starting [50] plugins: [>
Feb 27 19:28:04 wazuh.geeksforgeeks.org kibana[47691]: {"type":"log","@timestamp":"2023-02-27T18:28:04Z","tags":["listening","info"],"pid":47691,"message":"Server running at https://0.0>
Feb 27 19:28:04 wazuh.geeksforgeeks.org kibana[47691]: {"type":"log","@timestamp":"2023-02-27T18:28:04Z","tags":["info","http","server","Kibana"],"pid":47691,"message":"http server runn>
Feb 27 19:28:04 wazuh.geeksforgeeks.org kibana[47691]: {"type":"log","@timestamp":"2023-02-27T18:28:04Z","tags":["error","elasticsearch","data"],"pid":47691,"message":"[ResponseError]: >
Feb 27 19:28:04 wazuh.geeksforgeeks.org kibana[47691]: {"type":"log","@timestamp":"2023-02-27T18:28:04Z","tags":["error","elasticsearch","data"],"pid":47691,"message":"[ResponseError]:
Allow the services through the firewall. Besides 443/tcp for Kibana, agents need to reach the manager on 1514/tcp (events) and 1515/tcp (enrollment), the defaults for WAZUH_MANAGER_PORT and WAZUH_REGISTRATION_PORT used in Step 3:
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --add-port=1514/tcp --add-port=1515/tcp --permanent
sudo firewall-cmd --reload
Kibana can be accessed on the web using the URL https://IP_Address with the credentials below. They are the Open Distro defaults; change the admin password before the host is reachable from anything but your own workstation:
user: admin
password: admin
4. Install and Configure FileBeat
Filebeat is a log shipper. In this setup it reads the alerts the Wazuh manager writes to /var/ossec/logs/alerts/alerts.json and ships them to Elasticsearch over TLS. Install it with:
sudo dnf install filebeat -y
Now pull the config file:
wget https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
sudo mv filebeat_all_in_one.yml /etc/filebeat/filebeat.yml
Pull the alert template:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.3.10/extensions/elasticsearch/7.x/wazuh-template.json
sudo chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Copy the generated certs for Filebeat:
sudo mkdir /etc/filebeat/certs
sudo cp ~/certs/root-ca.pem /etc/filebeat/certs/
sudo mv ~/certs/filebeat* /etc/filebeat/certs/
Start and enable the service:
sudo systemctl daemon-reload
sudo systemctl enable --now filebeat
To verify that Filebeat can reach Elasticsearch with the configured certificates, run:
sudo filebeat test output
Every check in the output (parse url, connection, TLS handshake, talk to server) should end in OK; a failure in the TLS section usually points at wrong certificate paths or permissions in /etc/filebeat/filebeat.yml.
Step 2 – Access the Wazuh Web Interface
After following either of the installation methods above, you should be able to load the Wazuh dashboard using the URL https://IP_Address or https://domain_name. You should see the below page:
Log in with the provided credentials. For the step-by-step method these are the Open Distro defaults, which should be changed right after the first login:
user: admin
password: admin
The health check will be performed as shown.
Once authenticated, you will see the below dashboard.
Currently, we do not have any agent associated with the Wazuh server. So, proceed with the agent installation and configuration as demonstrated below.
Step 3 – Install and Configure Wazuh Agent
Once the Wazuh server has been installed, install the agent on each endpoint you want to monitor. The agent enrols with the manager over 1515/tcp and then forwards events over 1514/tcp.
Switch to the root user:
sudo -i
Depending on your system, add the repo:
- For APT
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- For YUM & ZYpp
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Import the GPG key:
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Once the repo has been added, install the Wazuh agent:
##APT
sudo apt update -y
WAZUH_MANAGER="192.168.205.17" apt-get install wazuh-agent
##YUM
WAZUH_MANAGER="192.168.205.17" yum install wazuh-agent
##ZYpp
sudo zypper refresh
WAZUH_MANAGER="192.168.205.17" zypper install wazuh-agent
In the above commands, replace the WAZUH_MANAGER IP address appropriately. Other variables can be set on the same command line; the important ones are:
- WAZUH_REGISTRATION_PASSWORD: the password used to authenticate the enrollment request. It is stored in /var/ossec/etc/authd.pass on the agent and must match the password configured on the manager; without one, any host that can reach the manager on 1515/tcp can enrol an agent.
- WAZUH_AGENT_NAME: the agent's name as shown on the manager. By default it is the hostname.
- WAZUH_REGISTRATION_KEY: path to the agent's private key; together with WAZUH_REGISTRATION_CERTIFICATE it enables certificate-based verification of the agent during enrollment.
- WAZUH_AGENT_GROUP: assigns the agent to one or more existing groups (comma-separated).
- WAZUH_REGISTRATION_PORT: the port of the manager's enrollment service (default 1515).
- WAZUH_MANAGER_PORT: the port the agent sends events to (default 1514).
These variables can be passed as shown in the below example:
WAZUH_MANAGER="192.168.205.17" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
WAZUH_AGENT_NAME="yum-agent" yum install wazuh-agent
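Enrolling agents without a password, the default in the commands above, means anything able to reach the manager on 1515/tcp can register itself. The script below is an added example, not part of the original guide or of Wazuh's own tooling: it sets up the manager side of password-based enrollment to match the WAZUH_REGISTRATION_PASSWORD variable. It generates a random password, writes /var/ossec/etc/authd.pass with the restrictive ownership and mode the manager expects, switches <use_password> in the <auth> block of ossec.conf from no to yes, and prints the matching agent install command. The Wazuh paths, the wazuh group and the 192.168.205.17 manager address (the page's example address) are assumptions; every function takes its paths as parameters so it can be tried against a scratch directory before touching /var/ossec.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): manager-side setup for password-based
# agent enrollment. Assumes the default Wazuh layout under /var/ossec and a
# "wazuh" group; paths are parameters so the functions can be tested elsewhere.
set -eu

# Generate a 32-character hex password: safe to paste into authd.pass and
# into the WAZUH_REGISTRATION_PASSWORD variable without quoting problems.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write the enrollment password to <etc_dir>/authd.pass, readable only by
# root and the wazuh group (mode 640, owner root:wazuh on a real manager).
# Usage: write_authd_pass <etc_dir> [password]; prints the password in use.
write_authd_pass() {
    local dir="$1" pass="${2:-$(gen_password)}" f
    f="$dir/authd.pass"
    ( umask 077; printf '%s\n' "$pass" > "$f" )   # never world-readable, even briefly
    chmod 640 "$f"
    # chown only when the wazuh group exists (it does on a manager, not in a sandbox)
    if getent group wazuh >/dev/null 2>&1; then chown root:wazuh "$f"; fi
    printf '%s' "$pass"
}

# Turn <use_password>no</use_password> into yes inside ossec.conf.
# Returns 1 when the option is absent, so the caller fails loudly instead of
# continuing with open enrollment.
enable_authd_password() {
    local conf="$1"
    grep -q '<use_password>no</use_password>' "$conf" || return 1
    sed -i 's#<use_password>no</use_password>#<use_password>yes</use_password>#' "$conf"
}

# Print the agent-side install command that matches this manager and password.
agent_install_cmd() {
    local manager="$1" pass="$2" name="$3"
    printf 'WAZUH_MANAGER="%s" WAZUH_REGISTRATION_PASSWORD="%s" WAZUH_AGENT_NAME="%s" yum install wazuh-agent\n' \
        "$manager" "$pass" "$name"
}

# Stand-alone use on the manager: bash enroll-password.sh --apply
# (192.168.205.17 and rocky-agent are placeholders from the guide's example)
if [ "${1:-}" = "--apply" ]; then
    PASS=$(write_authd_pass /var/ossec/etc)
    enable_authd_password /var/ossec/etc/ossec.conf
    systemctl restart wazuh-manager          # authd re-reads authd.pass on restart
    agent_install_cmd 192.168.205.17 "$PASS" rocky-agent
fi
```

Run it with --apply on the manager, then paste the printed command on each endpoint; agents that present the wrong password are refused by wazuh-authd, and the password file is never exposed beyond root and the wazuh group.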
Once installed, start and enable the service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Check if the service is running:
$ systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-02-27 23:30:19 EAT; 33s ago
Process: 154859 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 26 (limit: 4575)
Memory: 51.5M
CGroup: /system.slice/wazuh-agent.service
├─154882 /var/ossec/bin/wazuh-execd
├─154894 /var/ossec/bin/wazuh-agentd
├─154907 /var/ossec/bin/wazuh-syscheckd
├─154919 /var/ossec/bin/wazuh-logcollector
└─154936 /var/ossec/bin/wazuh-modulesd
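systemd reporting the agent as active (running) only shows that its daemons started; an agent pointed at the wrong manager address, blocked on 1514/tcp, or refused during enrollment looks identical there. The script below is an added example, not from the original guide: it checks the two things that actually matter, that /var/ossec/etc/client.keys holds the agent's own key entry (enrollment succeeded) and that /var/ossec/var/run/wazuh-agentd.state reports status='connected' with a recent last_ack (the manager is acknowledging keepalives). The Wazuh 4.x default paths and file layouts are assumptions; both paths are parameters, and the --check mode uses the defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): confirm a Wazuh agent is enrolled and
# connected, going beyond "systemctl status". Assumes the Wazuh 4.x layout:
#   /var/ossec/etc/client.keys            "<id> <name> <ip> <key>" per agent
#   /var/ossec/var/run/wazuh-agentd.state key='value' lines written by wazuh-agentd
set -eu

# Read key='value' from a wazuh-agentd.state file (empty output if absent).
state_value() {
    local file="$1" key="$2"
    sed -n "s/^${key}='\(.*\)'$/\1/p" "$file"
}

# Enrollment check: client.keys must contain exactly one non-blank line with
# four fields. Prints the agent id on success, returns 1 otherwise.
enrolled_agent_id() {
    local keys="$1" n id
    [ -s "$keys" ] || return 1
    n=$(grep -cv '^[[:space:]]*$' "$keys" || true)
    [ "$n" -eq 1 ] || return 1
    id=$(awk 'NF == 4 { print $1; exit }' "$keys")
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Connection check: status must be 'connected' and last_ack no older than
# <max_age> seconds (default 120; the agent's keepalive interval is well below
# that). <now> is injectable for testing. Prints the status; returns 0 only
# when the agent is healthy.
agent_connected() {
    local state="$1" max_age="${2:-120}" now="${3:-$(date +%s)}" status ack ack_epoch
    status=$(state_value "$state" status)
    ack=$(state_value "$state" last_ack)
    printf '%s\n' "${status:-unknown}"
    [ "$status" = "connected" ] || return 1
    ack_epoch=$(date -d "$ack" +%s 2>/dev/null) || return 1   # unparsable ACK time = unhealthy
    [ $((now - ack_epoch)) -le "$max_age" ]
}

# Stand-alone use on an endpoint: bash agent-health.sh --check
if [ "${1:-}" = "--check" ]; then
    id=$(enrolled_agent_id /var/ossec/etc/client.keys) || { echo "agent not enrolled"; exit 1; }
    echo "agent id: $id"
    agent_connected /var/ossec/var/run/wazuh-agentd.state || { echo "agent not connected"; exit 1; }
fi
```

An empty client.keys means enrollment never completed (check the manager's 1515/tcp and the registration password); status='connected' with a stale last_ack means the agent is sending but the manager is not answering, which is typically 1514/tcp blocked one way or a mismatched key after a re-enrollment.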
Agent and manager are compatible only when the manager version is equal to or later than the agent's. To stop an unattended package upgrade from leaving an agent newer than its manager, disable the Wazuh repository on the endpoint once the agent is installed, and re-enable it only for a deliberate upgrade after the manager has been upgraded:
##For APT
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
apt-get update
##FOR YUM
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
##FOR ZYpp
sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
The new agent now appears on the Wazuh dashboard: navigate to the Agents tab to see the added agents, and click an agent to open its dashboards. From the manager's shell you can confirm the same with the agent_control utility, which with -lc lists only the agents currently connected:
sudo /var/ossec/bin/agent_control -lc
Verdict
We have learned how to set up Wazuh With Agent on Rocky Linux 9 / AlmaLinux 9 / CentOS 9. At this point, you should be able to perform real-time integrity monitoring, threat detection, incident response, and compliance analysis of your systems.
Interested in more?
- Deploy Wazuh Security Platform on Linux using Ansible
- Deploy Wazuh Security Platform on Linux using Puppet
- Run Wazuh Server in Docker Containers using Docker Compose
- How To Install Wazuh Server on Ubuntu