Query regarding hardware specifications for Wazuh-Elastic


ocerna0721

Dec 21, 2023, 7:52:23 PM
to Wazuh | Mailing List

Good evening, community,

Could you tell me the requirements needed to set up a Wazuh-Elastic all-in-one server?

Stuti Gupta

Dec 21, 2023, 9:36:02 PM
to Wazuh | Mailing List
Hi team!
Thank you for using Wazuh.

Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Regards

Stuti Gupta

Dec 21, 2023, 11:19:34 PM
to Wazuh | Mailing List
Hi ocerna0721,
Hope you are doing well, and thank you for using Wazuh.

Hardware requirements highly depend on the number of protected endpoints and cloud workloads. This number can help estimate how much data will be analyzed and how many security alerts will be stored and indexed. You can refer to the following if you are going for an all-in-one deployment, which is usually enough for monitoring up to 100 endpoints and for 90 days of queryable/indexed alert data:

Agents    CPU      RAM     Storage (90 days)
1–25      4 vCPU   8 GiB   50 GB
25–50     8 vCPU   8 GiB   100 GB
50–100    8 vCPU   8 GiB   200 GB
Refer: https://documentation.wazuh.com/4.5/quickstart.html#installation-requirements

However, starting from Wazuh version 4.6, integrated applications for third-party platforms like Splunk and Elastic will no longer be developed. Instead, new methods for integration are provided. For Wazuh integration with Elastic, you can refer to https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html. I recommend the integration method only, but in case you want to go with a Wazuh-Elastic all-in-one server, follow these steps:

Install all the necessary packages:
yum: yum install zip unzip curl
APT: apt-get install apt-transport-https zip unzip lsb-release curl gnupg

Installing Elasticsearch
Adding the Elastic Stack repository
yum:
Import the GPG key: rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the repository:
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

APT:
Install the GPG key: curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
Add the repository: echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package information: apt-get update

Install elasticsearch:
Yum: yum install elasticsearch-7.17.13
APT: apt-get install elasticsearch=7.17.13

Download the configuration file /etc/elasticsearch/elasticsearch.yml: curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml
Certificates creation and deployment:
curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/instances_aio.yml
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in /usr/share/elasticsearch/instances.yml --keep-ca-key --out ~/certs.zip
unzip ~/certs.zip -d ~/certs

Create the directory /etc/elasticsearch/certs, and then copy the CA file, the certificate and the key:
mkdir /etc/elasticsearch/certs/ca -p
cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
chown -R elasticsearch: /etc/elasticsearch/certs
chmod -R 500 /etc/elasticsearch/certs
chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
rm -rf ~/certs/ ~/certs.zip

Enable and start the Elasticsearch service:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

Generate credentials: /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k

Installing Wazuh server
Yum: yum install wazuh-manager-4.5.4-1
APT: apt-get install wazuh-manager=4.5.4-1

Enable and start the Wazuh manager service:
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager

Installing Filebeat
Yum: yum install filebeat-7.17.13
APT: apt-get install filebeat=7.17.13

Download Filebeat config file
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.5.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat: curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

Edit the file /etc/filebeat/filebeat.yml and add line: output.elasticsearch.password: <elasticsearch_password>
Replace elasticsearch_password with the previously generated password for elastic user.

Create /etc/filebeat/certs/ and copy the certificates into it:
mkdir /etc/filebeat/certs/ca -p
cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key

Enable and start the Filebeat service:
systemctl enable filebeat
systemctl start filebeat
filebeat test output

Kibana installation and configuration
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

Install the Kibana package:

Yum: yum install kibana-7.17.13
APT: apt-get install kibana=7.17.13

Copy the Elasticsearch certificates into the Kibana configuration folder:
mkdir /etc/kibana/certs/ca -p
cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
chown -R kibana:kibana /etc/kibana/
chmod -R 500 /etc/kibana/certs
chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*

Download the Kibana configuration file: curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/kibana_all_in_one.yml
Edit the /etc/kibana/kibana.yml file: elasticsearch.password: <elasticsearch_password>
Values to be replaced: <elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for the elastic user.

Create the /usr/share/kibana/data directory:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana

Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.4_7.17.13-1.zip

Link kibana's socket to privileged port 443: setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Enable and start the Kibana service:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>

Reference: https://documentation.wazuh.com/4.5/deployment-options/elastic-stack/all-in-one-deployment/index.html

Hope this helps. Let me know if you have any issues related to this.
Regards
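A post-deployment check for the all-in-one procedure above, added here as an example; it is not part of the reply or of the Wazuh documentation. It verifies the things that most often go wrong after these steps: a private key or a password-bearing YAML file left world-readable after a cp or a restore, and the <elasticsearch_password> placeholder left unreplaced in filebeat.yml or kibana.yml. It also shows how to probe Elasticsearch with curl --cacert against the CA that elasticsearch-certutil generated, instead of -k, which disables certificate verification entirely. The default paths (/etc/elasticsearch/certs, /etc/filebeat, /etc/kibana), the function names and the ES_CRED variable are the example's own assumptions.

```shell
#!/bin/sh
# Post-deployment checks for the Wazuh + Elastic 7.17 all-in-one steps above.
# Added example; not from the Wazuh documentation. Paths below are assumptions
# matching the defaults used in the thread; pass others to run_checks.

# Fail if $1 is readable, writable or executable by "other". Uses ls -l so it
# works in any POSIX sh; characters 8-10 of the mode string are the other bits.
check_not_world_readable() {
    f=$1
    [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    other=$(ls -ld "$f" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "INSECURE: $f is accessible by other (other=$other)"
        return 1
    fi
    return 0
}

# Fail if any private key under $1 (node key or ca/ca.key) is world-accessible.
# The procedure sets 400/440; group read (440, as on the Kibana copy) is allowed.
check_key_perms() {
    dir=$1
    rc=0
    for f in "$dir"/*.key "$dir"/ca/ca.key; do
        [ -f "$f" ] || continue   # an unmatched glob leaves the pattern literal
        check_not_world_readable "$f" || rc=1
    done
    return $rc
}

# Fail if a YAML file still carries an unreplaced <...password...> placeholder,
# which leaves Filebeat or Kibana unable to authenticate to Elasticsearch.
check_placeholders() {
    f=$1
    [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    if grep -Eiq '<[a-z_]*password[a-z_]*>' "$f"; then
        echo "UNREPLACED: password placeholder still present in $f"
        return 1
    fi
    return 0
}

# Probe Elasticsearch with certificate verification against the CA generated
# by elasticsearch-certutil, instead of -k. $3 is user:password for curl -u.
check_es_tls() {
    ca=$1
    url=${2:-https://localhost:9200}
    cred=$3
    curl -sS --cacert "$ca" -u "$cred" "$url" >/dev/null
}

# Walk the three certificate directories and the two password-bearing YAMLs.
run_checks() {
    es_certs=${1:-/etc/elasticsearch/certs}
    fb=${2:-/etc/filebeat}
    kb=${3:-/etc/kibana}
    status=0
    for d in "$es_certs" "$fb/certs" "$kb/certs"; do
        check_key_perms "$d" || status=1
    done
    for y in "$fb/filebeat.yml" "$kb/kibana.yml"; do
        check_placeholders "$y" || status=1
        check_not_world_readable "$y" || status=1
    done
    [ "$status" -eq 0 ] && echo "OK: key permissions and placeholders look sane"
    return $status
}

# Runs only when invoked explicitly, e.g.:  sh check.sh --run   (as root).
# Set ES_CRED=elastic:<password> in the environment to also probe TLS.
case ${1:-} in
    --run)
        run_checks "$2" "$3" "$4" || exit 1
        if [ -n "${ES_CRED:-}" ]; then
            check_es_tls "${2:-/etc/elasticsearch/certs}/ca/ca.crt" "" "$ES_CRED" || exit 1
        fi
        ;;
esac
```

The permission checks read the mode bits rather than attempting to open the file, so they give the same answer whether run as root or not; a 644 filebeat.yml that holds the elastic password in clear text is reported even though root could always read it.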

ocerna0721

Dec 26, 2023, 3:29:02 PM
to Wazuh | Mailing List
Thank you Stuti for the information.