how to install Wazuh i need advice


Madison !

Sep 27, 2019, 1:10:47 AM
to Wazuh mailing list
Hello team,
Can you help me install the Wazuh manager on my network?
I have 2 CentOS 7 systems where I want to deploy Wazuh.
On one of them I'm going to install the Wazuh manager and the Wazuh API, and on the second one I'm going to install Filebeat, Elasticsearch, Kibana and the Wazuh app.
Earlier, I tried to install all of these components on one server, but I got a "connection refused" error.

Can you describe how to install it step by step?

Thank you

Daniel Moreno

Sep 27, 2019, 1:24:14 AM
to Wazuh mailing list
Hello Madison,

I’m sorry you were not able to install Wazuh the first time.

By looking at the environment you described I can see you will need to install Filebeat on the machine where the Wazuh server is placed.
Filebeat is used to forward the alerts to Elasticsearch, so it needs to be alongside the Wazuh manager.

I recommend you follow our documentation, where every step you need to follow to get the components installed is explained.
If you experience any kind of problem, don't hesitate to ask us and we will be glad to help you.

You may find our guide on how to install Wazuh on CentOS systems here.

Regards,
Daniel Moreno.

Madison !

Sep 27, 2019, 1:42:18 AM
to Wazuh mailing list
Daniel, thanks for asking.
I did every step in the documentation, but unfortunately I couldn't.
I can't understand some things, like:
How many servers do I need to deploy to install Wazuh?
Do I need to specify the IP address in "output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']" or leave it? For example, the IP of the server where I'm installing the Wazuh manager is 192.168.179.38; does it mean that in the field http://YOUR_ELASTIC_SERVER_IP:9200 I have to write http://192.168.179.38:9200, or do I have to deploy another server where I will deploy Kibana, Elasticsearch, the Wazuh app and Filebeat?
Because I can't get access via HTTPS to the Kibana server.

On Friday, September 27, 2019, at 11:24:14 UTC+6, Daniel Moreno wrote:

Daniel Moreno

Sep 27, 2019, 3:03:19 AM
to Wazuh mailing list

You can either install every component on the same server (single-host architecture) or use several servers (distributed architecture).

It is important to keep in mind that Filebeat has to be installed on the same server where the Wazuh manager is placed.

You may check our documentation for further information.

Indeed, you have to specify the IP address to which your Elasticsearch server is bound.

If you are deploying a single-host architecture you can set it to localhost.

Relevant configurations are:

/etc/filebeat/filebeat.yml:

output.elasticsearch.hosts: ["http://YOUR_ELASTIC_SERVER_IP:9200"] (You have to replace "YOUR_ELASTIC_SERVER_IP" with the IP set in the elasticsearch.yml file. In case you are using localhost you can replace it with localhost.)

/etc/elasticsearch/elasticsearch.yml:

network.host: YOUR_ELASTIC_SERVER_IP (In case you are using localhost as your IP address you can keep this field commented. There are a few more relevant options to set to get Elasticsearch working properly; you can check them here.)

/etc/kibana/kibana.yml:

server.host: Kibana_IP (IP address to use to access Kibana; if you set it to "0.0.0.0" it will listen on every interface.)

elasticsearch.hosts: ["http://YOUR_ELASTIC_SERVER_IP:9200"] (IP address to use to look for the Elasticsearch server; in case you are using localhost you can keep this field commented.)

To access the Kibana server via HTTPS you have to configure X-Pack features; by default you can access Kibana by using "http://YOUR_ELASTIC_SERVER_IP:5601".

You may look for further information about how to configure X-Pack here.

Regards,

Daniel Moreno.

Madison !

Sep 27, 2019, 6:17:22 AM
to Wazuh mailing list
Daniel,
I'm trying to deploy it for a small organization on a single host. The server IP address is 192.168.179.38.
On CentOS the first steps I did are:
1) yum update
2) Installed Wazuh manager
3) Wazuh API
4) Filebeat; here I specified output.elasticsearch.hosts: ['http://192.168.179.38:9200']. Is it correct?
5) Installed Elasticsearch
6) In /etc/elasticsearch/elasticsearch.yml, in the field network.host, I set #network.host: 192.168.179.38
7) "Further configuration will be necessary after changing the network.host option. Add or edit (if commented) the following lines in the file /etc/elasticsearch/elasticsearch.yml". This is the part I didn't understand.

filebeat setup --index-management -E setup.template.json.enabled=false
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch http://192.168.179.38:9200: Get http://192.168.179.38:9200: dial tcp 192.168.179.38:9200: connect: connection refused]

On Friday, September 27, 2019, at 13:03:19 UTC+6, Daniel Moreno wrote:

Daniel Moreno

Sep 27, 2019, 6:43:26 AM
to Wazuh mailing list

The problem may be that the Elasticsearch setting you specified is commented out.

Change #network.host: 192.168.179.38 to network.host: 192.168.179.38 (just remove the # character).

Keep in mind that settings such as "node.name" and "cluster.initial_master_nodes" must be configured to get Elasticsearch working properly.

Every step is described in our documentation.

After configuring Elasticsearch you will need to restart it and execute the Filebeat command again.


I hope it helps!


Regards,

Daniel Moreno.
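As an added example, not code from the thread or from Wazuh, here is a small Python check of the three single-host settings Daniel listed earlier (filebeat.yml, elasticsearch.yml, kibana.yml) together with the commented-out network.host problem diagnosed above. It works on the raw file text with no YAML library, the sample configs are constructed to mirror Madison's setup, and the rule that a non-loopback network.host requires cluster.initial_master_nodes is assumed from Elasticsearch 7 bootstrap behaviour.

```python
import re

LOOPBACK = {"localhost": "127.0.0.1", "_local_": "127.0.0.1"}  # one host, three spellings

def active_settings(text):
    """Uncommented top-level 'key: value' lines; a '#key: value' line is NOT applied."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w.]*):\s*(.*?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2).strip("\"'")
    return found

def commented_keys(text):
    """Keys that appear in commented-out lines such as '#network.host: ...'."""
    return set(re.findall(r"^#\s*([A-Za-z][\w.]*):", text, re.M))

def endpoint(value, default=("localhost", 9200)):
    """Extract (host, port) from a value like '["http://10.0.0.5:9200"]'."""
    m = re.search(r"https?://([^\s:/\]\"']+):(\d+)", value or "")
    return (m.group(1), int(m.group(2))) if m else default

def check_stack(es_yml, filebeat_yml, kibana_yml):
    """Return a list of problems; an empty list means the three files agree."""
    es, fb, kb = (active_settings(t) for t in (es_yml, filebeat_yml, kibana_yml))
    problems = []
    bind = es.get("network.host")
    if bind is None and "network.host" in commented_keys(es_yml):
        problems.append("elasticsearch.yml: network.host is commented out, so "
                        "Elasticsearch listens on localhost only")
    if bind is not None and LOOPBACK.get(bind, bind) != "127.0.0.1":
        # Binding to a real IP enables the ES 7 bootstrap checks (assumed here), which need discovery settings.
        masters, name = es.get("cluster.initial_master_nodes", ""), es.get("node.name")
        if not masters:
            problems.append("elasticsearch.yml: cluster.initial_master_nodes is missing")
        elif name and name not in masters:
            problems.append(f"elasticsearch.yml: node.name {name!r} is not in cluster.initial_master_nodes")
    want_host = bind or "localhost"
    want = (LOOPBACK.get(want_host, want_host), int(es.get("http.port", 9200)))
    for fname, cfg, key in (("filebeat.yml", fb, "output.elasticsearch.hosts"),
                            ("kibana.yml", kb, "elasticsearch.hosts")):
        host, port = endpoint(cfg.get(key))  # both tools default to localhost:9200
        if bind != "0.0.0.0" and (LOOPBACK.get(host, host), port) != want:
            problems.append(f"{fname}: {key} -> {host}:{port}, but Elasticsearch serves on {want[0]}:{want[1]}")
    return problems

# Constructed sample mirroring the thread: Filebeat targets the LAN IP while network.host is still commented.
ES_YML = "#network.host: 192.168.179.38\n#http.port: 9200\n"
FB_YML = 'output.elasticsearch.hosts: ["http://192.168.179.38:9200"]\n'
KB_YML = 'server.host: "0.0.0.0"\n#elasticsearch.hosts: ["http://localhost:9200"]\n'
```

Running check_stack(ES_YML, FB_YML, KB_YML) reports the commented network.host and the Filebeat/Elasticsearch address mismatch, which is the pair behind the "connection refused" in the thread.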

Madison !

Sep 27, 2019, 6:49:40 AM
to Wazuh mailing list
I removed # from the fields network.host and network port.
For cluster.initial_master_nodes I have node-1 and node-2; do I have to call them wazuh-1 and wazuh-2?

On Friday, September 27, 2019, at 16:43:26 UTC+6, Daniel Moreno wrote:

Daniel Moreno

Sep 27, 2019, 6:55:22 AM
to Wazuh mailing list
If you are going to install several Elasticsearch nodes to create a cluster, you have to give a name to each node.
You can use the names you prefer; wazuh-1 and wazuh-2 are fine.

Regards.

Madison !

Sep 27, 2019, 7:57:34 AM
to Wazuh mailing list

I use only one server, where I deployed all the components for Wazuh. I use one Elasticsearch on the Wazuh server. Could you please check my server configuration? Sorry Daniel, but some things I can't understand :)

[Attached screenshots: kibana.PNG, wazuh.PNG, elasticsearch.PNG, connectionrefused.PNG]

On Friday, September 27, 2019, at 16:55:22 UTC+6, Daniel Moreno wrote:

Daniel Moreno

Sep 27, 2019, 8:18:06 AM
to Wazuh mailing list
Those configurations look fine; you should be able to access Kibana via: http://192.168.179.38:5601

Ask me again if you need further assistance.

Regards,
Daniel Moreno.


Madison !

Sep 28, 2019, 3:41:49 AM
to Wazuh mailing list
I tried from my local PC (its IP address is 192.168.179.36) but could not get access to http://192.168.179.38:5601. Maybe I need to run a service like Apache on CentOS to get access to the web console?

On Friday, September 27, 2019, at 18:18:06 UTC+6, Daniel Moreno wrote:

Daniel Moreno

Sep 30, 2019, 5:36:48 AM
to Wazuh mailing list
Hello Madison,

Sorry for the late reply.

It is not necessary to install any web service to access the Kibana interface.

Check that every service is running correctly (elasticsearch, kibana...); you may use:

systemctl status SERVICE

Do you have a connection to the server where Kibana is installed?
You may check it by using:

ping IPADDRESS

In case you do have a connection to the server, do you have any firewall installed?
It is important to allow connections to port 5601 to be able to access Kibana from a different machine.

Regards.
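As an added example (not from the thread or from Wazuh), the service and reachability checks in the reply above can be automated from the output of `ss -ltn` on the server: it tells apart nothing listening (service down), listening on loopback only (unreachable from another PC), and listening on a LAN address (where a firewall rule for the port is the remaining suspect). The ss output below is constructed; the port-to-service table assumes the defaults the thread uses (9200 for Elasticsearch, 5601 for Kibana).

```python
# Ports the thread relies on: the Elasticsearch HTTP API and the Kibana web UI.
SERVICES = {9200: "Elasticsearch", 5601: "Kibana"}
LOOPBACK = ("127.0.0.1", "::1")

def listeners(ss_output):
    """Parse `ss -ltn` output into {port: set(bound addresses)}."""
    bound = {}
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)  # "[::1]:9300" -> "[::1]", "9300"
        bound.setdefault(int(port), set()).add(addr.strip("[]"))
    return bound

def diagnose(ss_output, services=SERVICES):
    """Map each expected port to a verdict following the reply's three checks."""
    bound = listeners(ss_output)
    verdicts = {}
    for port, name in services.items():
        addrs = bound.get(port, set())
        if not addrs:
            verdicts[port] = (f"{name}: nothing listening on {port}; "
                              "check `systemctl status` and the service log")
        elif addrs <= set(LOOPBACK):
            verdicts[port] = (f"{name}: bound to loopback only ({', '.join(sorted(addrs))}); "
                              "reachable from this host but not from another PC")
        else:
            verdicts[port] = (f"{name}: listening on {', '.join(sorted(addrs))}; if a remote "
                              f"client still fails, allow port {port} through the firewall")
    return verdicts

# Constructed `ss -ltn` sample: Kibana listening on loopback only, Elasticsearch on the LAN IP.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    127.0.0.1:5601       0.0.0.0:*
LISTEN 0      128    192.168.179.38:9200  0.0.0.0:*
LISTEN 0      128    [::1]:9300           [::]:*
"""
```

With the sample, diagnose(SS_SAMPLE) flags Kibana as loopback-only, the case where a browser on another PC gets no answer even though the service is up and ping works.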

Madison !

Sep 30, 2019, 11:19:14 PM
to Wazuh mailing list
Hello Daniel,
They are in the same subnet: my PC is 192.168.179.36,
the Wazuh manager is 192.168.179.38.
I can ping them.
Daniel, I've got an idea to deploy it on two servers:
a Wazuh server with all its components (Wazuh manager, Filebeat, Wazuh API) and a second one with the Elastic Stack (Elasticsearch, Kibana, Wazuh app). I will locate them in the same subnet. After installing I will let you know.

On Monday, September 30, 2019, at 15:36:48 UTC+6, Daniel Moreno wrote:

Madison !

Sep 30, 2019, 11:47:31 PM
to Wazuh mailing list
Daniel, can you tell me the system requirements for each system?

On Tuesday, October 1, 2019, at 9:19:14 UTC+6, Madison ! wrote:

Daniel Moreno

Oct 1, 2019, 1:35:53 AM
to Wazuh mailing list
Hello Madison,

The requirements are:

 - Wazuh machine (manager):
    Memory: 4G
    Disk: 100G
    CPU cores: 4

 - Elastic Stack machine:
    Memory: 8G
    Disk: 300G
    CPU cores: 8

We'll be glad to help you with any question.
Please open a new thread if you need further assistance on a different subject.
Regards.