---
# System prepended metadata

title: ubuntu install wazuh
tags: [linux]

---

# ubuntu install wazuh

Set the time zone first. This is important: log and alert timestamps follow the host's clock settings, and a wrong zone makes events hard to correlate later.

```bash=
timedatectl list-timezones
timedatectl list-timezones | grep Tai
timedatectl set-timezone Asia/Taipei
```
<br>

- Wazuh indexer
```bash=
curl -sO https://packages.wazuh.com/4.10/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.10/config.yml
```
<br>

Edit `./config.yml` and fill in the IP address of each node. The `name` values matter: the certificates are generated under these names, so use the same names as `NODE_NAME` when extracting certificates on each node later.
```bash=

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"
```
<br>

```bash=
bash ./wazuh-certs-tool.sh -A
```

Bundle the generated certificates into a tar file, then copy `wazuh-certificates.tar` to all the nodes (Wazuh indexer, Wazuh server and Wazuh dashboard), for example with the `scp` utility.

```bash=
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates
```
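A check worth running before the copy, added here as an example (it is not part of the original note or of the Wazuh tooling): the certificate names inside the tar come from the `name` fields in config.yml, and each node later extracts its own pair through `NODE_NAME`, so a name mismatch only shows up when the service fails to start. The functions below list the tar and report every member a given role would be unable to extract. They assume the tar was built exactly as above (members prefixed with `./`); the tarball in the usage comment is constructed from empty files.

```sh
#!/bin/sh
# Added example: verify wazuh-certificates.tar against the node name a role will
# extract with. Assumes the tar was created with
#   tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# so members are named ./<name>.pem, ./<name>-key.pem, ./root-ca.pem, ./admin.pem, ./admin-key.pem.

# required_certs ROLE NODE_NAME -> prints the tar members that role extracts on this page
# (the indexer additionally needs the admin client certificate for indexer-security-init.sh).
required_certs() {
  role=$1; name=$2
  case "$role" in
    indexer)
      printf '%s\n' "./$name.pem" "./$name-key.pem" "./admin.pem" "./admin-key.pem" "./root-ca.pem" ;;
    server|dashboard)
      printf '%s\n' "./$name.pem" "./$name-key.pem" "./root-ca.pem" ;;
    *)
      echo "unknown role: $role (expected indexer, server or dashboard)" >&2; return 2 ;;
  esac
}

# check_certs_tar TARBALL ROLE NODE_NAME -> 0 when every required member is in the tar,
# 1 when something is missing (each missing member is reported on stderr), 2 on usage errors.
check_certs_tar() {
  tarball=$1; role=$2; name=$3; missing=0
  members=$(tar -tf "$tarball") || return 2
  wanted=$(required_certs "$role" "$name") || return 2
  for m in $wanted; do
    # exact, fixed-string match against one member name per line
    if ! printf '%s\n' "$members" | grep -qxF -e "$m"; then
      echo "$tarball: missing $m (does NODE_NAME=$name match a name in config.yml?)" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage on the node that generated the certificates, with the names from config.yml:
#   check_certs_tar ./wazuh-certificates.tar indexer node-1
#   check_certs_tar ./wazuh-certificates.tar server wazuh-1
#   check_certs_tar ./wazuh-certificates.tar dashboard dashboard
```

Run it once per role before copying the tar; a non-zero exit with a "missing" line means the `name` in config.yml and the `NODE_NAME` you intend to use on that node disagree.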

```bash=
apt-get install debconf adduser procps
```

```bash=
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
```
```bash=
apt-get -y install wazuh-indexer
```
```bash=
NODE_NAME=node-1
```
```bash=
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
```
```bash=
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
```
```bash=
sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt update
```
You only have to initialize the cluster once; there is no need to run this command on every node.
```bash=
/usr/share/wazuh-indexer/bin/indexer-security-init.sh
```
Check that the indexer answers. At this point the credentials are still the defaults, admin / admin. `-k` skips certificate verification; to also confirm the indexer is serving the certificate you generated, use `--cacert /etc/wazuh-indexer/certs/root-ca.pem` instead.
```bash=
curl -k -u admin:admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200
curl -k -u admin:admin https://10.16.232.38:9200
```
```bash=
curl -k -u admin:admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
curl -k -u admin:admin https://10.16.232.38:9200/_cat/nodes?v
```
---
- Wazuh server
```bash=
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
```
```bash=
apt-get -y install wazuh-manager
apt-get -y install filebeat
```
```bash=
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml
```
vim /etc/filebeat/filebeat.yml
```bash=
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["<your ip>:9200"]
  protocol: https
  username: ${username}
  password: ${password}
```
```bash=
filebeat keystore create
```
```bash=
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force
```
```bash=
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
```
```bash=
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
```
```bash=
NODE_NAME=wazuh-1   # the Wazuh server node name from config.yml, not the indexer's
```
```bash=
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
```

Store the Wazuh indexer credentials in the Wazuh keystore; the manager uses them for its own connection to the indexer (vulnerability detection). At this point they are still the defaults, admin / admin, and are rotated in the securing section at the end:
```bash=
echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
```

vim /var/ossec/etc/ossec.conf

Replace `0.0.0.0` with your Wazuh indexer node IP address or hostname. You can find this value in the Filebeat config file `/etc/filebeat/filebeat.yml`.

Ensure the Filebeat certificate and key name match the certificate files in `/etc/filebeat/certs`.

If you have a Wazuh indexer cluster, add a `<host>` entry for each one of your nodes. For example, in a two-node configuration:

```
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
```
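For reference, the complete `<indexer>` block (a child of `<ossec_config>` in `/var/ossec/etc/ossec.conf` on a 4.x manager) with the two-node cluster from the example above filled in. This is added here as an illustration and is not copied from the original note; the 10.0.0.1 and 10.0.0.2 addresses are placeholders. Compare it with the block already present on your node instead of pasting it over the file, which also carries other sections.

```xml
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://10.0.0.1:9200</host>
    <host>https://10.0.0.2:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <!-- must match the renamed files extracted into /etc/filebeat/certs above -->
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
```

The `<certificate>` and `<key>` paths are the ones produced by the `mv -n` renames in the Filebeat certificate step; if you kept the original `$NODE_NAME` file names, change these two lines accordingly.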
```bash=
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager
```

```bash=
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
```

```bash=
sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt update
```
---
- Wazuh dashboard

```bash=
apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later
```

```bash=
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
```

```bash=
apt-get -y install wazuh-dashboard
```


vim /etc/wazuh-dashboard/opensearch_dashboards.yml

1. `server.host`: This setting specifies the host of the Wazuh dashboard server. To allow remote users to connect, set the value to the IP address or DNS name of the Wazuh dashboard server. The value `0.0.0.0` will accept all the available IP addresses of the host.
2. `opensearch.hosts`: The URLs of the Wazuh indexer instances to use for all your queries. The Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster. The addresses of the nodes can be separated by commas. For example, `["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]`
    
```
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
```

```bash=
NODE_NAME=dashboard   # the Wazuh dashboard node name from config.yml
```

```bash=
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
```

```bash=
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
```

vim /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

```bash=
hosts:
   - default:
      url: https://<WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
```
```bash=
sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt update
```

---
- Securing your Wazuh installation

On the Wazuh indexer node, replace the default passwords of all Wazuh indexer internal users (admin, kibanaserver and the rest) with random ones. The new passwords are printed only once, so record them; the admin and kibanaserver values are needed in the steps below.

```bash=
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
```

On the Wazuh server node, change the passwords of the Wazuh API users (`wazuh` and `wazuh-wui`). The `--admin-user` / `--admin-password` values are the API's default credentials, wazuh / wazuh; keep the generated `wazuh-wui` password for the dashboard configuration below.

```bash=
curl -sO https://packages.wazuh.com/4.10/wazuh-passwords-tool.sh
bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
```



On all your Wazuh server nodes, run the following command to update the admin password in the Filebeat keystore. Replace `<ADMIN_PASSWORD>` with the random password generated in the first step, and single-quote it, since generated passwords can contain characters the shell would otherwise interpret. The Wazuh manager's own indexer credentials, stored earlier with `/var/ossec/bin/wazuh-keystore -f indexer -k password`, use the same admin account: rerun that command with the new password too and restart wazuh-manager, otherwise the manager keeps authenticating to the indexer with the old one.
```bash=
echo '<ADMIN_PASSWORD>' | filebeat keystore add password --stdin --force
```

```bash=
systemctl restart filebeat
```
On your Wazuh dashboard node, run the following command to update the kibanaserver password in the Wazuh dashboard keystore. Replace `<KIBANASERVER_PASSWORD>` with the random password generated in the first step (single-quoted, for the same reason as above), then restart wazuh-dashboard.

```bash=
echo '<KIBANASERVER_PASSWORD>' | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
```
Update the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file with the new wazuh-wui password generated in the second step.

```bash=
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
```
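After the rotation, a check that nothing is still running on install-time defaults. This is an added example, not part of the original note or of the Wazuh tooling: it only understands the YAML `password:` lines shown on this page (`/etc/filebeat/filebeat.yml` and the dashboard's `wazuh.yml`) and does not inspect the keystores or the indexer's internal users. The config snippets used for the self-test are constructed.

```sh
#!/bin/sh
# Added example: post-rotation audit of the YAML config files configured on this page.
# Assumes the key/value layouts shown above; paths in the usage loop are the page's own.

# Install-time defaults that wazuh-passwords-tool.sh is supposed to have replaced.
DEFAULT_PASSWORD_RE='^[[:space:]]*password:[[:space:]]*"?(admin|wazuh-wui|kibanaserver)"?[[:space:]]*$'

# count_default_passwords FILE -> prints the number of `password:` lines still set to a default.
count_default_passwords() {
  grep -cE "$DEFAULT_PASSWORD_RE" "$1" || true
}

# filebeat_uses_keystore FILE -> 0 if every password value is a ${keystore} reference, 1 otherwise.
# filebeat.yml must never carry the literal indexer password; it belongs in `filebeat keystore`.
# (wazuh.yml is different: the page stores the wazuh-wui password there literally, so only
#  default values are flagged for it, via count_default_passwords.)
filebeat_uses_keystore() {
  ! grep -qE '^[[:space:]]*password:[[:space:]]*"?[^$[:space:]"]' "$1"
}

# Usage on a node (paths from this page): anything counted here still needs rotating.
for f in /etc/filebeat/filebeat.yml /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml; do
  if [ -r "$f" ]; then
    echo "$f: $(count_default_passwords "$f") password line(s) still at an install-time default"
  fi
done
if [ -r /etc/filebeat/filebeat.yml ] && ! filebeat_uses_keystore /etc/filebeat/filebeat.yml; then
  echo "/etc/filebeat/filebeat.yml holds a literal password; move it into 'filebeat keystore' and reference \${password}" >&2
fi
```

A count of 0 for both files and a silent keystore check is the expected end state of the section above; a hit on `wazuh.yml` means the `<WAZUH_WUI_PASSWORD>` edit was skipped, and a hit on `filebeat.yml` means someone replaced the `${password}` reference with a literal.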