How To Install Wazuh On Ubuntu 22.0.4

How To Install Wazuh On Ubuntu 22.0.4

  • Let’s Upgrade Our Elastic Stack From a Simple SIEM To an EDR with Wazuh

Installing Wazuh on ELK

  • Let’s get the prereqs (prerequisites) for Wazuh
apt install apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
  • We gotta get the keys like we did for ELK, remember ;)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor > /etc/apt/trusted.gpg.d/wazuh.gpg
  • With that we can get to the Wazuh repo
echo "deb https://packages.wazuh.com/4.x/apt stable main" > /etc/apt/sources.list.d/wazuh.list
  • Let’s update our friend APT so Wazuh can move in and bring its luggage :P
sudo apt update

*Install Wazuh

sudo apt install wazuh-manager
  • Don’t forget to be a good SysAdmin and enable Wazuh to start again if the system shutsdown (think of like during a storm and power gets lost)
sudo systemctl enable --now wazuh-manager
  • We need to allow Wazuh thru the firewall so let’s add those rules now too.
ufw allow 1514/tcp
ufw allow 1515/tcp
  • Aight party people we’re on our way to evolving our security operations. Let’s enable the Wazuh Kibana Plugin so we can see it in our GUI.

*Let’s change access so we can start using plugins we use R for reading.

chown -R kibana: /usr/share/kibana/plugins
  • Remember that we’re putting puzzle pieces together so we need to make sure our versions of different software are compatible with one another. Luckily you have your boi @J3st3rJam3s here so i’ll maek it easy for ya!
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.4_7.17.4-1.zip
  • In the event the blog post gets outdated which it will please refer here for the correct Wazuh package you need for the Kibana version.

  • Let’s Be Good SysAdmins and keep our data organized so we’re gonna make a Wazuh data directory for Kibana.

mkdir /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/data
  • Now that we’ve upgraded and evolved let’s update the folks at the copacabana with Kibana.
systemctl restart kibana
  • Let’s create the Wazuh module for Filebeat so we can make sure we have synergy (cringe hated business term).
sudo nano /etc/filebeat/wazuh.yml
  • Add your Elasticsearch and port
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.hosts: ['localhost:9200']
  • Let’s Install the Filebeat Wazuh Module
wget -qO- https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz \
| tar -xz -C /usr/share/filebeat/module/
  • Let’s also get the Wazuh alerts Elasticsearch template
wget -O /etc/filebeat/wazuh-template.json \
https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-template.json
  • Now that we’ve made some updates to filebeat let’s make sure it’s ok with the upgrades (we don’t want to hurt its feelings now do we)
filebeat test config
  • Next let’s download the Wazuh indexer so the data can get indexed
apt -y install wazuh-indexer
  • Let’s config it
sudo nano /etc/wazuh-indexer/opensearch.yml
  • That’s it, let’s restart everything so the puzzle can come together.
systemctl restart elasticsearch kibana filebeat wazuh-manager
  • You should now be able to see Wazuh all ready to go for you to add agents in Kibana.

Let’s Go Ahead And Add Forensic Data By Adding Velociraptor Server

wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.3/velociraptor-v0.6.3-1-linux-amd64
sudo cp velociraptor-v0.6.3-1-linux-amd64 /usr/local/bin/velociraptor
sudo chmod +x /usr/local/bin/velociraptor
  • Now let’s generate a config for Velociraptor
velociraptor config generate -i

  • copy the config to /etc because we’re gonna make velociraptor a service
cp server.config.yaml /etc/velociraptor.config.yaml

*Let’s make velociraptor a service

sudo nano /lib/systemd/system/velociraptor.service
  • Paste below peak the config file and location
[Unit]
Description=Velociraptor linux amd64
After=syslog.target network.target

[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v

[Install]
WantedBy=multi-user.target

*reload systemctl for the update to take effect and enable it for boot

sudo systemctl daemon-reload
sudo systemctl enable --now velociraptor
  • You should now be able to access velociraptor at https://localhost:8889/ and that’s Wazu-h-p :P




comments powered by Disqus