CentLinux | Learn How to Install CentOS/Rocky Linux Servers

Monday, August 7, 2023

How to install Wazuh Server on CentOS/Rocky Linux 9


In this Linux tutorial, you will learn how to install Wazuh Server on Rocky Linux 9 or other Red Hat/CentOS based Linux OS.

 


    What is Wazuh?

    Wazuh platform provides XDR and SIEM features to protect your cloud, container, and server workloads. These include log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, and support for regulatory compliance.

    The Wazuh solution is based on the Wazuh agent, which is deployed on the monitored endpoints, and on three central components: the Wazuh manager, the Wazuh indexer, and the Wazuh dashboard.

    1. The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
    2. The Wazuh manager analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
    3. The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for security events, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.
    4. Wazuh agents are installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, macOS, Solaris, AIX, and HP-UX.

    In addition to agent-based monitoring capabilities, the Wazuh platform can monitor agent-less devices such as firewalls, switches, routers, or network IDS, among others. For example, system log data can be collected via Syslog, and a device's configuration can be monitored by periodically probing it via SSH or through an API.

     

    Environment Specification:

    We are using a minimal Rocky Linux 9 virtual machine with the following specifications.

    • CPU - 3.4 GHz (2 cores)
    • Memory - 4 GB
    • Storage - 40 GB
    • Operating System - Rocky Linux release 9.2 (Blue Onyx)
    • Hostname - wazuh-01.centlinux.com
    • IP Address - 192.168.18.83/24

     

    Prepare your Rocky Linux Server:

    Log in to your Rocky Linux server as the root user using an SSH client.

    Set a static IP address for your Wazuh server by using the nmcli command.

    # nmcli c m enp0s3 ipv4.method manual ipv4.addresses 192.168.18.83/24 ipv4.gateway 192.168.18.1 ipv4.dns 192.168.18.1
    # nmcli c down enp0s3 ; nmcli c up enp0s3

    Set a FQDN (Fully Qualified Domain Name) hostname for your Linux machine.

    # hostnamectl set-hostname wazuh-01.centlinux.com
    # echo "192.168.18.83 wazuh-01 wazuh-01.centlinux.com" >> /etc/hosts

    As a best practice, always update the installed packages in your Linux OS before installing new software.

    # dnf update -y

    Sometimes the above command also updates packages related to the Linux kernel. If this happens, reboot your Linux OS so that it runs the new kernel.

    # reboot

    Note down the Linux OS and Kernel versions that are being used in this tutorial.

    # cat /etc/rocky-release
    Rocky Linux release 9.2 (Blue Onyx)
    
    # uname -r
    5.14.0-284.25.1.el9_2.x86_64

    Install the Wazuh software prerequisites by executing the dnf command.

    # dnf install -y coreutils chkconfig tar libcap

     

    Create Security Certificates:

    To encrypt communication between Wazuh components, you need to create the necessary security certificates.

    The Wazuh official website provides a bash script for this purpose. You can download the script and the relevant configuration file with the curl command.

    # curl -sO https://packages.wazuh.com/4.4/wazuh-certs-tool.sh
    # curl -sO https://packages.wazuh.com/4.4/config.yml

    Edit config.yml file by using vim text editor.

    # vi config.yml

    Locate and set the following directives in this file.

    nodes:
      # Wazuh indexer nodes
      indexer:
        - name: wazuh-01
          ip: 192.168.18.83
    
      # Wazuh server nodes
      # If there is more than one Wazuh server
      # node, each one must have a node_type
      server:
        - name: wazuh-01
          ip: 192.168.18.83
    
      # Wazuh dashboard nodes
      dashboard:
        - name: dashboard
          ip: 192.168.18.83

    Here, we are installing Wazuh on a single node, therefore we are only adding one hostname and IP address. In a multi-node setup, you need to add all the nodes of your Wazuh cluster to this file.

    Execute the bash script to generate Wazuh security certificates.

    # bash ./wazuh-certs-tool.sh -A
    04/08/2023 21:15:41 INFO: Admin certificates created.
    04/08/2023 21:15:41 INFO: Wazuh indexer certificates created.
    04/08/2023 21:15:43 INFO: Wazuh server certificates created.
    04/08/2023 21:15:44 INFO: Wazuh dashboard certificates created.

    Use the tar command to create an archive of the security certificates folder.

    # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
    ./
    ./root-ca.key
    ./root-ca.pem
    ./admin-key.pem
    ./admin.pem
    ./wazuh-01-key.pem
    ./wazuh-01.pem
    ./dashboard-key.pem
    ./dashboard.pem

    Remove the security certificates folder with the rm command. Note that the archive you just created also holds root-ca.key, the private key of the CA that signed every component certificate, so keep the archive readable only by root.

    # rm -rf ./wazuh-certificates

     

    Installing Wazuh Yum Repository:

    Wazuh software components for Red Hat/CentOS based Linux OS are available via their official yum repository.

    To install the Wazuh yum repository on your Rocky Linux server, first import the GPG key of that repository so that dnf can verify package signatures.

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

    Execute the following command to install the Wazuh yum repository.

    # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
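The repository file above keeps signature verification on (gpgcheck=1 with a gpgkey fetched over HTTPS). The following added example, which is not from the CentLinux post or the Wazuh project, is a small POSIX shell check that refuses a .repo file if any section disables gpgcheck, omits gpgkey, or points gpgkey at a non-HTTPS URL; the two sample files it writes are constructed for an offline run, one mirroring the tutorial's wazuh.repo and one deliberately weakened.

```shell
#!/bin/sh
# Added example, not from the CentLinux post or the Wazuh project.
# Verifies that every [section] of a yum .repo file keeps RPM signature
# verification on: gpgcheck must be 1 and gpgkey must be an https:// URL.
set -eu

# repo_gpgcheck_ok FILE
# Returns 0 when every section passes; otherwise prints one line per problem
# and returns 1, so it can guard a provisioning script.
repo_gpgcheck_ok() {
  awk '
    function flush() {
      if (section != "") {
        if (gpgcheck != "1")              { print "[" section "] gpgcheck is not 1"; bad = 1 }
        if (gpgkey == "")                 { print "[" section "] gpgkey is missing"; bad = 1 }
        else if (gpgkey !~ /^https:\/\//) { print "[" section "] gpgkey is not fetched over https"; bad = 1 }
      }
      section = ""; gpgcheck = ""; gpgkey = ""
    }
    # a "[name]" line starts a new section; check the previous one first
    /^[[:space:]]*\[[^]]+[]][[:space:]]*$/ {
      flush()
      section = $0
      gsub(/^[[:space:]]*\[|[]][[:space:]]*$/, "", section)
      next
    }
    # capture the two directives we care about, trimming around "="
    /^[[:space:]]*gpgcheck[[:space:]]*=/ { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); gpgcheck = v }
    /^[[:space:]]*gpgkey[[:space:]]*=/   { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); gpgkey = v }
    END { flush(); exit (bad ? 1 : 0) }
  ' "$1"
}

# write_demo_repos DIR: constructed sample files for an offline run.
# good.repo mirrors the tutorial's wazuh.repo; weak.repo disables signature
# checking and fetches its key over plain http.
write_demo_repos() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/good.repo" <<'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
  cat > "$dir/weak.repo" <<'EOF'
[wazuh]
gpgcheck=0
gpgkey=http://example.invalid/GPG-KEY-WAZUH
enabled=1
baseurl=https://packages.wazuh.com/4.x/yum/
EOF
}

# Offline demonstration: "sh repo-check.sh demo" (file name assumed).
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  write_demo_repos "$d"
  repo_gpgcheck_ok "$d/good.repo" && echo "good.repo: OK"
  repo_gpgcheck_ok "$d/weak.repo" || echo "weak.repo: rejected"
  rm -rf "$d"
fi
```

On a real host you would run `repo_gpgcheck_ok /etc/yum.repos.d/wazuh.repo` before the first `dnf install`; the function reads any .repo file, not only the one this tutorial writes.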

    Build the yum cache for the newly installed repository.

    # dnf makecache
    Rocky Linux 9 - BaseOS                          1.4 kB/s | 4.1 kB     00:03
    Rocky Linux 9 - AppStream                       3.3 kB/s | 4.5 kB     00:01
    Rocky Linux 9 - Extras                          1.6 kB/s | 2.9 kB     00:01
    EL-9 - Wazuh                                    941 kB/s |  16 MB     00:17
    Metadata cache created.

    You have successfully set up the Wazuh yum repository; now you can easily install your SIEM software.

     

    Installing Wazuh Indexer:

    Install the Wazuh indexer on your Rocky Linux server with the dnf command.

    # dnf -y install wazuh-indexer

    Open the indexer configuration file in the vim text editor.

    # vi /etc/wazuh-indexer/opensearch.yml

    Locate and set the following directives in this file.

    network.host: "192.168.18.83"
    node.name: "wazuh-01"
    cluster.initial_master_nodes:
    - "wazuh-01"
    plugins.security.nodes_dn:
    - "CN=wazuh-01,OU=Wazuh,O=Wazuh,L=California,C=US"

    Deploy the security certificates that you created in the previous step on the Wazuh indexer.

    # export NODE_NAME=wazuh-01
    # mkdir /etc/wazuh-indexer/certs
    # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
    # mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
    # mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
    # chmod 500 /etc/wazuh-indexer/certs
    # chmod 400 /etc/wazuh-indexer/certs/*
    # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

    Enable and start Wazuh Indexer service.

    # systemctl enable --now wazuh-indexer
    Synchronizing state of wazuh-indexer.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install enable wazuh-indexer
    Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.

    The Wazuh indexer listens on port 9200/tcp. Therefore, you need to allow this port in your Linux firewall.

    # firewall-cmd --permanent --add-port=9200/tcp
    success
    
    # firewall-cmd --reload
    success

    Execute the indexer-security-init.sh script on any Wazuh indexer node to load the new certificates information and initiate the single-node or multi-node cluster.

    # /usr/share/wazuh-indexer/bin/indexer-security-init.sh
    **************************************************************************
    ** This tool will be deprecated in the next major release of OpenSearch **
    ** https://github.com/opensearch-project/security/issues/1755           **
    **************************************************************************
    Security Admin v7
    Will connect to 192.168.18.83:9200 ... done
    Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
    OpenSearch Version: 2.6.0
    Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
    Clustername: wazuh-cluster
    Clusterstate: GREEN
    Number of nodes: 1
    Number of data nodes: 1
    .opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
    Populate config from /etc/wazuh-indexer/opensearch-security/
    Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
       SUCC: Configuration for 'config' created or updated
    Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
       SUCC: Configuration for 'roles' created or updated
    Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
       SUCC: Configuration for 'rolesmapping' created or updated
    Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
       SUCC: Configuration for 'internalusers' created or updated
    Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
       SUCC: Configuration for 'actiongroups' created or updated
    Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
       SUCC: Configuration for 'tenants' created or updated
    Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
       SUCC: Configuration for 'nodesdn' created or updated
    Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
       SUCC: Configuration for 'whitelist' created or updated
    Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
       SUCC: Configuration for 'audit' created or updated
    Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
       SUCC: Configuration for 'allowlist' created or updated
    SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
    Done with success

    Run the following command to confirm that the Wazuh indexer is up and answering on port 9200. The -k flag skips certificate verification for this one-off check; to verify the chain against your own root CA instead, replace it with --cacert /etc/wazuh-indexer/certs/root-ca.pem.

    # curl -k -u admin:admin https://wazuh-01.centlinux.com:9200
    {
      "name" : "wazuh-01",
      "cluster_name" : "wazuh-cluster",
      "cluster_uuid" : "OYd3dDQ5QUmoGfN0QQ1uxQ",
      "version" : {
        "number" : "7.10.2",
        "build_type" : "rpm",
        "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
        "build_date" : "2023-02-24T18:57:04.388618985Z",
        "build_snapshot" : false,
        "lucene_version" : "9.5.0",
        "minimum_wire_compatibility_version" : "7.10.0",
        "minimum_index_compatibility_version" : "7.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }

     

    Installing Wazuh Manager:

    Install the Wazuh manager on your Rocky Linux server with the dnf command.

    # dnf install -y wazuh-manager

    Enable and start Wazuh Manager service.

    # systemctl enable --now wazuh-manager
    Synchronizing state of wazuh-manager.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install enable wazuh-manager
    Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.

    The Wazuh manager uses ports 1514/tcp and 1515/tcp for communication with the Wazuh agents. Therefore, you are required to allow both ports in your Linux firewall.

    # firewall-cmd --permanent --add-port={1514,1515}/tcp
    success
    
    # firewall-cmd --reload
    success

    Install Filebeat with the following command.

    # dnf install -y filebeat

    Download the Wazuh-provided Filebeat configuration file.

    # curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.4/tpl/wazuh/filebeat/filebeat.yml

    Open the Filebeat configuration file in the vim text editor.

    # vi /etc/filebeat/filebeat.yml

    Find and set the following directive in it.

      hosts: ["192.168.18.83:9200"]

    Create a Filebeat keystore to securely store authentication credentials.

    # filebeat keystore create
    Created filebeat keystore

    Add the default username and password admin/admin to the secrets keystore.

    # echo admin | filebeat keystore add username --stdin --force
    Successfully updated the keystore
    
    # echo admin | filebeat keystore add password --stdin --force
    Successfully updated the keystore

    Download the alerts template for the Wazuh indexer.

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.4/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json

    Install the Wazuh module for Filebeat.

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

    Deploy the security certificates that you created in the previous step on the Wazuh server, for use by Filebeat.

    # export NODE_NAME=wazuh-01
    # mkdir /etc/filebeat/certs
    # tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
    # mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
    # mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
    # chmod 500 /etc/filebeat/certs
    # chmod 400 /etc/filebeat/certs/*
    # chown -R root:root /etc/filebeat/certs

    Enable and start Filebeat service.

    # systemctl enable --now filebeat
    Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
    Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.

    Run the following command to verify that Filebeat can reach the Wazuh indexer over TLS.

    # filebeat test output
    elasticsearch: https://192.168.18.83:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 192.168.18.83
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2

     

    Installing Wazuh Dashboard:

    Install the Wazuh dashboard on your Rocky Linux server with the dnf command.

    # dnf install -y wazuh-dashboard

    Open the Wazuh dashboard configuration file in the vim text editor.

    # vi /etc/wazuh-dashboard/opensearch_dashboards.yml

    Find and set the following directives in this file.

    server.host: 192.168.18.83
    opensearch.hosts: https://192.168.18.83:9200
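The tutorial edits the indexer's network.host and node.name and the dashboard's server.host and opensearch.hosts by hand in vim. When you provision several Wazuh hosts, you want that edit to be repeatable, so here is an added example, not from the CentLinux post or the Wazuh project, of an idempotent setter for top-level scalar YAML directives: it replaces an existing line for the key, uncomments a "# key: default" line if that is all the file has, collapses duplicates, and appends the directive when the key is absent. It is deliberately limited to top-level scalars; the list-valued cluster.initial_master_nodes and plugins.security.nodes_dn directives and the nested Filebeat hosts: line need a different edit. The file it runs on is constructed inline.

```shell
#!/bin/sh
# Added example, not from the CentLinux post or the Wazuh project.
# Idempotent setter/getter for top-level scalar directives in the OpenSearch-style
# YAML files this tutorial edits (opensearch.yml, opensearch_dashboards.yml).
set -eu

# set_yaml_directive FILE KEY VALUE
# VALUE is written verbatim after "KEY: " (quote it yourself if the file needs
# quotes). awk -v expands backslash escapes, so avoid backslashes in VALUE.
set_yaml_directive() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    {
      line = $0
      sub(/^#[[:space:]]*/, "", line)       # treat "# key: x" like "key: x"
      k = line
      if (index(k, ":") == 0) k = ""        # lines without a colon never match
      sub(/[[:space:]]*:.*$/, "", k)        # text before the first colon = key
      # only an unindented key counts as top-level; nested keys are untouched
      if (k == key) { if (!seen) print key ": " value; seen = 1; next }
    }
    { print }
    END { if (!seen) print key ": " value } # absent: append the directive
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"                      # keep the original owner and mode
  rm -f "$tmp"
}

# get_yaml_directive FILE KEY: prints the active value of top-level KEY, if any
get_yaml_directive() {
  awk -v key="$2" '
    /^#/ { next }
    {
      k = $0
      if (index(k, ":") == 0) next
      sub(/[[:space:]]*:.*$/, "", k)
      if (k == key) { v = $0; sub(/^[^:]*:[[:space:]]*/, "", v); print v; exit }
    }
  ' "$1"
}

# make_demo_yaml FILE: a constructed stand-in for a fresh opensearch.yml
make_demo_yaml() {
  printf '%s\n' \
    '# network.host: 0.0.0.0' \
    'node.name: "node-1"' \
    'path.data: /var/lib/wazuh-indexer' > "$1"
}
```

On the real host the calls are `set_yaml_directive /etc/wazuh-indexer/opensearch.yml network.host '"192.168.18.83"'` and `set_yaml_directive /etc/wazuh-dashboard/opensearch_dashboards.yml server.host 192.168.18.83`; running the same call again leaves the file unchanged, which is what makes it safe in a configuration-management step.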

    Deploy the security certificates that you created in the previous step on the Wazuh dashboard.

    # export NODE_NAME=wazuh-01
    # mkdir /etc/wazuh-dashboard/certs
    # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
    # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
    # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
    # chmod 500 /etc/wazuh-dashboard/certs
    # chmod 400 /etc/wazuh-dashboard/certs/*
    # chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
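The certificate deployment above is the same eight-command sequence the tutorial runs three times (indexer, Filebeat on the manager, and dashboard), differing only in the destination directory, the target file name, the owner, and whether the admin pair is included. The following added example, which is not from the CentLinux post or the Wazuh project, folds that sequence into one POSIX shell function and adds a checker for the result, useful after an upgrade or a hand edit has touched a certs directory. The archive it runs on is constructed with placeholder contents instead of real certificates so the example runs offline.

```shell
#!/bin/sh
# Added example, not from the CentLinux post or the Wazuh project.
# deploy_certs: extract one node's certificate pair plus root-ca.pem (and, for the
# indexer, the admin pair) from wazuh-certificates.tar into a component's certs
# directory, rename the node files to the name the component expects, and lock
# down mode and ownership. verify_certs_dir checks that state afterwards.
set -eu

# deploy_certs ARCHIVE NODE_NAME DEST_DIR BASENAME OWNER [yes]
#   e.g. deploy_certs ./wazuh-certificates.tar wazuh-01 /etc/wazuh-indexer/certs \
#          indexer wazuh-indexer:wazuh-indexer yes
deploy_certs() {
  archive=$1; node=$2; dest=$3; base=$4; owner=$5; with_admin=${6:-no}
  mkdir -p "$dest"
  if [ "$with_admin" = yes ]; then
    tar -xf "$archive" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem ./admin.pem ./admin-key.pem
  else
    tar -xf "$archive" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem
  fi
  mv -n "$dest/$node.pem" "$dest/$base.pem"          # -n: never clobber an existing file
  mv -n "$dest/$node-key.pem" "$dest/$base-key.pem"
  chmod 500 "$dest"                                   # owner may list and enter, nobody else
  chmod 400 "$dest"/*                                 # private keys: owner read-only
  chown -R "$owner" "$dest"
}

# verify_certs_dir DIR BASENAME
# Returns 0 when DIR is mode 500, holds BASENAME.pem, BASENAME-key.pem and
# root-ca.pem, and every regular file in it is mode 400; otherwise says why.
verify_certs_dir() {
  dest=$1; base=$2
  [ -d "$dest" ] || { echo "missing $dest"; return 1; }
  [ -z "$(find "$dest" -maxdepth 0 ! -perm 500)" ] || { echo "$dest is not mode 500"; return 1; }
  for f in "$base.pem" "$base-key.pem" root-ca.pem; do
    [ -f "$dest/$f" ] || { echo "missing $dest/$f"; return 1; }
  done
  [ -z "$(find "$dest" -mindepth 1 -maxdepth 1 -type f ! -perm 400)" ] || { echo "a file in $dest is not mode 400"; return 1; }
  return 0
}

# make_demo_archive OUT_TAR NODE_NAME
# Constructed stand-in for the tutorial's archive: same member names, placeholder
# contents instead of real PEM data, so the functions above can be exercised offline.
make_demo_archive() {
  out=$1; node=$2
  d=$(mktemp -d)
  for f in root-ca.key root-ca.pem admin-key.pem admin.pem "$node-key.pem" "$node.pem" dashboard-key.pem dashboard.pem; do
    echo "placeholder contents of $f (not a real PEM)" > "$d/$f"
  done
  tar -cf "$out" -C "$d" .
  rm -rf "$d"
}

# Offline demonstration: "sh deploy-certs.sh demo" (file name assumed).
if [ "${1:-}" = demo ]; then
  w=$(mktemp -d)
  make_demo_archive "$w/wazuh-certificates.tar" wazuh-01
  deploy_certs "$w/wazuh-certificates.tar" wazuh-01 "$w/indexer" indexer "$(id -un)" yes
  verify_certs_dir "$w/indexer" indexer && echo "indexer certs: OK"
  chmod -R u+w "$w" && rm -rf "$w"
fi
```

Run as root on the real host, the three tutorial deployments become three calls: `deploy_certs ./wazuh-certificates.tar wazuh-01 /etc/wazuh-indexer/certs indexer wazuh-indexer:wazuh-indexer yes`, `deploy_certs ./wazuh-certificates.tar wazuh-01 /etc/filebeat/certs filebeat root:root`, and `deploy_certs ./wazuh-certificates.tar wazuh-01 /etc/wazuh-dashboard/certs dashboard wazuh-dashboard:wazuh-dashboard`. Note that root-ca.key is never extracted; only the archive holds it.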

    Enable and start Wazuh Dashboard service.

    # systemctl enable --now wazuh-dashboard.service
    Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.

    The Wazuh dashboard listens on port 443/tcp. Therefore, allow the https service in your Linux firewall.

    # firewall-cmd --permanent --add-service=https
    success
    
    # firewall-cmd --reload
    success

    Open https://wazuh-01.centlinux.com in a web browser.


    Log in with the default credentials used above, i.e. admin/admin.


    You have reached the Wazuh dashboard.

     

    Installing Wazuh Agent:

    At this point the Wazuh dashboard shows no agents. Add one by performing the steps below.

    Log in to the Linux machine that you want to monitor and install the Wazuh agent there.

    The Wazuh agent uses SysV-style scripts to start and stop its services. Therefore, you need to install the chkconfig package on your Linux machine.

    # dnf install -y chkconfig

    Execute the following command to download and install Wazuh Agent software.

    # sudo WAZUH_MANAGER='192.168.18.83' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.4.5-1.x86_64.rpm

    In the above command, set WAZUH_MANAGER to the IP address of your own Wazuh manager.

    Enable and start the Wazuh agent service.

    # systemctl enable --now wazuh-agent
    Synchronizing state of wazuh-agent.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install enable wazuh-agent
    Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service.

    Refresh your Wazuh Dashboard.


    The Wazuh agent has been deployed on your Linux node and is now submitting events and metrics to your Wazuh server.

     

    Conclusion:

    In this Linux tutorial, you have learned how to install Wazuh Server on Rocky Linux 9 or other Red Hat/CentOS based Linux OS.

    If you found this article useful, consider supporting us via Buy Me A Coffee.



    © 2023 CentLinux. All Rights Reserved.