Wazuh Manager Install - Ubuntu




  • Pull down latest repository updates


    sudo apt update
    

    Install curl, apt-transport-https, and lsb-release


    sudo apt install curl
    sudo apt install apt-transport-https
    sudo apt install lsb-release
    

    Create symbolic link to python


    if [ ! -f /usr/bin/python ]; then ln -s /usr/bin/python3 /usr/bin/python; fi
    
    

    Install GPG Key


    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    

    Add repository


    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    

    Pull down latest package information


    apt update
    

    Install wazuh


    apt install wazuh-manager
    

    Confirm Wazuh is running


    systemctl status wazuh-manager
    

    Install Wazuh API



    Add Node JS repository


    curl -sL https://deb.nodesource.com/setup_8.x | bash -
    

    Install Node JS


    sudo apt install nodejs
    

    Install Wazuh API


    sudo apt install wazuh-api
    

    Check status


    sudo systemctl status wazuh-api
    

    Disable Wazuh automatic updates


    sudo sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
    sudo apt update
    

    Install GPG keys and add repository


    curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
    

    APT Update


    sudo apt update
    

    Install Filebeat


    sudo apt install filebeat=6.7.1
    

    Download Filebeat config file to forward logs


    sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml
    
    

    Edit Filebeat config file to point to Elastic Server IP (In this lab environment I am using 127.0.0.1)


    sed -i 's/YOUR_ELASTIC_SERVER_IP/127.0.0.1/' /etc/filebeat/filebeat.yml
    

    Start Filebeat service and configure it to automatically start at boot


    sudo systemctl daemon-reload
    sudo systemctl enable filebeat.service
    sudo systemctl start filebeat.service
    

    Disable Elasticsearch repository updates


    sudo sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
    sudo apt update
    
    


  • A few things:

    The manager label is wrong. It says manger instead of manager.

    @IRJ said in Wazuh Manager Install - Ubuntu:

    Install Filebeat

    There are two entries for "Install Filebeat"

    I tried to install Filebeat going command by command and it can't find it.



  • @wirestyle22 said in Wazuh Manager Install - Ubuntu:

    A few things:

    The manager label is wrong. It says manger instead of manager.

    @IRJ said in Wazuh Manager Install - Ubuntu:

    Install Filebeat

    There are two entries for "Install Filebeat"

    I tried to install Filebeat going command by command and it can't find it.

    Thanks, I fixed the guide.

    What you need to do is this:

    #***********************************************************
    #Install GPG keys and add repository
    #***********************************************************
    
    curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
    
    #***********************************************************
    # APT Update
    #***********************************************************
    
    sudo apt update
    
    #***********************************************************
    #Install Filebeat
    #***********************************************************
    sudo apt install -y filebeat=6.7.1
    
    #***********************************************************
    #Download Filebeat config file to forward logs
    #***********************************************************
    
    sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml
    
    
    #***********************************************************
    #Edit Filebeat config file to point to Elastic Server IP (In this lab environment I am using 127.0.0.1)
    #***********************************************************
    
    sed -i 's/YOUR_ELASTIC_SERVER_IP/192.168.122.181/' /etc/filebeat/filebeat.yml
    
    #***********************************************************
    #Start Filebeat service and configure it to automatically start at boot
    #***********************************************************
    sudo systemctl daemon-reload
    sudo systemctl enable filebeat.service
    sudo systemctl start filebeat.service
    

    Make sure to replace 192.168.122.181 with your IP, or localhost if you are using a single server for Wazuh and ELK.
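
The repository-disable and placeholder-replacement steps in this thread both rely on `sed`, which exits 0 even when nothing matched. The following is an added example, not code from either poster: shell helpers that apply each edit and then verify it took effect. The function names and the temp-file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Works on constructed temp files only.

# Print the active (uncommented) deb/deb-src lines of an APT source file.
active_repo_lines() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" || true
}

# Comment out every active entry. Idempotent: "#deb" no longer matches.
disable_repo() {
    sed -i -E 's/^([[:space:]]*deb(-src)?[[:space:]])/#\1/' "$1"
}

# Succeed only if no active entry remains in the file.
repo_is_disabled() {
    [ -z "$(active_repo_lines "$1")" ]
}

# Replace the YOUR_ELASTIC_SERVER_IP placeholder and verify the result.
# Returns 2 for an unsafe host value, 1 if the placeholder is missing.
set_elastic_host() {
    cfg=$1; host=$2
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host: $host" >&2; return 2 ;;
    esac
    grep -q 'YOUR_ELASTIC_SERVER_IP' "$cfg" || {
        echo "placeholder not found in $cfg" >&2; return 1; }
    sed -i "s/YOUR_ELASTIC_SERVER_IP/$host/g" "$cfg"
    ! grep -q 'YOUR_ELASTIC_SERVER_IP' "$cfg"
}

# Demo on constructed copies of the two files the guide edits.
demo() {
    dir=$(mktemp -d)
    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > "$dir/wazuh.list"
    printf 'output:\n logstash:\n   hosts: ["YOUR_ELASTIC_SERVER_IP:5000"]\n' > "$dir/filebeat.yml"
    disable_repo "$dir/wazuh.list"
    repo_is_disabled "$dir/wazuh.list" && echo "repo disabled: $(cat "$dir/wazuh.list")"
    set_elastic_host "$dir/filebeat.yml" 127.0.0.1 && grep hosts "$dir/filebeat.yml"
    rm -rf "$dir"
}
demo
```

Against the real files, the same functions would be run with `sudo` on `/etc/apt/sources.list.d/wazuh.list`, `/etc/apt/sources.list.d/elastic-6.x.list` and `/etc/filebeat/filebeat.yml`.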