Integrations Wazuh and ELK

Elastic Stack integration

Prerequisites

Ubuntu Server 24.04.2 - 192.168.35.133

Wazuh ELK version support: 4.0-4.5

Elasticsearch version 7.17.13

Installing Elasticsearch

Ubuntu’s default package repositories do not include Elasticsearch components. However, you can install them via APT by adding Elastic’s official package source. To enhance security and prevent package spoofing, all packages are signed with a GPG key, enabling the package manager to verify their authenticity. Before proceeding with the installation, let’s import the public GPG key and add the Elastic package source list.

curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
apt-get update

image.png

Install the Elasticsearch package with apt:

apt-get install elasticsearch=7.17.13

Next, we need download the configuration file /etc/elasticsearch/elasticsearch.yml as follows:

curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml

Now, download the configuration file for creating the certificates:

curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/instances_aio.yml

In the following steps, a file will be generated containing a folder named after the instance specified here. This folder will store the necessary certificates and keys required for secure SSL communication with the Elasticsearch node. To create these certificates, use the elasticsearch-certutil tool with the following command: This command generates a certificate authority (CA) along with SSL certificates and keys based on the details provided in instances.yml, packaging them into a ZIP archive for easy access.

This command generates a certificate authority (CA) along with SSL certificates and keys based on the details provided in instances.yml, packaging them into a ZIP archive for easy access. Extract file /usr/share/elasticsearch/certs.zip

The next step is to create the directory /etc/elasticsearch/certs, and then copy the CA file, the certificate and the key there:

mkdir /etc/elasticsearch/certs/ca -p
cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
chown -R elasticsearch: /etc/elasticsearch/certs
chmod -R 500 /etc/elasticsearch/certs
chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
rm -rf ~/certs/ ~/certs.zip

Now, enable Elasticsearch to start automatically on system boot.

To generate credentials for all pre-built roles and users in the Elastic Stack, run the following command:

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

This command will automatically create and assign passwords for built-in users such as elastic, kibana_system, and logstash_system

Changed password for user apm_system
PASSWORD apm_system = RvO8Bof9goYCKz271iR1

Changed password for user kibana_system
PASSWORD kibana_system = 03qAiRFFq5LCgvU6JkrX

Changed password for user kibana
PASSWORD kibana = 03qAiRFFq5LCgvU6JkrX

Changed password for user logstash_system
PASSWORD logstash_system = MYkLunGQbIM0HPO5w4Y5

Changed password for user beats_system
PASSWORD beats_system = iz4KjmvwQAxtsxhlrxWA

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = 5tgED4CNOcNCrkNF48oF

Changed password for user elastic
PASSWORD elastic = o85WC5Aln3STkLyP4WD3

To check that the installation was made successfull, run the following command:

curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k

{
  "name" : "elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "QdKE2Hh-R1S8fTSoohV4rw",
  "version" : {
    "number" : "7.17.13",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "2b211dbb8bfdecaf7f5b44d356bdfe54b1050c13",
    "build_date" : "2023-08-31T17:33:19.958690787Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Installing Wazuh server

The Wazuh server collects and analyzes data from deployed agents, running the Wazuh manager, API, and Filebeat. To set up Wazuh, start by adding the repository:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

Next, we will install the Wazuh manager package

apt-get install wazuh-manager=4.5.4-1

Now, enable Wazuh manager service to start automatically on system boot.

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager

Installing Filebeat

Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

Install the Filebeat package with command:

apt-get install filebeat=7.17.13

Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/filebeat_all_in_one.yml

Download the alerts template for Elasticsearch:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.5.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

Next, we need to update the /etc/filebeat/filebeat.yml with nano to configure

Copy the certificates into /etc/filebeat/certs/

cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key

To enable and start the Filebeat service, run the following commands:

systemctl daemon-reload  
systemctl enable filebeat  
systemctl start filebeat  
systemctl status filebeat

Next, check test the connection to Elasticsearch by running.

filebeat test output

Kibana installation and

configuration

Kibana is a powerful and user-friendly web interface for exploring, analyzing, and visualizing data stored in Elasticsearch.

Now, we need install the Kibana package

apt-get install kibana=7.17.13

Copy the Elasticsearch certificates into the Kibana configuration folder:

mkdir /etc/kibana/certs/ca -p
cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
chown -R kibana:kibana /etc/kibana/
chmod -R 500 /etc/kibana/certs
chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*

Next,download the Kibana configuration file

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/kibana_all_in_one.yml

The next step is to open the Kibana configuration file /etc/kibana/kibana.yml

nano /etc/kibana/kibana.yml

Create the /usr/share/kibana/data directory

mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana

Next, install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.4_7.17.13-1.zip

Link Kibana's socket to privileged port 443:

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Now, enable and start the Kibana service

systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

Access the web interface using the password generated during the Elasticsearch installation process:

URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>