Integrations Wazuh and ELK
Elastic Stack integration
Prerequisites
Ubuntu Server 24.04.2 - 192.168.35.133
Wazuh ELK version support: 4.0-4.5
Elasticsearch version 7.17.13
Installing Elasticsearch
Ubuntu’s default package repositories do not include Elasticsearch components. However, you can install them via APT by adding Elastic’s official package source. To enhance security and prevent package spoofing, all packages are signed with a GPG key, enabling the package manager to verify their authenticity. Before proceeding with the installation, let’s import the public GPG key and add the Elastic package source list.
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
apt-get update
Install the Elasticsearch package with apt:
apt-get install elasticsearch=7.17.13
Next, download the Elasticsearch configuration file to /etc/elasticsearch/elasticsearch.yml as follows:
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml
Now, download the configuration file used to create the certificates:
curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/instances_aio.yml
In the following steps, an archive will be generated containing a folder named after the instance specified in this file. This folder holds the certificates and keys required for SSL communication with the Elasticsearch node. To create these certificates, use the elasticsearch-certutil tool with the following command:

This command generates a certificate authority (CA) along with SSL certificates and keys based on the details provided in instances.yml, packaging them into a ZIP archive for easy access. Extract the file /usr/share/elasticsearch/certs.zip:

The next step is to create the directory /etc/elasticsearch/certs, and then copy the CA file, the certificate and the key there:
mkdir /etc/elasticsearch/certs/ca -p
cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
chown -R elasticsearch: /etc/elasticsearch/certs
chmod -R 500 /etc/elasticsearch/certs
chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
rm -rf ~/certs/ ~/certs.zip
Now, enable Elasticsearch to start automatically on system boot.

To generate credentials for all pre-built roles and users in the Elastic Stack, run the following command:
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
This command will automatically create and assign passwords for built-in users such as elastic, kibana_system, and logstash_system:
Changed password for user apm_system
PASSWORD apm_system = RvO8Bof9goYCKz271iR1
Changed password for user kibana_system
PASSWORD kibana_system = 03qAiRFFq5LCgvU6JkrX
Changed password for user kibana
PASSWORD kibana = 03qAiRFFq5LCgvU6JkrX
Changed password for user logstash_system
PASSWORD logstash_system = MYkLunGQbIM0HPO5w4Y5
Changed password for user beats_system
PASSWORD beats_system = iz4KjmvwQAxtsxhlrxWA
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = 5tgED4CNOcNCrkNF48oF
Changed password for user elastic
PASSWORD elastic = o85WC5Aln3STkLyP4WD3
To check that the installation was successful, run the following command:
curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k
{
  "name" : "elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "QdKE2Hh-R1S8fTSoohV4rw",
  "version" : {
    "number" : "7.17.13",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "2b211dbb8bfdecaf7f5b44d356bdfe54b1050c13",
    "build_date" : "2023-08-31T17:33:19.958690787Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
Installing Wazuh server
The Wazuh server collects and analyzes data from deployed agents, running the Wazuh manager, API, and Filebeat. To set up Wazuh, start by adding the repository:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
Next, install the Wazuh manager package:
apt-get install wazuh-manager=4.5.4-1
Now, enable the Wazuh manager service to start automatically on system boot:
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager
Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.
Install the Filebeat package with the following command:
apt-get install filebeat=7.17.13
Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/filebeat_all_in_one.yml
Download the alerts template for Elasticsearch:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.5.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
Next, update /etc/filebeat/filebeat.yml with nano to configure

Create the /etc/filebeat/certs/ca directory (as was done for Elasticsearch) and copy the certificates into /etc/filebeat/certs/:
mkdir /etc/filebeat/certs/ca -p
cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key
To enable and start the Filebeat service, run the following commands:
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
systemctl status filebeat
Next, test the connection to Elasticsearch by running:
filebeat test output
Kibana installation and configuration
Kibana is a powerful and user-friendly web interface for exploring, analyzing, and visualizing data stored in Elasticsearch.
Now, install the Kibana package:
apt-get install kibana=7.17.13
Copy the Elasticsearch certificates into the Kibana configuration folder:
mkdir /etc/kibana/certs/ca -p
cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
chown -R kibana:kibana /etc/kibana/
chmod -R 500 /etc/kibana/certs
chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
Next, download the Kibana configuration file:
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/kibana_all_in_one.yml
The next step is to open the Kibana configuration file /etc/kibana/kibana.yml:
nano /etc/kibana/kibana.yml
Create the /usr/share/kibana/data directory:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana
Next, install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.4_7.17.13-1.zip
Link Kibana's socket to privileged port 443:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Now, enable and start the Kibana service:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<wazuh_server_ip>
user: elastic
password: <PASSWORD_elastic>