{"id":17669,"date":"2023-07-04T22:55:40","date_gmt":"2023-07-04T19:55:40","guid":{"rendered":"https:\/\/kifarunix.com\/?p=17669"},"modified":"2024-03-10T10:33:37","modified_gmt":"2024-03-10T07:33:37","slug":"install-wazuh-manager-with-elk-on-debian","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-wazuh-manager-with-elk-on-debian\/","title":{"rendered":"Install Wazuh Manager with ELK on Debian 12"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install Wazuh Manager with ELK on Debian 12. According to the <a href=\"https:\/\/documentation.wazuh.com\/current\/\" target=\"_blank\" rel=\"noreferrer noopener\">documentation<\/a>, <em>Wazuh is a free and open source platform for threat detection, security monitoring, incident response and regulatory compliance.<\/em><\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-wazuh-manager-with-elk-on-debian-12\">Installing Wazuh Manager with ELK on Debian 12<\/a><ul><li><a href=\"#install-elastic-stack-on-debian-12\">Install Elastic Stack on Debian 12<\/a><ul><li><a href=\"#install-elastic-stack-7-x-apt-repositories-on-debian-12\">Install Elastic Stack 7.x APT repositories on Debian 12;<\/a><\/li><li><a href=\"#install-elasticsearch-7-17-9-on-debian-12\">Install Elasticsearch 7.17.9 on Debian 12<\/a><\/li><li><a href=\"#configure-elasticsearch\">Configure Elasticsearch<\/a><\/li><li><a href=\"#install-kibana-7-17-9-on-debian-12\">Install Kibana 7.17.9 on Debian 12<\/a><\/li><li><a href=\"#configure-kibana\">Configure Kibana<\/a><\/li><li><a href=\"#install-filebeat-on-debian-12\">Install Filebeat on Debian 12<\/a><\/li><\/ul><\/li><li><a href=\"#install-wazuh-manager-on-debian-12\">Install Wazuh Manager on Debian 12<\/a><ul><li><a href=\"#install-wazuh-apt-repository-on-debian-12\">Install Wazuh APT Repository on Debian 12<\/a><\/li><\/ul><\/li><li><a 
href=\"#integrate-wazuh-manager-with-elk-stack\">Integrate Wazuh Manager with ELK Stack<\/a><ul><li><a href=\"#install-wazuh-manager-kibana-app-plugin\">Install Wazuh Manager Kibana App plugin<\/a><\/li><li><a href=\"#configure-filebeat-for-wazuh-manager\">Configure Filebeat for Wazuh Manager<\/a><\/li><\/ul><\/li><li><a href=\"#enable-syslog-logging-on-debian-12\">Enable Syslog Logging on Debian 12<\/a><\/li><li><a href=\"#restart-kibana-elasticsearch-filebeat-ans-wazuh-manager\">Restart Kibana, Elasticsearch, Filebeat and Wazuh-manager<\/a><\/li><li><a href=\"#accessing-wazuh-app-on-kibana-web-interface\">Accessing Wazuh App on Kibana Web Interface<\/a><\/li><li><a href=\"#install-wazuh-agents\">Install Wazuh Agents<\/a><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-wazuh-manager-with-elk-on-debian-12\">Installing Wazuh Manager with ELK on Debian 12<\/h2>\n\n\n\n<p><em>Wazuh can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. 
Wazuh provides the following capabilities<\/em>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Security Analytics<\/em><\/li>\n\n\n\n<li><em>Intrusion Detection<\/em><\/li>\n\n\n\n<li><em>Log Data Analysis<\/em><\/li>\n\n\n\n<li><em>File Integrity Monitoring<\/em><\/li>\n\n\n\n<li><em>Vulnerability Detection<\/em><\/li>\n\n\n\n<li><em>Configuration Assessment<\/em><\/li>\n\n\n\n<li><em>Incident Response<\/em><\/li>\n\n\n\n<li><em>Regulatory Compliance<\/em><\/li>\n\n\n\n<li><em>Cloud Security Monitoring<\/em><\/li>\n\n\n\n<li><em>Containers Security<\/em><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-elastic-stack-on-debian-12\">Install Elastic Stack on Debian 12<\/h3>\n\n\n\n<p>To fully utilize Wazuh manager capabilities and have a UI for visualization, Wazuh has to be integrated with Elastic Stack, specifically <strong>Kibana<\/strong> for visualization, <strong>Elasticsearch<\/strong> for data storage and search, and <strong>Filebeat<\/strong> for collecting Wazuh manager event data and pushing it to Elasticsearch.<\/p>\n\n\n\n<p>Thus, to install Wazuh manager, you need to begin by setting up Elastic Stack: Kibana, Elasticsearch and Filebeat.<\/p>\n\n\n\n<p>According to the Wazuh <a href=\"https:\/\/documentation.wazuh.com\/current\/upgrade-guide\/compatibility-matrix\/index.html#components-compatibility\" target=\"_blank\" rel=\"noreferrer noopener\">components compatibility matrix page<\/a>, the current stable release of Wazuh (<strong>v4.4.4<\/strong>) supports up to ELK 7.17.9 as of this writing.<\/p>\n\n\n\n<p>This therefore determines the version of Elastic Stack to deploy.<\/p>\n\n\n\n<p>To install Elastic Stack 7.17.9 components on Debian 12, proceed as follows.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-elastic-stack-7-x-apt-repositories-on-debian-12\">Install Elastic Stack 7.x APT repositories on Debian 12;<\/h4>\n\n\n\n<pre 
class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch \\\n| sudo gpg --dearmor -o \/etc\/apt\/trusted.gpg.d\/elastic.gpg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main\" \\\n&gt; \/etc\/apt\/sources.list.d\/elastic-7.x.list<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-elasticsearch-7-17-9-on-debian-12\">Install Elasticsearch 7.17.9 on Debian 12<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install elasticsearch=7.17.9<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-elasticsearch\">Configure Elasticsearch<\/h4>\n\n\n\n<p>Elasticsearch should just work with its default settings. Feel free to check <a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/settings.html\" target=\"_blank\" rel=\"noreferrer noopener\">Important Elasticsearch settings<\/a>.<\/p>\n\n\n\n<p>If Elasticsearch needs to be accessed by external Beats, you need to set the IP address it listens on and define whether it runs as a multi-node or single-node cluster.<\/p>\n\n\n\n<p>Start and enable Elasticsearch to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now elasticsearch<\/code><\/pre>\n\n\n\n<p>Confirm the Elasticsearch port is open;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altnp | grep 9200<\/code><\/pre>\n\n\n\n<p>You can check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status elasticsearch<\/code><\/pre>\n\n\n\n<p>You can check the logs if need be. 
By default, the logs are written to <strong><code>\/var\/log\/elasticsearch\/CLUSTER_NAME.log<\/code><\/strong>, where CLUSTER_NAME is <strong><code>elasticsearch<\/code><\/strong> by default. Thus, the default log file is <strong><code>\/var\/log\/elasticsearch\/elasticsearch.log<\/code><\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-kibana-7-17-9-on-debian-12\">Install Kibana 7.17.9 on Debian 12<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install kibana=7.17.9<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-kibana\">Configure Kibana<\/h4>\n\n\n\n<p>To begin with, set the Kibana server IP address to allow external access. By default, it only listens on the loopback interface.<\/p>\n\n\n\n<p>For example, my server IP address is <code>192.168.57.102<\/code>. Thus, to configure Kibana to listen on this host IP address, run the command below (be sure to change the address to match your environment).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/server.host:\/s\/^#\/\/;s\/localhost\/192.168.57.102\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>If you want to configure Kibana to listen on all interfaces, just use <code>0.0.0.0<\/code> instead of the IP above. 
For example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/server.host:\/s\/^#\/\/;s\/localhost\/0.0.0.0\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>We will keep the other settings at their default values.<\/p>\n\n\n\n<p>Start and enable Kibana to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now kibana<\/code><\/pre>\n\n\n\n<p>Confirm the Kibana port is open <strong>after a short while<\/strong>, as Kibana takes a moment to start up.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altnp | grep 5601<\/code><\/pre>\n\n\n\n<p>If need be, check the <strong><code>syslog<\/code><\/strong> and <strong><code>\/var\/log\/kibana\/kibana.log<\/code><\/strong> log files.<\/p>\n\n\n\n<p>Open the Kibana port on the firewall.<\/p>\n\n\n\n<p>If using UFW, run;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 5601\/tcp<\/code><\/pre>\n\n\n\n<p>If using iptables;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -I INPUT -p tcp --dport 5601 -j ACCEPT<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables-save &gt; \/etc\/iptables\/rules.v4<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-filebeat-on-debian-12\">Install Filebeat on Debian 12<\/h4>\n\n\n\n<p>Filebeat is required to <em>forward Wazuh manager alerts and archived events to Elasticsearch<\/em>. 
You can install version 7.17.9, the version supported by Wazuh as of this writing, using the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install filebeat=7.17.9 -y<\/code><\/pre>\n\n\n\n<p>Enable it to run on boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable filebeat<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wazuh-manager-on-debian-12\">Install Wazuh Manager on Debian 12<\/h3>\n\n\n\n<p>Next, proceed to install Wazuh server\/manager on Debian 12.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-apt-repository-on-debian-12\">Install Wazuh APT Repository on Debian 12<\/h4>\n\n\n\n<p>Install the Wazuh repository using the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -s https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH | \\\ngpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/wazuh.gpg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb https:\/\/packages.wazuh.com\/4.x\/apt stable main\" &gt; \/etc\/apt\/sources.list.d\/wazuh.list<\/code><\/pre>\n\n\n\n<p>Update the package information:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<p>Next, install Wazuh manager on Debian 12.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install wazuh-manager<\/code><\/pre>\n\n\n\n<p>Once the installation is complete, you can start and enable Wazuh-manager to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now wazuh-manager<\/code><\/pre>\n\n\n\n<p>Open the Wazuh manager port on the firewall. By default, Wazuh agents communicate with the Wazuh manager via TCP port 1514. 
Thus, open port 1514\/tcp on the Wazuh manager.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p tcp --dport 1514 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 1514\/tcp<\/code><\/pre>\n\n\n\n<p>Also, allow port 1515\/tcp for agent registration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p tcp --dport 1515 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 1515\/tcp<\/code><\/pre>\n\n\n\n<p>Read more on <a href=\"https:\/\/documentation.wazuh.com\/current\/getting-started\/architecture.html#required-ports\" target=\"_blank\" rel=\"noreferrer noopener\">required ports<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"integrate-wazuh-manager-with-elk-stack\">Integrate Wazuh Manager with ELK Stack<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-manager-kibana-app-plugin\">Install Wazuh Manager Kibana App plugin<\/h4>\n\n\n\n<p>To install the Wazuh manager\/server Kibana App, proceed as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R kibana: \/usr\/share\/kibana\/plugins<\/code><\/pre>\n\n\n\n<p>Ensure the plugin version you install is compatible with both the installed ELK stack version and the installed Wazuh manager version; the plugin file name encodes both (Wazuh 4.4.4 and Kibana 7.17.9 below).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -u kibana \/usr\/share\/kibana\/bin\/kibana-plugin install \\\nhttps:\/\/packages.wazuh.com\/4.x\/ui\/kibana\/wazuh_kibana-4.4.4_7.17.9-1.zip<\/code><\/pre>\n\n\n\n<p>Sample output of the installation;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nhttps:\/\/packages.wazuh.com\/4.x\/ui\/kibana\/wazuh_kibana-4.4.4_7.17.9-1.zip\nAttempting to transfer from https:\/\/packages.wazuh.com\/4.x\/ui\/kibana\/wazuh_kibana-4.4.4_7.17.9-1.zip\nTransferring 38528170 bytes....................\nTransfer complete\nRetrieving metadata from plugin archive\nExtracting plugin archive\nExtraction complete\nPlugin installation 
complete\n<\/code><\/pre>\n\n\n\n<p>Create the Wazuh Kibana data directory and set its ownership to the&nbsp;<code><strong>kibana<\/strong><\/code>&nbsp;user.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/usr\/share\/kibana\/data<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R kibana: \/usr\/share\/kibana\/data<\/code><\/pre>\n\n\n\n<p>Restart Kibana;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart kibana<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-filebeat-for-wazuh-manager\">Configure Filebeat for Wazuh Manager<\/h4>\n\n\n\n<p>Back up the default configuration file and replace it with the following configuration.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv \/etc\/filebeat\/filebeat.{yml,stock}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/filebeat\/filebeat.yml &lt;&lt; 'EOL'\noutput.elasticsearch:\n  hosts: [\"localhost:9200\"]\nsetup.template.json.enabled: true\nsetup.template.json.path: '\/etc\/filebeat\/wazuh-template.json'\nsetup.template.json.name: 'wazuh'\nsetup.ilm.overwrite: true\nsetup.ilm.enabled: false\n\nfilebeat.modules:\n  - module: wazuh\n    alerts:\n      enabled: true\n    archives:\n      enabled: false\nlogging.level: info\nlogging.to_files: true\nlogging.files:\n  path: \/var\/log\/filebeat\n  name: filebeat\n  keepfiles: 7\n  permissions: 0644\nlogging.metrics.enabled: false\n\nseccomp:\n  default_action: allow\n  syscalls:\n  - action: allow\n    names:\n    - rseq\nEOL\n<\/code><\/pre>\n\n\n\n<p>Install the Filebeat Wazuh module:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO- https:\/\/packages.wazuh.com\/4.x\/filebeat\/wazuh-filebeat-0.2.tar.gz \\\n| tar -xz -C \/usr\/share\/filebeat\/module\/<\/code><\/pre>\n\n\n\n<p>Download and install the Wazuh alerts Elasticsearch template:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -O \/etc\/filebeat\/wazuh-template.json 
\\\nhttps:\/\/raw.githubusercontent.com\/wazuh\/wazuh\/4.4\/extensions\/elasticsearch\/7.x\/wazuh-template.json<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod go+r \/etc\/filebeat\/wazuh-template.json<\/code><\/pre>\n\n\n\n<p>Test the Filebeat config;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat test config<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Config OK<\/code><\/pre>\n\n\n\n<p>Test the Filebeat Elasticsearch output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat test output<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>elasticsearch: http:\/\/localhost:9200...\n  parse url... OK\n  connection...\n    parse host... OK\n    dns lookup... OK\n    addresses: 127.0.0.1\n    dial up... OK\n  TLS... WARN secure connection disabled\n  talk to server... OK\n  version: 7.17.9\n<\/code><\/pre>\n\n\n\n<p>The TLS warning in the output shows that Filebeat is talking to Elasticsearch over plain HTTP on localhost; this tutorial does not enable Elasticsearch security features.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enable-syslog-logging-on-debian-12\">Enable Syslog Logging on Debian 12<\/h3>\n\n\n\n<p>Note that on recent Debian base systems, systemd-journald is now the default logging system. Rsyslog has been made optional and is thus not installed by default.<\/p>\n\n\n\n<p>As a result, you would need some other mechanism for Wazuh to read and collect journald logs.<\/p>\n\n\n\n<p>To make life &#8220;easier&#8221;, let&#8217;s just enable Rsyslog!<\/p>\n\n\n\n<p>Install Rsyslog;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install rsyslog<\/code><\/pre>\n\n\n\n<p>Start and enable rsyslog to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now rsyslog<\/code><\/pre>\n\n\n\n<p>You now have your usual logs under <strong><code>\/var\/log\/<\/code><\/strong>.<\/p>\n\n\n\n<p>To avoid storing logs twice on the system, remove the journald log directory (journald then falls back to volatile storage in memory) and restart it;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rm -rf \/var\/log\/journal<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart systemd-journald<\/code><\/pre>\n\n\n\n<p>Next, configure Wazuh-manager to collect your syslog files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/var\/ossec\/etc\/ossec.conf<\/code><\/pre>\n\n\n\n<p>Add these lines between the <code>&lt;ossec_config&gt;<\/code> and <code>&lt;\/ossec_config&gt;<\/code> tags;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n&lt;localfile&gt;\n  &lt;log_format&gt;syslog&lt;\/log_format&gt;\n  &lt;location&gt;\/var\/log\/syslog&lt;\/location&gt;\n&lt;\/localfile&gt;\n&lt;localfile&gt;\n  &lt;log_format&gt;syslog&lt;\/log_format&gt;\n  &lt;location&gt;\/var\/log\/auth.log&lt;\/location&gt;\n&lt;\/localfile&gt;\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"restart-kibana-elasticsearch-filebeat-ans-wazuh-manager\">Restart Kibana, Elasticsearch, Filebeat and Wazuh-manager<\/h3>\n\n\n\n<p>The configuration is done! 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart elasticsearch kibana filebeat wazuh-manager<\/code><\/pre>\n\n\n\n<p>Checking the status of each service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status elasticsearch kibana filebeat wazuh-manager<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf elasticsearch.service - Elasticsearch\n     Loaded: loaded (\/lib\/systemd\/system\/elasticsearch.service; enabled; preset: enabled)\n     Active: active (running) since Tue 2023-07-04 15:01:42 EDT; 4min 53s ago\n       Docs: https:\/\/www.elastic.co\n   Main PID: 49870 (java)\n      Tasks: 67 (limit: 4642)\n     Memory: 2.2G\n        CPU: 1min 2.324s\n     CGroup: \/system.slice\/elasticsearch.service\n             \u251c\u250049870 \/usr\/share\/elasticsearch\/jdk\/bin\/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negati>\n             \u2514\u250050181 \/usr\/share\/elasticsearch\/modules\/x-pack-ml\/platform\/linux-x86_64\/bin\/controller\n\nJul 04 15:01:11 wazuh-elk systemd[1]: Starting elasticsearch.service - Elasticsearch...\nJul 04 15:01:42 wazuh-elk systemd[1]: Started elasticsearch.service - Elasticsearch.\n<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n \u25cf kibana.service - Kibana\n     Loaded: loaded (\/etc\/systemd\/system\/kibana.service; enabled; preset: enabled)\n     Active: active (running) since Tue 2023-07-04 15:01:10 EDT; 5min ago\n       Docs: https:\/\/www.elastic.co\n   Main PID: 49805 (node)\n      Tasks: 11 (limit: 4642)\n     Memory: 423.9M\n        CPU: 22.012s\n     CGroup: \/system.slice\/kibana.service\n             \u2514\u250049805 \/usr\/share\/kibana\/bin\/..\/node\/bin\/node \/usr\/share\/kibana\/bin\/..\/src\/cli\/dist --logging.dest=\/var\/log\/kibana\/kibana.l>\n\nJul 04 15:01:10 wazuh-elk systemd[1]: Started kibana.service - Kibana.\n<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf filebeat.service - Filebeat sends log files to 
Logstash or directly to Elasticsearch.\n     Loaded: loaded (\/lib\/systemd\/system\/filebeat.service; enabled; preset: enabled)\n     Active: active (running) since Tue 2023-07-04 15:01:10 EDT; 5min ago\n       Docs: https:\/\/www.elastic.co\/beats\/filebeat\n   Main PID: 49789 (filebeat)\n      Tasks: 7 (limit: 4642)\n     Memory: 33.2M\n        CPU: 198ms\n     CGroup: \/system.slice\/filebeat.service\n             \u2514\u250049789 \/usr\/share\/filebeat\/bin\/filebeat --environment systemd -c \/etc\/filebeat\/filebeat.yml --path.home \/usr\/share\/filebeat>\n\nJul 04 15:01:10 wazuh-elk systemd[1]: Started filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch..\n<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf wazuh-manager.service - Wazuh manager\n     Loaded: loaded (\/lib\/systemd\/system\/wazuh-manager.service; enabled; preset: enabled)\n     Active: active (running) since Tue 2023-07-04 15:01:37 EDT; 6min ago\n    Process: 50102 ExecStart=\/usr\/bin\/env \/var\/ossec\/bin\/wazuh-control start (code=exited, status=0\/SUCCESS)\n      Tasks: 112 (limit: 4642)\n     Memory: 315.9M\n        CPU: 30.736s\n     CGroup: \/system.slice\/wazuh-manager.service\n             \u251c\u250050204 \/var\/ossec\/framework\/python\/bin\/python3 \/var\/ossec\/api\/scripts\/wazuh-apid.py\n             \u251c\u250050244 \/var\/ossec\/bin\/wazuh-authd\n             \u251c\u250050261 \/var\/ossec\/bin\/wazuh-db\n             \u251c\u250050285 \/var\/ossec\/bin\/wazuh-execd\n             \u251c\u250050299 \/var\/ossec\/bin\/wazuh-analysisd\n             \u251c\u250050311 \/var\/ossec\/bin\/wazuh-syscheckd\n             \u251c\u250050357 \/var\/ossec\/bin\/wazuh-remoted\n             \u251c\u250050405 \/var\/ossec\/bin\/wazuh-logcollector\n             \u251c\u250050413 \/var\/ossec\/framework\/python\/bin\/python3 \/var\/ossec\/api\/scripts\/wazuh-apid.py\n             \u251c\u250050416 \/var\/ossec\/framework\/python\/bin\/python3 
\/var\/ossec\/api\/scripts\/wazuh-apid.py\n             \u251c\u250050430 \/var\/ossec\/bin\/wazuh-monitord\n             \u2514\u250050452 \/var\/ossec\/bin\/wazuh-modulesd\n\nJul 04 15:01:27 wazuh-elk env[50102]: Started wazuh-db...\nJul 04 15:01:28 wazuh-elk env[50102]: Started wazuh-execd...\nJul 04 15:01:30 wazuh-elk env[50102]: Started wazuh-analysisd...\nJul 04 15:01:31 wazuh-elk env[50102]: Started wazuh-syscheckd...\nJul 04 15:01:32 wazuh-elk env[50102]: Started wazuh-remoted...\nJul 04 15:01:33 wazuh-elk env[50102]: Started wazuh-logcollector...\nJul 04 15:01:34 wazuh-elk env[50102]: Started wazuh-monitord...\nJul 04 15:01:35 wazuh-elk env[50102]: Started wazuh-modulesd...\nJul 04 15:01:37 wazuh-elk env[50102]: Completed.\nJul 04 15:01:37 wazuh-elk systemd[1]: Started wazuh-manager.service - Wazuh manager.\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"accessing-wazuh-app-on-kibana-web-interface\">Accessing Wazuh App on Kibana Web Interface<\/h3>\n\n\n\n<p>You can now access Kibana via the URL&nbsp;<code><strong>http:\/\/&lt;server-IP-or-hostname&gt;:5601<\/strong><\/code>.<\/p>\n\n\n\n<p>On the UI, click <strong>Explore on my own<\/strong> and under the Kibana menu section, you should be able to see the Wazuh App.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1870\" height=\"842\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app.png\" alt=\"Install Wazuh Manager with ELK on Debian 12\" class=\"wp-image-16444\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app.png?v=1683646799 1870w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app-768x346.png?v=1683646799 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app-1536x692.png?v=1683646799 1536w\" sizes=\"(max-width: 1870px) 100vw, 1870px\" \/><\/figure>\n\n\n\n<p>When you click on the app, you should see the following 
dashboard.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1868\" height=\"872\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-dashboard.png\" alt=\"Install Wazuh Manager with ELK on Debian 12\" class=\"wp-image-16445\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-dashboard.png?v=1683646836 1868w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-dashboard-768x359.png?v=1683646836 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-dashboard-1536x717.png?v=1683646836 1536w\" sizes=\"(max-width: 1868px) 100vw, 1868px\" \/><\/figure>\n\n\n\n<p>No agents are connected yet. However, there should already be some events collected from the Wazuh manager itself.<\/p>\n\n\n\n<p>For example, head over to <strong>Modules &gt; Security Events &gt; Dashboard<\/strong> or <strong>Events<\/strong>;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1876\" height=\"1854\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/wazuh-security-events.png\" alt=\"\" class=\"wp-image-17679\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/wazuh-security-events.png?v=1688534507 1876w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/wazuh-security-events-768x759.png?v=1688534507 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/wazuh-security-events-1536x1518.png?v=1688534507 1536w\" sizes=\"(max-width: 1876px) 100vw, 1876px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wazuh-agents\">Install Wazuh Agents<\/h3>\n\n\n\n<p>You can now go ahead and install Wazuh agents and start log collection from your endpoints.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/easy-way-to-install-wazuh-agents-on-ubuntu-debian\/\" target=\"_blank\" rel=\"noreferrer noopener\">Easy Way to Install Wazuh 
Agents on Ubuntu\/Debian<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wazuh-agent-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Wazuh Agent on Rocky Linux 8<\/a><\/p>\n\n\n\n<p>That marks the end of our tutorial on installing Wazuh manager with ELK on Debian 12.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-process-creation-events-on-windows-systems-using-wazuh-and-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Process Creation Events on Windows Systems using Wazuh and ELK stack<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elk-stack-8-x-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ELK Stack 8.x on Ubuntu<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-enable-basic-authentication-on-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Enable Basic Authentication on ELK Stack<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install Wazuh Manager with ELK on Debian 12. 
According to the documentation, Wazuh is a free and<\/p>\n","protected":false},"author":10,"featured_media":9589,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,910,121,34,1823],"tags":[6990,6991,6989,6992],"class_list":["post-17669","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-elastic-stack","category-howtos","category-security","category-wazuh","tag-debian-12-wazuh-manager","tag-elk-with-wazuh-debian-12","tag-install-wazuh-manager-debian-12","tag-wazuh-manager-installation-debain","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17669"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=17669"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17669\/revisions"}],"predecessor-version":[{"id":20828,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17669\/revisions\/20828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9589"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=17669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=17669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=17669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}