{"id":20274,"date":"2024-02-29T23:24:00","date_gmt":"2024-02-29T20:24:00","guid":{"rendered":"https:\/\/kifarunix.com\/?p=20274"},"modified":"2024-03-24T00:25:42","modified_gmt":"2024-03-23T21:25:42","slug":"install-wazuh-siem-server-on-ubuntu-24-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-wazuh-siem-server-on-ubuntu-24-04\/","title":{"rendered":"Install Wazuh SIEM Server on Ubuntu 24.04"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install Wazuh SIEM server on Ubuntu 24.04. The Wazuh platform offers XDR and SIEM functionalities aimed at safeguarding your cloud, container, and server workloads. These capabilities encompass the analysis of log data, detection of intrusions and malware, monitoring file integrity, assessing configurations, identifying vulnerabilities, and ensuring compliance with regulatory standards.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-wazuh-siem-server-on-ubuntu-24-04\">Installing Wazuh SIEM Server on Ubuntu 24.04<\/a><ul><li><a href=\"#wazuh-siem-capabilities\">Wazuh SIEM Capabilities<\/a><\/li><li><a href=\"#major-wazuh-siem-server-components\">Major Wazuh SIEM Server Components<\/a><\/li><li><a href=\"#wazuh-siem-system-hardware-requirements\">Wazuh SIEM System Hardware Requirements<\/a><\/li><li><a href=\"#install-wazuh-indexer-on-ubuntu-24-04\">Install Wazuh Indexer on Ubuntu 24.04<\/a><ul><li><a href=\"#install-wazuh-repository-on-ubuntu-24-04\">Install Wazuh Repository on Ubuntu 24.04<\/a><\/li><li><a href=\"#install-wazuh-indexer-on-ubuntu-24-04-1\">Install Wazuh Indexer on Ubuntu 24.04<\/a><\/li><li><a href=\"#generate-wazuh-ssl-tls-certificates\">Generate Wazuh SSL\/TLS Certificates<\/a><\/li><li><a href=\"#configure-wazuh-indexer-on-ubuntu-24-04\">Configure Wazuh Indexer on Ubuntu 24.04<\/a><\/li><li><a href=\"#start-and-initialize-wazuh-indexer-cluster\">Start and Initialize 
Wazuh Indexer Cluster<\/a><\/li><\/ul><\/li><li><a href=\"#install-wazuh-server-manager-on-ubuntu-24-04\">Install Wazuh Server\/Manager on Ubuntu 24.04<\/a><\/li><li><a href=\"#install-and-configure-filebeat-for-wazuh-manager\">Install and Configure Filebeat for Wazuh Manager<\/a><ul><li><a href=\"#install-filebeat\">Install Filebeat<\/a><\/li><li><a href=\"#configure-filebeat\">Configure Filebeat<\/a><\/li><\/ul><\/li><li><a href=\"#install-wazuh-dashboard-on-ubuntu-24-04\">Install Wazuh Dashboard on Ubuntu 24.04<\/a><\/li><li><a href=\"#accessing-wazuh-dashboard-web-interface\">Accessing Wazuh Dashboard Web Interface<\/a><\/li><\/ul><\/li><li><a href=\"#install-wazuh-agents-on-linux\">Install Wazuh Agents on Linux<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-wazuh-siem-server-on-ubuntu-24-04\">Installing Wazuh SIEM Server on Ubuntu 24.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"wazuh-siem-capabilities\">Wazuh SIEM Capabilities<\/h3>\n\n\n\n<p><em>Wazuh can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. 
Wazuh provides the following capabilities<\/em>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Security Analytics<\/em><\/li>\n\n\n\n<li><em>Intrusion Detection<\/em><\/li>\n\n\n\n<li><em>Log Data Analysis<\/em><\/li>\n\n\n\n<li><em>File Integrity Monitoring<\/em><\/li>\n\n\n\n<li><em>Vulnerability Detection<\/em><\/li>\n\n\n\n<li><em>Configuration Assessment<\/em><\/li>\n\n\n\n<li><em>Incident Response<\/em><\/li>\n\n\n\n<li><em>Regulatory Compliance<\/em><\/li>\n\n\n\n<li><em>Cloud Security Monitoring<\/em><\/li>\n\n\n\n<li><em>Containers Security<\/em><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"major-wazuh-siem-server-components\">Major Wazuh SIEM Server Components<\/h3>\n\n\n\n<p>Wazuh SIEM server is made up of the following components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Wazuh Indexer<\/strong>: This is a highly scalable, full-text search and analytics engine that indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. <strong>Wazuh indexer is an open source fork of OpenSearch<\/strong>. It can be installed on the same node as Wazuh server and dashboard or on an individual node if you are using a distributed setup.<\/li>\n\n\n\n<li><strong>Wazuh Server<\/strong>: The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when threats or anomalies are detected. It is also used to remotely manage the agents&#8217; configuration and monitor their status.<\/li>\n\n\n\n<li><strong>Wazuh Dashboard<\/strong>: It provides an intuitive web interface for mining, analyzing, and visualizing security data. It provides out-of-the-box dashboards, allowing you to seamlessly navigate through the user interface.<\/li>\n\n\n\n<li><strong>Wazuh agent<\/strong>: This is the agent installed and run on each endpoint that the user wants to monitor. 
It communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel for processing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"wazuh-siem-system-hardware-requirements\">Wazuh SIEM System Hardware Requirements<\/h3>\n\n\n\n<p>Each Wazuh SIEM server component requires various system hardware specs to function optimally.<\/p>\n\n\n\n<p>Below are the minimum and recommended hardware requirements for each component.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Wazuh Indexer:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Minimum: 4 GB RAM, 2 CPU cores<\/li>\n\n\n\n<li>Recommended: 16 GB RAM, 8 CPU cores<\/li>\n\n\n\n<li><a href=\"https:\/\/documentation.wazuh.com\/current\/installation-guide\/wazuh-indexer\/index.html#hardware-recommendations\" target=\"_blank\" rel=\"noreferrer noopener\">Disk<\/a>: disk space required varies with the number of generated alerts per second (APS).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Wazuh Server:\n<ul class=\"wp-block-list\">\n<li>Minimum: 2 GB RAM, 2 CPU cores<\/li>\n\n\n\n<li>Recommended: 4 GB RAM, 8 CPU cores<\/li>\n\n\n\n<li><a href=\"https:\/\/documentation.wazuh.com\/current\/installation-guide\/wazuh-server\/index.html#hardware-requirements\" target=\"_blank\" rel=\"noreferrer noopener\">Disk<\/a>: disk space required varies with the number of generated alerts per second (APS).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Wazuh Dashboard:\n<ul class=\"wp-block-list\">\n<li>Minimum: 4 GB RAM, 2 CPU cores<\/li>\n\n\n\n<li>Recommended: 8 GB RAM, 4 CPU cores<\/li>\n\n\n\n<li>Disk: disk space required varies with the number of generated alerts per second (APS).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>In this tutorial, we will be installing the major components of Wazuh on a single node. 
Hence, here are our system hardware specs.<\/p>\n\n\n\n<p>RAM: 16G<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>free -h<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>               total        used        free      shared  buff\/cache   available\nMem:            15Gi       3.9Gi        10Gi       1.2Mi       1.2Gi        11Gi\nSwap:          2.0Gi          0B       2.0Gi\n<\/code><\/pre>\n\n\n\n<p>CPU Cores:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nproc --all<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>8<\/code><\/pre>\n\n\n\n<p>Disk space;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>df -hT -P \/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Filesystem                        Type  Size  Used Avail Use% Mounted on\n\/dev\/mapper\/ubuntu--vg-ubuntu--lv ext4   98G  7.6G   86G   9% \/\n<\/code><\/pre>\n\n\n\n<p>Next, proceed to install Wazuh SIEM server. As already mentioned, we will install a single node deployment with Wazuh indexer, Wazuh server and Wazuh dashboard.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wazuh-indexer-on-ubuntu-24-04\">Install Wazuh Indexer on Ubuntu 24.04<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-repository-on-ubuntu-24-04\">Install Wazuh Repository on Ubuntu 24.04<\/h4>\n\n\n\n<p>To smoothly run the installation of Wazuh SIEM components on Ubuntu 24.04, you need to install the Wazuh repository.<\/p>\n\n\n\n<p>Thus, to begin with, install the Wazuh repository GPG signing key on Ubuntu 24.04.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo su -<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install gnupg apt-transport-https<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -s https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH | \\\ngpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/wazuh.gpg<\/code><\/pre>\n\n\n\n<p>Install the Wazuh 4.x repository;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb https:\/\/packages.wazuh.com\/4.x\/apt stable 
main\" &gt; \/etc\/apt\/sources.list.d\/wazuh.list<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-indexer-on-ubuntu-24-04-1\">Install Wazuh Indexer on Ubuntu 24.04<\/h4>\n\n\n\n<p>Update the package cache;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<p>Next, install the Wazuh indexer.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install wazuh-indexer<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-wazuh-ssl-tls-certificates\">Generate Wazuh SSL\/TLS Certificates<\/h4>\n\n\n\n<p>Generate SSL\/TLS certificates that will be used to encrypt communication between the Wazuh SIEM components.<\/p>\n\n\n\n<p>Wazuh provides some tools that can be used to generate the certificates.<\/p>\n\n\n\n<p>Replace the value of the <strong>VER<\/strong> below with the current major release version of Wazuh;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=4.7<\/code><\/pre>\n\n\n\n<p>Then, download the tools required to generate the certificates;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/packages.wazuh.com\/${VER}\/wazuh-certs-tool.sh<\/code><\/pre>\n\n\n\n<p>Download a configuration file that helps you to define the IP address and name of each Wazuh node.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/packages.wazuh.com\/${VER}\/config.yml<\/code><\/pre>\n\n\n\n<p>By default, this is what the configuration looks like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat config.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>nodes:\n  # Wazuh indexer nodes\n  indexer:\n    - name: node-1\n      ip: \"&lt;indexer-node-ip>\"\n    #- name: node-2\n    #  ip: \"&lt;indexer-node-ip>\"\n    #- name: node-3\n    #  ip: \"&lt;indexer-node-ip>\"\n\n  # Wazuh server nodes\n  # If there is more than one Wazuh server\n  # node, each one must have a node_type\n  server:\n    - name: wazuh-1\n      ip: \"&lt;wazuh-manager-ip>\"\n    #  node_type: master\n    #- name: 
wazuh-2\n    #  ip: \"&lt;wazuh-manager-ip>\"\n    #  node_type: worker\n    #- name: wazuh-3\n    #  ip: \"&lt;wazuh-manager-ip>\"\n    #  node_type: worker\n\n  # Wazuh dashboard nodes\n  dashboard:\n    - name: dashboard\n      ip: \"&lt;dashboard-node-ip>\"\n<\/code><\/pre>\n\n\n\n<p>You can edit the configuration file and replace the node names and IP addresses with your respective names and IP\/hostnames based on your architecture.<\/p>\n\n\n\n<p>Since we are running a single node cluster of Wazuh SIEM server, this is how our final <strong>config.yml<\/strong> looks;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat config.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>nodes:\n  # Wazuh indexer nodes\n  indexer:\n    - name: indexer\n      ip: \"192.168.122.149\"\n  # Wazuh server nodes\n  server:\n    - name: wazuh\n      ip: \"192.168.122.149\"\n\n  # Wazuh dashboard nodes\n  dashboard:\n    - name: dash\n      ip: \"192.168.122.149\"\n<\/code><\/pre>\n\n\n\n<p>Save the updated configuration file and generate the SSL\/TLS certificates for Wazuh components using the <strong>wazuh-certs-tool.sh<\/strong> script. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bash .\/wazuh-certs-tool.sh -A<\/code><\/pre>\n\n\n\n<p>Option <strong>-A<\/strong> or <strong>--all<\/strong> generates all the certificates.<\/p>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>29\/02\/2024 17:06:03 INFO: Admin certificates created.\n29\/02\/2024 17:06:03 INFO: Wazuh indexer certificates created.\n29\/02\/2024 17:06:04 INFO: Wazuh server certificates created.\n29\/02\/2024 17:06:04 INFO: Wazuh dashboard certificates created.\n<\/code><\/pre>\n\n\n\n<p>You can see other options using;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bash wazuh-certs-tool.sh --help<\/code><\/pre>\n\n\n\n<p>The generated certs are placed under the wazuh-certificates directory created in the current working directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 wazuh-certificates<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>admin-key.pem\nadmin.pem\ndash-key.pem\ndash.pem\nindexer-key.pem\nindexer.pem\nroot-ca.key\nroot-ca.pem\nwazuh-key.pem\nwazuh.pem\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-wazuh-indexer-on-ubuntu-24-04\">Configure Wazuh Indexer on Ubuntu 24.04<\/h4>\n\n\n\n<p>Since we are running a single node Wazuh, there are only a few things we will update on the Wazuh indexer configuration.<\/p>\n\n\n\n<p>The default Wazuh indexer configuration is <strong><code>\/etc\/wazuh-indexer\/opensearch.yml<\/code><\/strong>.<\/p>\n\n\n\n<p>This is what it looks like by default;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/wazuh-indexer\/opensearch.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>network.host: \"0.0.0.0\"\nnode.name: \"node-1\"\ncluster.initial_master_nodes:\n- \"node-1\"\n#- \"node-2\"\n#- \"node-3\"\ncluster.name: \"wazuh-cluster\"\n#discovery.seed_hosts:\n#  - \"node-1-ip\"\n#  - \"node-2-ip\"\n#  - \"node-3-ip\"\nnode.max_local_storage_nodes: \"3\"\npath.data: \/var\/lib\/wazuh-indexer\npath.logs: 
\/var\/log\/wazuh-indexer\n\nplugins.security.ssl.http.pemcert_filepath: \/etc\/wazuh-indexer\/certs\/indexer.pem\nplugins.security.ssl.http.pemkey_filepath: \/etc\/wazuh-indexer\/certs\/indexer-key.pem\nplugins.security.ssl.http.pemtrustedcas_filepath: \/etc\/wazuh-indexer\/certs\/root-ca.pem\nplugins.security.ssl.transport.pemcert_filepath: \/etc\/wazuh-indexer\/certs\/indexer.pem\nplugins.security.ssl.transport.pemkey_filepath: \/etc\/wazuh-indexer\/certs\/indexer-key.pem\nplugins.security.ssl.transport.pemtrustedcas_filepath: \/etc\/wazuh-indexer\/certs\/root-ca.pem\nplugins.security.ssl.http.enabled: true\nplugins.security.ssl.transport.enforce_hostname_verification: false\nplugins.security.ssl.transport.resolve_hostname: false\n\nplugins.security.authcz.admin_dn:\n- \"CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US\"\nplugins.security.check_snapshot_restore_write_privileges: true\nplugins.security.enable_snapshot_restore_privilege: true\nplugins.security.nodes_dn:\n- \"CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US\"\n#- \"CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US\"\n#- \"CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US\"\nplugins.security.restapi.roles_enabled:\n- \"all_access\"\n- \"security_rest_api_access\"\n\nplugins.security.system_indices.enabled: true\nplugins.security.system_indices.indices: [\".plugins-ml-model\", \".plugins-ml-task\", \".opendistro-alerting-config\", \".opendistro-alerting-alert*\", \".opendistro-anomaly-results*\", \".opendistro-anomaly-detector*\", \".opendistro-anomaly-checkpoints\", \".opendistro-anomaly-detection-state\", \".opendistro-reports-*\", \".opensearch-notifications-*\", \".opensearch-notebooks\", \".opensearch-observability\", \".opendistro-asynchronous-search-response*\", \".replication-metadata-store\"]\n\n### Option to allow Filebeat-oss 7.10.2 to work ###\ncompatibility.override_main_response_version: true\n<\/code><\/pre>\n\n\n\n<p>As already mentioned, for a single node, there are only a few changes we will make 
here:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>network.host<\/strong>: We will leave the default setting, which allows the Wazuh indexer to listen on all interfaces for both HTTP and Transport (if we had a cluster) connections.<\/li>\n\n\n\n<li><strong>node.name<\/strong>: Set to the name of the indexer as defined in the <strong>config.yml<\/strong> used in generating the SSL\/TLS certs.<\/li>\n\n\n\n<li><strong>cluster.initial_master_nodes<\/strong>: Used during the initial setup of a cluster to identify the master-eligible nodes. It is more relevant when running a multi-node cluster. The value of this setting&nbsp;must exactly match the&nbsp;<strong>node.name<\/strong> value(s) based on your cluster architecture.<\/li>\n\n\n\n<li><strong>cluster.name<\/strong>: Defines the cluster name. You can leave the default or define your own.<\/li>\n\n\n\n<li><strong>plugins.security.nodes_dn<\/strong>: This setting is used to specify the Distinguished Names (DN) of the nodes that are allowed to join the cluster. 
You can obtain the value from the node certificate using the openssl command shown below.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl x509 -noout -subject -in wazuh-certificates\/indexer.pem<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = indexer<\/code><\/pre>\n\n\n\n<p>This is how our updated Wazuh indexer configuration looks. Note that <strong>plugins.security.nodes_dn<\/strong> lists the DN components in the reverse order of the openssl output above, starting with the CN;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/wazuh-indexer\/opensearch.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code><strong>network.host: \"0.0.0.0\"\nnode.name: \"indexer\"\ncluster.initial_master_nodes:\n- \"indexer\"\ncluster.name: \"wazuh-cluster\"<\/strong>\nnode.max_local_storage_nodes: \"3\"\npath.data: \/var\/lib\/wazuh-indexer\npath.logs: \/var\/log\/wazuh-indexer\n\nplugins.security.ssl.http.pemcert_filepath: \/etc\/wazuh-indexer\/certs\/indexer.pem\nplugins.security.ssl.http.pemkey_filepath: \/etc\/wazuh-indexer\/certs\/indexer-key.pem\nplugins.security.ssl.http.pemtrustedcas_filepath: \/etc\/wazuh-indexer\/certs\/root-ca.pem\nplugins.security.ssl.transport.pemcert_filepath: \/etc\/wazuh-indexer\/certs\/indexer.pem\nplugins.security.ssl.transport.pemkey_filepath: \/etc\/wazuh-indexer\/certs\/indexer-key.pem\nplugins.security.ssl.transport.pemtrustedcas_filepath: \/etc\/wazuh-indexer\/certs\/root-ca.pem\nplugins.security.ssl.http.enabled: true\nplugins.security.ssl.transport.enforce_hostname_verification: false\nplugins.security.ssl.transport.resolve_hostname: false\n\nplugins.security.authcz.admin_dn:\n- \"CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US\"\nplugins.security.check_snapshot_restore_write_privileges: true\nplugins.security.enable_snapshot_restore_privilege: true\n<strong>plugins.security.nodes_dn:\n- \"CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US\"<\/strong>\nplugins.security.restapi.roles_enabled:\n- \"all_access\"\n- 
\"security_rest_api_access\"\n\nplugins.security.system_indices.enabled: true\nplugins.security.system_indices.indices: [\".plugins-ml-model\", \".plugins-ml-task\", \".opendistro-alerting-config\", \".opendistro-alerting-alert*\", \".opendistro-anomaly-results*\", \".opendistro-anomaly-detector*\", \".opendistro-anomaly-checkpoints\", \".opendistro-anomaly-detection-state\", \".opendistro-reports-*\", \".opensearch-notifications-*\", \".opensearch-notebooks\", \".opensearch-observability\", \".opendistro-asynchronous-search-response*\", \".replication-metadata-store\"]\n\ncompatibility.override_main_response_version: true\n<\/code><\/pre>\n\n\n\n<p>Next, copy the generated SSL\/TLS certs for <strong>Wazuh indexer<\/strong> as well as the <strong>Admin certs\/key<\/strong> to certs directory as defined in the <strong>\/etc\/wazuh-indexer\/opensearch.yml<\/strong> configuration file.<\/p>\n\n\n\n<p>See;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>plugins.security.ssl.http.pemcert_filepath: \/etc\/wazuh-indexer\/certs\/indexer.pem\nplugins.security.ssl.http.pemkey_filepath: \/etc\/wazuh-indexer\/certs\/indexer-key.pem\nplugins.security.ssl.http.pemtrustedcas_filepath: \/etc\/wazuh-indexer\/certs\/root-ca.pem\nplugins.security.ssl.transport.pemcert_filepath: \/etc\/wazuh-indexer\/certs\/indexer.pem\nplugins.security.ssl.transport.pemkey_filepath: \/etc\/wazuh-indexer\/certs\/indexer-key.pem\nplugins.security.ssl.transport.pemtrustedcas_filepath: \/etc\/wazuh-indexer\/certs\/root-ca.pem\n<\/code><\/pre>\n\n\n\n<p>Thus, create the directory and copy certs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/etc\/wazuh-indexer\/certs\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp wazuh-certificates\/{root-ca.pem,indexer.pem,indexer-key.pem,admin.pem,admin-key.pem} \/etc\/wazuh-indexer\/certs\/<\/code><\/pre>\n\n\n\n<p>Should now look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/etc\/wazuh-indexer\/certs\/*<\/code><\/pre>\n\n\n\n<pre 
class=\"scroll-box\"><code>\/etc\/wazuh-indexer\/certs\/admin-key.pem\n\/etc\/wazuh-indexer\/certs\/admin.pem\n\/etc\/wazuh-indexer\/certs\/indexer-key.pem\n\/etc\/wazuh-indexer\/certs\/indexer.pem\n\/etc\/wazuh-indexer\/certs\/root-ca.pem\n<\/code><\/pre>\n\n\n\n<p>Update the permissions and set the ownership of the SSL\/TLS certs to wazuh-indexer;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 500 \/etc\/wazuh-indexer\/certs<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 400 \/etc\/wazuh-indexer\/certs\/*<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R wazuh-indexer: \/etc\/wazuh-indexer\/certs<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"start-and-initialize-wazuh-indexer-cluster\">Start and Initialize Wazuh Indexer Cluster<\/h4>\n\n\n\n<p>You can now start and enable Wazuh indexer to run on system boot. Ensure there is no service listening in port 9200\/tcp.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now wazuh-indexer<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status wazuh-indexer<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf wazuh-indexer.service - Wazuh-indexer\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/wazuh-indexer.service; enabled; preset: enabled)\n     Active: active (running) since Thu 2024-02-29 17:45:06 UTC; 25s ago\n       Docs: https:\/\/documentation.wazuh.com\n   Main PID: 5400 (java)\n      Tasks: 90 (limit: 18952)\n     Memory: 1.3G (peak: 1.3G)\n        CPU: 23.804s\n     CGroup: \/system.slice\/wazuh-indexer.service\n             \u2514\u25005400 \/usr\/share\/wazuh-indexer\/jdk\/bin\/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+Alway>\n\nFeb 29 17:44:59 elk.kifarunix-demo.com systemd[1]: Starting wazuh-indexer.service - Wazuh-indexer...\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: A terminally deprecated method in 
java.lang.System has been called\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:\/usr\/share>\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager will be removed in a future release\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: A terminally deprecated method in java.lang.System has been called\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:\/usr\/share\/w>\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security\nFeb 29 17:45:00 elk.kifarunix-demo.com systemd-entrypoint[5400]: WARNING: System::setSecurityManager will be removed in a future release\nFeb 29 17:45:06 elk.kifarunix-demo.com systemd[1]: Started wazuh-indexer.service - Wazuh-indexer.\n<\/code><\/pre>\n\n\n\n<p>Next, execute the &#8220;<strong>\/usr\/share\/wazuh-indexer\/bin\/indexer-security-init.sh<\/strong>&#8221; script on a Wazuh indexer node to apply the updated certificate information and start the single-node cluster.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/wazuh-indexer\/bin\/indexer-security-init.sh<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>**************************************************************************\n** This tool will be deprecated in the next major release of OpenSearch **\n** https:\/\/github.com\/opensearch-project\/security\/issues\/1755           **\n**************************************************************************\nSecurity Admin v7\nWill connect to 127.0.0.1:9200 
... done\nConnected as \"CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US\"\nOpenSearch Version: 2.8.0\nContacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...\nClustername: wazuh-cluster\nClusterstate: GREEN\nNumber of nodes: 1\nNumber of data nodes: 1\n.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)\nPopulate config from \/etc\/wazuh-indexer\/opensearch-security\/\nWill update '\/config' with \/etc\/wazuh-indexer\/opensearch-security\/config.yml \n   SUCC: Configuration for 'config' created or updated\nWill update '\/roles' with \/etc\/wazuh-indexer\/opensearch-security\/roles.yml \n   SUCC: Configuration for 'roles' created or updated\nWill update '\/rolesmapping' with \/etc\/wazuh-indexer\/opensearch-security\/roles_mapping.yml \n   SUCC: Configuration for 'rolesmapping' created or updated\nWill update '\/internalusers' with \/etc\/wazuh-indexer\/opensearch-security\/internal_users.yml \n   SUCC: Configuration for 'internalusers' created or updated\nWill update '\/actiongroups' with \/etc\/wazuh-indexer\/opensearch-security\/action_groups.yml \n   SUCC: Configuration for 'actiongroups' created or updated\nWill update '\/tenants' with \/etc\/wazuh-indexer\/opensearch-security\/tenants.yml \n   SUCC: Configuration for 'tenants' created or updated\nWill update '\/nodesdn' with \/etc\/wazuh-indexer\/opensearch-security\/nodes_dn.yml \n   SUCC: Configuration for 'nodesdn' created or updated\nWill update '\/whitelist' with \/etc\/wazuh-indexer\/opensearch-security\/whitelist.yml \n   SUCC: Configuration for 'whitelist' created or updated\nWill update '\/audit' with \/etc\/wazuh-indexer\/opensearch-security\/audit.yml \n   SUCC: Configuration for 'audit' created or updated\nWill update '\/allowlist' with \/etc\/wazuh-indexer\/opensearch-security\/allowlist.yml \n   SUCC: Configuration for 'allowlist' created or updated\nSUCC: Expected 10 config types for node 
{\"updated_config_types\":[\"allowlist\",\"tenants\",\"rolesmapping\",\"nodesdn\",\"audit\",\"roles\",\"whitelist\",\"internalusers\",\"actiongroups\",\"config\"],\"updated_config_size\":10,\"message\":null} is 10 ([\"allowlist\",\"tenants\",\"rolesmapping\",\"nodesdn\",\"audit\",\"roles\",\"whitelist\",\"internalusers\",\"actiongroups\",\"config\"]) due to: null\nDone with success\n<\/code><\/pre>\n\n\n\n<p>The Wazuh indexer (OpenSearch) should now be running. Confirm the ports;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -atlnp | grep -E \"92|93\"<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>LISTEN 0      4096               *:9200             *:*    users:((\"java\",pid=5400,fd=565))\nLISTEN 0      4096               *:9300             *:*    users:((\"java\",pid=5400,fd=563))\n<\/code><\/pre>\n\n\n\n<p>Or;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -k -XGET https:\/\/localhost:9200 -u admin<\/code><\/pre>\n\n\n\n<p>When prompted for the password, the default is <strong>admin<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Enter host password for user 'admin':\n{\n  \"name\" : \"indexer\",\n  \"cluster_name\" : \"wazuh-cluster\",\n  \"cluster_uuid\" : \"m5qZ7M3xRdaJ-t9X5AlL0Q\",\n  \"version\" : {\n    \"number\" : \"7.10.2\",\n    \"build_type\" : \"rpm\",\n    \"build_hash\" : \"db90a415ff2fd428b4f7b3f800a51dc229287cb4\",\n    \"build_date\" : \"2023-06-03T06:24:25.112415503Z\",\n    \"build_snapshot\" : false,\n    \"lucene_version\" : \"9.6.0\",\n    \"minimum_wire_compatibility_version\" : \"7.10.0\",\n    \"minimum_index_compatibility_version\" : \"7.0.0\"\n  },\n  \"tagline\" : \"The OpenSearch Project: https:\/\/opensearch.org\/\"\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wazuh-server-manager-on-ubuntu-24-04\">Install Wazuh Server\/Manager on Ubuntu 24.04<\/h3>\n\n\n\n<p>Since you already have the Wazuh repository installed, simply execute the command below to install Wazuh server on Ubuntu 
24.04.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install wazuh-manager<\/code><\/pre>\n\n\n\n<p>Once the installation is complete, you can start and enable Wazuh-manager to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now wazuh-manager<\/code><\/pre>\n\n\n\n<p>Open the Wazuh manager port on the firewall. By default, Wazuh agents communicate with the Wazuh manager via TCP port 1514.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -alnptu | grep -i wazuh<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>tcp   LISTEN 0      128                   0.0.0.0:1514       0.0.0.0:*    users:((\"wazuh-remoted\",pid=49410,fd=4))               \ntcp   LISTEN 0      128                   0.0.0.0:1515       0.0.0.0:*    users:((\"wazuh-authd\",pid=49236,fd=3))\n<\/code><\/pre>\n\n\n\n<p>Thus, open port 1514\/tcp on Wazuh manager.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p tcp --dport 1514 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 1514\/tcp<\/code><\/pre>\n\n\n\n<p>Also, allow port 1515\/tcp for agent registration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p tcp --dport 1515 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 1515\/tcp<\/code><\/pre>\n\n\n\n<p>Read more on <a href=\"https:\/\/documentation.wazuh.com\/current\/getting-started\/architecture.html#required-ports\" target=\"_blank\" rel=\"noreferrer noopener\">required ports<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-configure-filebeat-for-wazuh-manager\">Install and Configure Filebeat for Wazuh Manager<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-filebeat\">Install Filebeat<\/h4>\n\n\n\n<p>Filebeat is required to ship logs and event data to the Wazuh indexer, where they are indexed and stored for efficient searching and analysis.<\/p>\n\n\n\n<p>As of this writing, Wazuh indexer 
v4.7.2 is <a href=\"https:\/\/documentation.wazuh.com\/current\/upgrade-guide\/compatibility-matrix\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">compatible<\/a> with Filebeat-OSS 7.10.2, which is provided by the Wazuh repository.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-cache policy filebeat<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>filebeat:\n  Installed: (none)\n  Candidate: 7.10.2\n  Version table:\n     7.10.2 500\n        500 https:\/\/packages.wazuh.com\/4.x\/apt stable\/main amd64 Packages\n     7.10.0 500\n        500 https:\/\/packages.wazuh.com\/4.x\/apt stable\/main amd64 Packages\n     7.9.1 500\n        500 https:\/\/packages.wazuh.com\/4.x\/apt stable\/main amd64 Packages\n<\/code><\/pre>\n\n\n\n<p>Thus, install Filebeat using the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install filebeat<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-filebeat\">Configure Filebeat<\/h4>\n\n\n\n<p>Once the installation is done, make a backup of the default configuration file<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv \/etc\/filebeat\/filebeat.yml{,.stock}<\/code><\/pre>\n\n\n\n<p>Run the command below to create new Filebeat configuration file with the following configs.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/filebeat\/filebeat.yml &lt;&lt; 'EOL'\noutput.elasticsearch:\n  hosts: [\"192.168.122.149:9200\"]\n  protocol: https\n  username: admin\n  password: admin\n  ssl.certificate_authorities: \"\/etc\/filebeat\/certs\/root-ca.pem\"\n  ssl.certificate: \"\/etc\/filebeat\/certs\/filebeat.pem\"\n  ssl.key: \"\/etc\/filebeat\/certs\/filebeat-key.pem\"\nsetup.template.json.enabled: true\nsetup.template.json.path: '\/etc\/filebeat\/wazuh-template.json'\nsetup.template.json.name: 'wazuh'\nsetup.ilm.overwrite: true\nsetup.ilm.enabled: false\n\nfilebeat.modules:\n  - module: wazuh\n    alerts:\n      enabled: true\n    archives:\n      enabled: false\nlogging.level: 
info\nlogging.to_files: true\nlogging.files:\n  path: \/var\/log\/filebeat\n  name: filebeat\n  keepfiles: 7\n  permissions: 0644\nlogging.metrics.enabled: false\n\nseccomp:\n  default_action: allow\n  syscalls:\n  - action: allow\n    names:\n    - rseq\nEOL\n<\/code><\/pre>\n\n\n\n<p>Note that the IP address used in the hosts setting should match the one defined while generating the SSL certs.<\/p>\n\n\n\n<p>If you want, you can use the Filebeat keystore to store the credentials in variables rather than in plain text as in the above configuration.<\/p>\n\n\n\n<p>To store credentials in the keystore, create the keystore;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat keystore create<\/code><\/pre>\n\n\n\n<p>Then store the username and password in the keystore as variables;<\/p>\n\n\n\n<p>Both commands will prompt you to type the value of each variable.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat keystore add USERNAME<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat keystore add PASS<\/code><\/pre>\n\n\n\n<p>You can then update the credentials in <strong>filebeat.yml<\/strong> by changing;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>  username: admin\n  password: admin\n<\/code><\/pre>\n\n\n\n<p>to;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>  username: ${USERNAME}\n  password: ${PASS}\n<\/code><\/pre>\n\n\n\n<p>Next, install the root CA and Wazuh server certificates generated earlier for use by Filebeat;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/etc\/filebeat\/certs\/<\/code><\/pre>\n\n\n\n<p>Copy the Wazuh server node certificates (<em>cert files are named as per the Wazuh node name provided in certs config.yml<\/em>) and rename them as defined in the filebeat.yml;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp wazuh-certificates\/root-ca.pem \/etc\/filebeat\/certs\/root-ca.pem<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp wazuh-certificates\/wazuh.pem \/etc\/filebeat\/certs\/filebeat.pem<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-code\"><code>cp wazuh-certificates\/wazuh-key.pem \/etc\/filebeat\/certs\/filebeat-key.pem<\/code><\/pre>\n\n\n\n<p>Install the Filebeat Wazuh module:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO- https:\/\/packages.wazuh.com\/4.x\/filebeat\/wazuh-filebeat-0.3.tar.gz \\\n| tar -xz -C \/usr\/share\/filebeat\/module\/<\/code><\/pre>\n\n\n\n<p>Download and install the Wazuh alerts template for the Wazuh indexer from the current release branch of the <a href=\"https:\/\/github.com\/wazuh\/wazuh\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repo<\/a> (<em>v4.7.2 as of this writing<\/em>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -O \/etc\/filebeat\/wazuh-template.json \\\nhttps:&#47;&#47;raw.githubusercontent.com\/wazuh\/wazuh\/v4.7.2\/extensions\/elasticsearch\/7.x\/wazuh-template.json<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod go+r \/etc\/filebeat\/wazuh-template.json<\/code><\/pre>\n\n\n\n<p>Test the Filebeat config;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat test config<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Config OK<\/code><\/pre>\n\n\n\n<p>Test the Filebeat Elasticsearch output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat test output<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>elasticsearch: https:\/\/192.168.122.149:9200...\n  parse url... OK\n  connection...\n    parse host... OK\n    dns lookup... OK\n    addresses: 192.168.122.149\n    dial up... OK\n  TLS...\n    security: server's certificate chain verification is enabled\n    handshake... OK\n    TLS version: TLSv1.3\n    dial up... OK\n  talk to server... 
OK\n  version: 7.10.2\n<\/code><\/pre>\n\n\n\n<p>Start and enable Filebeat to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now filebeat<\/code><\/pre>\n\n\n\n<p>Check status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status filebeat<\/code><\/pre>\n\n\n\n<p>Everything is now set for the single node Wazuh SIEM server cluster.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wazuh-dashboard-on-ubuntu-24-04\">Install Wazuh Dashboard on Ubuntu 24.04<\/h3>\n\n\n\n<p>Since you already have Wazuh repository installed, just execute the command below to install Wazuh dashboard.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install wazuh-dashboard<\/code><\/pre>\n\n\n\n<p>Configure Wazuh dashboard to allow external access and to connect it to Wazuh indexer.<\/p>\n\n\n\n<p>The default configuration file for Wazuh dashboard is <strong><code>\/etc\/wazuh-dashboard\/opensearch_dashboards.yml<\/code><\/strong>.<\/p>\n\n\n\n<p>We will only update the Wazuh indexer address;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/wazuh-dashboard\/opensearch_dashboards.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>server.host: 0.0.0.0\nserver.port: 443\n<strong>opensearch.hosts: https:\/\/192.168.122.149:9200<\/strong>\nopensearch.ssl.verificationMode: certificate\n#opensearch.username:\n#opensearch.password:\nopensearch.requestHeadersAllowlist: [\"securitytenant\",\"Authorization\"]\nopensearch_security.multitenancy.enabled: false\nopensearch_security.readonly_mode.roles: [\"kibana_read_only\"]\nserver.ssl.enabled: true\nserver.ssl.key: \"\/etc\/wazuh-dashboard\/certs\/dashboard-key.pem\"\nserver.ssl.certificate: \"\/etc\/wazuh-dashboard\/certs\/dashboard.pem\"\nopensearch.ssl.certificateAuthorities: [\"\/etc\/wazuh-dashboard\/certs\/root-ca.pem\"]\nuiSettings.overrides.defaultRoute: \/app\/wazuh\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Install the Wazuh dashboard 
certificates.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/etc\/wazuh-dashboard\/certs\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp wazuh-certificates\/dash.pem \/etc\/wazuh-dashboard\/certs\/dashboard.pem<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp wazuh-certificates\/dash-key.pem \/etc\/wazuh-dashboard\/certs\/dashboard-key.pem<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp wazuh-certificates\/root-ca.pem \/etc\/wazuh-dashboard\/certs\/<\/code><\/pre>\n\n\n\n<p>Update the permissions and set the ownership of the SSL\/TLS certs to wazuh-dashboard;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 500 \/etc\/wazuh-dashboard\/certs<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 400 \/etc\/wazuh-dashboard\/certs\/*<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R wazuh-dashboard: \/etc\/wazuh-dashboard\/certs<\/code><\/pre>\n\n\n\n<p>Start and enable Wazuh dashboard to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now wazuh-dashboard<\/code><\/pre>\n\n\n\n<p>Check the status of the service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status wazuh-dashboard<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf wazuh-dashboard.service - wazuh-dashboard\n     Loaded: loaded (\/etc\/systemd\/system\/wazuh-dashboard.service; enabled; preset: enabled)\n     Active: active (running) since Thu 2024-02-29 19:48:44 UTC; 3s ago\n   Main PID: 52149 (node)\n      Tasks: 11 (limit: 18952)\n     Memory: 231.0M (peak: 237.4M)\n        CPU: 3.867s\n     CGroup: \/system.slice\/wazuh-dashboard.service\n             \u2514\u250052149 \/usr\/share\/wazuh-dashboard\/node\/bin\/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn \/usr\/share\/wazuh-dashboard\/src\/cli\/dist>\n\nFeb 29 19:48:46 elk.kifarunix-demo.com opensearch-dashboards[52149]: 
{\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:46Z\",\"tags\":[\"info\",\"savedobjects-service\"],\"pid\":52149,\"m>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"info\",\"savedobjects-service\"],\"pid\":52149,\"m>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"info\",\"savedobjects-service\"],\"pid\":52149,\"m>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"info\",\"savedobjects-service\"],\"pid\":52149,\"m>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"info\",\"savedobjects-service\"],\"pid\":52149,\"m>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"info\",\"plugins-system\"],\"pid\":52149,\"message>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"listening\",\"info\"],\"pid\":52149,\"message\":\"Se>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"info\",\"http\",\"server\",\"OpenSearchDashboards\">\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"error\",\"opensearch\",\"data\"],\"pid\":52149,\"mes>\nFeb 29 19:48:47 elk.kifarunix-demo.com opensearch-dashboards[52149]: {\"type\":\"log\",\"@timestamp\":\"2024-02-29T19:48:47Z\",\"tags\":[\"error\",\"opensearch\",\"data\"],\"pid\":52149,...\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"accessing-wazuh-dashboard-web-interface\">Accessing Wazuh Dashboard Web 
Interface<\/h3>\n\n\n\n<p>Open the Wazuh dashboard port on the firewall;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 443\/tcp<\/code><\/pre>\n\n\n\n<p>You can now access Wazuh dashboard via the url&nbsp;<code><strong>https:\/\/&lt;server-IP-or-hostname&gt;<\/strong><\/code>.<\/p>\n\n\n\n<p>Accept the self-signed SSL cert warning and proceed to Wazuh dashboard.<\/p>\n\n\n\n<p>The default credentials are <strong>admin\/admin<\/strong> for user and password.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/Wazuh-siem-dashaboard.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20285&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1609,&quot;targetHeight&quot;:814,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image: Install Wazuh SIEM Server on Ubuntu 24.04&quot;,&quot;alt&quot;:&quot;Install Wazuh SIEM Server on Ubuntu 24.04&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1609\" height=\"814\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/Wazuh-siem-dashaboard.png?v=1709236381\" alt=\"Install Wazuh SIEM Server on Ubuntu 24.04\" class=\"wp-image-20285\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/Wazuh-siem-dashaboard.png?v=1709236381 1609w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/Wazuh-siem-dashaboard-768x389.png?v=1709236381 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/Wazuh-siem-dashaboard-1536x777.png?v=1709236381 1536w\" sizes=\"(max-width: 1609px) 100vw, 
1609px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image: Install Wazuh SIEM Server on Ubuntu 24.04\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>You land on Wazuh agents dashboard.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/wazuh-agents-dashboard.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20286&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1598,&quot;targetHeight&quot;:845,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1598\" height=\"845\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-agents-dashboard.png?v=1709236575\" alt=\"\" class=\"wp-image-20286\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-agents-dashboard.png?v=1709236575 1598w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-agents-dashboard-768x406.png?v=1709236575 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-agents-dashboard-1536x812.png?v=1709236575 1536w\" sizes=\"(max-width: 1598px) 100vw, 1598px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>No agents are connected by default. 
However, there should be some default events already collected from the Wazuh manager.<\/p>\n\n\n\n<p>For example, head over to <strong>Modules &gt; Security information management &gt; Security Events<\/strong> &gt; <strong>Dashboard or Events<\/strong>;<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/wazuh-security-events-dashboard.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20288&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1612,&quot;targetHeight&quot;:851,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1612\" height=\"851\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-security-events-dashboard.png?v=1709237358\" alt=\"\" class=\"wp-image-20288\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-security-events-dashboard.png?v=1709237358 1612w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-security-events-dashboard-768x405.png?v=1709237358 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-security-events-dashboard-1536x811.png?v=1709237358 1536w\" sizes=\"(max-width: 1612px) 100vw, 1612px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge 
image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/wazuh-siem-security-events.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20289&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1612,&quot;targetHeight&quot;:836,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1612\" height=\"836\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-siem-security-events.png?v=1709237376\" alt=\"\" class=\"wp-image-20289\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-siem-security-events.png?v=1709237376 1612w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-siem-security-events-768x398.png?v=1709237376 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/wazuh-siem-security-events-1536x797.png?v=1709237376 1536w\" sizes=\"(max-width: 1612px) 100vw, 1612px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>And that is it! You have successfully set up the Wazuh SIEM server, integrated with Wazuh indexer and Wazuh dashboard.<\/p>\n\n\n\n<p>That closes our guide on installing Wazuh SIEM server on Ubuntu 24.04.<\/p>\n\n\n\n<p>You can now go ahead and install Wazuh agents and start log collection from your endpoints.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-wazuh-agents-on-linux\">Install Wazuh Agents on Linux<\/h2>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/easy-way-to-install-wazuh-agents-on-ubuntu-debian\/\" target=\"_blank\" rel=\"noreferrer noopener\">Easy Way to Install Wazuh Agents on Ubuntu\/Debian<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install Wazuh SIEM server on Ubuntu 24.04. 
The Wazuh platform offers XDR and SIEM functionalities aimed at<\/p>\n","protected":false},"author":10,"featured_media":20285,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72,1823],"tags":[7423,7424,7425,1829],"class_list":["post-20274","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","category-wazuh","tag-install-wazuh-on-ubuntu-24-04","tag-install-wazuh-siem-on-ubuntu-24-04","tag-wazuh-indexer","tag-wazuh-manager","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20274"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=20274"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20274\/revisions"}],"predecessor-version":[{"id":21998,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20274\/revisions\/21998"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/20285"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=20274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=20274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=20274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}