{"id":6443,"date":"2020-07-19T13:27:27","date_gmt":"2020-07-19T10:27:27","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6443"},"modified":"2024-03-14T22:07:27","modified_gmt":"2024-03-14T19:07:27","slug":"install-and-setup-wazuh-server-in-centos-8-fedora-32","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-wazuh-server-in-centos-8-fedora-32\/","title":{"rendered":"Install and Setup Wazuh Server in CentOS 8\/Fedora 32"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and set up Wazuh server in CentOS 8\/Fedora 32. <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/wazuh.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Wazuh<\/a> is an open-source tool for visibility, security detection, and compliance. It is a fork of OSSEC HIDS with additional integration with ELK stack and OpenSCAP. The Wazuh stack consists of the Wazuh server (manager), the ELK stack, and the Wazuh agents as shown in the image below. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"802\" height=\"337\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/wazuh_arch.png\" alt=\"\" class=\"wp-image-9585\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/wazuh_arch.png 802w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/wazuh_arch-768x323.png 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/wazuh_arch-150x63.png 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/wazuh_arch-300x126.png 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/wazuh_arch-696x292.png 696w\" sizes=\"(max-width: 802px) 100vw, 802px\" \/><\/figure><\/div>\n\n\n<p>As of this writing, the latest stable version of Wazuh is v4.4.1.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a 
href=\"#install-wazuh-server-on-cent-os-8-fedora-32\">Install Wazuh Server on CentOS 8\/Fedora 32<\/a><ul><li><a href=\"#deployment-architecture\">Deployment Architecture<\/a><\/li><li><a href=\"#system-requirements\">System Requirements<\/a><\/li><li><a href=\"#install-wazuh-server-on-cent-os-8-fedora-32-1\">Install Wazuh Server on CentOS 8\/Fedora 32<\/a><ul><li><a href=\"#add-wazuh-to-repository\">Add Wazuh to repository<\/a><\/li><li><a href=\"#install-wazuh-server-on-cent-os-8-fedora-32-2\">Install Wazuh  Server on CentOS 8\/Fedora 32<\/a><\/li><\/ul><\/li><li><a href=\"#install-elastic-stack-on-cent-os-8-fedora-32\">Install Elastic Stack on CentOS 8\/Fedora 32<\/a><ul><li><a href=\"#create-elastic-repository\">Create Elastic Repository<\/a><\/li><li><a href=\"#install-elasticsearch-kibana-and-filebeat\">Install Elasticsearch, Kibana and Filebeat<\/a><\/li><li><a href=\"#configuring-elasticsearch\">Configuring Elasticsearch<\/a><\/li><li><a href=\"#configure-filebeat\">Configure Filebeat<\/a><\/li><li><a href=\"#configure-kibana\">Configure Kibana<\/a><\/li><li><a href=\"#open-ports-on-firewall\">Open Ports on Firewall<\/a><\/li><li><a href=\"#accessing-wazuh-app-on-kibana-web-interface\">Accessing Wazuh App on Kibana Web Interface<\/a><\/li><\/ul><\/li><li><a href=\"#sending-events-data-to-wazuh-server-using-wazuh-agents\">Sending Events\/Data to Wazuh Server using Wazuh Agents<\/a><ul><li><a href=\"#manually-install-wazuh-agent-on-cent-os-8-fedora-32\">Manually Install Wazuh Agent on CentOS 8\/Fedora 32<\/a><ul><li><a href=\"#create-the-wazuh-repository\">Create the Wazuh Repository<\/a><\/li><li><a href=\"#add-wazuh-agent-on-wazuh-server\">Add Wazuh Agent on Wazuh Server<\/a><\/li><li><a href=\"#extract-wazuh-agent-key\">Extract Wazuh Agent Key<\/a><\/li><li><a href=\"#set-the-wazuh-server-address-on-wazuh-agent\">Set the Wazuh Server Address on Wazuh Agent<\/a><\/li><\/ul><\/li><li><a 
href=\"#automatically-install-wazuh-agent-on-cent-os-fedora\">Automatically Install Wazuh Agent on CentOS\/Fedora<\/a><\/li><\/ul><\/li><li><a href=\"#verify-wazuh-agent-data-reception-on-kibana\">Verify Wazuh Agent Data Reception on Kibana<\/a><\/li><li><a href=\"#further-reading\">Further Reading<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-wazuh-server-on-cent-os-8-fedora-32\">Install Wazuh Server on CentOS 8\/Fedora 32<\/h2>\n\n\n\n<p>The Wazuh server has the primary functions of <strong>agent registration, data analysis, and managing of agents<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"deployment-architecture\">Deployment Architecture<\/h3>\n\n\n\n<p>There are two different <a href=\"https:\/\/documentation.wazuh.com\/3.9\/getting-started\/architecture.html\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">deployment architectures for Wazuh server<\/a>;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>All-in-one<\/strong>: The Wazuh server and Elastic Stack are installed on the same host.<\/li>\n\n\n\n<li><strong>Distributed<\/strong>: Each component is installed on a separate host as a single-node or multi-node cluster. 
This type of deployment provides high availability and scalability of the product, and it is convenient for large working environments.<\/li>\n<\/ul>\n\n\n\n<p>In this tutorial, we will use the <strong>All-in-one deployment architecture<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"system-requirements\">System Requirements<\/h3>\n\n\n\n<p>Consult the documentation for the <a href=\"https:\/\/documentation.wazuh.com\/current\/installation-guide\/requirements.html\" target=\"_blank\" rel=\"noreferrer noopener\">recommended system requirements<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wazuh-server-on-cent-os-8-fedora-32-1\">Install Wazuh Server on CentOS 8\/Fedora 32<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"add-wazuh-to-repository\">Add Wazuh to repository<\/h4>\n\n\n\n<p>You first have to add the Wazuh repository to the server by running the command below.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/yum.repos.d\/wazuh.repo << 'EOL'\n[wazuh_repo]\ngpgcheck=1\ngpgkey=https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH\nenabled=1\nname=Wazuh repository\nbaseurl=https:\/\/packages.wazuh.com\/4.x\/yum\/\nprotect=1\nEOL\n<\/code><\/pre>\n\n\n\n<p>Import the Wazuh repository GPG key.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rpm --import https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-server-on-cent-os-8-fedora-32-2\">Install Wazuh Server on CentOS 8\/Fedora 32<\/h4>\n\n\n\n<p>Run the following command to install the Wazuh server
on CentOS 8\/Fedora 32<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf -y install wazuh-manager<\/code><\/pre>\n\n\n\n<p>When the installation process is complete, start Wazuh Manager.<\/p>\n\n\n\n<pre id=\"block-24d1b016-220e-4375-9a01-ba22f1147037\" class=\"wp-block-preformatted\"><code>systemctl start wazuh-manager<\/code><\/pre>\n\n\n\n<p>You can check the status as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status wazuh-manager<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf wazuh-manager.service - Wazuh manager\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/wazuh-manager.service; disabled; vendor preset: disabled)\n   Active: active (running) since Tue 2023-05-09 14:15:02 EDT; 6s ago\n  Process: 6018 ExecStart=\/usr\/bin\/env \/var\/ossec\/bin\/wazuh-control start (code=exited, status=0\/SUCCESS)\n    Tasks: 99 (limit: 17668)\n   Memory: 204.5M\n   CGroup: \/system.slice\/wazuh-manager.service\n           \u251c\u25006077 \/var\/ossec\/framework\/python\/bin\/python3 \/var\/ossec\/api\/scripts\/wazuh-apid.py\n           \u251c\u25006117 \/var\/ossec\/bin\/wazuh-authd\n           \u251c\u25006132 \/var\/ossec\/bin\/wazuh-db\n           \u251c\u25006157 \/var\/ossec\/bin\/wazuh-execd\n           \u251c\u25006171 \/var\/ossec\/bin\/wazuh-analysisd\n           \u251c\u25006223 \/var\/ossec\/bin\/wazuh-syscheckd\n           \u251c\u25006238 \/var\/ossec\/bin\/wazuh-remoted\n           \u251c\u25006251 \/var\/ossec\/bin\/wazuh-logcollector\n           \u251c\u25006262 \/var\/ossec\/bin\/wazuh-monitord\n           \u2514\u25006301 \/var\/ossec\/bin\/wazuh-modulesd\n\nMay 09 14:14:54 rocky9 env[6018]: Started wazuh-db...\nMay 09 14:14:55 rocky9 env[6018]: Started wazuh-execd...\nMay 09 14:14:56 rocky9 env[6018]: Started wazuh-analysisd...\nMay 09 14:14:57 rocky9 env[6018]: Started wazuh-syscheckd...\nMay 09 14:14:58 rocky9 env[6018]: Started wazuh-remoted...\nMay 09 14:14:58 rocky9 env[6018]: Started 
wazuh-logcollector...\nMay 09 14:14:59 rocky9 env[6018]: Started wazuh-monitord...\nMay 09 14:15:00 rocky9 env[6018]: Started wazuh-modulesd...\nMay 09 14:15:02 rocky9 env[6018]: Completed.\nMay 09 14:15:02 rocky9 systemd[1]: Started Wazuh manager.\n<\/code><\/pre>\n\n\n\n<p>To avoid issues on version control and updates, it is recommended you disable the repository.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code> sed -i \"s\/enabled=1\/enabled=0\/\" \/etc\/yum.repos.d\/wazuh.repo<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-elastic-stack-on-cent-os-8-fedora-32\">Install Elastic Stack on CentOS 8\/Fedora 32<\/h3>\n\n\n\n<p>Next, you need to install Elasticsearch, Kibana, Filebeat and Wazuh APP  to be able to use Wazuh-manager to its full potential.<\/p>\n\n\n\n<p>Before you can proceed, you need to ensure that the Elastic components being installed are compatible with the version of Wazuh-manager installed.<\/p>\n\n\n\n<p>In this demo, Wazuh-manager 4.4.1 is installed:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rpm -qa wazuh-manager<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wazuh-manager-4.4.1-1.x86_64<\/code><\/pre>\n\n\n\n<p>Based on the <a href=\"https:\/\/documentation.wazuh.com\/current\/upgrade-guide\/compatibility_matrix\/\" target=\"_blank\" rel=\"noreferrer noopener\">Wazuh compatibility matrix<\/a>, Wazuh 4.4.1 is compatible with Elastic 7.17.9, as of this writing.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-elastic-repository\">Create Elastic Repository<\/h4>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/yum.repos.d\/elasticstack.repo << EOL\n[elasticsearch]\nname=Elasticsearch repository for 7.x packages\nbaseurl=https:\/\/artifacts.elastic.co\/packages\/7.x\/yum\ngpgcheck=1\ngpgkey=https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\nenabled=1\nautorefresh=1\ntype=rpm-md\nEOL\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"install-elasticsearch-kibana-and-filebeat\">Install Elasticsearch, Kibana and Filebeat<\/h4>\n\n\n\n<p>Based on the compatibility matrix for Wazuh 4.4.1, install Elasticsearch 7.17.9, Kibana 7.17.9 and Filebeat 7.17.9 by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install elasticsearch-7.17.9 kibana-7.17.9 filebeat-7.17.9<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nDependencies resolved.\n===================================================================================================================================================================================================================\n Package                                               Architecture                                   Version                                          Repository                                             Size\n===================================================================================================================================================================================================================\nInstalling:\n elasticsearch                                         x86_64                                         7.17.9-1                                         elasticsearch                                         301 M\n filebeat                                              x86_64                                         7.17.9-1                                         elasticsearch                                          34 M\n kibana                                                x86_64                                         7.17.9-1                                         elasticsearch                                         261 M\n\nTransaction 
Summary\n===================================================================================================================================================================================================================\nInstall  3 Packages\n\nTotal download size: 595 M\nInstalled size: 1.3 G\nIs this ok [y\/N]: y\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configuring-elasticsearch\">Configuring Elasticsearch<\/h4>\n\n\n\n<p>There are only a few changes we are going to make in regards to configuring  Elasticsearch.<\/p>\n\n\n\n<p>You can optionally set the Elastic cluster name;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sed -i 's\/#cluster.name: my-application\/cluster.name: wazuh-elastic\/' \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<p>Next, configure JVM heap size to no more than half the size of your memory. In this case, our test server has 2G RAM and the heap size is set to 512M for both maximum and minimum sizes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo '-Xms512m\n-Xmx512m' &gt; \/etc\/elasticsearch\/jvm.options.d\/jvm-memory.options<\/code><\/pre>\n\n\n\n<p>Start and enable ES to run on system boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now elasticsearch<\/code><\/pre>\n\n\n\n<p>Verify that Elasticsearch is running as expected.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl -XGET localhost:9200<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n{\n  \"name\" : \"rocky9\",\n  \"cluster_name\" : \"wazuh-elastic\",\n  \"cluster_uuid\" : \"-bJbTqm8S2OVWpgka0RSnQ\",\n  \"version\" : {\n    \"number\" : \"7.17.9\",\n    \"build_flavor\" : \"default\",\n    \"build_type\" : \"rpm\",\n    \"build_hash\" : \"ef48222227ee6b9e70e502f0f0daa52435ee634d\",\n    \"build_date\" : \"2023-01-31T05:34:43.305517834Z\",\n    \"build_snapshot\" : false,\n    
\"lucene_version\" : \"8.11.1\",\n    \"minimum_wire_compatibility_version\" : \"6.8.0\",\n    \"minimum_index_compatibility_version\" : \"6.0.0-beta1\"\n  },\n  \"tagline\" : \"You Know, for Search\"\n}\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-filebeat\">Configure Filebeat<\/h4>\n\n\n\n<p>Create a backup of the Filebeat configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mv \/etc\/filebeat\/filebeat.yml{,.original}<\/code><\/pre>\n\n\n\n<p>In our setup, we use the Filebeat configuration file below. You can configure it to your liking.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/filebeat\/filebeat.yml << 'EOL'\n# Wazuh - Filebeat configuration file\noutput.elasticsearch:\n  hosts: [\"localhost:9200\"]\nsetup.template.json.enabled: true\nsetup.template.json.path: '\/etc\/filebeat\/wazuh-template.json'\nsetup.template.json.name: 'wazuh'\nsetup.ilm.overwrite: true\nsetup.ilm.enabled: false\n\nfilebeat.modules:\n  - module: wazuh\n    alerts:\n      enabled: true\n    archives:\n      enabled: false\n      \nlogging.level: info\nlogging.to_files: true\nlogging.files:\n  path: \/var\/log\/filebeat\n  name: filebeat\n  keepfiles: 7\n  permissions: 0644\nEOL\n<\/code><\/pre>\n\n\n\n<p>Then download the alerts template for ELK<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl -so \/etc\/filebeat\/wazuh-template.json \\\nhttps:\/\/raw.githubusercontent.com\/wazuh\/wazuh\/4.4\/extensions\/elasticsearch\/7.x\/wazuh-template.json<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chmod go+r \/etc\/filebeat\/wazuh-template.json<\/code><\/pre>\n\n\n\n<p>Test Filebeat connection to Elasticsearch<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>filebeat test output<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nelasticsearch: http:\/\/localhost:9200...\n  parse url... OK\n  connection...\n    parse host... OK\n    dns lookup... 
OK\n    addresses: ::1, 127.0.0.1\n    dial up... OK\n  TLS... WARN secure connection disabled\n  talk to server... OK\n  version: 7.17.9\n<\/code><\/pre>\n\n\n\n<p>Install the Wazuh module for Filebeat:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl -s https:\/\/packages.wazuh.com\/4.x\/filebeat\/wazuh-filebeat-0.2.tar.gz | \\\ntar -xz -C \/usr\/share\/filebeat\/module<\/code><\/pre>\n\n\n\n<p>Start and enable Filebeat to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now filebeat<\/code><\/pre>\n\n\n\n<p>Filebeat will write logs to <strong>\/var\/log\/filebeat\/<\/strong> just in case you need to check something.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-kibana\">Configure Kibana<\/h4>\n\n\n\n<p>Define the address to which the Kibana server will bind. IP addresses and host names are both valid values. <strong>localhost<\/strong> is the default value.<\/p>\n\n\n\n<p>In my case, the IP address of my Wazuh server is 192.168.56.145. Hence, I will configure Kibana to listen on this address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sed -i -e '\/server.host:\/s\/^#\/\/' -e '\/server.host:\/s\/localhost\/192.168.56.145\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>To configure Kibana to listen on any interface IP, replace the IP above with 0.0.0.0. 
For example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i -e '\/server.host:\/s\/^#\/\/' -e '\/server.host:\/s\/localhost\/0.0.0.0\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>Install Wazuh App Kibana Plugin<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/usr\/share\/kibana\/data<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R kibana: \/usr\/share\/kibana\/data<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R kibana: \/usr\/share\/kibana\/plugins<\/code><\/pre>\n\n\n\n<p>Before you download and install the plugin, get the tag for your <a href=\"https:\/\/github.com\/wazuh\/wazuh-kibana-app\/\" target=\"_blank\" rel=\"noreferrer noopener\">specific version of Wazuh<\/a>;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo -u kibana \/usr\/share\/kibana\/bin\/kibana-plugin install \\\nhttps:\/\/packages.wazuh.com\/4.x\/ui\/kibana\/wazuh_kibana-4.4.1_7.17.9-1.zip<\/code><\/pre>\n\n\n\n<p>You can list installed plugins;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo -u kibana \/usr\/share\/kibana\/bin\/kibana-plugin list<\/code><\/pre>\n\n\n\n<p>Output;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wazuh@4.4.1-01<\/code><\/pre>\n\n\n\n<p>Start Kibana;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now kibana<\/code><\/pre>\n\n\n\n<p>Restart Elasticsearch and Wazuh manager;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart elasticsearch wazuh-manager<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"open-ports-on-firewall\">Open Ports on Firewall<\/h4>\n\n\n\n<p>Read about Wazuh Server ports on <a href=\"https:\/\/documentation.wazuh.com\/current\/getting-started\/architecture.html#required-ports\" target=\"_blank\" rel=\"noreferrer noopener\">Required Wazuh Ports page<\/a>.<\/p>\n\n\n\n<p>You need to allow some ports on firewall. 
These include;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>5601\/tcp for external access to Kibana<\/li>\n\n\n\n<li>1514\/udp\/tcp to allow collection of events from agents (UDP when so configured; TCP is used by default).<\/li>\n\n\n\n<li>1515\/udp for the agent registration service<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-port=5601\/tcp --permanent<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-port={1514,1515}\/udp --permanent<\/code><\/pre>\n\n\n\n<pre id=\"block-4bdb6266-8a77-4106-acd7-0883cfd275ab\" class=\"wp-block-preformatted\"><code>firewall-cmd --add-port={1514,1515}\/tcp --permanent<\/code><\/pre>\n\n\n\n<p>Then reload the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --reload<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"accessing-wazuh-app-on-kibana-web-interface\">Accessing Wazuh App on Kibana Web Interface<\/h4>\n\n\n\n<p>You can now access Kibana web interface via the address <strong>http:\/\/server-IP-or-hostname:5601<\/strong>.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1870\" height=\"842\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app.png\" alt=\"Install Wazuh Server on Rocky Linux\" class=\"wp-image-16444\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app.png?v=1683646799 1870w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app-768x346.png?v=1683646799 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/wazuh-kibana-app-1536x692.png?v=1683646799 1536w\" sizes=\"(max-width: 1870px) 100vw, 1870px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Wazuh App dashboard<\/p>\n\n\n\n<div><a 
href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/07\/kibana-wazuhapp-dashboard.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1892\" height=\"753\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/07\/kibana-wazuhapp-dashboard.png\" alt=\"Install and Setup Wazuh Server in Rocky Linux\" class=\"wp-image-9587\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/07\/kibana-wazuhapp-dashboard.png?v=1625905543 1892w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/07\/kibana-wazuhapp-dashboard-768x306.png?v=1625905543 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/07\/kibana-wazuhapp-dashboard-1536x611.png?v=1625905543 1536w\" sizes=\"(max-width: 1892px) 100vw, 1892px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>In the next section, we will learn how to push event data\/logs to Elasticsearch via the Wazuh agents.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"sending-events-data-to-wazuh-server-using-wazuh-agents\">Sending Events\/Data to Wazuh Server using Wazuh Agents<\/h3>\n\n\n\n<p>Wazuh agents can be installed on client servers or workstations from which logs are collected. Agents are available for both Windows and UNIX systems.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"manually-install-wazuh-agent-on-cent-os-8-fedora-32\">Manually Install Wazuh Agent on CentOS 8\/Fedora 32<\/h4>\n\n\n\n<p>In this tutorial, we are going to install the Wazuh agent on another CentOS 8 server acting as the endpoint from which we are collecting logs. <\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"create-the-wazuh-repository\">Create the Wazuh Repository<\/h5>\n\n\n\n<p>Copy and paste the following content to add the Wazuh repository on a CentOS 8 agent. 
<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rpm --import https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &gt; \/etc\/yum.repos.d\/wazuh.repo &lt;&lt; 'EOF'\n[wazuh_repo]\ngpgcheck=1\ngpgkey=https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH\nenabled=1\nname=Wazuh repository\nbaseurl=https:\/\/packages.wazuh.com\/4.x\/yum\/\nprotect=1\nEOF\n<\/code><\/pre>\n\n\n\n<p>Install Wazuh Agents on CentOS 8\/Fedora 32<\/p>\n\n\n\n<p>Once the repos are in place, you can install Wazuh agent by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf -y install wazuh-agent<\/code><\/pre>\n\n\n\n<p>The installation is now complete. The next step is to enable the agent to communicate with the manager.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"add-wazuh-agent-on-wazuh-server\">Add Wazuh Agent on Wazuh Server<\/h5>\n\n\n\n<p>On Wazuh manager, run the command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<p>Select add an agent (A) and press enter.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nWazuh v4.4.1 Agent manager. 
*\nThe following options are available: *\n\n(A)dd an agent (A).\n(E)xtract key for an agent (E).\n(L)ist already added agents (L).\n(R)emove an agent (R).\n(Q)uit.\nChoose your action: A,E,L,R or Q: A\n<\/code><\/pre>\n\n\n\n<p>Provide a name for the agent (in our case RHAgent) and the IP of the agent, then confirm.<\/p>\n\n\n\n<p><strong>Note the ID given to the agent.<\/strong><\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nAdding a new agent (use '\\q' to return to the main menu).\nPlease provide the following:\nA name for the new agent: RHAgent\nThe IP Address of the new agent: 192.168.56.130\nConfirm adding it?(y\/n): y\nAgent added with ID 002.\n<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"extract-wazuh-agent-key\">Extract Wazuh Agent Key<\/h5>\n\n\n\n<p>For an agent to communicate with the manager, the agent needs a key. Proceed to extract the agent key by typing E. Select the ID of the agent (002 in this case).<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nChoose your action: A,E,L,R or Q: E\nAvailable agents:\nID: 001, Name: centos8, IP: 192.168.56.103\nID: 002, Name: RHAgent, IP: 192.168.56.130\nProvide the ID of the agent to extract the key (or '\\q' to quit): 002\nAgent key information for '002' is:\n<strong>MDAyIFJIQWdlbnQgMTkyLjE2OC41Ni4xMzAgMzFjNTVjOGNiMzU2YmJkOTcyYzE2YjVhMDZiNzNkMGNmYTFhYmJlYWM4OTZmMGE0OWY3NzdjNjEwNTJiMGZjMQ==<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Copy the key and paste it in an accessible place as we will be using it in the next step.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"set-the-wazuh-server-address-on-wazuh-agent\">Set the Wazuh Server Address on Wazuh Agent<\/h5>\n\n\n\n<p> On <strong>the agent,<\/strong> edit the file<strong> \/var\/ossec\/etc\/ossec.conf<\/strong> and add the Wazuh manager IP\/resolvable hostname.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/var\/ossec\/etc\/ossec.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n... 
\n    &lt;server&gt;\n      &lt;address&gt;192.168.56.145&lt;\/address&gt;\n      &lt;port&gt;1514&lt;\/port&gt;\n      &lt;protocol&gt;udp&lt;\/protocol&gt;\n    &lt;\/server&gt;\n...\n<\/code><\/pre>\n\n\n\n<p>Save and quit.<\/p>\n\n\n\n<p>Navigate to <strong>\/var\/ossec\/bin<\/strong> and run the <code>manage_agents<\/code> script to import the agent key.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<p>Press I to import the key previously generated from the manager.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nProvide the Key generated by the server.\nThe best approach is to cut and paste it.\n*** OBS: Do not include spaces or new lines.\nPaste it here (or '\\q' to quit): <strong>PASTE THE AGENT KEY HERE<\/strong>\nAgent information:\nID:002\nName:RHAgent\nIP Address:192.168.56.130\nConfirm adding it?(y\/n): y\nAdded.\n<\/code><\/pre>\n\n\n\n<p>Quit and restart the agent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/wazuh-control restart<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"automatically-install-wazuh-agent-on-cent-os-fedora\">Automatically Install Wazuh Agent on CentOS\/Fedora<\/h4>\n\n\n\n<p>You can automatically add and install Wazuh agents on CentOS\/Fedora systems;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to Wazuh app on Kibana<\/li>\n\n\n\n<li>Head over to agents<\/li>\n\n\n\n<li>Deploy a new agent<\/li>\n\n\n\n<li>Choose the operating system (CentOS)<\/li>\n\n\n\n<li>Choose the OS version (CentOS 7+)<\/li>\n\n\n\n<li>Choose the architecture, for example x86_64<\/li>\n\n\n\n<li>Enter the Wazuh server address (e.g. 192.168.56.145)<\/li>\n\n\n\n<li>Assign a name and a group to the agent<\/li>\n\n\n\n<li>Copy the installation command and execute it on the host where the agent is being installed to install and enroll the Wazuh agent<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1623\" 
height=\"1709\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/add-wazuh-agent.png\" alt=\"\" class=\"wp-image-16456\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/add-wazuh-agent.png?v=1683697023 1623w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/add-wazuh-agent-768x809.png?v=1683697023 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/add-wazuh-agent-1459x1536.png?v=1683697023 1459w\" sizes=\"(max-width: 1623px) 100vw, 1623px\" \/><\/figure>\n\n\n\n<p>Start and enable the agent to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now wazuh-agent<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-wazuh-agent-data-reception-on-kibana\">Verify Wazuh Agent Data Reception on Kibana<\/h3>\n\n\n\n<p>The agent registration is complete. Let us check its data from the Wazuh module in Kibana.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1262\" height=\"474\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/Selection_002-1-1-1.png\" alt=\"Install and Setup Wazuh Server in CentOS 8\/Fedora 32\" class=\"wp-image-6487\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/Selection_002-1-1-1.png?v=1595139033 1262w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/Selection_002-1-1-1-768x288.png?v=1595139033 768w\" sizes=\"(max-width: 1262px) 100vw, 1262px\" \/><\/figure>\n\n\n\n<p>Navigate to <strong>Wazuh&gt;Modules&gt;Security Events <\/strong>to view security related events and dashboards.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1273\" height=\"551\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/Selection_003.png\" alt=\"Install and Setup Wazuh Server in CentOS 8\/Fedora 32\" 
class=\"wp-image-6490\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/Selection_003.png?v=1595140587 1273w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/Selection_003-768x332.png?v=1595140587 768w\" sizes=\"(max-width: 1273px) 100vw, 1273px\" \/><\/figure>\n\n\n\n<p>You can explore more of the modules, such as Auditing and Policy Monitoring, Regulatory Compliance, and Threat Detection and Response.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"further-reading\">Further Reading<\/h3>\n\n\n\n<p><a href=\"https:\/\/documentation.wazuh.com\/3.13\/installation-guide\/installing-wazuh-manager\/linux\/centos\/index.html\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Installing Wazuh Server on CentOS<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-ossec-agent-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install OSSEC Agent on CentOS 8<\/a><\/p>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/installing-elk-stack-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Installing ELK Stack on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elastic-stack-7-on-fedora-30-fedora-29-centos-7\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Install Elastic Stack 7 on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and set up Wazuh server in CentOS 8\/Fedora 32. 
Wazuh is an open-source tool for visibility, security<\/p>\n","protected":false},"author":4,"featured_media":9589,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72,273,1823],"tags":[1827,1824,1825,1826,1623,1829,1828],"class_list":["post-6443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","category-ossec","category-wazuh","tag-install-wazuh-agents-on-centos-8-fedora-32","tag-install-wazuh-server-on-centos-8","tag-install-wazuh-server-on-fedora-32","tag-setup-wazuh-manager-on-centos-8","tag-system-monitoring","tag-wazuh-manager","tag-wazuh-server","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6443"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6443"}],"version-history":[{"count":22,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6443\/revisions"}],"predecessor-version":[{"id":21446,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6443\/revisions\/21446"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9589"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6443"}],"curies":[{"name":"wp","href":"https:\/
\/api.w.org\/{rel}","templated":true}]}}