终端
终端系统:win10
agent:wazuh-agent-4.2.2-1 https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.2-1.msi
服务器
安装方式:单步安装Step-by-step installation - All-in-one deployment
echo "1 install necessary packages"
yum install curl unzip wget libcap -y
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
echo "2 install wazuh manager"
yum install wazuh-manager -y
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager
echo "3 install es"
yum install opendistroforelasticsearch -y
echo "config es"
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
echo "add user, role"
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
echo "remove demo certificates"
rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
echo "generate and deploy the certificates"
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
bash ~/wazuh-cert-tool.sh
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
echo "test whether install success"
curl -XGET https://localhost:9200 -u admin:admin -k
echo "remove es analyzer tool"
/usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer
systemctl restart elasticsearch
echo "4 install filebeat"
yum install filebeat -y
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
filebeat test output
echo "5 install kibana"
yum install opendistroforelasticsearch-kibana -y
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
安装kibana失败
[root@localhost kibana]# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip
Transferring 34628785 bytes....
Transfer complete
Retrieving metadata from plugin archive
Error: end of central directory record signature not found
at /usr/share/kibana/node_modules/yauzl/index.js:187:14
at /usr/share/kibana/node_modules/yauzl/index.js:631:5
at /usr/share/kibana/node_modules/fd-slicer/index.js:32:7
at FSReqWrap.wrapper [as oncomplete] (fs.js:467:17)
Plugin installation was unsuccessful due to error "Error retrieving metadata from plugin archive"
下载太慢导致安装失败,用迅雷下载到本地之后,以文件方式安装
[root@localhost GitHub]# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///mnt/hgfs/wazuh_kibana-4.2.2_7.10.2-1.zip
Found previous install attempt. Deleting...
Attempting to transfer from file:///mnt/hgfs/wazuh_kibana-4.2.2_7.10.2-1.zip
Transferring 34628785 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete
访问kibana web
URL: https://<wazuh_server_ip> //例如: https://192.168.1.66 user: admin
password: admin
https://192.168.1.66/app/wazuh#/manager/?tab=status 没有agent在线,通过方式添加agent
agent连接wazuh server
给agent生成一个key,让他能够连接到wazuh server, 运行以下命令
[root@localhost Hub]# /var/ossec/bin/manage_agents
给agent配置
- 服务端ip
- 服务端生成的key.
agent连接wazuh server失败
agent安装在vmware win7中,连接到另一个台vmware centos wazuh server,提示连接失败
telnet 192.168.1.66 1514失败,在centos中查看1514端口是处理监听状态,因此应该是防火墙没有开1514端口,通过以下命令开放1514之后连接成功
firewall-cmd --list-ports
firewall-cmd --zone=public --add-port=1514/tcp --permanent (--permanent永久生效,没有此参数重启后失效)
firewall-cmd --zone=public --add-port=1515/tcp --permanent
firewall-cmd --reload