
Wazuh installation


Endpoint

Endpoint OS: Windows 10
Agent: wazuh-agent-4.2.2-1, https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.2-1.msi

Server

Installation method: step-by-step installation, following the official guide "Step-by-step installation - All-in-one deployment"

echo "1 install necessary packages"
yum install curl unzip wget libcap -y
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

echo "2 install wazuh manager"
yum install wazuh-manager -y
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager


echo "3 install es"
yum install opendistroforelasticsearch -y

echo "config es"
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

echo "add user, role"
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml


echo "remove demo certificates"
rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

echo "generate and deploy the certificates"
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
bash ~/wazuh-cert-tool.sh

mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/

systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

echo "test whether install success"
curl -XGET https://localhost:9200 -u admin:admin -k

echo "remove es analyzer tool"
/usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer
systemctl restart elasticsearch


echo "4 install filebeat"
yum install filebeat -y

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

filebeat test output

echo "5 install kibana"
yum install opendistroforelasticsearch-kibana -y

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml

mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip

mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

Kibana plugin installation fails

[root@localhost kibana]# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip
Transferring 34628785 bytes....
Transfer complete
Retrieving metadata from plugin archive
Error: end of central directory record signature not found
at /usr/share/kibana/node_modules/yauzl/index.js:187:14
at /usr/share/kibana/node_modules/yauzl/index.js:631:5
at /usr/share/kibana/node_modules/fd-slicer/index.js:32:7
at FSReqWrap.wrapper [as oncomplete] (fs.js:467:17)
Plugin installation was unsuccessful due to error "Error retrieving metadata from plugin archive"

The download was too slow and the installation failed as a result. After downloading the zip locally with Xunlei (Thunder), install it from the local file instead:

[root@localhost GitHub]# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///mnt/hgfs/wazuh_kibana-4.2.2_7.10.2-1.zip 
Found previous install attempt. Deleting...
Attempting to transfer from file:///mnt/hgfs/wazuh_kibana-4.2.2_7.10.2-1.zip
Transferring 34628785 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete
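The error in the first attempt ("end of central directory record signature not found") is what a truncated or corrupted zip looks like to the plugin installer. The following is an added example, not from the original post, that checks a locally downloaded plugin archive for a complete end-of-central-directory (EOCD) record and, optionally, the expected size before handing it to kibana-plugin install; it assumes POSIX sh with tail, od, tr, grep and wc, and the plugin path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded zip before
# running kibana-plugin install from file://. Assumes POSIX sh with tail, od,
# tr, grep and wc.

# zip_has_eocd FILE
# Returns 0 if the EOCD signature (bytes 50 4b 05 06) appears in the last
# 65557 bytes of FILE. The EOCD record is 22 bytes and may be followed by a
# zip comment of up to 65535 bytes, so the whole tail is searched rather than
# only the last 22 bytes.
zip_has_eocd() {
    [ -r "$1" ] || return 1
    # od prints 16 bytes per line, each line starting with a space; dropping
    # the newlines yields one " 50 4b 05 06 ..." string to search.
    tail -c 65557 "$1" | od -An -v -tx1 | tr -d '\n' | grep -q ' 50 4b 05 06'
}

# check_plugin_archive FILE [EXPECTED_BYTES]
# Prints a verdict and returns 0 only when FILE is readable, matches the
# expected size when one is given (the successful run above transferred
# 34628785 bytes) and ends with an EOCD record.
check_plugin_archive() {
    file=$1
    expected=${2:-}
    if [ ! -r "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    actual=$(wc -c < "$file" | tr -d ' ')
    if [ -n "$expected" ] && [ "$actual" -ne "$expected" ]; then
        echo "size mismatch: $file is $actual bytes, expected $expected"
        return 1
    fi
    if ! zip_has_eocd "$file"; then
        echo "truncated or corrupt: no end-of-central-directory record in $file"
        return 1
    fi
    echo "ok: $file ($actual bytes) looks like a complete zip"
    return 0
}

# Usage (placeholder path): sh check_plugin.sh /mnt/hgfs/wazuh_kibana-4.2.2_7.10.2-1.zip 34628785
if [ "$#" -gt 0 ]; then
    check_plugin_archive "$@"
fi
```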

Accessing the Kibana web UI

URL: https://<wazuh_server_ip>    (for example: https://192.168.1.66)
user: admin
password: admin


At https://192.168.1.66/app/wazuh#/manager/?tab=status no agent is online, so add an agent as follows.

Connecting the agent to the Wazuh server

Generate a key for the agent so that it can connect to the Wazuh server by running the following command:

[root@localhost Hub]# /var/ossec/bin/manage_agents

Configure the agent with:

  1. the server IP
  2. the key generated on the server.

Agent fails to connect to the Wazuh server

The agent was installed in a VMware Windows 7 VM and pointed at a separate VMware CentOS VM running the Wazuh server; it reported that the connection failed.

telnet 192.168.1.66 1514 failed. On the CentOS side, port 1514 was in the listening state, so the cause had to be the firewall not opening port 1514. After opening 1514 with the following commands, the connection succeeded.

firewall-cmd --list-ports

firewall-cmd --zone=public --add-port=1514/tcp --permanent   (--permanent makes the rule persistent; without it the rule is lost after a reboot)
firewall-cmd --zone=public --add-port=1515/tcp --permanent

firewall-cmd --reload
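The diagnosis above separates two layers: the manager not listening at all versus listening but blocked by firewalld. The following added example, not from the original post, turns that into a repeatable check over the text output of ss -ltn and firewall-cmd --list-ports, run here on a constructed sample that mirrors the post's situation; it assumes POSIX sh with grep, with ss and firewall-cmd only needed for the live run on the manager host.

```shell
#!/bin/sh
# Added example (not from the original post): classify each Wazuh manager port
# as ok / not-listening / listening-but-firewalled from the text output of
# "ss -ltn" and "firewall-cmd --list-ports". Assumes POSIX sh with grep.

# diagnose_port PORT SS_TEXT FW_TEXT
# Prints exactly one of: ok, not-listening, listening-but-firewalled.
diagnose_port() {
    port=$1; ss_text=$2; fw_text=$3
    # ss -ltn shows the local socket as e.g. "0.0.0.0:1514" or "[::]:1514"
    # followed by whitespace, so anchor on ":PORT" plus a blank.
    if ! printf '%s\n' "$ss_text" | grep -Eq ":$port[[:space:]]"; then
        echo "not-listening"
    # --list-ports prints the zone's *runtime* ports as "1514/tcp 1515/tcp";
    # a rule added with --permanent but not yet --reload'ed still shows as
    # firewalled here, which matches the post's note about --reload.
    elif ! printf '%s\n' "$fw_text" | grep -Eq "(^|[[:space:]])$port/tcp([[:space:]]|$)"; then
        echo "listening-but-firewalled"
    else
        echo "ok"
    fi
}

# diagnose_manager SS_TEXT FW_TEXT
# Checks 1514 (agent traffic) and 1515 (agent enrollment), the two ports the
# post opens. Returns 0 only when both pass at both layers.
diagnose_manager() {
    rc=0
    for p in 1514 1515; do
        verdict=$(diagnose_port "$p" "$1" "$2")
        echo "port $p/tcp: $verdict"
        [ "$verdict" = "ok" ] || rc=1
    done
    return $rc
}

# Constructed sample mirroring the post: the manager listens on both ports
# but firewalld only has 1515 open, so 1514 is the one to fix.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:1514 0.0.0.0:*
LISTEN 0 128 [::]:1515 [::]:*'
SAMPLE_FW='1515/tcp'

# Live run on the manager host: sh diagnose_ports.sh live
if [ "${1:-}" = "live" ]; then
    diagnose_manager "$(ss -ltn 2>/dev/null)" "$(firewall-cmd --list-ports 2>/dev/null)"
fi
```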

Check the service status (screenshot)

Wazuh-related processes (screenshot)
