云网牛站
所在位置:首页 > Linux云服务器 > 在Ubuntu 20.04系统上安装和设置Wazuh Server的详细步骤

在Ubuntu 20.04系统上安装和设置Wazuh Server的详细步骤

2021-04-27 16:16:46作者:戴进稿源:云网牛站

本文介绍在Ubuntu 20.04系统上安装和设置Wazuh Server的详细步骤,包含的内容有:安装依赖、从Open Distro安装Elasticsearch、安装证书、安装Filebeat、及安装Kibana。

 

步骤1:安装依赖

安装以下运行Wazuh Manager所需的软件包:

sudo apt update

sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

然后再安装Java:

sudo apt install default-jre

 

步骤2:在Ubuntu 20.04上安装Wazuh Server

以下步骤将指导我们如何在Ubuntu 20.04上安装Wazuh服务器。

1、添加GPG密钥

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -

2、添加Wazuh存储库

echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

3、更新系统

sudo apt update

4、安装Wazuh Manager

sudo apt install wazuh-manager

5、启动并启用服务

sudo systemctl daemon-reload

sudo systemctl enable --now wazuh-manager

检查Wazuh管理器的状态并确认它是否已启动并正在运行:

systemctl status wazuh-manager

检查服务状态,是否是Active: active (running)。

 

步骤3:从Open Distro安装Elasticsearch

参考:在Ubuntu 20.04服务器上安装和配置Elasticsearch的方法

Open Distro是高度可扩展的全文本搜索引擎,该软件包提供高级安全性、警报、深入的性能分析、索引管理和许多其他功能:

sudo apt install elasticsearch-oss opendistro-alerting opendistro-anomaly-detection opendistro-index-management opendistro-job-scheduler opendistro-knn opendistro-knnlib opendistro-performance-analyzer opendistro-security opendistro-sql opendistroforelasticsearch

下载/etc/elasticsearch/elasticsearch.yml的定制配置文件,如下所示:

sudo curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

使用以下模板配置Kibana角色和用户:

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/elasticsearch/roles/roles.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/elasticsearch/roles/roles_mapping.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/elasticsearch/roles/internal_users.yml

上面的命令为Kibana添加了以下用户:

Wazuh_user–将用于需要只读访问Wazuh Kibana插件的用户。

Wazuh_admin–适用于需要管理特权的用户。

还创建了两个其他角色,以为用户提供适当的权限。

wazuh_ui_user–提供wazuh_user权限以读取Wazuh的索引。

wazuh_ui_admin–允许wazuh_admins对wazuh索引执行读/写,管理和索引。

 

步骤4:安装证书

我们可以设置证书以用于Elasticsearch和Wazuh之间的TLS通信。

1、删除演示证书

sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}

2.生成新证书

sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs

sudo curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip

3、解压缩下载的文件

sudo unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard

4、下载预配置的search-guard.yml文件

sudo curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/searchguard/search-guard-aio.yml

5、运行搜索保护脚本以创建证书

sudo ~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/

6、创建证书后,删除不必要的文件

sudo rm /etc/elasticsearch/certs/client-certificates.readme sudo /etc/elasticsearch/certs/elasticsearch_elasticsearch_config_snippet.yml ~/search-guard-tlstool-1.8.zip ~/searchguard -rf

7、启用并启动Elasticsearch服务

sudo systemctl enable --now elasticsearch

8、通过运行Elasticsearch的securityadmin脚本来加载新证书

sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key

您应该看到类似于以下内容的输出:

WARNING: JAVA_HOME not set, will use /usr/bin/java

Open Distro Security Admin v7

Will connect to localhost:9300 ... done

Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US

Elasticsearch Version: 7.10.0

Open Distro Security Version: 1.12.0.0

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...

Clustername: elasticsearch

Clusterstate: GREEN

Number of nodes: 1

Number of data nodes: 1

.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)

Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/

Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml 

SUCC: Configuration for 'config' created or updated

Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml 

SUCC: Configuration for 'roles' created or updated

Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml

SUCC: Configuration for 'rolesmapping' created or updated

Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

SUCC: Configuration for 'internalusers' created or updated

Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml

SUCC: Configuration for 'actiongroups' created or updated

Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml 

SUCC: Configuration for 'tenants' created or updated

Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml 

SUCC: Configuration for 'nodesdn' created or updated

Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml 

SUCC: Configuration for 'whitelist' created or updated

Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml 

SUCC: Configuration for 'audit' created or updated

Done with success

运行以下命令以确认安装成功:

curl -XGET https://localhost:9200 -u admin:admin -k

响应应如下所示:

{

 "name" : "node-1",

 "cluster_name" : "elasticsearch",

 "cluster_uuid" : "9JuWWZBHSX65WNZioHQcMg",

 "version" : {

  "number" : "7.10.0",

  "build_flavor" : "oss",

  "build_type" : "deb",

  "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",

  "build_date" : "2020-11-09T21:30:33.964949Z",

  "build_snapshot" : false,

  "lucene_version" : "8.7.0",

  "minimum_wire_compatibility_version" : "6.8.0",

  "minimum_index_compatibility_version" : "6.0.0-beta1"

  },

  "tagline" : "You Know, for Search"

}

您可能选择删除Open Distro for Elasticsearch性能分析器插件,该插件在默认情况下会安装,有时可能会占用大量资源。使用下面的命令将其删除:

sudo /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer

 

步骤5:在Ubuntu 20.04上安装Filebeat

Filebeat用于将警报和事件从Wazuh服务器发送到Elasticsearch:

sudo apt install filebeat

下载下面的filebeat配置文件,该文件将用于将wazuh警报转发到Elasticsearch:

sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml

使用下面的命令为Elasticsearch下载警报模板:

sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.0/extensions/elasticsearch/7.x/wazuh-template.json

sudo chmod go+r /etc/filebeat/wazuh-template.json

下载Wazuh FIlebeat模块:

sudo curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

将Elasticsearch证书复制到/etc/filebeat/certs:

sudo mkdir /etc/filebeat/certs && cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/

sudo mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/

启动并启用Filebeat服务:

sudo systemctl enable --now filebeat

通过以下命令确认Filebeat配置:

sudo filebeat test output

样本输出:

elasticsearch: https://127.0.0.1:9200...

 parse url... OK

 connection...

  parse host... OK

  dns lookup... OK

  addresses: 127.0.0.1

  dial up... OK

 TLS...

  security: server's certificate chain verification is enabled

  handshake... OK

  TLS version: TLSv1.3

  dial up... OK

  talk to server... OK

  version: 7.10.0

 

步骤6:在Ubuntu 20.04上安装Kibana

Kibana是一个Web界面,可帮助我们可视化和分析Elasticsearch中存储的事件。

使用以下命令在Ubuntu 20.04上安装Kibana:

sudo apt-get install opendistroforelasticsearch-kibana

下载Kibana的配置文件:

sudo curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/kibana/7.x/kibana_all_in_one.yml

为以下文件分配正确的权限:

sudo chown -R kibana:kibana /usr/share/kibana/optimize

sudo chown -R kibana:kibana /usr/share/kibana/plugins

为Wazuh安装Kibana插件。这必须在Kibana主目录中完成:

cd /usr/share/kibana

sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.1-1.zip

将Elasticsearch证书复制到/etc/kibana/certs:

sudo mkdir /etc/kibana/certs

sudo cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/

sudo mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key

sudo mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem

将Kibana的套接字绑定到特权443端口:

sudo setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

启动并启用Kibana服务:

sudo systemctl enable --now kibana

允许Kibana通过防火墙:

sudo ufw allow 443/tcp

您现在可以通过访问wazuh kibana界面,有用的信息如下:

URL: https://<wazuh_server_ip>

user: admin

password: admin

在Ubuntu 20.04系统上安装和设置Wazuh Server的详细步骤

您可以登录并继续查看来自Wazuh的可用指标:

在Ubuntu 20.04系统上安装和设置Wazuh Server的详细步骤

至此,通过以上步骤,我们已经在Ubuntu 20.04上成功设置了Wazuh服务器。

 

相关主题

在ubuntu中安装ELK Stack(Elasticsearch,Logstash和Kibana)

精选文章
热门文章