Wazuh architecture diagrams

Distributed

[image: wazuh_distributed]

Single-host deployment

[image: wazuh_single]

Install Wazuh server

Add the Wazuh repository on CentOS

$ cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CentOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1
EOF

Install wazuh-manager

$ yum install wazuh-manager
  • Check the Wazuh running status
    [root@localhost init.d]# service wazuh-manager status
    ossec-monitord is running...
    ossec-logcollector is running...
    ossec-remoted is running...
    ossec-syscheckd is running...
    ossec-analysisd is running...
    ossec-maild not running...
    ossec-execd is running...
    wazuh-modulesd is running...

Install the Wazuh API

  • Install Node.js

[root@localhost opt]# curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -

## Installing the NodeSource Node.js 6.x repo...


## Inspecting system...

+ rpm -q --whatprovides redhat-release || rpm -q --whatprovides centos-release || rpm -q --whatprovides cloudlinux-release || rpm -q --whatprovides sl-release
+ uname -m

## Confirming "el6-x86_64" is supported...

+ curl -sLf -o /dev/null 'https://rpm.nodesource.com/pub_6.x/el/6/x86_64/nodesource-release-el6-1.noarch.rpm'

## Downloading release setup RPM...

+ mktemp
+ curl -sL -o '/tmp/tmp.l3Z6OzvS3W' 'https://rpm.nodesource.com/pub_6.x/el/6/x86_64/nodesource-release-el6-1.noarch.rpm'

## Installing release setup RPM...

+ rpm -i --nosignature --force '/tmp/tmp.l3Z6OzvS3W'

## Cleaning up...

+ rm -f '/tmp/tmp.l3Z6OzvS3W'

## Checking for existing installations...

+ rpm -qa 'node|npm' | grep -v nodesource

## Run `yum install -y nodejs` (as root) to install Node.js 6.x and npm.
## You may also need development tools to build native addons:
## `yum install -y gcc-c++ make`

[root@localhost opt]# ls

[root@localhost opt]# yum install nodejs

已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
nodesource | 2.5 kB 00:00
nodesource/primary_db | 43 kB 00:00
解决依赖关系
--> 执行事务检查
---> Package nodejs.x86_64 2:6.11.1-1nodesource.el6 will be 安装
--> 完成依赖关系计算

依赖关系解决

==========================================================================================================================================================
软件包 架构 版本 仓库 大小
==========================================================================================================================================================
正在安装:
nodejs x86_64 2:6.11.1-1nodesource.el6 nodesource 9.5 M

事务概要
==========================================================================================================================================================
Install 1 Package(s)

总下载量:9.5 M
Installed size: 33 M
确定吗?[y/N]:y
下载软件包:
nodejs-6.11.1-1nodesource.el6.x86_64.rpm | 9.5 MB 00:20
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 34fa74dd: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/NODESOURCE-GPG-SIGNING-KEY-EL
Importing GPG key 0x34FA74DD:
Userid : NodeSource <[email protected]>
Package: nodesource-release-el6-1.noarch (installed)
From : /etc/pki/rpm-gpg/NODESOURCE-GPG-SIGNING-KEY-EL
确定吗?[y/N]:y
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
Warning: RPMDB altered outside of yum.
正在安装 : 2:nodejs-6.11.1-1nodesource.el6.x86_64 1/1
Verifying : 2:nodejs-6.11.1-1nodesource.el6.x86_64 1/1

已安装:
nodejs.x86_64 2:6.11.1-1nodesource.el6

完毕!
  • Install the Wazuh API

[root@localhost opt]# yum install wazuh-api

已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
解决依赖关系
--> 执行事务检查
---> Package wazuh-api.x86_64 0:2.0.1-1.el6 will be 安装
--> 完成依赖关系计算

依赖关系解决

==========================================================================================================================================================
软件包 架构 版本 仓库 大小
==========================================================================================================================================================
正在安装:
wazuh-api x86_64 2.0.1-1.el6 wazuh_repo 2.0 M

事务概要
==========================================================================================================================================================
Install 1 Package(s)

总下载量:2.0 M
Installed size: 7.8 M
确定吗?[y/N]:y
下载软件包:
wazuh-api-2.0.1-1.el6.x86_64.rpm | 2.0 MB 00:04
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
正在安装 : wazuh-api-2.0.1-1.el6.x86_64 1/1
Installing for SysVinit
WAZUH-API is not running.
WAZUH-API started.
Don't forget to run the configuration script after installation: /var/ossec/api/scripts/configure_api.sh
Warning: Minimal supported version is 2.7
root 21160 5.0 0.2 614120 7952 pts/0 Rl+ 15:12 0:00 /usr/bin/node /var/ossec/api/app.js
WAZUH-API stopped.
WAZUH-API started.
Verifying : wazuh-api-2.0.1-1.el6.x86_64 1/1

已安装:
wazuh-api.x86_64 0:2.0.1-1.el6

完毕!
  • wazuh-api status error
[root@localhost Python-2.7.3]# service wazuh-api status
WAZUH-API is stopped.

Last 20 log entries:
WazuhAPI 2017-08-01 15:12:23: ERROR: No suitable Python version found. This application requires Python 2.7 or newer. Exiting.

Full log: /var/ossec/logs/api.log
  • Install python27 on CentOS 6
$ yum install -y centos-release-scl
$ yum install -y python27
  • Check the wazuh-api status
[root@localhost Python-2.7.3]# service wazuh-api start
WAZUH-API started.
[root@localhost Python-2.7.3]# service wazuh-api status
WAZUH-API is running.
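Two checks for the steps above, as an added example that is not part of the original post: which wazuh-manager daemons the status output reports as down, and whether a Python version satisfies the 2.7 minimum that api.log complained about. The function names are my own; the status text used in the comments and test is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on the manager:
#   service wazuh-manager status | wazuh_daemons_down
#   service wazuh-manager status | wazuh_manager_healthy && echo "all daemons up"
#   python_on_path_ok && echo "python is new enough for wazuh-api"

# Print the daemons that 'service wazuh-manager status' reports as not
# running, one per line (e.g. "ossec-maild" from "ossec-maild not running...").
# Reads the status text from stdin.
wazuh_daemons_down() {
    awk '/ not running/ { print $1 }'
}

# Return 0 when every daemon that should be running is up. ossec-maild is
# ignored because mail alerts are off unless configured, as in the post.
wazuh_manager_healthy() {
    down=$(wazuh_daemons_down | grep -v '^ossec-maild$' || true)
    [ -z "$down" ]
}

# Return 0 if a Python version string (e.g. 2.6.6, 2.7.3, 3.6.8) is 2.7 or
# newer, the minimum the api.log error above demands. CentOS 6 ships 2.6,
# which is why the API refused to start until python27 was installed.
python_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; }
}

# Check the interpreter the wazuh-api init script will find on PATH.
# $1 = python executable (defaults to python)
python_on_path_ok() {
    ver=$("${1:-python}" -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])' 2>/dev/null) || return 1
    python_version_ok "$ver"
}
```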

Install Filebeat

[root@localhost opt]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
[root@localhost opt]# cat > /etc/yum.repos.d/elastic.repo << EOF
> [elastic-5.x]
> name=Elastic repository for 5.x packages
> baseurl=https://artifacts.elastic.co/packages/5.x/yum
> gpgcheck=1
> gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
> enabled=1
> autorefresh=1
> type=rpm-md
> EOF

[root@localhost opt]# yum install filebeat

已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
elastic-5.x | 1.3 kB 00:00
elastic-5.x/primary | 81 kB 00:00
elastic-5.x 206/206
解决依赖关系
--> 执行事务检查
---> Package filebeat.x86_64 0:5.5.1-1 will be 安装
--> 完成依赖关系计算

依赖关系解决

==========================================================================================================================================================
软件包 架构 版本 仓库 大小
==========================================================================================================================================================
正在安装:
filebeat x86_64 5.5.1-1 elastic-5.x 8.7 M

事务概要
==========================================================================================================================================================
Install 1 Package(s)

总下载量:8.7 M
Installed size: 29 M
确定吗?[y/N]:y
下载软件包:
filebeat-5.5.1-x86_64.rpm | 8.7 MB 06:35
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
正在安装 : filebeat-5.5.1-1.x86_64 1/1
Verifying : filebeat-5.5.1-1.x86_64 1/1

已安装:
filebeat.x86_64 0:5.5.1-1

完毕!
  • Download the Filebeat configuration file
[root@localhost opt]# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/filebeat/filebeat.yml
[root@localhost opt]# ls /etc/file
filebeat/ filesystems
[root@localhost opt]# ls /etc/filebeat/filebeat.
filebeat.full.yml filebeat.template-es2x.json filebeat.template-es6x.json filebeat.template.json filebeat.yml
[root@localhost opt]# ls /etc/filebeat/filebeat.yml
/etc/filebeat/filebeat.yml
[root@localhost opt]# cat /etc/filebeat/filebeat.yml
filebeat:
  prospectors:
    - input_type: log
      paths:
        - "/var/ossec/logs/alerts/alerts.json"
      document_type: json
      json.message_key: log
      json.keys_under_root: true
      json.overwrite_keys: true

output:
  logstash:
    # The Logstash hosts
    hosts: ["YOUR_ELASTIC_SERVER_IP:5000"]
    # ssl:
      # certificate_authorities: ["/etc/filebeat/logstash.crt"]
  • Change elastic_server_ip

[root@localhost opt]# vi /etc/filebeat/filebeat.yml

filebeat:
  prospectors:
    - input_type: log
      paths:
        - "/var/ossec/logs/alerts/alerts.json"
      document_type: json
      json.message_key: log
      json.keys_under_root: true
      json.overwrite_keys: true

output:
  logstash:
    # The Logstash hosts
    hosts: ["192.168.1.43:5000"]
    # ssl:
      # certificate_authorities: ["/etc/filebeat/logstash.crt"]
  • Add the Filebeat service and start it
[root@localhost opt]# chkconfig --add filebeat
[root@localhost opt]# service filebeat start
Starting filebeat: 2017/08/01 10:06:00.996092 beat.go:285: INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017/08/01 10:06:00.996210 beat.go:186: INFO Setup Beat: filebeat; Version: 5.5.1
2017/08/01 10:06:00.996254 metrics.go:23: INFO Metrics logging every 30s
2017/08/01 10:06:00.996500 logstash.go:90: INFO Max Retries set to: 3
2017/08/01 10:06:00.996763 outputs.go:108: INFO Activated logstash as output plugin.
2017/08/01 10:06:00.997506 publish.go:295: INFO Publisher name: localhost.localdomain
2017/08/01 10:06:01.008432 async.go:63: INFO Flush Interval set to: 1s
2017/08/01 10:06:01.008471 async.go:64: INFO Max Bulk Size set to: 2048
Config OK
[确定]

Install Elastic Stack

Install the Java JRE (a required dependency of Logstash and Elasticsearch)

[root@localhost ~]# cd /opt/
[root@localhost opt]# ls
[root@localhost opt]# curl -Lo jre-8-linux-x64.rpm --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u144-b01/090f390dda5b47b9b721c7dfaa008135/jre-8u144-linux-x64.rpm"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 56.4M 100 56.4M 0 0 20.1M 0 0:00:02 0:00:02 --:--:-- 23.3M
[root@localhost opt]# ll
总用量 57832
-rw-r--r--. 1 root root 59219102 8月 22 14:45 jre-8-linux-x64.rpm
[root@localhost opt]# rpm -qlp jre-8-linux-x64.rpm > /dev/null 2>&1 && echo "Java package downloaded successfully" || echo "Java package did not download successfully"
Java package downloaded successfully
[root@localhost opt]# yum install jre-8-linux-x64.rpm
已加载插件:fastestmirror
设置安装进程
诊断 jre-8-linux-x64.rpm: jre1.8.0_144-1.8.0_144-fcs.x86_64
jre-8-linux-x64.rpm 将被安装
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:00
extras | 3.4 kB 00:00
extras/primary_db | 29 kB 00:01
updates | 3.4 kB 00:00
updates/primary_db | 2.5 MB 00:05
解决依赖关系
--> 执行事务检查
---> Package jre1.8.0_144.x86_64 0:1.8.0_144-fcs will be 安装
--> 完成依赖关系计算

依赖关系解决

================================================================================================================================================
软件包 架构 版本 仓库 大小
================================================================================================================================================
正在安装:
jre1.8.0_144 x86_64 1.8.0_144-fcs /jre-8-linux-x64 133 M

事务概要
================================================================================================================================================
Install 1 Package(s)

总文件大小:133 M
Installed size: 133 M
确定吗?[y/N]:y
下载软件包:
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
正在安装 : jre1.8.0_144-1.8.0_144-fcs.x86_64 1/1
Unpacking JAR files...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
Verifying : jre1.8.0_144-1.8.0_144-fcs.x86_64 1/1

已安装:
jre1.8.0_144.x86_64 0:1.8.0_144-fcs

完毕!
[root@localhost opt]# rm jre-8-linux-x64.rpm
rm:是否删除普通文件 "jre-8-linux-x64.rpm"?y
[root@localhost opt]# ls
[root@localhost opt]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
[root@localhost opt]# ls
[root@localhost opt]# cat > /etc/yum.repos.d/elastic.repo << EOF
> [elastic-5.x]
> name=Elastic repository for 5.x packages
> baseurl=https://artifacts.elastic.co/packages/5.x/yum
> gpgcheck=1
> gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
> enabled=1
> autorefresh=1
> type=rpm-md
> EOF

Install Elasticsearch

[root@localhost opt]# yum install elasticsearch
已加载插件:fastestmirror
设置安装进程
Determining fastest mirrors
* base: mirrors.btte.net
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirror.bit.edu.cn
elastic-5.x | 1.3 kB 00:00
elastic-5.x/primary | 86 kB 00:00
elastic-5.x 218/218
解决依赖关系
--> 执行事务检查
---> Package elasticsearch.noarch 0:5.5.2-1 will be 安装
--> 完成依赖关系计算

依赖关系解决

================================================================================================================================================
软件包 架构 版本 仓库 大小
================================================================================================================================================
正在安装:
elasticsearch noarch 5.5.2-1 elastic-5.x 32 M

事务概要
================================================================================================================================================
Install 1 Package(s)

总下载量:32 M
Installed size: 36 M
确定吗?[y/N]:y
下载软件包:
elasticsearch-5.5.2.rpm | 32 MB 09:03
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
Creating elasticsearch group... OK
Creating elasticsearch user... OK
正在安装 : elasticsearch-5.5.2-1.noarch 1/1
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using chkconfig
sudo chkconfig --add elasticsearch
### You can start elasticsearch service by executing
sudo service elasticsearch start
Verifying : elasticsearch-5.5.2-1.noarch 1/1

已安装:
elasticsearch.noarch 0:5.5.2-1

完毕!
[root@localhost opt]# chkconfig --add elasticsearch
[root@localhost opt]# service elasticsearch start
正在启动 elasticsearch: [确定]
[root@localhost opt]# curl https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/master/server/startup/integration_files/template_file.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15547 100 15547 0 0 16125 0 --:--:-- --:--:-- --:--:-- 40592
{"acknowledged":true}[root@localhost opt]# ls
[root@localhost opt]# ls
[root@localhost opt]# curl https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/master/server/startup/integration_files/alert_sample.json | curl -XPUT "http://localhost:9200/wazuh-alerts-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
102 1432 102 1432 0 0 1567 0 --:--:-- --:--:-- --:--:-- 4937
{"_index":"wazuh-alerts-2017.08.22","_type":"wazuh","_id":"sample","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"created":true}[root@localhost opt]#
[root@localhost opt]#

It is recommended to edit the default configuration to improve Elasticsearch performance. To do so, see Elasticsearch tuning: https://documentation.wazuh.com/current/installation-guide/optional-configurations/elastic-tuning.html#elastic-tuning

Install Logstash

Logstash is the tool that collects, parses and forwards all logs generated by the Wazuh server to Elasticsearch for indexing and storage. For more information, see Logstash: https://www.elastic.co/products/logstash

[root@localhost opt]# yum install logstash
已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
* base: mirrors.btte.net
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirror.bit.edu.cn
解决依赖关系
--> 执行事务检查
---> Package logstash.noarch 1:5.5.2-1 will be 安装
--> 完成依赖关系计算

依赖关系解决

================================================================================================================================================
软件包 架构 版本 仓库 大小
================================================================================================================================================
正在安装:
logstash noarch 1:5.5.2-1 elastic-5.x 90 M

事务概要
================================================================================================================================================
Install 1 Package(s)

总下载量:90 M
Installed size: 169 M
确定吗?[y/N]:y
下载软件包:
logstash-5.5.2.rpm | 90 MB 33:26
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
正在安装 : 1:logstash-5.5.2-1.noarch 1/1
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash
Verifying : 1:logstash-5.5.2-1.noarch 1/1

已安装:
logstash.noarch 1:5.5.2-1

完毕!
[root@localhost opt]# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/logstash/01-wazuh.conf
[root@localhost opt]# curl -so /etc/logstash/wazuh-elastic5-template.json https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/elasticsearch/wazuh-elastic5-template.json
[root@localhost opt]# /usr/share/logstash/bin/system-install
Successfully created system startup script for Logstash
[root@localhost opt]# chkconfig --add logstash
在 logstash 服务中读取信息时出错:没有那个文件或目录
[root@localhost opt]# ls /etc/init.d/
auditd functions iptables killall netconsole postfix rsyslog single
crond halt jexec mdmonitor netfs rdisc sandbox sshd
elasticsearch ip6tables kdump messagebus network restorecond saslauthd udev-post
[root@localhost opt]# /usr/share/logstash/bin/system-install /etc/logstash/startup.options sysv
Using provided startup.options file: /etc/logstash/startup.options
Manually creating startup for specified platform: sysv
Successfully created system startup script for Logstash
[root@localhost opt]# chkconfig --add logstash
[root@localhost opt]# service logstash start
logstash started

Setting up SSL for Filebeat and Logstash

Because the Wazuh server and the Elastic Stack server are deployed as a distributed architecture, SSL encryption must be configured between Filebeat and Logstash.

[root@localhost opt]# cp /etc/pki/tls/openssl.cnf custom_openssl.cnf

vi custom_openssl.cnf
Find the [ v3_ca ] section and add a line with the Elastic server's IP address below it:

[ v3_ca ]
subjectAltName = IP: 192.168.106.43

[root@localhost opt]# openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout /etc/logstash/logstash.key -out /etc/logstash/logstash.crt -config custom_openssl.cnf
Generating a 2048 bit RSA private key
.................+++
.....+++
writing new private key to '/etc/logstash/logstash.key'
-----
[root@localhost opt]# rm custom_openssl.cnf
rm:是否删除普通文件 "custom_openssl.cnf"?y

Configure the Logstash server. At this point the server should have the certificate /etc/logstash/logstash.crt and the private key /etc/logstash/logstash.key.

vi /etc/logstash/conf.d/01-wazuh.conf

input {
  beats {
    port => 5000
    codec => "json_lines"
    # ssl => true
    # ssl_certificate => "/etc/logstash/logstash.crt"
    # ssl_key => "/etc/logstash/logstash.key"
  }
}

Change it to

input {
  beats {
    port => 5000
    codec => "json_lines"
    ssl => true
    ssl_certificate => "/etc/logstash/logstash.crt"
    ssl_key => "/etc/logstash/logstash.key"
  }
}
Restart Logstash
[root@localhost opt]# service logstash restart
logstash started

Configure Filebeat

Now we configure Filebeat to authenticate the Logstash server.
Using scp requires openssh-clients on both servers, so yum -y install openssh-clients has to be run on each of the two servers.

[root@localhost ~]# yum -y install openssh-clients
已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
解决依赖关系
--> 执行事务检查
---> Package openssh-clients.x86_64 0:5.3p1-122.el6 will be 安装
--> 处理依赖关系 openssh = 5.3p1-122.el6,它被软件包 openssh-clients-5.3p1-122.el6.x86_64 需要
--> 处理依赖关系 libedit.so.0()(64bit),它被软件包 openssh-clients-5.3p1-122.el6.x86_64 需要
--> 执行事务检查
---> Package libedit.x86_64 0:2.11-4.20080712cvs.1.el6 will be 安装
---> Package openssh.x86_64 0:5.3p1-111.el6 will be 升级
--> 处理依赖关系 openssh = 5.3p1-111.el6,它被软件包 openssh-server-5.3p1-111.el6.x86_64 需要
---> Package openssh.x86_64 0:5.3p1-122.el6 will be an update
--> 执行事务检查
---> Package openssh-server.x86_64 0:5.3p1-111.el6 will be 升级
---> Package openssh-server.x86_64 0:5.3p1-122.el6 will be an update
--> 完成依赖关系计算

依赖关系解决

================================================================================================================================================
软件包 架构 版本 仓库 大小
================================================================================================================================================
正在安装:
openssh-clients x86_64 5.3p1-122.el6 base 443 k
为依赖而安装:
libedit x86_64 2.11-4.20080712cvs.1.el6 base 74 k
为依赖而更新:
openssh x86_64 5.3p1-122.el6 base 277 k
openssh-server x86_64 5.3p1-122.el6 base 329 k

事务概要
================================================================================================================================================
Install 2 Package(s)
Upgrade 2 Package(s)

总下载量:1.1 M
下载软件包:
(1/4): libedit-2.11-4.20080712cvs.1.el6.x86_64.rpm | 74 kB 00:00
(2/4): openssh-5.3p1-122.el6.x86_64.rpm | 277 kB 00:00
(3/4): openssh-clients-5.3p1-122.el6.x86_64.rpm | 443 kB 00:00
(4/4): openssh-server-5.3p1-122.el6.x86_64.rpm | 329 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------
总计 414 kB/s | 1.1 MB 00:02
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
正在升级 : openssh-5.3p1-122.el6.x86_64 1/6
正在安装 : libedit-2.11-4.20080712cvs.1.el6.x86_64 2/6
正在安装 : openssh-clients-5.3p1-122.el6.x86_64 3/6
正在升级 : openssh-server-5.3p1-122.el6.x86_64 4/6
清理 : openssh-server-5.3p1-111.el6.x86_64 5/6
清理 : openssh-5.3p1-111.el6.x86_64 6/6
Verifying : openssh-server-5.3p1-122.el6.x86_64 1/6
Verifying : libedit-2.11-4.20080712cvs.1.el6.x86_64 2/6
Verifying : openssh-5.3p1-122.el6.x86_64 3/6
Verifying : openssh-clients-5.3p1-122.el6.x86_64 4/6
Verifying : openssh-5.3p1-111.el6.x86_64 5/6
Verifying : openssh-server-5.3p1-111.el6.x86_64 6/6

已安装:
openssh-clients.x86_64 0:5.3p1-122.el6

作为依赖被安装:
libedit.x86_64 0:2.11-4.20080712cvs.1.el6

作为依赖被升级:
openssh.x86_64 0:5.3p1-122.el6 openssh-server.x86_64 0:5.3p1-122.el6

完毕!

The following is run on the Filebeat side, that is, on the Wazuh server.

[root@localhost ~]# scp [email protected]:/etc/logstash/logstash.crt /etc/filebeat
[email protected]'s password:
logstash.crt

vi /etc/filebeat/filebeat.yml

Change

output:
  logstash:
    # The Logstash hosts
    hosts: ["192.168.106.43:5000"]
    # ssl:
      # certificate_authorities: ["/etc/filebeat/logstash.crt"]

to

output:
  logstash:
    hosts: ["192.168.106.43:5000"]
    ssl:
      certificate_authorities: ["/etc/filebeat/logstash.crt"]
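As an added example (not the post's own commands), the certificate step above and the Filebeat trust setting can be checked end to end: a minimal openssl config carrying the same subjectAltName line under [ v3_ca ], the same openssl req invocation, and a check that the certificate listed under certificate_authorities validates the one Logstash serves. The function names and the minimal config are my own; 192.168.106.43 is the post's Elastic server address and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on the Elastic server:
#   write_openssl_cnf custom_openssl.cnf 192.168.106.43
#   make_logstash_cert custom_openssl.cnf /etc/logstash/logstash.key /etc/logstash/logstash.crt
#   cert_san /etc/logstash/logstash.crt        # expect IPAddress:192.168.106.43
#   filebeat_trusts /etc/logstash/logstash.crt /etc/logstash/logstash.crt && echo trusted
set -e

# Write a minimal openssl config with the IP SAN, instead of copying and
# editing /etc/pki/tls/openssl.cnf by hand as the post does. Filebeat (Go TLS)
# matches the host it connects to against the SAN, not the CN, so a cert
# without the IP entry is rejected even if Filebeat trusts it.
# $1 = output config path, $2 = Logstash/Elastic server IP
write_openssl_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = logstash

[ v3_ca ]
basicConstraints = CA:true
subjectAltName = IP:$2
EOF
}

# Generate the key and self-signed certificate with the same openssl
# invocation as the post (10-year validity, 2048-bit RSA, unencrypted key).
# $1 = config, $2 = key output path, $3 = certificate output path
make_logstash_cert() {
    openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# Print the SAN entry of a certificate with spaces removed,
# e.g. "IPAddress:192.168.106.43".
# $1 = certificate path
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Return 0 if the CA file Filebeat lists under ssl.certificate_authorities
# validates the certificate Logstash presents. With the self-signed cert
# from the post these are the same file.
# $1 = CA file copied to /etc/filebeat, $2 = certificate Logstash serves
filebeat_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```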

Restart Filebeat

[root@localhost ~]# service filebeat restart
2017/08/23 03:36:41.485699 beat.go:285: INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017/08/23 03:36:41.485822 beat.go:186: INFO Setup Beat: filebeat; Version: 5.5.1
2017/08/23 03:36:41.485956 metrics.go:23: INFO Metrics logging every 30s
2017/08/23 03:36:41.488062 logstash.go:90: INFO Max Retries set to: 3
2017/08/23 03:36:41.488281 outputs.go:108: INFO Activated logstash as output plugin.
2017/08/23 03:36:41.489904 publish.go:295: INFO Publisher name: localhost.localdomain
2017/08/23 03:36:41.508442 async.go:63: INFO Flush Interval set to: 1s
2017/08/23 03:36:41.508504 async.go:64: INFO Max Bulk Size set to: 2048
Config OK
Stopping filebeat: [确定]
Starting filebeat: 2017/08/23 03:36:41.654868 beat.go:285: INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017/08/23 03:36:41.654971 beat.go:186: INFO Setup Beat: filebeat; Version: 5.5.1
2017/08/23 03:36:41.655207 metrics.go:23: INFO Metrics logging every 30s
2017/08/23 03:36:41.656127 logstash.go:90: INFO Max Retries set to: 3
2017/08/23 03:36:41.656311 outputs.go:108: INFO Activated logstash as output plugin.
2017/08/23 03:36:41.656522 publish.go:295: INFO Publisher name: localhost.localdomain
2017/08/23 03:36:41.657083 async.go:63: INFO Flush Interval set to: 1s
2017/08/23 03:36:41.657125 async.go:64: INFO Max Bulk Size set to: 2048
Config OK
[确定]

Install Kibana

[root@localhost opt]# yum install kibana
已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
* base: mirror.bit.edu.cn
* extras: mirror.bit.edu.cn
* updates: mirror.bit.edu.cn
解决依赖关系
--> 执行事务检查
---> Package kibana.x86_64 0:5.5.2-1 will be 安装
--> 完成依赖关系计算

依赖关系解决

================================================================================================================================================
软件包 架构 版本 仓库 大小
================================================================================================================================================
正在安装:
kibana x86_64 5.5.2-1 elastic-5.x 50 M

事务概要
================================================================================================================================================
Install 1 Package(s)

总下载量:50 M
Installed size: 191 M
确定吗?[y/N]:y
下载软件包:
kibana-5.5.2-x86_64.rpm | 50 MB 16:47
运行 rpm_check_debug
执行事务测试
事务测试成功
执行事务
正在安装 : kibana-5.5.2-1.x86_64 1/1
Verifying : kibana-5.5.2-1.x86_64 1/1

已安装:
kibana.x86_64 0:5.5.2-1

完毕!
[root@localhost opt]# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Transferring 24560704 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete

vi /etc/kibana/kibana.yml


#server.host: "localhost"

Change it to
server.host: "0.0.0.0"

It is recommended to set up an Nginx proxy for Kibana in order to use SSL encryption and to enable authentication. Instructions for setting up the proxy can be found at Setting up SSL and authentication for Kibana: https://documentation.wazuh.com/current/installation-guide/optional-configurations/kibana_ssl.html#kibana-ssl

Restart Kibana

[root@localhost opt]# chkconfig --add kibana
[root@localhost opt]# service kibana start
kibana started

Connect the Wazuh App through the API

Accessing Kibana at 192.168.106.43:5601 failed. Checking the local ports showed it already listening on 0.0.0.0:5601, so the firewall was turned off.

[root@localhost opt]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 27473/node
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 27360/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 5748/master
tcp 0 0 ::ffff:127.0.0.1:9200 :::* LISTEN 26585/java
tcp 0 0 ::1:9200 :::* LISTEN 26585/java
tcp 0 0 ::ffff:127.0.0.1:9300 :::* LISTEN 26585/java
tcp 0 0 ::1:9300 :::* LISTEN 26585/java
tcp 0 0 :::22 :::* LISTEN 27360/sshd
tcp 0 0 ::1:25 :::* LISTEN 5748/master
[root@localhost opt]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost opt]# service iptables stop
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则: [确定]
iptables:正在卸载模块: [确定]
  • Open the interface
    [image: Kibana default home page]

  • Click the "Wazuh" button
    [image: Kibana Wazuh button]

  • Click "ADD NEW API"
    [image: kibana add new api]

Welcome to the Wazuh App for Kibana 5
The Wazuh App brings together a new and useful web interface for managing and monitoring your Wazuh infrastructure. You can check agent status, alert evolution, most recent events, popular alerts, top alert groups, etc. You can also display configuration and logs of the manager.

In addition, make use of any or all of these extensions:

Linux Audit system integration.
PCI DSS Compliance.
OpenSCAP security compliance and vulnerability assessments.
The app joins Wazuh features like: Log management and analysis, file integrity monitoring, intrusion and anomaly detection and policy and compliance monitoring.

Help us to improve this app. We would appreciate your feedback. Collaborate with us on the Mailing Lists and/or the Wazuh App Github repository


Please enter your Wazuh RESTful API credentials at the form below to begin.

See the introduction above for Wazuh's main features and extensions. In the new version the top navigation is split into three pages: API, extensions and about.

  • Preparation before adding the API

Before filling in the username, password, URL and port, first go to the Wazuh server host and generate non-default credentials with the following commands to protect the Wazuh API.

[root@localhost ~]# cd /var/ossec/api/configuration/auth/
[root@localhost auth]# ls
htpasswd user
[root@localhost auth]# sudo node htpasswd -c user wazuh-api
New password:
Re-type new password:
Adding password for user wazuh-api.
[root@localhost auth]# ll
总用量 4
lrwxrwxrwx. 1 root root 49 8月 1 15:12 htpasswd -> /var/ossec/api/node_modules/htpasswd/bin/htpasswd
-rwxr-x---. 1 root root 48 8月 23 17:47 user
[root@localhost auth]# service wazuh-api restart
WAZUH-API stopped.
WAZUH-API started.

You can open the API in a browser first to check whether authentication works.
[image: wazuh-api-credentials]

  • Fill in the API fields: an error is shown
    [image: wazuh-add-api-error]

The official mailing list explains this bug:
https://groups.google.com/forum/#!msg/wazuh/kBVoD-X7xX4/vpDOHjKhCQAJ

  • Fix the v2.0 bug
yum upgrade wazuh-manager
yum upgrade wazuh-api

The discussion on the official list says the version-comparison logic had an error, among other issues; it is fixed in the new version, so upgrading is enough.
[image: wazuh-api-add-success]

Install the agent

This one is straightforward:
https://documentation.wazuh.com/current/installation-guide/installing-wazuh-agent/index.html

Register the agent

Manager (server) side

  • SSL certificate
[root@localhost db]# openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert
Generating a 2048 bit RSA private key
...............................+++
.........+++
writing new private key to '/var/ossec/etc/sslmanager.key'
-----
  • Start the ossec-authd service
[root@localhost db]# /var/ossec/bin/
agent_control ossec-analysisd ossec-execd ossec-luac ossec-remoted syscheck_update
clear_stats ossec-authd ossec-integratord ossec-maild ossec-reportd update_ruleset.py
list_agents ossec-control ossec-logcollector ossec-makelists ossec-syscheckd util.sh
manage_agents ossec-csyslogd ossec-logtest ossec-monitord rootcheck_control verify-agent-conf
ossec-agentlessd ossec-dbd ossec-lua ossec-regex syscheck_control wazuh-modulesd
[root@localhost db]# /var/ossec/bin/ossec-authd
[root@localhost db]#

agent-auth (client side)

  • Register the client with the server IP
[root@localhost ~]# /var/ossec/bin/agent-auth -m 192.168.106.42
2017/08/28 14:54:58 agent-auth: INFO: Started (pid: 6235).
WARN: No authentication password provided.
INFO: Connected to 192.168.106.42:1515
INFO: Using agent name as: localhost.localdomain
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
INFO: Connection closed.

Check whether it succeeded

  • Server side
[root@localhost db]# cat /var/ossec/etc/client.keys
001 localhost.localdomain any 5e7168616c858ef0d9a8c1737359825e72c17bf3a9575ed9f696e4b30masaike
[root@localhost db]# /var/ossec/bin/agent_control -l
  • Agent side
[root@localhost ~]# cat /var/ossec/etc/client.keys
001 localhost.localdomain any 5e7168616c858ef0d9a8c1737359825e72c17bf3a9575ed9f696e4b30masaike

Connect to the manager

  • /var/ossec/etc/ossec.conf

<ossec_config>
  <client>
    <server-ip>MANAGER_IP</server-ip>
    <config-profile>centos, centos6</config-profile>
    <protocol>udp</protocol>
  </client>

Change it to

<ossec_config>
  <client>
    <server-ip>192.168.106.42</server-ip>
    <config-profile>centos, centos6</config-profile>
    <protocol>udp</protocol>
  </client>
  • Start (restart) wazuh-agent
[root@localhost ~]# service wazuh-agent start
Starting OSSEC: 2017/08/28 15:19:09 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
[ OK ]

However, on the agents page of the Wazuh dashboard you will see that the IP of the machine that connected is shown as any. This is because /var/ossec/bin/ossec-authd, started with its defaults, registers any as the connection IP. On the server, kill the ossec-authd process and start it with /var/ossec/bin/ossec-authd -i instead. Then delete the already registered agent on the server with /var/ossec/bin/manage_agents; on the agent, delete the record in /var/ossec/etc/client.keys, register again with /var/ossec/bin/agent-auth -m 192.168.106.42, and restart the agent.
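An added example, not from the original post, that audits client.keys for the situation just described: agents registered with source IP any rather than a specific address, plus the agent-side record removal the fix calls for. The file format (ID NAME IP KEY, one agent per line) is the one shown in the cat output above; the sample entries in the test are constructed and the keys are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on the manager or agent:
#   agents_bound_to_any /var/ossec/etc/client.keys
#   all_agents_ip_bound /var/ossec/etc/client.keys && echo "no 'any' agents"
#   remove_agent /var/ossec/etc/client.keys 001   # agent side, before re-registering

# Print "ID NAME" for every agent whose IP field is "any", i.e. one that was
# registered while ossec-authd ran without -i and so will be accepted from
# any source address.
# $1 = path to client.keys
agents_bound_to_any() {
    awk '$3 == "any" { print $1, $2 }' "$1"
}

# Print "ID NAME IP" for every registered agent, for comparison with the
# agents page of the Wazuh app.
# $1 = path to client.keys
list_agents() {
    awk 'NF >= 4 { print $1, $2, $3 }' "$1"
}

# Return 0 if every registered agent is bound to a specific IP, 1 otherwise.
# $1 = path to client.keys
all_agents_ip_bound() {
    [ -z "$(agents_bound_to_any "$1")" ]
}

# Drop one agent's record from client.keys in place, keeping the file's
# owner and mode (the file is written through, not replaced). On the manager
# use manage_agents as the post does; this is the agent-side step.
# $1 = path to client.keys, $2 = agent ID (e.g. 001)
remove_agent() {
    tmp="$1.tmp"
    awk -v id="$2" '$1 != id' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}
```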