Installing the New Wazuh version 4.4 — The SOCFortress Way

SOCFortress
8 min read · May 22, 2023


Learn how to deploy the latest version of the Wazuh-Manager, Wazuh-Indexer with full Graylog integration.

INTRO

Are you ready to fortify your security operations with the latest advancements in threat detection and response? Look no further! In this blog post, we dive into the exciting world of Wazuh version 4.4 installation and introduce you to the SOCFortress way. With the ever-evolving threat landscape, it’s crucial to stay one step ahead. Join us as we detail installing and configuring all things Wazuh with Graylog integration.

Notable Mentions

Some highlights that I want to note prior to beginning the installation process.

1️⃣ IPv6 support

2️⃣ Vulnerability detection support for SUSE agents

3️⃣ The Wazuh-Indexer and Wazuh-Dashboard have been bumped to OpenSearch 2.4.1. RELEASE NOTES

GRAYLOG MUST BE ON VERSION 5.x. LOWER VERSIONS OF GRAYLOG DO NOT SUPPORT OPENSEARCH VERSIONS 2.x

Installation Order

While deploying the tools in the following order is not mandatory, I find it beneficial. Click on the links below to explore the specific purposes of each tool in greater detail.

1️⃣ Wazuh Indexer — What the hell is a Wazuh-Indexer?

2️⃣ Wazuh Dashboard

3️⃣ Graylog — Why do I want gray logs?

4️⃣ Wazuh Manager — Who decided you were the manager?

Wazuh Indexer Install

To deploy the new Wazuh-Indexer 4.4 release, follow the below steps.

Install Prerequisites

apt-get install debconf adduser procps
apt-get install gnupg apt-transport-https

Install GPG Key and Add repo

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Install

apt-get update
apt-get -y install wazuh-indexer

Certificate Deployment

Deploy certificates for encryption and security.

1. Collect the SOCFortress modified version of the wazuh-certs-tool.sh script.

wget https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/wazuh-certs-tool.sh -q -O /tmp/wazuh-certs-tool.sh
wget https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/config.yml -q -O /tmp/config.yml

2. Update the /tmp/config.yml file to fit your hostname and IP.

3. Run the /tmp/wazuh-certs-tool.sh -A script to generate the certificates.

4. Obtain the value of the CN of the hostname.pem certificate generated in /tmp/wazuh-certificates and keep it in a variable for the next step.

openssl x509 -in /tmp/wazuh-certificates/wazuh-indexer01.socfortress.demo.pem -text -noout
NODE_NAME=wazuh-indexer01.socfortress.demo

5. Copy certs into /etc/wazuh-indexer/certs

  • mkdir /etc/wazuh-indexer/certs
  • cd /tmp/wazuh-certificates
  • cp ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem /etc/wazuh-indexer/certs/
  • mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
  • mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem

6. Set ownership and permissions

  • chmod 500 /etc/wazuh-indexer/certs
  • chmod 400 /etc/wazuh-indexer/certs/*
  • chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Wazuh Indexer Configuration

  1. network.host: Sets the address of this node for both HTTP and transport traffic. The node will bind to this address and will also use it as its publish address. Accepts an IP address or a hostname. Use the same node address set in config.yml to create the SSL certificates.
  2. node.name: Name of the Wazuh indexer node as defined in the config.yml file. For example, node-1.
  3. cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are defined in the config.yml file. Uncomment the node-2 and node-3 lines, change the names, or add more lines, according to your config.yml definitions.
  4. discovery.seed_hosts: List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. You may leave this setting commented if you are configuring the Wazuh indexer as a single-node. For multi-node configurations, uncomment this setting and set your master-eligible nodes addresses.
  5. plugins.security.nodes_dn: List of the Distinguished Names of the certificates of all the Wazuh indexer cluster nodes. Uncomment the lines for node-2 and node-3, and change the common names (CN) and values according to your settings and your config.yml definitions.
Example /etc/wazuh-indexer/opensearch.yml using the SOCFortress demo values:

network.host: "0.0.0.0"
node.name: "wazuh-indexer01.socfortress.demo"
cluster.initial_master_nodes:
- "wazuh-indexer01.socfortress.demo"
cluster.name: "socfortress_demo"
discovery.seed_hosts:
- "wazuh-indexer01.socfortress.demo"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

bootstrap.memory_lock: true

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=SOCFortress,O=SOCFortress,L=Texas,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh-indexer01.socfortress.demo,OU=SOCFortress,O=SOCFortress,L=Texas,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
### SOCFortress comments out due to: https://community.graylog.org/t/elasticsearch-exception-reason-key-types-is-not-supported-in-the-metadata-section/27468/6
#compatibility.override_main_response_version: true
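The plugins.security.nodes_dn and plugins.security.authcz.admin_dn entries above must carry the exact subject DN of the certificates produced in the certificate step; a node whose DN is not listed is not accepted by the other nodes on the transport layer. The following is an added example (SOCFortress's own tooling does not include it) that normalises the subject line openssl prints into the one-line form the config uses and checks that it is present under nodes_dn. The subject line and config excerpt inside are constructed samples; on a real node feed it the output of `openssl x509 -in /etc/wazuh-indexer/certs/indexer.pem -noout -subject -nameopt RFC2253` and the real /etc/wazuh-indexer/opensearch.yml.

```shell
#!/bin/sh
# Added example, not part of the SOCFortress post: normalise the subject DN that
# openssl prints for a node certificate into the one-line form used by
# plugins.security.nodes_dn and plugins.security.authcz.admin_dn, then check
# that the DN is actually listed in opensearch.yml. The sample subject line and
# sample config below are constructed for the demonstration.
#
# On a real node, obtain the subject with:
#   openssl x509 -in /etc/wazuh-indexer/certs/indexer.pem -noout -subject -nameopt RFC2253

# normalize_dn: drop the "subject=" prefix and any spaces around '=' or after
# ',' so the result reads CN=...,OU=...,O=...,L=...,C=...
normalize_dn() {
    printf '%s\n' "$1" \
        | sed -e 's/^subject= *//' -e 's/ *= */=/g' -e 's/, */,/g'
}

# dn_listed: succeed (exit 0) when DN $1 appears as a quoted list item under
# "plugins.security.nodes_dn:" in the opensearch.yml read from stdin.
# Only the list items directly below that key are considered, so a DN that is
# listed under admin_dn but not under nodes_dn is reported as missing.
dn_listed() {
    awk '/^plugins\.security\.nodes_dn:/ { inside = 1; next }
         inside && /^[^ -]/          { inside = 0 }
         inside                      { print }' \
        | grep -Fq "\"$1\""
}

# check_node_cert: combine both steps and report the outcome. $1 is the raw
# openssl subject line; the config is read from stdin.
check_node_cert() {
    dn=$(normalize_dn "$1")
    if dn_listed "$dn"; then
        echo "OK: $dn is listed in plugins.security.nodes_dn"
        return 0
    fi
    echo "MISMATCH: $dn is not listed in plugins.security.nodes_dn" >&2
    return 1
}

# Constructed excerpt of /etc/wazuh-indexer/opensearch.yml (values from the post).
SAMPLE_CFG=$(cat <<'EOF'
node.name: "wazuh-indexer01.socfortress.demo"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=SOCFortress,O=SOCFortress,L=Texas,C=US"
plugins.security.nodes_dn:
- "CN=wazuh-indexer01.socfortress.demo,OU=SOCFortress,O=SOCFortress,L=Texas,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
EOF
)

# Constructed subject line in the spaced style some openssl builds print.
SAMPLE_SUBJECT='subject=CN = wazuh-indexer01.socfortress.demo, OU = SOCFortress, O = SOCFortress, L = Texas, C = US'

printf '%s\n' "$SAMPLE_CFG" | check_node_cert "$SAMPLE_SUBJECT"
```

Run the check once per node after copying the certificates and before starting the service; a MISMATCH at this point is far cheaper to fix than a cluster that never forms.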

Memory Locking

1. Uncomment or add this line to the /etc/wazuh-indexer/opensearch.yml file:

bootstrap.memory_lock: true

2. Edit the limit of system resources:

nano /usr/lib/systemd/system/wazuh-indexer.service

Add LimitMEMLOCK=infinity under the [Service] block.

3. Set JVM Options to 50% of total memory available

nano /etc/wazuh-indexer/jvm.options
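The heap is set through the -Xms and -Xmx flags in jvm.options. As an added example that is not part of the post or of Wazuh's tooling, the script below derives both values from the host's MemTotal using the 50% rule above, pins -Xms and -Xmx to the same number so the heap is never resized at runtime, and caps the result at 31 GB. The cap is an assumption taken from general JVM guidance (stay below 32 GB so the JVM keeps using compressed object pointers), not from the post; the 8 GiB fallback value is constructed so the example also runs on systems without /proc/meminfo.

```shell
#!/bin/sh
# Added example, not part of the SOCFortress post: derive the -Xms/-Xmx values
# for /etc/wazuh-indexer/jvm.options from the host's memory, following the
# "50% of total memory" rule in the post. Both flags are set to the same value
# so the heap is allocated once and never resized.
#
# The 31 GB ceiling is an assumption taken from general JVM guidance (stay
# below 32 GB so compressed object pointers remain in use); adjust it if your
# platform's guidance differs.

# heap_mb_from_total_kb: 50% of MemTotal ($1, in kB as /proc/meminfo reports
# it), rounded down to whole MB and capped at 31744 MB (31 GB).
heap_mb_from_total_kb() {
    total_kb=$1
    half_mb=$(( total_kb / 1024 / 2 ))
    cap_mb=$(( 31 * 1024 ))
    if [ "$half_mb" -gt "$cap_mb" ]; then
        half_mb=$cap_mb
    fi
    echo "$half_mb"
}

# jvm_heap_lines: print the two lines to place in jvm.options for a given
# MemTotal in kB.
jvm_heap_lines() {
    mb=$(heap_mb_from_total_kb "$1")
    printf '%s\n' "-Xms${mb}m" "-Xmx${mb}m"
}

# read_memtotal_kb: read MemTotal from /proc/meminfo on Linux; on systems
# without it fall back to a constructed 8 GiB value so the example still runs.
read_memtotal_kb() {
    if [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { print $2 }' /proc/meminfo
    else
        echo 8388608   # constructed: 8 GiB expressed in kB
    fi
}

# Print the lines for this host; paste them into /etc/wazuh-indexer/jvm.options
# in place of the existing -Xms/-Xmx entries.
jvm_heap_lines "$(read_memtotal_kb)"
```

Remember that the 50% rule leaves the other half for the operating system's page cache, which the indexer relies on for fast reads; giving the heap more than that tends to slow searches rather than speed them up.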

Start the Service

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Cluster Initialization

Run the indexer-security-init.sh script on any Wazuh indexer node to load the new certificate information and start the single-node or multi-node cluster.
> Note: You only have to initialise the cluster once; there is no need to run this command on every node. Make sure you run it on the same node where you generated the admin certificate.

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

Install Wazuh-Dashboard

Only needs to be installed on Wazuh-Indexer Node 01

1. Install Prerequisites:

apt-get install debhelper tar curl libcap2-bin -y
apt-get update

2. Install:

apt-get -y install wazuh-dashboard

Configure Wazuh-Dashboard

Configure certificates so that Wazuh-Dashboard service can connect to the Wazuh-Indexer cluster.

mkdir /etc/wazuh-dashboard/certs

cp /etc/wazuh-indexer/certs/indexer.pem /etc/wazuh-dashboard/certs/

cp /etc/wazuh-indexer/certs/indexer-key.pem /etc/wazuh-dashboard/certs/

cp /etc/wazuh-indexer/certs/root-ca.pem /etc/wazuh-dashboard/certs/

chmod 500 /etc/wazuh-dashboard/certs

chmod 400 /etc/wazuh-dashboard/certs/*

chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml to set configuration:

server.host: 0.0.0.0
server.port: 443
opensearch.hosts: ["https://wazuh-indexer01.socfortress.demo:9200"]
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/indexer-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/indexer.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

Start Wazuh-Dashboard

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

Securing The Cluster

Update the default passwords of the admin and wazuh-dashboard users.
On the Wazuh Indexer Node 01, use the Wazuh passwords tool to change the passwords of the Wazuh indexer users.

1. Run Script

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all

2. Change Wazuh Dashboard Password:
On your Wazuh dashboard node, run the following command to update the kibanaserver password in the Wazuh dashboard keystore. Replace <kibanaserver-password> with the random password generated in the first step.

echo <kibanaserver-password> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password

3. Restart the service

systemctl restart wazuh-dashboard

4. Create User

Create the graylog user and give it a backend role of admin

Configure Connection To Wazuh-Manager

In order to interact with the Wazuh API via the Wazuh-Dashboards, we need to configure our Wazuh-Dashboard service to connect to the Wazuh Master node’s API.

nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

BLOCK TO CHANGE

hosts:
  - default:
      url: https://*MASTER_NODE*
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false

Install Graylog

Now we will install Graylog Version 5.x and connect it to our Wazuh-Indexer.

GRAYLOG MUST BE ON VERSION 5.x. LOWER VERSIONS OF GRAYLOG DO NOT SUPPORT OPENSEARCH VERSIONS 2.x

Install MongoDB

apt-get install gnupg
wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add -
echo "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/6.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
apt-get update
apt-get install -y mongodb-org
systemctl daemon-reload
systemctl enable mongod.service
systemctl restart mongod.service
systemctl --type=service --state=active | grep mongod

Install Graylog

GRAYLOG MUST BE ON VERSION 5.x. LOWER VERSIONS OF GRAYLOG DO NOT SUPPORT OPENSEARCH VERSIONS 2.x

wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
apt-get update && sudo apt-get install graylog-server

Configure Graylog

Read the instructions within the configurations file and edit as needed, located at /etc/graylog/server/server.conf. Additionally, add password_secret and root_password_sha2 as these are mandatory and Graylog will not start without them.

To create your password_secret run the following command:

pwgen -N 1 -s 96

To create your root_password_sha2 run the following command:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Configure the Connection to your Wazuh-Indexer:

elasticsearch_hosts = https://user:pass@wazuh-indexerhostname:9200

JAVA 17 IS NOW BUNDLED WITH GRAYLOG AND IS NO LONGER NEEDED AS AN INDIVIDUAL INSTALL. Copy the bundled cacerts file and import root-ca.pem (the CA generated by wazuh-certs-tool.sh) into that Java keystore. Create /etc/graylog/server/certs and copy root-ca.pem from the indexer into it before running these commands, otherwise both of them fail.

cp -a /usr/share/graylog-server/jvm/lib/security/cacerts /etc/graylog/server/certs/cacerts
/usr/share/graylog-server/jvm/bin/keytool -importcert -keystore /etc/graylog/server/certs/cacerts -storepass changeit -alias root_ca -file /etc/graylog/server/certs/root-ca.pem
nano /etc/default/graylog-server
# Path to a custom java executable. By default the java executable of the
# bundled JVM is used.
#JAVA=/usr/bin/java

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow"

# Avoid endless loop with some TLSv1.3 implementations.
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true"

# Fix for log4j CVE-2021-44228
#GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true -Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacerts -Djavax.net.ssl.trustStorePassword=changeit"

# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_SERVER_ARGS=""

# Program that will be used to wrap the graylog-server command. Useful to
# support programs like authbind.
GRAYLOG_COMMAND_WRAPPER=""

systemctl start graylog-server

Install Wazuh-Manager

Installing version 4.4.x of the Wazuh-Manager

Install Prerequisites:

apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

Install Wazuh-Manager:

apt-get -y install wazuh-manager
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Forward Logs to Graylog:

curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh

Edit the /etc/fluent-bit/fluent-bit.conf to collect the alerts.json file and send it to Graylog:

[SERVICE]
    flush                    5
    daemon                   Off
    log_level                info
    parsers_file             parsers.conf
    plugins_file             plugins.conf
    http_server              Off
    http_listen              0.0.0.0
    http_port                2020
    storage.metrics          on
    storage.path             /var/log/flb-storage/
    storage.sync             normal
    storage.checksum         off
    storage.backlog.mem_limit 5M
    Log_File                 /var/log/td-agent-bit.log

[INPUT]
    name                     tail
    path                     /var/ossec/logs/alerts/alerts.json
    tag                      wazuh
    parser                   json
    Buffer_Max_Size          5MB
    Buffer_Chunk_Size        400k
    storage.type             filesystem
    Mem_Buf_Limit            512MB

[OUTPUT]
    Name                     tcp
    Host                     *your graylog host*
    Port                     *your graylog port*
    net.keepalive            off
    Match                    wazuh
    Format                   json_lines
    json_date_key            true

systemctl enable fluent-bit
systemctl start fluent-bit

❗ Now you need to configure Graylog extractors to parse your Wazuh events. Follow the Part 5. Intelligent SIEM Logging post for further instructions. ❗

Need Help?

The functionality discussed in this post, and so much more, are available via SOCFortress’s Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Professional Services: https://www.socfortress.co/ps.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).