Install Wazuh Open Source Security Analytics
Read Time:29 Minute, 58 Second

Install Wazuh Open Source Security Analytics

0 0
0 0


Wazuh OpenSource Security Analytics provides a production-ready setup to analyze your IT environment. It packs with a lot of features which intently need for critical business. Wazuh was born as a fork of OSSEC HIDS with rich web applications.

Wazuh is available for most operating systems like Linux, OpenBSD, macOS, Solaris, Windows and FreeBSD. In our guide, we will take you through how to guide on CentOS Linux server.

What are the features available in Wazuh?

  • Intrusion Detection
  • File Integrity Monitoring
  • Security Analytics
  • Log Data Analysis
  • Configuration Assessment
  • Vulnerability Detection
  • Incident Response
  • Cloud Security
  • Regulatory Compliance
  • Container Security

Operating System and Hostname

In our setup, we are using two servers. One will be installed with Wazuh Manager and another one will be used for elastic and Kibana.  | wazuh.linuxsysadmins.local      # Wazuh Manager  | elastic.linuxsysadmins.local    # Elastic server

We have a host entry in our DNS server.

[root@wazuh ~]# hostnamectl status
    Static hostname: localhost.localdomain
 Transient hostname: wazuh.linuxsysadmins.local
          Icon name: computer-vm
            Chassis: vm
         Machine ID: 36618758588646fb9bd7e5ceb0e73a70
            Boot ID: 39ebd50cc4fb4fdead23201f727910a9
     Virtualization: kvm
   Operating System: CentOS Linux 7 (Core)
        CPE OS Name: cpe:/o:centos:centos:7
             Kernel: Linux 3.10.0-1062.el7.x86_64
       Architecture: x86-64
[root@wazuh ~]#

To set up our Wazuh we are using with CentOS 7.7

[root@wazuh ~]# cat /etc/redhat-release 
 CentOS Linux release 7.7.1908 (Core)
[root@wazuh ~]# 

Required ports for Wazuh Manager

Let’s list out all required ports for Wazuh.

514/UDP/tcp     -  Syslog
1514/UDP/tcp    -  To get events from the agent.
1515/tcp        -  Port Used for agent Registration.
1516/tcp        -  Wazuh Cluster communications.
55000/tcp       -  Wazuh API port for incoming requests. 

Let’s add the firewall using the firewall-cmd command.

# firewall-cmd --permanent --add-port={514,1514,1515,1516,55000}/tcp
# firewall-cmd --permanent --add-port={514,1514}/udp
# firewall-cmd --reload
# firewall-cmd --list-all

Add both TCP and UDP ports.

SELinux Configuration

We are not going to disable SELinux at all.

[root@wazuh ~]# sestatus 
 SELinux status:                 enabled
 SELinuxfs mount:                /sys/fs/selinux
 SELinux root directory:         /etc/selinux
 Loaded policy name:             targeted
 Current mode:                   enforcing
 Mode from config file:          enforcing
 Policy MLS status:              enabled
 Policy deny_unknown status:     allowed
 Max kernel policy version:      31
[root@wazuh ~]#

Resolving dependencies

First of all, install the required development tools using Yum.

# yum -y install gcc gcc-c++ make policycoreutils-python automake autoconf libtool

We required more dependencies for CPython. Enable EPEL repo and install the required packages.

# yum install epel-release yum-utils -y
# yum-builddep python34 -y

We are good with the required dependencies.

   bluez-libs-devel.x86_64 0:5.44-5.el7           bzip2.x86_64 0:1.0.6-13.el7                       bzip2-devel.x86_64 0:1.0.6-13.el7               
   expat-devel.x86_64 0:2.1.0-10.el7_3            gcc-c++.x86_64 0:4.8.5-39.el7                     gdbm-devel.x86_64 0:1.10-8.el7                  
   gmp-devel.x86_64 1:6.0.0-15.el7                libX11-devel.x86_64 0:1.6.7-2.el7                 libffi-devel.x86_64 0:3.0.13-18.el7             
   mesa-libGL-devel.x86_64 0:18.3.4-6.el7_7       ncurses-devel.x86_64 0:5.9-14.20130511.el7_4      net-tools.x86_64 0:2.0-0.25.20131004git.el7     
   openssl-devel.x86_64 1:1.0.2k-19.el7           readline-devel.x86_64 0:6.2-11.el7                sqlite-devel.x86_64 0:3.7.17-8.el7_7.1          
   systemtap-sdt-devel.x86_64 0:4.0-10.el7_7      tcl-devel.x86_64 1:8.5.13-8.el7                   tix-devel.x86_64 1:8.4.3-12.el7                 
   tk-devel.x86_64 1:8.5.13-6.el7                 valgrind-devel.x86_64 1:3.14.0-16.el7             xz-devel.x86_64 0:5.2.2-1.el7                   
   zlib-devel.x86_64 0:1.2.7-18.el7              

Download and Install Wazuh

Download the latest packages of Wazuh from the Github repo.

# curl -Ls | tar zx

While we running the curl command it will extract the tar.gz file under the current location.

[root@wazuh ~]# ls
 anaconda-ks.cfg  wazuh-3.11.4
 [root@wazuh ~]# cd wazuh-3.11.4/
 [root@wazuh wazuh-3.11.4]# 
 [root@wazuh wazuh-3.11.4]# ls -lthr
 total 224K
 drwxrwxr-x.  6 root root   84 Feb 24 17:53 wodles
 -rwxrwxr-x.  1 root root  225 Feb 24 17:53
 drwxrwxr-x.  4 root root   53 Feb 24 17:53 tools
 drwxrwxr-x. 37 root root 4.0K Feb 24 17:53 src
 drwxrwxr-x.  2 root root   54 Feb 24 17:53 integrations
 -rwxrwxr-x.  1 root root  28K Feb 24 17:53
[root@wazuh wazuh-3.11.4]# 

To start the installation from the source run ./

  • Use your prefered language by choosing from the list.
  • Choose the kind of installation. We need a manager so type “manager”.
  • If you need to configure email notifications provide your email server/Relay details.
  • For remaining prompts provide “y” to use the default value.

This will take a few minutes to complete the installation.

[root@wazuh wazuh-3.11.4]# ./ 
 ** Para instalação em português, escolha [br].
   ** 要使用中文进行安装, 请选择 [cn].
   ** Für eine deutsche Installation, wählen Sie [de].
   ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
   ** For installation in English, choose [en].
   ** Para instalar en español, elija [es].
   ** Pour une installation en français, choisissez [fr]
   ** A Magyar nyelvű telepítéshez válassza [hu].
   ** Per l'installazione in Italiano, scegli [it].
   ** 日本語でインストールします.選択して下さい.[jp].
   ** Voor installatie in het Nederlands, kies [nl].
   ** Aby instalować w języku Polskim, wybierz [pl].
   ** Для инструкций по установке на русском ,введите [ru].
   ** Za instalaciju na srpskom, izaberi [sr].
   ** Türkçe kurulum için seçin [tr].
   (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
 Wazuh v3.11.4 (Rev. 31121) Installation Script -
 You are about to start the installation process of Wazuh.
  You must have a C compiler pre-installed in your system.
 System: Linux wazuh.linuxsysadmins.local 3.10.0-1062.el7.x86_64 (centos 7.7)
 User: root
 Host: wazuh.linuxsysadmins.local
 -- Press ENTER to continue or Ctrl-C to abort. -- 
 1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager
 Manager (server) installation chosen. 
 2- Setting up the installation environment.
 Choose where to install Wazuh [/var/ossec]: 
 Installation will be made at  /var/ossec . 
 3- Configuring Wazuh.
 3.1- Do you want e-mail notification? (y/n) [n]: y
 What's your e-mail address? admin@linuxsysadmins.local
 What's your SMTP server ip/host?
 3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
 Running syscheck (integrity check daemon).
 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
 Running rootcheck (rootkit detection).
 3.4- Do you want to run policy monitoring checks? (OpenSCAP) (y/n) [y]: y
 Running OpenSCAP (policy monitoring checks).
 3.5- Active response allows you to execute a specific
    command based on the events received.
    By default, no active responses are defined.
 Default white list for the active response:
 Do you want to add more IPs to the white list? (y/n)? [n]: y
 IPs (space separated):
 3.6- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
 Remote syslog enabled.
 3.7 - Do you want to run the Auth daemon? (y/n) [y]: y
 Running Auth daemon.
 3.8- Do you want to start Wazuh after the installation? (y/n) [y]: y
 Wazuh will start at the end of installation.
 3.9- Setting the configuration to analyze the following logs:
 -- /var/log/audit/audit.log
 -- /var/ossec/logs/active-responses.log
 -- /var/log/messages
 -- /var/log/secure
 -- /var/log/maillog
 If you want to monitor any other file, just change
 the ossec.conf and add a new localfile entry.
 Any questions about the configuration can be answered
 by visiting us online at
 --- Press ENTER to continue --- 
 4- Installing the system
 Running the Makefile 
 curl -so external/cJSON.tar.gz
 cd external && gunzip cJSON.tar.gz
 cd external && tar -xf cJSON.tar
 rm external/cJSON.tar
 curl -so external/cpython_amd64.tar.gz
 cd external && gunzip cpython_amd64.tar.gz
 cd external && tar -xf cpython_amd64.tar
 rm external/cpython_amd64.tar
 curl -so external/curl.tar.gz
 cd external && gunzip curl.tar.gz
 cd external && tar -xf curl.tar
 rm external/curl.tar
 curl -so external/libdb.tar.gz
 cd external && gunzip libdb.tar.gz
 cd external && tar -xf libdb.tar
 rm external/libdb.tar
 curl -so external/libffi.tar.gz
 Installed /var/ossec/framework/python/lib/python3.7/site-packages/wazuh-3.11.4-py3.7.egg
 Processing dependencies for wazuh==3.11.4
 Finished processing dependencies for wazuh==3.11.4
 Installing SCAP security policies…
 Generating self-signed certificate for ossec-authd…
 Building CDB lists…
 Created symlink from /etc/systemd/system/ to /etc/systemd/system/wazuh-manager.service.
 Starting Wazuh…
 Configuration finished properly.
 To start Wazuh:
   /var/ossec/bin/ossec-control start
 To stop Wazuh:
   /var/ossec/bin/ossec-control stop
 The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
 Thanks for using Wazuh.
 Please don't hesitate to contact us if you need help or find
 any bugs.
 Use our public Mailing List at:!forum/wazuh
 More information can be found at:
 ---  Press ENTER to finish (maybe more information below). ---
 In order to connect agent and server, you need to add each agent to the server.
 Run the 'manage_agents' to add or remove them:
 More information at: 
[root@wazuh wazuh-3.11.4]# 

We have truncated the long output.

Start and Enable service

Start and enable the Wazuh by running any one of below commands.

# /var/ossec/bin/ossec-control start
# systemctl start wazuh-manager
# systemctl enable wazuh-manager
[root@wazuh ~]# systemctl status wazuh-manager
 ● wazuh-manager.service - Wazuh manager
    Loaded: loaded (/etc/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
    Active: active (running) since Fri 2020-03-13 12:28:21 +04; 32min ago
   Process: 20862 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/wazuh-manager.service
            ├─20927 /var/ossec/bin/ossec-authd
            ├─20936 /var/ossec/bin/wazuh-db
            ├─20953 /var/ossec/bin/ossec-execd
            ├─20961 /var/ossec/bin/ossec-analysisd
            ├─20967 /var/ossec/bin/ossec-syscheckd
            ├─20976 /var/ossec/bin/ossec-remoted
            ├─20981 /var/ossec/bin/ossec-logcollector
            ├─20987 /var/ossec/bin/ossec-monitord
            └─20999 /var/ossec/bin/wazuh-modulesd
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started wazuh-db…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-execd…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-analysisd…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-syscheckd…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-remoted…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-logcollector…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started ossec-monitord…
 Mar 13 12:28:19 wazuh.linuxsysadmins.local env[20862]: Started wazuh-modulesd…
 Mar 13 12:28:21 wazuh.linuxsysadmins.local env[20862]: Completed.
 Mar 13 12:28:21 wazuh.linuxsysadmins.local systemd[1]: Started Wazuh manager.
[root@wazuh ~]#

Let’s follow with installing API for Wazuh.

Installing Wazuh API

Before starting with installing API, we need to resolve the dependencies.

# curl --silent --location | bash -
Installing the NodeSource Node.js 10.x repo…
 Inspecting system…
 rpm -q --whatprovides redhat-release || rpm -q --whatprovides centos-release || rpm -q --whatprovides cloudlinux-release || rpm -q --whatprovides sl-release
 uname -m 
 Confirming "el7-x86_64" is supported…
 curl -sLf -o /dev/null '' 
 Downloading release setup RPM…
 curl -sL -o '/tmp/tmp.UukGHctGkt' '' 
 Installing release setup RPM…
 rpm -i --nosignature --force '/tmp/tmp.UukGHctGkt' 
 Cleaning up…
 rm -f '/tmp/tmp.UukGHctGkt' 
 Checking for existing installations…
 rpm -qa 'node|npm' | grep -v nodesource 
 Run sudo yum install -y nodejs to install Node.js 10.x and npm.
 You may also need development tools to build native addons:
  sudo yum install gcc-c++ make
 To install the Yarn package manager, run:
  curl -sL | sudo tee /etc/yum.repos.d/yarn.repo  sudo yum install yarn
[root@wazuh ~]# 

Wazhu API required NodeJS greater than the 4.6.1 version.

# sudo yum install -y nodejs
# npm config set user 0
Installing : 2:nodejs-10.19.0-1nodesource.x86_64           1/1 
   Verifying  : 2:nodejs-10.19.0-1nodesource.x86_64           1/1 
     nodejs.x86_64 2:10.19.0-1nodesource                                                                                                                                                                                                                                           
[root@wazuh ~]#

By following install the yarn as stated from the above output. Yarn is a package manager for codes.

# curl -sL | sudo tee /etc/yum.repos.d/yarn.repo
# yum install yarn -y

Download and start the installation of Wazuh API.

# curl -s -o && bash ./ download

Output for reference

[root@wazuh ~]# curl -s -o && bash ./ download
 Wazuh API
 Downloading API from
 Installing Wazuh API 3.11.4
 Installing API ['/var/ossec/api'].
 Installing NodeJS modules.
 Installing service.
 Installing for systemd
 Created symlink from /etc/systemd/system/ to /etc/systemd/system/wazuh-api.service.
 API URL: http://host_ip:55000/
 user: 'foo'
 password: 'bar'
 Configuration: /var/ossec/api/configuration
 Test: curl -u foo:bar -k
 Note: You can configure the API executing /var/ossec/api/scripts/
 [API installed successfully]
[root@wazuh ~]#

Check the wazuh-api service by running systemctl command

# systemctl status wazuh-api
[root@wazuh ~]# systemctl status wazuh-api
 ● wazuh-api.service - Wazuh API daemon
    Loaded: loaded (/etc/systemd/system/wazuh-api.service; enabled; vendor preset: disabled)
    Active: active (running) since Fri 2020-03-13 13:57:00 +04; 1min 20s ago
  Main PID: 22619 (node)
    CGroup: /system.slice/wazuh-api.service
            └─22619 /usr/bin/node /var/ossec/api/app.js
 Mar 13 13:57:00 wazuh.linuxsysadmins.local systemd[1]: Started Wazuh API daemon.
[root@wazuh ~]#

Securing Wazuh API

The installation provides only with HTTP and defaults user “foo” and password as “bar”. Let’s configure to secure the API for secure communication by configuring https.

# /var/ossec/api/scripts/
[root@wazuh ~]# /var/ossec/api/scripts/
 Wazuh API Configuration
 TCP port [55000]: 
 Using TCP port 55000.
 Enable HTTPS and generate SSL certificate? [Y/n/s]: Y
 Step 1: Create key [Press Enter]
 Generating RSA private key, 2048 bit long modulus
 e is 65537 (0x10001)
 Enter pass phrase for server.key:
 Verifying - Enter pass phrase for server.key:
 Enter pass phrase for
 writing RSA key
 Step 2: Create self-signed certificate [Press Enter]
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 Country Name (2 letter code) [XX]:IN
 State or Province Name (full name) []:TN
 Locality Name (eg, city) [Default City]:Chennai
 Organization Name (eg, company) [Default Company Ltd]:Self
 Organizational Unit Name (eg, section) []:Nix  
 Common Name (eg, your name or your server's hostname) []:linuxsysadmins.local
 Email Address []:admin@linuxsysadmins.local
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:          
 An optional company name []:
 Key: /var/ossec/api/configuration/ssl/server.key.
 Certificate: /var/ossec/api/configuration/ssl/server.crt
 Continue with next section [Press Enter]
 Enable user authentication? [Y/n/s]: Y
 API user: babinlonston
 New password: 
 Re-type new password: 
 Adding password for user babinlonston.
 is the API running behind a proxy server? [y/N/s]: N
 API not running behind proxy server.
 Configuration changed.
 Restarting API.
 [Configuration changed]
[root@wazuh ~]#

Once the script completes it will restart the API, In case, if you need to restart the service use

# systemctl restart wazuh-api

The changed account information will be under

[root@wazuh ~]# cat /var/ossec/api/configuration/auth/user 
[root@wazuh ~]# 

Testing secure API communication

Once configured with https and default user account, try to test the configuration.

[root@wazuh ~]# curl -u babinlonston:xxxxxxxx -k -v
* About to connect() to port 55000 (#0)
* Trying…
* Connected to ( port 55000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: E=admin@linuxsysadmins.local,CN=linuxsysadmins.local,OU=Nix,O=Self,L=Chennai,ST=TN,C=IN
* start date: Mar 13 10:18:08 2020 GMT
* expire date: Oct 21 10:18:08 2025 GMT
* common name: linuxsysadmins.local
* issuer: E=admin@linuxsysadmins.local,CN=linuxsysadmins.local,OU=Nix,O=Self,L=Chennai,ST=TN,C=IN
* Server auth using Basic with user 'babinlonston' 
   > GET /?pretty HTTP/1.1
   > Authorization: Basic YmFiaW5sb25zdG9uOlJlZGhhdEAxMjM=
   > User-Agent: curl/7.29.0
   > Host:
   > Accept: /
   < HTTP/1.1 200 OK
   < X-Powered-By: Express
   < Access-Control-Allow-Origin: *
   < Content-Type: text/html; charset=utf-8
   < Content-Length: 235
   < ETag: W/"eb-TPfP9bhXx8EStmyRVAbjKXdy40c"
   < Date: Fri, 13 Mar 2020 10:23:04 GMT
   < Connection: keep-alive
      "error": 0,
      "data": {
         "msg": "Welcome to Wazuh HIDS API",
         "api_version": "v3.11.4",
         "hostname": "wazuh.linuxsysadmins.local",
         "timestamp": "Fri Mar 13 2020 14:23:04 GMT+0400 (Gulf Standard Time)"
      Connection #0 to host left intact
[root@wazuh ~]#    

Installing Filebeat

To securely forward the alerts from filebeat to elastic server we are about to use the Filebeat.

Let’s import the GPG key and add the repository.

# rpm --import
# cat > /etc/yum.repos.d/elastic.repo << EOF
 name=Elasticsearch repository for 7.x packages

Install the filebeat with required version.

# yum install filebeat-7.3.0 -y

Download the Filebeat configuration file from the Wazuh repository and save it under the /etc/filebeat/, By following add the permissions.

# curl -so /etc/filebeat/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml

Download the alerts template for Elasticsearch

# curl -so /etc/filebeat/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Download the wazuh module for filebeat. Extract and save under /usr/share/filebeat/module

# curl -s | sudo tar -xvz -C /usr/share/filebeat/module

Configure filebeat

Once the above steps are resolved, Let’s start to configure the filebeat. As we mentioned before, the IP of Elastic server is | elastic.linuxsysadmins.local

# vim /etc/filebeat/filebeat.yml

The only change we need to do in this file is just replaced http://ELASTIC_SERVER_IP:9200 with

output.elasticsearch.hosts: ['http://ELASTIC_SERVER_IP:9200']
output.elasticsearch.hosts: ['']

Enable and restart the filebeat service.

# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service

Next, we need to set up the Elastic Search server, Before that, let us prepare to set up the Java. In my setup, I’m using with Java 13.0.2.
To set up the Java follow this guide

[root@elastic ~]# java -version
 java version "13.0.2" 2020-01-14
 Java(TM) SE Runtime Environment (build 13.0.2+8)
 Java HotSpot(TM) 64-Bit Server VM (build 13.0.2+8, mixed mode, sharing)
[root@elastic ~]#

Click Next page to continuing the setup.

Install Wazuh Open Source Security Analytics 1

About Post Author

Babin Lonston

Overall 14+ Years of experience in the IT field, currently working as a Senior Linux administration with Virtualization & Cloud. Being numismatist for a long time.
0 %
0 %
0 %
0 %
0 %
0 %

Average Rating

5 Star
4 Star
3 Star
2 Star
1 Star

2 thoughts on “Install Wazuh Open Source Security Analytics

Leave a Reply

Your email address will not be published.

Setup a FreeIPA or IDM Replica Previous post Setup a FreeIPA or IDM Replica
Install Foreman with Katello on RHEL CentOS 7 Next post Install Foreman Katello Patch Management on CentOS 7


Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

We promise not to spam you, and we don't usually send more than one email a week.

You have Successfully Subscribed!