idps-escape

Installation CyFORT-Wazuh central components

This page explains the main steps for nstalling Wazuh central components within a containerized environment. For more details we refer to the official documentation .

Wazuh central components:

• Wazuh Manager. The Wazuh manager is the system that analyzes the data received from all registered agents and triggers alerts when an event coincides with a rule.
• Wazuh Dashboard. The Wazuh dashboard is a flexible and intuitive web user interface for mining, analyzing, and visualizing security events and alerts data. It is also used for the management and monitoring of the Wazuh platform.
• Wazuh Indexer. The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities.

Requirements

The following pieces of software are necessary for the installation of Wazuh.

1. Docker Engine
2. Docker Compose

Deployment

The deployment of Wazuh can be done as a single-node or multi-node stack.

• Single-node deployment: Deploys one Wazuh manager, indexer, and dashboard node.
• Multi-node deployment: Deploys two Wazuh manager nodes (one master and one worker), three Wazuh indexer nodes, and a Wazuh dashboard node.

For the sake of simplicity, we discuss here a single node deployment as one manager node would be used to monitor and analyze traffic from the registered agent. The deployment starts by cloning the Wazuh repository to our system.

git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.2 

The next step is to provide a group of certificates for each node in the stack to secure communication between the nodes. Execute the following command to get the desired certificates.

sudo docker-compose -f generate-indexer-certs.yml run --rm generator

This saves the certificates into the /single-node/config/wazuh_indexer_ssl_certs directory.

Start the Wazuh single-node deployment using docker-compose.

sudo docker-compose up

By running the following command it can be seen that the above command starts three containers for the above three mentioned components which are running for:

• wazuh-dashboard
• wazuh-manager
• wazuh-indexer

These can be seen by:

sudo docker ps -a 

To execute commands in the containers, you can execute the respective shell:

docker exec -it single-node-wazuh.manager-1 bash

docker exec -it single-node-wazuh.dashboard-1 bash

docker exec -it single-node-wazuh.indexer-1 bash

Next steps

• Debug Wazuh Manager, Wazuh Indexer, Wazuh Dashboard if necessary. See Troubleshooting.
• Tune and configure Wazuh to your system following the official documentation. Certain operation might differ for the docker deployment, since changes may be applied to using a specific container. Here is an example of procedure adapted to this case: Change passwords for users.
• Deploy Wazuh Agent.

This site is open source. Improve this page.