I. Wazuh deployment architecture
1. The agent running on each server sends the information it collects to the manager over an encrypted channel.
2. The manager analyses the data received from the agents and raises an alert whenever an event matches an alert rule.
3. Logstash forwards the alert logs or monitoring logs to Elasticsearch, and Kibana finally visualises them.
Distributed deployment: the Wazuh server and the Elastic Stack cluster (one or more servers) run on different hosts.
Single-host architecture: the Wazuh server and the Elastic Stack run on the same host.
The main difference between the two is that the former needs Filebeat and Logstash to ship the logs, whereas the latter reads the log files directly from the local machine.


II. Configuring the package source
If your network is slow you can switch to a domestic (China) mirror; by default this is not necessary.
yum repolist    # show the repositories currently in use
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak    # back up the original repo file
wget http://mirrors.aliyun.com/repo/Centos-7.repo    # download the Aliyun CentOS 7 repo file
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo    # download the 163 CentOS 7 repo file
mv <the-repo-file-you-downloaded> /etc/yum.repos.d/CentOS-Base.repo
yum clean all && yum makecache    # clear and rebuild the yum cache

yum -y install ntp ntpdate    # install NTP and ntpdate
ntpdate cn.ntp.org.cn    # sync the clock via NTP
hwclock --systohc    # write the system time to the hardware clock
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime    # set the Linux time zone to Asia/Shanghai
III. Installing Wazuh Manager
The installation environment is CentOS 7.1 x64.
Method 1:
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
yum install wazuh-manager
Method 2:
[root@wazhu-manage ~]# cd /opt
[root@wazhu-manage opt]# wget https://packages.wazuh.com/3.x/yum/wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# chmod +x wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# rpm -ivh wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# systemctl status wazuh-manager.service
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/etc/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-01-21 09:58:45 UTC; 34s ago
  Process: 13789 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─13819 /var/ossec/bin/ossec-authd
           ├─13823 /var/ossec/bin/wazuh-db
           ├─13841 /var/ossec/bin/ossec-execd
           ├─13847 /var/ossec/bin/ossec-analysisd
           ├─13851 /var/ossec/bin/ossec-syscheckd
           ├─13859 /var/ossec/bin/ossec-remoted
           ├─13861 /var/ossec/bin/ossec-logcollector
           ├─13882 /var/ossec/bin/ossec-monitord
           └─13886 /var/ossec/bin/wazuh-modulesd
IV. Installing the Wazuh API
The Wazuh API requires NodeJS >= 4.6.1. If NodeJS is not installed, or your version is older than 4.6.1, we recommend adding the official NodeJS repository as follows:
[root@wazhu-manage bin]# curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
[root@wazhu-manage bin]# yum install nodejs.x86_64
[root@wazhu-manage bin]# node -v    # alternatively: yum install nodejs (gives v6.14)
The Wazuh API also requires Python >= 2.7, which is installed by default or available from the official repositories of most Linux distributions. To find out whether the Python version on your system is older than 2.7, run the following command:
[root@wazhu-manage bin]# python --version    # CentOS 7 ships Python 2 by default
Python 2.7.5
[root@wazhu-manage bin]# cd /opt
[root@wazhu-manage opt]# wget https://packages.wazuh.com/3.x/yum/wazuh-api-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# ls
wazuh-api-3.8.0-1.x86_64.rpm  wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# chmod +x wazuh-api-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# rpm -ivh wazuh-api-3.8.0-1.x86_64.rpm    # or: yum install wazuh-api
[root@wazhu-manage opt]# systemctl start wazuh-api
[root@wazhu-manage opt]# systemctl status wazuh-api
● wazuh-api.service - Wazuh API daemon
   Loaded: loaded (/etc/systemd/system/wazuh-api.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-01-21 10:25:30 UTC; 33s ago
     Docs: https://documentation.wazuh.com/current/user-manual/api/index.html
 Main PID: 15454 (node)
   CGroup: /system.slice/wazuh-api.service
           └─15454 /bin/node /var/ossec/api/app.js
Jan 21 10:25:30 wazhu-manage systemd[1]: Started Wazuh API daemon.
To prevent automatic upgrades, disable the repository after installation:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
V. Installing the Wazuh agent
1. Installing the agent on CentOS:
1.1. Package install
[root@wazhu-manage opt]# ls
wazuh-api-3.8.0-1.x86_64.rpm  wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# wget https://packages.wazuh.com/3.x/yum/wazuh-agent-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# chmod +x wazuh-agent-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# rpm -ivh wazuh-agent-3.8.0-1.x86_64.rpm
warning: wazuh-agent-3.8.0-1.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 29111145: NOKEY
error: Failed dependencies:
	wazuh-manager conflicts with wazuh-agent-3.8.0-1.x86_64
	wazuh-agent conflicts with (installed) wazuh-manager-3.8.0-1.x86_64
# NOKEY means the Wazuh signing key is not in the rpm keyring, so the package signature was not verified; import it first with: rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# The dependency error is expected on this host: the agent package conflicts with the installed manager (the manager already contains an agent), so install wazuh-agent on a separate server.
# Edit the configuration file
vim /var/ossec/etc/ossec.conf
# Import the agent key
/var/ossec/bin/manage_agents
# Start the service
/var/ossec/bin/ossec-control start
1.2. yum install:
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
[root@wazhu-manage opt]# yum install wazuh-agent
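The rpm -ivh step in 1.1 printed a NOKEY warning, which means the package signature was never checked, and the yum route in 1.2 relies on gpgcheck=1 in wazuh.repo for the same protection. The script below is an added example, not code from the original post or from Wazuh: it verifies a downloaded .rpm with rpm -K after importing the Wazuh key, and checks (or repairs) a .repo file so that signature verification and https stay on. It assumes the key URL from wazuh.repo above and one [section] per .repo file; the function names repo_value, check_repo, harden_repo and install_verified_rpm are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post or from Wazuh). Assumes sed and, on the
# target host, rpm; the key URL is the one used in wazuh.repo above.
WAZUH_KEY_URL="https://packages.wazuh.com/key/GPG-KEY-WAZUH"

# repo_value FILE KEY : print the value of KEY in a one-section .repo file (empty if absent)
repo_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_repo FILE : 0 if gpgcheck=1 and both gpgkey and baseurl are https URLs;
# otherwise report each finding on stderr and return 1
check_repo() {
  f="$1"; rc=0
  [ "$(repo_value "$f" gpgcheck)" = "1" ] || { echo "$f: gpgcheck is not 1, yum would install unsigned packages" >&2; rc=1; }
  case "$(repo_value "$f" gpgkey)" in
    https://*) ;;
    *) echo "$f: gpgkey is not fetched over https" >&2; rc=1 ;;
  esac
  case "$(repo_value "$f" baseurl)" in
    https://*) ;;
    *) echo "$f: baseurl is not https" >&2; rc=1 ;;
  esac
  return "$rc"
}

# harden_repo FILE : force gpgcheck=1, appending the line if it is missing
harden_repo() {
  f="$1"
  if grep -q '^[[:space:]]*gpgcheck[[:space:]]*=' "$f"; then
    sed 's/^[[:space:]]*gpgcheck[[:space:]]*=.*/gpgcheck=1/' "$f" > "$f.tmp"
  else
    { cat "$f"; echo "gpgcheck=1"; } > "$f.tmp"
  fi
  mv "$f.tmp" "$f"
}

# install_verified_rpm PKG : import the Wazuh key (idempotent), then refuse to install
# unless rpm -K can verify the package signature (the check the NOKEY warning skipped)
install_verified_rpm() {
  pkg="$1"
  rpm --import "$WAZUH_KEY_URL" || return 1
  if ! rpm -K "$pkg" >/dev/null 2>&1; then
    echo "$pkg: signature check failed, not installing" >&2
    return 1
  fi
  rpm -ivh "$pkg"
}

# Usage on a real host: ./repo-check.sh /etc/yum.repos.d/wazuh.repo /etc/yum.repos.d/elastic.repo
if [ "$#" -ge 1 ]; then
  for f in "$@"; do check_repo "$f" && echo "$f: OK"; done
fi
```

Run check_repo against every .repo file you write during this guide; the same check applies unchanged to the elastic.repo created in section VI, since it uses the same keys.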
2. Installing the agent on Ubuntu
2.1. Package install
root@agent01:~# cd /opt
root@agent01:/opt# wget https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-agent/wazuh-agent_3.8.0-1_amd64.deb
root@agent01:/opt# dpkg -i wazuh-agent_3.8.0-1_amd64.deb
Selecting previously unselected package wazuh-agent.
(Reading database ... 92845 files and directories currently installed.)
Preparing to unpack wazuh-agent_3.8.0-1_amd64.deb ...
Unpacking wazuh-agent (3.8.0-1) ...
Setting up wazuh-agent (3.8.0-1) ...
Processing triggers for systemd (229-4ubuntu21.4) ...
Processing triggers for ureadahead (0.100.0-19) ...
2.2. apt-get install
# apt-get install curl apt-transport-https lsb-release    # install the required packages
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -    # install the Wazuh repository GPG key
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list    # add the repository
# apt-get update    # refresh the package lists
# apt-get install wazuh-agent    # install the Wazuh agent
# echo "wazuh-agent hold" | sudo dpkg --set-selections    # hold the package so it is not upgraded
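On both CentOS and Ubuntu the install ends the same way: point ossec.conf at the manager, get a key onto the agent (interactively with manage_agents, or with agent-auth as in the Windows step in 3. below), and start the service. The script below is an added example, not code from the original post or from Wazuh: it rewrites the <address> element, refuses a manager address that is not a plain IPv4 address or hostname (so the value cannot break the XML or the sed command when it comes from an inventory file), and after enrollment checks that client.keys exists and is not readable by other local users. It assumes the stock layout under /var/ossec and that agent-auth enrolls against the manager's ossec-authd on tcp/1515; the function names and the sample ossec.conf in the test are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post or from Wazuh). Assumes the stock agent
# layout under /var/ossec; OSSEC_CONF and CLIENT_KEYS can be overridden for testing.
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
CLIENT_KEYS="${CLIENT_KEYS:-/var/ossec/etc/client.keys}"

# set_manager_address CONF ADDR : rewrite <address>...</address> inside <client><server>.
# ADDR is restricted to [A-Za-z0-9.-], so it can neither close the XML element early nor
# smuggle sed syntax into the substitution.
set_manager_address() {
  conf="$1"; addr="$2"
  case "$addr" in
    ''|*[!A-Za-z0-9.-]*) echo "refusing manager address: '$addr'" >&2; return 1 ;;
  esac
  grep -q '<address>' "$conf" || { echo "$conf: no <address> element" >&2; return 1; }
  sed "s|<address>[^<]*</address>|<address>$addr</address>|" "$conf" > "$conf.tmp" \
    && mv "$conf.tmp" "$conf"
}

# manager_address CONF : print the manager address currently configured
manager_address() {
  sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# check_client_keys KEYS : the key file authenticates this agent to the manager, so it
# must exist, be non-empty, and must not be world-readable
check_client_keys() {
  keys="$1"
  [ -s "$keys" ] || { echo "$keys: missing or empty, enroll the agent first" >&2; return 1; }
  perm=$(stat -c '%a' "$keys" 2>/dev/null || stat -f '%Lp' "$keys")
  case "$perm" in
    *[4567]) echo "$keys: world-readable (mode $perm), run chmod 640" >&2; return 2 ;;
  esac
  return 0
}

# enroll_agent MANAGER_ADDR : the full flow on a real agent host; agent-auth registers
# with the manager's ossec-authd (tcp/1515) and writes client.keys
enroll_agent() {
  set_manager_address "$OSSEC_CONF" "$1" || return 1
  /var/ossec/bin/agent-auth -m "$1" || return 1
  check_client_keys "$CLIENT_KEYS" || return 1
  /var/ossec/bin/ossec-control restart
}

# Usage on a real host: ./enroll.sh 10.0.0.5
if [ "$#" -ge 1 ]; then
  enroll_agent "$1"
fi
```

If enrollment is done by hand with manage_agents instead of agent-auth, call check_client_keys afterwards anyway: a key file left world-readable lets any local user impersonate the agent to the manager.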
3. Installing the agent on Windows
Download and install https://packages.wazuh.com/3.x/windows/wazuh-agent-3.8.0-1.msi, then register the agent with the manager:
agent-auth.exe -m <manager-ip> -P "<manager-password>"
agent-auth -m <manager-ip>
VI. Installing the Elastic Stack
1. Installing the Elastic Stack runtime packages
Logstash and Elasticsearch require Oracle Java JRE 8.
[root@wazhu-manage opt]# curl -Lo jre-8-linux-x64.rpm --header "Cookie: oraclelicense=accept-securebackup-cookie" "https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm"
[root@wazhu-manage opt]# rpm -qlp jre-8-linux-x64.rpm > /dev/null 2>&1 && echo "Java package downloaded successfully" || echo "Java package did not download successfully"
Java package downloaded successfully
[root@wazhu-manage opt]# yum -y install jre-8-linux-x64.rpm
[root@wazhu-manage opt]# java -version
java version "1.8.0_202"
Install the Elastic repository and its GPG key:
[root@wazhu-manage opt]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
[root@wazhu-manage opt]# cat > /etc/yum.repos.d/elastic.repo << EOF
> [elasticsearch-6.x]
> name=Elasticsearch repository for 6.x packages
> baseurl=https://artifacts.elastic.co/packages/6.x/yum
> gpgcheck=1
> gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
> enabled=1
> autorefresh=1
> type=rpm-md
> EOF
[root@wazhu-manage opt]# cat /etc/yum.repos.d/elastic.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefr