taibeihacker
Moderator
I. Wazuh deployment architecture
1. The agent running on each server collects information and sends it to the manager over an encrypted channel.
2. The manager analyses the data received from the agents and raises an alert when an event matches an alert rule.
3. Logstash forwards the alert logs or monitoring logs to Elasticsearch, and Kibana visualises the logs.
Distributed deployment: the Wazuh server and the Elastic Stack cluster (one or more servers) run on different hosts.
Single-host architecture: the Wazuh server and Elastic Stack run on the same host.
The main difference is that the former needs Filebeat and Logstash to ship the logs, whereas the latter reads the log files directly on the local machine.


II. Configuring the package source
If your network connection is slow you can switch to a mirror inside China; by default this is not necessary.
yum repolist # list the sources currently in use
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak # back up the original source
wget http://mirrors.aliyun.com/repo/Centos-7.repo # download the Aliyun CentOS 7 source
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo # download the 163 CentOS 7 source
mv <the-repo-file-you-downloaded> /etc/yum.repos.d/CentOS-Base.repo
yum clean all && yum makecache # clean and rebuild the yum cache
Time server:
yum -y install ntp ntpdate # install NTP and ntpdate
ntpdate cn.ntp.org.cn # sync the clock from an NTP server
hwclock --systohc # write the system time to the hardware clock
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime # set the Linux time zone to Shanghai
III. Installing Wazuh Manager
The installation environment is CentOS 7.1 x64.
Method one:
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
yum install wazuh-manager
Method two:
[root@wazhu-manage ~]# cd /opt
[root@wazhu-manage opt]# wget https://packages.wazuh.com/3.x/yum/wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# chmod +x wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# rpm -ivh wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# systemctl status wazuh-manager.service
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/etc/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2019-01-21 09:58:45 UTC; 34s ago
Process: 13789 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/wazuh-manager.service
├─13819 /var/ossec/bin/ossec-authd
├─13823 /var/ossec/bin/wazuh-db
├─13841 /var/ossec/bin/ossec-execd
├─13847 /var/ossec/bin/ossec-analysisd
├─13851 /var/ossec/bin/ossec-syscheckd
├─13859 /var/ossec/bin/ossec-remoted
├─13861 /var/ossec/bin/ossec-logcollector
├─13882 /var/ossec/bin/ossec-monitord
└─13886 /var/ossec/bin/wazuh-modulesd
IV. Installing the Wazuh API
To run the Wazuh API you need NodeJS >= 4.6.1. If NodeJS is not installed, or your version is older than 4.6.1, we recommend adding the official NodeJS repository as follows:
[root@wazhu-manage bin]# curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
[root@wazhu-manage bin]# yum install nodejs.x86_64
[root@wazhu-manage bin]# node -v # alternatively: yum install nodejs
v6.14
To run the Wazuh API you also need Python >= 2.7. It is installed by default, or available from the official repositories, on most Linux distributions. To check whether the Python on your system is older than 2.7, run:
[root@wazhu-manage bin]# python --version #Centos7默認python2
Python 2.7.5
[root@wazhu-manage bin]# cd /opt
[root@wazhu-manage opt]# wget https://packages.wazuh.com/3.x/yum/wazuh-api-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# ls
wazuh-api-3.8.0-1.x86_64.rpm wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# chmod +x wazuh-api-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# rpm -ivh wazuh-api-3.8.0-1.x86_64.rpm #或者yum install wazuh-api
[root@wazhu-manage opt]# systemctl start wazuh-api
[root@wazhu-manage opt]# systemctl status wazuh-api
● wazuh-api.service - Wazuh API daemon
Loaded: loaded (/etc/systemd/system/wazuh-api.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2019-01-21 10:25:30 UTC; 33s ago
Docs: https://documentation.wazuh.com/current/user-manual/api/index.html
Main PID: 15454 (node)
CGroup: /system.slice/wazuh-api.service
└─15454 /bin/node /var/ossec/api/app.js
Jan 21 10:25:30 wazhu-manage systemd[1]: Started Wazuh API daemon.
Prevent automatic upgrades:
# sed -i 's/^enabled=1/enabled=0/' /etc/yum.repos.d/wazuh.repo
V. Installing the Wazuh agent
1. Installing the agent on CentOS
1.1 Package install
[root@wazhu-manage opt]# ls
wazuh-api-3.8.0-1.x86_64.rpm wazuh-manager-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# wget https://packages.wazuh.com/3.x/yum/wazuh-agent-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# chmod +x wazuh-agent-3.8.0-1.x86_64.rpm
[root@wazhu-manage opt]# rpm -ivh wazuh-agent-3.8.0-1.x86_64.rpm
warning: wazuh-agent-3.8.0-1.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 29111145: NOKEY
error: Failed dependencies:
wazuh-manager conflicts with wazuh-agent-3.8.0-1.x86_64
wazuh-agent conflicts with (installed) wazuh-manager-3.8.0-1.x86_64
vim /var/ossec/etc/ossec.conf # edit the configuration file
/var/ossec/bin/manage_agents # import the key
/var/ossec/bin/ossec-control start # start the service
1.2 yum install:
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
[root@wazhu-manage opt]# yum install wazuh-agent
2. Installing the agent on Ubuntu
2.1 Package install
root@agent01:~# cd /opt
root@agent01:/opt# wget https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-agent/wazuh-agent_3.8.0-1_amd64.deb
root@agent01:/opt# dpkg -i wazuh-agent_3.8.0-1_amd64.deb
Selecting previously unselected package wazuh-agent.
(Reading database ... 92845 files and directories currently installed.)
Preparing to unpack wazuh-agent_3.8.0-1_amd64.deb ...
Unpacking wazuh-agent (3.8.0-1) ...
Setting up wazuh-agent (3.8.0-1) ...
Processing triggers for systemd (229-4ubuntu21.4) ...
Processing triggers for ureadahead (0.100.0-19) ...
2.2 apt-get install
# apt-get install curl apt-transport-https lsb-release # install the required packages
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - # install the Wazuh repository GPG key
# echo "deb https://packages.wazuh.com/3.x/apt/stable main" | tee /etc/apt/sources.list.d/wazuh.list # add the repository
# apt-get update # refresh the package information
# apt-get install wazuh-agent # install the Wazuh agent
# echo "wazuh-agent hold" | sudo dpkg --set-selections # disable updates
3. Installing the agent on Windows
agent-auth.exe -m <manager-ip> -P '<manager-password>'
agent-auth -m <manager-ip>
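An added shell example, not code from the original post, wrapping the agent steps above: it verifies the RPM signature instead of accepting the NOKEY warning shown in the rpm -ivh output, refuses to install where wazuh-manager is already present (the dependency conflict shown above), and sets the manager address in the agent's ossec.conf. It assumes the 3.x agent config still contains the placeholder <address>MANAGER_IP</address>; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Guards around the agent
# install steps above: verify the RPM signature instead of accepting the NOKEY
# warning, refuse to install where wazuh-manager already lives (the dependency
# conflict shown above), and point the agent's ossec.conf at the manager.
# Assumption: the 3.x agent config ships the placeholder <address>MANAGER_IP</address>.
WAZUH_GPG_KEY="https://packages.wazuh.com/key/GPG-KEY-WAZUH"

# verify_rpm FILE: import the Wazuh signing key, then require rpm -K to pass.
# rpm -K wording varies across rpm versions, so both exit status and text are checked.
verify_rpm() {
    rpm --import "$WAZUH_GPG_KEY" || return 1
    out=$(rpm -K "$1" 2>&1) || { echo "$out" >&2; return 1; }
    case "$out" in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) echo "$out" >&2; return 1 ;;
    esac
}

# no_manager_here: fail when wazuh-manager is installed, because the agent
# package conflicts with it (checked via rpm or dpkg, whichever the host has)
no_manager_here() {
    if command -v rpm >/dev/null 2>&1 && rpm -q wazuh-manager >/dev/null 2>&1; then
        echo "wazuh-manager is installed here; install the agent on another host" >&2
        return 1
    fi
    if command -v dpkg >/dev/null 2>&1 && dpkg -s wazuh-manager >/dev/null 2>&1; then
        echo "wazuh-manager is installed here; install the agent on another host" >&2
        return 1
    fi
    return 0
}

# set_manager_address FILE ADDR: replace the placeholder (portable, no sed -i)
# and confirm exactly one <address> entry now carries the manager address
set_manager_address() {
    conf="$1"; addr="$2"
    case "$addr" in
        ""|*[!A-Za-z0-9.:-]*) echo "bad manager address: '$addr'" >&2; return 2 ;;
    esac
    grep -q '<address>MANAGER_IP</address>' "$conf" || {
        echo "no MANAGER_IP placeholder left in $conf" >&2; return 1; }
    sed "s#<address>MANAGER_IP</address>#<address>$addr</address>#" "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
    [ "$(grep -c "<address>$addr</address>" "$conf")" -eq 1 ]
}

# Typical order on a fresh host: no_manager_here && verify_rpm <agent.rpm> \
#   && rpm -ivh <agent.rpm> && set_manager_address /var/ossec/etc/ossec.conf <manager-ip>
```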
VI. Installing Elastic Stack
1. Install the runtime packages for Elastic Stack. Logstash and Elasticsearch need Oracle Java JRE 8:
[root@wazhu-manage opt]# curl -Lo jre-8-linux-x64.rpm --header 'Cookie: oraclelicense=accept-securebackup-cookie' 'https://download.oracle.com/otn-pub...b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm'
[root@wazhu-manage opt]# rpm -qlp jre-8-linux-x64.rpm > /dev/null 2>&1 && echo 'Java package downloaded successfully' || echo 'Java package did not download successfully'
Java package downloaded successfully
[root@wazhu-manage opt]# yum -y install jre-8-linux-x64.rpm
[root@wazhu-manage opt]# java -version
java version "1.8.0_202"
Install the Elastic repository and its GPG key:
[root@wazhu-manage opt]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
[root@wazhu-manage opt]# cat > /etc/yum.repos.d/elastic.repo <<EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
[root@wazhu-manage opt]# cat /etc/yum.repos.d/elastic.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
2. Install Elasticsearch
[root@wazhu-manage opt]# yum install elasticsearch-6.5.4
[root@wazhu-manage opt]# systemctl daemon-reload
[root@wazhu-manage opt]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@wazhu-manage opt]# systemctl start elasticsearch.service
[root@wazhu-manage opt]# systemctl status elasticsearch.service
elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2019-01-21 11:20:32 UTC; 12s ago
Docs: http://www.elastic.co
Main PID: 16541 (java)
CGroup: /system.slice/elasticsearch.service
├─16541 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitia...
└─16604 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86...
It is important to wait for the Elasticsearch server to finish starting. Check its current status with the following command, which should return a response like this:
[root@wazhu-manage opt]# curl 'http://localhost:9200/?pretty'
{
"name" : "j2iH056",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "iHTOPid4SR-EoZ5qX73-kw",
"version" : {
"number" : "6.5.4",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "d2ef93d",
"build_date" : "2018-12-17T21:17:40.758843Z",
"build_snapshot" : false,
"lucene_version" : "7.5.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
Load the Wazuh template into Elasticsearch (the Wazuh app for Kibana needs this Elasticsearch template to work properly, so make sure it is inserted correctly):
[root@wazhu-manage opt]# curl https://raw.githubusercontent.com/w...ticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
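An added example, not from the original post: poll Elasticsearch until it answers with a version number (the wait the post calls important) before loading the template, then confirm the wazuh template is actually present. It assumes Elasticsearch on localhost:9200; ES_FETCH is a hook of my own so the HTTP fetch can be stubbed.

```shell
#!/bin/sh
# Added example, not code from the original post. Wait for Elasticsearch to
# answer with a version number before loading the Wazuh template, then check
# that the template really landed. Assumes ES at localhost:9200; ES_FETCH is a
# hook of my own so a test can stub the HTTP fetch.
ES_URL="${ES_URL:-http://localhost:9200}"

# fetch_es PATH: GET ES_URL+PATH (or call the ES_FETCH stub with PATH)
fetch_es() {
    if [ -n "${ES_FETCH:-}" ]; then
        "$ES_FETCH" "$1"
    else
        curl -sS --max-time 5 "$ES_URL$1"
    fi
}

# es_ready: 0 once the root endpoint returns JSON carrying "number" : "x.y.z"
es_ready() {
    fetch_es "/?pretty" 2>/dev/null | grep -q '"number" *: *"[0-9.]*"'
}

# wait_for_es TRIES DELAY: poll es_ready up to TRIES times, DELAY seconds apart
wait_for_es() {
    tries="${1:-30}"; delay="${2:-2}"; i=0
    while [ "$i" -lt "$tries" ]; do
        es_ready && return 0
        i=$((i + 1)); sleep "$delay"
    done
    echo "Elasticsearch not ready after $tries attempts" >&2
    return 1
}

# template_loaded: 0 when GET /_template/wazuh returns the wazuh template
template_loaded() {
    fetch_es "/_template/wazuh" 2>/dev/null | grep -q '"wazuh" *:'
}

# Typical use: wait_for_es 30 2 && <the curl PUT from the post> && template_loaded
```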