Setting Up a Distributed Wazuh Deployment [DL Series-1]

In this article, we’ll explore how to set up a distributed Wazuh deployment with the Wazuh indexer, OpenSearch server, and OpenSearch dashboard deployed on three separate servers. I also explain the commands step by step so that people who are just starting out can understand what we are actually doing.

Project Prerequisites

Below are the servers and endpoints used for this setup, including their specifications and costs:

Endpoints

Linux Endpoints

  • dev-jack-linux (Ubuntu 24.04 LTS)
  • prod-Amal-linux (Ubuntu 22.04 LTS)

Optional Endpoints

  • Windows OS
  • macOS

Note: While Windows and macOS endpoints are optional for this lab, I’ll guide you through the process of onboarding them for those who want to explore a multi-OS environment.

For this lab, I set up all these servers and Linux endpoints using DigitalOcean Cloud.


What is DigitalOcean?

DigitalOcean is a cloud platform designed for simplicity and scalability. It allows you to quickly set up virtual servers (called “droplets”) to host applications or projects. For this lab, DigitalOcean provides a $200 credit valid for 60 days — plenty to complete the entire Detection Lab setup.



Logical Architecture

Moving on to our Detection Lab setup, here’s the logical diagram of the project:

Understanding the Logical Diagram

Within this VPC:

  • Wazuh Server acts as the central hub for log ingestion and analysis.
  • Indexer processes the logs into a searchable format.
  • Dashboard visualizes the data for actionable insights.

Outside VPC:

  • Linux, Windows, and macOS Agents send their logs directly to the Wazuh Server.
  • VirusTotal API Integration allows for automated threat intelligence queries from the Wazuh Server.

We will explore the specifics of these logs and the VirusTotal integration in upcoming articles of this series.

Why Use a VPC?

  • Private Networking: Ensures secure communication between servers without exposure to the public internet.
  • Improved Performance: Reduces latency for data flow between the servers.

Infrastructure Preparation

Step 1: Create the VPC

Navigate to Networking > Create VPC in your DigitalOcean dashboard, select a Datacenter Region (e.g., Bangalore), configure the Private IP Range as 172.31.0.0/24, name it (e.g., Detection-Lab-VPC), and click Create.

Step 2: Set Up the Servers

Go to Create > Droplet in your DigitalOcean dashboard, select the Image (e.g., Ubuntu 24.04 LTS), configure the Size as mentioned in the above table, choose the VPC created in Step 1, and assign names to your servers (e.g., Wazuh-Master, OS-Indexer, etc.).

Let’s Begin Deployment!

Indexer Deployment Process

ssh [email protected]

1. Certificates Creation

Download the SSL certificate tool and configuration file
curl -sO https://packages.wazuh.com/4.10/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.10/config.yml        

What it does: These commands use curl (a tool for downloading files from the internet) to fetch two files:

  • wazuh-certs-tool.sh: A script that generates SSL certificates to secure communication between Wazuh components.
  • config.yml: A configuration file where you specify details like node names and IP addresses.

Edit the configuration file
vim ./config.yml        

Update the name and IP for Wazuh indexer, server, and dashboard nodes as shown in the snippet above.
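As an added example (the article's own snippet is an image and is not reproduced here), this is a config.yml for wazuh-certs-tool.sh using the node names the article uses later (node-1, wazuh-1, dashboard). The IP addresses are constructed placeholders inside the 172.31.0.0/24 VPC range from Step 1 and must be replaced with the private IP of each droplet.

```yaml
# Added example config.yml for wazuh-certs-tool.sh (not the article's own file).
# Node names match the ones used in the rest of this article; the IPs are
# constructed placeholders in the lab VPC range and must be replaced with the
# private IP of each droplet. Private IPs are used so that the certificates are
# bound to the VPC-internal addresses the nodes actually communicate on.
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.31.0.2"   # placeholder: OS-Indexer private IP

  # Wazuh server (manager) nodes
  server:
    - name: wazuh-1
      ip: "172.31.0.3"   # placeholder: Wazuh-Master private IP

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.31.0.4"   # placeholder: dashboard droplet private IP
```

Running bash ./wazuh-certs-tool.sh -A afterwards reads this file and writes the certificates to ./wazuh-certificates, the folder the tar step below packs.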

Compress the certificates
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates        

What it does:

  • tar -cvf: Bundles all the generated certificates into a single archive named wazuh-certificates.tar for easy transfer.
  • rm -rf: Deletes the original folder (wazuh-certificates) after archiving to save space and avoid duplication.

Transfer the certificates
scp ./wazuh-certificates.tar root@<node-ip>:/root        

What it does: Uses scp (secure copy) to send the compressed file to other nodes (server, dashboard). Replace <node-ip> with the actual public IP address of the destination node.

2. Installing and Configuring the Wazuh Indexer

Install required system packages
apt-get install debconf adduser procps gnupg apt-transport-https        

What it does: Installs essential tools and libraries:

  • debconf: Helps manage package configuration.
  • adduser: Allows creating new users (needed by some services).
  • procps: Provides tools like ps and top for process monitoring.
  • gnupg and apt-transport-https: Enable secure communication when downloading files from the Wazuh repository.

Add the Wazuh GPG key
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg        

What it does:

  • Downloads the GPG key, which is like a digital signature that ensures the files you download from the Wazuh repository are authentic.
  • The key is stored in /usr/share/keyrings/wazuh.gpg.

Add the Wazuh repository
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list        

What it does: Adds the Wazuh repository to your system’s list of package sources. This allows your system to download and install Wazuh software.

Install the Wazuh Indexer package
apt-get update
apt-get -y install wazuh-indexer        

What it does:

  • Refreshes the list of available packages so your system knows about the new Wazuh repository.
  • Installs the Wazuh Indexer, which is responsible for storing and searching logs.

Edit the configuration file
vim /etc/wazuh-indexer/opensearch.yml        

Set the network.host to the indexer’s private IP and update node.name to node-1, as shown in the snippet above.

3. Deploying Certificates

Create a directory for the certificates, then extract and move the certificates

Run the following commands replacing $NODE_NAME with the name of the Wazuh indexer node (in my case, node-1).

mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem        

What it does:

  • Creates a folder to store the SSL certificates for secure communication.
  • Extracts the certificates for this specific node from the compressed file.
  • Places them in the /etc/wazuh-indexer/certs/ folder.

Rename the certificates
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem        

What it does: Renames the node’s certificates to a standard name (indexer.pem and indexer-key.pem).

Secure the certificates
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs        

What it does:

  • chmod: Sets strict permissions to prevent unauthorized access.
  • chown: Changes the ownership of the files to the Wazuh Indexer service.

4. Start the Wazuh Indexer Service

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
systemctl status wazuh-indexer        

What it does:

  • daemon-reload: Refreshes the system to recognize new or updated services.
  • enable: Ensures the Wazuh Indexer starts automatically on reboot.
  • start: Starts the Wazuh Indexer immediately.
  • status: Displays the running status of the service.

5. Initialize the cluster with new certificates

/usr/share/wazuh-indexer/bin/indexer-security-init.sh        

What it does: Configures the cluster to use the new SSL certificates, enabling secure communication between nodes.

6. Testing the Deployment

curl -k -u admin:admin https://<WAZUH_INDEXER_Private_IP>:9200

What it does: Sends an authenticated HTTPS request to the indexer's REST API on port 9200. -u passes the credentials, and -k tells curl not to verify the server certificate (the lab certificates are signed by your own root CA, which curl does not trust by default). You see output similar to the snippet below, confirming that the Wazuh indexer deployment is successful.

Note: admin:admin is the default username and password for authentication.

Wazuh Manager Deployment Process

ssh [email protected]

1. Installing dependencies & Wazuh Manager

apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get -y install wazuh-manager

Here, we install the necessary packages to support secure connections and repository management. Then, we add the Wazuh GPG key, configure the official Wazuh repository, update the package list (just as we do for the Wazuh indexer), and install the Wazuh manager.

2. Installing and Configuring Filebeat

Install the Filebeat package & Download the preconfigured Filebeat configuration file

apt-get -y install filebeat
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml

Edit the Filebeat configuration file
vim /etc/filebeat/filebeat.yml        

Set the hosts to {indexer’s private IP}:9200 as shown in the snippet above.

Create Filebeat Keystore
filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force        

What it does:

The first command creates a keystore in which Filebeat stores sensitive credentials. The next two pipe the username and password into it: --stdin reads the value from standard input and --force overwrites an existing entry. Filebeat then reads the credentials from the keystore instead of having them written in plain text in filebeat.yml.

Download the Wazuh Template for Filebeat
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json        

What it does:

It downloads the Wazuh indexer template for OpenSearch, a fork of Elasticsearch, and saves it to the Filebeat configuration directory, defining the structure for Wazuh logs in OpenSearch.

Install the Wazuh module for Filebeat.
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module        

What it does:

It downloads the Wazuh Filebeat module, which enables Filebeat to collect and forward Wazuh alerts to OpenSearch, and extracts it into the Filebeat module directory.

3. Deploying Certificates

Run the following commands replacing $NODE_NAME with the name of the Wazuh server node (in my case, wazuh-1).

mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs        

4. Configuring the Wazuh Server

vim /var/ossec/etc/ossec.conf        

Set <host> to https://{indexer’s private IP}:9200 as shown in the snippet above.

5. Start the Wazuh Manager & Filebeat Services

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl enable filebeat
systemctl start filebeat        

6. Testing the Deployment

filebeat test output        

You see output similar to the snippet below, confirming that the Wazuh manager deployment is successful.

Wazuh Dashboard Deployment Process
ssh [email protected]

1. Installing dependencies & Wazuh Dashboard

apt-get -y install debhelper tar curl libcap2-bin gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get -y install wazuh-dashboard        

2. Configuring the Wazuh dashboard

vim /etc/wazuh-dashboard/opensearch_dashboards.yml        

Set server.host to 0.0.0.0 to listen on all IP addresses of the host, and update opensearch.hosts to https://{indexer’s private IP}:9200 as shown in the snippet above.

3. Deploying Certificates

Run the following commands replacing $NODE_NAME with the name of the Wazuh dashboard node (in my case, dashboard).

mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs        
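The same layout is produced on all three nodes: the indexer (section 3 of the indexer deployment), Filebeat on the manager, and the dashboard here, each with its renamed node certificate, key and root-ca.pem locked to 500/400 and owned by the service account. As an added check that is not part of the original article (the function name verify_cert_dir is mine), the script below confirms that state before the service is started and, when openssl is installed, that the node certificate was really issued by root-ca.pem, which catches a certificate copied from the wrong node or a stale CA.

```shell
#!/bin/bash
# Added example, not from the original article: sanity-check a deployed Wazuh
# certificate directory before starting the service. It verifies the modes and
# owner set by the chmod/chown steps, that the renamed node certificate, its key
# and root-ca.pem exist, and (if openssl is installed) that the node certificate
# was issued by root-ca.pem.
#
# Usage: verify_cert_dir <certs-dir> <expected-owner> <cert-basename>
#   verify_cert_dir /etc/wazuh-indexer/certs   wazuh-indexer   indexer
#   verify_cert_dir /etc/filebeat/certs        root            filebeat
#   verify_cert_dir /etc/wazuh-dashboard/certs wazuh-dashboard dashboard
verify_cert_dir() {
    local dir="$1" owner="$2" base="$3" rc=0 f need
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # Directory mode 500: only the owner may list and enter it.
    if [ "$(stat -c '%a' "$dir")" != "500" ]; then
        echo "wrong mode on $dir: expected 500"; rc=1
    fi
    # Every file mode 400 and owned by the service account (private keys live here).
    for f in "$dir"/*; do
        if [ "$(stat -c '%a' "$f")" != "400" ]; then
            echo "wrong mode on $f: expected 400"; rc=1
        fi
        if [ "$(stat -c '%U' "$f")" != "$owner" ]; then
            echo "wrong owner on $f: expected $owner"; rc=1
        fi
    done
    # The files the mv -n step should have produced, plus the CA certificate.
    for need in "$base.pem" "$base-key.pem" root-ca.pem; do
        [ -f "$dir/$need" ] || { echo "missing $dir/$need"; rc=1; }
    done
    # Chain check: a certificate from another node or a stale root-ca.pem
    # passes the file checks above but fails here.
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        if ! openssl verify -CAfile "$dir/root-ca.pem" "$dir/$base.pem" >/dev/null 2>&1; then
            echo "$base.pem is not signed by $dir/root-ca.pem"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}
```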

4. Start the Wazuh Dashboard Service

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard        

5. Configuring wazuh.yml

vim /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml        

Set the url to https://{manager’s private IP} as shown in the snippet above.

6. Testing the Deployment

Access the Wazuh web interface with your credentials.

https://<WAZUH_DASHBOARD_IP_ADDRESS>        

Default username: admin & password: admin

You see a result similar to the snippet below, confirming that the Wazuh dashboard deployment is successful.

Securing your Wazuh installation

On Indexer Server — (ssh root@wazuh-indexer-ip)

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all        

What it does:

It automatically changes the passwords for all Wazuh users in the system. The script outputs the new passwords (as shown in the snippet) and updates the relevant configuration files to reflect the changes.

On Manager Server — (ssh root@wazuh-manager-ip)

curl -sO https://packages.wazuh.com/4.10/wazuh-passwords-tool.sh
bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh        

What it does:

It changes the passwords of the Wazuh API users, prints the new values, and updates the relevant configuration.

Run the following command to update the admin password in the Filebeat keystore. Replace <ADMIN_PASSWORD> with the random password generated in the first step, as shown in the output above: “INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j”.

systemctl restart filebeat        

On Dashboard Server — (ssh root@wazuh-dashboard-ip)

Run the following command, replacing <KIBANASERVER_PASSWORD> with the password generated in the first step.

echo <KIBANASERVER_PASSWORD> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password

Edit wazuh.yml. Update the wazuh.yml configuration file:

vim /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml        

Change <WAZUH_WUI_PASSWORD> to the newly generated wazuh-wui password from the second step.

systemctl restart wazuh-dashboard

Key Takeaway

“Remember, in any deployment, 20% is about setting things up, and 80% is troubleshooting — and that’s where we truly learn and grow.”

Acknowledgments

I want to express my heartfelt gratitude to Santiago Bassett for creating such an incredible tool that empowers us to enhance security monitoring and management. A special thanks to Ashish Bansal for the motivation and guidance that inspired this journey.

Upcoming

In the next article, we will dive into the process of Agent Onboarding and Log Sources. From connecting Linux, Windows, and macOS agents to configuring various log sources, I’ll guide you step by step to help you set up a comprehensive monitoring environment.

Check out the next article here: Agent Onboarding and Log Sources [DL Series-2]

Feel free to ask questions or share your feedback in the comments section — I’d love to hear from you! You can also connect with me on Gibin John to clarify any doubts or continue the conversation.

Follow my Medium profile to stay updated on the full series: Gibin John.



#WazuhSecurity #CyberDetectionLab #WazuhSIEM #ThreatHunting #CybersecurityLab #Wazuh #SecurityMonitoring #SIEM #IncidentResponse #ThreatDetection #SecurityOps #WazuhDetection #SOCLab #CyberThreatIntel #WazuhAlerting #LogAnalysis #CyberDefense #MalwareDetection #Sysmon #SOCAnalysis
