wazuh / wazuh-dashboard

Wazuh dashboard, the Wazuh UI platform
https://wazuh.com
Apache License 2.0

Test 4.9.0-2 packages #299

Closed Tostti closed 1 month ago

Tostti commented 1 month ago

Description

After an issue was found after upgrading environments to 4.9.0, a new 4.9.0-2 package was generated. We need to test all the packages, upgrading from 4.7 and from 4.8, to make sure that there are no errors.

Tostti commented 1 month ago

Upgrade test 🟢

Operating system: CentOS 8
From: Wazuh v4.7.5
To: Wazuh v4.9.0

Install/Upgrade process

```console
[root@localhost vagrant]# bash wazuh-install.sh -u
06/09/2024 16:20:31 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.5
06/09/2024 16:20:31 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 16:20:32 INFO: Removing Wazuh manager.
06/09/2024 16:20:46 INFO: Wazuh manager removed.
06/09/2024 16:20:46 INFO: Removing Wazuh indexer.
06/09/2024 16:20:47 INFO: Wazuh indexer removed.
06/09/2024 16:20:47 INFO: Removing Filebeat.
06/09/2024 16:20:47 INFO: Filebeat removed.
06/09/2024 16:20:47 INFO: Removing Wazuh dashboard.
06/09/2024 16:20:52 INFO: Wazuh dashboard removed.
[root@localhost vagrant]# bash wazuh-install.sh -a
06/09/2024 16:21:21 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.5
06/09/2024 16:21:21 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 16:21:24 INFO: --- Dependencies ---
06/09/2024 16:21:24 INFO: Installing lsof.
06/09/2024 16:21:26 INFO: Wazuh web interface port will be 443.
06/09/2024 16:21:28 INFO: Wazuh repository added.
06/09/2024 16:21:28 INFO: --- Configuration files ---
06/09/2024 16:21:28 INFO: Generating configuration files.
06/09/2024 16:21:28 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 16:21:28 INFO: --- Wazuh indexer ---
06/09/2024 16:21:28 INFO: Starting Wazuh indexer installation.
06/09/2024 16:22:31 INFO: Wazuh indexer installation finished.
06/09/2024 16:22:31 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 16:22:31 INFO: Starting service wazuh-indexer.
06/09/2024 16:22:36 INFO: wazuh-indexer service started.
06/09/2024 16:22:36 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 16:22:47 INFO: Wazuh indexer cluster initialized.
06/09/2024 16:22:47 INFO: --- Wazuh server ---
06/09/2024 16:22:47 INFO: Starting the Wazuh manager installation.
06/09/2024 16:23:26 INFO: Wazuh manager installation finished.
06/09/2024 16:23:26 INFO: Starting service wazuh-manager.
06/09/2024 16:23:35 INFO: wazuh-manager service started.
06/09/2024 16:23:35 INFO: Starting Filebeat installation.
06/09/2024 16:23:37 INFO: Filebeat installation finished.
06/09/2024 16:23:38 INFO: Filebeat post-install configuration finished.
06/09/2024 16:23:38 INFO: Starting service filebeat.
06/09/2024 16:23:38 INFO: filebeat service started.
06/09/2024 16:23:38 INFO: --- Wazuh dashboard ---
06/09/2024 16:23:38 INFO: Starting Wazuh dashboard installation.
06/09/2024 16:24:20 INFO: Wazuh dashboard installation finished.
06/09/2024 16:24:20 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 16:24:20 INFO: Starting service wazuh-dashboard.
06/09/2024 16:24:20 INFO: wazuh-dashboard service started.
06/09/2024 16:24:34 INFO: Initializing Wazuh dashboard web application.
06/09/2024 16:24:36 INFO: Wazuh dashboard web application initialized.
06/09/2024 16:24:36 INFO: --- Summary ---
06/09/2024 16:24:36 INFO: You can access the web interface https://:443
    User: admin
    Password: VS0vy2og7A?nERxDFiwfdvkL.*h8q9q2
06/09/2024 16:24:36 INFO: --- Dependencies ---
06/09/2024 16:24:36 INFO: Removing lsof.
06/09/2024 16:24:36 INFO: Installation finished.
[root@localhost vagrant]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:f1:ca:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
       valid_lft 73250sec preferred_lft 73250sec
    inet6 fe80::4110:eb48:57c6:2836/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:70:02:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.160/24 brd 192.168.0.255 scope global dynamic noprefixroute eth1
       valid_lft 3518sec preferred_lft 3518sec
    inet6 fe80::a00:27ff:fe70:2c3/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost vagrant]# systemctl stop filebeat
[root@localhost vagrant]# systemctl stop wazuh-dashboard
[root@localhost vagrant]# systemctl stop wazuh-indexer
[root@localhost vagrant]# yum upgrade wazuh-indexer
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:05:34 ago on Fri Sep 6 16:21:28 2024.
Dependencies resolved.
===========================================================================================
 Package              Architecture     Version             Repository         Size
===========================================================================================
Upgrading:
 wazuh-indexer        x86_64           4.8.2-1             wazuh             743 M

Transaction Summary
===========================================================================================
Upgrade  1 Package

Total download size: 743 M
Is this ok [y/N]: n
Operation aborted.
[root@localhost vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/pre-release/yum/
protect=1
[root@localhost vagrant]# yum upgrade wazuh-indexer
Failed to set locale, defaulting to C.UTF-8
EL-8 - Wazuh                                    196  B/s | 306  B     00:01
Errors during downloading metadata for repository 'wazuh':
  - Status code: 404 for https://packages.wazuh.com/pre-release/yum/repodata/repomd.xml (IP: 3.160.107.82)
Error: Failed to download metadata for repo 'wazuh': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
[root@localhost vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@localhost vagrant]# yum upgrade wazuh-indexer
Failed to set locale, defaulting to C.UTF-8
EL-8 - Wazuh                                    2.7 kB/s | 3.5 kB     00:01
EL-8 - Wazuh                                    6.9 MB/s |  29 MB     00:04
Last metadata expiration check: 0:00:07 ago on Fri Sep 6 16:27:42 2024.
Dependencies resolved.
===========================================================================================
 Package              Architecture     Version             Repository         Size
===========================================================================================
Upgrading:
 wazuh-indexer        x86_64           4.9.0-1             wazuh             813 M

Transaction Summary
===========================================================================================
Upgrade  1 Package

Total download size: 813 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-indexer-4.9.0-1.x86_64.rpm                 16 MB/s | 813 MB     00:50
-------------------------------------------------------------------------------------------
Total                                            16 MB/s | 813 MB     00:50
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                   1/1
  Running scriptlet: wazuh-indexer-4.9.0-1.x86_64                                      1/1
  Running scriptlet: wazuh-indexer-4.9.0-1.x86_64                                      1/2
  Upgrading        : wazuh-indexer-4.9.0-1.x86_64                                      1/2
warning: /etc/wazuh-indexer/jvm.options created as /etc/wazuh-indexer/jvm.options.rpmnew
warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml saved as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmsave
  Running scriptlet: wazuh-indexer-4.9.0-1.x86_64                                      1/2
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
  Running scriptlet: wazuh-indexer-4.7.5-1.x86_64                                      2/2
  Cleanup          : wazuh-indexer-4.7.5-1.x86_64                                      2/2
  Running scriptlet: wazuh-indexer-4.7.5-1.x86_64                                      2/2
  Verifying        : wazuh-indexer-4.9.0-1.x86_64                                      1/2
  Verifying        : wazuh-indexer-4.7.5-1.x86_64                                      2/2

Upgraded:
  wazuh-indexer-4.9.0-1.x86_64

Complete!
[root@localhost vagrant]# systemctl daemon-reload
[root@localhost vagrant]# systemctl enable wazuh-indexer
Synchronizing state of wazuh-indexer.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable wazuh-indexer
[root@localhost vagrant]# systemctl start wazuh-indexer
[root@localhost vagrant]# curl -k -u 'admin:VS0vy2og7A?nERxDFiwfdvkL.*h8q9q2' https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           12          98   2    0.69    0.46     0.26 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@localhost vagrant]# yum upgrade wazuh-manager
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:01:56 ago on Fri Sep 6 16:27:42 2024.
Dependencies resolved.
===========================================================================================
 Package              Architecture     Version             Repository         Size
===========================================================================================
Upgrading:
 wazuh-manager        x86_64           4.9.0-1             wazuh             303 M

Transaction Summary
===========================================================================================
Upgrade  1 Package

Total download size: 303 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-manager-4.9.0-1.x86_64.rpm                 15 MB/s | 303 MB     00:20
-------------------------------------------------------------------------------------------
Total                                            15 MB/s | 303 MB     00:20
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                   1/1
  Running scriptlet: wazuh-manager-4.9.0-1.x86_64                                      1/1
  Running scriptlet: wazuh-manager-4.9.0-1.x86_64                                      1/2
  Upgrading        : wazuh-manager-4.9.0-1.x86_64                                      1/2
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Running scriptlet: wazuh-manager-4.9.0-1.x86_64                                      1/2
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                                      2/2
  Cleanup          : wazuh-manager-4.7.5-1.x86_64                                      2/2
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                                      2/2
  Running scriptlet: wazuh-manager-4.9.0-1.x86_64                                      2/2
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                                      2/2
  Verifying        : wazuh-manager-4.9.0-1.x86_64                                      1/2
  Verifying        : wazuh-manager-4.7.5-1.x86_64                                      2/2

Upgraded:
  wazuh-manager-4.9.0-1.x86_64

Complete!
[root@localhost vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@localhost vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v VS0vy2og7A?nERxDFiwfdvkL.*h8q9q2
[root@localhost vagrant]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@localhost vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@localhost vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@localhost vagrant]# systemctl daemon-reload
[root@localhost vagrant]# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
[root@localhost vagrant]# systemctl start filebeat
[root@localhost vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@localhost vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.
Index setup finished.
[root@localhost vagrant]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
rm: remove regular file '/etc/wazuh-dashboard/opensearch_dashboards.yml'? y
[root@localhost vagrant]# yum upgrade wazuh-dashboard
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:04:58 ago on Fri Sep 6 16:27:42 2024.
Dependencies resolved.
===========================================================================================
 Package              Architecture     Version             Repository         Size
===========================================================================================
Upgrading:
 wazuh-dashboard      x86_64           4.9.0-2             wazuh             253 M

Transaction Summary
===========================================================================================
Upgrade  1 Package

Total download size: 253 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-dashboard-4.9.0-2.x86_64.rpm               15 MB/s | 253 MB     00:16
-------------------------------------------------------------------------------------------
Total                                            15 MB/s | 253 MB     00:16
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                   1/1
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                                    1/1
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                                    1/2
  Upgrading        : wazuh-dashboard-4.9.0-2.x86_64                                    1/2
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                                    1/2
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                                    2/2
  Cleanup          : wazuh-dashboard-4.7.5-1.x86_64                                    2/2
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                                    2/2
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                                    2/2
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                                    2/2
  Verifying        : wazuh-dashboard-4.9.0-2.x86_64                                    1/2
  Verifying        : wazuh-dashboard-4.7.5-1.x86_64                                    2/2

Upgraded:
  wazuh-dashboard-4.9.0-2.x86_64

Complete!
[root@localhost vagrant]# systemctl daemon-reload
[root@localhost vagrant]# systemctl enable wazuh-dashboard
[root@localhost vagrant]# systemctl start wazuh-dashboard
```
Verify files

```console
[root@localhost vagrant]# cat /etc/default/wazuh-dashboard
user="wazuh-dashboard"
group="wazuh-dashboard"
chroot="/"
chdir="/"
nice=""
KILL_ON_STOP_TIMEOUT=0
OSD_PATH_CONF="/etc/wazuh-dashboard"
[root@localhost vagrant]# cat /usr/share/wazuh-dashboard/bin/opensearch-dashboards
#!/bin/sh
#
# SPDX-License-Identifier: Apache-2.0
#
# The OpenSearch Contributors require contributions made to
# this file be licensed under the Apache-2.0 license or a
# compatible open source license.
#
# Any modifications Copyright OpenSearch Contributors. See
# GitHub history for details.
#

SCRIPT="$0"

# SCRIPT may be an arbitrarily deep series of symlinks. Loop until we have the concrete path.
while [ -h "$SCRIPT" ] ; do
  loc=$(ls -ld "$SCRIPT")
  # Drop everything prior to ->
  link=$(expr "$loc" : '.*-> \(.*\)$')
  if expr "$link" : '/.*' > /dev/null; then
    SCRIPT="$link"
  else
    SCRIPT=$(dirname "$SCRIPT")/"$link"
  fi
done

# Get an absolute path for OSD_HOME
OSD_HOME="$(cd "$(dirname "${SCRIPT}")/.."; pwd)"

OSD_PATH_CONF="/etc/wazuh-dashboard" OSD_NODE_OPTS_PREFIX="--no-warnings --max-http-header-size=65536" OSD_USE_NODE_JS_FILE_PATH=/src/cli/dist NODE_ENV=production exec ${OSD_HOME}/bin/use_node "${@}"
[root@localhost vagrant]# ls -l /etc/wazuh-dashboard/
total 12
dr-x------. 2 wazuh-dashboard wazuh-dashboard  83 Sep  6 16:24 certs
-rw-r-----. 1 wazuh-dashboard wazuh-dashboard 312 Sep  6 14:33 node.options
-rw-r-----. 1 wazuh-dashboard wazuh-dashboard 254 Sep  6 16:24 opensearch_dashboards.keystore
-rw-r-----. 1 wazuh-dashboard wazuh-dashboard 642 Sep  6 14:33 opensearch_dashboards.yml
[root@localhost vagrant]# ls -l /usr/share/wazuh-dashboard/config/
total 8
-rw-r-----. 1 wazuh-dashboard wazuh-dashboard 312 Sep  6 14:30 node.options
-rw-r-----. 1 wazuh-dashboard wazuh-dashboard 642 Sep  6 14:30 opensearch_dashboards.yml
```

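The "Verify files" step above inspects the dashboard configuration layout by eye. As an added example (not code from the wazuh-dashboard project), this POSIX shell script automates the same check against a constructed fixture: OSD_PATH_CONF in the defaults file must point at the configuration directory, and every entry the package ships must belong to the service user and give no access to others; the fixture paths, the GOOD/BAD cases and the use of the current user as owner are assumptions for the demonstration.

```shell
#!/bin/sh
# Post-upgrade check for the wazuh-dashboard configuration layout that the
# "Verify files" step above inspects by hand. Added example, not code from
# the wazuh-dashboard project; file names are taken from the test log above.

# check_osd_conf DEFAULTS_FILE CONF_DIR EXPECTED_OWNER
# Prints one FAIL line per problem; returns 1 if any was found, else 0.
check_osd_conf() {
    defaults="$1"; conf_dir="$2"; owner="$3"; rc=0

    # OSD_PATH_CONF must point the service at CONF_DIR; otherwise the
    # dashboard starts from the bundled copy under /usr/share instead.
    path_conf=""
    if [ -r "$defaults" ]; then
        path_conf=$(sed -n 's/^OSD_PATH_CONF="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$defaults")
    fi
    if [ "$path_conf" != "$conf_dir" ]; then
        echo "FAIL: OSD_PATH_CONF='$path_conf' in $defaults, expected '$conf_dir'"
        rc=1
    fi

    # Each entry the package ships must exist, belong to the service user and
    # give no access to others: the keystore holds the indexer credentials.
    for name in opensearch_dashboards.yml node.options opensearch_dashboards.keystore certs; do
        path="$conf_dir/$name"
        if [ ! -e "$path" ]; then
            echo "FAIL: $path is missing"; rc=1; continue
        fi
        # ls -ld output is standardised: field 1 is the mode string, field 3 the owner.
        set -- $(ls -ld "$path")
        mode="$1"; actual_owner="$3"
        if [ "$actual_owner" != "$owner" ]; then
            echo "FAIL: $path owned by $actual_owner, expected $owner"; rc=1
        fi
        case "$mode" in
            ?????w*) echo "FAIL: $path is group-writable ($mode)"; rc=1 ;;
        esac
        case "$mode" in
            ???????---*) ;;
            *) echo "FAIL: $path is accessible by others ($mode)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# make_fixture GOOD|BAD
# Builds a constructed copy of the layout under a temp dir and prints its path.
# BAD reproduces two things a botched upgrade could leave behind: a defaults
# file without OSD_PATH_CONF and a world-readable keystore.
make_fixture() {
    root=$(mktemp -d)
    conf="$root/etc/wazuh-dashboard"
    mkdir -p "$conf/certs"
    chmod 500 "$conf/certs"
    for name in opensearch_dashboards.yml node.options opensearch_dashboards.keystore; do
        : > "$conf/$name"
        chmod 640 "$conf/$name"
    done
    {
        echo 'user="wazuh-dashboard"'
        echo 'group="wazuh-dashboard"'
        echo 'KILL_ON_STOP_TIMEOUT=0'
        if [ "$1" = GOOD ]; then echo "OSD_PATH_CONF=\"$conf\""; fi
    } > "$root/default"
    if [ "$1" = BAD ]; then chmod 644 "$conf/opensearch_dashboards.keystore"; fi
    echo "$root"
}

# Walk both fixtures; on a real host the arguments would be
# /etc/default/wazuh-dashboard, /etc/wazuh-dashboard and wazuh-dashboard.
for kind in GOOD BAD; do
    root=$(make_fixture "$kind")
    echo "== $kind fixture =="
    if check_osd_conf "$root/default" "$root/etc/wazuh-dashboard" "$(id -un)"; then
        echo "OK: configuration layout matches what the package ships"
    fi
    rm -rf "$root"
done
```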

gdiazlo commented 1 month ago

Upgrade test

Operating system: RHEL 9
From: Wazuh v4.7.5
To: Wazuh 4.9.0

Install/upgrade cycle terminal output ``` PS G:\vagrant\osd> vagrant ssh wz1 Register this system with Red Hat Insights: insights-client --register Create an account or view all your systems at https://red.ht/insights-dashboard [vagrant@rhel9 ~]$ sudo su - [root@rhel9 ~]# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a 06/09/2024 16:05:40 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.5 06/09/2024 16:05:40 INFO: Verbose logging redirected to /var/log/wazuh-install.log 06/09/2024 16:05:46 INFO: Wazuh web interface port will be 443. 06/09/2024 16:05:46 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1515, 1514, 443. 06/09/2024 16:05:47 INFO: Wazuh repository added. 06/09/2024 16:05:47 INFO: --- Configuration files --- 06/09/2024 16:05:47 INFO: Generating configuration files. 06/09/2024 16:05:48 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation. 06/09/2024 16:05:48 INFO: --- Wazuh indexer --- 06/09/2024 16:05:48 INFO: Starting Wazuh indexer installation. 06/09/2024 16:06:47 INFO: Wazuh indexer installation finished. 06/09/2024 16:06:47 INFO: Wazuh indexer post-install configuration finished. 06/09/2024 16:06:47 INFO: Starting service wazuh-indexer. 06/09/2024 16:06:55 INFO: wazuh-indexer service started. 06/09/2024 16:06:55 INFO: Initializing Wazuh indexer cluster security settings. 06/09/2024 16:07:06 INFO: Wazuh indexer cluster initialized. 06/09/2024 16:07:06 INFO: --- Wazuh server --- 06/09/2024 16:07:06 INFO: Starting the Wazuh manager installation. 06/09/2024 16:07:35 INFO: Wazuh manager installation finished. 06/09/2024 16:07:35 INFO: Starting service wazuh-manager. 06/09/2024 16:07:45 INFO: wazuh-manager service started. 06/09/2024 16:07:45 INFO: Starting Filebeat installation. 06/09/2024 16:07:48 INFO: Filebeat installation finished. 
06/09/2024 16:07:49 INFO: Filebeat post-install configuration finished. 06/09/2024 16:07:49 INFO: Starting service filebeat. 06/09/2024 16:07:49 INFO: filebeat service started. 06/09/2024 16:07:49 INFO: --- Wazuh dashboard --- 06/09/2024 16:07:49 INFO: Starting Wazuh dashboard installation. 06/09/2024 16:08:43 INFO: Wazuh dashboard installation finished. 06/09/2024 16:08:43 INFO: Wazuh dashboard post-install configuration finished. 06/09/2024 16:08:43 INFO: Starting service wazuh-dashboard. 06/09/2024 16:08:43 INFO: wazuh-dashboard service started. 06/09/2024 16:09:00 INFO: Initializing Wazuh dashboard web application. 06/09/2024 16:09:01 INFO: Wazuh dashboard web application initialized. 06/09/2024 16:09:01 INFO: --- Summary --- 06/09/2024 16:09:01 INFO: You can access the web interface https://:443 User: admin Password: aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG 06/09/2024 16:09:01 INFO: Installation finished. [root@rhel9 ~]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH [root@rhel9 ~]# systemctl stop firewalld [root@rhel9 ~]# ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:15:5d:01:92:10 brd ff:ff:ff:ff:ff:ff inet 172.27.250.26/20 brd 172.27.255.255 scope global dynamic noprefixroute eth0 valid_lft 84880sec preferred_lft 84880sec [root@rhel9 ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-pre.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages-pre.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages.wazuh.com/pre-release/yum/ protect=1 [root@rhel9 ~]# echo -e 
'[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 [root@rhel9 ~]# systemctl stop filebeat systemctl stop wazuh-dashboard [root@rhel9 ~]# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u "admin:aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG" -k {"acknowledged":curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u "admin:aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG" -k -H 'Content-Type: application/json' -d'application/json' -d' { "persistent": { "cluster.routing.allocation.enable": "primaries" } } ' {"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}[root@rhel9 ~]# curl -X POST "https://127.0.0.1:9200/_flush/sycurl -X POST "https://127.0.0.1:9200/_flush/synced" -u "admin:aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG" -k {"_shards":{"total":7,"successful":7,"failed":0}}[root@rhel9 ~]# [root@rhel9 ~]# systemctl stop wazuh-indexer [root@rhel9 ~]# yum upgrade wazuh-indexer EL-9 - Wazuh 6.3 MB/s | 29 MB 00:04 Last metadata expiration check: 0:00:07 ago on Fri 06 Sep 2024 04:31:37 PM UTC. Dependencies resolved. 
============================================================================================================================================================= Package Architecture Version Repository Size ============================================================================================================================================================= Upgrading: wazuh-indexer x86_64 4.9.0-1 wazuh 813 M Transaction Summary ============================================================================================================================================================= Upgrade 1 Package Total download size: 813 M Is this ok [y/N]: y Downloading Packages: wazuh-indexer-4.9.0-1.x86_64.rpm 21 MB/s | 813 MB 00:38 ------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 21 MB/s | 813 MB 00:38 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. 
Running transaction Preparing : 1/1 Running scriptlet: wazuh-indexer-4.9.0-1.x86_64 1/2 Upgrading : wazuh-indexer-4.9.0-1.x86_64 1/2 warning: /etc/wazuh-indexer/jvm.options created as /etc/wazuh-indexer/jvm.options.rpmnew warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml saved as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmsave Running scriptlet: wazuh-indexer-4.9.0-1.x86_64 1/2 ### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd sudo systemctl daemon-reload sudo systemctl enable wazuh-indexer.service ### You can start wazuh-indexer service by executing sudo systemctl start wazuh-indexer.service Running scriptlet: wazuh-indexer-4.7.5-1.x86_64 2/2 Cleanup : wazuh-indexer-4.7.5-1.x86_64 2/2 Running scriptlet: wazuh-indexer-4.7.5-1.x86_64 2/2 Couldn't write '64' to 'kernel/random/read_wakeup_threshold', ignoring: No such file or directory Verifying : wazuh-indexer-4.9.0-1.x86_64 1/2 Verifying : wazuh-indexer-4.7.5-1.x86_64 2/2 Installed products updated. Upgraded: wazuh-indexer-4.9.0-1.x86_64 Complete! 
[root@rhel9 ~]# systemctl daemon-reload systemctl enable wazuh-indexer systemctl start wazuh-indexer [root@rhel9 ~]# curl -k -u "admin:aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG" https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 127.0.0.1 7 98 3 0.26 0.13 0.08 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 [root@rhel9 ~]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u "admin:aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG" -k -H 'Content-Type: application/json' -d' { "persistent": { "cluster.routing.allocation.enable": "all" } } ' {"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}[root@rhel9 ~]# [root@rhel9 ~]# curl -k -u "admin:aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG" https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 127.0.0.1 12 98 0 0.06 0.10 0.07 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 [root@rhel9 ~]# yum upgrade wazuh-manager Last metadata expiration check: 0:03:08 ago on Fri 06 Sep 2024 04:34:06 PM UTC. Dependencies resolved. 
============================================================================================================================================================= Package Architecture Version Repository Size ============================================================================================================================================================= Upgrading: wazuh-manager x86_64 4.9.0-1 wazuh 303 M Transaction Summary ============================================================================================================================================================= Upgrade 1 Package Total download size: 303 M Is this ok [y/N]: y Downloading Packages: wazuh-manager-4.9.0-1.x86_64.rpm 20 MB/s | 303 MB 00:15 ------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 20 MB/s | 303 MB 00:15 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-manager-4.9.0-1.x86_64 1/2 Upgrading : wazuh-manager-4.9.0-1.x86_64 1/2 warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew Running scriptlet: wazuh-manager-4.9.0-1.x86_64 1/2 Running scriptlet: wazuh-manager-4.7.5-1.x86_64 2/2 Cleanup : wazuh-manager-4.7.5-1.x86_64 2/2 Running scriptlet: wazuh-manager-4.7.5-1.x86_64 2/2 Running scriptlet: wazuh-manager-4.9.0-1.x86_64 2/2 Running scriptlet: wazuh-manager-4.7.5-1.x86_64 2/2 Verifying : wazuh-manager-4.9.0-1.x86_64 1/2 Verifying : wazuh-manager-4.7.5-1.x86_64 2/2 Installed products updated. Upgraded: wazuh-manager-4.9.0-1.x86_64 Complete! 
[root@rhel9 ~]# vi /var/ossec/etc/ossec.conf [root@rhel9 ~]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin [root@rhel9 ~]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v "aGvm4AicFu5EhIaQsrAk+NhCO*D..wNG" [root@rhel9 ~]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json [root@rhel9 ~]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json [root@rhel9 ~]# systemctl daemon-reload systemctl enable filebeat systemctl start filebeat [root@rhel9 ~]# filebeat setup --pipelines filebeat setup --index-management -E output.logstash.enabled=false Loaded Ingest pipelines ILM policy and write alias loading not enabled. Index setup finished. [root@rhel9 ~]# cp /etc/wazuh-dashboard/opensearch_dashboards.yml /etc/wazuh-dashboard/opensearch_dashboards.yml.bak [root@rhel9 ~]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml yum upgrade wazuh-dashboard rm: remove regular file '/etc/wazuh-dashboard/opensearch_dashboards.yml'? y Last metadata expiration check: 0:09:29 ago on Fri 06 Sep 2024 04:34:06 PM UTC. Dependencies resolved. 
================================================================================
 Package               Architecture    Version      Repository    Size
================================================================================
Upgrading:
 wazuh-dashboard       x86_64          4.9.0-2      wazuh         253 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 253 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-dashboard-4.9.0-2.x86_64.rpm                    19 MB/s | 253 MB     00:13
--------------------------------------------------------------------------------
Total                                                 19 MB/s | 253 MB     00:13
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Upgrading        : wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                         2/2
  Cleanup          : wazuh-dashboard-4.7.5-1.x86_64                         2/2
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                         2/2
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                         2/2
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                         2/2
  Verifying        : wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Verifying        : wazuh-dashboard-4.7.5-1.x86_64                         2/2
Installed products updated.

Upgraded:
  wazuh-dashboard-4.9.0-2.x86_64

Complete!
[root@rhel9 ~]# systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
[root@rhel9 ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Fri 2024-09-06 16:44:58 UTC; 4min 52s ago
   Main PID: 11463 (node)
      Tasks: 11 (limit: 48952)
     Memory: 190.1M
        CPU: 6.844s
     CGroup: /system.slice/wazuh-dashboard.service
             └─11463 /usr/share/wazuh-dashboard/node/bin/node /usr/share/wazuh-dashboard/src/cli/dist

Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"get",>
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"get",>
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"post">
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"get",>
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"get",>
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"post">
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"post">
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"post">
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"post">
Sep 06 16:46:51 rhel9.localdomain opensearch-dashboards[11463]: {"type":"response","@timestamp":"2024-09-06T16:46:51Z","tags":[],"pid":11463,"method":"get",>
[root@rhel9 ~]#
```
gdiazlo commented 1 month ago

Upgrade test

Operating system: RHEL 9
From: Wazuh v4.8.2
To: Wazuh 4.9.0

Install/upgrade cycle terminal output

```
PS G:\vagrant\osd> vagrant ssh wz2
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
[vagrant@rhel9 ~]$ sudo su -
[root@rhel9 ~]# curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
06/09/2024 16:06:11 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.2
06/09/2024 16:06:11 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 16:06:12 INFO: Verifying that your system meets the recommended minimum hardware requirements.
06/09/2024 16:06:16 INFO: Wazuh web interface port will be 443.
06/09/2024 16:06:17 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1515, 1514, 443.
06/09/2024 16:06:17 INFO: Wazuh repository added.
06/09/2024 16:06:17 INFO: --- Configuration files ---
06/09/2024 16:06:17 INFO: Generating configuration files.
06/09/2024 16:06:17 INFO: Generating the root certificate.
06/09/2024 16:06:18 INFO: Generating Admin certificates.
06/09/2024 16:06:18 INFO: Generating Wazuh indexer certificates.
06/09/2024 16:06:18 INFO: Generating Filebeat certificates.
06/09/2024 16:06:18 INFO: Generating Wazuh dashboard certificates.
06/09/2024 16:06:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 16:06:19 INFO: --- Wazuh indexer ---
06/09/2024 16:06:19 INFO: Starting Wazuh indexer installation.
06/09/2024 16:07:21 INFO: Wazuh indexer installation finished.
06/09/2024 16:07:21 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 16:07:21 INFO: Starting service wazuh-indexer.
06/09/2024 16:07:30 INFO: wazuh-indexer service started.
06/09/2024 16:07:30 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 16:07:41 INFO: Wazuh indexer cluster security configuration initialized.
06/09/2024 16:07:41 INFO: Wazuh indexer cluster initialized.
06/09/2024 16:07:41 INFO: --- Wazuh server ---
06/09/2024 16:07:41 INFO: Starting the Wazuh manager installation.
06/09/2024 16:08:18 INFO: Wazuh manager installation finished.
06/09/2024 16:08:19 INFO: Wazuh manager vulnerability detection configuration finished.
06/09/2024 16:08:19 INFO: Starting service wazuh-manager.
06/09/2024 16:08:27 INFO: wazuh-manager service started.
06/09/2024 16:08:27 INFO: Starting Filebeat installation.
06/09/2024 16:08:31 INFO: Filebeat installation finished.
06/09/2024 16:08:31 INFO: Filebeat post-install configuration finished.
06/09/2024 16:08:31 INFO: Starting service filebeat.
06/09/2024 16:08:32 INFO: filebeat service started.
06/09/2024 16:08:32 INFO: --- Wazuh dashboard ---
06/09/2024 16:08:32 INFO: Starting Wazuh dashboard installation.
06/09/2024 16:09:22 INFO: Wazuh dashboard installation finished.
06/09/2024 16:09:22 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 16:09:22 INFO: Starting service wazuh-dashboard.
06/09/2024 16:09:22 INFO: wazuh-dashboard service started.
06/09/2024 16:09:24 INFO: Updating the internal users.
06/09/2024 16:09:26 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
06/09/2024 16:09:58 INFO: Initializing Wazuh dashboard web application.
06/09/2024 16:09:59 INFO: Wazuh dashboard web application initialized.
06/09/2024 16:09:59 INFO: --- Summary ---
06/09/2024 16:09:59 INFO: You can access the web interface https://:443
    User: admin
    Password: flJSAW8449FTTL?X6pry4zUiyz.mWSdC
06/09/2024 16:09:59 INFO: Installation finished.
[root@rhel9 ~]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@rhel9 ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:01:92:11 brd ff:ff:ff:ff:ff:ff
    inet 172.27.253.149/20 brd 172.27.255.255 scope global dynamic noprefixroute eth0
       valid_lft 84976sec preferred_lft 84976sec
[root@rhel9 ~]# systemctl stop firewalld
[root@rhel9 ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@rhel9 ~]# systemctl stop filebeat
systemctl stop wazuh-dashboard
[root@rhel9 ~]# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u "admin:flJSAW8449FTTL?X6pry4zUiyz.mWSdC" -k
{"acknowledged":curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u "admin:flJSAW8449FTTL?X6pry4zUiyz.mWSdC" -k -H 'Content-Type: application/json' -d'application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}[root@rhel9 ~]#
[root@rhel9 ~]# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u "admin:flJSAW8449FTTL?X6pry4zUiyz.mWSdC" -k
{"_shards":{"total":9,"successful":9,"failed":0}}[root@rhel9 ~]#
[root@rhel9 ~]# systemctl stop wazuh-indexer
[root@rhel9 ~]# yum upgrade wazuh-indexer
EL-9 - Wazuh                                          8.7 MB/s |  29 MB     00:03
Last metadata expiration check: 0:00:07 ago on Fri 06 Sep 2024 04:31:40 PM UTC.
Dependencies resolved.
================================================================================
 Package               Architecture    Version      Repository    Size
================================================================================
Upgrading:
 wazuh-indexer         x86_64          4.9.0-1      wazuh         813 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 813 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-indexer-4.9.0-1.x86_64.rpm                      22 MB/s | 813 MB     00:37
--------------------------------------------------------------------------------
Total                                                 22 MB/s | 813 MB     00:37
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-indexer-4.9.0-1.x86_64                           1/2
  Upgrading        : wazuh-indexer-4.9.0-1.x86_64                           1/2
warning: /etc/wazuh-indexer/jvm.options created as /etc/wazuh-indexer/jvm.options.rpmnew
warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml saved as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmsave
  Running scriptlet: wazuh-indexer-4.9.0-1.x86_64                           1/2
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
  Running scriptlet: wazuh-indexer-4.8.2-1.x86_64                           2/2
  Cleanup          : wazuh-indexer-4.8.2-1.x86_64                           2/2
  Running scriptlet: wazuh-indexer-4.8.2-1.x86_64                           2/2
Couldn't write '64' to 'kernel/random/read_wakeup_threshold', ignoring: No such file or directory
  Verifying        : wazuh-indexer-4.9.0-1.x86_64                           1/2
  Verifying        : wazuh-indexer-4.8.2-1.x86_64                           2/2
Installed products updated.

Upgraded:
  wazuh-indexer-4.9.0-1.x86_64

Complete!
[root@rhel9 ~]# systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
[root@rhel9 ~]# curl -k -u "admin:flJSAW8449FTTL?X6pry4zUiyz.mWSdC" https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                         cluster_manager name
127.0.0.1           12          98   3    0.17    0.12     0.18 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@rhel9 ~]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u "admin:flJSAW8449FTTL?X6pry4zUiyz.mWSdC" -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}[root@rhel9 ~]#
[root@rhel9 ~]# curl -k -u "admin:flJSAW8449FTTL?X6pry4zUiyz.mWSdC" https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                         cluster_manager name
127.0.0.1           17          98   0    0.04    0.09     0.16 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@rhel9 ~]# yum upgrade wazuh-manager
Last metadata expiration check: 0:03:37 ago on Fri 06 Sep 2024 04:33:43 PM UTC.
Dependencies resolved.
================================================================================
 Package               Architecture    Version      Repository    Size
================================================================================
Upgrading:
 wazuh-manager         x86_64          4.9.0-1      wazuh         303 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 303 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-manager-4.9.0-1.x86_64.rpm                      20 MB/s | 303 MB     00:15
--------------------------------------------------------------------------------
Total                                                 20 MB/s | 303 MB     00:15
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-manager-4.9.0-1.x86_64                           1/2
  Upgrading        : wazuh-manager-4.9.0-1.x86_64                           1/2
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Running scriptlet: wazuh-manager-4.9.0-1.x86_64                           1/2
  Running scriptlet: wazuh-manager-4.8.2-1.x86_64                           2/2
  Cleanup          : wazuh-manager-4.8.2-1.x86_64                           2/2
  Running scriptlet: wazuh-manager-4.8.2-1.x86_64                           2/2
  Running scriptlet: wazuh-manager-4.9.0-1.x86_64                           2/2
  Running scriptlet: wazuh-manager-4.8.2-1.x86_64                           2/2
  Verifying        : wazuh-manager-4.9.0-1.x86_64                           1/2
  Verifying        : wazuh-manager-4.8.2-1.x86_64                           2/2
Installed products updated.

Upgraded:
  wazuh-manager-4.9.0-1.x86_64

Complete!
[root@rhel9 ~]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@rhel9 ~]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@rhel9 ~]# systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
[root@rhel9 ~]# filebeat setup --pipelines
filebeat setup --index-management -E output.logstash.enabled=false
Loaded Ingest pipelines
ILM policy and write alias loading not enabled.
Index setup finished.
[root@rhel9 ~]# cp /etc/wazuh-dashboard/opensearch_dashboards.yml /etc/wazuh-dashboard/opensearch_dashboards.yml.bak
[root@rhel9 ~]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
yum upgrade wazuh-dashboard
rm: remove regular file '/etc/wazuh-dashboard/opensearch_dashboards.yml'? y
Last metadata expiration check: 0:10:00 ago on Fri 06 Sep 2024 04:33:43 PM UTC.
Dependencies resolved.
================================================================================
 Package               Architecture    Version      Repository    Size
================================================================================
Upgrading:
 wazuh-dashboard       x86_64          4.9.0-2      wazuh         253 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 253 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-dashboard-4.9.0-2.x86_64.rpm                    19 MB/s | 253 MB     00:12
--------------------------------------------------------------------------------
Total                                                 19 MB/s | 253 MB     00:12
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Upgrading        : wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Running scriptlet: wazuh-dashboard-4.8.2-1.x86_64                         2/2
  Cleanup          : wazuh-dashboard-4.8.2-1.x86_64                         2/2
  Running scriptlet: wazuh-dashboard-4.8.2-1.x86_64                         2/2
  Running scriptlet: wazuh-dashboard-4.9.0-2.x86_64                         2/2
  Running scriptlet: wazuh-dashboard-4.8.2-1.x86_64                         2/2
  Verifying        : wazuh-dashboard-4.9.0-2.x86_64                         1/2
  Verifying        : wazuh-dashboard-4.8.2-1.x86_64                         2/2
Installed products updated.

Upgraded:
  wazuh-dashboard-4.9.0-2.x86_64

Complete!
[root@rhel9 ~]# systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
[root@rhel9 ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:01:92:11 brd ff:ff:ff:ff:ff:ff
    inet 172.27.253.149/20 brd 172.27.255.255 scope global dynamic noprefixroute eth0
       valid_lft 83706sec preferred_lft 83706sec
[root@rhel9 ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Fri 2024-09-06 16:45:03 UTC; 4min 39s ago
   Main PID: 15159 (node)
      Tasks: 11 (limit: 48952)
     Memory: 221.6M
        CPU: 7.248s
     CGroup: /system.slice/wazuh-dashboard.service
             └─15159 /usr/share/wazuh-dashboard/node/bin/node /usr/share/wazuh-dashboard/src/cli/dist

Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"get",>
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"get",>
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"post">
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"get",>
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"get",>
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"post">
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"post">
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"post">
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"post">
Sep 06 16:46:28 rhel9.localdomain opensearch-dashboards[15159]: {"type":"response","@timestamp":"2024-09-06T16:46:28Z","tags":[],"pid":15159,"method":"get",>
[root@rhel9 ~]#
```
havidarou commented 1 month ago

Initial deployment

Vagrant Ubuntu 20.04

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|

    config.vm.box = "bento/ubuntu-20.04"
    config.vm.synced_folder ".", "/vagrant", group:"root", owner:"root", mount_options: ["dmode=777,fmode=777"]

    config.vm.network "private_network", ip: "********"

    config.vm.define "10-ubuntu-20.04"

    config.vm.provider "virtualbox" do |vb|
        vb.memory = "8192"
        vb.cpus = "4"
        vb.name = "opensearch-10-ubuntu-20.04"
        vb.customize ["setextradata", :id, "VBoxInternal2/SharedFoldersEnableSymlinksCreate//vagrant", "1"]
        #vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
    end

    config.vm.hostname = "opensearch-10-ubuntu-20.04"
end

Quickstart logs

vagrant@opensearch-10-ubuntu-20:~$ sudo su
root@opensearch-10-ubuntu-20:/home/vagrant# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
06/09/2024 16:24:45 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.5
06/09/2024 16:24:45 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 16:24:58 INFO: Wazuh web interface port will be 443.
06/09/2024 16:25:01 INFO: --- Dependencies ----
06/09/2024 16:25:01 INFO: Installing apt-transport-https.
06/09/2024 16:25:05 INFO: Wazuh repository added.
06/09/2024 16:25:05 INFO: --- Configuration files ---
06/09/2024 16:25:05 INFO: Generating configuration files.
06/09/2024 16:25:06 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 16:25:06 INFO: --- Wazuh indexer ---
06/09/2024 16:25:06 INFO: Starting Wazuh indexer installation.
06/09/2024 16:26:31 INFO: Wazuh indexer installation finished.
06/09/2024 16:26:31 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 16:26:31 INFO: Starting service wazuh-indexer.
06/09/2024 16:26:48 INFO: wazuh-indexer service started.
06/09/2024 16:26:48 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 16:26:59 INFO: Wazuh indexer cluster initialized.
06/09/2024 16:26:59 INFO: --- Wazuh server ---
06/09/2024 16:26:59 INFO: Starting the Wazuh manager installation.
06/09/2024 16:28:30 INFO: Wazuh manager installation finished.
06/09/2024 16:28:30 INFO: Starting service wazuh-manager.
06/09/2024 16:28:50 INFO: wazuh-manager service started.
06/09/2024 16:28:50 INFO: Starting Filebeat installation.
06/09/2024 16:28:55 INFO: Filebeat installation finished.
06/09/2024 16:28:56 INFO: Filebeat post-install configuration finished.
06/09/2024 16:28:56 INFO: Starting service filebeat.
06/09/2024 16:28:57 INFO: filebeat service started.
06/09/2024 16:28:57 INFO: --- Wazuh dashboard ---
06/09/2024 16:28:57 INFO: Starting Wazuh dashboard installation.
06/09/2024 16:30:35 INFO: Wazuh dashboard installation finished.
06/09/2024 16:30:35 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 16:30:35 INFO: Starting service wazuh-dashboard.
06/09/2024 16:30:36 INFO: wazuh-dashboard service started.
06/09/2024 16:30:55 INFO: Initializing Wazuh dashboard web application.
06/09/2024 16:30:55 INFO: Wazuh dashboard web application initialized.
06/09/2024 16:30:55 INFO: --- Summary ---
06/09/2024 16:30:55 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: *
06/09/2024 16:30:55 INFO: Installation finished.

Upgrade to 4.9.0

root@opensearch-10-ubuntu-20:/home/vagrant# systemctl stop filebeat
root@opensearch-10-ubuntu-20:/home/vagrant# systemctl stop wazuh-dashboard
root@opensearch-10-ubuntu-20:/home/vagrant# curl -X DELETE "https://localhost:9200/_index_template/ss4o_*_template" -u admin:* -k
{"acknowledged":true}root@opensearch-10-ubuntu-20:/home/vagrant# curl -X PUT "https://localhost:9200/_cluster/settings"  -u admin:* -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}root@opensearch-10-
root@opensearch-10-ubuntu-20:/home/vagrant# curl -X POST "https://localhost:9200/_flush/synced" -u admin:* -k
{"_shards":{"total":8,"successful":8,"failed":0}}root@opensearch-10-ubuntu-20:/home/vagrant# systemctl stop wazuh-indexer
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# apt-get install wazuh-indexer
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  wazuh-indexer
1 upgraded, 0 newly installed, 0 to remove and 128 not upgraded.
Need to get 850 MB of archives.
After this operation, 107 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.9.0-1 [850 MB]
Fetched 850 MB in 36s (23.4 MB/s)
(Reading database ... 162831 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.9.0-1_amd64.deb ...
Running Wazuh Indexer Pre-Installation Script
Unpacking wazuh-indexer (4.9.0-1) over (4.7.5-1) ...
Setting up wazuh-indexer (4.9.0-1) ...
Installing new version of config file /etc/default/wazuh-indexer ...

Configuration file '/etc/init.d/wazuh-indexer'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** wazuh-indexer (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/init.d/wazuh-indexer ...

Configuration file '/etc/wazuh-indexer/jvm.options'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** jvm.options (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-indexer/jvm.options ...
Installing new version of config file /etc/wazuh-indexer/log4j2.properties ...
Installing new version of config file /etc/wazuh-indexer/opensearch-notifications-core/notifications-core.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca_cluster_manager.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca_idle_cluster_manager.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/supervisord.conf ...

Configuration file '/etc/wazuh-indexer/opensearch-security/internal_users.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** internal_users.yml (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-indexer/opensearch-security/internal_users.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles_mapping.yml ...
Running Wazuh Indexer Post-Installation Script
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
Processing triggers for systemd (245.4-4ubuntu3.22) ...
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# systemctl daemon-reload
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# systemctl enable wazuh-indexer
Synchronizing state of wazuh-indexer.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable wazuh-indexer
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# systemctl start wazuh-indexer
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# curl -k -u admin:* https://localhost:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                         cluster_manager name
127.0.0.1           37          83  15    0.49    0.25     0.30 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# curl -X PUT "https://localhost:9200/_cluster/settings" -u admin:* -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "all"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d#
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# apt-get install wazuh-manager
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  expect
The following packages will be upgraded:
  wazuh-manager
1 upgraded, 0 newly installed, 0 to remove and 127 not upgraded.
Need to get 322 MB of archives.
After this operation, 260 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.9.0-1 [322 MB]
Fetched 322 MB in 16s (20.2 MB/s)
(Reading database ... 162890 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.9.0-1_amd64.deb ...
Unpacking wazuh-manager (4.9.0-1) over (4.7.5-1) ...
Setting up wazuh-manager (4.9.0-1) ...
Processing triggers for systemd (245.4-4ubuntu3.22) ...
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# chmod go+r /etc/filebeat/wazuh-template.json
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# systemctl daemon-reload
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# systemctl start filebeat
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# filebeat setup --pipelines
Loaded Ingest pipelines
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.
Index setup finished.
root@opensearch-10-ubuntu-20:/etc/apt/sources.list.d# apt-get install wazuh-dashboard
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  wazuh-dashboard
1 upgraded, 0 newly installed, 0 to remove and 126 not upgraded.
Need to get 166 MB of archives.
After this operation, 41.2 MB disk space will be freed.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.9.0-2 [166 MB]
Fetched 166 MB in 9s (18.0 MB/s)
(Reading database ... 165523 files and directories currently installed.)
Preparing to unpack .../wazuh-dashboard_4.9.0-2_amd64.deb ...
Unpacking wazuh-dashboard (4.9.0-2) over (4.7.5-1) ...
Setting up wazuh-dashboard (4.9.0-2) ...
Installing new version of config file /etc/default/wazuh-dashboard ...
Installing new version of config file /etc/systemd/system/wazuh-dashboard ...
Installing new version of config file /etc/systemd/system/wazuh-dashboard.service ...
Installing new version of config file /etc/wazuh-dashboard/node.options ...

Configuration file '/etc/wazuh-dashboard/opensearch_dashboards.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** opensearch_dashboards.yml (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-dashboard/opensearch_dashboards.yml ...

UI validation (plus some new alerts generated)

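The indexer calls that the three upgrade runs in this thread type by hand (delete the `ss4o_*` index templates, restrict shard allocation to primaries, synced flush, then re-enable allocation once the upgraded indexer is back) as an added shell script with a check on every reply. This is example code written for this page, not part of wazuh-dashboard or of the Wazuh upgrade tooling. `INDEXER_URL`, `INDEXER_CA`, `WAZUH_ADMIN_PASS`, `DRY_RUN` and the function names are assumptions of the example; the root CA path is an assumed default, so confirm it on the target host. Unlike the inline `-u admin:<password> -k` calls in the logs, it hands the credential to curl through a config file on stdin and verifies the indexer certificate, and a step whose JSON reply is not the expected acknowledgement stops the run instead of scrolling past.

```shell
#!/usr/bin/env bash
# Added example (not wazuh-dashboard project code): the indexer pre-/post-upgrade
# steps from the test logs, with a check on every reply. The defaults below are
# assumptions for this example; adjust them for the target host.
INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"
INDEXER_CA="${INDEXER_CA:-/etc/wazuh-indexer/certs/root-ca.pem}"   # assumed CA path
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print the calls; set DRY_RUN=0 to execute them

# Settings body for cluster.routing.allocation.enable ("primaries" before, "all" after).
allocation_body() {
  printf '{"persistent":{"cluster.routing.allocation.enable":"%s"}}' "$1"
}

# 0 when an indexer JSON reply carries "acknowledged":true (template delete, settings).
indexer_acked() {
  printf '%s' "$1" | grep -q '"acknowledged":true'
}

# 0 when a synced-flush reply reports no failed shards.
flush_clean() {
  printf '%s' "$1" | grep -qE '"failed":0[,}]'
}

# 0 when a settings reply echoes the requested allocation value back.
allocation_is() {
  printf '%s' "$1" | grep -q "\"enable\":\"$2\""
}

# One authenticated call: method, path, optional JSON body. The password reaches
# curl as a config file on stdin, so it is not visible in argv or shell history
# (the logs pass it inline with -u); --cacert replaces the logs' -k.
indexer_call() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '[dry-run] %s %s%s%s\n' "$1" "$INDEXER_URL" "$2" "${3:+ $3}"
    return 0
  fi
  method=$1; path=$2; body=${3:-}
  if [ -n "$body" ]; then set -- -d "$body"; else set --; fi
  printf 'user = "admin:%s"\n' "${WAZUH_ADMIN_PASS:?WAZUH_ADMIN_PASS must be set}" |
    curl -sS --config - --cacert "$INDEXER_CA" -X "$method" "$INDEXER_URL$path" \
      -H 'Content-Type: application/json' "$@"
}

# Report the raw reply on stderr and signal failure to the caller.
fail() { echo "$1: $2" >&2; return 1; }

# Steps the logs run before `systemctl stop wazuh-indexer`.
prepare_indexer_for_upgrade() {
  reply=$(indexer_call DELETE '/_index_template/ss4o_*_template') || return 1
  [ "$DRY_RUN" = 1 ] || indexer_acked "$reply" || fail "template delete not acknowledged" "$reply" || return 1
  reply=$(indexer_call PUT /_cluster/settings "$(allocation_body primaries)") || return 1
  [ "$DRY_RUN" = 1 ] || allocation_is "$reply" primaries || fail "allocation not restricted to primaries" "$reply" || return 1
  reply=$(indexer_call POST /_flush/synced) || return 1
  [ "$DRY_RUN" = 1 ] || flush_clean "$reply" || fail "synced flush reported failed shards" "$reply" || return 1
}

# Step the logs run once the upgraded indexer is back in _cat/nodes: re-enable allocation.
reopen_indexer_after_upgrade() {
  reply=$(indexer_call PUT /_cluster/settings "$(allocation_body all)") || return 1
  [ "$DRY_RUN" = 1 ] || allocation_is "$reply" all || fail "allocation not re-enabled" "$reply"
}

case "${1:-}" in
  prepare) prepare_indexer_for_upgrade ;;
  reopen)  reopen_indexer_after_upgrade ;;
esac
```

Run `DRY_RUN=0 WAZUH_ADMIN_PASS=... ./indexer-upgrade-prep.sh prepare` before stopping the indexer and `... reopen` after the upgraded node reports in `_cat/nodes`; without `DRY_RUN=0` the script only prints the calls it would make, which is a cheap way to review the targets before touching a production cluster.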

Tostti commented 1 month ago

Upgrade test 🟢

Operating system: Ubuntu 22.04
From: Wazuh v4.8.0
To: Wazuh v4.9.0

Install/Upgrade process

```console
root@vagrant:/home/vagrant# bash wazuh-install.sh -u
06/09/2024 16:41:14 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.2
06/09/2024 16:41:14 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 16:41:15 INFO: Removing Wazuh manager.
06/09/2024 16:41:28 INFO: Wazuh manager removed.
06/09/2024 16:41:28 INFO: Removing Wazuh indexer.
06/09/2024 16:41:29 INFO: Wazuh indexer removed.
06/09/2024 16:41:29 INFO: Removing Filebeat.
06/09/2024 16:41:30 INFO: Filebeat removed.
06/09/2024 16:41:30 INFO: Removing Wazuh dashboard.
06/09/2024 16:41:35 INFO: Wazuh dashboard removed.
root@vagrant:/home/vagrant# bash wazuh-install.sh -a
06/09/2024 16:41:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.2
06/09/2024 16:41:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 16:41:46 INFO: Verifying that your system meets the recommended minimum hardware requirements.
06/09/2024 16:41:51 INFO: Wazuh web interface port will be 443.
06/09/2024 16:41:55 INFO: Wazuh repository added.
06/09/2024 16:41:55 INFO: --- Configuration files ---
06/09/2024 16:41:55 INFO: Generating configuration files.
06/09/2024 16:41:55 INFO: Generating the root certificate.
06/09/2024 16:41:55 INFO: Generating Admin certificates.
06/09/2024 16:41:55 INFO: Generating Wazuh indexer certificates.
06/09/2024 16:41:56 INFO: Generating Filebeat certificates.
06/09/2024 16:41:56 INFO: Generating Wazuh dashboard certificates.
06/09/2024 16:41:56 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 16:41:56 INFO: --- Wazuh indexer ---
06/09/2024 16:41:56 INFO: Starting Wazuh indexer installation.
06/09/2024 16:42:29 INFO: Wazuh indexer installation finished.
06/09/2024 16:42:29 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 16:42:29 INFO: Starting service wazuh-indexer.
06/09/2024 16:42:35 INFO: wazuh-indexer service started.
06/09/2024 16:42:35 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 16:42:47 INFO: Wazuh indexer cluster security configuration initialized.
06/09/2024 16:42:47 INFO: Wazuh indexer cluster initialized.
06/09/2024 16:42:47 INFO: --- Wazuh server ---
06/09/2024 16:42:47 INFO: Starting the Wazuh manager installation.
06/09/2024 16:43:25 INFO: Wazuh manager installation finished.
06/09/2024 16:43:25 INFO: Wazuh manager vulnerability detection configuration finished.
06/09/2024 16:43:25 INFO: Starting service wazuh-manager.
06/09/2024 16:43:39 INFO: wazuh-manager service started.
06/09/2024 16:43:39 INFO: Starting Filebeat installation.
06/09/2024 16:43:47 INFO: Filebeat installation finished.
06/09/2024 16:43:48 INFO: Filebeat post-install configuration finished.
06/09/2024 16:43:48 INFO: Starting service filebeat.
06/09/2024 16:43:49 INFO: filebeat service started.
06/09/2024 16:43:49 INFO: --- Wazuh dashboard ---
06/09/2024 16:43:49 INFO: Starting Wazuh dashboard installation.
06/09/2024 16:45:36 INFO: Wazuh dashboard installation finished.
06/09/2024 16:45:36 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 16:45:36 INFO: Starting service wazuh-dashboard.
06/09/2024 16:45:37 INFO: wazuh-dashboard service started.
06/09/2024 16:45:37 INFO: Updating the internal users.
06/09/2024 16:45:39 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
06/09/2024 16:46:13 INFO: Initializing Wazuh dashboard web application.
06/09/2024 16:46:14 INFO: Wazuh dashboard web application initialized.
06/09/2024 16:46:14 INFO: --- Summary ---
06/09/2024 16:46:14 INFO: You can access the web interface https://:443
    User: admin
    Password: pu+MkkRPr76q3aCr?3CX7H2+5jXOSOy+
06/09/2024 16:46:14 INFO: Installation finished.
root@vagrant:/home/vagrant# ^C
root@vagrant:/home/vagrant# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:06:e8:56 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 66321sec preferred_lft 66321sec
    inet6 fe80::a00:27ff:fe06:e856/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:0a:7f:75 brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.0.142/24 metric 100 brd 192.168.0.255 scope global dynamic eth1
       valid_lft 3331sec preferred_lft 3331sec
    inet6 fe80::a00:27ff:fe0a:7f75/64 scope link
       valid_lft forever preferred_lft forever
root@vagrant:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@vagrant:/home/vagrant# apt-get update
Hit:1 https://packages.wazuh.com/4.x/apt stable InRelease
Hit:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Get:4 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Hit:6 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:7 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1,988 kB]
Get:8 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [40.5 kB]
Fetched 2,174 kB in 3s (780 kB/s)
Reading package lists...
Done root@vagrant:/home/vagrant# systemctl stop filebeat systemctl stop wazuh-dashboard root@vagrant:/home/vagrant# systemctl stop wazuh-indexer root@vagrant:/home/vagrant# apt-get install wazuh-indexer Reading package lists... Done Building dependency tree... Done Reading state information... Done The following packages will be upgraded: wazuh-indexer 1 upgraded, 0 newly installed, 0 to remove and 86 not upgraded. Need to get 0 B/850 MB of archives. After this operation, 26.6 MB of additional disk space will be used. (Reading database ... 159323 files and directories currently installed.) Preparing to unpack .../wazuh-indexer_4.9.0-1_amd64.deb ... Running Wazuh Indexer Pre-Installation Script Unpacking wazuh-indexer (4.9.0-1) over (4.8.2-1) ... Setting up wazuh-indexer (4.9.0-1) ... Installing new version of config file /etc/default/wazuh-indexer ... Configuration file '/etc/init.d/wazuh-indexer' ==> Deleted (by you or by a script) since installation. ==> Package distributor has shipped an updated version. What would you like to do about it ? Your options are: Y or I : install the package maintainer's version N or O : keep your currently-installed version D : show the differences between the versions Z : start a shell to examine the situation The default action is to keep your current version. *** wazuh-indexer (Y/I/N/O/D/Z) [default=N] ? Y Installing new version of config file /etc/init.d/wazuh-indexer ... Configuration file '/etc/wazuh-indexer/jvm.options' ==> Modified (by you or by a script) since installation. ==> Package distributor has shipped an updated version. What would you like to do about it ? Your options are: Y or I : install the package maintainer's version N or O : keep your currently-installed version D : show the differences between the versions Z : start a shell to examine the situation The default action is to keep your current version. *** jvm.options (Y/I/N/O/D/Z) [default=N] ? 
Y Installing new version of config file /etc/wazuh-indexer/jvm.options ... Installing new version of config file /etc/wazuh-indexer/log4j2.properties ... Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ... Configuration file '/etc/wazuh-indexer/opensearch-security/internal_users.yml' ==> Modified (by you or by a script) since installation. ==> Package distributor has shipped an updated version. What would you like to do about it ? Your options are: Y or I : install the package maintainer's version N or O : keep your currently-installed version D : show the differences between the versions Z : start a shell to examine the situation The default action is to keep your current version. *** internal_users.yml (Y/I/N/O/D/Z) [default=N] ? Y Installing new version of config file /etc/wazuh-indexer/opensearch-security/internal_users.yml ... Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles.yml ... Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles_mapping.yml ... Running Wazuh Indexer Post-Installation Script ### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd sudo systemctl daemon-reload sudo systemctl enable wazuh-indexer.service ### You can start wazuh-indexer service by executing sudo systemctl start wazuh-indexer.service Scanning processes... Scanning linux images... Running kernel seems to be up-to-date. No services need to be restarted. No containers need to be restarted. No user sessions are running outdated binaries. No VM guests are running outdated hypervisor (qemu) binaries on this host. root@vagrant:/home/vagrant# systemctl daemon-reload systemctl enable wazuh-indexer systemctl start wazuh-indexer Synchronizing state of wazuh-indexer.service with SysV service script with /lib/systemd/systemd-sysv-install. 
Executing: /lib/systemd/systemd-sysv-install enable wazuh-indexer root@vagrant:/home/vagrant# curl -k -u 'admin:pu+MkkRPr76q3aCr?3CX7H2+5jXOSOy+' https://127.0.0.1:9200/_cat/nodes?v OpenSearch Security not initialized.root@vagrant:/home/vagrant# curl -k -u 'admin:pu+MkkRPr76q3aCr?3CX7H2+5jXOSOy+' https://127.0.0.1:9200/_cat/nodes?v OpenSearch Security not initialized.root@vagrant:/home/vagrant# curl -k -u 'admin:pu+MkkRPr76q3aCr?3CX7H2+5jXOSOy+' https://127.0.0.1:9200/_cat/nodes?v root@vagrant:/home/vagrant# apt-get install wazuh-indexer Reading package lists... Done Building dependency tree... Done Reading state information... Done wazuh-indexer is already the newest version (4.9.0-1). 0 upgraded, 0 newly installed, 0 to remove and 86 not upgraded. root@vagrant:/home/vagrant# systemctl daemon-reload systemctl enable wazuh-indexer systemctl start wazuh-indexer Synchronizing state of wazuh-indexer.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable wazuh-indexer root@vagrant:/home/vagrant# systemctl start wazuh-indexer root@vagrant:/home/vagrant# curl -k -u 'admin:pu+MkkRPr76q3aCr?3CX7H2+5jXOSOy+' https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 127.0.0.1 47 96 9 1.54 1.55 1.17 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 root@vagrant:/home/vagrant# apt-get install wazuh-manager Reading package lists... Done Building dependency tree... Done Reading state information... Done Suggested packages: expect The following packages will be upgraded: wazuh-manager 1 upgraded, 0 newly installed, 0 to remove and 85 not upgraded. Need to get 0 B/322 MB of archives. After this operation, 24.2 MB disk space will be freed. (Reading database ... 159336 files and directories currently installed.) Preparing to unpack .../wazuh-manager_4.9.0-1_amd64.deb ... Unpacking wazuh-manager (4.9.0-1) over (4.8.2-1) ... 
Setting up wazuh-manager (4.9.0-1) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@vagrant:/home/vagrant# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
root@vagrant:/home/vagrant# /var/ossec/bin/wazuh-keystore -f indexer -k password -v pu+MkkRPr76q3aCr?3CX7H2+5jXOSOy+
root@vagrant:/home/vagrant# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@vagrant:/home/vagrant# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
root@vagrant:/home/vagrant# systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
root@vagrant:/home/vagrant# filebeat setup --pipelines
filebeat setup --index-management -E output.logstash.enabled=false
Loaded Ingest pipelines
ILM policy and write alias loading not enabled.

Index setup finished.
root@vagrant:/home/vagrant# apt-get install wazuh-dashboard
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  wazuh-dashboard
1 upgraded, 0 newly installed, 0 to remove and 84 not upgraded.
Need to get 166 MB of archives.
After this operation, 64.3 MB disk space will be freed.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.9.0-2 [166 MB]
Fetched 166 MB in 11s (15.0 MB/s)
(Reading database ... 161283 files and directories currently installed.)
Preparing to unpack .../wazuh-dashboard_4.9.0-2_amd64.deb ...
Unpacking wazuh-dashboard (4.9.0-2) over (4.8.2-1) ...
Setting up wazuh-dashboard (4.9.0-2) ...
Installing new version of config file /etc/systemd/system/wazuh-dashboard ...
Installing new version of config file /etc/wazuh-dashboard/node.options ...

Configuration file '/etc/wazuh-dashboard/opensearch_dashboards.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** opensearch_dashboards.yml (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-dashboard/opensearch_dashboards.yml ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@vagrant:/home/vagrant# systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
```
Verify files
```console
root@vagrant:/home/vagrant# cat /etc/default/wazuh-dashboard
user="wazuh-dashboard"
group="wazuh-dashboard"
chroot="/"
chdir="/"
nice=""
KILL_ON_STOP_TIMEOUT=0
OSD_PATH_CONF="/etc/wazuh-dashboard"
root@vagrant:/home/vagrant# cat /usr/share/wazuh-dashboard/bin/opensearch-dashboards
#!/bin/sh
#
# SPDX-License-Identifier: Apache-2.0
#
# The OpenSearch Contributors require contributions made to
# this file be licensed under the Apache-2.0 license or a
# compatible open source license.
#
# Any modifications Copyright OpenSearch Contributors. See
# GitHub history for details.
#

SCRIPT="$0"

# SCRIPT may be an arbitrarily deep series of symlinks. Loop until we have the concrete path.
while [ -h "$SCRIPT" ] ; do
  loc=$(ls -ld "$SCRIPT")
  # Drop everything prior to ->
  link=$(expr "$loc" : '.*-> \(.*\)$')
  if expr "$link" : '/.*' > /dev/null; then
    SCRIPT="$link"
  else
    SCRIPT=$(dirname "$SCRIPT")/"$link"
  fi
done

# Get an absolute path for OSD_HOME
OSD_HOME="$(cd "$(dirname "${SCRIPT}")/.."; pwd)"

OSD_PATH_CONF="/etc/wazuh-dashboard" OSD_NODE_OPTS_PREFIX="--no-warnings --max-http-header-size=65536" OSD_USE_NODE_JS_FILE_PATH=/src/cli/dist NODE_ENV=production exec ${OSD_HOME}/bin/use_node "${@}"
root@vagrant:/home/vagrant# ls -l /etc/wazuh-dashboard/
total 20
dr-x------ 2 wazuh-dashboard wazuh-dashboard 4096 Sep  6 16:45 certs
-rw-r----- 1 wazuh-dashboard wazuh-dashboard  312 May  5  2023 node.options
-rw-r----- 1 wazuh-dashboard wazuh-dashboard  254 Sep  6 16:46 opensearch_dashboards.keystore
-rw-r----- 1 wazuh-dashboard wazuh-dashboard  642 May  5  2023 opensearch_dashboards.yml
-rw-r----- 1 wazuh-dashboard wazuh-dashboard  714 Sep  6 16:45 opensearch_dashboards.yml.dpkg-old
root@vagrant:/home/vagrant# ls -l /usr/share/wazuh-dashboard/config/
total 8
-rw-r----- 1 wazuh-dashboard wazuh-dashboard 312 May  5  2023 node.options
-rw-r----- 1 wazuh-dashboard wazuh-dashboard 642 May  5  2023 opensearch_dashboards.yml
```

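The upgrade log above verifies three things by hand: that the certificate directories still have the 500/400 permissions and owners the install steps in this thread set, that the dpkg prompt for `opensearch_dashboards.yml` (answered `Y`, leaving a 714-byte `.dpkg-old` beside the new 642-byte maintainer file) did not silently discard local settings, and that the indexer, which first answered `OpenSearch Security not initialized.` and then an empty body right after `systemctl start wazuh-indexer`, is actually serving the node table. The script below is an added example, not code from this thread or from the Wazuh project; it automates those three checks. The paths and owner names are taken from the layout used in the thread, and the netrc credentials file, the `--cacert` argument in place of `-k`, and the `run` argument are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Post-upgrade checks for a Wazuh indexer/dashboard host. Added example, not
# code from the wazuh-dashboard test thread or from the Wazuh project. Paths,
# owner names, the netrc file and the CA file are assumptions taken from the
# layout used in the thread, not from any Wazuh tooling.

# check_cert_dir DIR OWNER
# Returns 0 when DIR is mode 500 and owned by OWNER and every regular file in
# it is mode 400 and owned by OWNER (what chmod 500 / chmod 400 / chown set
# during install). Prints each deviation and returns 1 otherwise.
check_cert_dir() {
  local dir=$1 owner=$2 rc=0 f mode own
  [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
  mode=$(stat -c '%a' "$dir"); own=$(stat -c '%U' "$dir")
  [ "$mode" = 500 ] || { echo "$dir: mode $mode, want 500"; rc=1; }
  [ "$own" = "$owner" ] || { echo "$dir: owner $own, want $owner"; rc=1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f"); own=$(stat -c '%U' "$f")
    [ "$mode" = 400 ] || { echo "$f: mode $mode, want 400"; rc=1; }
    [ "$own" = "$owner" ] || { echo "$f: owner $own, want $owner"; rc=1; }
  done
  return "$rc"
}

# find_config_leftovers DIR...
# Prints package-manager config leftovers under the given directories, sorted.
# Answering "Y" at the dpkg prompt keeps the old file as *.dpkg-old (as in the
# log above); answering "N" keeps the maintainer's copy as *.dpkg-dist. rpm
# uses *.rpmsave / *.rpmnew for the same situations. Each one still needs a
# diff against the live file before the service is trusted.
find_config_leftovers() {
  find "$@" -type f \( -name '*.dpkg-old' -o -name '*.dpkg-dist' \
       -o -name '*.rpmsave' -o -name '*.rpmnew' \) 2>/dev/null | sort
}

# classify_indexer_response BODY
# Maps the body of GET /_cat/nodes?v to one word. Right after starting the
# service the indexer answers with plain text "OpenSearch Security not
# initialized." and then with an empty body before the node table appears,
# so a script must not treat "curl returned something" as "ready".
classify_indexer_response() {
  local body=$1
  case $body in
    '')                                      echo no-response ;;
    *'OpenSearch Security not initialized'*) echo security-not-initialized ;;
    *cluster_manager*)                       echo up ;;
    *)                                       echo unexpected ;;
  esac
}

# wait_for_indexer URL NETRC_FILE CA_FILE [ATTEMPTS]
# Polls GET URL/_cat/nodes?v until classify_indexer_response says "up"
# (default 30 attempts, 2 s apart). Credentials come from a mode-600 netrc
# file ("machine 127.0.0.1 login admin password <pw>") rather than from the
# command line, so the admin password is not visible in ps output or shell
# history, and the server certificate is verified against CA_FILE instead of
# being skipped with -k.
wait_for_indexer() {
  local url=$1 netrc=$2 ca=$3 attempts=${4:-30} i=0 body state=no-response
  while [ "$i" -lt "$attempts" ]; do
    i=$((i + 1))
    body=$(curl -s --netrc-file "$netrc" --cacert "$ca" "$url/_cat/nodes?v" 2>/dev/null) || body=''
    state=$(classify_indexer_response "$body")
    [ "$state" = up ] && { echo "indexer up after $i attempt(s)"; return 0; }
    sleep 2
  done
  echo "indexer not ready after $attempts attempt(s): last state $state"
  return 1
}

# Run all checks for the layout used in the thread: bash post-upgrade-check.sh run
if [ "${1:-}" = run ]; then
  check_cert_dir /etc/wazuh-indexer/certs wazuh-indexer
  check_cert_dir /etc/filebeat/certs root
  check_cert_dir /etc/wazuh-dashboard/certs wazuh-dashboard
  find_config_leftovers /etc/wazuh-indexer /etc/wazuh-dashboard /etc/filebeat
  wait_for_indexer https://127.0.0.1:9200 /root/.netrc /etc/wazuh-indexer/certs/root-ca.pem
fi
```

The functions only use `stat -c`, `find` and `curl`, so the script runs on the Ubuntu and CentOS hosts used in this thread. A non-empty result from `find_config_leftovers` is the cue to `diff` the leftover against the installed file and port any local settings back in, since whatever was in the 714-byte `opensearch_dashboards.yml` shown above was not carried into the 642-byte maintainer version.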

rauldpm commented 1 month ago

RPM testing

Step-by-Step 4.9.0 RPM :green_circle: - Wazuh indexer install ``` [root@centos7 vagrant]# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-certs-tool.sh [root@centos7 vagrant]# curl -sO https://packages-dev.wazuh.com/4.9/config.yml [root@centos7 vagrant]# nano config.yml bash: nano: command not found [root@centos7 vagrant]# yum install nano -y Loaded plugins: fastestmirror Determining fastest mirrors base | 3.6 kB 00:00:00 extras | 2.9 kB 00:00:00 updates | 2.9 kB 00:00:00 (1/4): base/7/x86_64/group_gz | 153 kB 00:00:00 (2/4): extras/7/x86_64/primary_db | 253 kB 00:00:00 (3/4): base/7/x86_64/primary_db | 6.1 MB 00:00:00 (4/4): updates/7/x86_64/primary_db | 27 MB 00:00:00 Resolving Dependencies --> Running transaction check ---> Package nano.x86_64 0:2.3.1-10.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved =================================================================================================================================================================================================================== Package Arch Version Repository Size =================================================================================================================================================================================================================== Installing: nano x86_64 2.3.1-10.el7 base 440 k Transaction Summary =================================================================================================================================================================================================================== Install 1 Package Total download size: 440 k Installed size: 1.6 M Downloading packages: warning: /var/cache/yum/x86_64/7/base/packages/nano-2.3.1-10.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY Public key for nano-2.3.1-10.el7.x86_64.rpm is not installed nano-2.3.1-10.el7.x86_64.rpm | 440 kB 00:00:00 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Importing GPG 
key 0xF4A80EB5: Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) " Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5 Package : centos-release-7-8.2003.0.el7.centos.x86_64 (@anaconda) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : nano-2.3.1-10.el7.x86_64 1/1 Verifying : nano-2.3.1-10.el7.x86_64 1/1 Installed: nano.x86_64 0:2.3.1-10.el7 Complete! [root@centos7 vagrant]# nano config.yml [root@centos7 vagrant]# nano config.yml [root@centos7 vagrant]# bash ./wazuh-certs-tool.sh -A 06/09/2024 21:10:31 INFO: Verbose logging redirected to /home/vagrant/wazuh-certificates-tool.log 06/09/2024 21:10:31 INFO: Generating the root certificate. 06/09/2024 21:10:31 INFO: Generating Admin certificates. 06/09/2024 21:10:31 INFO: Admin certificates created. 06/09/2024 21:10:31 INFO: Generating Wazuh indexer certificates. 06/09/2024 21:10:31 INFO: Wazuh indexer certificates created. 06/09/2024 21:10:31 INFO: Generating Filebeat certificates. 06/09/2024 21:10:31 INFO: Wazuh Filebeat certificates created. 06/09/2024 21:10:31 INFO: Generating Wazuh dashboard certificates. 06/09/2024 21:10:31 INFO: Wazuh dashboard certificates created. [root@centos7 vagrant]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . 
./ ./root-ca.key ./root-ca.pem ./admin-key.pem ./admin.pem ./node-1-key.pem ./node-1.pem ./wazuh-1-key.pem ./wazuh-1.pem ./dashboard-key.pem ./dashboard.pem [root@centos7 vagrant]# yum install coreutils Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Resolving Dependencies --> Running transaction check ---> Package coreutils.x86_64 0:8.22-24.el7 will be updated ---> Package coreutils.x86_64 0:8.22-24.el7_9.2 will be an update --> Finished Dependency Resolution Dependencies Resolved =================================================================================================================================================================================================================== Package Arch Version Repository Size =================================================================================================================================================================================================================== Updating: coreutils x86_64 8.22-24.el7_9.2 updates 3.3 M Transaction Summary =================================================================================================================================================================================================================== Upgrade 1 Package Total download size: 3.3 M Is this ok [y/d/N]: y Downloading packages: No Presto metadata available for updates coreutils-8.22-24.el7_9.2.x86_64.rpm | 3.3 MB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : coreutils-8.22-24.el7_9.2.x86_64 1/2 Cleanup : coreutils-8.22-24.el7.x86_64 2/2 Verifying : coreutils-8.22-24.el7_9.2.x86_64 1/2 Verifying : coreutils-8.22-24.el7.x86_64 2/2 Updated: coreutils.x86_64 0:8.22-24.el7_9.2 Complete! 
[root@centos7 vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH [root@centos7 vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 [root@centos7 vagrant]# yum -y install wazuh-indexer Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile wazuh | 3.5 kB 00:00:00 wazuh/primary_db | 531 kB 00:00:02 Resolving Dependencies --> Running transaction check ---> Package wazuh-indexer.x86_64 0:4.9.0-1 will be installed --> Finished Dependency Resolution Dependencies Resolved =================================================================================================================================================================================================================== Package Arch Version Repository Size =================================================================================================================================================================================================================== Installing: wazuh-indexer x86_64 4.9.0-1 wazuh 813 M Transaction Summary =================================================================================================================================================================================================================== Install 1 Package Total download size: 813 M Installed size: 1.0 G Downloading packages: wazuh-indexer-4.9.0-1.x86_64.rpm | 813 MB 00:00:38 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : wazuh-indexer-4.9.0-1.x86_64 1/1 ### NOT starting on installation, please execute the following statements to configure wazuh-indexer 
service to start automatically using systemd sudo systemctl daemon-reload sudo systemctl enable wazuh-indexer.service ### You can start wazuh-indexer service by executing sudo systemctl start wazuh-indexer.service Verifying : wazuh-indexer-4.9.0-1.x86_64 1/1 Installed: wazuh-indexer.x86_64 0:4.9.0-1 Complete! [root@centos7 vagrant]# nano /etc/wazuh-indexer/opensearch.yml [root@centos7 vagrant]# NODE_NAME=node-1 [root@centos7 vagrant]# mkdir /etc/wazuh-indexer/certs [root@centos7 vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem [root@centos7 vagrant]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem [root@centos7 vagrant]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem [root@centos7 vagrant]# chmod 500 /etc/wazuh-indexer/certs [root@centos7 vagrant]# chmod 400 /etc/wazuh-indexer/certs/* [root@centos7 vagrant]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs [root@centos7 vagrant]# systemctl daemon-reload [root@centos7 vagrant]# systemctl enable wazuh-indexer Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service. [root@centos7 vagrant]# systemctl start wazuh-indexer [root@centos7 vagrant]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.13.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... 
Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success 
[root@centos7 vagrant]# curl -k -u admin:admin https://192.168.56.4:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "95rLiEZFQsey84MiDnaiPw", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "9fd1835bba77ae04d48550eb4dc9be4787070806", "build_date" : "2024-08-30T10:04:33.447803Z", "build_snapshot" : false, "lucene_version" : "9.10.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } [root@centos7 vagrant]# curl -k -u admin:admin https://192.168.56.4:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 10.0.2.15 54 87 3 0.19 0.14 0.06 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 ``` - Wazuh manager and Filebeat ``` [root@centos7 vagrant]# yum -y install wazuh-manager Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Resolving Dependencies --> Running transaction check ---> Package wazuh-manager.x86_64 0:4.9.0-1 will be installed --> Finished Dependency Resolution Dependencies Resolved =================================================================================================================================================================================================================== Package Arch Version Repository Size =================================================================================================================================================================================================================== Installing: wazuh-manager x86_64 4.9.0-1 wazuh 303 M Transaction Summary =================================================================================================================================================================================================================== Install 1 Package Total download size: 303 M Installed size: 857 M Downloading 
packages:
wazuh-manager-4.9.0-1.x86_64.rpm                                   | 303 MB  00:00:16
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-manager-4.9.0-1.x86_64                                          1/1
  Verifying  : wazuh-manager-4.9.0-1.x86_64                                          1/1

Installed:
  wazuh-manager.x86_64 0:4.9.0-1

Complete!
[root@centos7 vagrant]# yum -y install filebeat
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:7.10.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch            Version              Repository        Size
================================================================================
Installing:
 filebeat           x86_64          7.10.2-1             wazuh             21 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 21 M
Installed size: 70 M
Downloading packages:
filebeat-oss-7.10.2-x86_64.rpm                                     |  21 MB  00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : filebeat-7.10.2-1.x86_64                                              1/1
  Verifying  : filebeat-7.10.2-1.x86_64                                              1/1

Installed:
  filebeat.x86_64 0:7.10.2-1

Complete!
[root@centos7 vagrant]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml
[root@centos7 vagrant]# nano /etc/filebeat/filebeat.yml
[root@centos7 vagrant]# filebeat keystore create
Created filebeat keystore
[root@centos7 vagrant]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@centos7 vagrant]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@centos7 vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@centos7 vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@centos7 vagrant]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@centos7 vagrant]# NODE_NAME=wazuh-1
[root@centos7 vagrant]# nano config.yml
[root@centos7 vagrant]# mkdir /etc/filebeat/certs
[root@centos7 vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@centos7 vagrant]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@centos7 vagrant]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@centos7 vagrant]# chmod 500 /etc/filebeat/certs
[root@centos7 vagrant]# chmod 400 /etc/filebeat/certs/*
[root@centos7 vagrant]# chown -R root:root /etc/filebeat/certs
[root@centos7 vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@centos7 vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v admin
[root@centos7 vagrant]# nano /var/ossec/etc/ossec.conf
[root@centos7 vagrant]# nano /var/ossec/etc/ossec.conf
[root@centos7 vagrant]# ls -l /etc/filebeat/certs/
total 12
-r--------. 1 root root 1704 Sep  6 21:10 filebeat-key.pem
-r--------. 1 root root 1220 Sep  6 21:10 filebeat.pem
-r--------. 1 root root 1184 Sep  6 21:10 root-ca.pem
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
[root@centos7 vagrant]# systemctl start wazuh-manager
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-manager
[root@centos7 vagrant]# systemctl start wazuh-manager
[root@centos7 vagrant]# systemctl enable filebeat
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
[root@centos7 vagrant]# systemctl start filebeat
[root@centos7 vagrant]# filebeat test output
elasticsearch: https://192.168.56.4:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.4
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

- Wazuh dashboard

```
[root@centos7 vagrant]# yum install libcap
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package libcap-2.22-11.el7.x86_64 already installed and latest version
Nothing to do
[root@centos7 vagrant]# yum -y install wazuh-dashboard
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.9.0-2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch          Version           Repository        Size
================================================================================
Installing:
 wazuh-dashboard       x86_64        4.9.0-2           wazuh             253 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 253 M
Installed size: 848 M
Downloading packages:
wazuh-dashboard-4.9.0-2.x86_64.rpm                                 | 253 MB  00:00:13
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-dashboard-4.9.0-2.x86_64                                        1/1
  Verifying  : wazuh-dashboard-4.9.0-2.x86_64                                        1/1

Installed:
  wazuh-dashboard.x86_64 0:4.9.0-2

Complete!
[root@centos7 vagrant]# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@centos7 vagrant]# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
[root@centos7 vagrant]# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@centos7 vagrant]# NODE_NAME=dashboard
[root@centos7 vagrant]# mkdir /etc/wazuh-dashboard/certs
[root@centos7 vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@centos7 vagrant]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv: ‘/etc/wazuh-dashboard/certs/dashboard.pem’ and ‘/etc/wazuh-dashboard/certs/dashboard.pem’ are the same file
[root@centos7 vagrant]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
mv: ‘/etc/wazuh-dashboard/certs/dashboard-key.pem’ and ‘/etc/wazuh-dashboard/certs/dashboard-key.pem’ are the same file
[root@centos7 vagrant]# chmod 500 /etc/wazuh-dashboard/certs
[root@centos7 vagrant]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@centos7 vagrant]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-dashboard
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service to /etc/systemd/system/wazuh-dashboard.service.
[root@centos7 vagrant]# systemctl start wazuh-dashboard
```

![image](https://github.com/user-attachments/assets/d363d097-b6db-48e3-a4f1-297ddcfa7833)
Wazuh installation assistant 4.9.0 RPM :green_circle:

```
[root@centos7 vagrant]# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
06/09/2024 21:29:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
06/09/2024 21:29:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 21:29:49 INFO: Verifying that your system meets the recommended minimum hardware requirements.
06/09/2024 21:29:49 INFO: Wazuh web interface port will be 443.
06/09/2024 21:29:49 INFO: --- Dependencies ---
06/09/2024 21:29:49 INFO: Installing lsof.
06/09/2024 21:29:56 INFO: Wazuh development repository added.
06/09/2024 21:29:56 INFO: --- Configuration files ---
06/09/2024 21:29:56 INFO: Generating configuration files.
06/09/2024 21:29:56 INFO: Generating the root certificate.
06/09/2024 21:29:56 INFO: Generating Admin certificates.
06/09/2024 21:29:56 INFO: Generating Wazuh indexer certificates.
06/09/2024 21:29:56 INFO: Generating Filebeat certificates.
06/09/2024 21:29:56 INFO: Generating Wazuh dashboard certificates.
06/09/2024 21:29:57 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 21:29:57 INFO: --- Wazuh indexer ---
06/09/2024 21:29:57 INFO: Starting Wazuh indexer installation.
06/09/2024 21:30:26 INFO: Wazuh indexer installation finished.
06/09/2024 21:30:26 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 21:30:26 INFO: Starting service wazuh-indexer.
06/09/2024 21:30:33 INFO: wazuh-indexer service started.
06/09/2024 21:30:33 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 21:30:36 INFO: Wazuh indexer cluster security configuration initialized.
06/09/2024 21:30:36 INFO: Wazuh indexer cluster initialized.
06/09/2024 21:30:36 INFO: --- Wazuh server ---
06/09/2024 21:30:36 INFO: Starting the Wazuh manager installation.
06/09/2024 21:31:11 INFO: Wazuh manager installation finished.
06/09/2024 21:31:11 INFO: Wazuh manager vulnerability detection configuration finished.
06/09/2024 21:31:11 INFO: Starting service wazuh-manager.
06/09/2024 21:31:22 INFO: wazuh-manager service started.
06/09/2024 21:31:22 INFO: Starting Filebeat installation.
06/09/2024 21:31:26 INFO: Filebeat installation finished.
06/09/2024 21:31:28 INFO: Filebeat post-install configuration finished.
06/09/2024 21:31:28 INFO: Starting service filebeat.
06/09/2024 21:31:28 INFO: filebeat service started.
06/09/2024 21:31:28 INFO: --- Wazuh dashboard ---
06/09/2024 21:31:28 INFO: Starting Wazuh dashboard installation.
06/09/2024 21:32:21 INFO: Wazuh dashboard installation finished.
06/09/2024 21:32:21 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 21:32:21 INFO: Starting service wazuh-dashboard.
06/09/2024 21:32:21 INFO: wazuh-dashboard service started.
06/09/2024 21:32:21 INFO: Updating the internal users.
06/09/2024 21:32:23 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
06/09/2024 21:32:29 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
06/09/2024 21:32:59 INFO: Initializing Wazuh dashboard web application.
06/09/2024 21:32:59 INFO: Wazuh dashboard web application initialized.
06/09/2024 21:32:59 INFO: --- Summary ---
06/09/2024 21:32:59 INFO: You can access the web interface https://:443
    User: admin
    Password: hMLJ+k4TtD3pAY8*9GVSVhSf?vcX6QND
06/09/2024 21:32:59 INFO: --- Dependencies ---
06/09/2024 21:32:59 INFO: Removing lsof.
06/09/2024 21:33:00 INFO: Installation finished.
[root@centos7 vagrant]# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true
```

![image](https://github.com/user-attachments/assets/f4688db8-3747-4d12-ba10-780866a78691)
Step-by-Step Upgrade 4.8.2 - 4.9.0 RPM :green_circle:

- Install indexer 4.8.2

```
[root@centos7 vagrant]# curl -sO https://packages.wazuh.com/4.8/wazuh-certs-tool.sh
[root@centos7 vagrant]# curl -sO https://packages.wazuh.com/4.8/config.yml
[root@centos7 vagrant]# nano config.yml
[root@centos7 vagrant]# nano config.yml
[root@centos7 vagrant]# bash ./wazuh-certs-tool.sh -A
06/09/2024 22:46:46 INFO: Generating the root certificate.
06/09/2024 22:46:47 INFO: Generating Admin certificates.
06/09/2024 22:46:47 INFO: Admin certificates created.
06/09/2024 22:46:47 INFO: Generating Wazuh indexer certificates.
06/09/2024 22:46:47 INFO: Wazuh indexer certificates created.
06/09/2024 22:46:47 INFO: Generating Filebeat certificates.
06/09/2024 22:46:47 INFO: Wazuh Filebeat certificates created.
06/09/2024 22:46:47 INFO: Generating Wazuh dashboard certificates.
06/09/2024 22:46:47 INFO: Wazuh dashboard certificates created.
[root@centos7 vagrant]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./wazuh-1-key.pem
./wazuh-1.pem
./dashboard-key.pem
./dashboard.pem
[root@centos7 vagrant]# yum install coreutils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package coreutils.x86_64 0:8.22-24.el7 will be updated
---> Package coreutils.x86_64 0:8.22-24.el7_9.2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch          Version                 Repository       Size
================================================================================
Updating:
 coreutils         x86_64        8.22-24.el7_9.2         updates          3.3 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 3.3 M
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for updates
coreutils-8.22-24.el7_9.2.x86_64.rpm                               | 3.3 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : coreutils-8.22-24.el7_9.2.x86_64                                      1/2
  Cleanup    : coreutils-8.22-24.el7.x86_64                                          2/2
  Verifying  : coreutils-8.22-24.el7_9.2.x86_64                                      1/2
  Verifying  : coreutils-8.22-24.el7.x86_64                                          2/2

Updated:
  coreutils.x86_64 0:8.22-24.el7_9.2

Complete!
[root@centos7 vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@centos7 vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
[root@centos7 vagrant]# yum -y install wazuh-indexer
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
wazuh                                                              | 3.4 kB  00:00:00
wazuh/primary_db                                                   | 526 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.8.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch          Version           Repository        Size
================================================================================
Installing:
 wazuh-indexer       x86_64        4.8.2-1           wazuh             743 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 743 M
Installed size: 1.0 G
Downloading packages:
wazuh-indexer-4.8.2-1.x86_64.rpm                                   | 743 MB  00:00:10
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-indexer-4.8.2-1.x86_64                                          1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Verifying  : wazuh-indexer-4.8.2-1.x86_64                                          1/1

Installed:
  wazuh-indexer.x86_64 0:4.8.2-1

Complete!
[root@centos7 vagrant]# nano /etc/wazuh-indexer/opensearch.yml
[root@centos7 vagrant]# NODE_NAME=node-1
[root@centos7 vagrant]# mkdir /etc/wazuh-indexer/certs
[root@centos7 vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
[root@centos7 vagrant]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
[root@centos7 vagrant]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
[root@centos7 vagrant]# chmod 500 /etc/wazuh-indexer/certs
[root@centos7 vagrant]# chmod 400 /etc/wazuh-indexer/certs/*
[root@centos7 vagrant]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-indexer
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
[root@centos7 vagrant]# systemctl start wazuh-indexer
/usr/share/wazuh-indexer/bin/indexer-security-init.sh[root@centos7 vagrant]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
[root@centos7 vagrant]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "3-0UrnjsSimaQLJOiafAHg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@centos7 vagrant]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.2.15           45          86   4    0.14    0.14     0.10 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
```

- Install server 4.8.2

```
[root@centos7 vagrant]# yum -y install wazuh-manager
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.8.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch          Version           Repository        Size
================================================================================
Installing:
 wazuh-manager       x86_64        4.8.2-1           wazuh             295 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 295 M
Installed size: 885 M
Downloading packages:
wazuh-manager-4.8.2-1.x86_64.rpm                                   | 295 MB  00:00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-manager-4.8.2-1.x86_64                                          1/1
  Verifying  : wazuh-manager-4.8.2-1.x86_64                                          1/1

Installed:
  wazuh-manager.x86_64 0:4.8.2-1

Complete!
[root@centos7 vagrant]# yum -y install filebeat
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:7.10.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch            Version              Repository        Size
================================================================================
Installing:
 filebeat           x86_64          7.10.2-1             wazuh             21 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 21 M
Installed size: 70 M
Downloading packages:
filebeat-oss-7.10.2-x86_64.rpm                                     |  21 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : filebeat-7.10.2-1.x86_64                                              1/1
  Verifying  : filebeat-7.10.2-1.x86_64                                              1/1

Installed:
  filebeat.x86_64 0:7.10.2-1

Complete!
[root@centos7 vagrant]# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml
[root@centos7 vagrant]# filebeat keystore create
Created filebeat keystore
[root@centos7 vagrant]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@centos7 vagrant]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@centos7 vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.2/extensions/elasticsearch/7.x/wazuh-template.json
[root@centos7 vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@centos7 vagrant]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@centos7 vagrant]# NODE_NAME=wazuh-1
[root@centos7 vagrant]# mkdir /etc/filebeat/certs
[root@centos7 vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@centos7 vagrant]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@centos7 vagrant]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@centos7 vagrant]# chmod 500 /etc/filebeat/certs
[root@centos7 vagrant]# chmod 400 /etc/filebeat/certs/*
[root@centos7 vagrant]# chown -R root:root /etc/filebeat/certs
[root@centos7 vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@centos7 vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v admin
[root@centos7 vagrant]# nano /var/ossec/etc/ossec.conf
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
[root@centos7 vagrant]# systemctl start wazuh-manager
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable filebeat
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
[root@centos7 vagrant]# systemctl start filebeat
[root@centos7 vagrant]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

- Install dashboard 4.8.2

```
[root@centos7 vagrant]# yum -y install wazuh-dashboard
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.8.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch          Version           Repository        Size
================================================================================
Installing:
 wazuh-dashboard       x86_64        4.8.2-1           wazuh             275 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 275 M
Installed size: 911 M
Downloading packages:
wazuh-dashboard-4.8.2-1.x86_64.rpm                                 | 275 MB  00:00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-dashboard-4.8.2-1.x86_64                                        1/1
  Verifying  : wazuh-dashboard-4.8.2-1.x86_64                                        1/1

Installed:
  wazuh-dashboard.x86_64 0:4.8.2-1

Complete!
[root@centos7 vagrant]# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@centos7 vagrant]# NODE_NAME=dashboard
[root@centos7 vagrant]# mkdir /etc/wazuh-dashboard/certs
[root@centos7 vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@centos7 vagrant]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv: ‘/etc/wazuh-dashboard/certs/dashboard.pem’ and ‘/etc/wazuh-dashboard/certs/dashboard.pem’ are the same file
[root@centos7 vagrant]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
mv: ‘/etc/wazuh-dashboard/certs/dashboard-key.pem’ and ‘/etc/wazuh-dashboard/certs/dashboard-key.pem’ are the same file
[root@centos7 vagrant]# chmod 500 /etc/wazuh-dashboard/certs
[root@centos7 vagrant]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@centos7 vagrant]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-dashboard
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service to /etc/systemd/system/wazuh-dashboard.service.
[root@centos7 vagrant]# systemctl start wazuh-dashboard
[root@centos7 vagrant]# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-dashboard
[root@centos7 vagrant]# systemctl start wazuh-dashboard
```

![image](https://github.com/user-attachments/assets/cf8c3188-ad8a-46b9-aab4-4ba579ca6549)

- Upgrade indexer

```
[root@centos7 vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@centos7 vagrant]# systemctl stop filebeat
[root@centos7 vagrant]# systemctl stop wazuh-dashboard
[root@centos7 vagrant]# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u admin:admin -k
{"acknowledged":true}[root@centos7 vagrant]#
[root@centos7 vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:admin -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}[root@centos7 vagrant]#
[root@centos7 vagrant]# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:admin -k
{"_shards":{"total":10,"successful":10,"failed":0}}[root@centos7 vagrant]#
[root@centos7 vagrant]# systemctl stop wazuh-indexer
[root@centos7 vagrant]# yum upgrade wazuh-indexer -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
wazuh                                                              | 3.5 kB  00:00:00
wazuh/primary_db                                                   | 531 kB  00:00:01
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.8.2-1 will be updated
---> Package wazuh-indexer.x86_64 0:4.9.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch          Version           Repository        Size
================================================================================
Updating:
 wazuh-indexer       x86_64        4.9.0-1           wazuh             813 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 813 M
Downloading packages:
wazuh/prestodelta                                                  |  75 B   00:00:00
wazuh-indexer-4.9.0-1.x86_64.rpm                                   | 813 MB  00:00:12
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-indexer-4.9.0-1.x86_64                                          1/2
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
  Cleanup    : wazuh-indexer-4.8.2-1.x86_64                                          2/2
  Verifying  : wazuh-indexer-4.9.0-1.x86_64                                          1/2
  Verifying  : wazuh-indexer-4.8.2-1.x86_64                                          2/2

Updated:
  wazuh-indexer.x86_64 0:4.9.0-1

Complete!
[root@centos7 vagrant]# systemctl daemon-reload [root@centos7 vagrant]# systemctl enable wazuh-indexer [root@centos7 vagrant]# systemctl start wazuh-indexer [root@centos7 vagrant]# curl -k -u : https://127.0.0.1:9200/_cat/nodes?v bash: USERNAME: No such file or directory [root@centos7 vagrant]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 10.0.2.15 46 97 6 0.36 0.44 0.51 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 [root@centos7 vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:admin -k -H 'Content-Type: application/json' -d' > { > "persistent": { > "cluster.routing.allocation.enable": "all" > } > } > ' {"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}[root@centos7 vagrant]# [root@centos7 vagrant]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 10.0.2.15 56 97 0 0.20 0.40 0.49 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 ``` - Upgrade server ``` [root@centos7 vagrant]# yum upgrade wazuh-manager -y Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Resolving Dependencies --> Running transaction check ---> Package wazuh-manager.x86_64 0:4.8.2-1 will be updated ---> Package wazuh-manager.x86_64 0:4.9.0-1 will be an update --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================================================================================================================================= Package Arch Version Repository Size 
================================================================================
Updating:
 wazuh-manager       x86_64       4.9.0-1          wazuh            303 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 303 M
Downloading packages:
wazuh-manager-4.9.0-1.x86_64.rpm                           | 303 MB  00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-manager-4.9.0-1.x86_64                                 1/2
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Cleanup    : wazuh-manager-4.8.2-1.x86_64                                 2/2
  Verifying  : wazuh-manager-4.9.0-1.x86_64                                 1/2
  Verifying  : wazuh-manager-4.8.2-1.x86_64                                 2/2

Updated:
  wazuh-manager.x86_64 0:4.9.0-1

Complete!
[root@centos7 vagrant]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@centos7 vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@centos7 vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable filebeat
[root@centos7 vagrant]# systemctl start filebeat
[root@centos7 vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@centos7 vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.
```
- Upgrade dashboard
```
[root@centos7 vagrant]# cp /etc/wazuh-dashboard/opensearch_dashboards.yml .
[root@centos7 vagrant]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
rm: remove regular file ‘/etc/wazuh-dashboard/opensearch_dashboards.yml’?
y
[root@centos7 vagrant]# yum upgrade wazuh-dashboard -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.8.2-1 will be updated
---> Package wazuh-dashboard.x86_64 0:4.9.0-2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch         Version          Repository        Size
================================================================================
Updating:
 wazuh-dashboard     x86_64       4.9.0-2          wazuh            253 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 253 M
Downloading packages:
wazuh-dashboard-4.9.0-2.x86_64.rpm                         | 253 MB  00:00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-dashboard-4.9.0-2.x86_64                               1/2
  Cleanup    : wazuh-dashboard-4.8.2-1.x86_64                               2/2
  Verifying  : wazuh-dashboard-4.9.0-2.x86_64                               1/2
  Verifying  : wazuh-dashboard-4.8.2-1.x86_64                               2/2

Updated:
  wazuh-dashboard.x86_64 0:4.9.0-2

Complete!
[root@centos7 vagrant]# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@centos7 vagrant]# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
[root@centos7 vagrant]# cat opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://127.0.0.1:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
[root@centos7 vagrant]# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-dashboard
[root@centos7 vagrant]# systemctl start wazuh-dashboard
```
![image](https://github.com/user-attachments/assets/3c5a1e15-deab-45a8-aade-05386520e44c)
Wazuh installation assistant Upgrade 4.8.2 - 4.9.0 RPM :green_circle:
```
[root@centos7 vagrant]# curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
06/09/2024 21:45:25 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.2
06/09/2024 21:45:25 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 21:45:27 INFO: Verifying that your system meets the recommended minimum hardware requirements.
06/09/2024 21:45:30 INFO: --- Dependencies ---
06/09/2024 21:45:30 INFO: Installing lsof.
06/09/2024 21:45:35 INFO: Wazuh web interface port will be 443.
06/09/2024 21:45:36 INFO: Wazuh repository added.
06/09/2024 21:45:36 INFO: --- Configuration files ---
06/09/2024 21:45:36 INFO: Generating configuration files.
06/09/2024 21:45:36 INFO: Generating the root certificate.
06/09/2024 21:45:36 INFO: Generating Admin certificates.
06/09/2024 21:45:36 INFO: Generating Wazuh indexer certificates.
06/09/2024 21:45:36 INFO: Generating Filebeat certificates.
06/09/2024 21:45:36 INFO: Generating Wazuh dashboard certificates.
06/09/2024 21:45:36 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 21:45:36 INFO: --- Wazuh indexer ---
06/09/2024 21:45:36 INFO: Starting Wazuh indexer installation.
06/09/2024 21:46:26 INFO: Wazuh indexer installation finished.
06/09/2024 21:46:26 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 21:46:26 INFO: Starting service wazuh-indexer.
06/09/2024 21:46:33 INFO: wazuh-indexer service started.
06/09/2024 21:46:33 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 21:46:43 INFO: Wazuh indexer cluster security configuration initialized.
06/09/2024 21:46:43 INFO: Wazuh indexer cluster initialized.
06/09/2024 21:46:43 INFO: --- Wazuh server ---
06/09/2024 21:46:43 INFO: Starting the Wazuh manager installation.
06/09/2024 21:47:15 INFO: Wazuh manager installation finished.
06/09/2024 21:47:15 INFO: Wazuh manager vulnerability detection configuration finished.
06/09/2024 21:47:15 INFO: Starting service wazuh-manager.
06/09/2024 21:47:27 INFO: wazuh-manager service started.
06/09/2024 21:47:27 INFO: Starting Filebeat installation.
06/09/2024 21:47:31 INFO: Filebeat installation finished.
06/09/2024 21:47:33 INFO: Filebeat post-install configuration finished.
06/09/2024 21:47:33 INFO: Starting service filebeat.
06/09/2024 21:47:33 INFO: filebeat service started.
06/09/2024 21:47:33 INFO: --- Wazuh dashboard ---
06/09/2024 21:47:33 INFO: Starting Wazuh dashboard installation.
06/09/2024 21:48:33 INFO: Wazuh dashboard installation finished.
06/09/2024 21:48:33 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 21:48:33 INFO: Starting service wazuh-dashboard.
06/09/2024 21:48:33 INFO: wazuh-dashboard service started.
06/09/2024 21:48:34 INFO: Updating the internal users.
06/09/2024 21:48:36 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
06/09/2024 21:49:15 INFO: Initializing Wazuh dashboard web application.
06/09/2024 21:49:16 INFO: Wazuh dashboard web application initialized.
06/09/2024 21:49:16 INFO: --- Summary ---
06/09/2024 21:49:16 INFO: You can access the web interface https://:443
    User: admin
    Password: h*S3+k5D7aSlt7iyH0QDz2e4P6h*dnB*
06/09/2024 21:49:16 INFO: --- Dependencies ---
06/09/2024 21:49:16 INFO: Removing lsof.
06/09/2024 21:49:16 INFO: Installation finished.
```
![image](https://github.com/user-attachments/assets/b2b5c175-49bb-4d84-9ab2-7756bed39b08)
```
[root@centos7 vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@centos7 vagrant]# systemctl stop filebeat
[root@centos7 vagrant]# systemctl stop wazuh-dashboard
[root@centos7 vagrant]# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u admin:h*S3+k5D7aSlt7iyH0QDz2e4P6h*dnB* -k
{"acknowledged":true}
[root@centos7 vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:h*S3+k5D7aSlt7iyH0QDz2e4P6h*dnB* -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}
[root@centos7 vagrant]# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:h*S3+k5D7aSlt7iyH0QDz2e4P6h*dnB* -k
{"_shards":{"total":10,"successful":10,"failed":0}}[root@centos7 vagrant]#
[root@centos7 vagrant]# yum upgrade wazuh-indexer
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
wazuh                                                      | 3.5 kB  00:00:00
wazuh/primary_db                                           | 531 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.8.2-1 will be updated
---> Package wazuh-indexer.x86_64 0:4.9.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch         Version          Repository        Size
================================================================================
Updating:
 wazuh-indexer       x86_64       4.9.0-1          wazuh            813 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 813 M
Is this ok [y/d/N]: y
Downloading packages:
wazuh/prestodelta                                          |   75 B  00:00:00
wazuh-indexer-4.9.0-1.x86_64.rpm                           | 813 MB  00:00:17
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Stop existing wazuh-indexer.service
  Updating   : wazuh-indexer-4.9.0-1.x86_64                                 1/2
warning: /etc/wazuh-indexer/jvm.options created as /etc/wazuh-indexer/jvm.options.rpmnew
warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml saved as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmsave
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
  Cleanup    : wazuh-indexer-4.8.2-1.x86_64                                 2/2
  Verifying  : wazuh-indexer-4.9.0-1.x86_64                                 1/2
  Verifying  : wazuh-indexer-4.8.2-1.x86_64                                 2/2

Updated:
  wazuh-indexer.x86_64 0:4.9.0-1

Complete!
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-indexer
[root@centos7 vagrant]# systemctl start wazuh-indexer
[root@centos7 vagrant]# curl -k -u admin:h*S3+k5D7aSlt7iyH0QDz2e4P6h*dnB* https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           37          97   1    0.06    0.26     0.44 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@centos7 vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:h*S3+k5D7aSlt7iyH0QDz2e4P6h*dnB* -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}[root@centos7 vagrant]#
[root@centos7 vagrant]# curl -k -u admin:h*S3+k5D7aSlt7iyH0QDz2e4P6h*dnB* https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           47          96   0    0.04    0.22     0.41 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@centos7 vagrant]# yum upgrade wazuh-manager
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.8.2-1 will be updated
---> Package wazuh-manager.x86_64 0:4.9.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch         Version          Repository        Size
================================================================================
Updating:
 wazuh-manager       x86_64       4.9.0-1          wazuh            303 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 303 M
Is this ok [y/d/N]: y
Downloading packages:
wazuh-manager-4.9.0-1.x86_64.rpm                           | 303 MB  00:00:06
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-manager-4.9.0-1.x86_64                                 1/2
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Cleanup    : wazuh-manager-4.8.2-1.x86_64                                 2/2
  Verifying  : wazuh-manager-4.9.0-1.x86_64                                 1/2
  Verifying  : wazuh-manager-4.8.2-1.x86_64                                 2/2

Updated:
  wazuh-manager.x86_64 0:4.9.0-1

Complete!
[root@centos7 vagrant]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@centos7 vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@centos7 vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable filebeat
[root@centos7 vagrant]# systemctl start filebeat
[root@centos7 vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@centos7 vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading
not enabled.

Index setup finished.
[root@centos7 vagrant]# cp /etc/wazuh-dashboard/opensearch_dashboards.yml .
[root@centos7 vagrant]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
rm: remove regular file ‘/etc/wazuh-dashboard/opensearch_dashboards.yml’? y
[root@centos7 vagrant]# yum upgrade wazuh-dashboard
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.8.2-1 will be updated
---> Package wazuh-dashboard.x86_64 0:4.9.0-2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch         Version          Repository        Size
================================================================================
Updating:
 wazuh-dashboard     x86_64       4.9.0-2          wazuh            253 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 253 M
Is this ok [y/d/N]: y
Downloading packages:
wazuh-dashboard-4.9.0-2.x86_64.rpm                         | 253 MB  00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-dashboard-4.9.0-2.x86_64                               1/2
  Cleanup    : wazuh-dashboard-4.8.2-1.x86_64                               2/2
  Verifying  : wazuh-dashboard-4.9.0-2.x86_64                               1/2
  Verifying  : wazuh-dashboard-4.8.2-1.x86_64                               2/2

Updated:
  wazuh-dashboard.x86_64 0:4.9.0-2

Complete!
[root@centos7 vagrant]# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
[root@centos7 vagrant]# cat opensearch_dashboards.yml
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true
[root@centos7 vagrant]# vi /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@centos7 vagrant]# systemctl daemon-reload
[root@centos7 vagrant]# systemctl enable wazuh-dashboard
[root@centos7 vagrant]# systemctl start wazuh-dashboard
[root@centos7 vagrant]#
```
![image](https://github.com/user-attachments/assets/a6757f44-7c9e-4758-b699-fd0b7c90acdd)
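Two checks a practitioner would bolt onto the step-by-step RPM upgrade above, as an added example that is not part of this issue or of the Wazuh project's own scripts. The first gates on `/_cluster/health` after `systemctl start wazuh-indexer` and before `cluster.routing.allocation.enable` is set back to `all` (or before the next node is touched), so shards are not moved while they are still initializing. The second diffs the backed-up `opensearch_dashboards.yml` against the default the 4.9.0-2 package installs: the two `cat` outputs above show the package file points at `dashboard-key.pem`/`dashboard.pem` instead of the `wazuh-dashboard-*.pem` files the assistant generated, uses `localhost` instead of `127.0.0.1`, and drops `opensearch_security.cookie.secure: true`, which is what the hand edit with `vi` has to put back. Both functions work on text already on disk, so they run without a cluster. The health JSON replies and the file names `saved.yml`/`package.yml` are constructed for the example; the two config bodies are copied from the `cat` output above.

```shell
#!/bin/sh
# Added example; not code from the wazuh-dashboard issue or the Wazuh project.

# ---- 1. gate on /_cluster/health before re-enabling allocation ----------------
# Reads the JSON body of GET /_cluster/health on stdin (one line, as returned
# without ?pretty). Returns 0 when status is green or yellow and no shard is
# initializing or relocating. Yellow is accepted because a single-node cluster
# can never place its replicas; red, or shards still moving, returns 1.
# Plain sed over the flat top-level fields, so no jq is required.
cluster_health_ok() {
    body=$(cat)
    status=$(printf '%s' "$body" | sed -n 's/.*"status":[ ]*"\([a-z]*\)".*/\1/p')
    initializing=$(printf '%s' "$body" | sed -n 's/.*"initializing_shards":[ ]*\([0-9]*\).*/\1/p')
    relocating=$(printf '%s' "$body" | sed -n 's/.*"relocating_shards":[ ]*\([0-9]*\).*/\1/p')
    case "$status" in
        green|yellow) ;;
        *) return 1 ;;
    esac
    [ "${initializing:-1}" -eq 0 ] && [ "${relocating:-1}" -eq 0 ]
}

# Constructed replies (assumed shapes; 10 shards as in the synced flush above).
HEALTH_GREEN='{"cluster_name":"wazuh-cluster","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":10,"active_shards":10,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0}'
HEALTH_RECOVERING='{"cluster_name":"wazuh-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":8,"active_shards":8,"relocating_shards":0,"initializing_shards":2,"unassigned_shards":0}'
HEALTH_RED='{"cluster_name":"wazuh-cluster","status":"red","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":7,"active_shards":7,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":3}'

# Live use (needs the cluster, so not run here). The admin password is read from
# a mode-0600 netrc file rather than passed with -u on the command line:
#   curl -sk --netrc-file /root/.wazuh-netrc https://127.0.0.1:9200/_cluster/health | cluster_health_ok

# ---- 2. drift between the saved and the package-installed dashboard config ----
# opensearch_dashboards.yml is flat "key: value" YAML, so a line parser is
# enough. Prints one line per difference (added / removed / changed, tab
# separated, sorted) and returns 0 only when the two files agree.
config_drift() {
    drift=$(awk -F': *' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        { key = $1; val = $0; sub(/^[^:]*:[ \t]*/, "", val)
          if (NR == FNR) { saved[key] = val; next }  # first file: the backup
          pkg[key] = val }                           # second file: package default
        END {
          for (k in pkg)   if (!(k in saved)) print "added\t" k "\t" pkg[k]
          for (k in saved) if (!(k in pkg))   print "removed\t" k "\t" saved[k]
          for (k in saved) if ((k in pkg) && saved[k] != pkg[k]) print "changed\t" k "\t" saved[k] " -> " pkg[k]
        }' "$1" "$2" | sort)
    [ -n "$drift" ] && printf '%s\n' "$drift"
    [ -z "$drift" ]
}

# Writes the two configs shown in the issue into DIR (file names are ours):
# saved.yml is the assistant-generated 4.8.2 file that was copied aside,
# package.yml the default that the 4.9.0-2 RPM installed.
write_sample_configs() {
    cat >"$1/saved.yml" <<'EOF'
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true
EOF
    cat >"$1/package.yml" <<'EOF'
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
EOF
}

# Stand-alone demo: reports the four differences between the two files above.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
config_drift "$demo_dir/saved.yml" "$demo_dir/package.yml" || true
rm -rf "$demo_dir"
```

The drift report is what to apply by hand (or with `sed`) before `systemctl start wazuh-dashboard`: the `removed` line for `opensearch_security.cookie.secure` is the one that silently weakens the deployment if missed, since the dashboard is served over TLS on 443 and the session cookie should carry the Secure flag. On the credential side, every `curl -u admin:<password>` in the log above leaves the indexer admin password in the shell history and in `ps` output for the life of the request; `--netrc-file` with a 0600 file, or `-u admin` alone so curl prompts, avoids both.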
rauldpm commented 1 month ago

DEB testing

Wazuh installation assistant 4.9.0 DEB :green_circle:
```
root@ubuntu18stack:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
06/09/2024 21:30:27 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
06/09/2024 21:30:27 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 21:30:38 INFO: Verifying that your system meets the recommended minimum hardware requirements.
06/09/2024 21:30:38 INFO: Wazuh web interface port will be 443.
06/09/2024 21:30:44 INFO: --- Dependencies ----
06/09/2024 21:30:44 INFO: Installing apt-transport-https.
06/09/2024 21:30:47 INFO: Installing debhelper.
06/09/2024 21:31:33 INFO: Wazuh development repository added.
06/09/2024 21:31:33 INFO: --- Configuration files ---
06/09/2024 21:31:33 INFO: Generating configuration files.
06/09/2024 21:31:34 INFO: Generating the root certificate.
06/09/2024 21:31:34 INFO: Generating Admin certificates.
06/09/2024 21:31:34 INFO: Generating Wazuh indexer certificates.
06/09/2024 21:31:34 INFO: Generating Filebeat certificates.
06/09/2024 21:31:34 INFO: Generating Wazuh dashboard certificates.
06/09/2024 21:31:34 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 21:31:34 INFO: --- Wazuh indexer ---
06/09/2024 21:31:34 INFO: Starting Wazuh indexer installation.
06/09/2024 21:32:18 INFO: Wazuh indexer installation finished.
06/09/2024 21:32:18 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 21:32:18 INFO: Starting service wazuh-indexer.
06/09/2024 21:32:26 INFO: wazuh-indexer service started.
06/09/2024 21:32:26 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 21:32:29 INFO: Wazuh indexer cluster security configuration initialized.
06/09/2024 21:32:29 INFO: Wazuh indexer cluster initialized.
06/09/2024 21:32:29 INFO: --- Wazuh server ---
06/09/2024 21:32:29 INFO: Starting the Wazuh manager installation.
06/09/2024 21:33:21 INFO: Wazuh manager installation finished.
06/09/2024 21:33:21 INFO: Wazuh manager vulnerability detection configuration finished.
06/09/2024 21:33:21 INFO: Starting service wazuh-manager.
06/09/2024 21:33:36 INFO: wazuh-manager service started.
06/09/2024 21:33:36 INFO: Starting Filebeat installation.
06/09/2024 21:33:46 INFO: Filebeat installation finished.
06/09/2024 21:33:48 INFO: Filebeat post-install configuration finished.
06/09/2024 21:33:48 INFO: Starting service filebeat.
06/09/2024 21:33:49 INFO: filebeat service started.
06/09/2024 21:33:49 INFO: --- Wazuh dashboard ---
06/09/2024 21:33:49 INFO: Starting Wazuh dashboard installation.
06/09/2024 21:34:32 INFO: Wazuh dashboard installation finished.
06/09/2024 21:34:32 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 21:34:32 INFO: Starting service wazuh-dashboard.
06/09/2024 21:34:32 INFO: wazuh-dashboard service started.
06/09/2024 21:34:34 INFO: Updating the internal users.
06/09/2024 21:34:35 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
06/09/2024 21:34:41 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
06/09/2024 21:35:07 INFO: Initializing Wazuh dashboard web application.
06/09/2024 21:35:08 INFO: Wazuh dashboard web application initialized.
06/09/2024 21:35:08 INFO: --- Summary ---
06/09/2024 21:35:08 INFO: You can access the web interface https://:443
    User: admin
    Password: BmF*lcfn2*B9oiod1do*WcNmo.068*hB
06/09/2024 21:35:08 INFO: Installation finished.
root@ubuntu18stack:/home/vagrant# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true
```
![image](https://github.com/user-attachments/assets/d6a42e25-3002-457a-9116-966adbfa3f8e)
Step-by-Step Upgrade 4.8.2 - 4.9.0 DEB :green_circle:
- Install indexer 4.8.2
```
root@ubuntu18stack:/home/vagrant# curl -sO https://packages.wazuh.com/4.8/wazuh-certs-tool.sh
root@ubuntu18stack:/home/vagrant# curl -sO https://packages.wazuh.com/4.8/config.yml
root@ubuntu18stack:/home/vagrant# nano config.yml
root@ubuntu18stack:/home/vagrant# bash ./wazuh-certs-tool.sh -A
06/09/2024 22:46:44 INFO: Generating the root certificate.
06/09/2024 22:46:44 INFO: Generating Admin certificates.
06/09/2024 22:46:44 INFO: Admin certificates created.
06/09/2024 22:46:44 INFO: Generating Wazuh indexer certificates.
06/09/2024 22:46:44 INFO: Wazuh indexer certificates created.
06/09/2024 22:46:44 INFO: Generating Filebeat certificates.
06/09/2024 22:46:44 INFO: Wazuh Filebeat certificates created.
06/09/2024 22:46:44 INFO: Generating Wazuh dashboard certificates.
06/09/2024 22:46:44 INFO: Wazuh dashboard certificates created.
root@ubuntu18stack:/home/vagrant# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.pem
./root-ca.key
./wazuh-1.pem
./node-1.pem
./node-1-key.pem
./dashboard-key.pem
./wazuh-1-key.pem
./dashboard.pem
./admin-key.pem
./admin.pem
root@ubuntu18stack:/home/vagrant# apt-get install debconf adduser procps
Reading package lists... Done
Building dependency tree
Reading state information... Done
adduser is already the newest version (3.116ubuntu1).
debconf is already the newest version (1.5.66ubuntu1).
procps is already the newest version (2:3.3.12-3ubuntu1.2).
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
root@ubuntu18stack:/home/vagrant# apt-get install gnupg apt-transport-https
Reading package lists... Done
Building dependency tree
Reading state information... Done
gnupg is already the newest version (2.2.4-1ubuntu1.6).
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 1,692 B of archives.
After this operation, 155 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.17 [1,692 B]
Fetched 1,692 B in 0s (4,451 B/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 106174 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.17_all.deb ...
Unpacking apt-transport-https (1.6.17) ...
Setting up apt-transport-https (1.6.17) ...
root@ubuntu18stack:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported
gpg: Total number processed: 1
gpg:               imported: 1
root@ubuntu18stack:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main
root@ubuntu18stack:/home/vagrant# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:5 https://packages.wazuh.com/4.x/apt stable InRelease [17.3 kB]
Get:6 https://packages.wazuh.com/4.x/apt stable/main i386 Packages [12.1 kB]
Get:7 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages [42.6 kB]
Fetched 72.0 kB in 1s (85.9 kB/s)
Reading package lists... Done
root@ubuntu18stack:/home/vagrant# apt-get -y install wazuh-indexer
Reading package lists... Done
Building dependency tree
Reading state information...
Done The following NEW packages will be installed: wazuh-indexer 0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded. Need to get 753 MB of archives. After this operation, 1,050 MB of additional disk space will be used. Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-indexer amd64 4.8.2-1 [753 MB] Fetched 753 MB in 17s (44.7 MB/s) Selecting previously unselected package wazuh-indexer. (Reading database ... 106178 files and directories currently installed.) Preparing to unpack .../wazuh-indexer_4.8.2-1_amd64.deb ... Creating wazuh-indexer group... OK Creating wazuh-indexer user... OK Unpacking wazuh-indexer (4.8.2-1) ... Setting up wazuh-indexer (4.8.2-1) ... Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore Processing triggers for systemd (237-3ubuntu10.57) ... Processing triggers for ureadahead (0.100.0-21) ... Processing triggers for libc-bin (2.27-3ubuntu1.6) ... root@ubuntu18stack:/home/vagrant# nano /etc/wazuh-indexer/opensearch.yml root@ubuntu18stack:/home/vagrant# NODE_NAME=node-1 root@ubuntu18stack:/home/vagrant# mkdir /etc/wazuh-indexer/certs root@ubuntu18stack:/home/vagrant# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem root@ubuntu18stack:/home/vagrant# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem root@ubuntu18stack:/home/vagrant# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem root@ubuntu18stack:/home/vagrant# chmod 500 /etc/wazuh-indexer/certs root@ubuntu18stack:/home/vagrant# chmod 400 /etc/wazuh-indexer/certs/* root@ubuntu18stack:/home/vagrant# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs root@ubuntu18stack:/home/vagrant# systemctl daemon-reload root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-indexer Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → 
/usr/lib/systemd/system/wazuh-indexer.service. root@ubuntu18stack:/home/vagrant# systemctl start wazuh-indexer /usr/share/wazuh-indexer/bin/indexer-security-init.shroot@ubuntu18stack:/home/vagrant# /usr/share/wazuh-indexer/bin/indexer-security-init.sh ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' 
with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated curl -k -u admin:admin https://:9200^[[D^[[SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success root@ubuntu18stack:/home/vagrant# curl -k -u admin:admin https://127.0.0.1:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "euSVdteQT3i3x8j89ljg0g", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03", "build_date" : "2023-09-20T23:54:29.889267151Z", "build_snapshot" : false, "lucene_version" : "9.7.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } root@ubuntu18stack:/home/vagrant# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 10.0.2.15 34 51 6 0.47 0.23 0.09 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 ``` - Install server 4.8.2 ``` root@ubuntu18stack:/home/vagrant# apt-get -y install wazuh-manager Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: expect The following NEW packages will be installed: wazuh-manager 0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded. 
Need to get 314 MB of archives.
After this operation, 915 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-manager amd64 4.8.2-1 [314 MB]
Fetched 314 MB in 8s (38.8 MB/s)
Selecting previously unselected package wazuh-manager.
(Reading database ... 107351 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.8.2-1_amd64.deb ...
Unpacking wazuh-manager (4.8.2-1) ...
Setting up wazuh-manager (4.8.2-1) ...
Processing triggers for systemd (237-3ubuntu10.57) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18stack:/home/vagrant# apt-get -y install filebeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  filebeat
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 22.1 MB of archives.
After this operation, 73.6 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 filebeat amd64 7.10.2 [22.1 MB]
Fetched 22.1 MB in 1s (21.0 MB/s)
Selecting previously unselected package filebeat.
(Reading database ... 129382 files and directories currently installed.)
Preparing to unpack .../filebeat_7.10.2_amd64.deb ...
Unpacking filebeat (7.10.2) ...
Setting up filebeat (7.10.2) ...
Processing triggers for systemd (237-3ubuntu10.57) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18stack:/home/vagrant# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml
root@ubuntu18stack:/home/vagrant# nano /etc/filebeat/filebeat.yml
root@ubuntu18stack:/home/vagrant# filebeat keystore create
Created filebeat keystore
root@ubuntu18stack:/home/vagrant# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
root@ubuntu18stack:/home/vagrant# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
root@ubuntu18stack:/home/vagrant# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.2/extensions/elasticsearch/7.x/wazuh-template.json
root@ubuntu18stack:/home/vagrant# chmod go+r /etc/filebeat/wazuh-template.json
root@ubuntu18stack:/home/vagrant# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@ubuntu18stack:/home/vagrant# NODE_NAME=wazuh-1
root@ubuntu18stack:/home/vagrant# mkdir /etc/filebeat/certs
root@ubuntu18stack:/home/vagrant# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
root@ubuntu18stack:/home/vagrant# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
root@ubuntu18stack:/home/vagrant# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
root@ubuntu18stack:/home/vagrant# chmod 500 /etc/filebeat/certs
root@ubuntu18stack:/home/vagrant# chmod 400 /etc/filebeat/certs/*
root@ubuntu18stack:/home/vagrant# chown -R root:root /etc/filebeat/certs
root@ubuntu18stack:/home/vagrant# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
root@ubuntu18stack:/home/vagrant# /var/ossec/bin/wazuh-keystore -f indexer -k password -v admin
root@ubuntu18stack:/home/vagrant# nano /var/ossec/etc/ossec.conf
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
root@ubuntu18stack:/home/vagrant# systemctl start wazuh-manager
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
root@ubuntu18stack:/home/vagrant# systemctl start filebeat
root@ubuntu18stack:/home/vagrant# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

- Install dashboard 4.8.2

```
root@ubuntu18stack:/home/vagrant# apt-get -y install wazuh-dashboard
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  wazuh-dashboard
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 186 MB of archives.
After this operation, 999 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-dashboard amd64 4.8.2-1 [186 MB]
Fetched 186 MB in 7s (28.3 MB/s)
Selecting previously unselected package wazuh-dashboard.
(Reading database ... 129701 files and directories currently installed.)
Preparing to unpack .../wazuh-dashboard_4.8.2-1_amd64.deb ...
Creating wazuh-dashboard group... OK
Creating wazuh-dashboard user... OK
Unpacking wazuh-dashboard (4.8.2-1) ...
Setting up wazuh-dashboard (4.8.2-1) ...
root@ubuntu18stack:/home/vagrant# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
root@ubuntu18stack:/home/vagrant# NODE_NAME=dashboard
root@ubuntu18stack:/home/vagrant# mkdir /etc/wazuh-dashboard/certs
root@ubuntu18stack:/home/vagrant# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
root@ubuntu18stack:/home/vagrant# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv: '/etc/wazuh-dashboard/certs/dashboard.pem' and '/etc/wazuh-dashboard/certs/dashboard.pem' are the same file
root@ubuntu18stack:/home/vagrant# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
mv: '/etc/wazuh-dashboard/certs/dashboard-key.pem' and '/etc/wazuh-dashboard/certs/dashboard-key.pem' are the same file
root@ubuntu18stack:/home/vagrant# chmod 500 /etc/wazuh-dashboard/certs
root@ubuntu18stack:/home/vagrant# chmod 400 /etc/wazuh-dashboard/certs/*
root@ubuntu18stack:/home/vagrant# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-dashboard
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
root@ubuntu18stack:/home/vagrant# systemctl start wazuh-dashboard
root@ubuntu18stack:/home/vagrant# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
root@ubuntu18stack:/home/vagrant# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-dashboard
root@ubuntu18stack:/home/vagrant# systemctl start wazuh-dashboard
```

![image](https://github.com/user-attachments/assets/4f348077-bb42-4117-9059-26df7d643566)

- Upgrade indexer

```
root@ubuntu18stack:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@ubuntu18stack:/home/vagrant# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 https://packages.wazuh.com/4.x/apt stable InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:7 https://packages-dev.wazuh.com/pre-release/apt unstable/main i386 Packages [11.7 kB]
Get:8 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [40.5 kB]
Fetched 69.5 kB in 3s (20.5 kB/s)
Reading package lists... Done
root@ubuntu18stack:/home/vagrant# systemctl stop filebeat
root@ubuntu18stack:/home/vagrant# systemctl stop wazuh-dashboard
root@ubuntu18stack:/home/vagrant# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u admin:admin -k
{"acknowledged":true}root@ubuntu18stack:/home/vagrant#
root@ubuntu18stack:/home/vagrant# curl -X PUT "https://:9200/_cluster/settings" -u : -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '^C
root@ubuntu18stack:/home/vagrant# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:admin -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}root@ubuntu18stack:/home/vagrant#
root@ubuntu18stack:/home/vagrant# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:admin -k
{"_shards":{"total":10,"successful":10,"failed":0}}root@ubuntu18stack:/home/vagrant#
root@ubuntu18stack:/home/vagrant# systemctl stop wazuh-indexer
root@ubuntu18stack:/home/vagrant# apt-get install wazuh-indexer
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  wazuh-indexer
1 upgraded, 0 newly installed, 0 to remove and 10 not upgraded.
Need to get 850 MB of archives.
After this operation, 26.6 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.9.0-1 [850 MB]
Fetched 850 MB in 39s (21.9 MB/s)
(Reading database ... 220693 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.9.0-1_amd64.deb ...
Running Wazuh Indexer Pre-Installation Script
Unpacking wazuh-indexer (4.9.0-1) over (4.8.2-1) ...
Setting up wazuh-indexer (4.9.0-1) ...
Installing new version of config file /etc/default/wazuh-indexer ...

Configuration file '/etc/init.d/wazuh-indexer'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** wazuh-indexer (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/init.d/wazuh-indexer ...

Configuration file '/etc/wazuh-indexer/jvm.options'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** jvm.options (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-indexer/jvm.options ...
Installing new version of config file /etc/wazuh-indexer/log4j2.properties ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/internal_users.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles_mapping.yml ...
Running Wazuh Indexer Post-Installation Script
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
Processing triggers for systemd (237-3ubuntu10.57) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-indexer
Synchronizing state of wazuh-indexer.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable wazuh-indexer
root@ubuntu18stack:/home/vagrant# systemctl start wazuh-indexer
root@ubuntu18stack:/home/vagrant# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.2.15           37          92   8    0.61    0.53     0.55 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
root@ubuntu18stack:/home/vagrant# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:admin -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "all"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}root@ubuntu18stack:/home/vagrant#
root@ubuntu18stack:/home/vagrant# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.2.15           45          92   1    0.67    0.55     0.56 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
```

- Upgrade server

```
root@ubuntu18stack:/home/vagrant# apt-get install wazuh-manager
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  expect
The following packages will be upgraded:
  wazuh-manager
1 upgraded, 0 newly installed, 0 to remove and 9 not upgraded.
Need to get 322 MB of archives.
After this operation, 24.2 MB disk space will be freed.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.9.0-1 [322 MB]
Fetched 322 MB in 16s (20.5 MB/s)
(Reading database ... 220706 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.9.0-1_amd64.deb ...
Unpacking wazuh-manager (4.9.0-1) over (4.8.2-1) ...
Setting up wazuh-manager (4.9.0-1) ...
Processing triggers for systemd (237-3ubuntu10.57) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18stack:/home/vagrant# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@ubuntu18stack:/home/vagrant# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
root@ubuntu18stack:/home/vagrant# chmod go+r /etc/filebeat/wazuh-template.json
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
root@ubuntu18stack:/home/vagrant# systemctl start filebeat
root@ubuntu18stack:/home/vagrant# filebeat setup --pipelines
Loaded Ingest pipelines
root@ubuntu18stack:/home/vagrant# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.
```

- Upgrade dashboard

```
root@ubuntu18stack:/home/vagrant# cp /etc/wazuh-dashboard/opensearch_dashboards.yml .
root@ubuntu18stack:/home/vagrant# apt-get install wazuh-dashboard
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  wazuh-dashboard
1 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Need to get 166 MB of archives.
After this operation, 64.3 MB disk space will be freed.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.9.0-2 [166 MB]
Fetched 166 MB in 4s (45.2 MB/s)
(Reading database ... 222653 files and directories currently installed.)
Preparing to unpack .../wazuh-dashboard_4.9.0-2_amd64.deb ...
Unpacking wazuh-dashboard (4.9.0-2) over (4.8.2-1) ...
Setting up wazuh-dashboard (4.9.0-2) ...
Installing new version of config file /etc/systemd/system/wazuh-dashboard ...
Installing new version of config file /etc/wazuh-dashboard/node.options ...

Configuration file '/etc/wazuh-dashboard/opensearch_dashboards.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** opensearch_dashboards.yml (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-dashboard/opensearch_dashboards.yml ...
root@ubuntu18stack:/home/vagrant# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
root@ubuntu18stack:/home/vagrant# cat opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://127.0.0.1:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
root@ubuntu18stack:/home/vagrant# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-dashboard
root@ubuntu18stack:/home/vagrant# systemctl start wazuh-dashboard
```

![image](https://github.com/user-attachments/assets/f85142f3-090a-43af-814e-3b78087671d3)
Wazuh installation assistant Upgrade 4.8.2 - 4.9.0 DEB :green_circle:

```
root@ubuntu18stack:/home/vagrant# curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
06/09/2024 21:45:11 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.2
06/09/2024 21:45:11 INFO: Verbose logging redirected to /var/log/wazuh-install.log
06/09/2024 21:45:12 INFO: Verifying that your system meets the recommended minimum hardware requirements.
06/09/2024 21:45:22 INFO: Wazuh web interface port will be 443.
06/09/2024 21:45:26 INFO: --- Dependencies ----
06/09/2024 21:45:26 INFO: Installing apt-transport-https.
06/09/2024 21:45:31 INFO: Wazuh repository added.
06/09/2024 21:45:31 INFO: --- Configuration files ---
06/09/2024 21:45:31 INFO: Generating configuration files.
06/09/2024 21:45:31 INFO: Generating the root certificate.
06/09/2024 21:45:31 INFO: Generating Admin certificates.
06/09/2024 21:45:31 INFO: Generating Wazuh indexer certificates.
06/09/2024 21:45:31 INFO: Generating Filebeat certificates.
06/09/2024 21:45:31 INFO: Generating Wazuh dashboard certificates.
06/09/2024 21:45:31 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
06/09/2024 21:45:31 INFO: --- Wazuh indexer ---
06/09/2024 21:45:31 INFO: Starting Wazuh indexer installation.
06/09/2024 21:46:28 INFO: Wazuh indexer installation finished.
06/09/2024 21:46:28 INFO: Wazuh indexer post-install configuration finished.
06/09/2024 21:46:28 INFO: Starting service wazuh-indexer.
06/09/2024 21:46:37 INFO: wazuh-indexer service started.
06/09/2024 21:46:37 INFO: Initializing Wazuh indexer cluster security settings.
06/09/2024 21:46:48 INFO: Wazuh indexer cluster security configuration initialized.
06/09/2024 21:46:48 INFO: Wazuh indexer cluster initialized.
06/09/2024 21:46:48 INFO: --- Wazuh server ---
06/09/2024 21:46:48 INFO: Starting the Wazuh manager installation.
06/09/2024 21:47:27 INFO: Wazuh manager installation finished.
06/09/2024 21:47:27 INFO: Wazuh manager vulnerability detection configuration finished.
06/09/2024 21:47:27 INFO: Starting service wazuh-manager.
06/09/2024 21:47:41 INFO: wazuh-manager service started.
06/09/2024 21:47:41 INFO: Starting Filebeat installation.
06/09/2024 21:47:50 INFO: Filebeat installation finished.
06/09/2024 21:47:51 INFO: Filebeat post-install configuration finished.
06/09/2024 21:47:51 INFO: Starting service filebeat.
06/09/2024 21:47:52 INFO: filebeat service started.
06/09/2024 21:47:52 INFO: --- Wazuh dashboard ---
06/09/2024 21:47:52 INFO: Starting Wazuh dashboard installation.
06/09/2024 21:48:34 INFO: Wazuh dashboard installation finished.
06/09/2024 21:48:34 INFO: Wazuh dashboard post-install configuration finished.
06/09/2024 21:48:34 INFO: Starting service wazuh-dashboard.
06/09/2024 21:48:34 INFO: wazuh-dashboard service started.
06/09/2024 21:48:35 INFO: Updating the internal users.
06/09/2024 21:48:40 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
06/09/2024 21:49:10 INFO: Initializing Wazuh dashboard web application.
06/09/2024 21:49:11 INFO: Wazuh dashboard web application initialized.
06/09/2024 21:49:11 INFO: --- Summary ---
06/09/2024 21:49:11 INFO: You can access the web interface https://:443
    User: admin
    Password: 8F0A7glQ*XpA74*vhkAJFD6oNYL*0OJY
06/09/2024 21:49:11 INFO: Installation finished.
```

![image](https://github.com/user-attachments/assets/a51fcb35-cfe8-413d-a57f-f41b8e31d4de)

```
root@ubuntu18stack:/home/vagrant# systemctl stop filebeat
root@ubuntu18stack:/home/vagrant# systemctl stop wazuh-dashboard
root@ubuntu18stack:/home/vagrant# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u admin:8F0A7glQ*XpA74*vhkAJFD6oNYL*0OJY -k
{"acknowledged":true}
root@ubuntu18stack:/home/vagrant# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:8F0A7glQ*XpA74*vhkAJFD6oNYL*0OJY -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}
root@ubuntu18stack:/home/vagrant# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:8F0A7glQ*XpA74*vhkAJFD6oNYL*0OJY -k
{"_shards":{"total":10,"successful":10,"failed":0}}
root@ubuntu18stack:/home/vagrant# apt-get install wazuh-indexer
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  wazuh-indexer
1 upgraded, 0 newly installed, 0 to remove and 10 not upgraded.
Need to get 850 MB of archives.
After this operation, 26.6 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.9.0-1 [850 MB]
Fetched 850 MB in 37s (23.2 MB/s)
(Reading database ... 220693 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.9.0-1_amd64.deb ...
Running Wazuh Indexer Pre-Installation Script
Stop existing wazuh-indexer.service
Unpacking wazuh-indexer (4.9.0-1) over (4.8.2-1) ...
Setting up wazuh-indexer (4.9.0-1) ...
Installing new version of config file /etc/default/wazuh-indexer ...

Configuration file '/etc/init.d/wazuh-indexer'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** wazuh-indexer (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/init.d/wazuh-indexer ...

Configuration file '/etc/wazuh-indexer/jvm.options'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** jvm.options (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-indexer/jvm.options ...
Installing new version of config file /etc/wazuh-indexer/log4j2.properties ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ...

Configuration file '/etc/wazuh-indexer/opensearch-security/internal_users.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** internal_users.yml (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-indexer/opensearch-security/internal_users.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles_mapping.yml ...
Running Wazuh Indexer Post-Installation Script
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
Processing triggers for systemd (237-3ubuntu10.57) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18stack:/home/vagrant# systemctl daemon-reload
root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-indexer
Synchronizing state of wazuh-indexer.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable wazuh-indexer root@ubuntu18stack:/home/vagrant# systemctl start wazuh-indexer root@ubuntu18stack:/home/vagrant# curl -k -u admin:8F0A7glQ*XpA74*vhkAJFD6oNYL*0OJY https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 127.0.0.1 40 76 5 0.26 0.34 0.51 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 root@ubuntu18stack:/home/vagrant# curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u admin:8F0A7glQ*XpA74*vhkAJFD6oNYL*0OJY -k -H 'Content-Type: application/json' -d' { "persistent": { "cluster.routing.allocation.enable": "all" } } ' {"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}root@ubuntu18stack:/home/vagrant# root@ubuntu18stack:/home/vagrant# curl -k -u admin:8F0A7glQ*XpA74*vhkAJFD6oNYL*0OJY https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 127.0.0.1 62 76 0 0.14 0.28 0.47 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 root@ubuntu18stack:/home/vagrant# apt-get install wazuh-manager Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: expect The following packages will be upgraded: wazuh-manager 1 upgraded, 0 newly installed, 0 to remove and 9 not upgraded. Need to get 322 MB of archives. After this operation, 24.2 MB disk space will be freed. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.9.0-1 [322 MB] Fetched 322 MB in 15s (21.1 MB/s) (Reading database ... 220706 files and directories currently installed.) Preparing to unpack .../wazuh-manager_4.9.0-1_amd64.deb ... Unpacking wazuh-manager (4.9.0-1) over (4.8.2-1) ... Setting up wazuh-manager (4.9.0-1) ... Processing triggers for systemd (237-3ubuntu10.57) ... 
Processing triggers for ureadahead (0.100.0-21) ... root@ubuntu18stack:/home/vagrant# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json root@ubuntu18stack:/home/vagrant# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json root@ubuntu18stack:/home/vagrant# chmod go+r /etc/filebeat/wazuh-template.json root@ubuntu18stack:/home/vagrant# systemctl daemon-reload root@ubuntu18stack:/home/vagrant# systemctl enable filebeat Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable filebeat root@ubuntu18stack:/home/vagrant# systemctl start filebeat root@ubuntu18stack:/home/vagrant# filebeat setup --pipelines Loaded Ingest pipelines root@ubuntu18stack:/home/vagrant# filebeat setup --index-management -E output.logstash.enabled=false ILM policy and write alias loading not enabled. Index setup finished. root@ubuntu18stack:/home/vagrant# cp /etc/wazuh-dashboard/opensearch_dashboards.yml . root@ubuntu18stack:/home/vagrant# apt-get install wazuh-dashboard Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be upgraded: wazuh-dashboard 1 upgraded, 0 newly installed, 0 to remove and 8 not upgraded. Need to get 166 MB of archives. After this operation, 64.3 MB disk space will be freed. 
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.9.0-2 [166 MB] Fetched 166 MB in 9s (18.1 MB/s) (Reading database ... 222653 files and directories currently installed.) Preparing to unpack .../wazuh-dashboard_4.9.0-2_amd64.deb ... Unpacking wazuh-dashboard (4.9.0-2) over (4.8.2-1) ... Setting up wazuh-dashboard (4.9.0-2) ... Installing new version of config file /etc/systemd/system/wazuh-dashboard ... Installing new version of config file /etc/wazuh-dashboard/node.options ... Configuration file '/etc/wazuh-dashboard/opensearch_dashboards.yml' ==> Modified (by you or by a script) since installation. ==> Package distributor has shipped an updated version. What would you like to do about it ? Your options are: Y or I : install the package maintainer's version N or O : keep your currently-installed version D : show the differences between the versions Z : start a shell to examine the situation The default action is to keep your current version. *** opensearch_dashboards.yml (Y/I/N/O/D/Z) [default=N] ? Y Installing new version of config file /etc/wazuh-dashboard/opensearch_dashboards.yml ... 
root@ubuntu18stack:/home/vagrant# cat /etc/wazuh-dashboard/opensearch_dashboards.yml server.host: 0.0.0.0 server.port: 443 opensearch.hosts: https://localhost:9200 opensearch.ssl.verificationMode: certificate #opensearch.username: #opensearch.password: opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: false opensearch_security.readonly_mode.roles: ["kibana_read_only"] server.ssl.enabled: true server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem" server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem" opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] uiSettings.overrides.defaultRoute: /app/wz-home root@ubuntu18stack:/home/vagrant# cat opensearch_dashboards.yml server.host: 0.0.0.0 opensearch.hosts: https://127.0.0.1:9200 server.port: 443 opensearch.ssl.verificationMode: certificate # opensearch.username: kibanaserver # opensearch.password: kibanaserver opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: false opensearch_security.readonly_mode.roles: ["kibana_read_only"] server.ssl.enabled: true server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem" server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem" opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] uiSettings.overrides.defaultRoute: /app/wz-home opensearch_security.cookie.secure: true root@ubuntu18stack:/home/vagrant# nano /etc/wazuh-dashboard/opensearch_dashboards.yml root@ubuntu18stack:/home/vagrant# systemctl daemon-reload root@ubuntu18stack:/home/vagrant# systemctl enable wazuh-dashboard root@ubuntu18stack:/home/vagrant# systemctl start wazuh-dashboard root@ubuntu18stack:/home/vagrant# ``` ![image](https://github.com/user-attachments/assets/6871a8f1-d702-4388-b9d5-996ec2caee4a)
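The upgrade above backs up `opensearch_dashboards.yml` before `apt-get install wazuh-dashboard`, accepts the maintainer's version at the dpkg conffile prompt, and then compares the two files by eye before fixing the installed one with `nano`. As an added example (not Wazuh project code), the script below automates that comparison over the two configs shown in the comment and flags settings a defender would not want silently lost on upgrade, such as `opensearch_security.cookie.secure`; the set of keys treated as security-relevant is my assumption.

```python
"""Compare a backed-up opensearch_dashboards.yml with the one a package upgrade
installed and flag security-relevant settings that were dropped or changed.

Added example for this issue thread, not Wazuh's own tooling. The two configs
below are copied from the upgrade log above (a single-node test VM).
"""

# Assumption: settings whose loss or change after an upgrade must be reviewed
# before the upgrade is signed off.
SECURITY_KEYS = {
    "opensearch_security.cookie.secure",
    "opensearch.ssl.verificationMode",
    "opensearch.ssl.certificateAuthorities",
    "server.ssl.enabled",
    "server.ssl.key",
    "server.ssl.certificate",
}

# Backup taken with `cp /etc/wazuh-dashboard/opensearch_dashboards.yml .`
BACKUP_YML = """\
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true
"""

# Maintainer's version installed by the 4.9.0-2 package
INSTALLED_YML = """\
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' subset of YAML this file uses.

    Blank lines and comments are skipped, so a commented-out key (for example
    '#opensearch.username:') is correctly treated as *not set*.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split on the first ':' only,
        if not sep:                            # so URLs with ports stay intact
            continue
        settings[key.strip()] = value.strip()
    return settings


def compare_configs(backup_text, installed_text):
    """Return what the upgrade dropped, changed or added, plus the subset of
    those keys that are security-relevant and therefore need a decision."""
    old = parse_flat_yaml(backup_text)
    new = parse_flat_yaml(installed_text)
    dropped = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    added = sorted(k for k in new if k not in old)
    findings = [k for k in dropped + changed if k in SECURITY_KEYS]
    return {"dropped": dropped, "changed": changed, "added": added,
            "security_findings": findings}


if __name__ == "__main__":
    result = compare_configs(BACKUP_YML, INSTALLED_YML)
    for kind in ("dropped", "changed", "added"):
        print(f"{kind}: {result[kind]}")
    # The changed cert paths are expected only if the files under
    # /etc/wazuh-dashboard/certs were renamed to match; the dropped
    # cookie.secure flag has to be re-added by hand, as the tester did.
    for key in result["security_findings"]:
        print(f"REVIEW: security setting '{key}' dropped or changed by upgrade")
```

On the two files from the log this reports `opensearch_security.cookie.secure` as dropped and the two `server.ssl.*` paths as changed, which is exactly what the manual `nano` step had to repair.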
juliamagan commented 1 month ago

DEB testing

Step-by-Step 4.9.0 DEB 🟢
- Wazuh indexer install ``` root@wazuh-manager:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-certs-tool.sh root@wazuh-manager:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.9/config.yml root@wazuh-manager:/home/vagrant# nano config.yml root@wazuh-manager:/home/vagrant# bash ./wazuh-certs-tool.sh -A 06/09/2024 22:46:18 INFO: Verbose logging redirected to /home/vagrant/wazuh-certificates-tool.log 06/09/2024 22:46:18 INFO: Generating the root certificate. 06/09/2024 22:46:19 INFO: Generating Admin certificates. 06/09/2024 22:46:19 INFO: Admin certificates created. 06/09/2024 22:46:19 INFO: Generating Wazuh indexer certificates. 06/09/2024 22:46:19 INFO: Wazuh indexer certificates created. 06/09/2024 22:46:19 INFO: Generating Filebeat certificates. 06/09/2024 22:46:19 INFO: Wazuh Filebeat certificates created. 06/09/2024 22:46:19 INFO: Generating Wazuh dashboard certificates. 06/09/2024 22:46:19 INFO: Wazuh dashboard certificates created. root@wazuh-manager:/home/vagrant# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . ./ ./wazuh-1.pem ./wazuh-1-key.pem ./admin-key.pem ./root-ca.pem ./admin.pem ./dashboard-key.pem ./node-1-key.pem ./root-ca.key ./node-1.pem ./dashboard.pem root@wazuh-manager:/home/vagrant# apt-get install debconf adduser procps Reading package lists... Done Building dependency tree... Done Reading state information... Done adduser is already the newest version (3.118ubuntu5). adduser set to manually installed. debconf is already the newest version (1.5.79ubuntu1). debconf set to manually installed. procps is already the newest version (2:3.3.17-6ubuntu2.1). procps set to manually installed. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. root@wazuh-manager:/home/vagrant# apt-get install gnupg apt-transport-https Reading package lists... Done Building dependency tree... Done Reading state information... 
Done Note, selecting 'apt' instead of 'apt-transport-https' apt is already the newest version (2.4.11). apt set to manually installed. gnupg is already the newest version (2.2.27-3ubuntu2.1). gnupg set to manually installed. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. root@wazuh-manager:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg gpg: keyring '/usr/share/keyrings/wazuh.gpg' created gpg: directory '/root/.gnupg' created gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported gpg: Total number processed: 1 gpg: imported: 1 root@wazuh-manager:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main root@wazuh-manager:/home/vagrant# apt-get update Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease Get:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB] Get:3 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB] Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB] Get:5 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB] Get:6 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1771 kB] Get:7 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [291 kB] Get:8 http://security.ubuntu.com/ubuntu jammy-security/main amd64 c-n-f Metadata [13.3 kB] Get:9 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [2327 kB] Get:10 http://security.ubuntu.com/ubuntu jammy-security/restricted Translation-en [400 kB] Get:11 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 c-n-f 
Metadata [584 B] Get:12 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [901 kB] Get:13 http://security.ubuntu.com/ubuntu jammy-security/universe Translation-en [176 kB] Get:14 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 c-n-f Metadata [19.2 kB] Get:15 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [37.2 kB] Get:16 http://security.ubuntu.com/ubuntu jammy-security/multiverse Translation-en [7588 B] Get:17 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 c-n-f Metadata [228 B] Get:18 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB] Get:19 http://archive.ubuntu.com/ubuntu jammy/universe Translation-en [5652 kB] Get:20 http://archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB] Get:21 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB] Get:22 http://archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB] Get:23 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8372 B] Get:24 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1988 kB] Get:25 http://archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [349 kB] Get:26 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [17.8 kB] Get:27 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [2386 kB] Get:28 http://archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [410 kB] Get:29 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 c-n-f Metadata [616 B] Get:30 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1123 kB] Get:31 http://archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [261 kB] Get:32 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [26.1 kB] Get:33 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [43.3 kB] Get:34 http://archive.ubuntu.com/ubuntu 
jammy-updates/multiverse Translation-en [10.8 kB] Get:35 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [444 B] Get:36 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [67.8 kB] Get:37 http://archive.ubuntu.com/ubuntu jammy-backports/main Translation-en [11.1 kB] Get:38 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B] Get:39 http://archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B] Get:40 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [28.8 kB] Get:41 http://archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.5 kB] Get:42 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [672 B] Get:43 http://archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B] Get:44 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [40.5 kB] Fetched 33.5 MB in 4s (9387 kB/s) Reading package lists... Done root@wazuh-manager:/home/vagrant# apt-get -y install wazuh-indexer Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: wazuh-indexer 0 upgraded, 1 newly installed, 0 to remove and 154 not upgraded. Need to get 850 MB of archives. After this operation, 1077 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.9.0-1 [850 MB] Fetched 850 MB in 35s (24.2 MB/s) Selecting previously unselected package wazuh-indexer. (Reading database ... 64003 files and directories currently installed.) Preparing to unpack .../wazuh-indexer_4.9.0-1_amd64.deb ... Running Wazuh Indexer Pre-Installation Script Unpacking wazuh-indexer (4.9.0-1) ... Setting up wazuh-indexer (4.9.0-1) ... 
Running Wazuh Indexer Post-Installation Script ### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd sudo systemctl daemon-reload sudo systemctl enable wazuh-indexer.service ### You can start wazuh-indexer service by executing sudo systemctl start wazuh-indexer.service Scanning processes... Scanning linux images... Running kernel seems to be up-to-date. No services need to be restarted. No containers need to be restarted. No user sessions are running outdated binaries. No VM guests are running outdated hypervisor (qemu) binaries on this host. root@wazuh-manager:/home/vagrant# nano /etc/wazuh-indexer/opensearch.yml root@wazuh-manager:/home/vagrant# NODE_NAME=node-1 root@wazuh-manager:/home/vagrant# mkdir /etc/wazuh-indexer/certs tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem chmod 500 /etc/wazuh-indexer/certs chmod 400 /etc/wazuh-indexer/certs/* chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs root@wazuh-manager:/home/vagrant# systemctl daemon-reload systemctl enable wazuh-indexer systemctl start wazuh-indexer Synchronizing state of wazuh-indexer.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable wazuh-indexer Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /lib/systemd/system/wazuh-indexer.service. 
root@wazuh-manager:/home/vagrant# /usr/share/wazuh-indexer/bin/indexer-security-init.sh ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 172.17.1.20:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.13.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with 
/etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success root@wazuh-manager:/home/vagrant# curl -k -u admin:admin https://172.17.1.20:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "nIDVtWbsTGyVQ2UHRkEchQ", "version" : { "number" : "7.10.2", "build_type" : "deb", "build_hash" : "9fd1835bba77ae04d48550eb4dc9be4787070806", "build_date" : "2024-08-30T10:06:03.028357Z", "build_snapshot" : false, "lucene_version" : "9.10.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } root@wazuh-manager:/home/vagrant# curl -k -u admin:admin https://172.17.1.20:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 172.17.1.20 37 94 0 0.47 0.29 0.11 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 ``` - Wazuh manager and Filebeat ``` root@wazuh-manager:/home/vagrant# apt-get -y install wazuh-manager Reading package lists... Done Building dependency tree... Done Reading state information... Done Suggested packages: expect The following NEW packages will be installed: wazuh-manager 0 upgraded, 1 newly installed, 0 to remove and 154 not upgraded. Need to get 322 MB of archives. After this operation, 891 MB of additional disk space will be used. 
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.9.0-1 [322 MB] Fetched 322 MB in 15s (21.3 MB/s) Selecting previously unselected package wazuh-manager. (Reading database ... 65189 files and directories currently installed.) Preparing to unpack .../wazuh-manager_4.9.0-1_amd64.deb ... Unpacking wazuh-manager (4.9.0-1) ... Setting up wazuh-manager (4.9.0-1) ... Scanning processes... Scanning linux images... Running kernel seems to be up-to-date. No services need to be restarted. No containers need to be restarted. No user sessions are running outdated binaries. No VM guests are running outdated hypervisor (qemu) binaries on this host. root@wazuh-manager:/home/vagrant# apt-get -y install filebeat Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: filebeat 0 upgraded, 1 newly installed, 0 to remove and 154 not upgraded. Need to get 22.1 MB of archives. After this operation, 73.6 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 filebeat amd64 7.10.2 [22.1 MB] Fetched 22.1 MB in 3s (7471 kB/s) Selecting previously unselected package filebeat. (Reading database ... 89167 files and directories currently installed.) Preparing to unpack .../filebeat_7.10.2_amd64.deb ... Unpacking filebeat (7.10.2) ... Setting up filebeat (7.10.2) ... Scanning processes... Scanning linux images... Running kernel seems to be up-to-date. No services need to be restarted. No containers need to be restarted. No user sessions are running outdated binaries. No VM guests are running outdated hypervisor (qemu) binaries on this host. 
root@wazuh-manager:/home/vagrant# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml root@wazuh-manager:/home/vagrant# nano /etc/filebeat/filebeat.yml root@wazuh-manager:/home/vagrant# filebeat keystore create Created filebeat keystore root@wazuh-manager:/home/vagrant# echo admin | filebeat keystore add username --stdin --force echo admin | filebeat keystore add password --stdin --force Successfully updated the keystore Successfully updated the keystore root@wazuh-manager:/home/vagrant# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json root@wazuh-manager:/home/vagrant# chmod go+r /etc/filebeat/wazuh-template.json root@wazuh-manager:/home/vagrant# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json root@wazuh-manager:/home/vagrant# NODE_NAME=wazuh-1 root@wazuh-manager:/home/vagrant# mkdir /etc/filebeat/certs tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem chmod 500 /etc/filebeat/certs chmod 400 /etc/filebeat/certs/* chown -R root:root /etc/filebeat/certs root@wazuh-manager:/home/vagrant# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin root@wazuh-manager:/home/vagrant# /var/ossec/bin/wazuh-keystore -f indexer -k password -v 
admin root@wazuh-manager:/home/vagrant# ls /etc/filebeat/certs/ filebeat-key.pem filebeat.pem root-ca.pem root@wazuh-manager:/home/vagrant# nano /var/ossec/etc/ossec.conf root@wazuh-manager:/home/vagrant# systemctl daemon-reload systemctl enable wazuh-manager systemctl start wazuh-manager Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /lib/systemd/system/wazuh-manager.service. root@wazuh-manager:/home/vagrant# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2024-09-06 22:58:17 UTC; 5s ago Process: 52522 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) Tasks: 143 (limit: 4647) Memory: 1.6G CPU: 20.340s CGroup: /system.slice/wazuh-manager.service ├─52584 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─52624 /var/ossec/bin/wazuh-authd ├─52630 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─52633 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─52636 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─52649 /var/ossec/bin/wazuh-db ├─52674 /var/ossec/bin/wazuh-execd ├─52691 /var/ossec/bin/wazuh-analysisd ├─52734 /var/ossec/bin/wazuh-syscheckd ├─52753 /var/ossec/bin/wazuh-remoted ├─52790 /var/ossec/bin/wazuh-logcollector ├─52830 /var/ossec/bin/wazuh-monitord └─52889 /var/ossec/bin/wazuh-modulesd Sep 06 22:58:10 wazuh-manager env[52522]: Started wazuh-analysisd... Sep 06 22:58:11 wazuh-manager env[52522]: Started wazuh-syscheckd... Sep 06 22:58:12 wazuh-manager env[52522]: Started wazuh-remoted... Sep 06 22:58:13 wazuh-manager env[52522]: Started wazuh-logcollector... Sep 06 22:58:14 wazuh-manager env[52522]: Started wazuh-monitord... 
Sep 06 22:58:14 wazuh-manager env[52886]: 2024/09/06 22:58:14 wazuh-modulesd:router: INFO: Loaded router module. Sep 06 22:58:14 wazuh-manager env[52886]: 2024/09/06 22:58:14 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Sep 06 22:58:15 wazuh-manager env[52522]: Started wazuh-modulesd... Sep 06 22:58:17 wazuh-manager env[52522]: Completed. Sep 06 22:58:17 wazuh-manager systemd[1]: Started Wazuh manager. root@wazuh-manager:/home/vagrant# systemctl daemon-reload systemctl enable filebeat systemctl start filebeat Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable filebeat Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service. root@wazuh-manager:/home/vagrant# filebeat test output elasticsearch: https://172.17.1.20:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.17.1.20 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 ``` - Wazuh dashboard ``` root@wazuh-manager:/home/vagrant# apt-get -y install wazuh-dashboard Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: wazuh-dashboard 0 upgraded, 1 newly installed, 0 to remove and 154 not upgraded. Need to get 166 MB of archives. After this operation, 934 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.9.0-2 [166 MB] Fetched 166 MB in 9s (18.8 MB/s) Selecting previously unselected package wazuh-dashboard. (Reading database ... 89486 files and directories currently installed.) Preparing to unpack .../wazuh-dashboard_4.9.0-2_amd64.deb ... Creating wazuh-dashboard group... 
OK Creating wazuh-dashboard user... OK Unpacking wazuh-dashboard (4.9.0-2) ... Setting up wazuh-dashboard (4.9.0-2) ... Scanning processes... Scanning linux images... Running kernel seems to be up-to-date. No services need to be restarted. No containers need to be restarted. No user sessions are running outdated binaries. No VM guests are running outdated hypervisor (qemu) binaries on this host. root@wazuh-manager:/home/vagrant# cat /etc/wazuh-dashboard/opensearch_dashboards.yml server.host: 0.0.0.0 server.port: 443 opensearch.hosts: https://localhost:9200 opensearch.ssl.verificationMode: certificate #opensearch.username: #opensearch.password: opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: false opensearch_security.readonly_mode.roles: ["kibana_read_only"] server.ssl.enabled: true server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem" server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem" opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] uiSettings.overrides.defaultRoute: /app/wz-home root@wazuh-manager:/home/vagrant# nano /etc/wazuh-dashboard/opensearch_dashboards.yml root@wazuh-manager:/home/vagrant# NODE_NAME=dashboard root@wazuh-manager:/home/vagrant# mkdir /etc/wazuh-dashboard/certs tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem chmod 500 /etc/wazuh-dashboard/certs chmod 400 /etc/wazuh-dashboard/certs/* chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs root@wazuh-manager:/home/vagrant# systemctl daemon-reload systemctl enable wazuh-dashboard systemctl start wazuh-dashboard Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → 
/etc/systemd/system/wazuh-dashboard.service. root@wazuh-manager:/home/vagrant# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ``` ![installed](https://github.com/user-attachments/assets/544b1549-ae6a-404b-a9aa-3aea79d7eaab) ![version](https://github.com/user-attachments/assets/9d6c5ff8-6cda-4a06-b101-707668b6ba16) ![threat](https://github.com/user-attachments/assets/bfbe6cd3-36f0-401b-930b-f9daca719e9e) ![dashboard](https://github.com/user-attachments/assets/d7b1c79a-14d2-4fe3-b978-28ae248c7684) ![healthcheck](https://github.com/user-attachments/assets/7fcacfea-d2ac-4b53-b233-c1ee283fca01)
juliamagan commented 1 month ago

AMI 🟢

[root@wazuh-server wazuh-user]# rpm -qa | grep wazuh
wazuh-indexer-4.9.0-1.x86_64
wazuh-manager-4.9.0-1.x86_64
wazuh-dashboard-4.9.0-2.x86_64

[root@wazuh-server wazuh-user]# cat /etc/wazuh-dashboard/opensearch_dashboards.yml 
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true

[root@wazuh-server wazuh-user]#  cat /etc/default/wazuh-dashboard 
user="wazuh-dashboard"
group="wazuh-dashboard"
chroot="/"
chdir="/"
nice=""
KILL_ON_STOP_TIMEOUT=0

OSD_PATH_CONF="/etc/wazuh-dashboard"

(screenshots: ami_version, ami_dashboard)

rauldpm commented 1 month ago

As the package has been widely tested and released, we can conclude the testing.