Closed AdriiiPRodri closed 2 years ago
Each component was installed using the Installation assistant.
🟢 wazuh-install.sh
curl -sO https://packages-dev.wazuh.com/4.3/wazuh-install.sh
🟢 config.yml
curl -sO https://packages-dev.wazuh.com/4.3/config.yml
[root@localhost ~]# cat config.yml
nodes:
# Wazuh indexer nodes
indexer:
- name: node-1
ip: <indexer-node-ip>
# - name: node-2
# ip: <indexer-node-ip>
# - name: node-3
# ip: <indexer-node-ip>
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh-1
ip: <wazuh-manager-ip>
# node_type: master
# - name: wazuh-2
# ip: <wazuh-manager-ip>
# node_type: worker
# Wazuh dashboard nodes
dashboard:
- name: dashboard
ip: <dashboard-node-ip>
🟢 bash wazuh-install.sh --generate-config-files
[root@localhost ~]# bash wazuh-install.sh --generate-config-files
16/08/2022 14:18:24 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:18:24 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:18:27 INFO: --- Configuration files ---
16/08/2022 14:18:27 INFO: Generating configuration files.
16/08/2022 14:18:28 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
🟢 Wazuh-install-file.tar generated
[root@localhost ~]# ls -l
total 160
-rw------- 1 root root 10677 ago 16 14:18 wazuh-install-files.tar
-rw-r--r-- 1 root root 148481 ago 16 14:16 wazuh-install.sh
🟢 Wazuh indexer installation
[root@localhost ~]# bash wazuh-install.sh --wazuh-indexer node-1
16/08/2022 14:29:39 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:29:39 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:29:45 INFO: Wazuh development repository added.
16/08/2022 14:29:45 INFO: --- Wazuh indexer ---
16/08/2022 14:29:45 INFO: Starting Wazuh indexer installation.
16/08/2022 14:30:36 INFO: Wazuh indexer installation finished.
16/08/2022 14:30:36 INFO: Wazuh indexer post-install configuration finished.
16/08/2022 14:30:36 INFO: Starting service wazuh-indexer.
16/08/2022 14:30:52 INFO: wazuh-indexer service started.
16/08/2022 14:30:52 INFO: Initializing Wazuh indexer cluster security settings.
16/08/2022 14:30:54 INFO: Wazuh indexer cluster initialized.
16/08/2022 14:30:54 INFO: Installation finished.
[root@localhost ~]# bash wazuh-install.sh --start-cluster
16/08/2022 14:31:27 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:31:27 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:31:37 INFO: Wazuh indexer cluster security configuration initialized.
16/08/2022 14:31:56 INFO: Wazuh indexer cluster started.
Indexer status
[root@localhost ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
Active: active (running) since mar 2022-08-16 14:30:52 UTC; 4min 50s ago
Docs: https://documentation.wazuh.com
Main PID: 3762 (java)
CGroup: /system.slice/wazuh-indexer.service
└─3762 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...
ago 16 14:30:36 localhost systemd[1]: Starting Wazuh-indexer...
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: An illegal reflective access operation has occurred
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/...wable.cause
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: All illegal access operations will be denied in a future release
ago 16 14:30:52 localhost systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
🟢 Server and filebeat installation
[root@localhost ~]# bash wazuh-install.sh --wazuh-server wazuh-1
16/08/2022 14:36:39 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:36:39 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:36:45 INFO: Wazuh development repository added.
16/08/2022 14:36:45 INFO: --- Wazuh server ---
16/08/2022 14:36:45 INFO: Starting the Wazuh manager installation.
16/08/2022 14:37:06 INFO: Wazuh manager installation finished.
16/08/2022 14:37:06 INFO: Starting service wazuh-manager.
16/08/2022 14:37:21 INFO: wazuh-manager service started.
16/08/2022 14:37:21 INFO: Starting Filebeat installation.
16/08/2022 14:37:32 INFO: Filebeat installation finished.
16/08/2022 14:37:33 INFO: Filebeat post-install configuration finished.
16/08/2022 14:37:42 INFO: Starting service filebeat.
16/08/2022 14:37:43 INFO: filebeat service started.
16/08/2022 14:37:43 INFO: Installation finished.
Server status
[root@localhost ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
Active: active (running) since mar 2022-08-16 17:58:31 UTC; 25s ago
CGroup: /system.slice/wazuh-manager.service
├─7023 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─7065 /var/ossec/bin/wazuh-authd
├─7087 /var/ossec/bin/wazuh-db
├─7099 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─7102 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─7117 /var/ossec/bin/wazuh-execd
├─7132 /var/ossec/bin/wazuh-analysisd
├─7176 /var/ossec/bin/wazuh-syscheckd
├─7191 /var/ossec/bin/wazuh-remoted
├─7224 /var/ossec/bin/wazuh-logcollector
├─7247 /var/ossec/bin/wazuh-monitord
└─7270 /var/ossec/bin/wazuh-modulesd
ago 16 17:58:22 localhost env[6967]: Started wazuh-execd...
ago 16 17:58:23 localhost env[6967]: Started wazuh-analysisd...
ago 16 17:58:25 localhost env[6967]: Started wazuh-syscheckd...
ago 16 17:58:26 localhost env[6967]: Started wazuh-remoted...
ago 16 17:58:27 localhost env[6967]: Started wazuh-logcollector...
ago 16 17:58:28 localhost env[6967]: Started wazuh-monitord...
ago 16 17:58:29 localhost crontab[7351]: (root) LIST (root)
ago 16 17:58:29 localhost env[6967]: Started wazuh-modulesd...
ago 16 17:58:31 localhost env[6967]: Completed.
ago 16 17:58:31 localhost systemd[1]: Started Wazuh manager.
Filebeat status
[root@localhost ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since mar 2022-08-16 14:37:40 UTC; 1min 18s ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 7494 (filebeat)
CGroup: /system.slice/filebeat.service
└─7494 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /va...
ago 16 14:37:40 localhost systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
🟢 Wazuh dashboard installation
[root@localhost ~]# bash wazuh-install.sh --wazuh-dashboard dashboard
16/08/2022 18:00:45 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 18:00:45 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 18:00:51 INFO: Wazuh development repository added.
dashboard
16/08/2022 18:00:51 INFO: --- Wazuh dashboard ----
16/08/2022 18:00:51 INFO: Starting Wazuh dashboard installation.
16/08/2022 18:01:43 INFO: Wazuh dashboard installation finished.
16/08/2022 18:01:43 INFO: Wazuh dashboard post-install configuration finished.
16/08/2022 18:01:43 INFO: Starting service wazuh-dashboard.
16/08/2022 18:01:43 INFO: wazuh-dashboard service started.
16/08/2022 18:02:04 INFO: Initializing Wazuh dashboard web application.
16/08/2022 18:02:05 INFO: Wazuh dashboard web application initialized.
16/08/2022 18:02:05 INFO: --- Summary ---
16/08/2022 18:02:05 INFO: You can access the web interface https://<private_ip>
User: <user>
Password: <password>
16/08/2022 18:02:05 INFO: Installation finished.
Wazuh dashboard status
[root@localhost ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
Active: active (running) since mar 2022-08-16 18:01:49 UTC; 2min 38s ago
Main PID: 9357 (node)
CGroup: /system.slice/wazuh-dashboard.service
└─9357 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/...
ago 16 18:01:55 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:55Z","tags":["info","plugins-system"],"pid":9357,"message":"Starting [42] plug...able,expres
ago 16 18:01:55 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:55Z","tags":["listening","info"],"pid":9357,"message":"Server running at https...24.20:443"}
ago 16 18:01:56 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:56Z","tags":["info","http","server","OpenSearchDashboards"],"pid":9357,"messag...24.20:443"}
ago 16 18:01:56 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:56Z","tags":["error","opensearch","data"],"pid":9357,"message":"[ResponseError...nse Error"}
ago 16 18:01:56 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:56Z","tags":["error","opensearch","data"],"pid":9357,"message":"[ResponseError...nse Error"}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"logo default config is n... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"mark default config is n... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"loadingLogo default conf... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"favicon config is not fo... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"response","@timestamp":"2022-08-16T18:02:04Z","tags":[],"pid":9357,"method":"get","statusCode":200,"req":{"url":"/status","me...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# rpm -qa | grep wazuh-indexer
wazuh-indexer-4.3.7-1.x86_64
[root@localhost ~]# rpm -qi wazuh-indexer-4.3.7-1.x86_64
Name : wazuh-indexer
Version : 4.3.7
Release : 1
Architecture: x86_64
Install Date: mar 16 ago 2022 17:56:12 UTC
Group : System Environment/Daemons
Size : 644015829
License : GPL
Signature : RSA/SHA256, vie 12 ago 2022 17:32:16 UTC, Key ID 96b3ee5f29111145
Source RPM : wazuh-indexer-4.3.7-1.src.rpm
Build Date : vie 12 ago 2022 17:23:30 UTC
Build Host : ip-172-31-38-74.ec2.internal
Relocations : (not relocatable)
Packager : Wazuh, Inc <info@wazuh.com>
Vendor : Wazuh, Inc <info@wazuh.com>
URL : https://www.wazuh.com/
Summary : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Installed size: 614 M
[root@localhost lib]# rpm -qa --queryformat '%{SIZE} %{NAME} \n' | grep indexer
644015829 wazuh-indexer
Summary : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
[root@localhost /]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH && rpm -Kv wazuh-indexer-4.3.7-1.x86_64.rpm
wazuh-indexer-4.3.7-1.x86_64.rpm:
Header V3 RSA/SHA256 Signature, key ID 29111145: OK
Header SHA1 digest: OK (0e7f7259fc8bb65a8876964a726c5054e03e6dcc)
V3 RSA/SHA256 Signature, key ID 29111145: OK
MD5 digest: OK (71c008fa6c7cf9bbef92654fc3bc2c50)
No files with changed ownership could be found.
[root@localhost /]# find /etc -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /usr -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /var -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /bin -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /etc -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /usr -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /var -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /bin -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]#
The service was correctly installed, enabled and started.
[root@localhost /]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
Active: active (running) since mar 2022-08-16 17:56:35 UTC; 1h 8min ago
Docs: https://documentation.wazuh.com
Main PID: 4832 (java)
CGroup: /system.slice/wazuh-indexer.service
└─4832 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=1...
ago 16 17:56:20 localhost systemd[1]: Starting Wazuh-indexer...
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: An illegal reflective access operation has occurred
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableS....cause
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runti...Schema
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflecti...ations
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: All illegal access operations will be denied in a future release
ago 16 17:56:35 localhost systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost /]# systemctl is-enabled wazuh-indexer
enabled
[root@localhost /]# systemctl cat wazuh-indexer.service
# /usr/lib/systemd/system/wazuh-indexer.service
[Unit]
Description=Wazuh-indexer
Documentation=https://documentation.wazuh.com
Wants=network-online.target
After=network-online.target
[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=yes
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/wazuh-indexer
WorkingDirectory=/usr/share/wazuh-indexer
User=wazuh-indexer
Group=wazuh-indexer
ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# wazuh-indexer logging system is initialized. Elasticsearch
# stores its logs in /var/log/wazuh-indexer and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=75
[Install]
WantedBy=multi-user.target
No error was reported.
[root@localhost /]# cat /var/log/wazuh-install.log
16/08/2022 19:19:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 19:19:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
16/08/2022 19:19:51 INFO: Wazuh development repository added.
16/08/2022 19:19:51 INFO: --- Wazuh indexer ---
16/08/2022 19:19:51 INFO: Starting Wazuh indexer installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.3.7-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wazuh-indexer x86_64 4.3.7-1 wazuh 361 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 361 M
Installed size: 614 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-indexer-4.3.7-1.x86_64 1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
Verifying : wazuh-indexer-4.3.7-1.x86_64 1/1
Installed:
wazuh-indexer.x86_64 0:4.3.7-1
Complete!
16/08/2022 19:20:50 INFO: Wazuh indexer installation finished.
16/08/2022 19:20:50 INFO: Wazuh indexer post-install configuration finished.
16/08/2022 19:20:50 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
16/08/2022 19:21:04 INFO: wazuh-indexer service started.
16/08/2022 19:21:04 INFO: Initializing Wazuh indexer cluster security settings.
16/08/2022 19:21:07 INFO: Wazuh indexer cluster initialized.
16/08/2022 19:21:07 INFO: Installation finished.
[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cat/indices?v=true
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open wazuh-alerts-4.x-2022.08.17 XWwkR_iwSheRZlD_5hDhLg 3 0 201 0 626.7kb 626.7kb
green open wazuh-monitoring-2022.33w QhhGn80wSSKs2owCJtS8FA 1 0 0 0 208b 208b
green open wazuh-statistics-2022.33w JuR3NzFSSbKVJOaJtiTpDQ 1 0 2 0 22.8kb 22.8kb
green open .kibana_1 Y03aGc5BQIC6CMZ78Og2OQ 1 0 4 1 45kb 45kb
green open .opendistro_security rhr7JXH_T9GxwHUUyds9Dw 1 0 9 8 91.1kb 91.1kb
[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cat/templates?pretty
wazuh-statistics [wazuh-statistics-*] 0
wazuh-agent [wazuh-monitoring-*] 0
wazuh [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1
opensearch.yml file
[root@localhost /]# cat /etc/wazuh-indexer/opensearch.yml
node.master: true
node.data: true
node.ingest: true
cluster.name: wazuh-indexer-cluster
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.ssl.http.enabled_ciphers:
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
- "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
node.name: node-1
network.host: 172.31.24.20
cluster.initial_master_nodes: node-1
plugins.security.nodes_dn:
- CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US
[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cat/shards?v=true
index shard prirep state docs store ip node
wazuh-monitoring-2022.33w 0 p STARTED 0 208b <private-ip> node-1
wazuh-alerts-4.x-2022.08.17 1 p STARTED 50 203.7kb <private-ip> node-1
wazuh-alerts-4.x-2022.08.17 2 p STARTED 78 210.6kb <private-ip> node-1
wazuh-alerts-4.x-2022.08.17 0 p STARTED 73 212.3kb <private-ip> node-1
.kibana_1 0 p STARTED 4 45kb <private-ip> node-1
.opendistro_security 0 p STARTED 9 91.1kb <private-ip> node-1
wazuh-statistics-2022.33w 0 p STARTED 2 22.8kb <private-ip> node-1
Too long output.
curl -u <user>:<password> -k https://<private-ip>:9200/_nodes?pretty
[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cluster/state/nodes?pretty
{
"cluster_name" : "wazuh-indexer-cluster",
"cluster_uuid" : "GIHlmd2_Tlmdh2pBlC7-dQ",
"nodes" : {
"5_h_MYEGRMeje22s3jyccQ" : {
"name" : "node-1",
"ephemeral_id" : "7q5bRtSqTaGwl8m0zSo9iQ",
"transport_address" : "<private-ip>:9300",
"attributes" : {
"shard_indexing_pressure_enabled" : "true"
}
}
}
}
[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cluster/health?pretty
{
"cluster_name" : "wazuh-indexer-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"active_primary_shards" : 6,
"active_shards" : 6,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
[root@localhost /]# bash wazuh-install.sh -u
16/08/2022 19:52:56 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 19:52:56 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 19:52:59 INFO: Removing Wazuh manager.
16/08/2022 19:53:06 INFO: Wazuh manager removed.
16/08/2022 19:53:06 INFO: Removing Wazuh indexer.
16/08/2022 19:53:08 INFO: Wazuh indexer removed.
16/08/2022 19:53:08 INFO: Removing Filebeat.
16/08/2022 19:53:09 INFO: Filebeat removed.
16/08/2022 19:53:09 INFO: Removing Wazuh dashboard.
16/08/2022 19:53:18 INFO: Wazuh dashboard removed.
[root@localhost /]# systemctl status wazuh-indexer
Unit wazuh-indexer.service could not be found.
[root@localhost /]# rpm -qa | grep wazuh
[root@localhost /]#
Everything worked correctly without any issue.
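The verification steps in the report above (the `rpm -Kv` signature check, `_cat/indices?v=true` and `_cluster/health?pretty`) can be re-evaluated mechanically from saved command output, which is useful when an auditor only has the attached report and not the host. The following Python is an added example, not code from the report or from the Wazuh project: the function names are this example's own, and the sample outputs are constructed to mirror the shapes printed above (the signing key ID and digests are the ones shown in the report; the index UUIDs are made up).

```python
"""Re-run the report's indexer checks over captured command output.

Added example (not Wazuh code). Each function takes the saved text of one
command and returns a verdict, so a report can be checked offline.
Samples are constructed: key ID and digests as printed in the report,
index UUIDs invented.
"""
import json
import re

# Short key ID of the Wazuh package-signing key as printed by rpm -Kv in the report.
EXPECTED_KEY_ID = "29111145"


def rpm_signature_ok(rpm_kv_output, expected_key_id=EXPECTED_KEY_ID):
    """True only if every signature and digest line of `rpm -Kv` reports OK
    and every line that names a key ID names the expected one.
    A NOKEY / NOT OK line, or output with no checks at all, fails."""
    checked = [line.strip() for line in rpm_kv_output.splitlines()
               if "Signature" in line or "digest" in line]
    if not checked:
        return False
    for line in checked:
        if not re.search(r": OK\b", line):
            return False
        key = re.search(r"key ID ([0-9A-Fa-f]+)", line)
        if key and key.group(1).lower() != expected_key_id.lower():
            return False
    return True


def parse_cat_table(cat_output):
    """Turn `_cat/<api>?v=true` text (header row plus whitespace-separated
    columns) into a list of dicts keyed by the header names."""
    lines = [line for line in cat_output.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError("column count mismatch in: %r" % line)
        rows.append(dict(zip(header, fields)))
    return rows


def indices_not_green(cat_indices_output):
    """Names of indices whose health column is anything other than green."""
    return [row["index"] for row in parse_cat_table(cat_indices_output)
            if row["health"] != "green"]


def cluster_health_ok(health_json):
    """(ok, problems) for a `_cluster/health` document: green status, a
    discovered master, no unassigned/relocating/initializing shards, and
    100% of shards active."""
    health = json.loads(health_json)
    problems = []
    if health.get("status") != "green":
        problems.append("status=%s" % health.get("status"))
    if not health.get("discovered_master", False):
        problems.append("discovered_master=false")
    for key in ("unassigned_shards", "relocating_shards", "initializing_shards"):
        if health.get(key) != 0:
            problems.append("%s=%s" % (key, health.get(key)))
    if health.get("active_shards_percent_as_number") != 100.0:
        problems.append("active_shards_percent_as_number=%s"
                        % health.get("active_shards_percent_as_number"))
    return (not problems, problems)


# --- constructed samples, shaped like the report's output ---
SAMPLE_RPM_KV = """\
wazuh-indexer-4.3.7-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 29111145: OK
    Header SHA1 digest: OK (0e7f7259fc8bb65a8876964a726c5054e03e6dcc)
    V3 RSA/SHA256 Signature, key ID 29111145: OK
    MD5 digest: OK (71c008fa6c7cf9bbef92654fc3bc2c50)
"""

SAMPLE_CAT_INDICES = """\
health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2022.08.17 aaaaaaaaaaaaaaaaaaaaaa   3   0        201            0    626.7kb        626.7kb
green  open   wazuh-monitoring-2022.33w   bbbbbbbbbbbbbbbbbbbbbb   1   0          0            0       208b           208b
green  open   .opendistro_security        cccccccccccccccccccccc   1   0          9            8     91.1kb         91.1kb
"""

SAMPLE_HEALTH = """\
{ "cluster_name" : "wazuh-indexer-cluster", "status" : "green", "timed_out" : false,
  "number_of_nodes" : 1, "number_of_data_nodes" : 1, "discovered_master" : true,
  "active_primary_shards" : 6, "active_shards" : 6, "relocating_shards" : 0,
  "initializing_shards" : 0, "unassigned_shards" : 0, "delayed_unassigned_shards" : 0,
  "active_shards_percent_as_number" : 100.0 }
"""


def run_all():
    """Evaluate every check over the constructed samples; returns a dict of verdicts."""
    health_ok, problems = cluster_health_ok(SAMPLE_HEALTH)
    return {"rpm_signature": rpm_signature_ok(SAMPLE_RPM_KV),
            "indices_not_green": indices_not_green(SAMPLE_CAT_INDICES),
            "cluster_health": health_ok, "cluster_problems": problems}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print("%-20s %s" % (name, verdict))
```

To use it against a real report, paste the saved output of each command into the corresponding argument; `rpm_signature_ok` deliberately fails closed when no signature or digest lines are present, since an unsigned or unverified package should never pass by default.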
The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.
Test information
Environment
Test description
Best effort to test Wazuh indexer package. Think critically and at least review/test:
Test report procedure
Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.
An extended report of the test results must be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.
Conclusions
All tests have been executed and the results can be found here.
Auditors validation
The definition of done for this one is the validation of the conclusions and the test results from all auditors.
All checks from below must be accepted in order to close this issue.