wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.6.0 - Alpha 1 - E2E UX tests - RBAC #18851

Closed davidjiglesias closed 1 year ago

davidjiglesias commented 1 year ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Deployment requirements

| Component | Installation | Type | OS |
|-----------|--------------|------|----|
| Indexer | Step by step | Single node | Alma Linux 8 x86_64 |
| Server | Step by step | Multi node | Alma Linux 8 x86_64 |
| Dashboard | Step by step | - | Alma Linux 8 x86_64 |
| Agent | Wazuh WUI one-liner deploy using IP | - | Alma Linux 8 x86_64 |

Test description

Follow and complete the documentation steps and the examples, ensuring the access is adequate based on each requirement:

https://documentation-dev.wazuh.com/v4.6.0-alpha1/user-manual/user-administration/rbac.html?highlight=RBAC

Testing outline

Known issues

There are no known issues.

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below, removing current examples:

| Status | Test | Failure type | Notes |
|--------|------|--------------|-------|
| 🔴 | Wazuh Indexer - Step-by-step installation | Wrong URL | New issue opened: https://github.com/wazuh/wazuh-documentation/issues/6455. Seen in the following comments: https://github.com/wazuh/wazuh/issues/18851#issuecomment-1712050925, https://github.com/wazuh/wazuh/issues/18851#issuecomment-1712052573, https://github.com/wazuh/wazuh/issues/18851#issuecomment-1712965781 |
| 🔴 | Wazuh Stack - Exploratory | Cannot see/fetch Wazuh Manager logs | New issue opened: Wazuh API is not capable of fetching Wazuh Manager logs #18939 |

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criterion for completing this task is the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.
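Before stepping through the RBAC documentation it helps to write down the decision expected for each request, so that a mismatch during the run is recognisable as a bug rather than a misreading of the policy. The script below is an added example for that purpose; it is not part of this issue, of the linked documentation, or of Wazuh's own code. It is a simplified model: the deny-wins rule, the segment-wise `*` wildcard in resources and the white/black default it encodes are this example's assumptions and should be confirmed against the linked RBAC page. The user, roles, policies and request list in it are constructed.

```python
"""Added example, not Wazuh's code: a simplified model of how RBAC policies
combine into an allow/deny decision, used to pre-compute the expected result
of each request in the E2E test plan.

Assumptions of this model (confirm against the RBAC documentation):
  user -> roles -> policies; a policy is {actions, resources, effect}
  resources are colon-separated (agent:id:001) and "*" matches one segment
  rbac_mode "white" denies by default, "black" allows by default
  an explicit deny wins over an explicit allow matching the same request
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Policy:
    actions: List[str]      # e.g. ["agent:read"]; exact action names
    resources: List[str]    # e.g. ["agent:id:*"]; "*:*:*" covers everything
    effect: str             # "allow" or "deny"


@dataclass
class Role:
    name: str
    policies: List[Policy] = field(default_factory=list)


@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)


def resource_matches(pattern: str, resource: str) -> bool:
    """Segment-wise match: agent:id:* matches agent:id:001, not agent:group:x."""
    pat, res = pattern.split(":"), resource.split(":")
    return len(pat) == len(res) and all(p in ("*", r) for p, r in zip(pat, res))


def is_allowed(user: User, action: str, resource: str, rbac_mode: str = "white") -> bool:
    """Decide one request: collect the effects of every matching policy across
    all of the user's roles; deny wins, then allow, then the mode's default."""
    if rbac_mode not in ("white", "black"):
        raise ValueError("rbac_mode must be 'white' or 'black'")
    effects = set()
    for role in user.roles:
        for pol in role.policies:
            if action in pol.actions and any(resource_matches(p, resource) for p in pol.resources):
                effects.add(pol.effect)
    if "deny" in effects:
        return False
    if "allow" in effects:
        return True
    return rbac_mode == "black"


def build_sample_user() -> User:
    """Constructed sample: an operator who may read every agent except 002 and
    may restart (but never delete) agents in group 'default'."""
    read_all = Policy(["agent:read"], ["agent:id:*"], "allow")
    hide_002 = Policy(["agent:read"], ["agent:id:002"], "deny")
    restart_default = Policy(["agent:restart"], ["agent:group:default"], "allow")
    no_delete = Policy(["agent:delete"], ["*:*:*"], "deny")
    return User("operator", [Role("agents_readonly", [read_all, hide_002]),
                             Role("agents_restart", [restart_default, no_delete])])


def expected_matrix(user: User, rbac_mode: str = "white") -> List[Tuple[str, str, bool]]:
    """Expected decision for each (action, resource) pair the E2E run will try."""
    cases = [
        ("agent:read", "agent:id:001"),
        ("agent:read", "agent:id:002"),
        ("agent:restart", "agent:group:default"),
        ("agent:restart", "agent:group:servers"),
        ("agent:delete", "agent:id:001"),
        ("security:read", "user:id:1"),
    ]
    return [(a, r, is_allowed(user, a, r, rbac_mode)) for a, r in cases]


if __name__ == "__main__":
    for action, resource, ok in expected_matrix(build_sample_user()):
        print(f"{action:15} {resource:22} {'ALLOW' if ok else 'DENY'}")
```

Running the script prints the matrix for `rbac_mode: white`; pass `"black"` to `expected_matrix` to see which rows flip, which is exactly the set of requests worth re-trying after switching the mode in the API configuration.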

jnasselle commented 1 year ago

Environment architecture

Vagrantfile for Managers, Indexer and Dashboard

Vagrant.configure("2") do |config|
  config.vm.define "master" do |node|
    node.vm.box = "almalinux/8"
    node.vm.box_version = "8.8.20230606"
    node.vm.hostname = 'manager'

    node.vm.network :private_network, ip: "192.168.56.101"

    node.vm.provider :virtualbox do |v|
        v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
        v.customize ["modifyvm", :id, "--memory", 1024]
        v.customize ["modifyvm", :id, "--cpus", 2]
        v.customize ["modifyvm", :id, "--name", "master"]
    end
  end

  config.vm.define "worker" do |node|
    node.vm.box = "almalinux/8"
    node.vm.box_version = "8.8.20230606"
    node.vm.hostname = 'worker'

    node.vm.network :private_network, ip: "192.168.56.102"

    node.vm.provider :virtualbox do |v|
        v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
        v.customize ["modifyvm", :id, "--memory", 1024]
        v.customize ["modifyvm", :id, "--cpus", 2]
        v.customize ["modifyvm", :id, "--name", "worker"]
    end
  end

  config.vm.define "indexerdashboard" do |node|
    node.vm.box = "almalinux/8"
    node.vm.box_version = "8.8.20230606"
    node.vm.hostname = 'indexerdashboard'

    node.vm.network :private_network, ip: "192.168.56.103"

    node.vm.provider :virtualbox do |v|
        v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
        v.customize ["modifyvm", :id, "--memory", 4096]
        v.customize ["modifyvm", :id, "--cpus", 4]
        v.customize ["modifyvm", :id, "--name", "indexerdashboard"]
    end
  end
end
jnasselle commented 1 year ago

Wazuh Indexer - Step-by-step :yellow_circle:

Affected by https://github.com/wazuh/wazuh-documentation/issues/6455, but changing the URL to the proper one allows me to continue the testing

Environment

[root@indexerdashboard vagrant]# cat /etc/os-release 
NAME="AlmaLinux"
VERSION="8.8 (Sapphire Caracal)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.8 (Sapphire Caracal)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
ALMALINUX_MANTISBT_PROJECT_VERSION="8.8"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.8"
[root@indexerdashboard vagrant]# uname -a
Linux indexerdashboard 4.18.0-477.13.1.el8_8.x86_64 #1 SMP Tue May 30 14:53:41 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux

Certs and config generation

[root@indexerdashboard vagrant]# curl -sO https://packages-dev.wazuh.com/4.6/wazuh-certs-tool.sh
[root@indexerdashboard vagrant]# curl -sO https://packages-dev.wazuh.com/4.6/config.yml
[root@indexerdashboard vagrant]# vi config.yml 

config.yml

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "192.168.56.103"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "192.168.56.101"
      node_type: master
    - name: wazuh-2
      ip: "192.168.56.102"
      node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "192.168.56.103"

Certs and config generation (continuation)

[root@indexerdashboard vagrant]# bash ./wazuh-certs-tool.sh -A
08/09/2023 13:26:24 INFO: Admin certificates created.
08/09/2023 13:26:24 INFO: Wazuh indexer certificates created.
08/09/2023 13:26:24 INFO: Wazuh server certificates created.
08/09/2023 13:26:24 INFO: Wazuh dashboard certificates created.
[root@indexerdashboard vagrant]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./wazuh-1-key.pem
./wazuh-1.pem
./wazuh-2-key.pem
./wazuh-2.pem
./dashboard-key.pem
./dashboard.pem
[root@indexerdashboard vagrant]# rm -rf ./wazuh-certificates

Indexer installation

[root@indexerdashboard vagrant]# yum install coreutils
Last metadata expiration check: 0:18:16 ago on Fri 08 Sep 2023 01:10:14 PM UTC.
Package coreutils-8.30-15.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

[root@indexerdashboard vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

[root@indexerdashboard vagrant]# yum -y install wazuh-indexer
EL-8 - Wazuh                                                                                                                                                                       6.6 MB/s |  19 MB     00:02    
Last metadata expiration check: 0:00:05 ago on Fri 08 Sep 2023 01:29:59 PM UTC.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                                 Architecture                                     Version                                            Repository                                       Size
===================================================================================================================================================================================================================
Installing:
 wazuh-indexer                                           x86_64                                           4.6.0-1                                            wazuh                                           673 M

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total download size: 673 M
Installed size: 930 M
Downloading Packages:
wazuh-indexer-4.6.0-1.x86_64.rpm                                                                                                                                                    37 MB/s | 673 MB     00:18    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                               37 MB/s | 673 MB     00:18     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Running scriptlet: wazuh-indexer-4.6.0-1.x86_64                                                                                                                                                              1/1 
  Installing       : wazuh-indexer-4.6.0-1.x86_64                                                                                                                                                              1/1 
  Running scriptlet: wazuh-indexer-4.6.0-1.x86_64                                                                                                                                                              1/1 
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore

  Verifying        : wazuh-indexer-4.6.0-1.x86_64                                                                                                                                                              1/1 

Installed:
  wazuh-indexer-4.6.0-1.x86_64                                                                                                                                                                                     

Complete!

[root@indexerdashboard vagrant]# rpm -qai wazuh-indexer
Name        : wazuh-indexer
Version     : 4.6.0
Release     : 1
Architecture: x86_64
Install Date: Fri 08 Sep 2023 01:31:17 PM UTC
Group       : System Environment/Daemons
Size        : 974896391
License     : GPL
Signature   : RSA/SHA256, Wed 06 Sep 2023 09:58:32 PM UTC, Key ID 96b3ee5f29111145
Source RPM  : wazuh-indexer-4.6.0-1.src.rpm
Build Date  : Wed 06 Sep 2023 08:43:13 PM UTC
Build Host  : ip-172-31-23-228.ec2.internal
Relocations : (not relocatable)
Packager    : Wazuh, Inc <info@wazuh.com>
Vendor      : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html

Indexer configuration

[root@indexerdashboard vagrant]# vi /etc/wazuh-indexer/opensearch.yml
[root@indexerdashboard vagrant]# NODE_NAME=node-1
[root@indexerdashboard vagrant]# mkdir /etc/wazuh-indexer/certs
[root@indexerdashboard vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
[root@indexerdashboard vagrant]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
[root@indexerdashboard vagrant]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
[root@indexerdashboard vagrant]# chmod 500 /etc/wazuh-indexer/certs
[root@indexerdashboard vagrant]# chmod 400 /etc/wazuh-indexer/certs/*
[root@indexerdashboard vagrant]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
[root@indexerdashboard vagrant]# systemctl daemon-reload
[root@indexerdashboard vagrant]# systemctl enable wazuh-indexer
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.
[root@indexerdashboard vagrant]# systemctl start wazuh-indexer
[root@indexerdashboard vagrant]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2023-09-08 13:36:52 UTC; 4s ago
     Docs: https://documentation.wazuh.com
 Main PID: 5147 (java)
    Tasks: 60 (limit: 24873)
   Memory: 1.2G
   CGroup: /system.slice/wazuh-indexer.service
           └─5147 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=tru>

Sep 08 13:36:40 indexerdashboard systemd[1]: Starting Wazuh-indexer...
Sep 08 13:36:42 indexerdashboard systemd-entrypoint[5147]: WARNING: A terminally deprecated method in java.lang.System has been called
Sep 08 13:36:42 indexerdashboard systemd-entrypoint[5147]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
Sep 08 13:36:42 indexerdashboard systemd-entrypoint[5147]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Sep 08 13:36:42 indexerdashboard systemd-entrypoint[5147]: WARNING: System::setSecurityManager will be removed in a future release
Sep 08 13:36:43 indexerdashboard systemd-entrypoint[5147]: WARNING: A terminally deprecated method in java.lang.System has been called
Sep 08 13:36:43 indexerdashboard systemd-entrypoint[5147]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
Sep 08 13:36:43 indexerdashboard systemd-entrypoint[5147]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Sep 08 13:36:43 indexerdashboard systemd-entrypoint[5147]: WARNING: System::setSecurityManager will be removed in a future release
Sep 08 13:36:52 indexerdashboard systemd[1]: Started Wazuh-indexer.
[root@indexerdashboard vagrant]# scp wazuh-certificates.tar root@192.168.56.101:
[root@indexerdashboard vagrant]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 192.168.56.103:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
[root@indexerdashboard vagrant]# curl -k -u admin:admin https://192.168.56.103:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "4SWkUxKiRTCz0QWT0BFd5g",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
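Before the wazuh-certificates.tar produced above is copied to the other nodes, it is worth confirming that each certificate actually chains to root-ca.pem, carries the IP from config.yml in its subjectAltName, matches its private key, and that the 500/400 permissions applied under /etc/wazuh-indexer/certs are in place. The script below is an added example and not part of this issue or of Wazuh's tooling. It assumes bash, openssl and find are installed; make_toy_certs builds a throwaway CA and node-1 certificate (constructed test material) so the script runs stand-alone, and run_checks works unchanged on the real ./wazuh-certificates directory.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or of Wazuh's tooling: sanity checks
# for the output of wazuh-certs-tool.sh before the tarball is distributed.
# Assumes bash, openssl and find. make_toy_certs builds a throwaway CA and
# node certificate (constructed test material); run_checks also works on a
# real certificates directory, e.g. run_checks ./wazuh-certificates node-1 192.168.56.103
set -u

# Does DIR/NAME.pem chain to DIR/root-ca.pem? Grep for the "OK" verdict rather
# than trusting the exit status, which old openssl builds return as 0 on failure.
check_cert_chain() {
  openssl verify -CAfile "$1/root-ca.pem" "$1/$2.pem" 2>&1 | grep -q ': OK$'
}

# Does DIR/NAME.pem list IP (exactly, not as a prefix) in its subjectAltName?
check_cert_san() {
  local esc
  esc=$(printf '%s' "$3" | sed 's/\./\\./g')
  openssl x509 -in "$1/$2.pem" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "IP Address:${esc}(,|$)"
}

# Does DIR/NAME-key.pem belong to DIR/NAME.pem? Compare the public keys.
check_key_matches() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1/$2.pem" -noout -pubkey 2>/dev/null)
  from_key=$(openssl pkey -in "$1/$2-key.pem" -pubout 2>/dev/null)
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Are the permissions the ones applied in the installation steps
# (directory 500, every file 400)? Prints each offender, returns 1 if any.
check_cert_perms() {
  local dir=$1 rc=0 f
  [ -n "$(find "$dir" -prune -perm 500)" ] || { echo "$dir: want mode 500"; rc=1; }
  for f in "$dir"/*; do
    [ -n "$(find "$f" -prune -perm 400)" ] || { echo "$f: want mode 400"; rc=1; }
  done
  return $rc
}

# Run every check for one node name and its configured IP; returns 1 on any failure.
run_checks() {
  local dir=$1 name=$2 ip=$3 rc=0
  check_cert_chain "$dir" "$name"     || { echo "$name: does not chain to root-ca.pem"; rc=1; }
  check_cert_san "$dir" "$name" "$ip" || { echo "$name: SAN lacks IP $ip"; rc=1; }
  check_key_matches "$dir" "$name"    || { echo "$name: key does not match certificate"; rc=1; }
  check_cert_perms "$dir"             || rc=1
  return $rc
}

# Constructed test material: a self-signed CA and one node certificate whose
# SAN carries IP, using the same file names wazuh-certs-tool.sh produces.
make_toy_certs() {
  local dir=$1 name=$2 ip=$3
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=toy-root-ca" \
    -keyout "$dir/root-ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/root-ca.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/root-ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\n' "$ip" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  rm -f "$dir"/*.csr "$dir"/*.ext "$dir"/*.srl
}

# Demo on constructed material: ./check-certs.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_toy_certs "$tmp" node-1 192.168.56.103
  chmod 500 "$tmp" && chmod 400 "$tmp"/*
  run_checks "$tmp" node-1 192.168.56.103 && echo "all checks passed"
  chmod -R u+rwx "$tmp" && rm -rf "$tmp"
fi
```

The SAN check matters because Filebeat and the dashboard verify the indexer certificate against the address they dial (192.168.56.103 in the filebeat.yml used later in this thread), so a certificate issued for the wrong IP fails TLS verification even though it chains correctly.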
jnasselle commented 1 year ago

Wazuh Manager - Step-by-step - Multinode (Wazuh Cluster) :yellow_circle:

Affected by https://github.com/wazuh/wazuh-documentation/issues/6455, but changing the URL to the proper one allows me to continue the testing

Master node :green_circle:

[root@manager vagrant]# cat /etc/os-release 
NAME="AlmaLinux"
VERSION="8.8 (Sapphire Caracal)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.8 (Sapphire Caracal)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
ALMALINUX_MANTISBT_PROJECT_VERSION="8.8"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.8"
[root@manager vagrant]# uname -a
Linux manager 4.18.0-477.13.1.el8_8.x86_64 #1 SMP Tue May 30 14:53:41 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux

[root@manager vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@manager vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@manager vagrant]# yum -y install wazuh-manager
EL-8 - Wazuh                                                                                                                                                                       6.4 MB/s |  19 MB     00:03    
Last metadata expiration check: 0:00:05 ago on Fri 08 Sep 2023 01:47:48 PM UTC.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                                 Architecture                                     Version                                            Repository                                       Size
===================================================================================================================================================================================================================
Installing:
 wazuh-manager                                           x86_64                                           4.6.0-1                                            wazuh                                           165 M

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total download size: 165 M
Installed size: 599 M
Downloading Packages:
wazuh-manager-4.6.0-1.x86_64.rpm                                                                                                                                                    14 MB/s | 165 MB     00:11    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                               14 MB/s | 165 MB     00:11     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Running scriptlet: wazuh-manager-4.6.0-1.x86_64                                                                                                                                                              1/1 
  Installing       : wazuh-manager-4.6.0-1.x86_64                                                                                                                                                              1/1 
  Running scriptlet: wazuh-manager-4.6.0-1.x86_64                                                                                                                                                              1/1 
  Verifying        : wazuh-manager-4.6.0-1.x86_64                                                                                                                                                              1/1 

Installed:
  wazuh-manager-4.6.0-1.x86_64                                                                                                                                                                                     

Complete!

[root@manager vagrant]# systemctl daemon-reload
[root@manager vagrant]# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
[root@manager vagrant]# systemctl start wazuh-manager
[root@manager vagrant]# rpm -qai wazuh-manager
Name        : wazuh-manager
Version     : 4.6.0
Release     : 1
Architecture: x86_64
Install Date: Fri 08 Sep 2023 01:48:25 PM UTC
Group       : System Environment/Daemons
Size        : 628581219
License     : GPL
Signature   : RSA/SHA256, Wed 06 Sep 2023 10:02:42 PM UTC, Key ID 96b3ee5f29111145
Source RPM  : wazuh-manager-4.6.0-1.src.rpm
Build Date  : Wed 06 Sep 2023 08:21:54 PM UTC
Build Host  : ip-172-31-39-252.ec2.internal
Relocations : (not relocatable)
Packager    : Wazuh, Inc <info@wazuh.com>
Vendor      : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
Description :
Wazuh helps you to gain security visibility into your infrastructure by monitoring
hosts at an operating system and application level. It provides the following capabilities:
log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
[root@manager vagrant]# 

[root@manager vagrant]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.6/tpl/wazuh/filebeat/filebeat.yml
[root@manager vagrant]# vi /etc/filebeat/filebeat.yml
[root@manager vagrant]# cat /etc/filebeat/filebeat.yml 
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["192.168.56.103:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

[root@manager vagrant]# filebeat keystore create
Created filebeat keystore
[root@manager vagrant]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@manager vagrant]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@manager vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.6.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@manager vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@manager vagrant]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/manifest.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/manifest.yml
wazuh/_meta/
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/_meta/docs.asciidoc

[root@manager vagrant]# NODE_NAME=wazuh-1
[root@manager vagrant]# ls
VBoxGuestAdditions.iso
[root@manager vagrant]# ls /root/
wazuh-certificates.tar
[root@manager vagrant]# cd /root/
[root@manager ~]# mkdir /etc/filebeat/certs
[root@manager ~]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@manager ~]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@manager ~]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@manager ~]# chmod 500 /etc/filebeat/certs
[root@manager ~]# chmod 400 /etc/filebeat/certs/*
[root@manager ~]# chown -R root:root /etc/filebeat/certs
[root@manager ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://www.elastic.co/products/beats/filebeat
[root@manager ~]# systemctl daemon-reload
[root@manager ~]# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
[root@manager ~]# systemctl start filebeat

[root@manager ~]# filebeat test output
elasticsearch: https://192.168.56.103:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.103
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Worker node :green_circle:

[root@worker vagrant]# cat /etc/os-release 
NAME="AlmaLinux"
VERSION="8.8 (Sapphire Caracal)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.8 (Sapphire Caracal)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
ALMALINUX_MANTISBT_PROJECT_VERSION="8.8"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.8"
[root@worker vagrant]# uname -a
Linux worker 4.18.0-477.13.1.el8_8.x86_64 #1 SMP Tue May 30 14:53:41 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
[root@worker vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@worker vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@worker vagrant]# yum -y install wazuh-manager
EL-8 - Wazuh                                    4.2 MB/s |  19 MB     00:04    
Last metadata expiration check: 0:00:06 ago on Fri 08 Sep 2023 05:59:18 PM UTC.
Dependencies resolved.
================================================================================
 Package                Architecture    Version            Repository      Size
================================================================================
Installing:
 wazuh-manager          x86_64          4.6.0-1            wazuh          165 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 165 M
Installed size: 599 M
Downloading Packages:
wazuh-manager-4.6.0-1.x86_64.rpm                 32 MB/s | 165 MB     00:05    
--------------------------------------------------------------------------------
Total                                            32 MB/s | 165 MB     00:05     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: wazuh-manager-4.6.0-1.x86_64                           1/1 
  Installing       : wazuh-manager-4.6.0-1.x86_64                           1/1 
  Running scriptlet: wazuh-manager-4.6.0-1.x86_64                           1/1 
  Verifying        : wazuh-manager-4.6.0-1.x86_64                           1/1 

Installed:
  wazuh-manager-4.6.0-1.x86_64                                                  

Complete!
[root@worker vagrant]# systemctl daemon-reload
[root@worker vagrant]# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
[root@worker vagrant]# systemctl start wazuh-manager
[root@worker vagrant]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vend>
   Active: active (running) since Fri 2023-09-08 18:02:05 UTC; 1s ago
  Process: 6486 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code>
    Tasks: 118 (limit: 5937)
   Memory: 545.5M
   CGroup: /system.slice/wazuh-manager.service
           ├─6545 /var/ossec/framework/python/bin/python3 /var/ossec/api/script>
           ├─6587 /var/ossec/bin/wazuh-authd
           ├─6604 /var/ossec/bin/wazuh-db
           ├─6617 /var/ossec/framework/python/bin/python3 /var/ossec/api/script>
           ├─6620 /var/ossec/framework/python/bin/python3 /var/ossec/api/script>
           ├─6623 /var/ossec/framework/python/bin/python3 /var/ossec/api/script>
           ├─6638 /var/ossec/bin/wazuh-execd
           ├─6653 /var/ossec/bin/wazuh-analysisd
           ├─6697 /var/ossec/bin/wazuh-syscheckd
           ├─6716 /var/ossec/bin/wazuh-remoted
           ├─6750 /var/ossec/bin/wazuh-logcollector
           ├─6775 /var/ossec/bin/wazuh-monitord
           └─6827 /var/ossec/bin/wazuh-modulesd

Sep 08 18:01:55 worker env[6486]: Started wazuh-db...
Sep 08 18:01:56 worker env[6486]: Started wazuh-execd...
Sep 08 18:01:57 worker env[6486]: Started wazuh-analysisd...
[root@worker vagrant]# yum -y install filebeat
Last metadata expiration check: 0:01:29 ago on Fri 08 Sep 2023 06:00:46 PM UTC.
Dependencies resolved.
================================================================================
 Package            Architecture     Version              Repository       Size
================================================================================
Installing:
 filebeat           x86_64           7.10.2-1             wazuh            21 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 21 M
Installed size: 70 M
Downloading Packages:
filebeat-oss-7.10.2-x86_64.rpm                   12 MB/s |  21 MB     00:01    
--------------------------------------------------------------------------------
Total                                            11 MB/s |  21 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : filebeat-7.10.2-1.x86_64                               1/1 
  Running scriptlet: filebeat-7.10.2-1.x86_64                               1/1 
  Verifying        : filebeat-7.10.2-1.x86_64                               1/1 

Installed:
  filebeat-7.10.2-1.x86_64                                                      

Complete!
[root@worker vagrant]# rpm -qai wazuh-manager
Name        : wazuh-manager
Version     : 4.6.0
Release     : 1
Architecture: x86_64
Install Date: Fri 08 Sep 2023 05:59:49 PM UTC
Group       : System Environment/Daemons
Size        : 628581219
License     : GPL
Signature   : RSA/SHA256, Wed 06 Sep 2023 10:02:42 PM UTC, Key ID 96b3ee5f29111145
Source RPM  : wazuh-manager-4.6.0-1.src.rpm
Build Date  : Wed 06 Sep 2023 08:21:54 PM UTC
Build Host  : ip-172-31-39-252.ec2.internal
Relocations : (not relocatable)
Packager    : Wazuh, Inc <info@wazuh.com>
Vendor      : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
Description :
Wazuh helps you to gain security visibility into your infrastructure by monitoring
hosts at an operating system and application level. It provides the following capabilities:
log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
[root@worker vagrant]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.6/tpl/wazuh/filebeat/filebeat.yml
[root@worker vagrant]# vi /etc/filebeat/filebeat.yml
[root@worker vagrant]# cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["192.168.56.103:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
[root@worker vagrant]# filebeat keystore create
Created filebeat keystore
[root@worker vagrant]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@worker vagrant]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@worker vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.6.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@worker vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@worker vagrant]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/manifest.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/manifest.yml
wazuh/_meta/
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/_meta/docs.asciidoc
[root@worker vagrant]# NODE_NAME=wazuh-2
[root@worker vagrant]# l
bash: l: command not found
[root@worker vagrant]# cd /root/
[root@worker ~]# mkdir /etc/filebeat/certs
[root@worker ~]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@worker ~]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@worker ~]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@worker ~]# chmod 500 /etc/filebeat/certs
[root@worker ~]# chmod 400 /etc/filebeat/certs/*
[root@worker ~]# chown -R root:root /etc/filebeat/certs
[root@worker ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://www.elastic.co/products/beats/filebeat
[root@worker ~]# systemctl daemon-reload
[root@worker ~]# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
[root@worker ~]# systemctl start filebeat
[root@worker ~]# filebeat test output
elasticsearch: https://192.168.56.103:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.103
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Cluster setup

https://documentation-dev.wazuh.com/v4.6.0-alpha1/user-manual/configuring-cluster/index.html#configuring-cluster

[root@manager ~]# openssl rand -hex 16
7637639d8cf681dfc4585fb064560834
[root@manager ~]# /var/ossec/bin/cluster_control -l
NAME       TYPE    VERSION  ADDRESS         
e2emaster  master  4.6.0    192.168.56.101  
e2eworker  worker  4.6.0    192.168.56.102  
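The Filebeat steps logged above leave secrets in the keystore and the certificates with restrictive permissions; the script below is an added example (not part of this test report nor of Wazuh's or Elastic's tooling) that re-checks that end state so a reviewer does not have to read the session by eye. It assumes the paths used in the session (`/etc/filebeat/filebeat.yml`, `/etc/filebeat/certs`); the function name `check_filebeat_setup` is an assumption.

```shell
#!/bin/sh
# Added example: audit the Filebeat configuration produced by the steps above.
# Checks, in order:
#   1. the certs directory is mode 500 (or 700) and every file in it is 400 (or 600),
#      as set by the chmod commands in the session;
#   2. filebeat.yml takes username/password from the keystore (${username},
#      ${password}) instead of carrying literal credentials;
#   3. the output is HTTPS and the root CA used to verify the indexer is listed.
# Usage: check_filebeat_setup /etc/filebeat/filebeat.yml /etc/filebeat/certs
# Returns 0 when every check passes, 1 otherwise; each failure is printed.

# Portable octal-mode lookup: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_filebeat_setup() {
    cfg="$1"
    certdir="$2"
    rc=0

    [ -d "$certdir" ] || { echo "FAIL: $certdir is missing"; return 1; }
    [ -f "$cfg" ]     || { echo "FAIL: $cfg is missing"; return 1; }

    # 1. permissions on the certificate directory and its files
    dmode=$(file_mode "$certdir")
    case "$dmode" in
        500|700) ;;
        *) echo "FAIL: $certdir has mode $dmode, expected 500"; rc=1 ;;
    esac
    for f in "$certdir"/*; do
        [ -e "$f" ] || continue
        fmode=$(file_mode "$f")
        case "$fmode" in
            400|600) ;;
            *) echo "FAIL: $f has mode $fmode, expected 400"; rc=1 ;;
        esac
    done

    # 2. credentials must be keystore references, not plaintext values
    grep -Eq '^[[:space:]]*username:[[:space:]]*\$\{username\}[[:space:]]*$' "$cfg" \
        || { echo "FAIL: username is not a keystore reference"; rc=1; }
    grep -Eq '^[[:space:]]*password:[[:space:]]*\$\{password\}[[:space:]]*$' "$cfg" \
        || { echo "FAIL: password is not a keystore reference"; rc=1; }

    # 3. transport: HTTPS with the root CA pinned for server verification
    grep -Eq '^[[:space:]]*protocol:[[:space:]]*https[[:space:]]*$' "$cfg" \
        || { echo "FAIL: output protocol is not https"; rc=1; }
    grep -Eq '^[[:space:]]*-[[:space:]]*/etc/filebeat/certs/root-ca\.pem[[:space:]]*$' "$cfg" \
        || { echo "FAIL: root-ca.pem is not listed under ssl.certificate_authorities"; rc=1; }

    return $rc
}
```

Run it after `filebeat test output` succeeds: the connection test proves the TLS handshake works, while this script proves the on-disk state would still be acceptable if the key files were later touched by a package upgrade or a copy-paste of a different template.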
jnasselle commented 1 year ago

Wazuh Dashboard - Step-by-step :yellow_circle:

Affected by https://github.com/wazuh/wazuh-documentation/issues/6455, but changing the URL to the proper one allows me to continue the testing

Installation

[root@indexerdashboard vagrant]# yum install libcap
Last metadata expiration check: 0:09:48 ago on Fri 08 Sep 2023 06:31:11 PM UTC.
Package libcap-2.48-4.el8.x86_64 is already installed.
Dependencies resolved.
========================================================================================================
 Package               Architecture          Version                        Repository             Size
========================================================================================================
Upgrading:
 libcap                x86_64                2.48-5.el8_8                   baseos                 73 k

Transaction Summary
========================================================================================================
Upgrade  1 Package

Total download size: 73 k
Is this ok [y/N]: y
Downloading Packages:
libcap-2.48-5.el8_8.x86_64.rpm                                          527 kB/s |  73 kB     00:00    
--------------------------------------------------------------------------------------------------------
Total                                                                    88 kB/s |  73 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                1/1 
  Upgrading        : libcap-2.48-5.el8_8.x86_64                                                     1/2 
  Cleanup          : libcap-2.48-4.el8.x86_64                                                       2/2 
  Running scriptlet: libcap-2.48-4.el8.x86_64                                                       2/2 
  Verifying        : libcap-2.48-5.el8_8.x86_64                                                     1/2 
  Verifying        : libcap-2.48-4.el8.x86_64                                                       2/2 

Upgraded:
  libcap-2.48-5.el8_8.x86_64                                                                            

Complete!
[root@indexerdashboard vagrant]# yum -y install wazuh-dashboard
Last metadata expiration check: 0:10:03 ago on Fri 08 Sep 2023 06:31:11 PM UTC.
Dependencies resolved.
========================================================================================================
 Package                        Architecture          Version                Repository            Size
========================================================================================================
Installing:
 wazuh-dashboard                x86_64                4.6.0-1                wazuh                262 M

Transaction Summary
========================================================================================================
Install  1 Package

Total download size: 262 M
Installed size: 883 M
Downloading Packages:
wazuh-dashboard-4.6.0-1.x86_64.rpm                                       15 MB/s | 262 MB     00:17    
--------------------------------------------------------------------------------------------------------
Total                                                                    15 MB/s | 262 MB     00:17     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                1/1 
  Running scriptlet: wazuh-dashboard-4.6.0-1.x86_64                                                 1/1 
  Installing       : wazuh-dashboard-4.6.0-1.x86_64                                                 1/1 
  Running scriptlet: wazuh-dashboard-4.6.0-1.x86_64                                                 1/1 
  Verifying        : wazuh-dashboard-4.6.0-1.x86_64                                                 1/1 

Installed:
  wazuh-dashboard-4.6.0-1.x86_64                                                                        

Complete!

Dashboard config

[root@indexerdashboard vagrant]# cat /etc/wazuh-dashboard/opensearch_dashboards.yml

server.host: 192.168.56.103
server.port: 443
opensearch.hosts: https://192.168.56.103:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

Dashboard configuration

[root@indexerdashboard vagrant]# NODE_NAME=dashboard
[root@indexerdashboard vagrant]# mkdir /etc/wazuh-dashboard/certs
[root@indexerdashboard vagrant]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@indexerdashboard vagrant]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
[root@indexerdashboard vagrant]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
[root@indexerdashboard vagrant]# chmod 500 /etc/wazuh-dashboard/certs
[root@indexerdashboard vagrant]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@indexerdashboard vagrant]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
[root@indexerdashboard vagrant]# systemctl daemon-reload
[root@indexerdashboard vagrant]# systemctl enable wazuh-dashboard
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
[root@indexerdashboard vagrant]# systemctl start wazuh-dashboard
[root@indexerdashboard vagrant]# vi /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
[root@indexerdashboard vagrant]# systemctl restart wazuh-dashboard
[root@indexerdashboard vagrant]# cat /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
hosts:
  - default:
      url: https://192.168.56.101
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
jnasselle commented 1 year ago

Wazuh Agent installation - Wazuh WUI one-liner deploy using IP :green_circle:

Agent 1

(screenshot)

[root@1b6ebcae8093 /]# curl -o wazuh-agent-4.6.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.6.0-1.x86_64.rpm &&  WAZUH_MANAGER='192.168.56.102' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='agent-to-worker' rpm -ihv wazuh-agent-4.6.0-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9179k  100 9179k    0     0  7290k      0  0:00:01  0:00:01 --:--:-- 7285k
warning: wazuh-agent-4.6.0-1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 29111145: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:wazuh-agent-4.6.0-1              ################################# [100%]
[root@1b6ebcae8093 /]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.6.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

(screenshot)

Agent 2

(screenshot)

[root@ac083c181938 /]# curl -o wazuh-agent-4.6.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.6.0-1.x86_64.rpm && WAZUH_MANAGER='192.168.56.101' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='agent-to-master' rpm -ihv wazuh-agent-4.6.0-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9179k  100 9179k    0     0  7662k      0  0:00:01  0:00:01 --:--:-- 7662k
warning: wazuh-agent-4.6.0-1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 29111145: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:wazuh-agent-4.6.0-1              ################################# [100%]
[root@ac083c181938 /]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.6.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

(screenshot)

Agent status

(screenshot)

jnasselle commented 1 year ago

Wazuh environment exploratory :yellow_circle:

Affected by https://github.com/wazuh/wazuh/issues/18939

jnasselle commented 1 year ago

Wazuh RBAC - How to create and map internal users :green_circle:

Creating and setting a Wazuh admin user

(screenshots)

Creating and setting a Wazuh read-only user

(screenshots)

Creating an internal user and mapping it to Wazuh

(screenshots)

Use case: Give a user permissions to read and manage a group of agents

(screenshots)

davidjiglesias commented 1 year ago

LGTM!