Wazuh - Monitoring dan Log Management

Update the system and add the Wazuh repository

# Update all installed packages, then register the Wazuh 3.x yum repository.
yum update -y
# Import the Wazuh signing key so the gpgcheck=1 line below can verify packages.
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# The quoted delimiter (\EOF) keeps the heredoc body literal (no expansion).
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

install nodejs

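# Fetch the NodeSource setup script to a file instead of piping it straight
# into bash: --fail stops an HTTP error body from being executed, and the
# file can be read before it runs as root.
curl --fail --silent --location https://rpm.nodesource.com/setup_10.x -o /tmp/nodesource_setup.sh
# Inspect /tmp/nodesource_setup.sh before continuing. Note that the Node.js
# 10.x line is end-of-life upstream.
bash /tmp/nodesource_setup.sh
yum install nodejs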

install wazuh-api

# Install the Wazuh API (depends on the Node.js installed above).
# NOTE(review): no enable/start of the wazuh-api service appears on this
# page — confirm the service is running before wiring Kibana to it.
yum install wazuh-api

install wazuh manager

# Install the Wazuh manager, show its current state and enable it at boot.
yum install wazuh-manager
systemctl status wazuh-manager
# NOTE(review): only `enable` is run here; if the package does not start the
# service on install, a `systemctl start wazuh-manager` is still needed —
# check the status output above.
systemctl enable wazuh-manager

install filebeat

# Pin Filebeat to 7.6.0 — the same version as the Elasticsearch and Kibana
# packages installed further down; keep the three in step.
yum install filebeat-7.6.0

Configure Filebeat

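# Fetch the Wazuh-provided Filebeat config, index template and module.
# -f (--fail) makes curl exit non-zero on an HTTP error instead of writing the
# error page into the target file; -s stays silent, -o names the output file.
curl -sfo /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/filebeat/7.x/filebeat.yml
# Make the fetched files readable by non-root users.
chmod go+r /etc/filebeat/filebeat.yml
curl -sfo /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
# Unpack the Wazuh Filebeat module straight from the download stream.
# NOTE(review): nothing here verifies the archive's integrity; if the vendor
# publishes a checksum for wazuh-filebeat-0.1.tar.gz, compare it before
# extracting into the module directory.
curl -sf https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module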

Filebeat configuration

# Wazuh - Filebeat configuration file
# Ship the Wazuh module's alerts stream only; the archives stream stays off.
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

# Load the Wazuh index template fetched to /etc/filebeat above, replacing any
# existing template of the same name; index lifecycle management is disabled.
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false

# NOTE(review): plain http and no credentials are configured for the
# Elasticsearch output, so alert data crosses the network unencrypted and
# unauthenticated — confirm that is acceptable for this network or enable
# TLS and authentication on both sides.
output.elasticsearch.hosts: ['http://10.148.0.9:9200']

Enable and start the Filebeat service

# Reload unit files, then enable Filebeat at boot and start it now.
systemctl daemon-reload
systemctl enable filebeat.service
systemctl start filebeat.service

install elastic repo

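# Import the Elastic signing key first, matching the Wazuh repo step above,
# so gpgcheck=1 can verify packages without an interactive key prompt.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Register the Elastic 7.x yum repository. Each key must be on its own line;
# the original had the whole body (and the EOF terminator) collapsed onto one
# line, which leaves the heredoc unterminated.
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF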

# Install Elasticsearch pinned to 7.6.0, the same version as Filebeat and Kibana.
yum install elasticsearch-7.6.0

konfigurasi elasticsearch.yml

# Elasticsearch settings for what appears to be a single-node cluster.
node.name: wazuh-node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Bind to the host's private address rather than loopback so Filebeat, Kibana
# and ElastAlert can reach it; this also makes the REST API reachable by
# anything else on that network.
# NOTE(review): no xpack.security.* settings appear on this page, so the
# cluster would accept unauthenticated reads and writes — confirm or enable them.
network.host: 10.148.0.9
# Bootstrap the cluster with this node as the only master-eligible node.
cluster.initial_master_nodes: ["wazuh-node-1"]

Enable and start the Elasticsearch service

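# Reload unit files, then enable and start Elasticsearch. These are three
# separate commands; the original ran them on one line, which systemctl
# rejects (daemon-reload takes no unit arguments).
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service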

filebeat setup

# One-off run of Filebeat's index-management setup against Elasticsearch.
# The JSON template load from filebeat.yml is switched off via -E for this
# run only; the setting in the file is unchanged.
filebeat setup --index-management -E setup.template.json.enabled=false

install kibana

# Install Kibana pinned to 7.6.0 to match Elasticsearch and Filebeat.
yum install kibana-7.6.0

konfig kibana

# Open Kibana's config and set the two keys shown below.
nano /etc/kibana/kibana.yml
# Listen on every interface, not only loopback.
# NOTE(review): no authentication settings appear on this page, so Kibana
# would be reachable unauthenticated from any network this host is on —
# restrict the bind address or put auth in front of it.
server.host: "0.0.0.0"
# Point Kibana at the Elasticsearch node configured above (plain http).
elasticsearch.hosts: ["http://10.148.0.9:9200"]

Enable and start the Kibana service

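# Reload unit files, enable Kibana at boot and start it.
systemctl daemon-reload
systemctl enable kibana.service
systemctl start kibana.service
# kibana-plugin is invoked by a relative path, so it must run from Kibana's
# install directory (the original had no cd and fails elsewhere); running it
# as the kibana user keeps the plugin files owned by that account.
cd /usr/share/kibana && sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.4_7.6.0.zip
# Restart so the newly installed Wazuh app is loaded.
systemctl restart kibana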

install elastalert

# Clone ElastAlert into /usr/local/etc/elastalert (the WorkingDirectory used
# by the unit file below).
# NOTE(review): this clones the unpinned default branch, and the step that
# installs the /usr/local/bin/elastalert entry point the unit file expects
# is not shown on this page — pin a release and confirm the install step.
cd /usr/local/etc/
git clone https://github.com/Yelp/elastalert.git

# Edit the ElastAlert config with the contents shown below.
# NOTE(review): this edits config.yml, but the unit file below passes
# --config .../config.yaml — one of the two names is wrong; confirm which.
vim config.yml

# ElastAlert global settings. Rules live in ./rules relative to the working
# directory set in the unit file.
rules_folder: rules
# Query Elasticsearch once a minute, looking back 15 minutes per run.
run_every:
  minutes: 1
buffer_time:
  minutes: 15
# NOTE(review): no use_ssl / es_username / es_password appear here, so
# ElastAlert talks to Elasticsearch over plain http without credentials —
# consistent with the other components on this page, but confirm it is intended.
es_host: 10.148.0.9
es_port: 9200
# Index and alias ElastAlert writes its own state and alert records to.
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
# Keep retrying a failed alert for up to two days.
alert_time_limit:
  days: 2
use_local_time: true

Create a custom unit file at /lib/systemd/system/elastalert.service

# systemd unit that runs ElastAlert after Elasticsearch is up.
[Unit]
Description=Severe_logalerts
After=elasticsearch.service

[Service]
Type=simple
# Must match the clone location above so rules_folder: rules resolves.
WorkingDirectory=/usr/local/etc/elastalert
# NOTE(review): no User= is set, so ElastAlert runs as root; a dedicated
# unprivileged account is enough for its work and limits the impact of a
# compromised rule or dependency.
# NOTE(review): the config edited above is config.yml, while this passes
# config.yaml — confirm the file name matches what was written.
ExecStart=/usr/local/bin/elastalert --verbose --config /usr/local/etc/elastalert/config.yaml

[Install]
WantedBy=multi-user.target

Start and enable the ElastAlert service

# Start ElastAlert now and enable it at boot. A `systemctl daemon-reload` is
# needed first if the unit file above was just created.
systemctl start elastalert.service
systemctl enable elastalert.service