
Wazuh 4.7.2 deployment

Deploying the latest Wazuh release

The following configuration applies to CentOS 7 and later, Red Hat, and AWS Linux-kernel operating systems

I. Install the Wazuh indexer

Official documentation:
https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/installation-assistant.html

1. Download the Wazuh installation assistant and the configuration file
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.7/config.yml
2. vi ./config.yml

Set the name and ip fields in the three sections indexer:, server: and dashboard: according to your own environment

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"
3. Run the Wazuh installation assistant with the --generate-config-files option to generate the Wazuh cluster key, certificates and passwords needed for the installation; you will find these files in ./wazuh-install-files.tar.
bash wazuh-install.sh --generate-config-files
4. Install the wazuh-indexer service
bash wazuh-install.sh --wazuh-indexer node-1

The node-1 after the --wazuh-indexer argument is the indexer name defined in config.yml

5. Initialize the Wazuh cluster
bash wazuh-install.sh --start-cluster
6. Run the following command to get the admin password
tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
7. View cluster information

Replace <ADMIN_PASSWORD> with the admin user's password obtained from the output of the previous command,
and replace <WAZUH_INDEXER_IP> with the IP address of the configured Wazuh indexer

curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200

Sample output:

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
8. Check that the cluster is working correctly:
curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
systemctl status wazuh-indexer
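The assistant does not validate config.yml before it starts, and the name passed to --wazuh-indexer (and later to --wazuh-server and --wazuh-dashboard) must match a name: entry in that file. The pre-flight script below is an added example written for this page; it is not part of Wazuh or of the original post. It assumes the config.yml layout shown above and refuses to proceed if template placeholders are still present or the requested node name is not defined in the right section.

```shell
#!/bin/sh
# Added pre-flight check for the installation-assistant workflow (example code for this
# page, not part of Wazuh). Assumes the config.yml layout shown above:
# nodes: -> indexer:/server:/dashboard: -> "- name:" / "ip:" entries.

# Return 0 when no "<...>" placeholders remain on active (non-comment) lines of config.yml.
# Prints the offending lines to stderr otherwise.
config_has_no_placeholders() {
    _cfg="$1"
    _bad=$(grep -v '^[[:space:]]*#' "$_cfg" | grep '<[^>]*>' || true)
    if [ -n "$_bad" ]; then
        printf 'unfilled placeholders in %s:\n%s\n' "$_cfg" "$_bad" >&2
        return 1
    fi
    return 0
}

# Return 0 when section $2 (indexer, server or dashboard) of config.yml $1 defines a node
# named $3. Commented-out example nodes are ignored.
config_has_node() {
    awk -v section="$2" -v node="$3" '
        /^[[:space:]]*#/ { next }                                # skip commented lines
        /^  [a-z]+:/     { cur = $1; sub(/:$/, "", cur); next } # "  indexer:" etc.
        cur == section && $1 == "-" && $2 == "name:" && $3 == node { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write a constructed config.yml to $1 using indexer ip $2. Passing the literal
# "<indexer-node-ip>" reproduces the downloaded template; the other ips are constructed.
write_sample_config() {
    cat > "$1" <<EOF
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "$2"
    #- name: node-2
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  server:
    - name: wazuh-1
      ip: "10.0.0.6"

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "10.0.0.7"
EOF
}

# Combined check to run before "bash wazuh-install.sh --wazuh-<component> <name>".
preflight() {
    _cfg="$1"; _component="$2"; _name="$3"
    config_has_no_placeholders "$_cfg" || return 1
    if ! config_has_node "$_cfg" "$_component" "$_name"; then
        echo "no node named '$_name' in section '$_component' of $_cfg" >&2
        return 1
    fi
    echo "ok: $_component node $_name found in $_cfg"
}

# Demo on constructed files (no network, nothing installed).
_tmp=$(mktemp -d)
write_sample_config "$_tmp/template.yml" '<indexer-node-ip>'
write_sample_config "$_tmp/filled.yml" '10.0.0.5'
preflight "$_tmp/template.yml" indexer node-1 || echo "refused: placeholders left"
preflight "$_tmp/filled.yml" indexer node-1
preflight "$_tmp/filled.yml" indexer node-2 || echo "refused: node-2 is commented out"
rm -rf "$_tmp"
```

On a real host, run `preflight ./config.yml indexer node-1` right before the `--wazuh-indexer` step, and the same with `server wazuh-1` and `dashboard dashboard` before the later steps.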

II. Install the wazuh-server component:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
bash wazuh-install.sh --wazuh-server wazuh-1
systemctl status wazuh-manager

III. Install the Wazuh dashboard (optional)

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
bash wazuh-install.sh --wazuh-dashboard dashboard

The output shows the web interface address and login information:

INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
   User: admin
   Password: <ADMIN_PASSWORD>

INFO: Installation finished.

Check the status of the wazuh-dashboard service:

systemctl status wazuh-dashboard 

Wazuh is now installed and configured.
To find all the passwords the Wazuh installation assistant generated in the archive, run the following command:

tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

For the Wazuh server to communicate normally with Wazuh agents, the following ports must be open:

1514/TCP for agent communication.
1515/TCP for enrollment via automatic agent request.
55000/TCP for enrollment via the manager API.
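A quick way to confirm the manager is actually listening on those three ports before enrolling agents is to parse `ss -ltn` output. The script below is an added example written for this page (not part of Wazuh): it reports any required port without a listener, and shows the firewalld commands to open them, which assumes the host uses firewalld as CentOS/RHEL do by default. The `ss` snapshots are constructed so the check runs offline.

```shell
#!/bin/sh
# Added listener check for the manager-side agent ports (example code for this page,
# not part of Wazuh). Reads `ss -ltn` output on stdin, real or constructed.

# Ports agents need on the manager (from the page): 1514 agent traffic,
# 1515 enrollment, 55000 manager API.
WAZUH_AGENT_PORTS="1514 1515 55000"

# Print each required port that has no listener in the `ss -ltn` text on stdin.
# Returns 0 when all are listening, 1 otherwise.
missing_agent_ports() {
    # Column 4 is "Local Address:Port"; keep the text after the last ':' so that
    # 0.0.0.0:1514, [::]:1514 and *:1514 all yield 1514. NR > 1 skips the header.
    _listening=$(awk 'NR > 1 { n = split($4, a, ":"); print a[n] }')
    _rc=0
    for _p in $WAZUH_AGENT_PORTS; do
        if ! printf '%s\n' "$_listening" | grep -qx "$_p"; then
            echo "$_p"
            _rc=1
        fi
    done
    return $_rc
}

# Open the required ports in firewalld (needs root; assumes firewalld; not run here).
open_agent_ports_firewalld() {
    for _p in $WAZUH_AGENT_PORTS; do
        firewall-cmd --permanent --add-port="$_p/tcp"
    done
    firewall-cmd --reload
}

# Constructed `ss -ltn` snapshot of a manager where the enrollment port 1515 is not up.
sample_ss_missing_1515() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128            0.0.0.0:1514         0.0.0.0:*
LISTEN  0       128                  *:55000              *:*
EOF
}

# Constructed snapshot with all three listeners present (IPv4 and IPv6 forms mixed).
sample_ss_all_listening() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN  0       128            0.0.0.0:1514         0.0.0.0:*
LISTEN  0       128               [::]:1515            [::]:*
LISTEN  0       128                  *:55000              *:*
EOF
}

# Demo. On a real manager use:  ss -ltn | missing_agent_ports
if _missing=$(sample_ss_missing_1515 | missing_agent_ports); then
    echo "all agent ports listening"
else
    echo "not listening: $_missing"
fi
```

A port that is listening locally but still unreachable from the agent points at the host firewall or a cloud security group, which is where `open_agent_ports_firewalld` (or the equivalent security-group rule) comes in.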
IV. Install the wazuh-agent

Official reference documentation: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html

curl -o wazuh-agent-4.7.2-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.2-1.x86_64.rpm \
&& sudo WAZUH_MANAGER='<wazuh-server-ip>' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='<agent-name>' rpm -ihv wazuh-agent-4.7.2-1.x86_64.rpm

Check the wazuh-agent service status and enable it at boot:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
sudo systemctl restart wazuh-agent
sudo systemctl status wazuh-agent
V. Configure email alerts on the Wazuh server (notes from experience, after quite a few pitfalls)

Reference link: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html

Environment preparation for installing postfix3:

yum update && yum install mailx cyrus-sasl cyrus-sasl-plain
1. Install postfix3
yum install http://mirror.ghettoforge.org/distributions/gf/el/7/plus/x86_64/postfix3-3.8.5-1.gf.el7.x86_64.rpm
2. vi /etc/postfix/main.cf

Be sure to append these settings to the existing base main.cf configuration rather than replacing it

relayhost = [smtp.qiye.aliyun.com]:465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes

Configure the mailbox account and password:

Note: the password used for authentication must be the mailbox's third-party client security password, not the password used to log in to the mailbox directly

echo [smtp.qiye.aliyun.com]:465 <mailbox-account>:<mailbox-security-password> > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chmod 400 /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

systemctl restart postfix
systemctl status postfix
systemctl enable postfix
3. Send a test email
echo "Test mail from postfix" | mail -s "Test Sendmail" -r "<sender-mailbox-used-for-relay>" <recipient-mailbox>

To view the status of the mail queue, run the following command:

postqueue -p

Clear all pending mail:

postsuper -d ALL
4. Finally, configure email notifications in the Wazuh server's configuration file

vim /var/ossec/etc/ossec.conf

<global>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>USERNAME@gmail.com</email_from>
  <email_to>you@example.com</email_to>
</global>

Restart the service:

systemctl restart wazuh-manager
systemctl status wazuh-manager
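Most of the pitfalls in this section leave mail silently sitting in `postqueue -p` with an authentication error: the lookup key in sasl_passwd not matching relayhost character for character (the brackets and port are part of the key), forgetting to rerun postmap after editing sasl_passwd, or the credential file being readable by other users. The script below is an added example written for this page (not part of Postfix or Wazuh) that checks those three things against main.cf and sasl_passwd; it assumes the single-line `relayhost = [host]:port` form used above and runs its demo on constructed files.

```shell
#!/bin/sh
# Added consistency check for the Postfix SASL relay setup above (example code for
# this page, not part of Postfix or Wazuh). Assumes main.cf has one
# "relayhost = [host]:port" line and sasl_passwd lines of the form "[host]:port user:password".

# Print the effective relayhost from main.cf (last definition wins, as in Postfix).
relayhost_of() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*relayhost[[:space:]]*$/ {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            last = v
        }
        END { if (last != "") print last }
    ' "$1"
}

# Return 0 when sasl_passwd $1 has an active line whose lookup key equals $2 exactly.
# Postfix looks the key up verbatim, so "[host]:465" and "host:465" are different keys.
sasl_has_entry() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 when $1.db exists and is newer than $1, i.e. postmap ran after the last edit.
sasl_db_current() {
    [ -f "$1.db" ] && [ "$1.db" -nt "$1" ]
}

# Return 0 when no group/other permission bits are set on $1 (0600 or 0400).
mode_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run all checks, print each finding, return 0 only when every check passes.
check_relay_auth() {
    _main="$1"; _sasl="$2"; _rc=0
    _relay=$(relayhost_of "$_main")
    if [ -z "$_relay" ]; then
        echo "FAIL: no relayhost in $_main"; return 1
    fi
    sasl_has_entry "$_sasl" "$_relay" \
        && echo "ok: $_sasl has an entry for $_relay" \
        || { echo "FAIL: no entry in $_sasl matching relayhost '$_relay'"; _rc=1; }
    sasl_db_current "$_sasl" \
        && echo "ok: $_sasl.db is up to date" \
        || { echo "FAIL: $_sasl.db missing or older than $_sasl (run postmap)"; _rc=1; }
    for _f in "$_sasl" "$_sasl.db"; do
        [ -f "$_f" ] || continue
        mode_private "$_f" \
            && echo "ok: $_f is not readable by group/other" \
            || { echo "FAIL: $_f is readable by group/other (chmod 0600)"; _rc=1; }
    done
    # Ownership needs root to fix, so it is reported as a warning rather than a failure.
    [ "$(ls -ld "$_sasl" | awk '{print $3}')" = root ] \
        || echo "warn: $_sasl is not owned by root (chown root:root on a real server)"
    return $_rc
}

# Demo on constructed files in a temp dir. On a real server run:
#   check_relay_auth /etc/postfix/main.cf /etc/postfix/sasl_passwd
_d=$(mktemp -d)
printf 'relayhost = [smtp.qiye.aliyun.com]:465\nsmtp_sasl_auth_enable = yes\n' > "$_d/main.cf"
# Constructed credential line; the key deliberately lacks the brackets to show the mismatch.
printf 'smtp.qiye.aliyun.com:465 alerts@example.com:app-password\n' > "$_d/sasl_passwd"
chmod 600 "$_d/sasl_passwd"
check_relay_auth "$_d/main.cf" "$_d/sasl_passwd" || echo "fix the findings above before restarting postfix"
rm -rf "$_d"
```

Run the check after every edit to sasl_passwd and before `systemctl restart postfix`; a FAIL on the postmap line is the usual explanation for a test mail that stays in the queue even though the credentials are correct.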
