Reference links

Preface

Note that this walkthrough is not a production setup: the same certs are reused everywhere, and it is only meant for a quick teaching install.

Note: the wazuh-manager version used in this tutorial is 4.4.4. If your wazuh-manager is another version, such as 4.5, be sure to change every 4.4 in the scripts below to 4.5.

# originally 4.4
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.4/tpl/elastic-basic/elasticsearch_all_in_one.yml

# change it to 4.5
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml
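To make that version caveat checkable, here is an added helper (not from the original post) that derives the release branch from a full wazuh-manager version, builds the template URL for that branch, and counts the lines of an install script whose versioned packages.wazuh.com or wazuh GitHub URLs point at a different branch. The function names are hypothetical and the sample script lines are constructed; the branch-less 4.x apt repository URL is deliberately not counted.

```shell
#!/bin/sh
# Added example (not from the original post): derive the release branch from a
# full wazuh-manager version and check that every template / extension URL in an
# install script points at that same branch. The sample script below is constructed.

# Print the branch ("4.4") for a full version ("4.4.4"); fail on anything else.
wazuh_branch() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "${1%.*}" ;;
    *) return 1 ;;
  esac
}

# Build the elastic-basic template URL for a branch and a template file name.
wazuh_tpl_url() {
  printf 'https://packages.wazuh.com/%s/tpl/elastic-basic/%s\n' "$1" "$2"
}

# Print how many URLs in file $1 use a release branch other than $2.
# Only versioned paths (digits.digits) count; the 4.x apt repository has no branch and is skipped.
check_script_versions() {
  grep -oE 'packages\.wazuh\.com/[0-9]+\.[0-9]+/|githubusercontent\.com/wazuh/wazuh/[0-9]+\.[0-9]+/' "$1" \
    | grep -vF -- "/$2/" | wc -l | tr -d ' '
}

# Constructed sample of the tutorial's download lines (all pinned to 4.4).
SAMPLE_SCRIPT='curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.4/tpl/elastic-basic/kibana.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.4/extensions/elasticsearch/7.x/wazuh-template.json
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main"'

# Run the check for a manager version against the constructed sample; prints the mismatch count.
demo_check() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_SCRIPT" > "$tmp"
  check_script_versions "$tmp" "$(wazuh_branch "$1")"
  rm -f "$tmp"
}

# e.g. `sh check_versions.sh 4.5.0` prints 2: two 4.4 URLs would need changing.
if [ $# -gt 0 ]; then demo_check "$1"; fi
```

Point check_script_versions at your own saved install script to find every URL that still pins the old branch.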

Two VMs were created on Proxmox with the following specs:

Elastic Stack installation

Filebeat is installed on the same machine as Wazuh.

  1. Install a few extra packages, such as curl and unzip, that later steps need:
apt-get install apt-transport-https zip unzip lsb-release curl gnupg
  2. Add the Elastic Stack repository. The first command imports Elasticsearch's GPG public key so the system can verify the signatures on Elasticsearch's APT packages; the second registers the repository and ties it to that key:
# Download Elasticsearch's GPG public key with curl and import it into a dedicated keyring with gpg:
# --no-default-keyring skips the default keyring, --keyring names the keyring to import into, and
# chmod 644 makes /usr/share/keyrings/elasticsearch.gpg readable by everyone (apt must read it) while only root can write it.
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg

# Create /etc/apt/sources.list.d/elastic-7.x.list containing the APT repository URL.
# [signed-by=/usr/share/keyrings/elasticsearch.gpg] restricts signature verification for this repository to the key
# imported above, so packages from it are only accepted if they are signed with that key and have not been modified.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

apt-get update
  3. Install the Elasticsearch package:
apt-get install elasticsearch=7.17.6
  4. Download the configuration file /etc/elasticsearch/elasticsearch.yml as follows.
    If the node must be reachable from other machines, remember to set network.host to 0.0.0.0; by default Elasticsearch only listens on 127.0.0.1 and refuses every other client. This exposes port 9200 on every interface, which is why the TLS and password setup in the next steps matters.
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.4/tpl/elastic-basic/elasticsearch_all_in_one.yml

# open and edit elasticsearch.yml
vim /etc/elasticsearch/elasticsearch.yml
# set the following (YAML syntax: colon, not equals sign)
# network.host: 0.0.0.0
  5. Download the configuration file for creating the certificates.
    Remember to change the ip in instances.yml to the machine's real IP; otherwise connections from other machines will fail certificate verification.
# Download instances_aio.yml with curl and save it as /usr/share/elasticsearch/instances.yml.
# -s is silent mode (no progress or error output); -o sets the output path and file name.
curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.4/tpl/elastic-basic/instances_aio.yml

# edit instances.yml
vim /usr/share/elasticsearch/instances.yml
# so that it looks like this:
instances:
  - name: "elasticsearch"
    ip:
      - "<elastic-ip>"   # change this

# elasticsearch-certutil options:
# "cert" generates a certificate, "ca" means the CA certificate is generated as well,
# "--pem" produces PEM-format files,
# "--in instances.yml" uses the instances.yml edited above as the certificate description,
# "--keep-ca-key" keeps the CA private key in the output,
# "--out ~/certs.zip" writes the certificates and keys into certs.zip in the current user's home directory.
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip

# unzip
unzip ~/certs.zip -d ~/certs
  6. Next, create the directory /etc/elasticsearch/certs and copy the CA file, the certificate and the key there:
# mkdir creates a directory; -p also creates any missing parent directories.
mkdir /etc/elasticsearch/certs/ca -p
# copy everything under ~/certs/ca/ and ~/certs/elasticsearch/ into /etc/elasticsearch/certs/
cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/

# -R changes owner and group recursively; "elasticsearch:" sets the owner to the elasticsearch user and,
# because nothing follows the colon, the group to that user's primary group.
chown -R elasticsearch: /etc/elasticsearch/certs

# 500: the owner gets read and execute but not write; group and others get nothing.
chmod -R 500 /etc/elasticsearch/certs

# chmod 400 is the usual setting for sensitive files: only the owner may read them, nobody else has access;
# chmod 500 is the usual setting for directories: only the owner may enter them, nobody else has access.
chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*

# remove the working copies (if you will copy certs.zip to the other VM as in the Filebeat step, do that first)
rm -rf ~/certs/ ~/certs.zip
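The ownership and permission layout set up above (and repeated for the Filebeat and Kibana cert directories later) is easy to get wrong when copying files around, so here is an added audit script (not from the original post) that walks a certs directory and reports every entry whose mode or owner differs from the expected 500 for directories, 400 for files and the given service user. The function names are hypothetical, it assumes a stat that supports -c (GNU or BusyBox), and the sample tree it builds under a temp directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a certs directory against the
# layout the tutorial sets up with chown/chmod: every directory 500, every cert and
# key file 400, everything owned by the service user. Assumes GNU/BusyBox `stat -c`.

# Print one line per entry whose mode or owner differs from the expected layout.
# Usage: audit_certs /etc/elasticsearch/certs elasticsearch
audit_certs() {
  dir=$1; owner=$2
  find "$dir" \( -type d -o -type f \) | while IFS= read -r path; do
    mode=$(stat -c '%a' "$path")
    user=$(stat -c '%U' "$path")
    if [ -d "$path" ]; then want=500; else want=400; fi
    [ "$mode" = "$want" ] || printf '%s: mode %s, expected %s\n' "$path" "$mode" "$want"
    [ "$user" = "$owner" ] || printf '%s: owner %s, expected %s\n' "$path" "$user" "$owner"
  done
}

# Number of violations; 0 means the directory matches the tutorial's layout.
audit_certs_count() {
  audit_certs "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed copy of the tutorial's layout under a temp dir, owned by the
# current user, so the audit can be exercised without touching /etc. Prints the path.
make_sample_certs() {
  d=$(mktemp -d)
  mkdir -p "$d/ca"
  : > "$d/ca/ca.crt"; : > "$d/ca/ca.key"
  : > "$d/elasticsearch.crt"; : > "$d/elasticsearch.key"
  chmod 400 "$d/ca/ca.crt" "$d/ca/ca.key" "$d/elasticsearch.crt" "$d/elasticsearch.key"
  chmod 500 "$d/ca" "$d"
  printf '%s\n' "$d"
}

# Remove a sample tree (its directories are 500, so restore the write bit first).
cleanup_sample_certs() {
  chmod -R u+w "$1" && rm -rf "$1"
}
```

Run `audit_certs /etc/kibana/certs kibana` (as root) after the Kibana step to confirm nothing was left readable by other users.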
  7. Start the service and generate credentials for all the Elastic Stack pre-built roles and users:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

# create passwords for the built-in users and roles
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
  8. The following users and passwords are created; the output looks like this:
Changed password for user apm_system
PASSWORD apm_system = rj5cEOP5ahI5lNNDVuG6

Changed password for user kibana_system
PASSWORD kibana_system = Jqi6Q0UKiOkntBikCBSe

Changed password for user kibana
PASSWORD kibana = Jqi6Q0UKiOkntBikCBSe

Changed password for user logstash_system
PASSWORD logstash_system = Y6NzFN8qelmUjEXIsBtr

Changed password for user beats_system
PASSWORD beats_system = 8Y7JmIyfgyfBvUduyYiM

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = XBXvJEu2PG5dD8H8L9X7

Changed password for user elastic
PASSWORD elastic = dWAntWBQeyMIuPNFxydS
  9. To check that the installation was made successfully, run the following command, replacing <elastic_password> with the password generated in the previous step for the elastic user:
curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k

# example
# -u passes the user name and password
# -k skips TLS certificate verification (acceptable for this local check against the self-signed cert)
curl -XGET https://localhost:9200 -u elastic:dWAntWBQeyMIuPNFxydS -k

Install Wazuh

  1. Add the Wazuh repository:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

apt-get update
  2. Install the Wazuh manager:
apt-get install wazuh-manager

# (re)start
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

# confirm the version is 4.4.4; if not, remember to update every 4.4 reference in the related packages and scripts
/var/ossec/bin/wazuh-control -j info
  3. Check that the service is running:
systemctl status wazuh-manager

Install Filebeat

  1. Install Filebeat:
# apt-key is deprecated on current Debian/Ubuntu; the signed-by keyring method used in the Elastic Stack section above is the preferred way to add this key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

sudo apt-get install apt-transport-https

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

sudo apt-get update

apt-get install filebeat=7.17.6

# Filebeat configuration for shipping to Elasticsearch
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.4/tpl/elastic-basic/filebeat_all_in_one.yml

  2. Download the alerts template for Elasticsearch:
# index template for the Wazuh alert JSON that Filebeat sends
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.4/extensions/elasticsearch/7.x/wazuh-template.json

# g = group, o = others, +r = add read permission
chmod go+r /etc/filebeat/wazuh-template.json
  3. Download the Wazuh module for Filebeat:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
  4. Change the Elasticsearch IP and the user name and password in filebeat.yml:
vim /etc/filebeat/filebeat.yml
# Replace elasticsearch_password with the previously generated password for the elastic user.
output.elasticsearch.password: <elasticsearch_password>
  5. Copy the certificates into /etc/filebeat/certs/ (I copied certs.zip over from vm2 with scp):
# copy the file from vm2 to vm1
scp {vm2_user_name}@{vm2-ip}:/home/user/certs.zip ~/

# unzip
unzip ~/certs.zip -d ~/certs
# mkdir creates a directory; -p also creates any missing parent directories.
mkdir /etc/elasticsearch/certs/ca -p
# copy everything under ~/certs/ca/ and ~/certs/elasticsearch/ into /etc/elasticsearch/certs/
cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/

# put ca.crt into Filebeat's certs directory (create it first so the CA lands in certs/ca/ rather than in certs/ itself)
mkdir -p /etc/filebeat/certs
cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
# reuse Elasticsearch's crt and key as Filebeat's (normally you would generate Filebeat's own)
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key
  6. Enable and start the Filebeat service:
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

# test the connection to Elasticsearch
filebeat test output

Install Kibana

  1. Add these repositories first; otherwise apt-get cannot install the pinned (or latest) version:
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg

echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

apt-get update

apt-get install kibana=7.17.6

  2. Here I reuse elasticsearch.key and elasticsearch.crt as Kibana's key and crt, and the certs.zip is the one from Elasticsearch:
# put ca.crt into Kibana's certs directory (create the parent first so cp creates certs/ca/)
mkdir -p /etc/kibana/certs
cp -r /etc/elasticsearch/certs/ca/ /etc/kibana/certs/ca/
# reuse Elasticsearch's crt and key as Kibana's (normally you would generate Kibana's own)
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key

# fix ownership and permissions
chown -R kibana: /etc/kibana/certs
chmod -R 500 /etc/kibana/certs
chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
rm -rf ~/certs ~/certs.zip
  3. Download the Wazuh template for Kibana:
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.4/tpl/elastic-basic/kibana.yml

# Edit the /etc/kibana/kibana.yml file:
server.host: <kibana_ip> # change to the IP of the machine running Kibana
# change to the IP or DNS name of the machine running Elasticsearch
elasticsearch.hosts: "https://<elasticsearch_DN>:9200"
elasticsearch.password: <elasticsearch_password>

# Create the /usr/share/kibana/data directory:
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana

# Install the Wazuh Kibana plugin:
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.4.4_7.17.6-1.zip

# let Kibana's node binary bind to privileged ports (443) without running as root
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
  4. On startup, Kibana begins downloading what it needs under /usr/share/kibana, including the Wazuh-related plugin assets:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
  5. Once it is up, edit wazuh.yml so the app calls the right Wazuh API; the file is at /usr/share/kibana/data/wazuh/config/wazuh.yml:
vim /usr/share/kibana/data/wazuh/config/wazuh.yml
# change the content as follows
hosts:
  - default:
      url: https://localhost   # change this to the Wazuh manager's IP
      port: 55000
      username: wazuh-wui      # default API credentials; change them in a real deployment
      password: wazuh-wui
      run_as: false
  6. Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<kibana_ip>
user: elastic
password: <PASSWORD_elastic>

Pitfall 1: Wazuh too new, Kibana plugin too old

The Wazuh API is 4.4.4 but the app is 4.3.10, so the versions do not match; this is because of the Wazuh plugin in Kibana.

# become root first
sudo su

# list the plugins currently installed in Kibana and check whether wazuh is 4.3.10; we want 4.4.4
/usr/share/kibana/bin/kibana-plugin list

# a 4.3 version is too old: remove it first
/usr/share/kibana/bin/kibana-plugin remove wazuh

# then reinstall
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.4.4_7.17.6-1.zip

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

# restart
systemctl restart kibana