部署wazuh server/agent以及生命週期策略


Deploy wazuh server/agent and life cycle policy

首先附上官方教學

硬體規格

安裝步驟

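# Fetch the upstream Compose bundle; the tag must match the image versions in docker-compose.yml
git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.0

# Enter the single-node layout (path is relative to wherever the clone above was run,
# not necessarily $HOME)
cd wazuh-docker/single-node

# Generate the self-signed CA and node certificates; docker-compose.yml mounts them
# from ./config/wazuh_indexer_ssl_certs/. Keep the generated *-key.pem files out of
# version control and readable only by the deploying user.
docker compose -f generate-indexer-certs.yml run --rm generator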

#檢查或配置docker-compose腳本

docker-compose.yml運行腳本(需修改帳號密碼)

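# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# Single-node deployment: manager, indexer and dashboard on one Compose network.
# Values written as <...> are placeholders the operator fills in before `up -d`.
# `version` is ignored by Compose v2 (it only prints a warning) but kept for older clients.
version: '3.7'

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.8.0
    hostname: wazuh.manager
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    # All four ports are published on every host interface; restrict them at the
    # host firewall to the agent subnet and the admin network.
    ports:
      - "1514:1514"      # agent event channel
      - "1515:1515"      # agent enrollment
      - "514:514/udp"    # syslog collector; unauthenticated, publish only if used
      - "55000:55000"    # manager REST API
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=<INDEXER_帳號>
      - INDEXER_PASSWORD=<INDEXER_密碼>
      # Filebeat validates the indexer certificate against the CA mounted below.
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      # Upstream default API credentials: change API_PASSWORD before exposing 55000.
      # The dashboard service's API_USERNAME/API_PASSWORD must match these values.
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      # Certificates produced by generate-indexer-certs.yml
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    hostname: wazuh.indexer
    restart: always
    # Published so the liveness check against https://<host ip>:9200 works. If only
    # the manager and dashboard need it, bind to loopback instead: "127.0.0.1:9200:9200".
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      # internal_users.yml holds the indexer account hashes; keep it in sync with the
      # INDEXER_PASSWORD / DASHBOARD_PASSWORD values used by the other two services.
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.0
    hostname: wazuh.dashboard
    restart: always
    # The UI is reached on host port 443, not 5601 (quoted like the other mappings).
    ports:
      - "443:5601"
    environment:
      - INDEXER_USERNAME=<INDEXER_帳號>
      - INDEXER_PASSWORD=<INDEXER_密碼>
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=<DASHBOARD_帳號>
      - DASHBOARD_PASSWORD=<DASHBOARD_密碼>
      # Must equal the manager's API_USERNAME / API_PASSWORD
      - API_USERNAME=<API_帳號>
      - API_PASSWORD=<API_密碼>
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      - wazuh.indexer
    # `links` is legacy; service names already resolve on the Compose network.
    # Kept because it also orders startup after wazuh.manager.
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager

volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  wazuh-dashboard-config:
  wazuh-dashboard-custom: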

建議修改的部分有以下(相關組件的密碼,以及是否將掛載目錄映射出來)

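# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# Single-node deployment, modified so the indexer data lives in a host directory.
# Values written as <...> are placeholders the operator fills in before `up -d`.
# `version` is ignored by Compose v2 (it only prints a warning) but kept for older clients.
version: '3.7'

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.8.0
    hostname: wazuh.manager
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    # All four ports are published on every host interface; restrict them at the
    # host firewall to the agent subnet and the admin network.
    ports:
      - "1514:1514"      # agent event channel
      - "1515:1515"      # agent enrollment
      - "514:514/udp"    # syslog collector; unauthenticated, publish only if used
      - "55000:55000"    # manager REST API
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=<INDEXER_帳號>
      - INDEXER_PASSWORD=<INDEXER_密碼>
      # Filebeat validates the indexer certificate against the CA mounted below.
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      # Upstream default API credentials: change API_PASSWORD before exposing 55000.
      # The dashboard service's API_USERNAME/API_PASSWORD must match these values.
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      # Certificates produced by generate-indexer-certs.yml
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    hostname: wazuh.indexer
    restart: always
    # Published so the liveness check against https://<host ip>:9200 works. If only
    # the manager and dashboard need it, bind to loopback instead: "127.0.0.1:9200:9200".
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      # Indexer data is bind-mounted to a host directory instead of a named volume so
      # it can be backed up and monitored directly. The container process must be able
      # to write there: create the directory first and give it the ownership the
      # wazuh-docker README specifies for the indexer user - verify on your host.
      - ./volumes/wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      # internal_users.yml holds the indexer account hashes; keep it in sync with the
      # INDEXER_PASSWORD / DASHBOARD_PASSWORD values used by the other two services.
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.0
    hostname: wazuh.dashboard
    restart: always
    # The UI is reached on host port 443, not 5601 (quoted like the other mappings).
    ports:
      - "443:5601"
    environment:
      - INDEXER_USERNAME=<INDEXER_帳號>
      - INDEXER_PASSWORD=<INDEXER_密碼>
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=<DASHBOARD_帳號>
      - DASHBOARD_PASSWORD=<DASHBOARD_密碼>
      # Must equal the manager's API_USERNAME / API_PASSWORD
      - API_USERNAME=<API_帳號>
      - API_PASSWORD=<API_密碼>
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      - wazuh.indexer
    # `links` is legacy; service names already resolve on the Compose network.
    # Kept because it also orders startup after wazuh.manager.
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager

volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  # Replaced by the bind mount on the indexer service, so the named volume is unused
  # wazuh-indexer-data:
  wazuh-dashboard-config:
  wazuh-dashboard-custom: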

密碼規範及功能說明請參考這裡

確認好配置之後就可以直接運行

# Start the stack detached. Run this from the single-node directory so the
# relative ./config/... mounts in docker-compose.yml resolve.
docker compose -f docker-compose.yml up -d
  • 確認wazuh-indexer服務是否存活

訪問 https://<host ip>:9200/ 需要輸入帳號密碼

帳號密碼有寫在docker-compose.yml裡面配置

  - INDEXER_USERNAME=<你的帳號>
  - INDEXER_PASSWORD=<你的密碼>
  • 確認wazuh-dashboard服務是否存活

訪問 https://<host ip>:443/ 需要輸入帳號密碼

帳號密碼有寫在docker-compose.yml裡面配置

  - DASHBOARD_USERNAME=<你的帳號>
  - DASHBOARD_PASSWORD=<你的密碼>
  • 登入畫面
  • 檢查畫面
  • 後台主頁
  • 查看剛才寫進來的log

監控節點

將需要被監控的主機加入群組

按照步驟操作,依序填入:

  • wazuh-manager所在主機ip或域名(伺服器端)
  • 主機名稱代號(目標客戶端)

並在該主機上執行頁面生成好的安裝指令

# Install command as generated by the dashboard enrollment page. WAZUH_MANAGER is the
# manager's IP or DNS name, WAZUH_AGENT_NAME the label the agent registers under.
# The .deb is fetched over HTTPS but nothing here checks its signature or checksum;
# use the Wazuh apt repository (signed with the Wazuh GPG key) when that matters.
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='<主機ip或域名>' WAZUH_AGENT_NAME='<主機代號>' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb

啟用及運行

# Pick up the unit file installed by the .deb, enable the agent at boot, start it now
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

查看進程

# Confirm the unit is active; "active (running)" is the expected state
sudo systemctl status wazuh-agent

確認日誌

# Agent journal; enrollment and connection errors toward the manager show up here
journalctl -u wazuh-agent.service

一開始會看到這樣

連接之後轉綠燈

加入兩台之後

資料清理

最後記得建立ILM生命週期政策…被ES坑過之後知道放任不管會讓磁碟爆炸

建立好之後記得去indices區套用即可

如果查看沒有indices是因爲用kibanaserver這個預設帳號登入,這個帳號是用於組件內部通訊用,因此沒有相關權限,登入admin帳號,或為新帳號賦予相關權限即可。

排錯步驟

  • 全部跑不起來

注意不能只是單一個docker-compose.yml腳本

需要整包從github上面clone下來才會包含conf文件跟證書生成腳本喔

  • 後台(dashboard)跑不起來

因為indexer還沒起來,稍等一下或檢查indexer的log

  • 確認服務運行的端口

排查之後發現9200的indexer有起來,卻無法訪問後台dashboard

上網查才發現端口並非映射在5601,而是直接通過443訪問

  • indexer報錯(有改到indexer的host導致)

[2024-07-02T07:48:07,707][WARN ][o.o.h.AbstractHttpServerTransport] [wazuh.indexer] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/172.20.0.2:9200, remoteAddress=/192.168.10.200:54608}
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

  • indexer報錯(有改到indexer的host導致)

[2024-07-02T08:17:37,229][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [wazuh.indexer] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

  • dashboard報錯(有改到dashboard的server.host導致,應為0.0.0.0)

Error: listen EADDRNOTAVAIL: address not available.

  • 看不到indices(不能用kibanaserver帳號,要用admin帳號,或為指定的新帳號賦予權限)

[security_exception] no permissions for [indices:monitor/settings/get] and User [name=kibanaserver, backend_roles=[], requestedTenant=null]

  • 移除agent
# Stop the service before removing the package
sudo systemctl stop wazuh-agent

# Locate the installed package
dpkg -l | grep 'wazuh'

# Purge the package together with its configuration files. The agent's registration
# on the manager is not touched by this; remove it on the manager side as well so it
# does not linger as a disconnected agent.
sudo dpkg -P wazuh-agent
