
How to Install and Set Up Wazuh Server on CentOS 8 and Fedora 32

Securing your infrastructure is paramount in today’s digital landscape, and implementing a robust security monitoring solution is a critical step. Wazuh stands out as a powerful, open-source platform offering extensive capabilities for threat detection, security monitoring, incident response, and compliance. This guide provides a detailed walkthrough for installing and setting up the Wazuh Server component on popular Linux distributions like CentOS 8 and Fedora 32, enabling you to centralize security data from your endpoints.

Before beginning the installation, ensure your system meets the minimum requirements for the Wazuh Server, including adequate CPU, RAM, and disk space, particularly considering integration with the Elastic Stack or Open Distro for Elasticsearch for data visualization and analysis.

The installation process typically involves adding the Wazuh repository to your system's package manager, which lets you download and install the Wazuh Manager package and its dependencies with standard commands. You will need to import the repository's PGP key so that the package manager can verify the integrity of the downloaded packages. The commands for adding the repository and importing the key depend on your distribution's package manager; they often involve tools like yum-config-manager, or creating .repo files in the /etc/yum.repos.d/ directory and running rpm --import.
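
Importing the key only helps if the repository definition actually enforces signature checking. The following is an added example, not taken from the original guide or from the Wazuh project: a small audit that flags enabled sections in a .repo file that lack gpgcheck or gpgkey. The function names, repo ids and URLs in it are constructed placeholders.

```bash
# Added example: flag enabled yum/dnf repositories that skip PGP verification.
# A missing gpgcheck is reported too, because the section then relies on the
# [main] default in yum.conf/dnf.conf.

# audit_repo_file FILE -> prints "FILE:[section]: problem"; returns 1 on findings
audit_repo_file() {
    awk -v file="$1" '
        function report() {
            if (section == "" || tolower(enabled) ~ /^(0|no|false|off)$/) return
            if (tolower(gpgcheck) !~ /^(1|yes|true|on)$/) {
                printf "%s:[%s]: gpgcheck not enabled\n", file, section; bad = 1
            }
            if (gpgkey == "") {
                printf "%s:[%s]: no gpgkey configured\n", file, section; bad = 1
            }
        }
        /^[ \t]*([#;]|$)/ { next }                      # comments, blank lines
        /^[ \t]*\[[^]]*\][ \t]*$/ {                     # new [section]
            report()
            section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            enabled = "1"; gpgcheck = ""; gpgkey = ""
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: placeholder URLs and repo ids, not real repository definitions.
write_sample_repo() {
    cat > "$1" <<'EOF'
[example-signed]
baseurl=https://repo.example.invalid/yum/
gpgcheck=1
gpgkey=https://repo.example.invalid/key/GPG-KEY-EXAMPLE

[example-unsigned]
baseurl=https://repo.example.invalid/other/
gpgcheck=0
EOF
}

# Demo: audit the constructed sample (on a real host, loop over /etc/yum.repos.d/*.repo).
tmp=$(mktemp) && write_sample_repo "$tmp" && { audit_repo_file "$tmp" || true; }; rm -f "$tmp"
```

A non-zero return from audit_repo_file means at least one enabled repository would install packages without a signature check.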

Once the repository is configured, you can proceed to install the main Wazuh Manager package. This is usually done with a simple yum install wazuh-manager command. The system will automatically resolve and install any required dependencies.

For full functionality, particularly data visualization, Wazuh integrates seamlessly with the Elastic Stack (Elasticsearch, Kibana) or the Open Distro for Elasticsearch. Installing these components is a crucial next step. This involves adding the repositories for Elasticsearch and Kibana, installing the respective packages (elasticsearch, kibana), and also installing Filebeat. Filebeat acts as a lightweight shipper that forwards logs and alerts generated by Wazuh to Elasticsearch.

After installing the Elastic Stack components, specific configuration is required. You need to configure Filebeat to work with Wazuh. This involves locating the Filebeat configuration file (commonly located at /etc/filebeat/filebeat.yml), modifying settings to point to your Elasticsearch instance, and enabling the Wazuh module. The Wazuh Filebeat module is essential as it comes with pre-configured pipelines to parse Wazuh alerts and includes the necessary index templates and Kibana dashboards to visualize the data effectively. After enabling the module, you typically run a command like filebeat setup to load the index templates and dashboards into Elasticsearch and Kibana.

With the components installed and configured, the final steps involve starting and enabling the services. You should start Elasticsearch, then Kibana, followed by the Wazuh Manager, and finally Filebeat. Using systemctl commands like systemctl enable servicename and systemctl start servicename is the standard method on CentOS 8 and Fedora 32 to ensure that services start automatically on boot and are running now. Verify the status of each service using systemctl status servicename.

Accessing the Kibana web interface is the final verification step. Once Kibana is running and configured correctly with the Wazuh dashboards loaded, you should be able to log in and see the Wazuh plugin providing visibility into security events and agent status.

This completes the core installation and setup of the Wazuh Server on your chosen CentOS 8 or Fedora 32 system, providing a solid foundation for your security monitoring efforts. You can now proceed to deploy and enroll Wazuh agents on the endpoints you wish to monitor.

Source: https://kifarunix.com/install-and-setup-wazuh-server-in-centos-8-fedora-32/
