Installer for Linux

This document explains how to install Wazuh and Logstash on Linux with the Apolo Installer. If you prefer to install by command line instead, read section 3, Installation by command line.

  • Download the main program, called installer. It is recommended to place it in a known, easily accessible folder.
  • Before proceeding with the installation, execute the following command to install the required dependencies:

> ./prerequisits.sh

If you get a "permission denied" error, the script lacks the execute bit. Grant it to the file owner only (the chmod 777 that is often suggested also makes the file writable by every local user, who could then alter a script you go on to run):

> chmod u+x prerequisits.sh

And run the prerequisites script again.

In case you are asked for permission to update the kernel, choose to cancel or press the Esc key.

Wazuh and Logstash installation

  • Open a new terminal and execute the installer file:

> ./installer

If you get a "permission denied" error, grant the execute bit to the file owner (not 777, which would also make the installer writable by every local user):

> chmod u+x installer

And run the installer again.

  • You will be asked a few questions for identification purposes before the installation proceeds. First, enter the company username and password for Wazuh.
  • Once you have entered the correct username and password, you will be asked which programs you want to install. Type «Y» to install Wazuh and «N» otherwise. Next, you will be asked the same question for Logstash.

* Note: If incorrect credentials are submitted, you will need to run the installer again.

  • If you have chosen to install Wazuh, you will have to choose the agent group. Type «1» for PC or «2» for Server.
  • If you have chosen Wazuh, you will also have to choose the name to give the agent. Type the agent name without spaces.
  • If a finish message appears, the installation has completed successfully. Otherwise, start the installation again from step 1. If you want to do the manual installation by command line, continue reading section 3.

Installation by command line

a. Wazuh

  • First of all, install curl, which is used to download the Wazuh agent package:
> sudo apt install curl

Next, install the Wazuh agent, which registers with and reports to your Wazuh manager. In the fields shown between <> you must enter the manager's URL, the registration password, PC or SERVER (in uppercase) and the agent name. Note that a registration password typed literally on the command line ends up in your shell history; clear it afterwards or supply the value from an environment variable.

  • If the agent architecture is i386, type the following command (see the note below to check which architecture you have):
> curl -so wazuh-agent-4.3.9.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.9-1_i386.deb && sudo WAZUH_MANAGER='<url_wazuh_manager>' WAZUH_REGISTRATION_PASSWORD='<psswd_registre>' WAZUH_AGENT_GROUP='<PC_SERVER>' WAZUH_AGENT_NAME='<AGENT>' dpkg -i ./wazuh-agent-4.3.9.deb
  • For x86_64:
> curl -so wazuh-agent-4.3.9.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.9-1_amd64.deb && sudo WAZUH_MANAGER='<url_wazuh_manager>' WAZUH_REGISTRATION_PASSWORD='<psswd_registre>' WAZUH_AGENT_GROUP='<PC_SERVER>' WAZUH_AGENT_NAME='<AGENT>' dpkg -i ./wazuh-agent-4.3.9.deb
  • For armhf:
> curl -so wazuh-agent-4.3.9.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.9-1_armhf.deb && sudo WAZUH_MANAGER='<url_wazuh_manager>' WAZUH_REGISTRATION_PASSWORD='<psswd_registre>' WAZUH_AGENT_GROUP='<PC_SERVER>' WAZUH_AGENT_NAME='<AGENT>' dpkg -i ./wazuh-agent-4.3.9.deb
  • For aarch64:
> curl -so wazuh-agent-4.3.9.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.9-1_arm64.deb && sudo WAZUH_MANAGER='<url_wazuh_manager>' WAZUH_REGISTRATION_PASSWORD='<psswd_registre>' WAZUH_AGENT_GROUP='<PC_SERVER>' WAZUH_AGENT_NAME='<AGENT>' dpkg -i ./wazuh-agent-4.3.9.deb

* Note: To check the agent architecture, execute:

> uname -m
  • Next, enable and start the agent by entering the following commands one by one:
> sudo systemctl daemon-reload
> sudo systemctl enable wazuh-agent
> sudo systemctl start wazuh-agent
  • Optionally, so that the manager can push updates (and other commands) to this agent, change one field of the Wazuh configuration file /var/ossec/etc/internal_options.conf with the following command:
> sudo sed -i 's/wazuh_command.remote_commands=0/wazuh_command.remote_commands=1/g' /var/ossec/etc/internal_options.conf

* Note: With remote_commands=1 the manager can run arbitrary commands on this host through its centralized configuration. Only enable it if the manager and the people who administer it are trusted.

If the installation completed correctly, the agent state file should report a connected status. Check it with:

> grep ^status /var/ossec/var/run/wazuh-agentd.state

You should see a line like the following:

status='connected'

*Note: On older agent versions the daemon and its state file are named ossec-agentd. Try this if the previous command did not find the file:

> grep ^status /var/ossec/var/run/ossec-agentd.state
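The manual agent installation above, gathered into one script as an added example; it is not code from the Apolo installer or from the Wazuh project. It assumes an apt/dpkg-based distribution and the four package names listed on the page, reads the manager address, registration password, group and agent name from environment variables rather than from literals typed on the command line, maps the `uname -m` value to the right package, and reads the agent state file afterwards. Enabling remote commands is kept as a separate, optional function because of what it grants the manager.

```sh
#!/bin/sh
# Added example for this page; it is not part of the Apolo installer or of Wazuh.
# Assumptions: apt/dpkg-based system, the package names listed on the page, and
# that the caller exports WAZUH_MANAGER, WAZUH_REGISTRATION_PASSWORD,
# WAZUH_AGENT_GROUP (PC or SERVER) and WAZUH_AGENT_NAME before running it.

WAZUH_VERSION="4.3.9"
WAZUH_POOL="https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent"

# Map `uname -m` output to the Debian architecture suffix of the package name.
# Prints nothing and returns 1 for an architecture the page does not cover.
wazuh_deb_arch() {
    case "$1" in
        i386|i486|i586|i686) echo "i386" ;;
        x86_64)              echo "amd64" ;;
        armv7l|armhf)        echo "armhf" ;;
        aarch64|arm64)       echo "arm64" ;;
        *)                   return 1 ;;
    esac
}

# Download URL of the agent package for a given `uname -m` value.
wazuh_deb_url() {
    arch="$(wazuh_deb_arch "$1")" || return 1
    echo "${WAZUH_POOL}/wazuh-agent_${WAZUH_VERSION}-1_${arch}.deb"
}

# The page allows exactly two agent groups, written in uppercase.
wazuh_valid_group() {
    case "$1" in PC|SERVER) return 0 ;; *) return 1 ;; esac
}

# Print the value of the status='...' line of an agent state file
# (connected, pending, disconnected); prints "unknown" if the file is unreadable.
wazuh_agent_status() {
    [ -r "$1" ] || { echo "unknown"; return 1; }
    sed -n "s/^status='\([^']*\)'.*/\1/p" "$1"
}

# Optional: let the manager push commands (including updates) to this agent.
# A compromised or hostile manager can then run anything on this host, so it
# is a separate step rather than part of the default install.
wazuh_enable_remote_commands() {
    sudo sed -i 's/wazuh_command.remote_commands=0/wazuh_command.remote_commands=1/g' \
        /var/ossec/etc/internal_options.conf
}

install_wazuh_agent() {
    : "${WAZUH_MANAGER:?set WAZUH_MANAGER to the manager host or URL}"
    : "${WAZUH_REGISTRATION_PASSWORD:?set WAZUH_REGISTRATION_PASSWORD}"
    : "${WAZUH_AGENT_NAME:?set WAZUH_AGENT_NAME}"
    wazuh_valid_group "${WAZUH_AGENT_GROUP:-}" || { echo "WAZUH_AGENT_GROUP must be PC or SERVER" >&2; return 1; }
    case "$WAZUH_AGENT_NAME" in *[[:space:]]*) echo "agent name must not contain spaces" >&2; return 1 ;; esac
    machine="$(uname -m)"
    url="$(wazuh_deb_url "$machine")" || { echo "no package for architecture $machine" >&2; return 1; }
    deb="wazuh-agent-${WAZUH_VERSION}.deb"
    curl -fsSLo "$deb" "$url" || return 1
    # Values come from the environment, so the registration password is not a
    # literal in shell history (it is still visible to `ps` while dpkg runs).
    sudo WAZUH_MANAGER="$WAZUH_MANAGER" WAZUH_REGISTRATION_PASSWORD="$WAZUH_REGISTRATION_PASSWORD" \
         WAZUH_AGENT_GROUP="$WAZUH_AGENT_GROUP" WAZUH_AGENT_NAME="$WAZUH_AGENT_NAME" \
         dpkg -i "./$deb" || return 1
    sudo systemctl daemon-reload
    sudo systemctl enable --now wazuh-agent
    sleep 5   # give agentd a moment to write its state file
    for f in /var/ossec/var/run/wazuh-agentd.state /var/ossec/var/run/ossec-agentd.state; do
        if [ -r "$f" ]; then echo "agent status: $(wazuh_agent_status "$f")"; return 0; fi
    done
    echo "no agent state file found; check 'systemctl status wazuh-agent'" >&2
    return 1
}

if [ "${1:-}" = "--install" ]; then install_wazuh_agent; fi
```

Export the four variables in your shell first (for instance by sourcing a file readable only by you) and then run `sh install-wazuh-agent.sh --install`; the script refuses a group other than PC or SERVER, an agent name with spaces, and an architecture with no package on the page.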

b. Logstash

First of all, check the architecture of your PC or server. You can do this by opening a terminal and entering the command:

> uname -m
  • For x86_64 architecture, type:
> curl https://artifacts.elastic.co/downloads/logstash/logstash-8.6.0-linux-x86_64.tar.gz --output logstash.tar.gz
  • For aarch64:
> curl https://artifacts.elastic.co/downloads/logstash/logstash-8.6.0-linux-aarch64.tar.gz --output logstash.tar.gz

*Note: If you don't have curl installed, you should be able to install it with the command:

> apt install curl

Or the equivalent for your distribution (yum install curl, pacman -S curl…).

Extract the downloaded tarball with the following command:

> tar -xvf logstash.tar.gz

Once you have extracted the file, edit the Logstash configuration to adapt it to the Apolo application.

To do this, navigate into the extracted logstash folder. Inside this folder, go to the config folder and create a file called logstash.conf. Copy this code into the file:

input {
    udp {  
        port => 5144
    }
}
filter {
}
output { 
    stdout{
        codec => "line"
    }
    tcp {
        codec => "line"
        port => 514 
        host => "$apolo-wazuh-url-client"
    }
}

Replace $apolo-wazuh-url-client with the hostname or IP address of your Wazuh manager. Note what this pipeline does: it accepts anything sent to UDP port 5144 without authentication and forwards it as cleartext syslog to TCP port 514 on the manager, so the manager must be configured to accept remote syslog on TCP 514 (a <remote> block with connection syslog), and both ports should be restricted by firewall to the hosts that are expected to use them.
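The tarball procedure above (download, extract, configure) carried through end to end, as an added example that is not code from the Apolo project or from Elastic. It picks the tarball for `uname -m`, verifies it against the published SHA-512 checksum before extracting anything, writes the Apolo pipeline with the manager host filled in, and syntax-checks it. Assumptions: the checksum sidecar is at "<tarball URL>.sha512" in sha512sum format (the layout Elastic uses for its downloads, but assumed here rather than taken from the page), the archive extracts to logstash-8.6.0/, and the manager host is passed as the script argument.

```sh
#!/bin/sh
# Added example for this page; it is not code from the Apolo project or Elastic.
# Assumptions: "<tarball URL>.sha512" holds "<sha512 hex>  <name>"; the tarball
# extracts to logstash-8.6.0/; the manager host is given as $2 after --install.

LOGSTASH_VERSION="8.6.0"
LOGSTASH_BASE="https://artifacts.elastic.co/downloads/logstash"

# Only the two architectures with a tarball on the page are accepted; anything
# else should use the apt/yum repository described further down the page.
logstash_tar_arch() {
    case "$1" in
        x86_64)        echo "x86_64" ;;
        aarch64|arm64) echo "aarch64" ;;
        *)             return 1 ;;
    esac
}

logstash_tar_name() {
    arch="$(logstash_tar_arch "$1")" || return 1
    echo "logstash-${LOGSTASH_VERSION}-linux-${arch}.tar.gz"
}

# Compare a file against a checksum file of the form "<sha512 hex>  <name>".
# Returns 1 on any mismatch, and on an empty checksum file.
verify_sha512() {
    expected="$(cut -d' ' -f1 "$2")"
    actual="$(sha512sum "$1" | cut -d' ' -f1)"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Write the pipeline from the page with the manager host substituted.
# Refuses an empty host or the untouched placeholder, which would otherwise
# make Logstash try to reach a host literally named "$apolo-wazuh-url-client".
render_logstash_conf() {
    host="$1"; out="$2"
    case "$host" in
        ""|'$apolo-wazuh-url-client') echo "render_logstash_conf: give the Wazuh manager host" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
input {
    udp {
        port => 5144
    }
}
filter {
}
output {
    stdout {
        codec => "line"
    }
    tcp {
        codec => "line"
        port => 514
        host => "${host}"
    }
}
EOF
}

install_logstash() {
    manager="$1"
    tar="$(logstash_tar_name "$(uname -m)")" || { echo "no tarball for $(uname -m); use the package repository" >&2; return 1; }
    curl -fsSLo "$tar" "${LOGSTASH_BASE}/${tar}" || return 1
    curl -fsSLo "${tar}.sha512" "${LOGSTASH_BASE}/${tar}.sha512" || return 1
    # Refuse to extract anything whose checksum does not match the published one.
    verify_sha512 "$tar" "${tar}.sha512" || { echo "checksum mismatch for $tar; not extracting" >&2; return 1; }
    tar -xzf "$tar"
    dir="logstash-${LOGSTASH_VERSION}"
    render_logstash_conf "$manager" "${dir}/config/logstash.conf" || return 1
    # --config.test_and_exit parses the pipeline and exits without starting it.
    "${dir}/bin/logstash" -f "${dir}/config/logstash.conf" --config.test_and_exit
}

if [ "${1:-}" = "--install" ]; then install_logstash "${2:-}"; fi
```

Run it as `sh install-logstash.sh --install wazuh.example.internal` (hostname assumed). The checksum step is the part worth keeping even if you type the rest by hand: a plain `curl` of a tarball that is then extracted and executed gives no assurance that what arrived is what Elastic published.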

Installing Logstash on an architecture other than x86_64 and aarch64

If your package manager is apt, run the following commands one by one:

> wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
> sudo apt-get install apt-transport-https
> echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
> sudo apt-get update && sudo apt-get install logstash

* Note: apt-key is deprecated on current Debian and Ubuntu releases, and a key added with it is trusted for every repository on the system, not only Elastic's. On those releases store the key in its own keyring and reference it from the sources entry with signed-by= instead. Also, tee -a appends, so running the echo line a second time leaves a duplicate entry in the list file.
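The same repository set up without apt-key, as an added example that is not code from the Apolo project or from Elastic: the signing key goes into its own keyring and the sources entry is bound to it with signed-by=, so the key can only vouch for packages from the Elastic repository. The keyring and list file paths are conventional choices assumed here, not given on the page; add_elastic_apt_repo must run as root and needs network access, the other functions do not.

```sh
#!/bin/sh
# Added example for this page; it is not code from the Apolo project or Elastic.
# Assumptions: keyring and list paths below are conventional, not mandated by
# Elastic; add_elastic_apt_repo runs as root.

ELASTIC_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
ELASTIC_APT_URL="https://artifacts.elastic.co/packages/8.x/apt"
ELASTIC_KEYRING="/usr/share/keyrings/elastic-keyring.gpg"
ELASTIC_LIST="/etc/apt/sources.list.d/elastic-8.x.list"

# The sources.list entry, bound to one keyring instead of the global trust store.
elastic_apt_source_line() {
    echo "deb [signed-by=$1] ${ELASTIC_APT_URL} stable main"
}

# Overwrite the list file rather than "tee -a" to it: appending on every run
# leaves duplicate entries that apt warns about.
write_elastic_apt_source() {
    elastic_apt_source_line "$1" > "$2"
}

# Fetch the ASCII-armored key and store it in the binary form apt reads.
import_elastic_key() {
    curl -fsSL "$ELASTIC_KEY_URL" | gpg --dearmor > "$1" || return 1
    chmod 0644 "$1"
}

add_elastic_apt_repo() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    apt-get install -y apt-transport-https gnupg
    mkdir -p "$(dirname "$ELASTIC_KEYRING")"
    import_elastic_key "$ELASTIC_KEYRING" || return 1
    write_elastic_apt_source "$ELASTIC_KEYRING" "$ELASTIC_LIST"
    apt-get update && apt-get install -y logstash
}

if [ "${1:-}" = "--install" ]; then add_elastic_apt_repo; fi
```

Run as `sudo sh add-elastic-repo.sh --install`. After the install, `apt-key list` should not show the Elastic key, which confirms it lives only in the dedicated keyring named in the sources entry.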

For yum, execute the following command:

> sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Create a file with a .repo extension in the directory /etc/yum.repos.d/, for example logstash.repo, with the following content:

[logstash-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Lastly, install Logstash from the repository:

> sudo yum install logstash

Then write the configuration file as explained in the Logstash section above. With a package install the pipeline file belongs in /etc/logstash/conf.d/ rather than in the tarball's config folder.

Updated on February 15, 2023