ELK+Wazuh搭建笔记

 

本文借鉴https://www.cnblogs.com/backlion/p/10394369.html，在此谢谢大佬指明方向！！

本人又总结了wazuh界面上opencat，Vulnerabilities的后台配置情况，以及agent版本升级情况，

系统为：Centos7

建议搭建分布式，本文是单主机架构

系统处于联网状态下

Manager-ip: 10.0.0.50

Agent-ip：    10.0.0.51

Agent2-ip：    10.0.0.52（Windows）

注：elk搭建时。版本问题必须匹配！！！

        wazuh-manager wazuh-api版本必须相同

登录Manager-ip

1.安装Wazuh-Manager

cat > /etc/yum.repos.d/wazuh.repo <<\EOF

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

2. yum -y install wazuh-manager

执行安装结束后，可以查看到wazuh-manager的状态（正常情况已经running）

3. systemctl  status  wazuh-manager

4. 安装 Wazuh api

 要运行Wazuh API，需要NodeJS> = 4.6.1,如果您没有安装NodeJS或者您的版本低于4.6.1

curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -

最后提示

## Run `sudo yum install -y nodejs` to install Node.js 8.x LTS Carbon and npm.
## You may also need development tools to build native addons:
     sudo yum install gcc-c++ make
## To install the Yarn package manager, run:
     curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
     sudo yum install yarn

建议先安装上面所提的软件：（若已安装可略过）

yum install gcc-c++ make

curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo

yum install yarn

yum install nodejs.x86_64

4.1.验证安装情况

node -v

v8.15.1

4.2  

yum install wazuh-api  -y

查看api状态

systemctl  status  wazuh-api

防止自动升级

sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

5.安装ELK

安装es

Logstash和Elasticsearch需要Oracle Java JRE 8

cd /opt

curl -Lo jre-8-linux-x64.rpm --header "Cookie: oraclelicense=accept-securebackup-cookie" "https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm"

rpm -qlp jre-8-linux-x64.rpm > /dev/null 2>&1 && echo "Java package downloaded successfully" || echo "Java package did not download successfully"

Java package downloaded successfully （提示成功）

yum -y install jre-8-linux-x64.rpm

java -version

java version "1.8.0_202"
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

显示安装成功

然后：

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

然后安装elasticsearch

如果没有epel库，自己装，否则yum会提示没有elas*的包

wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

rpm -ivh epel-release-latest-7.noarch.rpm