How To Install Wazuh on Linux Mint 22
Linux Mint 22 users seeking robust security monitoring capabilities will find Wazuh to be an exceptional open-source SIEM (Security Information and Event Management) solution. This comprehensive guide walks through the entire installation process, addressing the unique challenges of deploying Wazuh on Linux Mint 22 systems.
Wazuh provides unified XDR and SIEM protection, offering real-time threat detection, incident response, and compliance monitoring capabilities that rival enterprise-grade security solutions. Unlike commercial alternatives, this powerful platform delivers advanced security monitoring without licensing costs, making it ideal for organizations of all sizes.
The installation process on Linux Mint 22 requires special consideration due to compatibility differences with Ubuntu-based systems. This article covers both quickstart and manual installation methods, ensuring successful deployment regardless of system configuration or technical expertise level.
Understanding Wazuh Architecture
Core Components Overview
Wazuh’s architecture consists of three essential components working in harmony to deliver comprehensive security monitoring. The Wazuh Manager serves as the central analysis engine, collecting and processing security events from deployed agents across your network infrastructure.
The Wazuh Indexer functions similarly to Elasticsearch in the ELK stack, providing scalable data storage and search capabilities for security events, alerts, and historical data. This component handles the massive volumes of security telemetry generated by modern IT environments.
The Wazuh Dashboard offers an intuitive web-based interface comparable to Kibana, enabling security analysts to visualize threats, investigate incidents, and generate compliance reports. Together, these components create a unified security operations platform.
Deployment Architecture Options
Single-node deployments consolidate all three components on one server, simplifying management for smaller environments monitoring up to 100 endpoints. This configuration requires minimal infrastructure while providing full SIEM functionality.
Multi-node deployments distribute components across multiple servers, enabling horizontal scaling for large enterprise environments. This approach improves performance, redundancy, and allows dedicated resources for each component’s specific requirements.
System Requirements and Prerequisites
Hardware Requirements
Minimum specifications for Linux Mint 22 installations include 4 vCPU cores, 8GB RAM, and 50GB available storage space. These requirements support basic monitoring scenarios with moderate alert volumes.
Recommended specifications scale based on monitoring scope and data retention requirements. Environments monitoring 50-100 endpoints benefit from 8 vCPU cores, 16GB RAM, and 100GB+ storage. High-volume environments require additional resources proportional to expected event rates.
Storage calculations depend heavily on alerts per second and retention periods. Each agent typically generates 1-10MB of data daily, though this varies significantly based on monitoring configuration and endpoint activity levels.
Software Prerequisites
Linux Mint 22 compatibility requires specific package dependencies for successful installation. The system must include gnupg for GPG key verification, apt-transport-https for secure repository access, wget for file downloads, and sudo for administrative privileges.
64-bit Intel, AMD, or ARM processors provide the necessary architecture support for Wazuh components. Legacy 32-bit systems lack compatibility and cannot run modern Wazuh versions.
Clean system installations minimize potential conflicts with existing software packages. Minimal Linux Mint 22 installations provide optimal foundations for Wazuh deployments, reducing complexity and improving performance.
Pre-Installation Preparation
System Updates and Configuration
Begin by updating all Linux Mint 22 packages to ensure compatibility and security patches are current:
sudo apt update && sudo apt upgrade -y
Configure a static IP address to prevent connectivity issues with agents after installation. Dynamic IP addresses require agent reconfiguration whenever the Wazuh server’s address changes, creating unnecessary administrative overhead.
Firewall Configuration
Wazuh requires specific network ports for proper communication between components and agents. Configure firewall rules to allow traffic on ports 1514 (agent communication), 1515 (agent enrollment), 443 (dashboard access), and 9200 (indexer API).
For UFW (Uncomplicated Firewall) users:
sudo ufw allow 1514
sudo ufw allow 1515
sudo ufw allow 443
sudo ufw allow 9200
Directory Structure Preparation
Create a dedicated directory structure for Wazuh installation files and configurations:
mkdir ~/wazuh-installation
cd ~/wazuh-installation
This organized approach simplifies file management and troubleshooting throughout the installation process.
Installation Method 1: Quickstart Installation
When to Use Quickstart Method
The quickstart installation method provides automated deployment suitable for environments monitoring up to 100 endpoints. This approach minimizes configuration complexity and reduces installation time significantly.
Testing environments, proof-of-concept deployments, and small office installations benefit most from quickstart installations. The automated process handles component configuration, certificate generation, and service initialization automatically.
Quickstart Installation Steps
Download the official installation assistant script from Wazuh repositories:
wget https://packages.wazuh.com/resources/4.9/open-distro/wazuh-install.sh
chmod +x wazuh-install.sh
Execute the unattended installation command with appropriate parameters:
sudo ./wazuh-install.sh -a
The installation process typically requires 10-15 minutes depending on system performance and network connectivity. Monitor progress through console output, watching for any error messages or warnings that might indicate issues.
Upon completion, extract the generated administrator credentials:
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
Access the Wazuh dashboard through a web browser using your server’s IP address or hostname. The default URL follows the format https://your-server-ip or https://your-hostname.
Verify all components are running properly by checking service status:
sudo systemctl status wazuh-manager
sudo systemctl status wazuh-indexer
sudo systemctl status wazuh-dashboard
Installation Method 2: Step-by-Step Manual Installation
Why Choose Manual Installation
Manual installation provides superior control over configuration settings and component placement, making it essential for Linux Mint 22 compatibility. Ubuntu-specific scripts often fail on Debian-based distributions, requiring manual intervention.
This method enables customization of security settings, network configurations, and performance optimizations specific to your environment. Advanced users prefer manual installation for production deployments requiring specific compliance or security standards.
Step 1: Installing Wazuh Indexer
Install required packages for repository management:
sudo apt-get install gnupg apt-transport-https wget curl
Import the official Wazuh GPG key for package verification:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
Add the Wazuh repository to system sources:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
Update package cache and install the Wazuh indexer:
sudo apt-get update
sudo apt-get -y install wazuh-indexer
Download and configure certificates for secure communication:
curl -sO https://packages.wazuh.com/resources/4.9/open-distro/wazuh-install.sh
sudo bash ./wazuh-install.sh --generate-config-files
Edit the indexer configuration file with your server’s IP address:
sudo nano /etc/wazuh-indexer/opensearch.yml
Start and enable the indexer service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer
Verify indexer installation and connectivity:
sudo systemctl status wazuh-indexer
curl -k -u admin:admin https://localhost:9200
Step 2: Installing Wazuh Server
Install the Wazuh Manager package:
sudo apt install wazuh-manager
Configure manager settings by editing the configuration file:
sudo nano /var/ossec/etc/ossec.conf
Install Filebeat version 7.10.2 specifically for Linux Mint 22 compatibility:
sudo apt install filebeat=7.10.2
This specific version requirement prevents compatibility issues common with newer Filebeat releases on non-Ubuntu systems.
Configure Filebeat to forward alerts to the Wazuh indexer:
sudo curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.9/open-distro/filebeat/filebeat.yml
Edit the Filebeat configuration with your indexer’s IP address:
sudo nano /etc/filebeat/filebeat.yml
Install Filebeat templates and start services:
sudo filebeat keystore create
echo admin | sudo filebeat keystore add username --stdin --force
echo admin | sudo filebeat keystore add password --stdin --force
sudo filebeat setup --index-management -E setup.template.json.enabled=false
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
sudo systemctl enable filebeat
sudo systemctl start filebeat
Step 3: Installing Wazuh Dashboard
Install dashboard package and dependencies:
sudo apt install wazuh-dashboard
Configure dashboard certificates and connection settings:
sudo curl -so /etc/wazuh-dashboard/opensearch_dashboards.yml https://packages.wazuh.com/resources/4.9/open-distro/wazuh-dashboard/opensearch_dashboards.yml
Edit dashboard configuration with appropriate server information:
sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml
Start dashboard service and enable automatic startup:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard
Verify dashboard accessibility by checking service status:
sudo systemctl status wazuh-dashboard
Linux Mint 22 Specific Configurations
Resolving Compatibility Issues
Linux Mint 22’s Debian-based architecture requires specific modifications to standard Ubuntu installation procedures. Package dependency conflicts often arise due to different library versions and system configurations.
Repository configurations must account for Linux Mint’s package management differences. Some Ubuntu-specific dependencies may require manual resolution or alternative package installations.
Filebeat Version Management
Wazuh compatibility strictly requires Filebeat version 7.10.2, but Linux Mint repositories may default to newer versions. Explicitly specify the version during installation:
sudo apt install filebeat=7.10.2
sudo apt-mark hold filebeat
The apt-mark hold command prevents accidental upgrades that could break Wazuh functionality.
Service Management Considerations
Linux Mint 22 uses systemd for service management, requiring proper service file configurations and dependency definitions. Verify service startup order to prevent initialization failures:
sudo systemctl list-dependencies wazuh-manager
sudo systemctl list-dependencies wazuh-indexer
sudo systemctl list-dependencies wazuh-dashboard
Post-Installation Configuration
Initial Dashboard Setup
Access the Wazuh dashboard through your web browser using the server’s IP address or configured hostname. The default URL structure follows https://server-ip:443 or simply https://server-ip.
First-time login requires administrator credentials generated during installation. Retrieve these credentials from the installation files:
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
Navigate through the initial dashboard setup, configuring basic security settings and creating additional user accounts as needed for your organization’s access control requirements.
Security Configuration
Implement robust security settings including strong password policies, multi-factor authentication where applicable, and role-based access controls. Configure user permissions based on the principle of least privilege.
Explore default dashboards and familiarize yourself with the interface layout, including the main navigation menu, alert summary panels, and reporting sections that provide insights into your security posture.
Agent Deployment Preparation
Configure agent server settings to enable communication with endpoints throughout your network. Verify network connectivity between the Wazuh server and target systems where agents will be deployed.
Set up agent registration processes, including shared key generation and distribution methods. Plan agent deployment strategies based on network segmentation and organizational structure.
Installing and Configuring Wazuh Agents
Linux Agent Installation
Deploy agents on target Linux systems by first adding the Wazuh repository:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
Install the agent package with manager IP configuration:
sudo WAZUH_MANAGER="your-wazuh-server-ip" apt-get install wazuh-agent
Configure agent settings and register with the manager:
sudo /var/ossec/bin/agent-auth -m your-wazuh-server-ip
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Agent Verification and Testing
Verify agent connectivity through the Wazuh dashboard interface. Navigate to the Agents section and confirm new agents appear in the inventory with “Active” status indicators.
Test alert generation by triggering sample security events on monitored endpoints:
sudo tail /var/log/auth.log
sudo systemctl restart wazuh-agent
Monitor agent logs for communication errors or configuration issues:
sudo tail -f /var/ossec/logs/ossec.log
Run initial security scans to verify proper monitoring functionality and alert generation capabilities. Check dashboard panels for incoming security events and system inventory information.
Troubleshooting Common Issues
Installation Script Failures
Installation script failures on Linux Mint 22 typically result from repository compatibility issues or missing dependencies. Common error messages include GPG key verification failures and package dependency conflicts.
Resolve GPG key errors by manually importing keys before running installation scripts:
sudo apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
Address package dependency conflicts by updating system packages and resolving conflicting installations before attempting Wazuh installation.
Service Startup Problems
Service startup failures often indicate configuration file errors or port conflicts with existing services. Analyze service logs for specific error messages:
sudo journalctl -u wazuh-manager -f
sudo journalctl -u wazuh-indexer -f
sudo journalctl -u wazuh-dashboard -f
Check for port conflicts by verifying which processes are listening on required ports:
sudo ss -tlnp | grep -E ':(1514|1515|9200|443)\b'
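The following script is an added example (not part of the Wazuh project) that turns the verification steps of this guide into one check: it reports Wazuh units that systemd does not show as active, required ports that nothing listens on, and an indexer bound on all interfaces, which matters if port 9200 was opened in the UFW step above. It assumes the service names and ports used in this guide; the text-processing helpers take `ss -tlnp` output as an argument so they work offline, and `--live` runs the real commands.

```shell
#!/bin/sh
# Post-install health check for a single-node Wazuh deployment.
# Added example, not part of the Wazuh project. Assumes the systemd unit
# names and the ports used in this guide: 1514/1515 (agents), 443 (dashboard),
# 9200 (indexer API).
WAZUH_SERVICES="wazuh-indexer wazuh-manager filebeat wazuh-dashboard"
WAZUH_PORTS="1514 1515 443 9200"

# missing_ports SS_OUTPUT: print the required TCP ports nothing is listening on
# (space separated). Exit status 1 if any port is missing.
missing_ports() {
    missing=""
    for port in $WAZUH_PORTS; do
        # Local Address:Port column looks like 0.0.0.0:1514, *:443 or [::]:9200
        printf '%s\n' "$1" | grep -Eq ":$port[[:space:]]" || missing="$missing $port"
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# indexer_bind_addrs SS_OUTPUT: print the local address(es) port 9200 is bound to.
indexer_bind_addrs() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { a = $4; sub(/.*:/, "", a); if (a == "9200") print $4 }'
}

# indexer_is_public SS_OUTPUT: exit 0 when the indexer listens on all interfaces.
# On a single-node install only local components talk to 9200, so a wildcard
# bind plus an open firewall port exposes the indexer API needlessly.
indexer_is_public() {
    indexer_bind_addrs "$1" | grep -Eq '^(0\.0\.0\.0|\[::\]|\*):9200$'
}

# inactive_services: print Wazuh units systemd does not report as "active"
# (needs systemctl, so only used by the live run).
inactive_services() {
    for svc in $WAZUH_SERVICES; do
        [ "$(systemctl is-active "$svc" 2>/dev/null)" = "active" ] || printf '%s ' "$svc"
    done
}

# Live run: sudo sh wazuh-health.sh --live  (needs iproute2 and systemd)
if [ "${1:-}" = "--live" ]; then
    ss_out=$(ss -tlnp)
    down=$(inactive_services)
    if [ -z "$down" ]; then echo "services: all active"; else echo "services NOT active: $down"; fi
    if m=$(missing_ports "$ss_out"); then echo "ports: all listening"; else echo "ports NOT listening: $m"; fi
    if indexer_is_public "$ss_out"; then
        echo "warning: indexer port 9200 is bound on all interfaces; restrict it with ufw"
        echo "         (allow 9200/tcp only from hosts that must query the indexer)"
    fi
fi
```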
Dashboard Access Issues
Dashboard access problems typically involve authentication failures or network connectivity issues. Verify service status and network accessibility before investigating authentication problems.
Regenerate passwords if login attempts fail consistently:
sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -a
Clear browser cache and cookies for the Wazuh dashboard URL to resolve persistent login problems.
Agent Connectivity Problems
Agent connectivity issues manifest as agents showing “Disconnected” status in the dashboard. Verify network connectivity between agents and the Wazuh server using telnet or netcat:
telnet wazuh-server-ip 1514
nc -zv wazuh-server-ip 1514
Check agent configuration files for correct manager IP addresses and authentication keys:
sudo grep -A 5 '<server>' /var/ossec/etc/ossec.conf
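As an added example (not Wazuh's own tooling) covering both the agent registration steps above and this connectivity check, the script below reads the manager address and port from the agent's ossec.conf instead of eyeballing grep output, then tests a TCP connection to the manager. It assumes the config path /var/ossec/etc/ossec.conf used in this guide and that nc (netcat) is installed; the parsing helpers take the config text as an argument so they work offline.

```shell
#!/bin/sh
# Agent-side check of the manager address configured in ossec.conf and of TCP
# reachability of the manager port. Added example, not Wazuh's own tooling.
# Assumes the agent config path used in this guide and that nc is installed.
AGENT_CONF=/var/ossec/etc/ossec.conf

# conf_value CONF_TEXT TAG: print the first <TAG>...</TAG> value found inside
# the <client><server> block (whitespace trimmed). Prints nothing if absent.
conf_value() {
    printf '%s\n' "$1" | awk -v tag="$2" '
        /<server>/ { in_srv = 1 }
        in_srv && match($0, "<" tag ">[^<]*</" tag ">") {
            v = substr($0, RSTART + length(tag) + 2, RLENGTH - 2 * length(tag) - 5)
            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }
        /<\/server>/ { in_srv = 0 }'
}

manager_address() { conf_value "$1" address; }
# Wazuh agents default to port 1514 when <port> is not set.
manager_port() { p=$(conf_value "$1" port); printf '%s' "${p:-1514}"; }

# manager_reachable ADDR PORT: TCP connect test with a 3 second timeout (live only).
manager_reachable() { nc -z -w 3 "$1" "$2"; }

# Live run on an agent: sudo sh agent-check.sh --live
if [ "${1:-}" = "--live" ]; then
    conf=$(cat "$AGENT_CONF") || exit 1
    addr=$(manager_address "$conf"); port=$(manager_port "$conf")
    [ -n "$addr" ] || { echo "no <server><address> in $AGENT_CONF"; exit 1; }
    if manager_reachable "$addr" "$port"; then
        echo "manager $addr:$port reachable"
    else
        echo "cannot reach $addr:$port: check the address and that 1514/1515 are open on the server"
        exit 1
    fi
fi
```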
Security Hardening and Best Practices
HTTPS Configuration
Secure dashboard access by implementing proper SSL/TLS certificates instead of self-signed certificates. Obtain certificates from trusted certificate authorities or implement internal PKI infrastructure for enhanced security.
Configure strong cipher suites and disable deprecated SSL/TLS versions to protect against cryptographic attacks. Regular certificate renewal processes ensure continuous security.
Access Control Implementation
Implement comprehensive user access controls with role-based permissions aligned to organizational responsibilities. Create separate accounts for different user roles including security analysts, administrators, and read-only users.
Enable audit logging for all administrative actions and user access attempts. Regular access reviews ensure permissions remain appropriate and excessive privileges are promptly removed.
Network Security
Implement network segmentation to isolate Wazuh infrastructure from general network traffic. Use dedicated VLANs or network zones for security monitoring infrastructure components.
Configure firewall rules with explicit allow/deny policies, permitting only necessary communication paths between Wazuh components and monitored endpoints.
Monitoring and Maintenance
Regular Health Checks
Perform routine health assessments of all Wazuh components to identify potential issues before they impact security monitoring capabilities. Monitor system resources including CPU utilization, memory consumption, and disk space usage.
Implement automated monitoring for critical services and configure alerting for service failures or performance degradation. Regular backup verification ensures data recovery capabilities remain functional.
Log Management
Configure appropriate log retention policies balancing storage costs with compliance and forensic investigation requirements. Implement log rotation to prevent disk space exhaustion while maintaining necessary historical data.
Monitor log ingestion rates and alert volumes to identify trends that might indicate security incidents or system problems requiring attention.
Update Procedures
Establish regular update procedures for Wazuh components, operating system packages, and security definitions. Test updates in development environments before applying to production systems.
Coordinate update schedules with change management processes to minimize operational impact while maintaining current security postures.
Congratulations! You have successfully installed Wazuh. Thanks for using this tutorial for installing the Wazuh open source security platform on your Linux Mint 22 system. For additional help or useful information, we recommend you check the official Wazuh website.