How To Install Wazuh on Ubuntu 24.04 LTS
Wazuh has established itself as a premier open-source security platform that provides robust threat detection and monitoring capabilities. By deploying Wazuh on Ubuntu 24.04 LTS, organizations can significantly enhance their security posture while leveraging the stability and performance of Ubuntu’s latest long-term support release. This comprehensive guide walks you through the complete installation process, from preparation to post-configuration, ensuring you can implement an effective security monitoring solution.
Understanding Wazuh and Its Benefits
Wazuh functions as an open-source security platform that combines SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities. Organizations implement Wazuh to detect threats, monitor security incidents, and respond to vulnerabilities across their infrastructure. The platform excels at log analysis, file integrity monitoring, vulnerability detection, and compliance management.
Ubuntu 24.04 LTS serves as an excellent foundation for Wazuh due to its long-term support, stability, and robust security features. The combination provides a reliable security monitoring solution that can scale according to organizational needs.
Prerequisites for Installation
Before proceeding with the installation, ensure your system meets these requirements:
- A server running Ubuntu 24.04 LTS (fresh installation recommended)
- Minimum 4GB RAM (8GB recommended for production environments)
- At least 2 CPU cores (4+ recommended for production)
- Minimum 50GB of free disk space
- Root or sudo privileges on the server
- Static IP address configuration
- Basic familiarity with Linux command line
- Open ports: 1514, 1515, 514, 55000, 443, 9200 (firewall configuration)
- Stable internet connection for package downloads
Proper preparation will help avoid common installation issues and ensure optimal performance of your Wazuh deployment.
Understanding Wazuh Architecture
Wazuh operates through several key components that work together to provide comprehensive security monitoring:
Wazuh Manager: This central component analyzes data collected from agents and generates alerts when it detects security issues. It processes events, applies rules, and manages the overall security monitoring workflow.
Wazuh Indexer: Based on OpenSearch technology, the indexer stores, searches, and retrieves data processed by the Wazuh manager. It enables efficient querying of large volumes of security events.
Wazuh Dashboard: This web interface provides visualization capabilities, allowing administrators to monitor security events, manage agents, and configure the Wazuh environment through an intuitive UI.
Wazuh Agents: These components run on endpoints (servers, workstations, containers) to collect security data and forward it to the Wazuh manager for analysis.
For smaller environments, all server-side components can run on a single host. Larger deployments might distribute components across multiple servers for improved performance and high availability.
Preparing Your Ubuntu Server
Begin by updating your Ubuntu 24.04 system to ensure all packages are current:
sudo apt update
sudo apt upgrade -y
Install essential dependencies required for the installation process:
sudo apt install vim curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
Configure your system's hostname and make sure it is set consistently in both /etc/hostname and /etc/hosts. A proper hostname configuration prevents communication issues between Wazuh components.
Synchronize your system clock using NTP to maintain accurate timestamps for security events:
sudo apt install ntp
sudo systemctl enable ntp
sudo systemctl start ntp
Adding the Wazuh Repository
To install Wazuh packages, you must first add the official Wazuh repository to your system:
1. Install prerequisite packages:
sudo apt install gnupg apt-transport-https
2. Import the Wazuh GPG key for package verification:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor | sudo tee /usr/share/keyrings/wazuh.gpg > /dev/null
3. Add the Wazuh repository to APT sources:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
4. Update package information:
sudo apt update
If you encounter GPG errors, verify that the key was properly imported. For persistent issues, try manually downloading the key from the official Wazuh website and importing it again.
Installing the Wazuh Indexer
The Wazuh Indexer stores and processes security events collected by the Wazuh Manager. Follow these steps to install it:
1. Install the Wazuh Indexer package:
sudo apt install wazuh-indexer
2. Create the directory that will hold the indexer certificates (they are generated and copied in the SSL/TLS section below):
sudo mkdir -p /etc/wazuh-indexer/certs/
3. Configure the Wazuh Indexer by editing its configuration file:
sudo nano /etc/wazuh-indexer/opensearch.yml
4. Modify the configuration to include these essential settings (cluster.initial_master_nodes and plugins.security.nodes_dn are YAML lists):
network.host: 0.0.0.0
node.name: node-1
cluster.initial_master_nodes:
  - node-1
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.allow_unsafe_democertificates: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
  - CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US
5. Start and enable the Wazuh Indexer service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer
6. Verify that the Wazuh Indexer is running:
sudo systemctl status wazuh-indexer
The indexer may take a minute or two to fully initialize. Be patient during this process as it sets up indices and security configurations. Note that plugins.security.allow_unsafe_democertificates: true exists only so the indexer will start with the bundled demo certificates; once your own certificates are in place, set it to false so the security plugin refuses to start with demo key material.
Installing the Wazuh Manager
The Wazuh Manager is the core component that analyzes security data and generates alerts. Install it with these steps:
1. Install the Wazuh Manager package:
sudo apt install wazuh-manager
2. Start and enable the Wazuh Manager service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
3. Verify the manager is running correctly:
sudo systemctl status wazuh-manager
4. Check the manager’s status with:
sudo /var/ossec/bin/wazuh-control status
The main configuration file for the Wazuh Manager is /var/ossec/etc/ossec.conf. This file controls various aspects of the Wazuh Manager's behavior, including log collection, alerts, and integrations. The default configuration works well for most deployments, but you may need to customize it for specific requirements.
Installing the Wazuh Dashboard
The Wazuh Dashboard provides a web interface for interacting with your Wazuh environment:
1. Install the Wazuh Dashboard package:
sudo apt install wazuh-dashboard
2. Create a directory for certificates:
sudo mkdir /etc/wazuh-dashboard/certs/
3. Configure the dashboard by editing its configuration file:
sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml
4. Modify the configuration with these essential settings:
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
5. Start and enable the Wazuh Dashboard service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard
6. Verify the dashboard is running:
sudo systemctl status wazuh-dashboard
The dashboard may take several minutes to fully initialize on first startup, especially on systems with limited resources.
Configuring SSL/TLS Certificates
Secure communication between Wazuh components is essential. If you haven’t set up certificates during installation, follow these steps:
1. For a development or testing environment, you can use the Wazuh certificate tool. It reads a config.yml in the same directory that lists the indexer, server (Filebeat) and dashboard nodes with their names and IP addresses; the node names must match the CNs you reference in plugins.security.nodes_dn:
sudo curl -sO https://packages.wazuh.com/4.x/filebeat/wazuh-certificates-tool.sh
sudo bash ./wazuh-certificates-tool.sh -A
2. This creates a wazuh-certificates directory containing the root CA plus a certificate and key for each node and for the admin user. Copy them to their appropriate locations (the admin pair is needed later by the indexer security tools):
# For the Wazuh Indexer
sudo cp wazuh-certificates/indexer.pem /etc/wazuh-indexer/certs/
sudo cp wazuh-certificates/indexer-key.pem /etc/wazuh-indexer/certs/
sudo cp wazuh-certificates/root-ca.pem /etc/wazuh-indexer/certs/
sudo cp wazuh-certificates/admin.pem /etc/wazuh-indexer/certs/
sudo cp wazuh-certificates/admin-key.pem /etc/wazuh-indexer/certs/
# For the Wazuh Dashboard
sudo cp wazuh-certificates/dashboard.pem /etc/wazuh-dashboard/certs/
sudo cp wazuh-certificates/dashboard-key.pem /etc/wazuh-dashboard/certs/
sudo cp wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/
3. Set proper ownership and permissions:
sudo chmod 500 /etc/wazuh-indexer/certs /etc/wazuh-dashboard/certs
sudo chmod 400 /etc/wazuh-indexer/certs/* /etc/wazuh-dashboard/certs/*
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
4. Restart services to apply the certificate configuration:
sudo systemctl restart wazuh-indexer
sudo systemctl restart wazuh-dashboard
For production environments, consider using certificates from a trusted Certificate Authority instead of self-signed certificates.
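As an added check (example script, not from the tutorial or the Wazuh project), the following POSIX shell functions verify that a certificate directory still has the permissions set above and print a certificate's subject DN in the same form plugins.security.nodes_dn uses, so the indexer setting can be compared against the certificate actually installed. It assumes GNU stat and openssl are available and that it runs as root or as the directory owner.

```shell
#!/bin/sh
# Example script (not part of the tutorial): verify the certificate layout
# the chmod/chown steps above should leave behind, and expose a cert's DN.
# Requires GNU coreutils stat and openssl.

# check_cert_dir DIR USER
# Prints each deviation from: directory mode 500, files mode 400,
# everything owned by USER. Returns the number of problems found (0 = clean).
check_cert_dir() {
    dir=$1
    user=$2
    problems=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    if [ "$(stat -c '%a' "$dir")" != "500" ]; then
        echo "$dir: mode $(stat -c '%a' "$dir"), expected 500"
        problems=$((problems + 1))
    fi
    if [ "$(stat -c '%U' "$dir")" != "$user" ]; then
        echo "$dir: owner $(stat -c '%U' "$dir"), expected $user"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        if [ "$(stat -c '%a' "$f")" != "400" ]; then
            echo "$f: mode $(stat -c '%a' "$f"), expected 400"
            problems=$((problems + 1))
        fi
        if [ "$(stat -c '%U' "$f")" != "$user" ]; then
            echo "$f: owner $(stat -c '%U' "$f"), expected $user"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# cert_dn FILE
# Prints the subject DN of a PEM certificate as "CN=...,OU=...,O=...,L=...,C=...",
# the format plugins.security.nodes_dn expects, so the two can be compared.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Typical use on the installed host:
#   check_cert_dir /etc/wazuh-indexer/certs wazuh-indexer
#   cert_dn /etc/wazuh-indexer/certs/indexer.pem
```

If cert_dn prints a DN that differs from the nodes_dn entry, the indexer will reject the transport connection even though the files load, which is the usual cause of a "certificate error" after copying freshly generated certificates.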
Configuring Filebeat
Filebeat forwards alerts and archived events from the Wazuh Manager to the Wazuh Indexer:
1. Install Filebeat:
sudo apt install filebeat
2. Download the Wazuh configuration for Filebeat:
sudo curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.x/filebeat/filebeat.yml
3. Download the Wazuh index template for Filebeat:
sudo curl -so /etc/filebeat/wazuh-template.json https://packages.wazuh.com/4.x/filebeat/wazuh-template.json
4. Create the directory for certificates:
sudo mkdir /etc/filebeat/certs
5. Copy the certificates:
sudo cp wazuh-certificates/filebeat.pem /etc/filebeat/certs/
sudo cp wazuh-certificates/filebeat-key.pem /etc/filebeat/certs/
sudo cp wazuh-certificates/root-ca.pem /etc/filebeat/certs/
6. Set proper ownership and permissions:
sudo chmod 500 /etc/filebeat/certs
sudo chmod 400 /etc/filebeat/certs/*
sudo chown -R root:root /etc/filebeat/certs
7. Edit the Filebeat configuration file to point at the Wazuh Indexer host:
sudo nano /etc/filebeat/filebeat.yml
Update the hosts line to match your environment (hosts is a list nested under output.elasticsearch):
output.elasticsearch:
  hosts: ['https://localhost:9200']
8. Store the indexer credentials in the Filebeat keystore; the downloaded configuration reads them from there as ${username} and ${password}. Use the default admin/admin for now and rotate it in the post-installation steps:
sudo filebeat keystore create
echo admin | sudo filebeat keystore add username --stdin --force
echo admin | sudo filebeat keystore add password --stdin --force
9. Enable and start Filebeat:
sudo systemctl daemon-reload
sudo systemctl enable filebeat
sudo systemctl start filebeat
10. Verify Filebeat's configuration and that it can reach the indexer:
sudo filebeat test config
sudo filebeat test output
Accessing the Wazuh Dashboard
After completing the installation, access the Wazuh Dashboard through your web browser:
1. Open your firewall to allow access to port 443:
sudo ufw allow 443/tcp
2. Access the Wazuh Dashboard by navigating to:
https://YOUR_SERVER_IP
3. Accept the self-signed certificate warning in your browser (if using self-signed certificates).
4. Log in with the default credentials:
- Username: admin
- Password: admin
For an automated installation using the official script, you’ll receive custom credentials at the end of the installation process.
5. When logging in for the first time, you’ll need to change the default password.
6. The dashboard will display an overview of your security environment, though you won’t see any agent data until you deploy Wazuh agents to your endpoints.
Post-Installation Configuration
After successfully installing Wazuh, consider these important post-installation steps:
1. Change the default passwords of all indexer user accounts. The Wazuh passwords tool (a separate download from the same package server) changes every internal user's password at once and updates the Filebeat and dashboard keystores to match; it needs the admin.pem and admin-key.pem pair in /etc/wazuh-indexer/certs:
sudo curl -sO https://packages.wazuh.com/4.x/wazuh-passwords-tool.sh
sudo bash wazuh-passwords-tool.sh --change-all
Record the generated passwords; after this step admin/admin no longer works.
2. Configure email notifications for alerts by editing the Wazuh Manager configuration:
sudo nano /var/ossec/etc/ossec.conf
Put the SMTP settings in the existing <global> block, which is where ossec.conf keeps the mail server and addresses, and enable notifications there. An optional <email_alerts> block can then limit which alerts are mailed, for example by minimum alert level:
<global>
  <email_notification>yes</email_notification>
  <email_to>your-email@example.com</email_to>
  <smtp_server>smtp.example.com</smtp_server>
  <email_from>wazuh@your-domain.com</email_from>
</global>
<email_alerts>
  <email_to>your-email@example.com</email_to>
  <level>10</level>
</email_alerts>
3. Set up regular backups of your Wazuh configurations and data:
sudo mkdir -p /var/backups/wazuh
sudo cp -r /var/ossec/etc /var/backups/wazuh/
4. Create a backup script and schedule it with cron for automated backups.
5. Implement more advanced security rules and policies through the dashboard interface.
Troubleshooting Common Issues
Service Won’t Start
- Check logs for errors:
sudo journalctl -u wazuh-manager -u wazuh-indexer -u wazuh-dashboard
- Verify file permissions on certificates
- Ensure adequate resources (RAM, CPU) are available
Certificate Errors
- Verify certificate paths in configuration files
- Check certificate format and contents
- Ensure certificate permissions are set correctly
Dashboard Access Issues
- Confirm the dashboard service is running:
sudo systemctl status wazuh-dashboard
- Check the dashboard port configuration in the opensearch_dashboards.yml file
- Verify firewall settings allow access to port 443
Connection Problems Between Components
- Ensure all services are running
- Verify correct hostnames or IP addresses in configuration files
- Check network connectivity between components with ping, telnet, or nc
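To make that connectivity check concrete, here is an added helper (example code, not from the tutorial) that attempts a TCP connection to each listener in the port list from the prerequisites and reports which ones do not answer. It assumes the server-side components run on one host and that either nc or bash is installed; the 192.0.2.10 address in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Example helper (not part of the tutorial): probe the Wazuh listeners from
# an agent host or from the server itself. Uses nc when present, otherwise
# bash's /dev/tcp. Port 514 (syslog) is only open if you enabled remote syslog,
# so it is left out of the default list.

# check_port HOST PORT -> 0 if a TCP connection succeeds within 3 seconds
check_port() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# check_wazuh_ports HOST -> prints one line per service and returns the
# number of unreachable ports (0 means every listener answered)
check_wazuh_ports() {
    host=$1
    failed=0
    for entry in "1514:agent events" "1515:agent enrollment" \
                 "55000:manager API" "9200:indexer" "443:dashboard"; do
        port=${entry%%:*}
        label=${entry#*:}
        if check_port "$host" "$port"; then
            echo "ok    $host:$port ($label)"
        else
            echo "FAIL  $host:$port ($label)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# check_wazuh_ports 192.0.2.10   # constructed address; use your manager's IP
```

A FAIL on 1514 or 1515 with the services running almost always means the firewall on the manager, not the agent configuration, so check ufw before re-enrolling agents.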
Filebeat Configuration Errors
- Test your Filebeat configuration with:
sudo filebeat test config
- Check Filebeat logs:
sudo journalctl -u filebeat
- Verify Filebeat can connect to the Wazuh Indexer
Agent Connection Issues
- Confirm the agent manager address is correctly configured
- Verify the agent is properly registered with the manager
- Check firewall settings allow communication on required ports
Congratulations! You have successfully installed Wazuh. Thanks for using this tutorial for installing Wazuh on your Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official Wazuh website.