Skip to content

Instantly share code, notes, and snippets.

@austinsonger
Last active March 26, 2020 21:19
Show Gist options
  • Save austinsonger/9f5f30c67d883d5433823eecc002ba64 to your computer and use it in GitHub Desktop.
Save austinsonger/9f5f30c67d883d5433823eecc002ba64 to your computer and use it in GitHub Desktop.
Install Wazuh - Centos
#!/bin/sh
yum update -y
yum upgrade -y
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jdk-8u172-linux-x64.rpm"
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.rpm"
https://download.oracle.com/otn/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jdk-8u202-linux-x64.rpm
https://download.oracle.com/otn/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm
rpm -ivh jdk-8u172-linux-x64.rpm
rpm -ivh jre-8u172-linux-x64.rpm
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" > /etc/yum.repos.d/elasticsearch.repo
yum update -y
yum -y install elasticsearch-7.4.0 kibana-7.4.0 logstash-7.4.0
chkconfig --add kibana
chkconfig --add logstash
chkconfig --add elasticsearch
chkconfig logstash on
chkconfig elasticsearch on
chkconfig kibana on
/usr/share/logstash/bin/logstash-plugin install logstash-output-email
echo "cluster.name: elk01
node.name: elk01-nodo01
bootstrap.memory_lock: true
network.host: 127.0.0.1" >> /etc/elasticsearch/elasticsearch.yml
sed -i 's/-Xms1g/-Xms32g/g' /etc/elasticsearch/jvm.options
sed -i 's/-Xmx1g/-Xmx32g/g' /etc/elasticsearch/jvm.options
echo "ES_HOME=/usr/share/elasticsearch
CONF_DIR=/etc/elasticsearch
DATA_DIR=/var/lib/elasticsearch
LOG_DIR=/var/log/elasticsearch
PID_DIR=/var/run/elasticsearch
ES_USER=elasticsearch
ES_GROUP=elasticsearch
ES_STARTUP_SLEEP_TIME=5
MAX_OPEN_FILES=9965536" >> /etc/sysconfig/elasticsearch
echo 'server.port: 5601
server.host: "localhost"
server.name: "ELK01"
elasticsearch.url: "http://localhost:9200"
elasticsearch.preserveHost: true
kibana.index: ".kibana"
kibana.defaultAppId: "discover"' >> /etc/kibana/kibana.yml
service elasticsearch start
service kibana start
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
yum update
yum -y install wazuh-manager
service wazuh-manager status
curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
yum install -y nodejs
python --version
netstat -tapn | grep LISTEN
yum -y install wazuh-api
service wazuh-api status
curl https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/logstash/01-wazuh-local.conf
chown logstash:logstash /etc/logstash/conf.d/01-wazuh.conf
usermod -a -G ossec logstash
systemctl daemon-reload
export NODE_OPTIONS="--max-old-space-size=3072"
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.10.2_7.4.0.zip
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elasticsearch.repo
node /var/ossec/api/configuration/auth/htpasswd -c /var/ossec/api/configuration/auth/user manager
service wazuh-api restart
echo "PASSWORD" /var/ossec/etc/authd.pass
/var/ossec/bin/ossec-authd -i -P -a
firewall-cmd --permanent --add-port=1515/tcp
firewall-cmd --permanent --add-port=1514/udp
firewall-cmd --reload
service logstash start
service kibana restart
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment