Deployment Overview of Wazuh on Server

Prerequisites and Basic Requirements

The deployment of Wazuh requires a server running an Ubuntu-based operating system with root privileges. The system must have access to the internet to download the installation script and required packages. The following components are installed during the process:

  • Wazuh Indexer
  • Wazuh Server
  • Wazuh Dashboard
  • Nginx with Certbot for SSL termination

The Wazuh Dashboard is configured to listen on port 8080. The Wazuh Indexer cluster health is verified via port 9200.

File and Directory Structure

The application files, configuration data, and logs are organized in the following directories:

  • {{ wazuh_data_dir }}: The primary directory for Wazuh installation scripts and configuration files.
  • wazuh-install.sh: The official Wazuh installation script.
  • config.yml: The configuration file used to generate the Wazuh environment.
  • wazuh-install-files.tar: Archive containing generated configuration and password files.
  • password: A file storing the admin username and password for the Wazuh Indexer.
  • /root/nginx: Directory containing the Docker Compose configuration for the Nginx proxy.
  • compose.yml: Docker Compose file defining the Nginx and Certbot services.
  • /data/nginx/user_conf.d: Directory containing custom Nginx configuration files for specific host keys.
  • /etc/letsencrypt: Volume mount point for SSL certificates managed by Certbot.
  • /etc/apt/sources.list.d/wazuh.list: The APT source list file for Wazuh repositories.

Application Installation Process

The Wazuh suite is installed using the official installation script wazuh-install.sh version 4.11. The installation process follows these steps:

  1. The installation script is downloaded from https://packages.wazuh.com/4.11/wazuh-install.sh into the {{ wazuh_data_dir }} directory.
  2. A configuration file config.yml is placed in the data directory.
  3. Configuration files are generated by executing ./wazuh-install.sh --generate-config-files.
  4. The Wazuh Indexer is installed as a single node using the command wazuh-install.sh --wazuh-indexer node-1.
  5. The Wazuh Indexer cluster is started using wazuh-install.sh --start-cluster.
  6. The Wazuh Server is installed using wazuh-install.sh --wazuh-server wazuh-1.
  7. The Wazuh Dashboard is installed and configured to run on port 8080 using wazuh-install.sh --wazuh-dashboard dashboard -p 8080.

After the installation, the Wazuh APT repository is disabled by commenting out the deb entry in /etc/apt/sources.list.d/wazuh.list to prevent automatic updates.

Access Rights and Security

Security credentials for the Wazuh Indexer are generated during the installation process. The admin password is extracted from the wazuh-install-files.tar archive and stored in the {{ wazuh_data_dir }}/password file with permissions set to 0600.

The Wazuh Indexer cluster health is verified by sending a request to https://127.0.0.1:9200/_cluster/health using the generated admin credentials. The deployment validates that the cluster status is green before proceeding.
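The two post-installation steps described above (disabling the Wazuh APT repository so the 4.11 packages are not moved by a routine upgrade, and extracting the indexer admin password and gating on a green cluster) can be expressed as a small set of shell functions. The script below is an added example and is not part of the page or the Wazuh project. It assumes a placeholder for {{ wazuh_data_dir }}, the member path wazuh-install-files/wazuh-passwords.txt inside the generated archive, the "indexer_username / indexer_password" line layout of that file, an "admin:<password>" layout for the password file, and two environment variables of its own (WAZUH_CA, WAZUH_POSTINSTALL_LIVE); all of these are marked ASSUMED in the code.

```shell
#!/bin/sh
# Added example for the post-install steps; not from the page or the Wazuh project.
# Items marked ASSUMED are not stated on the page. Target is Ubuntu (GNU sed/grep/tar).

# ASSUMED placeholder for {{ wazuh_data_dir }}; override with the real path.
WAZUH_DATA_DIR="${WAZUH_DATA_DIR:-/opt/wazuh-deploy}"
WAZUH_LIST="${WAZUH_LIST:-/etc/apt/sources.list.d/wazuh.list}"
PASSWORD_FILE="$WAZUH_DATA_DIR/password"

# --- 1. Pin the installed version by disabling the APT repository -------------
# Comments out every still-active "deb" line. Idempotent: already-commented
# lines are untouched, so a re-run (e.g. from configuration management)
# does not stack "#" characters in front of the entry.
disable_wazuh_repo() {
    sed -i 's/^[[:space:]]*deb /# deb /' "$1"
}

# Succeeds only when no active deb entry remains in the file.
repo_is_disabled() {
    ! grep -q '^[[:space:]]*deb ' "$1"
}

# --- 2. Extract the indexer admin password ------------------------------------
# Reads the text of wazuh-passwords.txt on stdin and prints the admin password.
# ASSUMED layout of that file:
#   indexer_username: 'admin'
#   indexer_password: '<secret>'
# followed by the same pair for other internal users, which must be skipped.
admin_password_from_text() {
    awk -F"'" '
        /indexer_username:/ { is_admin = ($2 == "admin"); next }
        is_admin && /indexer_password:/ { print $2; exit }
    '
}

# Writes "admin:<password>" (ASSUMED file layout) to $2 with mode 0600. The
# umask is applied in a subshell so the file is never created world-readable,
# not even for the instant before chmod runs.
store_admin_password() {
    ( umask 077; printf 'admin:%s\n' "$1" > "$2" )
    chmod 0600 "$2"
}

# --- 3. Cluster health gate ---------------------------------------------------
# Reads the JSON body of GET /_cluster/health on stdin; succeeds only for green.
cluster_is_green() {
    grep -q '"status"[[:space:]]*:[[:space:]]*"green"'
}

# Live query against the loopback listener. Credentials are handed to curl as a
# config file on stdin (-K -) rather than on argv, so they do not appear in the
# process list. WAZUH_CA (ASSUMED env var) should point at the installer's root
# CA so the certificate is verified; the -k fallback skips verification and is
# tolerable only because the target is 127.0.0.1.
fetch_cluster_health() {
    if [ -n "${WAZUH_CA:-}" ]; then
        printf 'user = "%s"\n' "$(cat "$PASSWORD_FILE")" \
            | curl -sS --cacert "$WAZUH_CA" -K - https://127.0.0.1:9200/_cluster/health
    else
        printf 'user = "%s"\n' "$(cat "$PASSWORD_FILE")" \
            | curl -sS -k -K - https://127.0.0.1:9200/_cluster/health
    fi
}

# Only touch the real system when explicitly asked, so the file can be sourced
# for testing. WAZUH_POSTINSTALL_LIVE is an ASSUMED switch of this example.
if [ "${WAZUH_POSTINSTALL_LIVE:-0}" = "1" ]; then
    disable_wazuh_repo "$WAZUH_LIST" && repo_is_disabled "$WAZUH_LIST" || exit 1
    # ASSUMED member path inside wazuh-install-files.tar
    tar -xOf "$WAZUH_DATA_DIR/wazuh-install-files.tar" wazuh-install-files/wazuh-passwords.txt \
        | admin_password_from_text \
        | { read -r pw; store_admin_password "$pw" "$PASSWORD_FILE"; }
    if fetch_cluster_health | cluster_is_green; then
        echo "indexer cluster is green"
    else
        echo "indexer cluster is NOT green; stopping deployment" >&2
        exit 1
    fi
fi
```

Run it as WAZUH_POSTINSTALL_LIVE=1 WAZUH_DATA_DIR=/path/to/data sh post-install.sh on the indexer host; without the switch the file only defines the functions, which is what makes the parsing and health logic testable offline. A yellow cluster is the common failure on a single node when an index has replicas configured, which is why the gate checks the literal status rather than just a 200 response.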

Docker Containers and Their Deployment

The Nginx reverse proxy and SSL certificate management are deployed using Docker Compose. The configuration is located in /root/nginx/compose.yml.

The Docker Compose file defines the following service:

  • nginx:
    • Image: jonasal/nginx-certbot:latest
    • Restart Policy: unless-stopped
    • Network Mode: host
    • Environment Variable: [email protected]
    • Environment File: /data/nginx/nginx-certbot.env
    • Volumes:
      • nginx_secrets mounted to /etc/letsencrypt
      • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d

The container is started using the command docker compose up -d executed from the /root/nginx directory.

Proxy Servers

Nginx is configured as a reverse proxy to handle incoming traffic and manage SSL certificates via Certbot. The proxy configuration is customized for specific host keys in the /data/nginx/user_conf.d directory.

For each host key, a configuration file named {{ prefix }}{{ server_id }}.hostkey.in.conf is modified to include the following proxy rule:

location / {
    proxy_pass https://{{ prefix }}{{ server_id }}.hostkey.in:8080;
}

This configuration forwards traffic to the Wazuh Dashboard running on port 8080 over HTTPS.

Permission Settings

File and directory permissions are set as follows to ensure security and proper operation:

  • {{ wazuh_data_dir }}: Mode 0755
  • wazuh-install.sh: Mode 0755
  • config.yml: Mode 0600, owned by root:root
  • password: Mode 0600
  • /root/nginx: Mode 0755, owned by root:root
  • /root/nginx/compose.yml: Mode 0644, owned by root:root