Deployment Overview of Wazuh on Server

Prerequisites and Basic Requirements

The following requirements must be met before deploying the Wazuh application:

  • Operating System: Ubuntu with APT package management.

  • Privileges: Root access or sudo privileges are required to execute installation scripts, manage services, and configure the firewall.

  • Domain Configuration: The server must be configured to resolve the hostkey.in zone.

  • Ports: The following ports must be accessible:

    • Port 443 (HTTPS) for external web access via the reverse proxy.

    • Port 8080 (HTTP) for internal communication between the Wazuh dashboard and the reverse proxy.

    • Port 9200 (HTTPS) for internal Wazuh Indexer cluster communication.

FQDN of the Final Panel

The Wazuh dashboard is accessible via the following Fully Qualified Domain Name (FQDN) format, where <server_id> represents the unique identifier for the specific server instance:

wazuh<server_id>.hostkey.in:443

File and Directory Structure

The application components, configuration files, and data are organized within the following directory structure on the host server:

  • /opt/wazuh: The primary directory for Wazuh installation files, scripts, and configuration data.

  • /opt/wazuh/wazuh-install.sh: The official Wazuh installation script (version 4.11).

  • /opt/wazuh/config.yml: The configuration file defining node names and IP addresses for the indexer, server, and dashboard.

  • /opt/wazuh/password: A file containing the admin credentials for the Wazuh indexer.

  • /root/nginx: The directory containing the Nginx reverse proxy configuration.

  • /root/nginx/compose.yml: The Docker Compose file defining the Nginx and Certbot services.

  • /data/nginx/user_conf.d: The directory containing specific Nginx site configuration files (e.g., wazuh<server_id>.hostkey.in.conf).

  • /data/nginx/nginx-certbot.env: The environment file for Nginx Certbot.

  • /data/nginx/: The mount point for external Let's Encrypt secrets and certificates.

Application Installation Process

The Wazuh application is installed using the official installer script provided by Wazuh, version 4.11. The process involves the following steps:

  1. Directory Preparation: The /opt/wazuh directory is created to store installation artifacts.

  2. Script Retrieval: The installation script is downloaded from https://packages.wazuh.com/4.11/wazuh-install.sh into /opt/wazuh.

  3. Configuration Generation: The config.yml file is placed in /opt/wazuh, defining the topology for node-1 (indexer), wazuh-1 (server), and dashboard. The command ./wazuh-install.sh --generate-config-files is executed to prepare installation files.

  4. Wazuh Indexer Installation: The indexer is installed using the command:

    ./wazuh-install.sh --wazuh-indexer node-1
    

  5. Cluster Initialization: The indexer cluster is started using:

    ./wazuh-install.sh --start-cluster
    

  6. Credential Extraction: The admin password is extracted from the generated tar archive and saved to /opt/wazuh/password.

  7. Wazuh Server Installation: The Wazuh server component is installed using:

    ./wazuh-install.sh --wazuh-server wazuh-1
    

  8. Wazuh Dashboard Installation: The dashboard is installed and configured to listen on port 8080 using:

    ./wazuh-install.sh --wazuh-dashboard dashboard -p 8080
    

  9. Repository Cleanup: The Wazuh APT repository is disabled by commenting out the entry in /etc/apt/sources.list.d/wazuh.list to prevent automatic updates via the package manager.
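Step 6 above (credential extraction) is the only step of the procedure that is not a single installer invocation, so here is an added example of it as a shell script. This is not code from the page or from wazuh-install.sh. It assumes the installer's archive is wazuh-install-files.tar and contains wazuh-install-files/wazuh-passwords.txt with "indexer_username: '...'" / "indexer_password: '...'" lines (the 4.x layout, treated as an assumption); make_sample_archive builds a constructed archive with a fake password so the script runs offline, and the saved file gets the 0600 mode the security section requires.

```shell
# Added example, not part of the page or of wazuh-install.sh: carry out step 6
# (credential extraction) and the 0600 password storage from the security
# section. Assumptions: the installer's archive is wazuh-install-files.tar and
# holds wazuh-install-files/wazuh-passwords.txt with lines such as
#   indexer_username: 'admin'
#   indexer_password: '...'
# (the 4.x layout, treated here as an assumption). make_sample_archive builds a
# constructed archive with a fake password so everything runs offline.
set -u

# Build a constructed archive mimicking the installer's output layout.
make_sample_archive() {
  local out_tar="$1" work
  work="$(mktemp -d)"
  mkdir -p "$work/wazuh-install-files"
  cat > "$work/wazuh-install-files/wazuh-passwords.txt" <<'EOF'
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'ExampleOnly-NotARealPassword-1234'

# Wazuh API user for the dashboard (constructed)
  api_username: 'wazuh'
  api_password: 'AnotherConstructedValue'
EOF
  tar -C "$work" -cf "$out_tar" wazuh-install-files
  rm -rf "$work"
}

# Print the indexer password for user $2 (default admin). The passwords file is
# read straight from the tar stream, so nothing but the final password file
# ever lands on disk. Prints nothing if the user is not listed.
extract_admin_password() {
  local tar_file="$1" user="${2:-admin}"
  tar -xOf "$tar_file" wazuh-install-files/wazuh-passwords.txt \
    | awk -F"'" -v want="$user" '
        $1 ~ /indexer_username:/ { current = $2; next }
        $1 ~ /indexer_password:/ && current == want { print $2; exit }'
}

# Store the admin password in $2 (default /opt/wazuh/password). The file is
# created under umask 077 so it is never readable by others, even briefly,
# then pinned to 0600. Returns 1 if no password was found.
save_admin_password() {
  local tar_file="$1" dest="${2:-/opt/wazuh/password}" pw
  pw="$(extract_admin_password "$tar_file" admin)"
  [ -n "$pw" ] || { echo "no indexer password for 'admin' in $tar_file" >&2; return 1; }
  ( umask 077; printf '%s\n' "$pw" > "$dest" )
  chmod 0600 "$dest"
}

# Octal mode of a file, portable across GNU and BSD stat.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
```

On the real host the call is save_admin_password /opt/wazuh/wazuh-install-files.tar (run from /opt/wazuh after step 3); reading the passwords file with tar -O avoids leaving an unpacked copy of the whole archive, which also contains the cluster's private keys, lying around.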

Access Rights and Security

Security measures implemented during the deployment include:

  • Password Storage: Admin credentials are stored in /opt/wazuh/password with restricted file permissions (0600).

  • Cluster Health Verification: The installation script verifies the status of the Wazuh Indexer cluster via an HTTPS request to 127.0.0.1:9200. The installation fails if the status is not green.

  • HTTPS Enforcement: External traffic is secured using Nginx with Let's Encrypt certificates (Certbot), ensuring all web traffic is encrypted via port 443.

  • Internal Communication: Traffic between the reverse proxy and the dashboard uses plain HTTP on port 8080, as defined in the Nginx configuration.
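The cluster health verification described above, as an added example that is not part of the page or of the installer: the indexer answers GET /_cluster/health with JSON carrying a "status" of green, yellow or red (the standard OpenSearch response shape). SAMPLE_GREEN and SAMPLE_YELLOW are constructed responses so the parsing and the "fail unless green" rule can be exercised offline; fetch_cluster_health shows the live request and its curl flags are an assumption (-k accepts the installer's self-signed indexer certificate).

```shell
# Added example (not from the page or the Wazuh installer): reproduce the
# cluster health check as reusable functions. SAMPLE_GREEN/SAMPLE_YELLOW are
# constructed responses; fetch_cluster_health is the live variant and is only
# an illustration of the request (curl flags are an assumption).
set -u

SAMPLE_GREEN='{"cluster_name":"wazuh-cluster","status":"green","timed_out":false,"number_of_nodes":1,"active_shards":12}'
SAMPLE_YELLOW='{"cluster_name":"wazuh-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"active_shards":12}'

# Pull the value of the "status" key out of a health response.
# Plain sed so it needs no jq; prints nothing if the key is absent.
cluster_status_from_json() {
  printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Exit status 0 only when the cluster reports green, mirroring the installer's
# rule. Anything else (yellow, red, empty or garbled body) is a failure, so a
# broken indexer is never silently accepted.
require_green() {
  local status
  status="$(cluster_status_from_json "$1")"
  case "$status" in
    green) return 0 ;;
    *) echo "indexer cluster status is '${status:-unknown}', expected green" >&2; return 1 ;;
  esac
}

# Live check against the local indexer using the stored admin password
# (not executed by the offline test).
fetch_cluster_health() {
  local pw_file="${1:-/opt/wazuh/password}"
  curl -sS -k -u "admin:$(cat "$pw_file")" https://127.0.0.1:9200/_cluster/health
}

# Typical use after --start-cluster:
#   require_green "$(fetch_cluster_health)" || exit 1
```

Treating an empty or malformed body as a failure matters in practice: if the indexer is down, curl prints nothing, and a check that only looked for the word "red" would pass.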

Databases

Wazuh utilizes a built-in indexing engine (Wazuh Indexer) for data storage and retrieval.

  • Storage Location: Data is stored locally on the node within the default Wazuh directories under /opt/wazuh.

  • Connection Method: The Wazuh Server and Dashboard connect to the Indexer via 127.0.0.1:9200.

  • Authentication: Access requires the admin username and the password generated during installation, stored in /opt/wazuh/password.

Docker Containers and Their Deployment

A reverse proxy and SSL management solution is deployed using Docker.

  • Deployment Method: Docker Compose is used to orchestrate the services.

  • Configuration File: The deployment is defined in /root/nginx/compose.yml.

  • Service Image: jonasal/nginx-certbot:latest.

  • Network Mode: The container runs in host network mode.

  • Volumes:

    • nginx_secrets: An external volume mounted at /etc/letsencrypt for SSL certificates.

    • /data/nginx/user_conf.d: Mounted at /etc/nginx/user_conf.d for custom Nginx configurations.

  • Environment: The service uses an environment file located at /data/nginx/nginx-certbot.env and sets the email [email protected].

Proxy Servers

An Nginx reverse proxy is configured to handle incoming HTTPS traffic and route it to the Wazuh Dashboard.

  • Software: Nginx with Certbot (managed via Docker).

  • SSL/TLS: Managed automatically by Certbot using Let's Encrypt.

  • Configuration: A site configuration file named wazuh<server_id>.hostkey.in.conf is generated for the domain wazuh<server_id>.hostkey.in and placed in /data/nginx/user_conf.d.

  • Proxy Rule: The configuration includes a location / block that forwards requests to the internal Wazuh Dashboard:

    proxy_pass https://wazuh<server_id>.hostkey.in:8080;
    

  • Operation: The proxy is started using the command:

    docker compose up -d
    
    executed within the /root/nginx directory.
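The two files that the Docker Containers section and the Proxy Servers section describe, compose.yml and the per-host site file, can be generated from the facts given in those sections. The script below is an added example, not the page's own files: it uses the image, host network mode, volumes, env file and proxy_pass target stated above. It assumes that the jonasal/nginx-certbot image obtains a certificate for any server block whose ssl_certificate paths sit under /etc/letsencrypt/live/<name>/ and that CERTBOT_EMAIL is the variable it reads; the e-mail value is a placeholder, and the proxy_set_header lines are a conventional addition the page does not show. Paths are arguments so the functions can be tried in a scratch directory before writing to /root/nginx and /data/nginx.

```shell
# Added example (not the page's own files): generate the Compose definition and
# the Nginx site file from the facts in the proxy sections. Assumptions:
# jonasal/nginx-certbot issues certificates for ssl_certificate paths under
# /etc/letsencrypt/live/<name>/, CERTBOT_EMAIL is the variable it reads, the
# e-mail is a placeholder, and the proxy_set_header lines are a conventional
# addition not shown on the page.
set -u

# Write the Compose file. $1 = destination path, $2 = certbot contact e-mail
# (placeholder by default; the real address is not reproduced here).
write_compose_file() {
  local dest="$1" email="${2:-admin@example.invalid}"
  cat > "$dest" <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    env_file:
      - /data/nginx/nginx-certbot.env
    environment:
      - CERTBOT_EMAIL=$email
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:
    external: true
EOF
  chmod 0644 "$dest"
}

# Write the site file for wazuh<server_id>.hostkey.in into directory $2 and
# print the path of the file written.
write_site_conf() {
  local server_id="$1" outdir="$2"
  local domain="wazuh${server_id}.hostkey.in"
  local dest="$outdir/$domain.conf"
  mkdir -p "$outdir"
  cat > "$dest" <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    # Certificate paths managed by the certbot side of the image.
    ssl_certificate         /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/$domain/chain.pem;

    location / {
        proxy_pass https://$domain:8080;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
  printf '%s\n' "$dest"
}

# Sanity check before "docker compose up -d": the site file must name the host
# it serves and must forward to port 8080, or the dashboard is unreachable.
site_conf_ok() {
  local conf="$1" server_id="$2"
  grep -q "server_name wazuh${server_id}.hostkey.in;" "$conf" \
    && grep -q "proxy_pass https://wazuh${server_id}.hostkey.in:8080;" "$conf"
}
```

On the host the calls are write_compose_file /root/nginx/compose.yml <email> and write_site_conf <server_id> /data/nginx/user_conf.d, followed by site_conf_ok on the printed path and then docker compose up -d in /root/nginx; because the container shares the host network, port 443 must be free on the host before it starts.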

Permission Settings

The following file and directory permissions are applied during the deployment:

  • /opt/wazuh: Created with 0755 permissions (Owner: root, Group: root).

  • /opt/wazuh/wazuh-install.sh: Set to 0755 (Executable).

  • /opt/wazuh/config.yml: Set to 0600 (Readable/Writable by owner only).

  • /opt/wazuh/password: Set to 0600 (Readable/Writable by owner only).

  • /root/nginx: Created with 0755 permissions.

  • /root/nginx/compose.yml: Set to 0644 permissions.
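The permission list above is easy to apply once and then lose to later edits, so here is an added example (not part of the page) that applies the listed modes to a tree and audits them afterwards, flagging a world-readable /opt/wazuh/password or any other drift. PERM_TABLE is the page's list with a directory/file type column added; $1 is a root prefix (empty for the live system, or a scratch directory to try it safely) and $2 the expected owner of /opt/wazuh, root on the real host.

```shell
# Added example (not part of the page): apply the listed permissions to a tree
# and audit them. PERM_TABLE is the page's list, one entry per line as
# "relative-path type mode" (d = directory, f = file).
set -u

PERM_TABLE='opt/wazuh d 0755
opt/wazuh/wazuh-install.sh f 0755
opt/wazuh/config.yml f 0600
opt/wazuh/password f 0600
root/nginx d 0755
root/nginx/compose.yml f 0644'

# Octal mode and owner of a path, portable across GNU and BSD stat.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# Create any missing entries (directories or empty files) and set every mode.
apply_perms() {
  local prefix="$1" path type mode
  while read -r path type mode; do
    if [ "$type" = d ]; then
      mkdir -p "$prefix/$path"
    else
      mkdir -p "$(dirname "$prefix/$path")"
      [ -e "$prefix/$path" ] || : > "$prefix/$path"
    fi
    chmod "$mode" "$prefix/$path"
  done <<EOF
$PERM_TABLE
EOF
}

# Compare every entry with the table and the owner of /opt/wazuh with $2.
# Prints each deviation; returns 1 if there was any, 0 if the tree is clean.
audit_perms() {
  local prefix="$1" owner="${2:-root}" path type mode actual bad=0
  while read -r path type mode; do
    if [ ! -e "$prefix/$path" ]; then
      echo "MISSING  $prefix/$path"; bad=1; continue
    fi
    actual="$(mode_of "$prefix/$path")"
    # stat prints 755 where the table says 0755: compare without the leading 0.
    if [ "${actual#0}" != "${mode#0}" ]; then
      echo "MODE     $prefix/$path is $actual, expected $mode"; bad=1
    fi
  done <<EOF
$PERM_TABLE
EOF
  if [ "$(owner_of "$prefix/opt/wazuh")" != "$owner" ]; then
    echo "OWNER    $prefix/opt/wazuh is $(owner_of "$prefix/opt/wazuh"), expected $owner"; bad=1
  fi
  return $bad
}
```

Run audit_perms "" root from a cron job or a configuration check and alert on a non-zero exit; the heredoc loop (rather than a pipe) is deliberate so the bad flag set inside the loop is visible to the return statement in every POSIX shell.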

Location of Configuration Files and Data

Critical configuration and data files are located in the following paths:

  • Wazuh Topology: /opt/wazuh/config.yml

  • Installation Script: /opt/wazuh/wazuh-install.sh

  • Admin Credentials: /opt/wazuh/password

  • Nginx Compose: /root/nginx/compose.yml

  • Nginx Site Config: /data/nginx/user_conf.d/wazuh<server_id>.hostkey.in.conf

  • Nginx Environment: /data/nginx/nginx-certbot.env

  • Wazuh APT Source: /etc/apt/sources.list.d/wazuh.list (Disabled)

Available Ports for Connection

The following ports are configured for network communication:

Port   Protocol   Purpose                   Access
443    TCP        HTTPS (Reverse Proxy)     External
8080   TCP        HTTP (Wazuh Dashboard)    Internal (Proxy only)
9200   TCP        HTTPS (Wazuh Indexer)     Internal (Localhost)

Starting, Stopping, and Updating

Service management commands are specific to the Wazuh installation script and the Docker proxy container.

  • Start Nginx Proxy:

    cd /root/nginx
    docker compose up -d
    

  • Start Wazuh Cluster:

    /opt/wazuh/wazuh-install.sh --start-cluster
    

  • Stop/Restart Services: Wazuh services are managed by the system service manager (systemd) under the names wazuh-indexer, wazuh-manager, and wazuh-dashboard, which can be controlled via standard systemctl commands (e.g., systemctl restart wazuh-manager).

  • Updates: Automatic updates via the APT repository have been disabled. Manual updates require re-running the installation script or downloading new binaries.
