
Deployment Overview of Wazuh on Server

Prerequisites and Basic Requirements

The following requirements must be met before deploying the Wazuh application:

  • Operating System: Ubuntu (compatible with APT package manager).

  • Privileges: Root access or sudo privileges are required for installation and configuration.

  • Domain: The server must be configured to use the hostkey.in zone.

  • Ports:

    • Internal communication (dashboard): port 8080.

    • External HTTPS access: port 443.

    • Elasticsearch/Indexer health check: port 9200 (loopback only).

FQDN of the Final Panel

The Wazuh Dashboard is accessible via the following Fully Qualified Domain Name (FQDN) format:

  • Format: wazuh<Server ID>.hostkey.in:443

  • Example: wazuh123.hostkey.in

The application listens internally on port 8080 and is exposed externally via port 443 through the reverse proxy.

File and Directory Structure

The application utilizes the following directory structure for data, configuration, and scripts:

  • Main Data Directory: /opt/wazuh

    • Contains the installation script, configuration files, and generated credentials.

  • Nginx Configuration Directory: /root/nginx

    • Contains the Docker Compose file for the proxy service.

  • Nginx User Configuration: /data/nginx/user_conf.d

    • Contains the server block configuration for the Wazuh domain.

  • SSL Certificates: /etc/letsencrypt

    • Mounted into the proxy container (as the nginx_secrets volume), which obtains and renews the Let's Encrypt certificates.

Application Installation Process

The Wazuh application is installed using the official installation script provided by Wazuh. The process involves the following steps:

  1. Directory Preparation: The /opt/wazuh directory is created with 0755 permissions.

  2. Script Download: The installation script is downloaded from https://packages.wazuh.com/4.11/wazuh-install.sh to /opt/wazuh/wazuh-install.sh.

  3. Configuration Generation:

    • A default configuration file is placed at /opt/wazuh/config.yml.

    • The command ./wazuh-install.sh --generate-config-files is executed to generate necessary configuration archives.

  4. Wazuh Indexer Installation:

    • The indexer is installed as a single node using the command: ./wazuh-install.sh --wazuh-indexer node-1.

    • The cluster is started using: ./wazuh-install.sh --start-cluster.

  5. Credential Generation:

    • The admin password is extracted from the generated wazuh-install-files.tar archive.

    • Credentials are stored in /opt/wazuh/password in the format admin:<password>.

  6. Wazuh Server Installation:

    • The server component is installed using: ./wazuh-install.sh --wazuh-server wazuh-1.

  7. Wazuh Dashboard Installation:

    • The dashboard is installed and configured to listen on port 8080 using: ./wazuh-install.sh --wazuh-dashboard dashboard -p 8080.

  8. Repository Management:

    • The Wazuh APT repository is disabled, so that a system-wide apt upgrade cannot replace the installed version, by commenting out the entry in /etc/apt/sources.list.d/wazuh.list.
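The eight steps above as one script, added here as an example; it is not Hostkey's deployment tooling or Wazuh's own code. It assumes the archive layout wazuh-install-files/wazuh-passwords.txt and its "indexer_password: '...'" line format documented for Wazuh 4.x, that /opt/wazuh/config.yml has already been placed (step 3), and uses a hypothetical WAZUH_DEPLOY_RUN=1 guard so that sourcing the file for its helpers does not start an install. The password is parsed from the tar stream and written with a restrictive umask, so it never appears on a command line or in a world-readable file.

```shell
#!/usr/bin/env bash
# Added example, not Hostkey's or Wazuh's script. See lead-in for assumptions.
set -eu

WAZUH_DIR=/opt/wazuh
WAZUH_INSTALLER_URL=https://packages.wazuh.com/4.11/wazuh-install.sh
WAZUH_REPO_LIST=/etc/apt/sources.list.d/wazuh.list

# Read wazuh-passwords.txt on stdin and print the indexer "admin" password.
# Lines look like:   indexer_username: 'admin'   /   indexer_password: 'xxx'
# The username is tracked so the api_* and other users' entries are skipped.
admin_password_from_passwords_text() {
  local pw
  pw=$(awk -F"'" '/indexer_username:/ {u=$2}
                  /indexer_password:/ && u=="admin" {print $2; exit}')
  [ -n "$pw" ] || { echo "indexer admin password not found" >&2; return 1; }
  printf '%s\n' "$pw"
}

# Same, streamed straight out of the tar so the certs are never unpacked here.
# (Assumed archive path: wazuh-install-files/wazuh-passwords.txt.)
admin_password_from_archive() {
  tar -O -xf "$1" wazuh-install-files/wazuh-passwords.txt \
    | admin_password_from_passwords_text
}

# Write admin:<password> with mode 0600 from the first byte (umask in a
# subshell), so there is no window in which the file is world-readable.
write_credentials_file() {
  local file=$1 password=$2
  ( umask 077; printf 'admin:%s\n' "$password" > "$file" )
  chmod 0600 "$file"
}

# Comment out every "deb ..." line so apt upgrade cannot move the version.
# Written via a temp file to stay portable (no sed -i).
disable_wazuh_repo() {
  local list=$1
  [ -f "$list" ] || return 0
  sed 's/^deb /#deb /' "$list" > "$list.tmp" && mv "$list.tmp" "$list"
}

main() {
  install -d -m 0755 "$WAZUH_DIR"
  cd "$WAZUH_DIR"
  curl -fsSL -o wazuh-install.sh "$WAZUH_INSTALLER_URL"   # step 2
  chmod 0755 wazuh-install.sh
  chmod 0600 config.yml                                    # placed beforehand (step 3)
  ./wazuh-install.sh --generate-config-files
  ./wazuh-install.sh --wazuh-indexer node-1                # step 4
  ./wazuh-install.sh --start-cluster
  write_credentials_file "$WAZUH_DIR/password" \
    "$(admin_password_from_archive wazuh-install-files.tar)"   # step 5
  ./wazuh-install.sh --wazuh-server wazuh-1                # step 6
  ./wazuh-install.sh --wazuh-dashboard dashboard -p 8080   # step 7
  disable_wazuh_repo "$WAZUH_REPO_LIST"                    # step 8
}

# Hypothetical guard: only run the install when explicitly asked.
if [ "${WAZUH_DEPLOY_RUN:-0}" = "1" ]; then main; fi
```

Run it as root with WAZUH_DEPLOY_RUN=1; without the variable the file can be sourced to reuse the helpers, for example to re-extract the password from the archive later.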

Access Rights and Security

Security measures are implemented through the following configurations:

  • Firewall: External access is restricted to port 443 (HTTPS) via the Nginx reverse proxy. Internal services communicate over ports 8080 and 9200.

  • User Credentials:

    • The default administrator username is admin.

    • The password is generated during installation and stored in /opt/wazuh/password (mode 0600, owned by root).

  • Certificate Management: SSL certificates are obtained and renewed automatically by the nginx-certbot Docker container using the email [email protected].

  • File Permissions:

    • The main data directory /opt/wazuh is set to 0755.

    • The credentials file /opt/wazuh/password is set to 0600 (readable and writable only by its owner, root).

    • The configuration file /opt/wazuh/config.yml is set to 0600.

Databases

The Wazuh Indexer serves as the database and log storage backend.

  • Connection Method: Internal communication occurs over https://127.0.0.1:9200 (loopback only; this port is not exposed through the proxy).

  • Storage Location: Data is stored within the Wazuh Indexer's own installation directories created by the wazuh-install.sh script, not under /opt/wazuh.

  • Authentication: Access requires the admin username and the password generated during installation.

  • Health Check: The cluster status is verified against the endpoint https://127.0.0.1:9200/_cluster/health and must return a status of green. A status of yellow means all primary shards are assigned but some replica shards are not, which on a single-node indexer usually points at an index template with number_of_replicas greater than 0; red means at least one primary shard is unassigned.
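A health check that uses the credentials file described above, added here as an example (not part of the page or of the Wazuh tooling). The practitioner's point is to keep the password out of argv: curl -u admin:... is visible to every local user through ps or /proc, so the admin:<password> line is turned into a 0600 netrc file that curl reads with --netrc-file. The CA path /etc/wazuh-indexer/certs/root-ca.pem is an assumption (the default location wazuh-install.sh writes its generated CA to); if the indexer certificate's SAN does not cover 127.0.0.1, validation fails and the official documentation's -k is the fallback.

```shell
#!/usr/bin/env bash
# Added example, not Wazuh's or Hostkey's code. See lead-in for assumptions.
set -eu

CREDS_FILE=${CREDS_FILE:-/opt/wazuh/password}
INDEXER_URL=${INDEXER_URL:-https://127.0.0.1:9200}
INDEXER_CA=${INDEXER_CA:-/etc/wazuh-indexer/certs/root-ca.pem}   # assumed path

# "https://127.0.0.1:9200" -> "127.0.0.1" (netrc matches on host name only)
host_from_url() {
  local h=${1#*://}
  h=${h%%/*}
  printf '%s\n' "${h%%:*}"
}

# admin:<password> -> "machine <host> login admin password <password>", 0600.
# Everything after the first ':' is the password (it may itself contain ':').
netrc_from_credentials_file() {
  local creds=$1 out=$2 host=$3 user pass
  IFS=: read -r user pass < "$creds"
  ( umask 077; printf 'machine %s login %s password %s\n' "$host" "$user" "$pass" > "$out" )
}

# Extract "status" from the _cluster/health JSON without depending on jq.
cluster_status_from_json() {
  sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# Succeeds only on green. Yellow = replicas unassigned (on one node: a template
# with number_of_replicas > 0); red = a primary shard is missing.
check_indexer_health() {
  local netrc status
  netrc=$(mktemp)
  netrc_from_credentials_file "$CREDS_FILE" "$netrc" "$(host_from_url "$INDEXER_URL")"
  status=$(curl -sS --fail --cacert "$INDEXER_CA" --netrc-file "$netrc" \
             "$INDEXER_URL/_cluster/health" | cluster_status_from_json)
  rm -f "$netrc"
  echo "indexer status: ${status:-none (curl failed or auth rejected)}"
  [ "$status" = "green" ]
}

# Hypothetical guard so the file can be sourced for its helpers.
if [ "${RUN_HEALTH_CHECK:-0}" = "1" ]; then check_indexer_health; fi
```

The netrc file is created under a 077 umask and deleted right after the request; if the check is wired into monitoring, keep the credentials file readable only by the account that runs it.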

Docker Containers and Their Deployment

A Docker container is deployed to manage the Nginx reverse proxy and SSL certificate renewal.

  • Image: jonasal/nginx-certbot:latest

  • Deployment Method: Docker Compose

  • Compose File Location: /root/nginx/compose.yml

  • Configuration Details:

    • Restart Policy: unless-stopped

    • Network Mode: host (the container binds directly on the host's network stack, so no port mappings are needed)

    • Environment Variables:

    • Volumes:

      • nginx_secrets (external) mounted to /etc/letsencrypt.

      • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d.

Proxy Servers

Nginx is configured as a reverse proxy to handle external traffic and SSL termination.

  • Proxy Configuration:

    • The proxy listens on port 443 for the domain wazuh<Server ID>.hostkey.in.

    • Traffic is forwarded to the internal Wazuh Dashboard at https://wazuh<Server ID>.hostkey.in:8080 (the dashboard itself serves HTTPS with the certificate generated by wazuh-install.sh, so the upstream connection is TLS as well).

  • SSL/TLS:

    • Managed by the nginx-certbot container.

    • Certificates are stored in the nginx_secrets volume.

  • Custom Domain: The proxy is configured specifically for the hostkey.in zone with the wazuh prefix.
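A generator for the per-domain server block that the container reads from /etc/nginx/user_conf.d (host path /data/nginx/user_conf.d), added here as an example and not Hostkey's own deployment code. The page supplies the FQDN format, the ports and the volume layout; the /etc/letsencrypt/live/<domain>/ certificate paths are the standard certbot layout the jonasal/nginx-certbot image expects, and the assumption that the image's own port-80 redirector answers the ACME challenge (so the file declares only 443) is this example's, as are the HSTS header and the websocket headers. The example deliberately proxies to https://127.0.0.1:8080 rather than to the public FQDN the page names, so that the upstream hop never depends on DNS or on the host firewall; a Server ID of 123 is sample input.

```shell
#!/usr/bin/env bash
# Added example, not Hostkey's deployment code. See lead-in for assumptions.
set -eu

CONF_DIR=${CONF_DIR:-/data/nginx/user_conf.d}
DASHBOARD_PORT=${DASHBOARD_PORT:-8080}

# wazuh<Server ID>.hostkey.in
wazuh_fqdn() { printf 'wazuh%s.hostkey.in\n' "$1"; }

# Print the nginx server block for one dashboard domain. Backslash-escaped
# $variables are nginx variables and must survive the shell expansion.
render_proxy_conf() {
  local domain=$1 port=$2
  cat <<EOF
# Generated for ${domain}; port 80 is handled by the image's own redirector.
server {
    listen 443 ssl;
    server_name ${domain};

    ssl_certificate         /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/${domain}/chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The dashboard serves TLS on ${port} with the installer-generated
        # certificate, so the upstream scheme is https. Loopback, not the public
        # name, so this hop needs neither DNS nor a firewall exception.
        proxy_pass https://127.0.0.1:${port};
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # websocket upgrade for the dashboard's long-lived connections
        proxy_http_version 1.1;
        proxy_set_header Upgrade    \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Write /data/nginx/user_conf.d/wazuh<Server ID>.hostkey.in.conf (mode 0644:
# it holds no secrets, only paths to them).
install_proxy_conf() {
  local id=$1 domain file
  domain=$(wazuh_fqdn "$id")
  file="$CONF_DIR/$domain.conf"
  render_proxy_conf "$domain" "$DASHBOARD_PORT" > "$file"
  chmod 0644 "$file"
  printf 'wrote %s\n' "$file"
}

if [ "${RUN_PROXY_CONF:-0}" = "1" ]; then install_proxy_conf "${SERVER_ID:?set SERVER_ID}"; fi
```

After writing the file, (re)start the container from /root/nginx with docker compose up -d as the page describes; nginx does not verify the upstream certificate by default, which is what lets the self-signed dashboard certificate work here, so the loopback target matters: it is the only thing guaranteeing that the unverified hop never leaves the host.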

Permission Settings

The following file and directory permissions are enforced during deployment:

Path                          Owner  Group  Mode   Description
/opt/wazuh                    root   root   0755   Main application data directory
/opt/wazuh/wazuh-install.sh   root   root   0755   Installation script
/opt/wazuh/config.yml         root   root   0600   Application configuration
/opt/wazuh/password           root   root   0600   Admin credentials file
/root/nginx                   root   root   0755   Nginx Docker Compose directory
/root/nginx/compose.yml       root   root   0644   Docker Compose file

Location of Configuration Files and Data

Key configuration and data files are located in the following paths:

  • Application Data: /opt/wazuh

  • Installation Script: /opt/wazuh/wazuh-install.sh

  • Configuration File: /opt/wazuh/config.yml

  • Admin Credentials: /opt/wazuh/password

  • Docker Compose: /root/nginx/compose.yml

  • Nginx Server Config: /data/nginx/user_conf.d/wazuh<Server ID>.hostkey.in.conf

Available Ports for Connection

The following ports are utilized by the Wazuh deployment:

  • 443: External HTTPS access via Nginx proxy.

  • 8080: Internal Wazuh Dashboard access (not exposed directly to the public internet).

  • 9200: Internal Wazuh Indexer API access.
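A post-deployment audit covering the two preceding sections, the permission table and the port list, added here as an example (not part of the page or of Hostkey's tooling). It checks every path in the table against its expected owner, group and mode, and parses ss output to flag an internal port (8080 or 9200) that is bound to a wildcard address, because such a bind is public unless the host firewall blocks it. It assumes GNU stat (-c) and iproute2 ss, both standard on Ubuntu; the sample ss lines in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example, not Hostkey's code. See lead-in for assumptions.
set -eu

# path owner group mode, one entry per line (the page's table, modes as
# stat -c %a prints them, i.e. without the leading zero)
PERMISSION_SPEC='
/opt/wazuh                  root root 755
/opt/wazuh/wazuh-install.sh root root 755
/opt/wazuh/config.yml       root root 600
/opt/wazuh/password         root root 600
/root/nginx                 root root 755
/root/nginx/compose.yml     root root 644
'
INTERNAL_PORTS="8080 9200"

# Print one line per mismatch; return 1 if there was any.
# $1 = spec text (defaults to PERMISSION_SPEC)
audit_permissions() {
  local spec=${1:-$PERMISSION_SPEC} path owner group mode actual rc=0
  while read -r path owner group mode; do
    [ -n "$path" ] || continue
    if [ ! -e "$path" ]; then echo "$path: missing"; rc=1; continue; fi
    actual=$(stat -c '%U %G %a' "$path")
    if [ "$actual" != "$owner $group $mode" ]; then
      echo "$path: expected $owner $group $mode, got $actual"; rc=1
    fi
  done <<EOF
$spec
EOF
  return $rc
}

# Read `ss -ltnH` lines on stdin ("LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*") and
# report internal ports whose local address is anything but loopback.
audit_listeners() {
  local rc=0 local_addr addr port p
  while read -r _ _ _ local_addr _; do
    [ -n "$local_addr" ] || continue
    port=${local_addr##*:}
    addr=${local_addr%:*}
    for p in $INTERNAL_PORTS; do
      [ "$port" = "$p" ] || continue
      case $addr in
        127.*|'[::1]') ;;   # loopback only: fine
        *) echo "port $p is bound to $addr (public unless the firewall blocks it)"; rc=1 ;;
      esac
    done
  done
  return $rc
}

run_audit() {
  local rc=0
  audit_permissions || rc=1
  ss -ltnH | audit_listeners || rc=1
  if [ "$rc" = 0 ]; then echo "audit passed"; fi
  return $rc
}

if [ "${RUN_AUDIT:-0}" = "1" ]; then run_audit; fi
```

A wildcard bind on 8080 is expected with the dashboard installed as described (it is what makes the proxy's forward work), so the report on that port is a reminder to confirm the firewall rule rather than a defect in itself; 9200 should only ever appear on 127.0.0.1.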

Starting, Stopping, and Updating

Service management is handled through the following mechanisms:

  • Wazuh Services:

    • The Wazuh components (Indexer, Server, Dashboard) are installed by the script as systemd units (wazuh-indexer, wazuh-manager and wazuh-dashboard), so the standard systemctl commands (status, start, stop, restart) apply to them.

  • Nginx Proxy:

    • The proxy container is managed via Docker Compose from the /root/nginx directory.

    • docker compose up -d (re)creates the container after a change to compose.yml or to the image; to restart the running container without such a change, use docker compose restart. Server blocks under /data/nginx/user_conf.d are read when nginx starts, so a restart or reload is needed after editing them.

  • Updates:

    • Automatic updates via the APT repository are disabled.

    • Manual updates require re-running the installation script for the Wazuh components, or pulling a newer image for the proxy (docker compose pull followed by docker compose up -d). Because the image is referenced by the latest tag, a pull can move to a new major version; pin a specific tag if that is not wanted.
