diff --git a/install.sh b/install.sh
index db731a9..864a9a6 100644
--- a/install.sh
+++ b/install.sh
@@ -15,95 +15,69 @@ TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")
 USERNAME=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32)
 PASSWORD=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32)
-# Log file path
-LOG_FILE="/root/wazuh_installation_${TIMESTAMP}.log"
+# Log file path for credentials
+CREDENTIALS_LOG_FILE="/root/wazuh_credentials_${TIMESTAMP}.log"
-# Create the log file and set permissions
-touch $LOG_FILE
-chmod 600 $LOG_FILE
-
-# Save the generated credentials and other details to the log file
+# Save the generated credentials to the log file
 {
- echo "Wazuh Installation Log - $TIMESTAMP"
- echo "========================================"
+ echo "Wazuh Credentials - $TIMESTAMP"
+ echo "=============================="
 echo "Username: $USERNAME"
 echo "Password: $PASSWORD"
- echo "----------------------------------------"
-} >> $LOG_FILE
+ echo "=============================="
+} >> $CREDENTIALS_LOG_FILE
 # Step 1: Wazuh server node installation
-{
- echo "Installing necessary packages..." >> $LOG_FILE
- apt-get install -y gnupg apt-transport-https
- echo "Installing GPG key..." >> $LOG_FILE
- curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
+# Install the necessary packages
+apt-get install -y gnupg apt-transport-https
- echo "Overwriting Wazuh repository list..." >> $LOG_FILE
- echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
+# Install the GPG key
+curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
- echo "Updating package information..."
>> $LOG_FILE
- apt-get update
+# Overwrite the Wazuh repository list
+echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
- echo "Installing Wazuh manager..." >> $LOG_FILE
- apt-get -y install wazuh-manager
+# Update the package information
+apt-get update
- echo "Installing Filebeat..." >> $LOG_FILE
- apt-get -y install filebeat
+# Install the Wazuh manager package
+apt-get -y install wazuh-manager
- echo "Configuring Filebeat..." >> $LOG_FILE
- curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml
+# Install Filebeat
+apt-get -y install filebeat
- echo "Creating Filebeat keystore..." >> $LOG_FILE
- filebeat keystore create --force
+# Configure Filebeat
+curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml
- echo "Adding credentials to keystore..." >> $LOG_FILE
- echo -n "$USERNAME" | filebeat keystore add username --stdin --force
- echo -n "$PASSWORD" | filebeat keystore add password --stdin --force
+# Create the Filebeat keystore (overwrite if it exists)
+filebeat keystore create --force
- echo "Downloading Wazuh alerts template..." >> $LOG_FILE
- curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json
- chmod go+r /etc/filebeat/wazuh-template.json
+# Add the randomly generated username and password to the Filebeat keystore
+echo -n "$USERNAME" | filebeat keystore add username --stdin --force
+echo -n "$PASSWORD" | filebeat keystore add password --stdin --force
- echo "Installing Wazuh module for Filebeat..."
>> $LOG_FILE
- curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
+# Download the alerts template for the Wazuh indexer
+curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json
+chmod go+r /etc/filebeat/wazuh-template.json
- echo "Checking and creating certs directory..." >> $LOG_FILE
- if [ ! -d "/etc/filebeat/certs" ]; then
- mkdir /etc/filebeat/certs
- fi
+# Install the Wazuh module for Filebeat
+curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
- if [ -f "./wazuh-certificates.tar" ]; then
- echo "Deploying certificates..." >> $LOG_FILE
- NODE_NAME=wazuh.nixc.us
- tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
- mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
- mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
- chmod 500 /etc/filebeat/certs
- chmod 400 /etc/filebeat/certs/*
- chown -R root:root /etc/filebeat/certs
- else
- echo "Error: wazuh-certificates.tar not found. Exiting." >> $LOG_FILE
- exit 1
- fi
+# Skip the certificate deployment step if not needed
- echo "Configuring Wazuh indexer connection..." >> $LOG_FILE
- /var/ossec/bin/wazuh-keystore -f indexer -k username -v "$USERNAME"
- /var/ossec/bin/wazuh-keystore -f indexer -k password -v "$PASSWORD"
+# Configure the Wazuh indexer connection
+/var/ossec/bin/wazuh-keystore -f indexer -k username -v "$USERNAME"
+/var/ossec/bin/wazuh-keystore -f indexer -k password -v "$PASSWORD"
- echo "Starting Wazuh manager..."
>> $LOG_FILE
- systemctl daemon-reload
- systemctl enable wazuh-manager
- systemctl start wazuh-manager
+# Enable and start the Wazuh manager service
+systemctl daemon-reload
+systemctl enable wazuh-manager
+systemctl start wazuh-manager
- echo "Starting Filebeat service..." >> $LOG_FILE
- systemctl enable filebeat
- systemctl start filebeat
+# Enable and start the Filebeat service
+systemctl enable filebeat
+systemctl start filebeat
- echo "Testing Filebeat output..." >> $LOG_FILE
- filebeat test output >> $LOG_FILE
-
- echo "Installation complete." >> $LOG_FILE
-} 2>&1 | tee -a $LOG_FILE
-
-# All information, including any errors, is now logged in /root/wazuh_installation_${TIMESTAMP}.log
+# Finished
+echo "Wazuh setup complete. Credentials saved in $CREDENTIALS_LOG_FILE."
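Review bot: The credentials file is now created by the `>> $CREDENTIALS_LOG_FILE` redirect with whatever umask the script inherits, because the `touch`/`chmod 600` lines that protected the old log were removed together with it, so a plaintext username and password depend on the permissions of /root alone. Create the file restrictively before the block, e.g. `install -m 600 /dev/null "$CREDENTIALS_LOG_FILE"`, and quote the variable in the redirect. The hunk also deletes the certificate deployment and the `filebeat test output` check with only a comment in their place; if the downloaded filebeat.yml still expects TLS material under /etc/filebeat/certs, nothing in the new code verifies that Filebeat can reach the indexer, so keeping at least the test step seems worthwhile. The `curl -s ... | gpg --import` and `curl -so` downloads would be safer with `-f`, so an HTTP error page is neither imported as a key nor written out as the config, although that behaviour is unchanged from the old code.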