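#!/bin/bash
#
# Installs a Wazuh server node (wazuh-manager + Filebeat) on an apt-based host
# and stores a freshly generated username/password pair in both the Filebeat
# keystore and the Wazuh indexer keystore.
#
# Usage: run as root. Requires openssl and curl to be installed already.
#
# Outputs: /root/wazuh_credentials_<timestamp>.log (mode 600) holding the
#          generated credentials in plaintext.
#
# NOTE(review): this script only writes the credentials into the two
# keystores; nothing here creates a matching user on the Wazuh indexer.
# Confirm that is handled elsewhere.

# -u catches typos in variable names; pipefail makes a failed download abort
# the script instead of feeding empty input to gpg/tar.
set -euo pipefail

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Prints one 32-character alphanumeric string taken from the OpenSSL CSPRNG.
gen_credential() {
  openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32
}

# Ensure the script is run as root; exit non-zero so callers see the failure.
if [[ "$EUID" -ne 0 ]]; then
  die "Please run as root"
fi

# Fail early instead of half-way through the installation.
for tool in openssl curl; do
  command -v "$tool" >/dev/null || die "Required tool not found: $tool"
done

# Generate a timestamp
TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")

# Generate random alphanumeric credentials
USERNAME=$(gen_credential)
PASSWORD=$(gen_credential)
# Stripping '+' and '/' from the base64 output can shorten the result; refuse
# to continue with a credential shorter than intended.
if [[ ${#USERNAME} -ne 32 || ${#PASSWORD} -ne 32 ]]; then
  die "Credential generation produced fewer than 32 characters"
fi

# Log file path for credentials
CREDENTIALS_LOG_FILE="/root/wazuh_credentials_${TIMESTAMP}.log"

# Save the generated credentials to the log file. The subshell limits the
# restrictive umask to this file, so it is never readable by group/other,
# not even briefly between creation and chmod.
(
  umask 077
  {
    echo "Wazuh Credentials - $TIMESTAMP"
    echo "=============================="
    echo "Username: $USERNAME"
    echo "Password: $PASSWORD"
    echo "=============================="
  } >> "$CREDENTIALS_LOG_FILE"
)
chmod 600 "$CREDENTIALS_LOG_FILE"
# NOTE(review): the credentials stay on disk in plaintext. Move them to a
# secrets store and delete this file once the deployment is verified.

# Step 1: Wazuh server node installation

# Install the necessary packages
apt-get install -y gnupg apt-transport-https

# Install the GPG key. -f makes curl fail on an HTTP error instead of piping
# an error page into gpg. The chmod is a separate statement because a failure
# on the left-hand side of '&&' does not trigger 'set -e'.
curl -fsS https://packages.wazuh.com/key/GPG-KEY-WAZUH \
  | gpg --no-default-keyring \
      --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg

# Overwrite the Wazuh repository list
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
  > /etc/apt/sources.list.d/wazuh.list

# Update the package information
apt-get update

# NOTE(review): apt installs whatever wazuh-manager version the 4.x repository
# currently serves, while the templates fetched below are pinned to 4.8 and
# v4.8.1. Confirm they match, or pin the package version.

# Install the Wazuh manager package
apt-get -y install wazuh-manager

# Install Filebeat
apt-get -y install filebeat

# Configure Filebeat
curl -fsSo /etc/filebeat/filebeat.yml \
  https://packages.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml

# Create the Filebeat keystore (overwrite if it exists)
filebeat keystore create --force

# Add the randomly generated username and password to the Filebeat keystore.
# The values go in on stdin, so they never appear in the process list.
printf '%s' "$USERNAME" | filebeat keystore add username --stdin --force
printf '%s' "$PASSWORD" | filebeat keystore add password --stdin --force

# Download the alerts template for the Wazuh indexer
curl -fsSo /etc/filebeat/wazuh-template.json \
  https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

# Install the Wazuh module for Filebeat. Download to a temporary file first so
# a truncated transfer is never partially extracted into the module directory.
# NOTE(review): no checksum is verified; if a known-good digest is available
# for this archive, compare it (e.g. sha256sum against <EXPECTED_SHA256>)
# before extracting as root.
MODULE_TARBALL=$(mktemp)
trap 'rm -f -- "$MODULE_TARBALL"' EXIT
curl -fsSo "$MODULE_TARBALL" \
  https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz
tar -xvzf "$MODULE_TARBALL" -C /usr/share/filebeat/module

# Skip the certificate deployment step if not needed

# Configure the Wazuh indexer connection.
# NOTE(review): passing the secret with -v puts it on the command line, where
# other local users can see it in the process list while the command runs.
# Check whether the installed wazuh-keystore can take the value another way.
/var/ossec/bin/wazuh-keystore -f indexer -k username -v "$USERNAME"
/var/ossec/bin/wazuh-keystore -f indexer -k password -v "$PASSWORD"

# Enable and start the Wazuh manager service
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

# Enable and start the Filebeat service
systemctl enable filebeat
systemctl start filebeat

# Finished
echo "Wazuh setup complete. Credentials saved in $CREDENTIALS_LOG_FILE."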