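#!/bin/bash
#
# Install a Wazuh server node (wazuh-manager + Filebeat) on a Debian/Ubuntu host.
#
# Steps: generate random indexer credentials, add the Wazuh apt repository and
# signing key, install wazuh-manager and filebeat, fetch the Filebeat config,
# alerts template and Wazuh module, deploy the node certificates from
# ./wazuh-certificates.tar, store the credentials in both keystores and start
# the services.
#
# Usage:  sudo ./<this script>
#   Requires ./wazuh-certificates.tar in the current directory containing
#   ./<NODE_NAME>.pem, ./<NODE_NAME>-key.pem and ./root-ca.pem.
#
# Optional environment overrides:
#   NODE_NAME      certificate name inside the tarball   (default: wazuh.nixc.us)
#   WAZUH_VERSION  branch of the filebeat.yml template   (default: 4.8)
#   WAZUH_TAG      git tag of the alerts template        (default: v4.8.1)
#
# All output, including the generated credentials, is written to
# /root/wazuh_installation_<timestamp>.log, created with mode 0600.

# -e: abort on the first failing command; -u: unset variables are errors;
# pipefail: a pipeline fails if any stage fails. pipefail is what makes a
# failure inside `install_wazuh | tee` (below) abort the script — the plain
# `{ ... } | tee` form only ever reported tee's exit status.
set -euo pipefail

# Overridable settings. The defaults are the values the script originally
# hard-coded; a NOTE for maintainers: the apt repository installs the latest
# 4.x packages while the template/config below are pinned to 4.8 — keep these
# in step when bumping either side.
readonly NODE_NAME="${NODE_NAME:-wazuh.nixc.us}"
readonly WAZUH_VERSION="${WAZUH_VERSION:-4.8}"
readonly WAZUH_TAG="${WAZUH_TAG:-v4.8.1}"

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a progress line to stdout. While install_wazuh runs, stdout is tee'd
# into the log file, so the line lands on the console and in the log.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# curl wrapper: -f makes HTTP errors fail the command instead of silently
# writing the server's error page into a config file; -sS stays quiet except
# for the error message itself.
# Arguments: passed through to curl (options, URL)
#######################################
fetch() {
  curl -fsS "$@"
}

#######################################
# Generate a 32-character alphanumeric secret.
# 48 random bytes give 64 base64 characters; removing '+', '/' and '=' usually
# leaves well over 32, but the loop guarantees the length rather than assuming.
# Outputs: the secret on stdout, no trailing newline
#######################################
random_secret() {
  local secret=""
  while (( ${#secret} < 32 )); do
    secret+=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9')
  done
  printf '%s' "${secret:0:32}"
}

#######################################
# Step 1: Wazuh server node installation.
# Runs as one pipeline stage (see main), so `die` here ends only this stage;
# pipefail then turns that into a non-zero pipeline status and set -e stops
# the script.
# Globals: USERNAME, PASSWORD, NODE_NAME, WAZUH_VERSION, WAZUH_TAG (read)
# Outputs: progress and command output on stdout/stderr
#######################################
install_wazuh() {
  log "Installing necessary packages..."
  # curl is added because every download below depends on it.
  apt-get install -y gnupg apt-transport-https curl

  log "Installing GPG key..."
  fetch https://packages.wazuh.com/key/GPG-KEY-WAZUH \
    | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
  chmod 644 /usr/share/keyrings/wazuh.gpg

  log "Overwriting Wazuh repository list..."
  echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
    > /etc/apt/sources.list.d/wazuh.list

  log "Updating package information..."
  apt-get update

  log "Installing Wazuh manager..."
  apt-get -y install wazuh-manager

  log "Installing Filebeat..."
  apt-get -y install filebeat

  log "Configuring Filebeat..."
  fetch -o /etc/filebeat/filebeat.yml \
    "https://packages.wazuh.com/${WAZUH_VERSION}/tpl/wazuh/filebeat/filebeat.yml"

  log "Creating Filebeat keystore..."
  filebeat keystore create --force

  log "Adding credentials to keystore..."
  # Secrets go in via stdin so they never appear on a command line.
  printf '%s' "$USERNAME" | filebeat keystore add username --stdin --force
  printf '%s' "$PASSWORD" | filebeat keystore add password --stdin --force

  log "Downloading Wazuh alerts template..."
  fetch -o /etc/filebeat/wazuh-template.json \
    "https://raw.githubusercontent.com/wazuh/wazuh/${WAZUH_TAG}/extensions/elasticsearch/7.x/wazuh-template.json"
  chmod go+r /etc/filebeat/wazuh-template.json

  log "Installing Wazuh module for Filebeat..."
  fetch https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz \
    | tar -xvz -C /usr/share/filebeat/module

  log "Checking and creating certs directory..."
  mkdir -p /etc/filebeat/certs

  [[ -f ./wazuh-certificates.tar ]] || die "wazuh-certificates.tar not found. Exiting."
  log "Deploying certificates..."
  tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ \
    "./${NODE_NAME}.pem" "./${NODE_NAME}-key.pem" ./root-ca.pem
  # -n keeps an existing filebeat.pem / filebeat-key.pem; the freshly extracted
  # node files are then left behind under their original names.
  mv -n "/etc/filebeat/certs/${NODE_NAME}.pem" /etc/filebeat/certs/filebeat.pem
  mv -n "/etc/filebeat/certs/${NODE_NAME}-key.pem" /etc/filebeat/certs/filebeat-key.pem
  chmod 500 /etc/filebeat/certs
  chmod 400 /etc/filebeat/certs/*
  chown -R root:root /etc/filebeat/certs

  log "Configuring Wazuh indexer connection..."
  # NOTE(review): the values are passed on argv and are therefore visible to
  # other local processes for the duration of each call; check whether this
  # wazuh-keystore build can take the value on stdin instead.
  /var/ossec/bin/wazuh-keystore -f indexer -k username -v "$USERNAME"
  /var/ossec/bin/wazuh-keystore -f indexer -k password -v "$PASSWORD"

  log "Starting Wazuh manager..."
  systemctl daemon-reload
  systemctl enable wazuh-manager
  systemctl start wazuh-manager

  log "Starting Filebeat service..."
  systemctl enable filebeat
  systemctl start filebeat

  log "Testing Filebeat output..."
  filebeat test output

  log "Installation complete."
}

#######################################
# Entry point: root check, credential generation, log setup, then the
# installation with all output mirrored into the log.
# Globals: TIMESTAMP, USERNAME, PASSWORD, LOG_FILE (written)
#######################################
main() {
  # Ensure the script is run as root (package installs, /etc and /root writes).
  # Exit non-zero so a caller notices; the bare `exit` here used to return 0.
  if [[ "$EUID" -ne 0 ]]; then
    printf '%s\n' "Please run as root" >&2
    exit 1
  fi

  # Generate a timestamp
  TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")
  readonly TIMESTAMP

  # Generate random alphanumeric credentials. These are the only copy of the
  # plaintext; presumably the same username/password must also be provisioned
  # on the indexer side — that is not done by this script.
  USERNAME=$(random_secret)
  PASSWORD=$(random_secret)
  readonly USERNAME PASSWORD

  # Log file path
  readonly LOG_FILE="/root/wazuh_installation_${TIMESTAMP}.log"

  # Create the log file already restricted to root: it holds the credentials,
  # and `touch` followed by `chmod 600` left a window where the file existed
  # with the default umask's permissions.
  ( umask 077 && : > "$LOG_FILE" )

  # Save the generated credentials and other details to the log file
  {
    printf 'Wazuh Installation Log - %s\n' "$TIMESTAMP"
    echo "========================================"
    printf 'Username: %s\n' "$USERNAME"
    printf 'Password: %s\n' "$PASSWORD"
    echo "----------------------------------------"
  } >> "$LOG_FILE"

  # Every line of output is shown and appended to the log. Do not wrap this
  # pipeline in `if`/`||`: bash then ignores set -e inside install_wazuh and
  # a failed apt-get or download would no longer stop the installation.
  install_wazuh 2>&1 | tee -a "$LOG_FILE"
}

main "$@"

# All information, including any errors, is now logged in /root/wazuh_installation_${TIMESTAMP}.log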