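#!/bin/bash
# Install and configure a Wazuh 4.x server node (wazuh-manager + Filebeat)
# on a Debian/Ubuntu host.
#
# Usage (as root, from the directory holding wazuh-certificates.tar):
#   WAZUH_INDEXER_PASSWORD=... [WAZUH_INDEXER_USERNAME=admin] \
#   [WAZUH_NODE_NAME=wazuh.nixc.us] ./this-script.sh
#
# Required environment:
#   WAZUH_INDEXER_PASSWORD   password of the Wazuh indexer account used by
#                            both Filebeat and the manager. Read from the
#                            environment rather than hard-coded or passed on
#                            this script's command line.
# Optional environment:
#   WAZUH_INDEXER_USERNAME   indexer account name (default: admin).
#   WAZUH_NODE_NAME          this node's name inside the certificate bundle,
#                            i.e. the <name>.pem / <name>-key.pem entries
#                            (default: wazuh.nixc.us).
# Required file:
#   ./wazuh-certificates.tar certificate bundle containing ./root-ca.pem and
#                            the node's cert/key pair.
#
# All preconditions are checked before any package is installed, so a
# failed run leaves the host untouched.

# -e: stop on the first failing command; -u: unset variables are errors;
# pipefail: a failing curl in `curl | gpg` / `curl | tar` aborts the run
# instead of silently importing/extracting nothing.
set -euo pipefail

readonly KEYRING=/usr/share/keyrings/wazuh.gpg
readonly REPO_LIST=/etc/apt/sources.list.d/wazuh.list
readonly CERTS_DIR=/etc/filebeat/certs
readonly CERT_BUNDLE=./wazuh-certificates.tar

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running as root (exit status 1, not 0, so a caller such as
# a provisioning tool notices the failure).
#######################################
require_root() {
  [[ "$EUID" -eq 0 ]] || die "Please run as root"
}

#######################################
# Step 1: add the Wazuh apt repository and its signing key.
# Globals: KEYRING, REPO_LIST
#######################################
add_wazuh_repo() {
  apt-get install -y gnupg apt-transport-https

  # --fail (-f) makes curl exit non-zero on an HTTP error instead of piping
  # the error page into gpg; -S still reports the error despite -s.
  curl -fsS https://packages.wazuh.com/key/GPG-KEY-WAZUH \
    | gpg --no-default-keyring --keyring "gnupg-ring:${KEYRING}" --import
  chmod 644 "$KEYRING"

  # Overwrite the repository list so the entry is always exactly this line.
  printf 'deb [signed-by=%s] https://packages.wazuh.com/4.x/apt/ stable main\n' \
    "$KEYRING" > "$REPO_LIST"

  apt-get update
}

#######################################
# Install the Wazuh manager and Filebeat packages.
#######################################
install_packages() {
  apt-get -y install wazuh-manager
  apt-get -y install filebeat
}

#######################################
# Configure Filebeat: config template, keystore credentials, alerts
# template and the Wazuh Filebeat module.
# Arguments: $1 - indexer username, $2 - indexer password
#######################################
configure_filebeat() {
  local username=$1
  local password=$2

  curl -fsS -o /etc/filebeat/filebeat.yml \
    https://packages.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml

  # Recreate the keystore so stale credentials from a previous run are gone.
  filebeat keystore create --force

  # printf '%s' writes the value without a trailing newline (what `echo -n`
  # intended) and is immune to values such as "-n" or "-e".
  printf '%s' "$username" | filebeat keystore add username --stdin --force
  printf '%s' "$password" | filebeat keystore add password --stdin --force

  # Alerts template for the Wazuh indexer.
  curl -fsS -o /etc/filebeat/wazuh-template.json \
    https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json
  chmod go+r /etc/filebeat/wazuh-template.json

  # Wazuh module for Filebeat; pipefail turns a download error into an abort.
  curl -fsS https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz \
    | tar -xvz -C /usr/share/filebeat/module
}

#######################################
# Extract this node's certificate, key and the root CA from the bundle into
# CERTS_DIR and lock the directory down to root.
# Globals: CERTS_DIR, CERT_BUNDLE
# Arguments: $1 - node name used for the cert/key file names in the bundle
#######################################
deploy_certificates() {
  local node_name=$1

  mkdir -p "$CERTS_DIR"
  tar -xf "$CERT_BUNDLE" -C "$CERTS_DIR" \
    "./${node_name}.pem" "./${node_name}-key.pem" ./root-ca.pem

  # -n: never overwrite an existing filebeat.pem / filebeat-key.pem.
  mv -n "${CERTS_DIR}/${node_name}.pem" "${CERTS_DIR}/filebeat.pem"
  mv -n "${CERTS_DIR}/${node_name}-key.pem" "${CERTS_DIR}/filebeat-key.pem"

  # Private key material: directory and files readable by root only.
  chmod 500 "$CERTS_DIR"
  chmod 400 "$CERTS_DIR"/*
  chown -R root:root "$CERTS_DIR"
}

#######################################
# Store the indexer credentials in the Wazuh manager keystore.
# Arguments: $1 - indexer username, $2 - indexer password
#######################################
configure_manager_keystore() {
  local username=$1
  local password=$2

  # NOTE(review): the value passed with -v is visible in `ps` output to other
  # local users while the command runs; check whether the installed
  # wazuh-keystore can read the value from stdin instead and prefer that.
  /var/ossec/bin/wazuh-keystore -f indexer -k username -v "$username"
  /var/ossec/bin/wazuh-keystore -f indexer -k password -v "$password"
}

#######################################
# Enable and start wazuh-manager and Filebeat, then verify both.
# `systemctl status` and `filebeat test output` exit non-zero on failure,
# which aborts the script under set -e.
#######################################
start_services() {
  systemctl daemon-reload
  systemctl enable wazuh-manager
  systemctl start wazuh-manager
  systemctl status --no-pager wazuh-manager

  systemctl enable filebeat
  systemctl start filebeat
  filebeat test output
}

main() {
  require_root

  # Fail fast on missing inputs before touching the package system.
  : "${WAZUH_INDEXER_PASSWORD:?must be set to the Wazuh indexer password}"
  local username=${WAZUH_INDEXER_USERNAME:-admin}
  local password=$WAZUH_INDEXER_PASSWORD
  local node_name=${WAZUH_NODE_NAME:-wazuh.nixc.us}
  [[ -f "$CERT_BUNDLE" ]] \
    || die "${CERT_BUNDLE} not found. Please ensure the file is in the correct location."

  add_wazuh_repo
  install_packages
  configure_filebeat "$username" "$password"
  deploy_certificates "$node_name"
  configure_manager_keystore "$username" "$password"
  start_services
}

main "$@"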