Consult the documentation for instructions for the newest version:
https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/installation-assistant.html
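# Fetch the installation assistant for the 4.7 line.
# -f: fail on HTTP errors instead of saving an error page under the script's
#     name (the steps below would then execute that page with bash);
# -S: still report errors while otherwise silent; -O: keep the remote filename.
# NOTE(review): the downloaded script is executed without any integrity
# verification below; compare it against the vendor's published checksum or
# signature before running it (e.g. sha512sum -c <CHECKSUM_FILE_FROM_VENDOR>).
curl -fsSO https://packages.wazuh.com/4.7/wazuh-install.sh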
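# Write the assistant's config.yml. The quoted 'EOT' delimiter keeps the
# heredoc literal, so nothing inside it is expanded by the shell.
# All three roles (indexer, server, dashboard) point at the same host here.
# The nesting below is required: with every line at column 0 the document
# parses as a top-level "nodes" key with no value plus stray "indexer",
# "server", "dashboard" and repeated "ip" keys, not as nodes.<role>[...].
tee config.yml > /dev/null << 'EOT'
nodes:
  indexer:
    - name: node-1
      ip: "10.9.8.10"
  server:
    - name: wazuh-1
      ip: "10.9.8.10"
  dashboard:
    - name: dashboard
      ip: "10.9.8.10"
EOT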
# Run the assistant one role at a time, all on this host, in this order.
# The first step produces wazuh-install-files.tar (it contains the generated
# wazuh-passwords.txt used later), which the following steps consume — so it
# must have succeeded before continuing.
bash wazuh-install.sh --generate-config-files
bash wazuh-install.sh --wazuh-indexer node-1
bash wazuh-install.sh --start-cluster
bash wazuh-install.sh --wazuh-server wazuh-1
# -p 9000: presumably the dashboard's listening port — confirm with --help.
bash wazuh-install.sh --wazuh-dashboard dashboard -p 9000
For the vulnerability detector:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html
Enable the provider and configure it to use Rocky Linux.
# Edit the manager configuration to enable the Red Hat vulnerability provider;
# the XML fragment below is added to this file (presumably inside the existing
# <vulnerability-detector> section — confirm against the linked docs).
vim /var/ossec/etc/ossec.conf
<!-- RedHat OS vulnerabilities -->
<provider name = "redhat">
<enabled>yes</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<os>9</os>
<!-- NOTE(review): allow="Rocky Linux-9" presumably maps the OS name reported
     by Rocky Linux 9 agents onto this provider's release-9 feed. Confirm
     against the vulnerability-detection docs whether the plain <os>9</os>
     entry above should be kept alongside it. -->
<os allow="Rocky Linux-9">9</os>
<update_interval>1h</update_interval>
</provider>
# Install the agent with the manager address supplied through the environment
# of this single dnf invocation (presumably read by the package's install step
# to pre-fill the manager address — confirm against the agent docs).
# Assumes the Wazuh package repository and its signing key are already
# configured on this machine; that step is not shown here.
WAZUH_MANAGER='10.9.8.10' dnf -y install wazuh-agent
# Edit the bundled CIS RHEL 9 SCA policy so its /etc/redhat-release check also
# matches Rocky Linux 9 (the rule line to add is shown below).
# NOTE(review): files under /var/ossec/ruleset are vendor-managed, so expect a
# package upgrade to overwrite this local edit — confirm and re-apply if so.
vim /var/ossec/ruleset/sca/cis_rhel9_linux.yml
Add the following line under "rules:"
- "f:/etc/redhat-release -> r:^Rocky && r:release 9"
# Install Suricata as the network IDS on the agent host (see the guides linked
# below). NOTE(review): on Rocky/RHEL the package presumably comes from an
# additional repository that is not configured here — confirm.
dnf install suricata
https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html
https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/
# Adjust Suricata's service options before starting it; the specific edits
# are described in the guides linked above.
vim /etc/sysconfig/suricata
# Download the rule set into the directory Suricata loads rules from.
suricata-update -o /etc/suricata/rules
# Print the generated credentials to the terminal (-O streams the archive
# member to stdout instead of extracting it). This output holds live
# passwords: do not redirect it into a shared or world-readable file, keep
# the tar itself readable by root only, and clear it from terminal
# scrollback/session logs afterwards.
tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
# Pick up unit changes, then enable the agent at boot and start it now.
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
# NOTE(review): a restart right after start is redundant unless the agent's
# configuration was changed in between (e.g. adding the Suricata log to the
# agent's ossec.conf, a step not shown here) — confirm the intended sequence.
systemctl restart wazuh-agent