How To Install And Configure Wazuh On Centos 7

Learn how to install and configure Wazuh on CentOS 7 step by step. Wazuh is an open-source intrusion detection system that performs automated log data analysis and file integrity monitoring. You can buy a cheap CentOS 7 VPS on Eldernode to enjoy 24/7 support and run Wazuh on it. Whether you work with Linux, OpenBSD, FreeBSD, macOS, Solaris, or Windows, it provides intrusion detection for your operating systems.

Tutorial Install And Configure Wazuh On Centos 7

You can use Wazuh as an open-source platform for threat prevention, detection, and response. Like the thousands of organizations around the world already using it, you will learn how to install and use Wazuh whether you run a small or a large business. Follow this guide to be part of it. The Slack channel, Google group, and GitHub repositories are its community resources.

Wazuh Main Features (Configure Wazuh On Centos 7)

1- Security Analytics

2- Intrusion Analytics

3- Log Data Analysis

4- File Integrity Monitoring

5- Vulnerability Detection

6- Configuration Assessment

7- Incident Response

8- Regulatory Compliance

9- Cloud Security

10- Containers Security

Wazuh components

Wazuh System consists of several components:

1- OSSEC HIDS – Host Based Intrusion Detection System

2- OpenSCAP – Open Vulnerability Assessment Language

3- Elastic Stack – Filebeat, Elasticsearch, Kibana

4- Wazuh itself, which adds a number of valuable capabilities on top of these.

Install Wazuh Server On Centos 7

1) First, open a terminal and set the hostname:

hostnamectl set-hostname wazuh-server

2) As always, you should update CentOS and packages:

yum update -y

3) Use the command below to install NTP and check its service status:

yum install ntp
systemctl status ntpd

4) If the service is not running, start it with the following command:

systemctl start ntpd

5) To enable NTP at system boot, type the command below:

systemctl enable ntpd

6) Now modify the firewall rules to allow the NTP service by typing the commands below:

firewall-cmd --add-service=ntp --zone=public --permanent
firewall-cmd --reload

Install Wazuh Manager

Use the following command to import the Wazuh GPG key:

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Use the command below to create the Wazuh repository file:

vim /etc/yum.repos.d/wazuh.repo

Next, add the following content to the file.

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1

Now, you can save and exit the file.

Then type the following command to list the repositories:

yum repolist

To install the Wazuh manager run:

yum install wazuh-manager -y

Once the installation has finished, check the status of the Wazuh manager:

systemctl status wazuh-manager

How To Install The Wazuh API

In this part, you will add the official NodeJS repository:

curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -

Note: To run the Wazuh API, NodeJS >= 4.6.1 is required. Follow our article on How To Install Node.js On CentOS 7.

Then install NodeJS:

yum install nodejs -y

Installing the Wazuh API will update NodeJS if required:

yum install wazuh-api

And then, check the status of wazuh-api.

systemctl status wazuh-api

To change the default API credentials manually, first go to the authentication directory:

cd /var/ossec/api/configuration/auth

Then run the command below to create a user (here darshana) and set its password:

node htpasswd -Bc -C 10 user darshana

You can restart API anytime you type:

systemctl restart wazuh-api

You can also change the port manually if required. The file /var/ossec/api/configuration/config.js contains the parameter:

// TCP Port used by the API.
config.port = "55000";

How To Install Filebeat

What is Filebeat? It is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch.

To install it, first import the Elastic GPG key:

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Then create the repository file:

vim /etc/yum.repos.d/elastic.repo

Add the following contents to the file:

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

And to install Filebeat:

yum install filebeat-7.5.1

Download the Filebeat configuration file, which is pre-configured to forward Wazuh alerts to Elasticsearch, from the Wazuh repository:

curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/filebeat/7.x/filebeat.yml

Use the command below to set the file permissions:

chmod go+r /etc/filebeat/filebeat.yml

Now, download the alerts template for Elasticsearch:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.0/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Type the following command to download the Wazuh module for Filebeat:

curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Now you must set the Elasticsearch server IP. Edit “filebeat.yml”:

vim /etc/filebeat/filebeat.yml

And modify the following line:

output.elasticsearch.hosts: ['http://ELASTIC_SERVER_IP:9200']

Run the commands below to enable and start the Filebeat service:

systemctl daemon-reload
systemctl enable filebeat.service
systemctl start filebeat.service
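As an added check that is not part of the original article: a small POSIX shell function that validates the edited filebeat.yml before you start the service. It confirms that the ELASTIC_SERVER_IP placeholder from the downloaded template was replaced by a host on port 9200 and that the file is readable by group and others, as the chmod go+r step intends. The sample file it checks is constructed here; on a real server you would point it at /etc/filebeat/filebeat.yml.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check filebeat.yml
# after editing the output.elasticsearch.hosts line. Returns 0 on success.

check_filebeat_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing file: $cfg" >&2; return 1; }

    # The downloaded template ships with a placeholder that must be edited out.
    if grep -q 'ELASTIC_SERVER_IP' "$cfg"; then
        echo "ELASTIC_SERVER_IP placeholder still present in $cfg" >&2
        return 1
    fi

    # Expect the form used in the article:
    # output.elasticsearch.hosts: ['http://<host>:9200']
    if ! grep -Eq "^output\.elasticsearch\.hosts: *\[ *'https?://[A-Za-z0-9._-]+:9200' *]" "$cfg"; then
        echo "no valid output.elasticsearch.hosts line (expected <host>:9200) in $cfg" >&2
        return 1
    fi

    # In the ls -l mode string, column 5 is group-read and column 8 is
    # other-read; both must be set after chmod go+r.
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case "$mode" in
        ????r??r??) ;;
        *) echo "$cfg is not readable by group/others (mode $mode); run: chmod go+r $cfg" >&2
           return 1 ;;
    esac
    return 0
}

# Demonstration on a constructed sample file (not a real deployment).
demo_dir=$(mktemp -d)
printf "%s\n" "output.elasticsearch.hosts: ['http://192.0.2.10:9200']" > "$demo_dir/filebeat.yml"
chmod 644 "$demo_dir/filebeat.yml"
if check_filebeat_config "$demo_dir/filebeat.yml"; then
    echo "filebeat.yml looks good"
fi
rm -rf "$demo_dir"
```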

How To Install Elastic Stack

In this step, you will configure the second CentOS server with ELK (the Elastic Stack). Run the following on your Elastic Stack server.

As you might guess, the first step is to set the hostname:

hostnamectl set-hostname elk

And use the following command to update the system:

yum update -y

How To Install ELK

In this part you install the Elastic Stack from RPM packages. First add the Elastic GPG key and repository:

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Next, create a repository file:

vim /etc/yum.repos.d/elastic.repo

Add the following content to the file:

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

How To Install Elasticsearch

Run the following command to install the Elasticsearch package:

yum install elasticsearch-7.5.

By default, Elasticsearch listens on the loopback interface (localhost). So, you need to configure Elasticsearch to listen to a non-loopback address by editing /etc/elasticsearch/elasticsearch.yml and uncommenting the network.host configuration. Adjust the IP value you want to connect to:

network.host: 0.0.0.0

Then adjust the firewall rules so that only the allowed source address can reach port 9200:

firewall-cmd --permanent --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="34.232.210.23/32"
  port protocol="tcp" port="9200" accept'

And also to reload firewall rules:

firewall-cmd --reload

Further changes to the Elasticsearch configuration file are also necessary.

Edit the “elasticsearch.yml” file.

vim /etc/elasticsearch/elasticsearch.yml

Now, change or edit “node.name” and “cluster.initial_master_nodes”:

node.name: <node_name>
cluster.initial_master_nodes: ["<node_name>"]

Next, reload the systemd units:

systemctl daemon-reload

Then enable Elasticsearch on system boot:

systemctl enable elasticsearch.service

To start the Elasticsearch service, use the following command:

systemctl start elasticsearch.service

To check the status of Elasticsearch, type:

systemctl status elasticsearch.service

Check the log file for any issues:

tail -f /var/log/elasticsearch/elasticsearch.log

You need to load the Filebeat template after running Elasticsearch. So, run the following command on the Wazuh server.

filebeat setup --index-management -E setup.template.json.enabled=false

How To Install Kibana

To install the Kibana package, type:

yum install kibana-7.5.1

And to install the Wazuh app plugin for Kibana:

sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.0_7.5.1.zip

At this point, be aware that the Kibana configuration must be modified to access Kibana from outside the host. Edit the Kibana configuration file:

vim /etc/kibana/kibana.yml

Change the following line:

server.host: "0.0.0.0"

Then, configure the URLs of the Elasticsearch instances.

elasticsearch.hosts: ["http://localhost:9200"]

Again, run the commands below to enable and start the Kibana service:

systemctl daemon-reload
systemctl enable kibana.service
systemctl start kibana.service

How To Add Wazuh API To Kibana Configurations

First, you need to edit “wazuh.yml.”

vim /usr/share/kibana/plugins/wazuh/wazuh.yml

Remember to edit hostname, username, and password. Then, you can save and exit the file and restart the Kibana service.

systemctl restart kibana.service

In this way, you installed the Wazuh server and the ELK server. So, let’s add hosts using an agent.

Install Wazuh agent

This step has two parts:

1- Adding an Ubuntu server

2- Installing the needed packages:

apt-get install curl apt-transport-https lsb-release gnupg2

To install the Wazuh repository GPG key, use:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

Run the commands below to add the repository and then update the package lists:

echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt-get update

Tutorial Install The Wazuh agent (Configure Wazuh On Centos 7)

The command below adds the “WAZUH_MANAGER” IP to the wazuh-agent configuration automatically when installing it:

WAZUH_MANAGER="52.91.79.65" apt-get install wazuh-agent

How To Add CentOS host

Run the command below to import the Wazuh repository key:

rpm --import http://packages.wazuh.com/key/GPG-KEY-WAZUH

Then create the repository file:

vim /etc/yum.repos.d/wazuh.repo

Add the following contents:

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1

Use the following command to install the agent:

WAZUH_MANAGER="52.91.79.65" yum install wazuh-agent
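As an added check that is not part of the original article, for both the Ubuntu and the CentOS agent installs above: a POSIX shell function that reads the manager address the agent will actually use and compares it with the WAZUH_MANAGER value you passed at install time. It assumes the Wazuh 3.x agent layout, where the manager is stored under <client><server><address> in /var/ossec/etc/ossec.conf; the ossec.conf fragment below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the WAZUH_MANAGER
# value given at install time landed in the agent's ossec.conf.

# Print the first <address> found inside the <client> block (empty if none).
agent_manager_address() {
    conf="$1"
    sed -n '/<client>/,/<\/client>/p' "$conf" \
        | sed -n 's/.*<address>\(.*\)<\/address>.*/\1/p' \
        | head -n 1
}

# Return 0 when the configured manager matches the expected one, 1 otherwise.
check_agent_manager() {
    conf="$1"
    expected="$2"
    found=$(agent_manager_address "$conf")
    if [ -z "$found" ]; then
        echo "no manager address found in $conf" >&2
        return 1
    fi
    if [ "$found" != "$expected" ]; then
        echo "agent points at $found, expected $expected" >&2
        return 1
    fi
    echo "agent points at manager $found"
    return 0
}

# Demonstration on a constructed ossec.conf fragment using the article's
# manager IP; on a real agent use /var/ossec/etc/ossec.conf instead.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>52.91.79.65</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>
EOF
check_agent_manager "$demo" "52.91.79.65"
rm -f "$demo"
```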

How To Access To Wazuh Dashboard

First, browse to Kibana using the server IP or hostname:

http://IP or hostname:5601/

The interface below should display:

[Image: Kibana Dashboard]

If you click on the “Wazuh” icon, you will go to the Wazuh dashboard, which looks as follows.

[Image: Wazuh Dashboard]

Now, you should see the connected agents, security information management, etc. Click on security events to see a graphical view of events.

[Image: Security Events]

Uninstall The Agent:

apt-get remove wazuh-agent

Since some package managers leave configuration files on the filesystem by design, run the following command to remove them completely:

apt-get remove --purge wazuh-agent

By reaching here, you have finished learning all that was needed for installing and configuring the Wazuh server on CentOS.


Conclusion

In this article, you learned how to install and configure Wazuh on CentOS 7. Depending on your operating system and whether you wish to build from source, there are several options for installing the Wazuh server. If you are interested in reading more, see our article on How to Install CWP on CentOS 7.
