Release 4.8.0 - Alpha 2 - E2E UX tests - Amazon security lake #21377

Closed
2 tasks done
davidjiglesias opened this issue Jan 11, 2024 · 5 comments
Comments

davidjiglesias commented Jan 11, 2024

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production; always navigate using the current development documentation for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and URLs for the correct testing of the development packages.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the CICD team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the CICD team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/framework team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Issue delivery and completion

  • Initial delivery: The issue's assignee must complete the testing and deliver the results by Jan 16, 2024 and notify the @wazuh/framework team via Slack using the c-release channel
  • Review: The @wazuh/framework team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Jan 17, 2024 (the issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
  • Auditor: The QA team must audit, validate the results, and close the issue by Jan 18, 2024.

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Step by step | Single node | Amazon Linux 2 x86_64 |
| Server | Step by step | Single node | Amazon Linux 2 x86_64 |
| Dashboard | Step by step | - | Amazon Linux 2 x86_64 |
| Agent | Wazuh WUI one-liner deploy using IP | - | Amazon Linux 1 x86_64 |

Test description

Configure AWS security lake in a Wazuh Manager and a Wazuh Agent.
Ensure the events are correctly displayed on the dashboard.

Test the sample configuration provided in this documentation page:
https://documentation-dev.wazuh.com/v4.8.0-alpha2/cloud-security/amazon/services/supported-services/security-lake.html#amazon-security-lake

Known issues

There are no known issues.

New issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🔴 | Amazon security lake | Outdated documentation | New issue opened: wazuh/wazuh-documentation#6951 |

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    • In general the guide is quite clear. It only presents an ambiguity when specifying the components. It would be good to specify if they can be installed on the same machine, if it is necessary to install them on different machines, or if it is indifferent.
  • Did you face any challenges not covered by the guideline?
    • The guideline is clear. I didn't find any challenges that weren't explained in the guide.
  • Suggestions for improvement:
    • What was mentioned in the first question

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

jbiset commented Jan 12, 2024

Request environments and services

Understanding that each component must be on a different AWS machine and that access to AWS Security Lake is needed, the request is made to CICD through the following issue:

Environment installation 🟢

All components were installed following the step-by-step guides.

Components

| Component | Installation | Type | OS | IP |
|---|---|---|---|---|
| Indexer | Step by step | Single node | Amazon Linux 2 x86_64 | 172.31.35.38 |
| Server | Step by step | Single node | Amazon Linux 2 x86_64 | 172.31.39.94 |
| Dashboard | Step by step | - | Amazon Linux 2 x86_64 | 172.31.42.82 |
| Agent | Wazuh WUI one-liner deploy using IP | - | Amazon Linux 1 x86_64 | 172.31.36.83 |

OS Versions

Indexer

[ec2-user@ip-172-31-35-38 ~]$ cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Manager

[ec2-user@ip-172-31-39-94 ~]$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Dashboard

[ec2-user@ip-172-31-42-82 ~]$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Agent

[ec2-user@ip-172-31-36-83 ~]$ cat /etc/os-release
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"

Component installation 🟢

Indexer installation 🟢

Certificates creation

curl -sO https://packages-dev.wazuh.com/4.8/wazuh-certs-tool.sh
curl -sO https://packages-dev.wazuh.com/4.8/config.yml

config.yml configuration

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.31.35.38"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.31.39.94"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.31.42.82"

Run wazuh-certs-tool.sh

[ec2-user@ip-172-31-35-38 ~]$ bash ./wazuh-certs-tool.sh -A
12/01/2024 14:55:57 INFO: Admin certificates created.
12/01/2024 14:55:57 INFO: Wazuh indexer certificates created.
12/01/2024 14:55:58 INFO: Wazuh server certificates created.
12/01/2024 14:55:58 INFO: Wazuh dashboard certificates created.

Compress files

[ec2-user@ip-172-31-35-38 ~]$ tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./wazuh-1-key.pem
./wazuh-1.pem
./dashboard-key.pem
./dashboard.pem
[ec2-user@ip-172-31-35-38 ~]$ rm -rf ./wazuh-certificates

Nodes installation

Installing package dependencies

[root@ip-172-31-35-38 ec2-user]# yum install coreutils
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                             | 3.6 kB  00:00:00     
El paquete coreutils-8.22-24.amzn2.x86_64 ya se encuentra instalado con su versión más reciente
Nada para hacer
  • Adding the Wazuh repository
[root@ip-172-31-35-38 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-35-38 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1

Installing Wazuh indexer

[root@ip-172-31-35-38 ec2-user]# yum -y install wazuh-indexer
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                             | 3.6 kB  00:00:00     
wazuh                                                                  | 3.4 kB  00:00:00     
wazuh/primary_db                                                       | 440 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-indexer.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                    Arquitectura        Versión              Repositorio        Tamaño
==============================================================================================
Instalando:
 wazuh-indexer              x86_64              4.8.0-1              wazuh              743 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 743 M
Tamaño instalado: 1.0 G
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-indexer-4.8.0-1.x86_64.rpm                                       | 743 MB  00:00:11     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-indexer-4.8.0-1.x86_64                                            1/1 
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Comprobando   : wazuh-indexer-4.8.0-1.x86_64                                            1/1 

Instalado:
  wazuh-indexer.x86_64 0:4.8.0-1                                                              

¡Listo!

Deploying certificates

[root@ip-172-31-35-38 ec2-user]# NODE_NAME=node-1
[root@ip-172-31-35-38 ec2-user]# mkdir /etc/wazuh-indexer/certs
[root@ip-172-31-35-38 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
[root@ip-172-31-35-38 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
[root@ip-172-31-35-38 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
[root@ip-172-31-35-38 ec2-user]# chmod 500 /etc/wazuh-indexer/certs
[root@ip-172-31-35-38 ec2-user]# chmod 400 /etc/wazuh-indexer/certs/*
[root@ip-172-31-35-38 ec2-user]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Starting the service

[root@ip-172-31-35-38 ec2-user]# systemctl daemon-reload
[root@ip-172-31-35-38 ec2-user]# systemctl enable wazuh-indexer
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
[root@ip-172-31-35-38 ec2-user]# systemctl start wazuh-indexer

Cluster initialization

[root@ip-172-31-35-38 ec2-user]# bash /usr/share/wazuh-indexer/bin/indexer-init.sh -i 172.31.35.38
Executing Wazuh indexer security init script...
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 172.31.35.38:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: node-1
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
Executing Wazuh indexer ISM init script...
Will create 'wazuh' index template
 SUCC: 'wazuh' template created or updated
Will create 'ism_history_indices' index template
 SUCC: 'ism_history_indices' template created or updated
Will disable replicas for 'plugins.index_state_management.history' indices
 SUCC: cluster's settings saved
Will create index templates to configure the alias
 SUCC: 'wazuh-alerts' template created or updated
 SUCC: 'wazuh-archives' template created or updated
Will create the 'rollover_policy' policy
  SUCC: 'rollover_policy' policy created
Will create initial indices for the aliases
  SUCC: 'wazuh-alerts' write index created
  SUCC: 'wazuh-archives' write index created
SUCC: Indexer ISM initialization finished successfully.

Testing cluster installation

[root@ip-172-31-39-94 ec2-user]# curl -k -u admin:admin https://172.31.35.38:9200
{
  "name" : "node-1",
  "cluster_name" : "node-1",
  "cluster_uuid" : "0YB6Gy-jRJqsD1lNowdzeA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Testing single-node is working correctly

[root@ip-172-31-39-94 ec2-user]# curl -k -u admin:admin https://172.31.35.38:9200/_cat/nodes?v 
ip           heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
172.31.35.38           28          81  12    0.11    0.32     0.25 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

Manager installation 🟢

Wazuh server node installation

  • Adding the Wazuh repository
[root@ip-172-31-39-94 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-39-94 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
  • Installing the Wazuh manager
[root@ip-172-31-39-94 ec2-user]# yum -y install wazuh-manager
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                             | 3.6 kB  00:00:00     
wazuh                                                                  | 3.4 kB  00:00:00     
wazuh/primary_db                                                       | 440 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-manager.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                    Arquitectura        Versión              Repositorio        Tamaño
==============================================================================================
Instalando:
 wazuh-manager              x86_64              4.8.0-1              wazuh              350 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 350 M
Tamaño instalado: 854 M
Downloading packages:
wazuh-manager-4.8.0-1.x86_64.rpm                                       | 350 MB  00:00:06     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-manager-4.8.0-1.x86_64                                            1/1 
  Comprobando   : wazuh-manager-4.8.0-1.x86_64                                            1/1 

Instalado:
  wazuh-manager.x86_64 0:4.8.0-1                                                              

¡Listo!
[root@ip-172-31-39-94 ec2-user]# systemctl daemon-reload
[root@ip-172-31-39-94 ec2-user]# systemctl enable wazuh-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
[root@ip-172-31-39-94 ec2-user]# systemctl start wazuh-manager
[root@ip-172-31-39-94 ec2-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2024-01-12 16:16:32 UTC; 51s ago
  Process: 559 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─619 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─663 /var/ossec/bin/wazuh-authd
           ├─685 /var/ossec/bin/wazuh-db
           ├─711 /var/ossec/bin/wazuh-execd
           ├─715 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─718 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─721 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─737 /var/ossec/bin/wazuh-analysisd
           ├─753 /var/ossec/bin/wazuh-syscheckd
           ├─801 /var/ossec/bin/wazuh-remoted
           ├─837 /var/ossec/bin/wazuh-logcollector
           ├─857 /var/ossec/bin/wazuh-monitord
           └─877 /var/ossec/bin/wazuh-modulesd

ene 12 16:16:25 ip-172-31-39-94.ec2.internal env[559]: Started wazuh-analysisd...
ene 12 16:16:26 ip-172-31-39-94.ec2.internal env[559]: Started wazuh-syscheckd...
ene 12 16:16:27 ip-172-31-39-94.ec2.internal env[559]: Started wazuh-remoted...
ene 12 16:16:28 ip-172-31-39-94.ec2.internal env[559]: Started wazuh-logcollector...
ene 12 16:16:29 ip-172-31-39-94.ec2.internal env[559]: Started wazuh-monitord...
ene 12 16:16:29 ip-172-31-39-94.ec2.internal env[559]: 2024/01/12 16:16:29 wazuh-modulesd:router: INFO: Loaded router module.
ene 12 16:16:29 ip-172-31-39-94.ec2.internal env[559]: 2024/01/12 16:16:29 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
ene 12 16:16:30 ip-172-31-39-94.ec2.internal env[559]: Started wazuh-modulesd...
ene 12 16:16:32 ip-172-31-39-94.ec2.internal env[559]: Completed.
ene 12 16:16:32 ip-172-31-39-94.ec2.internal systemd[1]: Started Wazuh manager.
  • Installing Filebeat
[root@ip-172-31-39-94 ec2-user]# yum -y install filebeat
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete filebeat.x86_64 0:7.10.2-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                Arquitectura         Versión                Repositorio         Tamaño
==============================================================================================
Instalando:
 filebeat               x86_64               7.10.2-1               wazuh                21 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 21 M
Tamaño instalado: 70 M
Downloading packages:
filebeat-oss-7.10.2-x86_64.rpm                                         |  21 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : filebeat-7.10.2-1.x86_64                                                1/1 
  Comprobando   : filebeat-7.10.2-1.x86_64                                                1/1 

Instalado:
  filebeat.x86_64 0:7.10.2-1                                                                  

¡Listo!
[root@ip-172-31-39-94 ec2-user]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml

Filebeat configuration file

# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["172.31.35.38:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
[root@ip-172-31-39-94 ec2-user]# filebeat keystore create
Created filebeat keystore
[root@ip-172-31-39-94 ec2-user]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@ip-172-31-39-94 ec2-user]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@ip-172-31-39-94 ec2-user]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@ip-172-31-39-94 ec2-user]# chmod go+r /etc/filebeat/wazuh-template.json
[root@ip-172-31-39-94 ec2-user]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/archives/
wazuh/archives/manifest.yml
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/module.yml
wazuh/alerts/
wazuh/alerts/manifest.yml
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
[root@ip-172-31-39-94 ec2-user]# NODE_NAME=wazuh-1
[root@ip-172-31-39-94 ec2-user]# mkdir /etc/filebeat/certs
[root@ip-172-31-39-94 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-39-94 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@ip-172-31-39-94 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@ip-172-31-39-94 ec2-user]# chmod 500 /etc/filebeat/certs
[root@ip-172-31-39-94 ec2-user]# chmod 400 /etc/filebeat/certs/*
[root@ip-172-31-39-94 ec2-user]# chown -R root:root /etc/filebeat/certs
[root@ip-172-31-39-94 ec2-user]# systemctl daemon-reload
[root@ip-172-31-39-94 ec2-user]# systemctl enable filebeat
[root@ip-172-31-39-94 ec2-user]# systemctl start filebeat
[root@ip-172-31-39-94 ec2-user]# filebeat test output
elasticsearch: https://172.31.35.38:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.35.38
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Dashboard installation 🟢

Installing package dependencies

[root@ip-172-31-42-82 ec2-user]# yum install libcap
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                             | 3.6 kB  00:00:00     
El paquete libcap-2.54-1.amzn2.0.2.x86_64 ya se encuentra instalado con su versión más reciente
Nada para hacer

Adding the Wazuh repository

[root@ip-172-31-42-82 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-42-82 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1

Installing the Wazuh dashboard

[root@ip-172-31-42-82 ec2-user]# yum -y install wazuh-dashboard
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
wazuh                                                                  | 3.4 kB  00:00:00     
wazuh/primary_db                                                       | 440 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-dashboard.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                     Arquitectura       Versión               Repositorio       Tamaño
==============================================================================================
Instalando:
 wazuh-dashboard             x86_64             4.8.0-1               wazuh             273 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 273 M
Tamaño instalado: 902 M
Downloading packages:
wazuh-dashboard-4.8.0-1.x86_64.rpm                                     | 273 MB  00:00:05     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-dashboard-4.8.0-1.x86_64                                          1/1 
  Comprobando   : wazuh-dashboard-4.8.0-1.x86_64                                          1/1 

Instalado:
  wazuh-dashboard.x86_64 0:4.8.0-1                                                            

¡Listo!

Configuration opensearch_dashboards.yml

server.host: 172.31.42.82
server.port: 443
opensearch.hosts: https://172.31.35.38:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home

Deploying certificates

[root@ip-172-31-42-82 ec2-user]# NODE_NAME=dashboard
[root@ip-172-31-42-82 ec2-user]# mkdir /etc/wazuh-dashboard/certs
[root@ip-172-31-42-82 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-42-82 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv: «/etc/wazuh-dashboard/certs/dashboard.pem» y «/etc/wazuh-dashboard/certs/dashboard.pem» son el mismo fichero
[root@ip-172-31-42-82 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
mv: «/etc/wazuh-dashboard/certs/dashboard-key.pem» y «/etc/wazuh-dashboard/certs/dashboard-key.pem» son el mismo fichero
[root@ip-172-31-42-82 ec2-user]# chmod 500 /etc/wazuh-dashboard/certs
[root@ip-172-31-42-82 ec2-user]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@ip-172-31-42-82 ec2-user]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Starting the Wazuh dashboard service

[root@ip-172-31-42-82 ec2-user]# systemctl daemon-reload
[root@ip-172-31-42-82 ec2-user]# systemctl enable wazuh-dashboard
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service to /etc/systemd/system/wazuh-dashboard.service.
[root@ip-172-31-42-82 ec2-user]# systemctl start wazuh-dashboard

Wazuh API configuration

hosts:
  - default:
      url: https://172.31.39.94
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false

Wazuh dashboard test access

image

Agent installation 🟢

WUI Installation

image

image

Agent installation (RPM amd64)

curl -o wazuh-agent-4.8.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.x86_64.rpm && sudo WAZUH_MANAGER='172.31.39.94' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Amazon_Linux_1' rpm -ihv wazuh-agent-4.8.0-1.x86_64.rpm

NOTE: Amazon Linux version 1 does not support systemctl.

[root@ip-172-31-36-83 ec2-user]# sudo systemctl daemon-reload
sudo: systemctl: command not found

To enable the service, use chkconfig

[root@ip-172-31-36-83 ec2-user]# chkconfig wazuh-agent on

Then use `/var/ossec/bin/wazuh-control` to start the agent

[root@ip-172-31-36-83 bin]# ./wazuh-control status
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
[root@ip-172-31-36-83 bin]# ./wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Agent correctly connected to environment

image

Wazuh Versions

Indexer

[root@ip-172-31-35-38 ec2-user]# yum list installed | grep indexer
wazuh-indexer.x86_64                  4.8.0-1                          @wazuh

Manager

[root@ip-172-31-39-94 bin]# ./wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="server"

Dashboard

[root@ip-172-31-42-82 ec2-user]# yum list installed | grep dashboard
wazuh-dashboard.x86_64                4.8.0-1                          @wazuh 

Agent

[root@ip-172-31-36-83 bin]# ./wazuh-control info -v
v4.8.0

Configuring AWS Security Lake in Wazuh Manager 🔴

This documentation is followed: https://documentation-dev.wazuh.com/v4.8.0-alpha2/cloud-security/amazon/services/supported-services/security-lake.html#amazon-security-lake

The "Visualizing alerts in Wazuh dashboard" documentation has outdated text and an outdated image: Security events is now Threat Hunting. 🔴

Current

  • Text
    Once you set the configuration and restart the manager, you can visualize the Amazon Security Lake alerts in the Wazuh dashboard. To do this, go to the Security events module. Apply the filter rule.groups: amazon_security_lake for an easier visualization.

  • Image
    image

Expected

  • Text
    Once you set the configuration and restart the manager, you can visualize the Amazon Security Lake alerts in the Wazuh dashboard. To do this, go to the Threat Hunting module. Apply the filter rule.groups: amazon_security_lake for an easier visualization.

  • Image
    image

CICD team provided access to security lake and provided the following configuration:

<subscriber type="security_lake">
  <sqs_name>AmazonSecurityLake-f38b8aff-********-Main-Queue</sqs_name>
  <iam_role_arn>arn:aws:iam::*********:role/AmazonSecurityLake-f38b8aff******</iam_role_arn>
  <iam_role_duration>1300</iam_role_duration>
  <external_id>wazuh-external-id</external_id>
</subscriber>

Configuring AWS credentials

Created /root/.aws/credentials file, following the Configuring AWS Credentials guide and configured keys corresponding to the user provided by CICD:

[root@ip-172-31-39-94 /]# cat /root/.aws/credentials
[default]
region=us-east-1
aws_access_key_id=AKIAY****
aws_secret_access_key=T0pyD*****

Included the config provided by CICD mentioned above in ossec.conf:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1h</interval>
  <run_on_start>yes</run_on_start>
  <subscriber type="security_lake">
    <sqs_name>AmazonSecurityLake-f38b8aff-********-Main-Queue</sqs_name>
    <iam_role_arn>arn:aws:iam::*********:role/AmazonSecurityLake-f38b8aff******</iam_role_arn>
    <iam_role_duration>1300</iam_role_duration>
    <external_id>wazuh-external-id</external_id>
  </subscriber>
</wodle>

Restart the service

systemctl restart wazuh-manager

Checked /var/ossec/logs/ossec.log for details

[root@ip-172-31-39-94 /]# tail -f /var/ossec/logs/ossec.log
2024/01/12 21:01:21 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2024/01/12 21:01:21 wazuh-modulesd:aws-s3: INFO: Executing Subscriber fetch: (Type and SQS: security_lake AmazonSecurityLake-f38b8aff-**********-Main-Queue)

Security Lake integration is working and events show up in dashboard

image

image

image

image

image

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.8.0 Jan 15, 2024
@Selutario
Copy link
Contributor

LGTM! Each step was carefully described and detailed, good job.

@wazuhci wazuhci moved this from Pending review to Pending final review in Release 4.8.0 Jan 17, 2024
@wazuhci wazuhci moved this from Pending final review to In final review in Release 4.8.0 Jan 17, 2024
@rauldpm
Copy link
Member

rauldpm commented Jan 17, 2024

Final reviewer notes

  • The command outputs should be in English as the issue is public and English is the main language, I propose a small reminder to the team about this as this behavior is increasingly present
  • The wrong tag has been used when downloading the Filebeat template but no error is reported, this must be reviewed
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.0/extensions/elasticsearch/7.x/wazuh-template.json
  • As the template error is a deployment error, we could be validating results that could change if the deployment is done correctly, the test must be done again

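To catch the silent wrong-tag download rauldpm points out above, here is an added example (not from the issue or the Wazuh project) that makes curl fail on HTTP errors instead of saving the error page, then validates the saved file before Filebeat ever loads it. The tag name and destination path are assumed arguments; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the issue or from Wazuh.
# A raw.githubusercontent.com 404 answers with the plain text "404: Not Found",
# and `curl -so` writes that body to disk with exit status 0, so the wrong tag
# goes unnoticed until Filebeat fails to load the template (or loads nothing).

# Reject anything that is not a JSON object carrying the top-level keys a
# Wazuh index template must have. Returns 0 when the file looks valid.
validate_template() {
    file="$1"
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    # the first non-blank character must open a JSON object; a 404 page or
    # an HTML error body fails here
    first=$(tr -d ' \t\r\n' < "$file" | cut -c1)
    [ "$first" = "{" ] || { echo "not a JSON object: $file" >&2; return 1; }
    # the Wazuh template always declares these keys
    for key in index_patterns mappings; do
        grep -q "\"$key\"" "$file" || { echo "missing key $key: $file" >&2; return 1; }
    done
    return 0
}

# Download with -f so an HTTP error makes curl exit non-zero instead of saving
# the error page, and -S so the reason is still printed in silent mode.
# Usage: fetch_template v4.8.0-alpha2 /etc/filebeat/wazuh-template.json
fetch_template() {
    tag="$1"
    dest="$2"
    url="https://raw.githubusercontent.com/wazuh/wazuh/${tag}/extensions/elasticsearch/7.x/wazuh-template.json"
    curl -fsS -o "$dest" "$url" || { echo "download failed for tag $tag" >&2; return 1; }
    validate_template "$dest"
}
```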
@wazuhci wazuhci moved this from In final review to On hold in Release 4.8.0 Jan 17, 2024
@jbiset
Copy link
Member

jbiset commented Jan 17, 2024

New testing

Note

Due to connection failure to the AWS machine for Wazuh Server, a new AWS machine had to be used.
On all AWS machines, the components were uninstalled following the following documentation, except for Wazuh server, which was installed on a new machine.
Thus, the agent installed in the previous test was also removed.

OS Versions

Indexer

[root@ip-172-31-35-38 ec2-user]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Manager

[root@ip-172-31-40-255 ec2-user]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Dashboard

[root@ip-172-31-42-82 ec2-user]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Agent

[ec2-user@ip-172-31-36-83 ~]$ cat /etc/os-release
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"

Component installation 🟢

Indexer installation 🟢

Certificates creation

[root@ip-172-31-35-38 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-certs-tool.sh
[root@ip-172-31-35-38 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.8/config.yml

config.yml configuration

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.31.35.38"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.31.40.255"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.31.42.82"

Run wazuh-certs-tool.sh

[root@ip-172-31-35-38 ec2-user]# bash ./wazuh-certs-tool.sh -A
17/01/2024 20:25:16 INFO: Admin certificates created.
17/01/2024 20:25:16 INFO: Wazuh indexer certificates created.
17/01/2024 20:25:16 INFO: Wazuh server certificates created.
17/01/2024 20:25:16 INFO: Wazuh dashboard certificates created.

Compress files

[root@ip-172-31-35-38 ec2-user]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./wazuh-1-key.pem
./wazuh-1.pem
./dashboard-key.pem
./dashboard.pem
[root@ip-172-31-35-38 ec2-user]# rm -rf ./wazuh-certificates

Nodes installation

  • Installing package dependencies
[root@ip-172-31-35-38 ec2-user]# yum install coreutils
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                             | 3.6 kB  00:00:00     
El paquete coreutils-8.22-24.amzn2.x86_64 ya se encuentra instalado con su versión más reciente
Nada para hacer
  • Adding the Wazuh repository
[root@ip-172-31-35-38 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-35-38 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1

Installing Wazuh indexer

[root@ip-172-31-35-38 ec2-user]# yum -y install wazuh-indexer
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
wazuh                                                                  | 3.4 kB  00:00:00     
Resolviendo dependencias
There are unfinished transactions remaining. You might consider running yum-complete-transaction, or "yum-complete-transaction --cleanup-only" and "yum history redo last", first to finish them. If those don't work you'll have to try removing/installing packages by hand (maybe package-cleanup can help).
--> Ejecutando prueba de transacción
---> Paquete wazuh-indexer.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                    Arquitectura        Versión              Repositorio        Tamaño
==============================================================================================
Instalando:
 wazuh-indexer              x86_64              4.8.0-1              wazuh              743 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 743 M
Tamaño instalado: 1.0 G
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-indexer-4.8.0-1.x86_64.rpm                                       | 743 MB  00:00:14     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-indexer-4.8.0-1.x86_64                                            1/1 
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Comprobando   : wazuh-indexer-4.8.0-1.x86_64                                            1/1 

Instalado:
  wazuh-indexer.x86_64 0:4.8.0-1                                                              

¡Listo!

Wazuh indexer configuration

network.host: "172.31.35.38"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
#discovery.seed_hosts:
#  - "node-1-ip"
#  - "node-2-ip"
#  - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true

Deploying certificates

[root@ip-172-31-35-38 ec2-user]# NODE_NAME=node-1
[root@ip-172-31-35-38 ec2-user]# mkdir /etc/wazuh-indexer/certs
[root@ip-172-31-35-38 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
[root@ip-172-31-35-38 ec2-user]# 
[root@ip-172-31-35-38 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
[root@ip-172-31-35-38 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
[root@ip-172-31-35-38 ec2-user]# chmod 500 /etc/wazuh-indexer/certs
[root@ip-172-31-35-38 ec2-user]# chmod 400 /etc/wazuh-indexer/certs/*
[root@ip-172-31-35-38 ec2-user]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Starting the service

[root@ip-172-31-35-38 ec2-user]# systemctl daemon-reload
[root@ip-172-31-35-38 ec2-user]# systemctl enable wazuh-indexer
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
[root@ip-172-31-35-38 ec2-user]# systemctl start wazuh-indexer

Cluster initialization

[root@ip-172-31-35-38 ec2-user]# bash /usr/share/wazuh-indexer/bin/indexer-init.sh -i 172.31.35.38
Executing Wazuh indexer security init script...
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 172.31.35.38:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
Executing Wazuh indexer ISM init script...
Will create 'wazuh' index template
 SUCC: 'wazuh' template created or updated
Will create 'ism_history_indices' index template
 SUCC: 'ism_history_indices' template created or updated
Will disable replicas for 'plugins.index_state_management.history' indices
 SUCC: cluster's settings saved
Will create index templates to configure the alias
 SUCC: 'wazuh-alerts' template created or updated
 SUCC: 'wazuh-archives' template created or updated
Will create the 'rollover_policy' policy
  SUCC: 'rollover_policy' policy created
Will create initial indices for the aliases
  SUCC: 'wazuh-alerts' write index created
  SUCC: 'wazuh-archives' write index created
SUCC: Indexer ISM initialization finished successfully.

Testing cluster installation

[root@ip-172-31-40-255 ec2-user]# curl -k -u admin:admin https://172.31.35.38:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "hn55RGTPT3-IcT4iBnsmlA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Testing single-node is working correctly

[root@ip-172-31-40-255 ec2-user]# curl -k -u admin:admin https://172.31.35.38:9200/_cat/nodes?v 
ip           heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
172.31.35.38           23          81  12    0.14    0.26     0.16 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

Manager installation 🟢

Wazuh server node installation

  • Adding the Wazuh repository
[root@ip-172-31-40-255 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-40-255 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
  • Installing the Wazuh manager
[root@ip-172-31-40-255 ec2-user]# yum -y install wazuh-manager
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                             | 3.6 kB  00:00:00     

wazuh                                                                  | 3.4 kB  00:00:00     
wazuh/primary_db                                                       | 440 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-manager.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                    Arquitectura        Versión              Repositorio        Tamaño
==============================================================================================
Instalando:
 wazuh-manager              x86_64              4.8.0-1              wazuh              350 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 350 M
Tamaño instalado: 854 M
Downloading packages:
wazuh-manager-4.8.0-1.x86_64.rpm                                       | 350 MB  00:00:06     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-manager-4.8.0-1.x86_64                                            1/1 
  Comprobando   : wazuh-manager-4.8.0-1.x86_64                                            1/1 

Instalado:
  wazuh-manager.x86_64 0:4.8.0-1                                                              

¡Listo!
[root@ip-172-31-40-255 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-255 ec2-user]# systemctl enable wazuh-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
[root@ip-172-31-40-255 ec2-user]# systemctl start wazuh-manager
[root@ip-172-31-40-255 ec2-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2024-01-17 20:45:53 UTC; 36s ago
  Process: 3751 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─3810 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─3852 /var/ossec/bin/wazuh-authd
           ├─3869 /var/ossec/bin/wazuh-db
           ├─3883 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─3886 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─3889 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─3903 /var/ossec/bin/wazuh-execd
           ├─3919 /var/ossec/bin/wazuh-analysisd
           ├─3930 /var/ossec/bin/wazuh-syscheckd
           ├─3980 /var/ossec/bin/wazuh-remoted
           ├─4016 /var/ossec/bin/wazuh-logcollector
           ├─4035 /var/ossec/bin/wazuh-monitord
           └─4057 /var/ossec/bin/wazuh-modulesd

ene 17 20:45:46 ip-172-31-40-255.ec2.internal env[3751]: Started wazuh-analysisd...
ene 17 20:45:47 ip-172-31-40-255.ec2.internal env[3751]: Started wazuh-syscheckd...
ene 17 20:45:48 ip-172-31-40-255.ec2.internal env[3751]: Started wazuh-remoted...
ene 17 20:45:49 ip-172-31-40-255.ec2.internal env[3751]: Started wazuh-logcollector...
ene 17 20:45:50 ip-172-31-40-255.ec2.internal env[3751]: Started wazuh-monitord...
ene 17 20:45:50 ip-172-31-40-255.ec2.internal env[3751]: 2024/01/17 20:45:50 wazuh-modulesd:router: INFO: Loaded router module.
ene 17 20:45:50 ip-172-31-40-255.ec2.internal env[3751]: 2024/01/17 20:45:50 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
ene 17 20:45:51 ip-172-31-40-255.ec2.internal env[3751]: Started wazuh-modulesd...
ene 17 20:45:53 ip-172-31-40-255.ec2.internal env[3751]: Completed.
ene 17 20:45:53 ip-172-31-40-255.ec2.internal systemd[1]: Started Wazuh manager.
  • Installing Filebeat
[root@ip-172-31-40-255 ec2-user]# yum -y install filebeat
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete filebeat.x86_64 0:7.10.2-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                Arquitectura         Versión                Repositorio         Tamaño
==============================================================================================
Instalando:
 filebeat               x86_64               7.10.2-1               wazuh                21 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 21 M
Tamaño instalado: 70 M
Downloading packages:
filebeat-oss-7.10.2-x86_64.rpm                                         |  21 MB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : filebeat-7.10.2-1.x86_64                                                1/1 
  Comprobando   : filebeat-7.10.2-1.x86_64                                                1/1 

Instalado:
  filebeat.x86_64 0:7.10.2-1                                                                  

¡Listo!
[root@ip-172-31-40-255 ec2-user]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml

Filebeat configuration file

# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["172.31.35.38:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
[root@ip-172-31-40-255 ec2-user]# filebeat keystore create
Created filebeat keystore
[root@ip-172-31-40-255 ec2-user]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@ip-172-31-40-255 ec2-user]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore

This part was wrong in the previous test

[root@ip-172-31-40-255 ec2-user]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.0-alpha2/extensions/elasticsearch/7.x/wazuh-template.json
[root@ip-172-31-40-255 ec2-user]# chmod go+r /etc/filebeat/wazuh-template.json
[root@ip-172-31-40-255 ec2-user]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/archives/
wazuh/archives/manifest.yml
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/module.yml
wazuh/alerts/
wazuh/alerts/manifest.yml
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
[root@ip-172-31-40-255 ec2-user]# ls
wazuh-certificates.tar
[root@ip-172-31-40-255 ec2-user]# NODE_NAME=wazuh-1
[root@ip-172-31-40-255 ec2-user]# mkdir /etc/filebeat/certs
[root@ip-172-31-40-255 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-40-255 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@ip-172-31-40-255 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@ip-172-31-40-255 ec2-user]# chmod 500 /etc/filebeat/certs
[root@ip-172-31-40-255 ec2-user]# chmod 400 /etc/filebeat/certs/*
[root@ip-172-31-40-255 ec2-user]# chown -R root:root /etc/filebeat/certs
[root@ip-172-31-40-255 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-255 ec2-user]# systemctl enable filebeat
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
[root@ip-172-31-40-255 ec2-user]# systemctl start filebeat
[root@ip-172-31-40-255 ec2-user]# filebeat test output
elasticsearch: https://172.31.35.38:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.35.38
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Dashboard installation 🟢

Installing package dependencies

[root@ip-172-31-42-82 ec2-user]# yum install libcap
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
El paquete libcap-2.54-1.amzn2.0.2.x86_64 ya se encuentra instalado con su versión más reciente
Nada para hacer

Adding the Wazuh repository

[root@ip-172-31-42-82 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-42-82 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1

Installing the Wazuh dashboard

[root@ip-172-31-42-82 ec2-user]# yum -y install wazuh-dashboard
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
wazuh                                                                  | 3.4 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-dashboard.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

==============================================================================================
 Package                     Arquitectura       Versión               Repositorio       Tamaño
==============================================================================================
Instalando:
 wazuh-dashboard             x86_64             4.8.0-1               wazuh             273 M

Resumen de la transacción
==============================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 273 M
Tamaño instalado: 902 M
Downloading packages:
wazuh-dashboard-4.8.0-1.x86_64.rpm                                     | 273 MB  00:00:05     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-dashboard-4.8.0-1.x86_64                                          1/1 
  Comprobando   : wazuh-dashboard-4.8.0-1.x86_64                                          1/1 

Instalado:
  wazuh-dashboard.x86_64 0:4.8.0-1                                                            

¡Listo!

Configuration opensearch_dashboards.yml

server.host: 172.31.42.82
server.port: 443
opensearch.hosts: https://172.31.35.38:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home

Deploying certificates

[root@ip-172-31-42-82 ec2-user]# NODE_NAME=dashboard
[root@ip-172-31-42-82 ec2-user]# mkdir /etc/wazuh-dashboard/certs
[root@ip-172-31-42-82 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-42-82 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv: «/etc/wazuh-dashboard/certs/dashboard.pem» y «/etc/wazuh-dashboard/certs/dashboard.pem» son el mismo fichero
[root@ip-172-31-42-82 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
mv: «/etc/wazuh-dashboard/certs/dashboard-key.pem» y «/etc/wazuh-dashboard/certs/dashboard-key.pem» son el mismo fichero
[root@ip-172-31-42-82 ec2-user]# chmod 500 /etc/wazuh-dashboard/certs
[root@ip-172-31-42-82 ec2-user]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@ip-172-31-42-82 ec2-user]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Starting the Wazuh dashboard service

[root@ip-172-31-42-82 ec2-user]# systemctl daemon-reload
[root@ip-172-31-42-82 ec2-user]# systemctl enable wazuh-dashboard
[root@ip-172-31-42-82 ec2-user]# systemctl start wazuh-dashboard

Wazuh API configuration

hosts:
  - default:
      url: https://172.31.40.255
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false

Wazuh dashboard test access

wazuh-dashboard-test-access

Agent installation 🟢

Agent installation (RPM amd64)

WUI Installation


  • Command

curl -o wazuh-agent-4.8.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.x86_64.rpm && sudo WAZUH_MANAGER='172.31.40.255' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='amazon-linux-1' rpm -ihv wazuh-agent-4.8.0-1.x86_64.rpm

[root@ip-172-31-36-83 ec2-user]# curl -o wazuh-agent-4.8.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.x86_64.rpm && sudo WAZUH_MANAGER='172.31.40.255' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='amazon-linux-1' rpm -ihv wazuh-agent-4.8.0-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9448k  100 9448k    0     0  24.6M      0 --:--:-- --:--:-- --:--:-- 24.6M
advertencia:wazuh-agent-4.8.0-1.x86_64.rpm: EncabezadoV3 RSA/SHA256 Signature, ID de clave 29111145: NOKEY
Preparando...                         ################################# [100%]
Actualizando / instalando...
   1:wazuh-agent-4.8.0-1              ################################# [100%]
[root@ip-172-31-36-83 bin]# chkconfig wazuh-agent on
[root@ip-172-31-36-83 bin]# ./wazuh-control status
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
[root@ip-172-31-36-83 bin]# ./wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@ip-172-31-36-83 bin]# ./wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Agent correctly connected to environment

agent-evidence

Wazuh Versions

Indexer

[root@ip-172-31-35-38 ec2-user]# yum list installed | grep indexer
wazuh-indexer.x86_64                  4.8.0-1                          @wazuh 

Manager

[root@ip-172-31-40-255 bin]# ./wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="server"

Dashboard

[root@ip-172-31-42-82 ec2-user]# yum list installed | grep dashboard
wazuh-dashboard.x86_64                4.8.0-1                          @wazuh 

Agent

[root@ip-172-31-36-83 bin]# ./wazuh-control info -v
v4.8.0

Configuring AWS Security Lake in Wazuh Manager 🔴

This documentation is followed: https://documentation-dev.wazuh.com/v4.8.0-alpha2/cloud-security/amazon/services/supported-services/security-lake.html#amazon-security-lake

The "Visualizing alerts in Wazuh dashboard" documentation has outdated text and image: Security events is now Threat Hunting. 🔴

Current

  • Text
    Once you set the configuration and restart the manager, you can visualize the Amazon Security Lake alerts in the Wazuh dashboard. To do this, go to the Security events module. Apply the filter rule.groups: amazon_security_lake for an easier visualization.

  • Image
    image

Expected

  • Text
    Once you set the configuration and restart the manager, you can visualize the Amazon Security Lake alerts in the Wazuh dashboard. To do this, go to the Threat Hunting module. Apply the filter rule.groups: amazon_security_lake for an easier visualization.

  • Image
    image

CICD team provided access to security lake and provided the following configuration:

<subscriber type="security_lake">
  <sqs_name>AmazonSecurityLake-f38b8aff-********-Main-Queue</sqs_name>
  <iam_role_arn>arn:aws:iam::*********:role/AmazonSecurityLake-f38b8aff******</iam_role_arn>
  <iam_role_duration>1300</iam_role_duration>
  <external_id>wazuh-external-id</external_id>
</subscriber>

Configuring AWS credentials

Created /root/.aws/credentials file, following the Configuring AWS Credentials guide and configured keys corresponding to the user provided by CICD:

[root@ip-172-31-39-94 /]# cat /root/.aws/credentials
[default]
region=us-east-1
aws_access_key_id=AKIAY****
aws_secret_access_key=T0pyD*****

Included the config provided by CICD mentioned above and placed it in ossec.conf

  <!-- AWS Security Lake integration -->
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>1h</interval>
    <run_on_start>yes</run_on_start>
    <subscriber type="security_lake">
        <sqs_name>AmazonSecurityLake-f38b8aff-********-Main-Queue</sqs_name>
        <iam_role_arn>arn:aws:iam::*********:role/AmazonSecurityLake-f38b8aff******</iam_role_arn>
        <iam_role_duration>1300</iam_role_duration>
        <external_id>wazuh-external-id</external_id>
    </subscriber>
  </wodle>

Restart the service

systemctl restart wazuh-manager

Checked /var/ossec/logs/ossec.log for details

[root@ip-172-31-39-94 /]# tail -f /var/ossec/logs/ossec.log
2024/01/17 21:56:24 wazuh-modulesd:aws-s3: INFO: Module AWS started
2024/01/17 21:56:24 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2024/01/17 21:56:24 wazuh-modulesd:aws-s3: INFO: Executing Subscriber fetch: (Type and SQS: security_lake AmazonSecurityLake-f38b8aff-fec5-4705-a05a-3d62abdfc439-Main-Queue)
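As an added check that is not part of this test report (and not Wazuh project code), the following Python parses a constructed copy of the subscriber block above and of the ossec.log lines, flagging a missing external_id, a malformed role ARN or an iam_role_duration below the 900-second STS AssumeRole minimum, and extracting which queue the module actually fetched. The 12-digit account id, the PLACEHOLDER queue suffix and the log text are constructed stand-ins for the masked values.

```python
# Added example (not Wazuh project code): sanity-check a security_lake
# subscriber block like the one above and confirm ossec.log shows the fetch.
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment; PLACEHOLDER stands in for the masked values.
OSSEC_CONF = """<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>1h</interval>
    <run_on_start>yes</run_on_start>
    <subscriber type="security_lake">
      <sqs_name>AmazonSecurityLake-PLACEHOLDER-Main-Queue</sqs_name>
      <iam_role_arn>arn:aws:iam::123456789012:role/AmazonSecurityLake-PLACEHOLDER</iam_role_arn>
      <iam_role_duration>1300</iam_role_duration>
      <external_id>wazuh-external-id</external_id>
    </subscriber>
  </wodle>
</ossec_config>"""

# Constructed log lines in the format shown by the tail of ossec.log above.
OSSEC_LOG = """2024/01/17 21:56:24 wazuh-modulesd:aws-s3: INFO: Module AWS started
2024/01/17 21:56:24 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2024/01/17 21:56:24 wazuh-modulesd:aws-s3: INFO: Executing Subscriber fetch: (Type and SQS: security_lake AmazonSecurityLake-PLACEHOLDER-Main-Queue)"""

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
REQUIRED = ("sqs_name", "iam_role_arn", "external_id")

def check_subscriber(conf_xml):
    """Return a list of problems in the security_lake subscriber block (empty = OK)."""
    problems = []
    root = ET.fromstring(conf_xml)
    subs = root.findall("./wodle[@name='aws-s3']/subscriber[@type='security_lake']")
    if not subs:
        return ["no security_lake subscriber under <wodle name=\"aws-s3\">"]
    for sub in subs:
        for tag in REQUIRED:  # external_id is what stops confused-deputy role use
            if not (sub.findtext(tag) or "").strip():
                problems.append(f"missing <{tag}>")
        arn = (sub.findtext("iam_role_arn") or "").strip()
        if arn and not ROLE_ARN_RE.match(arn):
            problems.append(f"malformed iam_role_arn: {arn}")
        dur = (sub.findtext("iam_role_duration") or "900").strip()
        if not dur.isdigit() or int(dur) < 900:  # 900 s is the STS AssumeRole minimum
            problems.append(f"iam_role_duration below 900 s: {dur}")
    return problems

FETCH_RE = re.compile(r"aws-s3: INFO: Executing Subscriber fetch: \(Type and SQS: security_lake (\S+)\)")

def fetched_queues(log_text):
    """Queue names for which ossec.log records a security_lake subscriber fetch."""
    return [m.group(1) for m in FETCH_RE.finditer(log_text)]
```

Run check_subscriber against the real /var/ossec/etc/ossec.conf and fetched_queues against /var/ossec/logs/ossec.log after the restart; an empty problem list and a queue name matching sqs_name is the expected result.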

Security Lake integration is working and events show up in dashboard

security-lake-1

security-lake-2

security-lake-3

security-lake-4

security-lake-5

@wazuhci wazuhci moved this from On hold to Pending review in Release 4.8.0 Jan 18, 2024
@wazuhci wazuhci moved this from Pending review to In review in Release 4.8.0 Jan 18, 2024
@Selutario
Contributor

LGTM 👍

@rauldpm rauldpm closed this as completed Jan 18, 2024
@wazuhci wazuhci moved this from In review to Done in Release 4.8.0 Jan 18, 2024