The firewall needs to open the following ports:
- TCP: 1514, 1515, 55000, 9200, 443
- UDP: 514
### 0. Install docker and docker-compose
- docker installation
- docker-compose installation (Linux server)

$ sudo curl -L "https://github.com/docker/compose/releases/download/2.16.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose
$ docker-compose --version
### 1. Modify server `max_map_count`
$ sysctl -w vm.max_map_count=262144
### 2. Upload `wazuh-project.zip` to the server
![image.png](https://cdn.elephdev.com/uploads/20230505/0999a13008f7d2be5b7156d677fd4263.png)
Unzip the archive:
$ unzip wazuh-project.zip
![image.png](https://cdn.elephdev.com/uploads/20230505/ef8229a5d5595c9530cb2485943cd762.png)
### 3. Start the project in one step with `docker-compose`
$ docker-compose up -d
Wait for the Docker images to be pulled.
![image.png](https://cdn.elephdev.com/uploads/20230505/6229919c95ebd0c104e2e4cc5b8da9f7.png)
Started successfully.
![image.png](https://cdn.elephdev.com/uploads/20230505/481f2f571fa1aee0f7ad30c1c7724a76.png)
On the first start, `Wazuh` needs to generate the necessary indexes and index patterns, which takes about 1 minute (the speed depends on the configuration of the server).
![image.png](https://cdn.elephdev.com/uploads/20230505/fe9dc0a8388be70d50100f70fdb614e5.png)
### 4. Access the `wazuh` console
Browser access: https://{IP}
Default account: `admin`
Default password: `elephdev`
The password change tutorial is below
![image.png](https://cdn.elephdev.com/uploads/20230505/bb487ad89d5a45fed22f18cd3a50f2ec.png)
Because the console is reached by IP address and HTTPS uses the certificate generated by Wazuh's official tooling, the browser will show a certificate warning; choose to ignore it and continue.
![image.png](https://cdn.elephdev.com/uploads/20230505/dc50e40f6970a319aac59676810414aa.png)
![image.png](https://cdn.elephdev.com/uploads/20230505/11a7d6d1ac9a581bce82d92606e07b12.png)
![image.png](https://cdn.elephdev.com/uploads/20230505/77f536de215096357e86b652d4365051.png)
### Change password
1. Enter the command
$ docker run --rm -ti wazuh/wazuh-indexer:4.3.10 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
2. Enter the password (note that it is not displayed as you type; press Enter when done)
![image.png](https://cdn.elephdev.com/uploads/20230505/747f6d07852d786f279c47fecae96045.png)
3. Copy the generated hash and replace the current user hash in the file `config/wazuh_indexer/internal_users.yml`
![image.png](https://cdn.elephdev.com/uploads/20230505/ac7c701ea9e540d81c56c7e51cdefc7d.png)
4. Change the default value of every occurrence of `INDEXER_PASSWORD` in the file `docker-compose.yml` to the new password
![image.png](https://cdn.elephdev.com/uploads/20230505/a3eeeee7e84d45f2067c730b19d9dd91.png)
![image.png](https://cdn.elephdev.com/uploads/20230505/7c6da3bbf7bfd3123d8d919a55a4873a.png)
5. Restart the project
$ docker-compose restart
6. Enter the container
$ docker exec -it wazuh_elasticsearch_1 bash
7. Execute commands
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
CACERT=$OPENSEARCH_PATH_CONF/certs/root-ca.pem
KEY=$OPENSEARCH_PATH_CONF/certs/admin-key.pem
CERT=$OPENSEARCH_PATH_CONF/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9300 -icl
![image.png](https://cdn.elephdev.com/uploads/20230505/4d428291e3f1bb8656c193a6ea3829ea.png)
8. Exit the container
![image.png](https://cdn.elephdev.com/uploads/20230505/c540d02ad0b7f66ca384cb22d677cd66.png)
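Steps 3 and 4 can be scripted. The following is an added example, not part of the original post or the Wazuh project: the function names, sample file contents, hash and new password are constructed for illustration, and it assumes `INDEXER_PASSWORD` appears in the unquoted `- INDEXER_PASSWORD=value` list form.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): steps 3 and 4 on constructed files.
set -eu

# Values are passed through the environment and spliced with awk string
# concatenation: bcrypt hashes contain "$" and "/", and passwords may contain
# "&", all of which break naive sed replacements. Files are rewritten with
# "cat >" so a bind-mounted file keeps its inode and stays visible in the container.

set_user_hash() {  # usage: set_user_hash FILE USER HASH
  tmp=$(mktemp)
  WZ_USER="$2" WZ_HASH="$3" awk '
    /^[^ \t#-][^:]*:/ { cur = $0; sub(/:.*/, "", cur) }  # top-level key = user name
    cur == ENVIRON["WZ_USER"] && /^[ \t]+hash:/ {
      match($0, /^[ \t]+/)
      print substr($0, 1, RLENGTH) "hash: \"" ENVIRON["WZ_HASH"] "\""
      done = 1; next
    }
    { print }
    END { exit (done ? 0 : 3) }                          # 3 = user or hash line not found
  ' "$1" > "$tmp" && cat "$tmp" > "$1"; rc=$?; rm -f "$tmp"; return "$rc"
}

# Assumes the unquoted list form "- INDEXER_PASSWORD=value" in docker-compose.yml.
set_indexer_password() {  # usage: set_indexer_password FILE NEWPASS
  tmp=$(mktemp)
  WZ_PASS="$2" awk '
    { i = index($0, "INDEXER_PASSWORD=") }
    i > 0 { $0 = substr($0, 1, i + 16) ENVIRON["WZ_PASS"]; n++ }
    { print }
    END { exit (n ? 0 : 3) }                             # 3 = variable not found
  ' "$1" > "$tmp" && cat "$tmp" > "$1"; rc=$?; rm -f "$tmp"; return "$rc"
}

demo() {  # constructed sample files, hash and password; nothing here is real
  d=$(mktemp -d)
  printf '%s\n' 'admin:' '  hash: "$2y$12$OLD"' '  reserved: true' \
    'kibanaserver:' '  hash: "$2y$12$KEEP"' > "$d/internal_users.yml"
  printf '%s\n' 'services:' '  manager:' '    environment:' \
    '      - INDEXER_PASSWORD=elephdev' '  dashboard:' '    environment:' \
    '      - INDEXER_PASSWORD=elephdev' > "$d/docker-compose.yml"
  set_user_hash "$d/internal_users.yml" admin '$2y$12$NEW/hash.value'
  set_indexer_password "$d/docker-compose.yml" 'N3w&Pass/word'
  cat "$d/internal_users.yml" "$d/docker-compose.yml"; rm -rf "$d"
}
demo
```

Both functions return 3 and leave the file untouched when the user or variable is not found, so a typo in the user name does not silently skip the change.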