This document guides you through an installation of the Wazuh server and Elastic Stack components in an all-in-one configuration.
What is Wazuh
Wazuh is an open-source security information and event management (SIEM) platform that helps monitor and manage security events within an IT environment. It integrates essential security components, including intrusion detection, vulnerability detection, log analysis and more, into a centralized system. Wazuh provides real-time monitoring and alerting for security incidents, allowing organizations to respond promptly to potential threats, and adds threat detection and incident response capabilities on top of its SIEM functions. With its flexible architecture and scalable design, Wazuh is widely used to strengthen the security posture of systems and networks, making it a valuable tool for proactive threat detection and mitigation. Comprehensive documentation and resources are available to guide users through installation, configuration, and effective use of the platform.
Here we are going to install Wazuh as an Elastic Stack installation: Wazuh, Elasticsearch, Kibana and Filebeat on a standalone Ubuntu system, with the Wazuh agents installed on the Kubernetes nodes to push their data to Elasticsearch.
What is Elasticsearch
Elasticsearch is a highly scalable full-text search and analytics engine. It is an open-source, distributed engine designed for real-time search, analysis, and visualization of large volumes of structured and unstructured data. It is part of the Elastic Stack, which also includes Kibana, Beats, and Logstash, collectively providing a comprehensive platform for data processing and visualization.
Installing Elasticsearch
Install all the necessary packages:
apt-get install apt-transport-https zip unzip lsb-release curl gnupg
Add the Elastic Stack repository:
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
apt-get update
Install Elasticsearch (version 7.17.12):
apt-get install elasticsearch=7.17.12
Configure the file /etc/elasticsearch/elasticsearch.yml using the predefined values from the official Wazuh packages: https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml
Download the Elasticsearch configuration templates from the Wazuh repository and save them to the appropriate locations; you can modify them as required.
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch_all_in_one.yml
curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/instances_aio.yml
Generate and Set Up SSL Certificates:
Generate SSL certificates using elasticsearch-certutil, and then copy them to the Elasticsearch certificates directory.
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
unzip ~/certs.zip -d ~/certs
mkdir /etc/elasticsearch/certs/ca -p
cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
chown -R elasticsearch: /etc/elasticsearch/certs
chmod -R 500 /etc/elasticsearch/certs
chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
rm -rf ~/certs/ ~/certs.zip
Configure systemd and Start Elasticsearch:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
These steps install Elasticsearch, configure it using the provided templates, set up SSL certificates, and start the Elasticsearch service using systemd. Make sure to adjust configurations and paths based on your specific setup and requirements.
The command elasticsearch-setup-passwords auto is used in Elasticsearch to automatically set passwords for built-in users such as elastic, kibana, logstash_system and beats_system. This is an important step for securing Elasticsearch and its components with proper authentication.
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
When you run this command, Elasticsearch generates passwords for the built-in users and displays them. Store these passwords securely, as they are required to authenticate to your Elasticsearch cluster and its associated components.
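A post-install check for the certificate and password steps above, added here as an example (it is not part of the Wazuh or Elastic documentation): it confirms the ownership and modes the chown/chmod commands are meant to leave behind, and queries the node with the CA certificate the steps created rather than with curl -k, which disables certificate verification. It assumes the default paths above, an ES_PWD environment variable holding the elastic password, and that the instance certificate is valid for 127.0.0.1.

```shell
#!/bin/sh
# cert_perms_ok <cert_dir> <owner>
# Returns 0 when the certificate tree matches the layout the steps above
# produce: directories 0500, key and certificate files 0400, everything
# owned by the service user. Returns 1 on the first deviation.
cert_perms_ok() {
  dir=$1; owner=$2
  for d in "$dir" "$dir/ca"; do
    [ -n "$(find "$d" -maxdepth 0 -type d -perm 500 -user "$owner")" ] || return 1
  done
  for f in ca/ca.crt ca/ca.key elasticsearch.crt elasticsearch.key; do
    [ -n "$(find "$dir/$f" -maxdepth 0 -type f -perm 400 -user "$owner")" ] || return 1
  done
  return 0
}

# es_status_from_json <json>
# Prints the cluster status ("green", "yellow" or "red") from a
# _cluster/health response body; prints nothing if the field is absent.
es_status_from_json() {
  printf '%s' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p'
}

# es_health <ca_cert>
# Queries the local node over TLS, verifying the server certificate against
# the CA generated above instead of skipping verification with -k.
# The elastic password is taken from ES_PWD (assumed to be exported).
es_health() {
  body=$(curl -sS --cacert "$1" -u "elastic:$ES_PWD" \
    https://127.0.0.1:9200/_cluster/health) || return 1
  es_status_from_json "$body"
}
```

On the host, run cert_perms_ok /etc/elasticsearch/certs elasticsearch and then ES_PWD='...' es_health /etc/elasticsearch/certs/ca/ca.crt; an empty status means the request failed or was rejected.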
To check that the installation was successful, run the following command, replacing <elastic_password> with the password generated in the previous step for the elastic user:
curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k
Installing Wazuh server
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get install wazuh-manager
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
These steps install, enable and start the Wazuh manager, so you can use its features for security event management and monitoring.
Installing Filebeat
Filebeat is an open-source, lightweight data shipper developed by Elastic. It is part of the Elastic Stack (formerly known as the ELK Stack), which also includes Elasticsearch, Logstash, and Kibana. Filebeat collects, ships, and centralizes log and event data from various sources for further processing, analysis, and visualization.
Filebeat is commonly used for application monitoring, server log monitoring, security event monitoring and similar cases. Its ability to collect data from diverse sources and forward it efficiently to Elasticsearch makes it a valuable tool for organizations that want to gain insights from their log data.
Install Filebeat (version 7.17.12):
apt-get install filebeat=7.17.12
Download Filebeat Configuration and Wazuh Template: Download the Filebeat configuration file and the Wazuh Elasticsearch template from the URLs below and save them to their respective locations.
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.5/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Download Wazuh Filebeat Module: Download the Wazuh Filebeat module and extract it to the appropriate location.
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
Edit Filebeat Configuration: Edit the Filebeat configuration file to include the Elasticsearch password.
echo "output.elasticsearch.password: <elasticsearch_password>" >> /etc/filebeat/filebeat.yml
Replace <elasticsearch_password> with the actual password used to connect to Elasticsearch.
Copy SSL Certificates: Create the Filebeat certificate directory, then copy the SSL certificates from the Elasticsearch directory into it for secure communication.
mkdir /etc/filebeat/certs/ca -p
cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt
cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key
Reload systemd to recognize the changes, enable Filebeat to start on boot, and start it.
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
To ensure that Filebeat has been successfully installed, run the following command:
filebeat test output
Kibana installation and configuration
Kibana is an open-source data visualization and exploration tool designed for use with Elasticsearch.
Kibana is widely used by data analysts, IT operations teams, business intelligence professionals, and developers to monitor systems, analyze logs, track performance metrics, and create visually appealing dashboards to aid in decision-making processes. Its versatility and integration with Elasticsearch make it a powerful tool for gaining insights from data and improving operational efficiency.
Install Kibana (version 7.17.12):
apt-get install kibana=7.17.12
Create Kibana Certificates Directory and Copy Certificates: Create a directory for Kibana certificates, and copy the necessary SSL certificates from the Elasticsearch directory.
mkdir /etc/kibana/certs/ca -p
cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key
cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt
Set Permissions for Kibana Certificates Directory: Set appropriate permissions for the Kibana certificates directory and files.
chown -R kibana:kibana /etc/kibana/
chmod -R 500 /etc/kibana/certs
chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
Download and Configure Kibana YAML Configuration File: Download the Kibana YAML configuration file and edit it to include the Elasticsearch password.
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/kibana_all_in_one.yml
# Edit the file and add the Elasticsearch password
# elasticsearch.password: <elasticsearch_password>
Create Kibana Data Directory: Create the Kibana data directory and set appropriate ownership.
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana
Install Wazuh Plugin for Kibana: Install the Wazuh plugin for Kibana from the URL below.
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.2_7.17.12-1.zip
Link Kibana's socket to privileged port 443:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Reload systemd to recognize the changes and enable/start Kibana.
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
Now you can access the web console of the Wazuh dashboard at:
https://<wazuh_server_ip/domain>
user: elastic
password: <PASSWORD_elastic>
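The plugin archive name above (wazuh_kibana-4.5.2_7.17.12-1.zip) carries the exact Kibana version it was built for, which is why Elasticsearch, Kibana and Filebeat are all pinned to 7.17.12 in this guide. The following check, added here as an example and not part of the Wazuh or Elastic tooling, compares those pins and, when they agree, puts the packages on hold so a routine apt upgrade cannot break them. The installed_version helper and the apt-mark hold step are assumptions about a Debian/Ubuntu host.

```shell
#!/bin/sh
# plugin_kibana_version <plugin_url_or_filename>
# Prints the Kibana version encoded in a Wazuh plugin archive name of the
# form wazuh_kibana-<wazuh>_<kibana>-<rev>.zip; prints nothing otherwise.
plugin_kibana_version() {
  printf '%s\n' "${1##*/}" |
    sed -n 's/^wazuh_kibana-[0-9.]*_\([0-9.]*\)-[0-9]*\.zip$/\1/p'
}

# stack_versions_consistent <plugin> <elasticsearch> <kibana> <filebeat>
# Returns 0 when the three package versions are identical and match the
# Kibana version the plugin was built for, 1 otherwise.
stack_versions_consistent() {
  want=$(plugin_kibana_version "$1")
  [ -n "$want" ] || return 1
  for v in "$2" "$3" "$4"; do
    [ "$v" = "$want" ] || return 1
  done
  return 0
}

# installed_version <debian_package>
# Upstream version of an installed package, e.g. 7.17.12, with any Debian
# revision suffix such as "-1" stripped (assumed helper for Debian/Ubuntu).
installed_version() {
  dpkg-query -W -f '${Version}\n' "$1" 2>/dev/null | sed 's/-[^-]*$//'
}

# check_and_hold
# Runs the consistency check against the live host using the plugin URL
# from the step above and, on success, freezes the three packages.
check_and_hold() {
  plugin='https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.2_7.17.12-1.zip'
  if stack_versions_consistent "$plugin" \
       "$(installed_version elasticsearch)" \
       "$(installed_version kibana)" \
       "$(installed_version filebeat)"; then
    apt-mark hold elasticsearch kibana filebeat
  else
    echo "version mismatch between the Wazuh plugin and the installed stack" >&2
    return 1
  fi
}
```

check_and_hold needs root for apt-mark; release the hold with apt-mark unhold before a deliberate, coordinated upgrade of all three packages and the plugin.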
Wazuh agent installation
You can also deploy a new agent by following the instructions in the Wazuh dashboard. Go to Wazuh > Agents and click Deploy new agent; the Wazuh dashboard then shows you the steps to deploy a new agent.
After you provide details such as the operating system of the system you need to monitor, it generates the command you need to run on that system.
To monitor the Kubernetes nodes with the Wazuh agent, install the agent on the Kubernetes nodes.
For example, if your Kubernetes nodes run Amazon Linux, the installation command looks like:
WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
You can set different deployment variables while installing the agent, as your requirements dictate; the full list is available at https://documentation.wazuh.com/current/user-manual/deployment-variables/deployment-variables-linux.html
Provide your server's IP or FQDN instead of 10.0.0.2.
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Now your Kubernetes nodes can be monitored using Wazuh.