BonsaiiWazuh Manager Installation and Configuration Guide - Part 2
Overview
This guide continues from Part 1: Secure OpenSearch Installation, where we established a secure OpenSearch infrastructure with proper certificate management and SSL/TLS configuration. In this section, we'll deploy and configure Wazuh Manager 4.12, integrating it securely with our existing OpenSearch indexer to create a comprehensive Security Information and Event Management (SIEM) solution.
Prerequisites
Before proceeding, ensure you have completed Part 1 of this guide, which includes:
- ✅ AVX processor support verification
- ✅ Custom Certificate Authority (CA) creation
- ✅ OpenSearch 2.15.0 installation and secure configuration
- ✅ SSL/TLS certificate deployment
- ✅ Wazuh certificate generation using
wazuh-certs-tool.sh
Wazuh Manager Installation
System Prerequisites
Wazuh Manager requires specific packages for secure repository access and cryptographic operations. Install the necessary dependencies:
# Install required packages for secure repository access
apt-get install gnupg apt-transport-httpsPackage Functions:
- gnupg: Provides GPG functionality for package signature verification
- apt-transport-https: Enables secure HTTPS transport for APT repositories
Repository Configuration
Import Wazuh GPG Key
Security best practices mandate verifying package integrity through cryptographic signatures. Import the official Wazuh GPG key:
# Import Wazuh GPG key with proper keyring management
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpgSecurity Note: The --no-default-keyring flag ensures the key is stored in a dedicated keyring, maintaining separation from other system keys and reducing the attack surface.
Add Wazuh Repository
Configure the official Wazuh 4.x repository for stable releases:
# Add Wazuh repository with GPG signature verification
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.listUpdate Package Cache
Refresh the local package database to include Wazuh components:
# Update package information from all configured repositories
apt-get updateWazuh Manager Installation
Install Wazuh Manager version 4.12, which provides optimal compatibility with OpenSearch 2.15.0:
# Install Wazuh Manager with automatic dependency resolution
apt-get -y install wazuh-managerInstallation Components:
- Wazuh Manager: Core security monitoring and analysis engine
- OSSEC Framework: Underlying intrusion detection system
- Log Analysis Engine: Real-time log processing and correlation
- File Integrity Monitoring: System file change detection
- Rootkit Detection: Advanced malware detection capabilities
Certificate Deployment and Configuration
SSL/TLS Certificate Installation
Deploy the certificates generated in Part 1 to secure communication between Wazuh Manager and OpenSearch:
# Define node name matching the certificate generation configuration
NODE_NAME=wazuh-1
# Create certificate directory with appropriate security permissions
mkdir /var/ossec/etc/certs
# Extract certificates for the Wazuh Manager node
tar -xf ./wazuh-certificates.tar -C /var/ossec/etc/certs ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# Rename certificates for standardized configuration management
mv -n /var/ossec/etc/certs/$NODE_NAME.pem /var/ossec/etc/certs/manager.pem
mv -n /var/ossec/etc/certs/$NODE_NAME-key.pem /var/ossec/etc/certs/manager-key.pem
# Apply secure permissions following the principle of least privilege
chmod 500 /var/ossec/etc/certs/ # Directory: read and execute for owner only
chmod 400 /var/ossec/etc/certs/* # Files: read-only for owner
chown -R root:root /var/ossec/etc/certs/ # Ensure root ownershipSecurity Rationale:
- Directory Permissions (500): Prevents unauthorized access while allowing certificate reading
- File Permissions (400): Read-only access prevents accidental modification or deletion
- Root Ownership: Ensures certificates can only be modified by privileged users
Secure Indexer Integration
Credential Management
Wazuh Manager requires secure credentials to authenticate with OpenSearch for vulnerability detection and log indexing. Use the built-in keystore for secure credential storage:
# Store OpenSearch credentials in Wazuh keystore
echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k passwordSecurity Best Practices:
- Replace
<INDEXER_USERNAME>with a dedicated service account (e.g.,wazuh-indexer) - Replace
<INDEXER_PASSWORD>with a strong password meeting organizational policies - Consider using automated credential rotation mechanisms
- Implement role-based access control (RBAC) in OpenSearch for the service account
Recommended OpenSearch User Permissions:
# Create dedicated user in OpenSearch for Wazuh integration
# Grant minimum required permissions: index creation, document indexing, searchManager Configuration
Configure Wazuh Manager to integrate securely with OpenSearch by modifying /var/ossec/etc/ossec.conf:
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://bonsaii.local:9200</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/var/ossec/etc/certs/root-ca.pem</ca>
</certificate_authorities>
<certificate>/var/ossec/etc/certs/manager.pem</certificate>
<key>/var/ossec/etc/certs/manager-key.pem</key>
</ssl>
</indexer>Configuration Breakdown:
<enabled>yes</enabled>: Activates OpenSearch integration for log indexing and vulnerability detection<host>https://bonsaii.local:9200</host>: Specifies the secure HTTPS endpoint of your OpenSearch instance<certificate_authorities>: Defines the trusted CA for certificate validation<certificate>and<key>: Client certificate and private key for mutual TLS authentication
Security Considerations:
- The configuration enforces mutual TLS (mTLS) authentication
- Certificate validation prevents man-in-the-middle attacks
- Encrypted communication protects sensitive security data in transit
Service Management and Startup
Service Activation
Configure Wazuh Manager for automatic startup and initialize the service:
# Reload systemd configuration to recognize new service files
systemctl daemon-reload
# Enable Wazuh Manager for automatic startup at boot
systemctl enable wazuh-manager
# Start the Wazuh Manager service
systemctl start wazuh-managerService Verification
Verify successful service startup and review initial logs:
# Check service status and recent activity
systemctl status wazuh-manager
# Monitor real-time logs for startup messages and errors
tail -f /var/ossec/logs/ossec.log
# Verify network connectivity to OpenSearch
tail -f /var/ossec/logs/ossec.log | grep -i indexerExpected Log Indicators:
- Successful SSL/TLS certificate loading
- Established connection to OpenSearch indexer
- Active vulnerability detection module
- File integrity monitoring initialization
Version Management and Security Maintenance
Package Version Locking
Prevent automatic updates that could introduce compatibility issues or security vulnerabilities:
# Lock Wazuh Manager at current version
sudo apt-mark hold wazuh-managerVersion Management Strategy:
- Maintain compatibility with OpenSearch 2.15.0
- Implement controlled update procedures with testing environments
- Monitor Wazuh security advisories for critical patches
- Establish rollback procedures for failed updates
Integration Verification
Connectivity Testing
Verify the secure connection between Wazuh Manager and OpenSearch:
# Check OpenSearch indices for Wazuh data
curl -X GET "https://bonsaii.local:9200/_cat/indices/wazuh*" -u 'admin:<your-secure-password>' --insecure
# Verify Wazuh agent enrollment capability
/var/ossec/bin/manage_agentsLog Analysis Verification
Confirm that Wazuh Manager is successfully processing and indexing security events:
# Monitor incoming events in real-time
tail -f /var/ossec/logs/ossec.log | grep -E "(Received|Indexed)"
# Check for vulnerability detection activity
grep -i "vulnerability" /var/ossec/logs/ossec.logSecurity Hardening Recommendations
Network Security
- Firewall Configuration: Restrict access to Wazuh Manager ports (1514/udp, 1515/tcp)
- Network Segmentation: Isolate security infrastructure in dedicated VLANs
- Access Control: Implement IP-based access restrictions where possible
Authentication and Authorization
- Service Accounts: Use dedicated service accounts with minimal privileges
- Certificate Rotation: Implement automated certificate renewal processes
- Access Logging: Enable comprehensive audit trails for all administrative actions
Monitoring and Alerting
- Service Monitoring: Implement health checks for Wazuh Manager service
- Performance Metrics: Monitor resource utilization and processing capacity
- Security Alerts: Configure alerts for certificate expiration and service failures
Troubleshooting Common Issues
Certificate-Related Problems
# Verify certificate validity and expiration
openssl x509 -in /var/ossec/etc/certs/manager.pem -noout -text
# Check certificate chain validation
openssl verify -CAfile /var/ossec/etc/certs/root-ca.pem /var/ossec/etc/certs/manager.pemConnectivity Issues
# Test OpenSearch connectivity from Wazuh Manager
curl -X GET "https://bonsaii.local:9200" --cert /var/ossec/etc/certs/manager.pem --key /var/ossec/etc/certs/manager-key.pem --cacert /var/ossec/etc/certs/root-ca.pem
# Check DNS resolution
nslookup bonsaii.localService Startup Problems
# Detailed service status with recent logs
systemctl status wazuh-manager -l
# Check for configuration syntax errors
/var/ossec/bin/ossec-control startNext Steps
With Wazuh Manager successfully installed and configured, your security infrastructure now includes:
- ✅ Secure OpenSearch indexer (Part 1)
- ✅ Wazuh Manager with vulnerability detection
- ✅ Encrypted communication channels
- ✅ Proper certificate management
Upcoming Components:
- Part 3: Wazuh Dashboard installation and configuration
- Part 4: Agent deployment and management
- Part 5: Rule customization and threat detection tuning
Conclusion
This installation establishes a secure, production-ready Wazuh Manager that integrates seamlessly with your OpenSearch infrastructure. The implementation follows security best practices including proper certificate management, encrypted communications, and principle of least privilege access controls. Regular monitoring and maintenance of this infrastructure will ensure optimal security posture for your organization's threat detection and response capabilities.
For production environments, consider implementing additional security measures such as log retention policies, backup procedures, and disaster recovery planning to ensure business continuity and compliance with regulatory requirements.