Installing CentOS 9 on VMware ESXi and building and installing Wazuh 4.8
1. Check the network status and configure a static IP
1) Show the current network connections

nmcli connection show

2) Modify the connection configuration (set a static IP); `nmcli con mod ens160` edits the connection named ens160

nmcli con mod ens160 ipv4.addresses 192.168.1.100/24
nmcli con mod ens160 ipv4.gateway 192.168.1.1
nmcli con mod ens160 ipv4.dns 8.8.8.8,1.1.1.1
nmcli con mod ens160 ipv4.method manual
nmcli con mod ens160 connection.autoconnect yes

3) Restart NetworkManager so the configuration takes effect

sudo systemctl restart NetworkManager

4) Remove a secondary IP address (here 192.168.0.180 is the secondary IP; the leading "-" removes that value from the property)

nmcli connection modify ens192 -ipv4.addresses 192.168.0.180/24

5) Apply the change

nmcli connection down ens192
nmcli connection up ens192
2. Enable SSH
1) Check whether the SSH server is installed

rpm -q openssh-server

2) Install the SSH server

dnf install -y openssh-server

3) Start sshd and enable it at boot

systemctl start sshd
systemctl enable sshd
systemctl status sshd

4) Allow SSH through the firewall

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
firewall-cmd --list-services

5) Basic sshd configuration: edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config) and set

PermitRootLogin yes

then restart the service

systemctl restart sshd
3. Install the Wazuh build environment
1) Refresh the system packages

dnf update

2) Install the core development tools group

dnf groupinstall "Development Tools"

3) Install the libraries Wazuh depends on

dnf install openssl-devel pcre2-devel zlib-devel libcurl-devel

4) Install CMake and the remaining build dependencies

dnf install cmake gcc-c++ make openssl-devel pcre2-devel zlib-devel libcurl-devel
4. Install the Wazuh components with dnf
1) Install wazuh-manager 4.8 with DNF: first add the Wazuh 4.x repository

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
EOF

2) Install Wazuh manager 4.8

dnf install wazuh-manager-4.8.0 -y
5. Errors when building and installing Wazuh, and how to fix them
1) Build error

/analysisd/compiled_rules/register_rule.sh: Permission denied

2) Make the scripts executable

cd /path/to/wazuh-4.8.0
find . -name "*.sh" -exec chmod +x {} \;

3) Clean the previous build

./clean.sh

4) Run the installer again

./install.sh   # for the Manager
6. Open the wazuh-manager listening ports
1) Open the ports on the manager

firewall-cmd --add-port=1514/tcp --permanent
firewall-cmd --add-port=1515/tcp --permanent
firewall-cmd --add-port=55000/tcp --permanent
firewall-cmd --reload

2) Start the manager service

systemctl start wazuh-manager
systemctl status wazuh-manager

3) Set a registration password on the manager. The appended <auth> block has to sit inside its own <ossec_config> element: Wazuh rejects a bare <auth> element at the top level of ossec.conf as an invalid element.

bash -c 'cat >> /var/ossec/etc/ossec.conf << "EOF"
<ossec_config>
  <auth>
    <use_password>yes</use_password>
  </auth>
</ossec_config>
EOF'
echo 'YourStrongPassword!' | sudo tee /var/ossec/etc/authd.pass
chmod 640 /var/ossec/etc/authd.pass
chown root:wazuh /var/ossec/etc/authd.pass
systemctl restart wazuh-manager

4) Register from the command line (agent-auth); give the agent a unique hostname first

hostnamectl set-hostname your_new_hostname
/var/ossec/bin/agent-auth -m MANAGER_IP -A $(hostname -s) -P 'YourStrongPassword!'
systemctl restart wazuh-agent

5) Verify the registration (on the manager)

/var/ossec/bin/agent_control -l
7. Errors when registering an agent with the manager
1) Symptom: the agent's IP is not shown

Wazuh agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: centos9, IP: any, Active

2) Back up the manager configuration

cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.backup

3) On the Manager, edit /var/ossec/etc/ossec.conf and enable registration by source IP:

<ossec_config>
  <auth>
    <use_source_ip>yes</use_source_ip>
  </auth>
</ossec_config>

4) Restart the Manager:

systemctl restart wazuh-manager

5) Remove the old agent record

/var/ossec/bin/agent_control -l
/var/ossec/bin/manage_agents -r <OLD_ID>

6) On the Agent, remove the old key and register again

systemctl stop wazuh-agent
rm -f /var/ossec/etc/client.keys
/var/ossec/bin/agent-auth -m <MANAGER_IP> -A <UNIQUE_NAME>
systemctl start wazuh-agent
8. Configure SSL certificates on wazuh-manager
1) Download the certificate tool and its configuration file

curl -sO https://packages.wazuh.com/4.x/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.x/config.yml

2) Edit config.yml and declare the nodes. For a single Indexer and a single Manager, remove the extra nodes and replace the IPs. The node names become the certificate file names (<name>.pem, <name>-key.pem), so they must match the files extracted in the later sections:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: indexer-node
      ip: "<INDEXER_IP>"
  # Wazuh server nodes
  server:
    - name: manager-node
      ip: "<MANAGER_IP>"
  # Wazuh dashboard nodes (optional; comment out if no Dashboard is installed)
  dashboard:
    - name: dashboard-node
      ip: "<DASHBOARD_IP>"

3) Generate the certificates

bash ./wazuh-certs-tool.sh -A

4) Pack the certificate files:

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates

5) Copy wazuh-certificates.tar to the Indexer and Dashboard hosts with scp

scp wazuh-certificates.tar root@<INDEXER_IP>:~/
scp wazuh-certificates.tar root@<DASHBOARD_IP>:~/
9. Install wazuh-indexer on a second CentOS 9 host
1) Install wazuh-indexer 4.8 with DNF: first add the Wazuh 4.x repository

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
EOF

2) Install Wazuh Indexer 4.8

dnf install wazuh-indexer-4.8.0 -y

3) Configure /etc/wazuh-indexer/opensearch.yml

cluster.name: wazuh-cluster
node.name: indexer-node
network.host: 0.0.0.0                  # or the specific <INDEXER_IP>
discovery.seed_hosts: []               # empty for a single node
cluster.initial_master_nodes:
  - "indexer-node"
plugins.security.ssl.transport.pemcert_filepath: certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
plugins.security.allow_unsafe_democertificates: false   # keep false in production
# These DNs must match the full subject of the certificates generated by wazuh-certs-tool.sh
plugins.security.nodes_dn:
  - "CN=indexer-node,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.authcz.admin_dn:
  - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

4) Deploy the certificates

mkdir -p /etc/wazuh-indexer/certs
tar -xf ~/wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./indexer-node.pem ./indexer-node-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv /etc/wazuh-indexer/certs/indexer-node.pem /etc/wazuh-indexer/certs/indexer.pem
mv /etc/wazuh-indexer/certs/indexer-node-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

5) Enable and start the service:

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

6) Initialize the Indexer security configuration

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

7) Set the passwords (random passwords are generated; record them, Filebeat and the Dashboard need them):

curl -so /usr/share/wazuh-indexer/bin/wazuh-passwords-tool.sh https://packages.wazuh.com/4.x/wazuh-passwords-tool.sh
bash /usr/share/wazuh-indexer/bin/wazuh-passwords-tool.sh -a -v

This prints each user name (e.g. admin) with its new password; the default admin/admin is replaced by the new password.

8) Verify that the Manager can reach the Indexer; the call should return the cluster information:

curl -XGET https://<INDEXER_IP>:9200 -u admin:<NEW_PASSWORD> -k
10. Install Filebeat on wazuh-manager
1) Install Filebeat on the manager with DNF; wazuh.repo is configured as

[wazuh]
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1

2) Install filebeat

dnf install -y filebeat

3) Download the Filebeat configuration file

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.x/tpl/wazuh/filebeat/filebeat.yml

4) Configure Filebeat in /etc/filebeat/filebeat.yml

output.elasticsearch:
  hosts: ["https://<INDEXER_IP>:9200"]
  username: "admin"
  password: "<INDEXER_ADMIN_PASSWORD>"
  ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]

5) Create a keystore and add the credentials (without a keystore the password can be written directly into the yml as in step 4, but that is not recommended; the downloaded template reads them as ${username} and ${password}, and literal values in the yml leave the keystore entries unused):

filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo <INDEXER_ADMIN_PASSWORD> | filebeat keystore add password --stdin --force

6) Download the Filebeat alerts template and the Wazuh module

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.0/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module

7) Deploy the certificates (for Filebeat)

mkdir -p /etc/filebeat/certs
tar -xf ~/wazuh-certificates.tar -C /etc/filebeat/certs/ ./manager-node.pem ./manager-node-key.pem ./root-ca.pem
mv /etc/filebeat/certs/manager-node.pem /etc/filebeat/certs/filebeat.pem
mv /etc/filebeat/certs/manager-node-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

8) Enable and start the services

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl enable filebeat
systemctl start filebeat

9) Verify the connection

(1) Check the Manager log /var/ossec/logs/ossec.log for errors.
(2) Run `filebeat test output` to verify the connection to the Indexer.
(3) On the Indexer, list the indices and check that a wazuh-alerts index has been created:

curl -XGET https://<INDEXER_IP>:9200/_cat/indices -u admin:<PASSWORD> -k
11. Install wazuh-dashboard on another CentOS 9 host
1) Install the dashboard with DNF: add the Wazuh repository (same wazuh.repo as in section 9)

2) Install wazuh-dashboard

dnf install wazuh-dashboard-4.8.0 -y

3) Deploy the certificates

mkdir -p /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./dashboard-node.pem ./dashboard-node-key.pem ./root-ca.pem
mv /etc/wazuh-dashboard/certs/dashboard-node.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv /etc/wazuh-dashboard/certs/dashboard-node-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

4) Configure /etc/wazuh-dashboard/opensearch_dashboards.yml

server.host: 0.0.0.0                                 # listen on all interfaces
server.port: 443                                     # HTTPS port
opensearch.hosts: ["https://192.168.1.10:9200"]      # URL of the remote Indexer
opensearch.ssl.verificationMode: certificate         # certificate verification mode
opensearch.username: kibanaserver                    # default user (change in production)
opensearch.password: kibanaserver                    # default password (change in production)
server.ssl.enabled: true
server.ssl.key: certs/dashboard-key.pem
server.ssl.certificate: certs/dashboard.pem
opensearch.ssl.certificateAuthorities: ["certs/root-ca.pem"]
wazuh_api.url: "https://192.168.1.1:55000"           # Manager API
wazuh_api.username: "wazuh"                          # default API user, change later
wazuh_api.password: "wazuh"

5) Start wazuh-dashboard

systemctl start wazuh-dashboard

6) On the Dashboard host, test the connection to the Indexer

curl -k -u admin:admin https://INDEXERIP:9200

7) Open the Dashboard in a browser at https://DASHBOARDIP (default user name/password: admin/admin). After logging in you should see the data held in the Indexer (provided the Manager is pushing data).
12. Problems encountered when registering an agent
1) Background to the error

On the wazuh-agent, running

/var/ossec/bin/agent-auth -m 192.168.0.110 -A $(hostname -s) -P '1234'

to register the agent with the wazuh-manager at 192.168.0.110 produced

2025/09/08 14:10:24 agent-auth: ERROR: Duplicate IP: 192.168.0.150 (from manager)
2025/09/08 14:10:24 agent-auth: ERROR: Unable to add agent (from manager)

Running /var/ossec/bin/agent_control -l on the 110 server to check the registered agents showed:

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: centos9, IP: 192.168.0.120, Active
   ID: 003, Name: localhost.localdomain, IP: 192.168.0.150, Active

2) Fix: on 192.168.0.110 (Manager)

/var/ossec/bin/manage_agents -l          # list the agents and confirm the stale record 003
/var/ossec/bin/manage_agents -r 003      # remove exactly ID 003
grep -i "duplicate" /var/ossec/logs/ossec.log || true   # check that the Manager log shows no further duplicate warnings

3) On 192.168.0.150 (Agent)

sudo systemctl stop wazuh-agent
sudo rm -f /var/ossec/etc/client.keys        # remove the old locally bound key
sudo hostnamectl set-hostname suricata-150   # give the host a unique name

4) Register again and start the agent

sudo /var/ossec/bin/agent-auth -m 192.168.0.110 -A suricata-150 -P '1234'
sudo systemctl start wazuh-agent

5) On the Manager, verify that a new ID appears with status Active

/var/ossec/bin/agent_control -l
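The following script is an added example, not part of these notes: it parses the output format of `agent_control -l` shown in sections 7 and 12 and reports the two registration states those sections fix, agents recorded with IP `any` and IPs shared by more than one agent ID. The sample listing is constructed; `check_agent_ips` is an assumed helper name.

```shell
# Added example (not from the original notes). Parses the output format of
# /var/ossec/bin/agent_control -l (as shown in sections 7 and 12) and prints:
#   any <id> <name>        agent registered without a source IP (fix: use_source_ip, re-register)
#   dup <ip> <id1,id2,..>  IP shared by several agent IDs (fix: manage_agents -r <stale id>)
# On a manager:  /var/ossec/bin/agent_control -l | check_agent_ips

# Constructed sample listing; IDs, names and IPs are made up.
SAMPLE_AGENT_LIST='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: centos9, IP: any, Active
   ID: 002, Name: centos9-b, IP: 192.168.0.120, Active
   ID: 003, Name: localhost.localdomain, IP: 192.168.0.150, Active
   ID: 004, Name: suricata-150, IP: 192.168.0.150, Never connected'

check_agent_ips() {
    awk -F', ' '
        /^ *ID: / {
            id = $1;   sub(/^ *ID: /, "", id)
            name = $2; sub(/^Name: /, "", name)
            ip = $3;   sub(/^IP: /, "", ip)
            if (id == "000") next                     # the manager itself
            if (ip == "any") { print "any " id " " name; next }
            if (ip in ids) ids[ip] = ids[ip] "," id; else ids[ip] = id
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > 1) print "dup " ip " " ids[ip] }
    ' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AGENT_LIST" | check_agent_ips
```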
13. Suricata alerts from the agent do not reach the manager
1) Check whether the Manager has received any events from that Agent. Wazuh writes every received log (whether or not it triggered an alert) to the local archive file archives.json, so start there to confirm the link is not broken:

sudo tail -n 300 /var/ossec/logs/archives/archives.json | grep -i suricata | tail

or

sudo grep -F '"event_type":"alert"' /var/ossec/logs/archives/archives.json | tail

If events show up, the Agent→Manager leg is working.

2) If step 1 shows nothing, open /var/ossec/etc/ossec.conf and enable JSON archiving in <global>:

<ossec_config>
  <global>
    <logall>yes</logall>                 <!-- writes archives.log (plain text, optional) -->
    <logall_json>yes</logall_json>       <!-- writes archives.json (the one we want) -->
    <!-- keep jsonout_output set to yes so alerts.json keeps being written -->
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>

3) Restart the Manager

sudo systemctl restart wazuh-manager

4) Verify that the file exists and is being written

ls -lh /var/ossec/logs/archives/archives.json
sudo tail -n 50 /var/ossec/logs/archives/archives.json | head
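As an added example (not from these notes), the script below goes one step beyond the grep in step 1: it summarises archives.json per agent, counting Suricata events received and how many of them are alerts, so that "no events at all" (Agent→Manager leg) can be told apart from "events but no alerts" (Suricata side). The archive lines are constructed and `archives_suricata_report` is an assumed helper name.

```shell
# Added example (not from the original notes). Per-agent summary of Suricata
# events found in archives.json: total lines and how many carry event_type "alert".
# Usage on a manager:  archives_suricata_report /var/ossec/logs/archives/archives.json
archives_suricata_report() {
    awk '
        # keep only lines that came from Suricata (eve.json location or "suricata" in the line)
        index($0, "eve.json") == 0 && index($0, "suricata") == 0 { next }
        {
            name = "unknown"
            if (match($0, /"agent":[{]"id":"[0-9]+","name":"[^"]+"/)) {
                name = substr($0, RSTART, RLENGTH)
                sub(/.*"name":"/, "", name); sub(/"$/, "", name)
            }
            total[name]++
            if (index($0, "\"event_type\":\"alert\"") > 0) alerts[name]++
        }
        END {
            for (n in total)
                printf "agent=%s total=%d alerts=%d\n", n, total[n], alerts[n] + 0
        }
    ' "$@" | sort
}

# Constructed archives.json lines (layout follows the Wazuh JSON archive;
# agents, addresses and signatures are made up).
SAMPLE_ARCHIVES='{"timestamp":"2025-09-08T14:20:01.000+0800","agent":{"id":"002","name":"suricata-150"},"location":"/var/log/suricata/eve.json","data":{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED-SIG-1"}}}
{"timestamp":"2025-09-08T14:20:02.000+0800","agent":{"id":"002","name":"suricata-150"},"location":"/var/log/suricata/eve.json","data":{"event_type":"flow","src_ip":"10.0.0.5"}}
{"timestamp":"2025-09-08T14:20:03.000+0800","agent":{"id":"002","name":"suricata-150"},"location":"/var/log/suricata/eve.json","data":{"event_type":"alert","src_ip":"10.0.0.6","alert":{"signature":"CONSTRUCTED-SIG-2"}}}
{"timestamp":"2025-09-08T14:20:04.000+0800","agent":{"id":"003","name":"centos9"},"location":"/var/log/suricata/eve.json","data":{"event_type":"alert","src_ip":"10.0.0.7","alert":{"signature":"CONSTRUCTED-SIG-1"}}}
{"timestamp":"2025-09-08T14:20:05.000+0800","agent":{"id":"003","name":"centos9"},"location":"/var/log/secure","full_log":"sshd[1]: Accepted publickey for root"}'

# Stand-alone demo on the constructed sample (the /var/log/secure line is ignored).
printf '%s\n' "$SAMPLE_ARCHIVES" | archives_suricata_report
```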
14. wazuh-dashboard shows "Agent event queue is back to normal load"
1) Cause

This is an informational event from Wazuh's anti-flooding mechanism: it means the agent-side/server-side event buffer was briefly congested and has returned to normal. It is not an error. It usually means the event volume (for example Suricata alerts) spiked recently; one way to free space is to delete alerts stored in the Indexer.

2) On the Indexer (10.0.0.20), list the per-day indices and their sizes

curl -k -u admin:admin 'https://10.0.0.20:9200/_cat/indices/wazuh-alerts-4.x-*?v&s=store.size:desc'

3) Delete the alert index for one day (example: 2025-09-07):

curl -k -u admin:admin -X DELETE 'https://10.0.0.20:9200/wazuh-alerts-4.x-2025.09.07'
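An added example (not from these notes) that turns step 3's one-off DELETE into a date-based retention helper: `alert_indices_before` selects the daily `wazuh-alerts-4.x-YYYY.MM.DD` indices older than a cutoff from a listing read on stdin, and `purge_old_alert_indices` deletes them with the same `_cat/indices` and DELETE calls as above (dry run unless RUN=1). Both function names are assumed; the index list is constructed and the Indexer URL and credentials are placeholders.

```shell
# Added example (not from the original notes). Date-based retention for the
# daily wazuh-alerts-4.x-YYYY.MM.DD indices instead of hand-picking one day.

# Constructed index listing, as returned by _cat/indices?h=index (names made up).
SAMPLE_INDICES='wazuh-alerts-4.x-2025.09.05
wazuh-alerts-4.x-2025.09.06
wazuh-alerts-4.x-2025.09.07
wazuh-alerts-4.x-2025.09.08
wazuh-statistics-2025.09.08'

# Print the daily alert indices (read from stdin) strictly older than CUTOFF (YYYY-MM-DD).
# Non-alert indices and anything not matching the daily naming pattern are ignored.
alert_indices_before() {
    cutoff=$(printf '%s' "$1" | tr -d '-')            # 2025-09-07 -> 20250907
    grep -E '^wazuh-alerts-4\.x-[0-9]{4}\.[0-9]{2}\.[0-9]{2}$' |
    while IFS= read -r idx; do
        day=$(printf '%s' "${idx##*-}" | tr -d '.')   # 2025.09.05 -> 20250905
        if [ "$day" -lt "$cutoff" ]; then printf '%s\n' "$idx"; fi
    done
}

# Delete the selected indices on the Indexer; only prints the commands unless RUN=1.
# Usage: RUN=1 purge_old_alert_indices https://10.0.0.20:9200 admin:<PASSWORD> 2025-09-07
purge_old_alert_indices() {
    url=$1; creds=$2; cutoff=$3
    curl -sk -u "$creds" "$url/_cat/indices/wazuh-alerts-4.x-*?h=index" |
    alert_indices_before "$cutoff" |
    while IFS= read -r idx; do
        if [ "${RUN:-0}" = 1 ]; then
            curl -sk -u "$creds" -X DELETE "$url/$idx"; echo
        else
            echo "dry run: curl -k -u <creds> -X DELETE $url/$idx"
        fi
    done
}

# Stand-alone demo on the constructed listing (no network access).
printf '%s\n' "$SAMPLE_INDICES" | alert_indices_before 2025-09-07
```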
15. Remove the Wazuh components
dnf remove wazuh-agent -y
dnf remove wazuh-manager -y
dnf remove wazuh-indexer -y
dnf remove wazuh-dashboard -y
16. Error when installing wazuh-agent on the wazuh-manager host
Resolving the conflict between wazuh-agent and wazuh-manager on the manager host

1) See what is currently installed

rpm -qa | egrep 'wazuh-(manager|agent)'

2) Stop and remove the agent (if present)

systemctl stop wazuh-agent 2>/dev/null || true
dnf remove -y wazuh-agent || true

3) As a last resort, kill leftover manager processes (wazuh-apid/wazuh-clusterd run as python3)

for p in wazuh-analysisd wazuh-authd wazuh-db wazuh-monitord wazuh-logcollector \
         wazuh-syscheckd wazuh-modulesd wazuh-execd wazuh-apid wazuh-clusterd; do
    pkill -9 -f "$p" 2>/dev/null || true
done

4) Clean up stale pid/socket files (if the directory exists)

rm -f /var/ossec/var/run/*.pid /var/ossec/var/run/*.sock 2>/dev/null || true
17. Log storage on wazuh-manager, wazuh-indexer and wazuh-dashboard
1) Check the Manager's local logs

tail -f /var/ossec/logs/alerts/alerts.json
ls -lh /var/ossec/logs/alerts/

2) Check Indexer storage

curl -k -u admin:password "https://localhost:9200/_cat/indices?v"
curl -k -u admin:password "https://localhost:9200/_cat/indices/wazuh-alerts-*?v&s=index"
curl -k -u admin:password "https://localhost:9200/_cat/indices/wazuh-*?v&s=store.size:desc"
du -sh /var/lib/wazuh-indexer/

3) Check the Dashboard connection

tail -f /var/log/wazuh-dashboard/wazuh-dashboard.log
curl -k -u wazuh-dashboard:password https://localhost:5601/api/status