Installing the Wazuh Security Management Platform (Docker)

  • Installation environment
    • VM: 2 vCore / 4 GB RAM / 60 GB SSD
    • OS: Ubuntu 22.04 LTS
  • Set the required kernel parameter

    sysctl -w vm.max_map_count=262144
    echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
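
Appending to /etc/sysctl.conf as above works once, but re-running the notes leaves a second vm.max_map_count line behind. The script below is an added example (not from the original page) that makes the persistence step idempotent: it rewrites an existing assignment in place and only appends when the key is absent. It assumes GNU sed, as shipped on Ubuntu; the file name persist-sysctl.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: persist a sysctl setting without
# appending a duplicate line every time the install notes are re-run.
# Usage: persist_sysctl <conf-file> <key> <value>   (GNU sed assumed, as on Ubuntu)

persist_sysctl() {
    conf="$1"; key="$2"; value="$3"
    # Escape the dots in keys such as vm.max_map_count for use in a regex
    escaped=$(printf '%s' "$key" | sed 's/\./\\./g')
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^[[:space:]]*$escaped[[:space:]]*=" "$conf"; then
        # Key already present: rewrite the assignment in place
        sed -i "s|^[[:space:]]*$escaped[[:space:]]*=.*|$key = $value|" "$conf"
    else
        # Key absent: append it, matching the file's "key = value" style
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# Read back the persisted value (last assignment wins, as sysctl itself does)
sysctl_conf_value() {
    conf="$1"; key="$2"
    escaped=$(printf '%s' "$key" | sed 's/\./\\./g')
    grep "^[[:space:]]*$escaped[[:space:]]*=" "$conf" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Apply the setting to the running kernel and persist it, as the notes above do
apply_max_map_count() {
    conf="${1:-/etc/sysctl.conf}"
    sysctl -w vm.max_map_count=262144
    persist_sysctl "$conf" vm.max_map_count 262144
}

# Run as root to apply on this host:  sh persist-sysctl.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_max_map_count
fi
```

The functions take the config file path as a parameter so they can be exercised on a scratch copy before touching /etc/sysctl.conf; sysctl_conf_value reads back what was written, which is the check to run before rebooting.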

  • Install Wazuh v4.7.0

    git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0
    cd wazuh-docker/single-node/
    docker compose -f generate-indexer-certs.yml run --rm generator
    sudo ls -lt config/wazuh_indexer_ssl_certs/
    docker compose up -d

  • You can then open https://server-ip and log in (admin / SecretPassword)
  • Where other documents say to edit /var/ossec/etc/ossec.conf, in this Docker setup edit ~/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf instead, then restart docker compose

Installing the Agent

  • Example Wazuh server IP: 10.20.2.38

Ubuntu / Debian

    apt install lsb-release && wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb && WAZUH_MANAGER='10.20.2.38' dpkg -i ./wazuh-agent_4.7.0-1_amd64.deb
    systemctl daemon-reload
    systemctl enable wazuh-agent
    systemctl restart wazuh-agent

Alpine

    wget -O /etc/apk/keys/alpine-devel@wazuh.com-633d7457.rsa.pub https://packages.wazuh.com/key/alpine-devel%40wazuh.com-633d7457.rsa.pub
    echo "https://packages.wazuh.com/4.x/alpine/v3.12/main" >> /etc/apk/repositories
    apk update
    apk add wazuh-agent
    export WAZUH_MANAGER="10.20.2.38" && sed -i "s|MANAGER_IP|$WAZUH_MANAGER|g" /var/ossec/etc/ossec.conf
    /var/ossec/bin/wazuh-control start
    sed -i "s|^https://packages.wazuh.com|#https://packages.wazuh.com|g" /etc/apk/repositories

Modifying Agent-side settings

  • Main Linux Agent installation path: /var/ossec
  • Edit the ossec.conf file → /var/ossec/etc/ossec.conf
  • Restart the Agent after editing

    systemctl restart wazuh-agent
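
The Alpine steps above replace the MANAGER_IP placeholder with sed, which does nothing once the placeholder is gone, and the edit-then-restart step gives no way to confirm what the agent will actually use. The script below is an added example (not from the original page or the Wazuh project) that sets the manager address in ossec.conf whether the placeholder or an earlier address is present, rejects input that would break the XML, and reads the value back before you restart the agent. It assumes the <client><server><address> layout used in the agent's ossec.conf; SAMPLE_CONF is a constructed fragment for testing, not a file from the page.

```shell
#!/bin/sh
# Added example, not from the original page or the Wazuh project: point an
# agent's ossec.conf at the manager and verify the result before restarting.
# Assumes the <client><server><address> element layout of the agent config.

# Constructed sample of the relevant ossec.conf fragment as shipped on a
# fresh install, placeholder not yet replaced (for testing only).
SAMPLE_CONF='<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>'

# Accept an IPv4 literal or a plain hostname; anything else could break the XML
valid_manager() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Read the configured manager address back (first <address> in the file)
manager_address() {
    sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# True while the package placeholder is still in place (agent cannot enroll)
placeholder_left() {
    grep -q '<address>MANAGER_IP</address>' "$1"
}

# set_manager_address <ossec.conf> <manager>
# Rewrites the <address> inside the <server> block, whether it holds the
# placeholder or an address set earlier, then confirms the read-back value.
set_manager_address() {
    conf="$1"; manager="$2"
    valid_manager "$manager" || { echo "invalid manager address: $manager" >&2; return 1; }
    sed -i "/<server>/,/<\/server>/ s|<address>[^<]*</address>|<address>$manager</address>|" "$conf"
    [ "$(manager_address "$conf")" = "$manager" ]
}

# Typical use on an agent (run as root), then restart the agent:
#   set_manager_address /var/ossec/etc/ossec.conf 10.20.2.38 && /var/ossec/bin/wazuh-control restart
```

Restricting the substitution to the <server> block keeps any other <address> elements in the file untouched, and the read-back at the end turns a silent no-op into a non-zero exit status.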

Removing the Agent

Ubuntu / Debian

    apt remove --purge wazuh-agent

  • tech/wazuh.txt
  • Last modified: 2024/05/18 07:43
  • jonathan