This role installs and configures Wazuh Manager and the Wazuh API. Several variables let you customize the installation or configuration, for example:

- json_output: enables or disables JSON output (default: yes)
- email_notification: enables email notifications (default: no)
- mail_to: email notification recipients (array, default: admin@example.net)
- mail_smtp_server: SMTP server used for email notifications (default: localhost)
- mail_from: email notification sender (default: ossec@example.com)

You can set up the usage of this role by creating a YAML file, wazuh-manager.yml:

    - hosts: wazuh-manager
      roles:
        - ansible-wazuh-manager
        - ansible-role-filebeat

Setting the variables in a separate YAML file is recommended when configuring the installation. For this example we used vars-production.yml:

    filebeat_output_logstash_hosts: '10.1.1.11:5000'

    wazuh_manager_fqdn: "wazuh-server"

    wazuh_manager_config:
      json_output: 'yes'
      alerts_log: 'yes'
      logall: 'no'
      log_format: 'plain'
      connection:
        - type: 'secure'
          port: '1514'
          protocol: 'tcp'
      authd:
        enable: true
        port: 1515
        use_source_ip: 'no'
        force_insert: 'no'
        force_time: 0
        purge: 'no'
        use_password: 'no'
        ssl_agent_ca: null
        ssl_verify_host: 'no'
        ssl_manager_cert: null
        ssl_manager_key: null
        ssl_auto_negotiate: 'no'

You can configure the Wazuh API user credentials in the file ansible-wazuh-manager/vars/wazuh_api_creds.yml, located on your Ansible control server. The credentials are in htpasswd format:

    # Be sure you encrypt this file with ansible-vault
    wazuh_api_user:
      - foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
      - bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1

You can also configure agentless host credentials in the file ansible-wazuh-manager/vars/agentless_creeds.yml. Define as many entries as you need:

    # Be sure you encrypt this file with ansible-vault.
    agentless_creeds:
      - type: ssh_integrity_check_linux
        frequency: 3600
        host: root@example1.net
        state: periodic
        arguments: '/bin /etc/ /sbin'
        passwd: qwerty
      - type: ssh_integrity_check_bsd
        frequency: 3600
        host: user@example2.net
        state: periodic
        arguments: '/bin /etc/ /sbin'
        passwd: qwerty

The authd service password can be set in the file ansible-wazuh-manager/vars/authd_pass.yml:

    # Be sure you encrypt this file with ansible-vault
    authd_pass: foobar

Warning
We recommend the use of Ansible Vault to protect Wazuh API and agentless credentials.
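
One way to enforce this before the playbook runs, as an added example that is not part of the Wazuh role or its documentation. The function names and the role directory argument are assumptions, and the check relies on the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes as the first line of an encrypted file.

```shell
#!/bin/sh
# Added example: pre-flight check for the three credential files on this page.
# Assumes each file is encrypted whole with `ansible-vault encrypt <file>`, so
# its first line is a "$ANSIBLE_VAULT;" header; inline `!vault` values inside
# an otherwise plaintext file are not recognised and count as plaintext.

# Paths from the page, relative to the ansible-wazuh-manager role directory.
VAULT_FILES="vars/wazuh_api_creds.yml vars/agentless_creeds.yml vars/authd_pass.yml"

# is_vaulted FILE: succeeds if the first line is an Ansible Vault header.
is_vaulted() {
    iv_first=
    IFS= read -r iv_first < "$1" || :
    case $iv_first in
        '$ANSIBLE_VAULT;'*) return 0 ;;
    esac
    return 1
}

# check_role_secrets ROLE_DIR: prints one status line per file and returns
# the number of files that exist but are stored in plaintext.
check_role_secrets() {
    crs_bad=0
    for crs_rel in $VAULT_FILES; do
        if [ ! -f "$1/$crs_rel" ]; then
            echo "missing    $crs_rel"
        elif is_vaulted "$1/$crs_rel"; then
            echo "encrypted  $crs_rel"
        else
            echo "PLAINTEXT  $crs_rel"
            crs_bad=$((crs_bad + 1))
        fi
    done
    return "$crs_bad"
}

# guarded_run ROLE_DIR COMMAND...: runs COMMAND only if nothing is plaintext.
# Usage: guarded_run ansible-wazuh-manager ansible-playbook wazuh-manager.yml \
#            -e@vars-production.yml --ask-vault-pass
guarded_run() {
    gr_role=$1
    shift
    if ! check_role_secrets "$gr_role" >&2; then
        echo "refusing to run: encrypt the PLAINTEXT files with ansible-vault" >&2
        return 1
    fi
    "$@"
}
```

Files reported as missing are not treated as failures, since each credential file is optional.
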

Next, run the playbook:

    $ ansible-playbook wazuh-manager.yml -e@vars-production.yml

The example above installs Wazuh Manager and Filebeat. Filebeat is configured to forward data to 10.1.1.11:5000 as the Logstash node. The playbook also sets the agentless host configurations, including their credentials, and configures the Wazuh API and authd.
Please review the references section to see all variables available for this role.