Release 4.6.0 - Beta 1 - E2E UX tests - Deployment on docker #19148

Closed
1 of 2 tasks
havidarou opened this issue Sep 22, 2023 · 4 comments
havidarou commented Sep 22, 2023

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production; always navigate using the current development documentation for the stage under test.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent(s) deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the CICD team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the CICD team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing/publication objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/cicd team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Deployment on docker | Single node and multi node | - |
| Server | Deployment on docker | Single node and multi node | - |
| Dashboard | Deployment on docker | - | - |
| Agent | Wazuh WUI one-liner deploy using IP | - | Amazon Linux 2 aarch64 |

Test description

Test deployment of Docker repository.

  • Test the installation guide in detail for both a single-node and a multi-node Wazuh cluster
  • Test changing the passwords

Documentation: https://documentation-dev.wazuh.com/v4.6.0-beta1/deployment-options/docker/index.html

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below, removing current examples:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟢 | Single node deployment | - | - |
| 🟢 | Multi node deployment | - | - |
| 🟢 | Change of password | - | - |
| 🟢 | Agent enrolment | - | - |

Feedback

I would suggest that the testing guide contains information about how to edit the docker-compose.yml file to include the correct version for testing. This will make the process seamless for the tester.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

AwwalQuan commented Sep 26, 2023

Single node deployment 🟢

Clone the repository

[centos@centos8 ~]$ git clone https://github.com/wazuh/wazuh-docker.git -b v4.6.0-beta1
Cloning into 'wazuh-docker'...
remote: Enumerating objects: 11242, done.
remote: Counting objects: 100% (1281/1281), done.
remote: Compressing objects: 100% (639/639), done.
remote: Total 11242 (delta 686), reused 1122 (delta 571), pack-reused 9961
Receiving objects: 100% (11242/11242), 313.99 MiB | 12.81 MiB/s, done.
Resolving deltas: 100% (5759/5759), done.
Note: switching to '958e466682a0547d30de12bcd48ae683c4252228'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

Deploy the Wazuh central components 🟢

Navigate to the single node directory

[centos@centos8 ~]$ cd wazuh-docker/single-node/

Generate a self-signed certificate

[centos@centos8 single-node]$ docker-compose -f generate-indexer-certs.yml run --rm generator
Creating network "single-node_default" with the default driver
Pulling generator (wazuh/wazuh-certs-generator:0.0.1)...
0.0.1: Pulling from wazuh/wazuh-certs-generator
edaedc954fb5: Pull complete
573f4d11a520: Pull complete
8f200922197d: Pull complete
55a86de68c5c: Pull complete
Digest: sha256:ea8b03a68be67bae0e164d82b232eae54dd132c2aacd8d3118ba8705df9364a4
Status: Downloaded newer image for wazuh/wazuh-certs-generator:0.0.1
Creating single-node_generator_run ... done
The tool to create the certificates exists in the in Packages bucket
26/09/2023 05:44:01 INFO: Admin certificates created.
26/09/2023 05:44:02 INFO: Wazuh indexer certificates created.
26/09/2023 05:44:02 INFO: Wazuh server certificates created.
26/09/2023 05:44:02 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker

Edit docker-compose.yml and add the tag 4.6.0-beta1 on all the manager, indexer, and dashboard images

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.6.0-beta1
    hostname: wazuh.manager
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.6.0-beta1
    hostname: wazuh.indexer
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.6.0-beta1
    hostname: wazuh.dashboard
    restart: always
    ports:
      - 443:5601
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      - wazuh.indexer
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager

volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  wazuh-dashboard-config:
  wazuh-dashboard-custom:

Start the Wazuh single-node deployment in the background

[centos@centos8 single-node]$ docker-compose up -d
Creating volume "single-node_wazuh_api_configuration" with default driver
Creating volume "single-node_wazuh_etc" with default driver
Creating volume "single-node_wazuh_logs" with default driver
Creating volume "single-node_wazuh_queue" with default driver
Creating volume "single-node_wazuh_var_multigroups" with default driver
Creating volume "single-node_wazuh_integrations" with default driver
Creating volume "single-node_wazuh_active_response" with default driver
Creating volume "single-node_wazuh_agentless" with default driver
Creating volume "single-node_wazuh_wodles" with default driver
Creating volume "single-node_filebeat_etc" with default driver
Creating volume "single-node_filebeat_var" with default driver
Creating volume "single-node_wazuh-indexer-data" with default driver
Creating volume "single-node_wazuh-dashboard-config" with default driver
Creating volume "single-node_wazuh-dashboard-custom" with default driver
Pulling wazuh.manager (wazuh/wazuh-manager:4.6.0-beta1)...
4.6.0-beta1: Pulling from wazuh/wazuh-manager
edaedc954fb5: Already exists
ca2aba6431cf: Pull complete
a8a06c4638ff: Pull complete
9ba19d5b951c: Pull complete
66d581bfef93: Pull complete
0d1df3c2d7a2: Pull complete
26eb08fb694c: Pull complete
845118c6ffea: Pull complete
189cb219b064: Pull complete
fb807959a356: Pull complete
d919dd249a5d: Pull complete
a8239a2a27d2: Pull complete
9d816b93ad5e: Pull complete
c50ed77c0c69: Pull complete
19c59f1262f7: Pull complete
c93238ef54c6: Pull complete
d15d2a490110: Pull complete
Digest: sha256:18b153a1783a6dced3b3dc3e0763826cbb446aeba118c98bb24bce0709c1fcfd
Status: Downloaded newer image for wazuh/wazuh-manager:4.6.0-beta1
Pulling wazuh.indexer (wazuh/wazuh-indexer:4.6.0-beta1)...
4.6.0-beta1: Pulling from wazuh/wazuh-indexer
edaedc954fb5: Already exists
c2d4e8422b2f: Pull complete
26ee7863050d: Pull complete
e432e71dfaba: Pull complete
8f10d385a6ad: Pull complete
9ad40d3ca823: Pull complete
6369ea9d8d8c: Pull complete
fa457dc57fc0: Pull complete
b893494495d8: Pull complete
797fe791b4d7: Pull complete
9f13eb44c294: Pull complete
3bfbb96af324: Pull complete
d7bdc60faedf: Pull complete
7fa7c0bd371a: Pull complete
Digest: sha256:2987054dd4a98704f515bb4697745ab5935705eb2a36401e67e52070a74a8d9b
Status: Downloaded newer image for wazuh/wazuh-indexer:4.6.0-beta1
Pulling wazuh.dashboard (wazuh/wazuh-dashboard:4.6.0-beta1)...
4.6.0-beta1: Pulling from wazuh/wazuh-dashboard
edaedc954fb5: Already exists
ec1926fbf417: Pull complete
5f8306d73e8b: Pull complete
c762c92fc349: Pull complete
b6133a4980cc: Pull complete
b97ec9c6f568: Pull complete
d5cf488a0e03: Pull complete
be7c0247d44e: Pull complete
0def70ea5046: Pull complete
c0933f891032: Pull complete
604c38b68144: Pull complete
14e98bf81296: Pull complete
Digest: sha256:05b0e7e22201d4da0b2e327a41a34a3b3043cc15539891bacbff22ccbcfc586c
Status: Downloaded newer image for wazuh/wazuh-dashboard:4.6.0-beta1
Creating single-node_wazuh.manager_1 ... done
Creating single-node_wazuh.indexer_1 ... done
Creating single-node_wazuh.dashboard_1 ... done

View running containers

[centos@centos8 single-node]$ docker ps
CONTAINER ID   IMAGE                                 COMMAND                  CREATED              STATUS              PORTS                                                                                                                                                           NAMES
29b9927bb40c   wazuh/wazuh-dashboard:4.6.0-beta1     "/entrypoint.sh"         About a minute ago   Up About a minute   443/tcp, 0.0.0.0:443->5601/tcp, :::443->5601/tcp                                                                                                                single-node_wazuh.dashboard_1
0e84cf18b99d   wazuh/wazuh-manager:4.6.0-beta1       "/init"                  About a minute ago   Up About a minute   0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp   single-node_wazuh.manager_1
04f236d344d6   wazuh/wazuh-indexer:4.6.0-beta1       "/entrypoint.sh open…"   About a minute ago   Up About a minute   0.0.0.0:9200->9200/tcp, :::9200->9200/tcp                                                                                                                       single-node_wazuh.indexer_1

The dashboard is accessible

Change password 🟢

Stop the deployment stack

[centos@centos8 single-node]$ docker-compose down
Stopping single-node_wazuh.dashboard_1 ... done
Stopping single-node_wazuh.manager_1   ... done
Stopping single-node_wazuh.indexer_1   ... done
Removing single-node_wazuh.dashboard_1 ... done
Removing single-node_wazuh.manager_1   ... done
Removing single-node_wazuh.indexer_1   ... done
Removing network single-node_default

Generate two hashes for the admin user and the kibanaserver user

[centos@centos8 single-node]$ docker run --rm -ti wazuh/wazuh-indexer:4.6.0-beta1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
[Password:]
$2y$12$QTvnraMJuJCy7JIrW6QiO.exTWryW28w/zVXxhM2s04sGNN82FJji
[centos@centos8 single-node]$ docker run --rm -ti wazuh/wazuh-indexer:4.6.0-beta1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
[Password:]
$2y$12$fKBTJT6NVVyWb9kbWClni.LfG.1vZpJk.sWalHyKWmZc9uikLgL9O

Open the config/wazuh_indexer/internal_users.yml and replace the hash for admin user and kibanaserver user

...
admin:
  hash: "$2y$12$QTvnraMJuJCy7JIrW6QiO.exTWryW28w/zVXxhM2s04sGNN82FJji"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$fKBTJT6NVVyWb9kbWClni.LfG.1vZpJk.sWalHyKWmZc9uikLgL9O"
  reserved: true
  description: "Demo kibanaserver user"
...

Edit docker-compose.yml and set the new password

Apply the changes

[centos@centos8 single-node]$ docker-compose up -d
Creating network "single-node_default" with the default driver
Creating single-node_wazuh.indexer_1 ... done
Creating single-node_wazuh.manager_1 ... done
Creating single-node_wazuh.dashboard_1 ... done

Enter the indexer container and run the securityadmin.sh script

[centos@centos8 single-node]$ docker exec -it single-node_wazuh.indexer_1 bash
wazuh-indexer@wazuh:~$ export INSTALLATION_DIR=/usr/share/wazuh-indexer
wazuh-indexer@wazuh:~$ CACERT=$INSTALLATION_DIR/certs/root-ca.pem
wazuh-indexer@wazuh:~$ KEY=$INSTALLATION_DIR/certs/admin-key.pem
wazuh-indexer@wazuh:~$ CERT=$INSTALLATION_DIR/certs/admin.pem
wazuh-indexer@wazuh:~$ export JAVA_HOME=/usr/share/wazuh-indexer/jdk
wazuh-indexer@wazuh:~$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/wazuh-indexer/opensearch-security/
Will update '/config' with /usr/share/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /usr/share/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /usr/share/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /usr/share/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /usr/share/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /usr/share/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /usr/share/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /usr/share/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /usr/share/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

The dashboard is accessible, and I successfully logged in with the new credentials.

Enroll agent 🟢

The endpoint details

[root@localhost ~]# uname -a
Linux localhost 4.14.322-244.539.amzn2.x86_64 #1 SMP Wed Aug 30 17:57:46 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Run the oneliner to install the agent

[root@localhost ~]# curl -o wazuh-agent-4.6.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.6.0-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.132.137' WAZUH_AGENT_NAME='AmazonLinux' rpm -ihv wazuh-agent-4.6.0-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9180k  100 9180k    0     0  2783k      0  0:00:03  0:00:03 --:--:-- 2783k
Preparing...                          ################################# [100%]
Updating / installing...
   1:wazuh-agent-4.6.0-1              ################################# [100%]

Start the agent

[root@localhost ~]# sudo systemctl daemon-reload
[root@localhost ~]# systemctl enable wazuh-agent
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-agent.service to /usr/lib/systemd/system/wazuh-agent.service.
[root@localhost ~]# sudo systemctl start wazuh-agent

The agent enrolled successfully
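
The two file edits this test does by hand, pinning the release tag in docker-compose.yml (the point raised under Feedback in the issue body) and swapping the bcrypt hashes into config/wazuh_indexer/internal_users.yml, plus a check for the default secrets the stock compose file ships with, as a POSIX shell script. This is an added example, not part of the issue or of the wazuh/wazuh-docker repository. The compose and internal_users.yml fragments it writes are constructed and cut down to the lines the helpers touch; the bcrypt hash it inserts is the one hash.sh printed earlier in this thread; it assumes the hashes are generated beforehand with hash.sh and never calls docker itself.

```shell
#!/bin/sh
# Added example, not part of the issue or of wazuh/wazuh-docker. Helpers for the
# two file edits the thread performs by hand: pinning every wazuh/* image in
# docker-compose.yml to the release tag under test, and replacing a user's bcrypt
# hash in internal_users.yml. It also counts the default secrets the stock compose
# file ships with, so a tester notices when the "set the new password" step was
# skipped. Assumption: hashes come from hash.sh as shown above; docker is never run.

# Rewrite "image: wazuh/<component>[:<anything>]" to "image: wazuh/<component>:<tag>".
# Non-Wazuh images (e.g. nginx:stable) are left alone.
pin_image_tags() {
  file=$1 tag=$2
  sed "s#\(image: *wazuh/[a-z-]*\)[^[:space:]]*#\1:$tag#" "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# Exit 0 only if every wazuh/* image carries exactly <tag>; print the offenders.
check_image_tags() {
  awk -v tag="$2" '
    $1 == "image:" && $2 ~ /^wazuh\// {
      if (split($2, p, ":") != 2 || p[2] != tag) { print "not pinned: " $0; bad = 1 }
    }
    END { exit bad }
  ' "$1"
}

# Count environment lines still carrying the defaults visible in this thread.
find_default_credentials() {
  grep -c -E 'INDEXER_PASSWORD=SecretPassword|DASHBOARD_PASSWORD=kibanaserver|API_PASSWORD=MyS3cr37P450r\.\*-' "$1" || true
}

# Replace the "hash:" line inside the "<user>:" stanza; other users are untouched.
set_user_hash() {
  file=$1
  awk -v user="$2" -v newhash="$3" '
    BEGIN { key = user ":" }
    $0 == key { in_user = 1; print; next }
    /^[^[:space:]]/ { in_user = 0 }
    in_user && $1 == "hash:" { print "  hash: \"" newhash "\""; next }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed fragments (not the repository files), reduced to the lines the
# helpers touch: one image untagged, two on an older tag, default secrets intact.
write_samples() {
  cat > "$1/docker-compose.yml" <<'EOF'
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.5.0
    environment:
      - INDEXER_PASSWORD=SecretPassword
      - API_PASSWORD=MyS3cr37P450r.*-
  wazuh.indexer:
    image: wazuh/wazuh-indexer
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.5.0
    environment:
      - DASHBOARD_PASSWORD=kibanaserver
  nginx:
    image: nginx:stable
EOF
  cat > "$1/internal_users.yml" <<'EOF'
admin:
  hash: "$2y$12$OLD_ADMIN_HASH"
  reserved: true
kibanaserver:
  hash: "$2y$12$OLD_KIBANASERVER_HASH"
  reserved: true
EOF
}

demo() {
  work=$(mktemp -d)
  write_samples "$work"
  echo "default secrets still in docker-compose.yml: $(find_default_credentials "$work/docker-compose.yml")"
  check_image_tags "$work/docker-compose.yml" 4.6.0-beta1 || echo "-> pinning"
  pin_image_tags "$work/docker-compose.yml" 4.6.0-beta1
  check_image_tags "$work/docker-compose.yml" 4.6.0-beta1 && echo "all wazuh/* images on 4.6.0-beta1"
  # Hash as printed by hash.sh earlier in this thread; the password behind it is not known here.
  set_user_hash "$work/internal_users.yml" admin '$2y$12$QTvnraMJuJCy7JIrW6QiO.exTWryW28w/zVXxhM2s04sGNN82FJji'
  sed -n '/^admin:/,/hash:/p' "$work/internal_users.yml"
  rm -r "$work"
}
demo
```

Run it from the single-node or multi-node directory against the real files by calling the helpers with those paths. A non-zero count from find_default_credentials after the "set the new password" step means the compose file still carries SecretPassword, kibanaserver or MyS3cr37P450r.*-, which is exactly the situation a password-change test should catch before securityadmin.sh is run.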

@AwwalQuan

Multi node deployment 🟢

Increase max_map_count on the Docker host

[centos@centos8 multi-node]$ sudo sysctl -w vm.max_map_count=262144
vm.max_map_count = 262144

Clone the repository

[centos@centos8 ~]$ git clone https://github.com/wazuh/wazuh-docker.git -b v4.6.0-beta1
Cloning into 'wazuh-docker'...
remote: Enumerating objects: 11242, done.
remote: Counting objects: 100% (1281/1281), done.
remote: Compressing objects: 100% (636/636), done.
remote: Total 11242 (delta 686), reused 1135 (delta 574), pack-reused 9961
Receiving objects: 100% (11242/11242), 313.99 MiB | 10.71 MiB/s, done.
Resolving deltas: 100% (5763/5763), done.
Note: switching to '958e466682a0547d30de12bcd48ae683c4252228'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

Deploying the Wazuh central components 🟢

[centos@centos8 ~]$ cd wazuh-docker/multi-node/

Generate self-signed certificate

[centos@centos8 multi-node]$ docker-compose -f generate-indexer-certs.yml run --rm generator
Creating network "multi-node_default" with the default driver
Pulling generator (wazuh/wazuh-certs-generator:0.0.1)...
0.0.1: Pulling from wazuh/wazuh-certs-generator
edaedc954fb5: Pull complete
573f4d11a520: Pull complete
8f200922197d: Pull complete
55a86de68c5c: Pull complete
Digest: sha256:ea8b03a68be67bae0e164d82b232eae54dd132c2aacd8d3118ba8705df9364a4
Status: Downloaded newer image for wazuh/wazuh-certs-generator:0.0.1
Creating multi-node_generator_run ... done
The tool to create the certificates exists in the in Packages bucket
26/09/2023 08:10:21 INFO: Admin certificates created.
26/09/2023 08:10:21 INFO: Wazuh indexer certificates created.
26/09/2023 08:10:21 INFO: Wazuh server certificates created.
26/09/2023 08:10:21 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker

Edit docker-compose.yml and add the tag 4.6.0-beta1 on all the manager, indexer, and dashboard images

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  wazuh.master:
    image: wazuh/wazuh-manager:4.6.0-beta1
    hostname: wazuh.master
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    ports:
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh1.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - master-wazuh-api-configuration:/var/ossec/api/configuration
      - master-wazuh-etc:/var/ossec/etc
      - master-wazuh-logs:/var/ossec/logs
      - master-wazuh-queue:/var/ossec/queue
      - master-wazuh-var-multigroups:/var/ossec/var/multigroups
      - master-wazuh-integrations:/var/ossec/integrations
      - master-wazuh-active-response:/var/ossec/active-response/bin
      - master-wazuh-agentless:/var/ossec/agentless
      - master-wazuh-wodles:/var/ossec/wodles
      - master-filebeat-etc:/etc/filebeat
      - master-filebeat-var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh.worker:
    image: wazuh/wazuh-manager:4.6.0-beta1
    hostname: wazuh.worker
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    environment:
      - INDEXER_URL=https://wazuh1.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
    volumes:
      - worker-wazuh-api-configuration:/var/ossec/api/configuration
      - worker-wazuh-etc:/var/ossec/etc
      - worker-wazuh-logs:/var/ossec/logs
      - worker-wazuh-queue:/var/ossec/queue
      - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
      - worker-wazuh-integrations:/var/ossec/integrations
      - worker-wazuh-active-response:/var/ossec/active-response/bin
      - worker-wazuh-agentless:/var/ossec/agentless
      - worker-wazuh-wodles:/var/ossec/wodles
      - worker-filebeat-etc:/etc/filebeat
      - worker-filebeat-var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh1.indexer:
    image: wazuh/wazuh-indexer:4.6.0-beta1
    hostname: wazuh1.indexer
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-1:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh2.indexer:
    image: wazuh/wazuh-indexer:4.6.0-beta1
    hostname: wazuh2.indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-2:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh3.indexer:
    image: wazuh/wazuh-indexer:4.6.0-beta1
    hostname: wazuh3.indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-3:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.6.0-beta1
    hostname: wazuh.dashboard
    restart: always
    ports:
      - 443:5601
    environment:
      - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
      - WAZUH_API_URL="https://wazuh.master"
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      - wazuh1.indexer
    links:
      - wazuh1.indexer:wazuh1.indexer
      - wazuh.master:wazuh.master

  nginx:
    image: nginx:stable
    hostname: nginx
    restart: always
    ports:
      - "1514:1514"
    depends_on:
      - wazuh.master
      - wazuh.worker
      - wazuh.dashboard
    links:
      - wazuh.master:wazuh.master
      - wazuh.worker:wazuh.worker
      - wazuh.dashboard:wazuh.dashboard
    volumes:
      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro

volumes:
  master-wazuh-api-configuration:
  master-wazuh-etc:
  master-wazuh-logs:
  master-wazuh-queue:
  master-wazuh-var-multigroups:
  master-wazuh-integrations:
  master-wazuh-active-response:
  master-wazuh-agentless:
  master-wazuh-wodles:
  master-filebeat-etc:
  master-filebeat-var:
  worker-wazuh-api-configuration:
  worker-wazuh-etc:
  worker-wazuh-logs:
  worker-wazuh-queue:
  worker-wazuh-var-multigroups:
  worker-wazuh-integrations:
  worker-wazuh-active-response:
  worker-wazuh-agentless:
  worker-wazuh-wodles:
  worker-filebeat-etc:
  worker-filebeat-var:
  wazuh-indexer-data-1:
  wazuh-indexer-data-2:
  wazuh-indexer-data-3:
  wazuh-dashboard-config:
  wazuh-dashboard-custom:

Start the Wazuh multi-node deployment in the background

[centos@centos8 multi-node]$ docker-compose up -d
Creating volume "multi-node_master-wazuh-api-configuration" with default driver
Creating volume "multi-node_master-wazuh-etc" with default driver
Creating volume "multi-node_master-wazuh-logs" with default driver
Creating volume "multi-node_master-wazuh-queue" with default driver
Creating volume "multi-node_master-wazuh-var-multigroups" with default driver
Creating volume "multi-node_master-wazuh-integrations" with default driver
Creating volume "multi-node_master-wazuh-active-response" with default driver
Creating volume "multi-node_master-wazuh-agentless" with default driver
Creating volume "multi-node_master-wazuh-wodles" with default driver
Creating volume "multi-node_master-filebeat-etc" with default driver
Creating volume "multi-node_master-filebeat-var" with default driver
Creating volume "multi-node_worker-wazuh-api-configuration" with default driver
Creating volume "multi-node_worker-wazuh-etc" with default driver
Creating volume "multi-node_worker-wazuh-logs" with default driver
Creating volume "multi-node_worker-wazuh-queue" with default driver
Creating volume "multi-node_worker-wazuh-var-multigroups" with default driver
Creating volume "multi-node_worker-wazuh-integrations" with default driver
Creating volume "multi-node_worker-wazuh-active-response" with default driver
Creating volume "multi-node_worker-wazuh-agentless" with default driver
Creating volume "multi-node_worker-wazuh-wodles" with default driver
Creating volume "multi-node_worker-filebeat-etc" with default driver
Creating volume "multi-node_worker-filebeat-var" with default driver
Creating volume "multi-node_wazuh-indexer-data-1" with default driver
Creating volume "multi-node_wazuh-indexer-data-2" with default driver
Creating volume "multi-node_wazuh-indexer-data-3" with default driver
Creating volume "multi-node_wazuh-dashboard-config" with default driver
Creating volume "multi-node_wazuh-dashboard-custom" with default driver
Pulling wazuh.master (wazuh/wazuh-manager:4.6.0-beta1)...
4.6.0-beta1: Pulling from wazuh/wazuh-manager
edaedc954fb5: Already exists
ca2aba6431cf: Pull complete
a8a06c4638ff: Pull complete
9ba19d5b951c: Pull complete
66d581bfef93: Pull complete
0d1df3c2d7a2: Pull complete
26eb08fb694c: Pull complete
845118c6ffea: Pull complete
189cb219b064: Pull complete
fb807959a356: Pull complete
d919dd249a5d: Pull complete
a8239a2a27d2: Pull complete
9d816b93ad5e: Pull complete
c50ed77c0c69: Pull complete
19c59f1262f7: Pull complete
c93238ef54c6: Pull complete
d15d2a490110: Pull complete
Digest: sha256:18b153a1783a6dced3b3dc3e0763826cbb446aeba118c98bb24bce0709c1fcfd
Status: Downloaded newer image for wazuh/wazuh-manager:4.6.0-beta1
Pulling wazuh1.indexer (wazuh/wazuh-indexer:4.6.0-beta1)...
4.6.0-beta1: Pulling from wazuh/wazuh-indexer
edaedc954fb5: Already exists
c2d4e8422b2f: Pull complete
26ee7863050d: Pull complete
e432e71dfaba: Pull complete
8f10d385a6ad: Pull complete
9ad40d3ca823: Pull complete
6369ea9d8d8c: Pull complete
fa457dc57fc0: Pull complete
b893494495d8: Pull complete
797fe791b4d7: Pull complete
9f13eb44c294: Pull complete
3bfbb96af324: Pull complete
d7bdc60faedf: Pull complete
7fa7c0bd371a: Pull complete
Digest: sha256:2987054dd4a98704f515bb4697745ab5935705eb2a36401e67e52070a74a8d9b
Status: Downloaded newer image for wazuh/wazuh-indexer:4.6.0-beta1
Pulling wazuh.dashboard (wazuh/wazuh-dashboard:4.6.0-beta1)...
4.6.0-beta1: Pulling from wazuh/wazuh-dashboard
edaedc954fb5: Already exists
ec1926fbf417: Pull complete
5f8306d73e8b: Pull complete
c762c92fc349: Pull complete
b6133a4980cc: Pull complete
b97ec9c6f568: Pull complete
d5cf488a0e03: Pull complete
be7c0247d44e: Pull complete
0def70ea5046: Pull complete
c0933f891032: Pull complete
604c38b68144: Pull complete
14e98bf81296: Pull complete
Digest: sha256:05b0e7e22201d4da0b2e327a41a34a3b3043cc15539891bacbff22ccbcfc586c
Status: Downloaded newer image for wazuh/wazuh-dashboard:4.6.0-beta1
Pulling nginx (nginx:stable)...
stable: Pulling from library/nginx
7dbc1adf280e: Pull complete
a7184f3665ed: Pull complete
f144d5d97503: Pull complete
9097eea98b48: Pull complete
356d4b647b64: Pull complete
608e661a622a: Pull complete
Digest: sha256:73341830a31bf12a44c846b6b323dd8a4fab7668e72c16e9124913ff097c9536
Status: Downloaded newer image for nginx:stable
Creating multi-node_wazuh.worker_1   ... done
Creating multi-node_wazuh3.indexer_1 ... done
Creating multi-node_wazuh1.indexer_1 ... done
Creating multi-node_wazuh2.indexer_1 ... done
Creating multi-node_wazuh.master_1   ... done
Creating multi-node_wazuh.dashboard_1 ... done
Creating multi-node_nginx_1           ... done

View running containers

[centos@centos8 multi-node]$ docker ps
CONTAINER ID   IMAGE                                 COMMAND                  CREATED              STATUS          PORTS                                                                                                                                                 NAMES
3493ae0b33e9   nginx:stable                          "/docker-entrypoint.…"   56 seconds ago       Up 53 seconds   80/tcp, 0.0.0.0:1514->1514/tcp, :::1514->1514/tcp                                                                                                     multi-node_nginx_1
c659bf7146c5   wazuh/wazuh-dashboard:4.6.0-beta1     "/entrypoint.sh"         57 seconds ago       Up 54 seconds   443/tcp, 0.0.0.0:443->5601/tcp, :::443->5601/tcp                                                                                                      multi-node_wazuh.dashboard_1
df2c519e7c3c   wazuh/wazuh-manager:4.6.0-beta1       "/init"                  59 seconds ago       Up 56 seconds   1514/tcp, 0.0.0.0:1515->1515/tcp, :::1515->1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 1516/tcp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp   multi-node_wazuh.master_1
e37f173f13ae   wazuh/wazuh-indexer:4.6.0-beta1       "/entrypoint.sh open…"   59 seconds ago       Up 57 seconds   9200/tcp                                                                                                                                              multi-node_wazuh2.indexer_1
7cc6b87fc1c4   wazuh/wazuh-indexer:4.6.0-beta1       "/entrypoint.sh open…"   59 seconds ago       Up 56 seconds   0.0.0.0:9200->9200/tcp, :::9200->9200/tcp                                                                                                             multi-node_wazuh1.indexer_1
de606ccc88cb   wazuh/wazuh-indexer:4.6.0-beta1       "/entrypoint.sh open…"   About a minute ago   Up 57 seconds   9200/tcp                                                                                                                                              multi-node_wazuh3.indexer_1
e0f444e2467f   wazuh/wazuh-manager:4.6.0-beta1       "/init"                  About a minute ago   Up 57 seconds   1514-1516/tcp, 514/udp, 55000/tcp                                                                                                                     multi-node_wazuh.worker_1

Events on the dashboard

Change password 🟢

Stop the deployment stack

[centos@centos8 multi-node]$ docker-compose down
Stopping multi-node_nginx_1           ... done
Stopping multi-node_wazuh.dashboard_1 ... done
Stopping multi-node_wazuh.master_1    ... done
Stopping multi-node_wazuh2.indexer_1  ... done
Stopping multi-node_wazuh1.indexer_1  ... done
Stopping multi-node_wazuh3.indexer_1  ... done
Stopping multi-node_wazuh.worker_1    ... done
Removing multi-node_nginx_1           ... done
Removing multi-node_wazuh.dashboard_1 ... done
Removing multi-node_wazuh.master_1    ... done
Removing multi-node_wazuh2.indexer_1  ... done
Removing multi-node_wazuh1.indexer_1  ... done
Removing multi-node_wazuh3.indexer_1  ... done
Removing multi-node_wazuh.worker_1    ... done
Removing network multi-node_default

Generate two hashes for the admin user and the kibanaserver user

[centos@centos8 multi-node]$ docker run --rm -ti wazuh/wazuh-indexer:4.6.0-beta1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
[Password:]
$2y$12$o.GVSKq6SgvCe4zzIieOPuMPlkNdXZyAsBDyOfplmKfh2RxcKdyMa
[centos@centos8 multi-node]$ 
[centos@centos8 multi-node]$ 
[centos@centos8 multi-node]$ docker run --rm -ti wazuh/wazuh-indexer:4.6.0-beta1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
[Password:]
$2y$12$7vsvn.Wdgs3nKVUWfwyzK.dtug1wqT/pq0aJld6oZms2TTrZpft2C

Open config/wazuh_indexer/internal_users.yml and replace the hashes for the admin and kibanaserver users

...
admin:
  hash: "$2y$12$o.GVSKq6SgvCe4zzIieOPuMPlkNdXZyAsBDyOfplmKfh2RxcKdyMa"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$7vsvn.Wdgs3nKVUWfwyzK.dtug1wqT/pq0aJld6oZms2TTrZpft2C"
  reserved: true
  description: "Demo kibanaserver user"
...

Edit docker-compose.yml and set the new password
Apply the changes

[centos@centos8 multi-node]$ docker-compose up -d
Creating network "multi-node_default" with the default driver
Creating multi-node_wazuh2.indexer_1 ... done
Creating multi-node_wazuh3.indexer_1 ... done
Creating multi-node_wazuh.worker_1   ... done
Creating multi-node_wazuh1.indexer_1 ... done
Creating multi-node_wazuh.master_1   ... done
Creating multi-node_wazuh.dashboard_1 ... done
Creating multi-node_nginx_1           ... done

Enter one of the indexer containers and run the securityadmin.sh script

[centos@centos8 multi-node]$ docker exec -it multi-node_wazuh1.indexer_1 bash
wazuh-indexer@wazuh1:~$ export INSTALLATION_DIR=/usr/share/wazuh-indexer
wazuh-indexer@wazuh1:~$ CACERT=$INSTALLATION_DIR/certs/root-ca.pem
wazuh-indexer@wazuh1:~$ KEY=$INSTALLATION_DIR/certs/admin-key.pem
wazuh-indexer@wazuh1:~$ CERT=$INSTALLATION_DIR/certs/admin.pem
wazuh-indexer@wazuh1:~$ export JAVA_HOME=/usr/share/wazuh-indexer/jdk
wazuh-indexer@wazuh1:~$ 
wazuh-indexer@wazuh1:~$ 
wazuh-indexer@wazuh1:~$ HOST=$(grep node.name $INSTALLATION_DIR/opensearch.yml | awk '{printf $2}')
wazuh-indexer@wazuh1:~$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl -h $HOST
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to wazuh1.indexer:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/wazuh-indexer/opensearch-security/
Will update '/config' with /usr/share/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /usr/share/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /usr/share/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /usr/share/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /usr/share/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /usr/share/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /usr/share/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /usr/share/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /usr/share/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

The dashboard is accessible, and I successfully logged in with the new credentials.

Enroll agent 🟢

Run the one-liner to install the agent

[root@localhost ~]# curl -o wazuh-agent-4.6.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.6.0-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.132.137' WAZUH_AGENT_NAME='Amazon-Linux' rpm -ihv wazuh-agent-4.6.0-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9180k  100 9180k    0     0  3372k      0  0:00:02  0:00:02 --:--:-- 3373k
Preparing...                          ################################# [100%]
Updating / installing...
   1:wazuh-agent-4.6.0-1              ################################# [100%]

Start the agent

[root@localhost ~]# sudo systemctl daemon-reload
[root@localhost ~]# systemctl enable wazuh-agent
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-agent.service to /usr/lib/systemd/system/wazuh-agent.service.
[root@localhost ~]# sudo systemctl start wazuh-agent

The agent enrolled successfully
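A static pre-deployment credential check, added here as an example; it is not part of this test report or of the wazuh-docker project. The password-change steps above touch three places that must agree (the dashboard service's `environment:` block in docker-compose.yml, the bcrypt hashes in config/wazuh_indexer/internal_users.yml, and the securityadmin.sh load). The script below reads the first two with a minimal parser for exactly the YAML subset shown in the report (not a full YAML parser) and flags passwords still set to the values shipped in the compose file, a DASHBOARD_USERNAME with no internal_users.yml entry, hashes that are not bcrypt strings or use a cost below 12, and a hash copied onto two users. The sample compose and users file are constructed from the report's own values; the rotated passwords are placeholders, and the `DEFAULT_PASSWORDS` set is an assumption to extend with your own known defaults.

```python
"""Static credential check for a Wazuh docker multi-node stack (added example).

Assumes the layout shown in the report: docker-compose.yml with the dashboard
credentials in an `environment:` list, and internal_users.yml with one
`hash:` line per top-level user block.
"""
import re

# Passwords that ship in the upstream compose file shown in the report, plus
# "admin" (assumption). Extend with any other default you know is in use.
DEFAULT_PASSWORDS = {"kibanaserver", "MyS3cr37P450r.*-", "admin"}

# bcrypt modular crypt format: $2a|$2b|$2y, two-digit cost, 22 salt + 31 hash chars.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$")
ENV_LINE_RE = re.compile(r'^\s*-\s*"?([A-Za-z_][\w.]*)=(.*?)"?\s*$')
USER_KEY_RE = re.compile(r"^([A-Za-z_][\w.-]*):\s*$")
HASH_LINE_RE = re.compile(r'^\s+hash:\s*"?([^"\s]*)"?\s*$')

# Constructed sample input, modelled on the compose file in this report.
SAMPLE_COMPOSE_DEFAULT = """\
services:
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.6.0-beta1
    ports:
      - 443:5601
    environment:
      - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
      - WAZUH_API_URL="https://wazuh.master"
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
"""
# Same file after rotating the two passwords (placeholder values).
SAMPLE_COMPOSE_ROTATED = SAMPLE_COMPOSE_DEFAULT.replace(
    "API_PASSWORD=MyS3cr37P450r.*-", "API_PASSWORD=ROTATED-API-PASSWORD-PLACEHOLDER"
).replace("DASHBOARD_PASSWORD=kibanaserver",
          "DASHBOARD_PASSWORD=ROTATED-DASHBOARD-PASSWORD-PLACEHOLDER")

# Constructed internal_users.yml fragment using the hashes shown in the report.
SAMPLE_INTERNAL_USERS = """\
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$o.GVSKq6SgvCe4zzIieOPuMPlkNdXZyAsBDyOfplmKfh2RxcKdyMa"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$7vsvn.Wdgs3nKVUWfwyzK.dtug1wqT/pq0aJld6oZms2TTrZpft2C"
  reserved: true
  description: "Demo kibanaserver user"
"""


def parse_compose_env(text):
    """Collect NAME=value entries from every `environment:` list item."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip('"')
    return env


def parse_internal_users(text):
    """Map user name -> hash for each top-level user block (skips _meta)."""
    users, current = {}, None
    for line in text.splitlines():
        key = USER_KEY_RE.match(line)
        if key:
            current = None if key.group(1) == "_meta" else key.group(1)
            continue
        h = HASH_LINE_RE.match(line)
        if h and current:
            users[current] = h.group(1)
    return users


def check_credentials(compose_text, internal_users_text):
    """Return a list of findings; an empty list means the static checks pass."""
    findings = []
    env = parse_compose_env(compose_text)
    users = parse_internal_users(internal_users_text)
    for name, value in env.items():
        if name.endswith("PASSWORD") and value in DEFAULT_PASSWORDS:
            findings.append(f"{name} is still set to a default value from the compose file")
    dash_user = env.get("DASHBOARD_USERNAME")
    if dash_user and dash_user not in users:
        findings.append(f"DASHBOARD_USERNAME={dash_user} has no entry in internal_users.yml")
    seen = {}
    for user, hsh in users.items():
        m = BCRYPT_RE.match(hsh)
        if not m:
            findings.append(f"user {user}: hash is not a bcrypt string")
            continue
        if int(m.group("cost")) < 12:
            findings.append(f"user {user}: bcrypt cost {m.group('cost')} is below 12")
        if hsh in seen:
            findings.append(f"user {user}: hash duplicates user {seen[hsh]} (copy-paste error?)")
        seen.setdefault(hsh, user)
    return findings


if __name__ == "__main__":
    for label, compose in (("default", SAMPLE_COMPOSE_DEFAULT), ("rotated", SAMPLE_COMPOSE_ROTATED)):
        print(label, check_credentials(compose, SAMPLE_INTERNAL_USERS))
```

Against the real files, read docker-compose.yml and internal_users.yml into `check_credentials()` in place of the samples. The check is deliberately static: it cannot confirm that a hash actually matches the password in the compose file (that needs bcrypt and is what the dashboard login in the report verifies), but it catches the common rotation mistakes before `docker-compose up` and securityadmin.sh bake them into the `.opendistro_security` index.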

@davidcr01
Contributor

LGTM

@juliamagan
Member

LGTM
