# Wazuh

## Server install
(Taken from the [quick start guide](https://documentation.wazuh.com/current/quickstart.html))

```
curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```

As the install finishes, keep an eye out for your default admin password. If you miss it, extract it from the install archive:

```
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
```

### Make groups for your endpoints to drop into
```
/var/ossec/bin/agent_groups -a -g Windows -q
/var/ossec/bin/agent_groups -a -g macOS -q
/var/ossec/bin/agent_groups -a -g Linux -q
```

### Add agents
Head to `https://your.wazuh-server.com/app/endpoints-summary#/agents-preview/deploy` to fill out the connection info to generate an install file for the appropriate OS.

### Check if Wazuh is running
```
systemctl status wazuh-manager
```

### Main config file to edit
```
sudo nano /var/ossec/etc/ossec.conf
```

### Review server logs/statuses
```
systemctl status wazuh-manager
systemctl status wazuh-indexer
sudo tail -f /var/ossec/logs/ossec.log
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
sudo filebeat test output
```

### Starting/restarting services if necessary
```
sudo systemctl restart wazuh-indexer
sudo systemctl restart wazuh-manager
```

## Reset all passwords
Read more about password resets [here](https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html).

This procedure is for single-node Wazuh 4.x deployments. It resets all indexer passwords and updates the dashboard keystore so the dashboard can still authenticate to the indexer.

### Pre-flight checks

Before running the password tool, **the indexer cluster must be healthy** (yellow or green, not red). If it's red, the tool will hang on "wait for YELLOW clusterstate" forever.

```bash
# Verify indexer is running and listening
sudo systemctl status wazuh-indexer
sudo ss -tlnp | grep 9200

# Verify cluster health (must be yellow or green)
sudo curl -k --cert /etc/wazuh-indexer/certs/admin.pem \
  --key /etc/wazuh-indexer/certs/admin-key.pem \
  https://127.0.0.1:9200/_cluster/health?pretty
```

Also verify ownership on the backup directory — root-owned files here cause silent failures:
```bash
sudo ls -la /etc/wazuh-indexer/ | grep backup
# Should show: drwxr-x--- wazuh-indexer wazuh-indexer
# If owned by root, fix it:
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/backup
sudo chmod 750 /etc/wazuh-indexer/backup
```
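The two pre-flight conditions above (cluster not red, backup directory owned by `wazuh-indexer`) plus the dashboard check from Step 4 can be scripted as a gate that refuses to proceed when the password tool would hang or fail silently. This is an added example, not a Wazuh project script; it assumes the certificate and backup paths shown on this page and GNU `stat`. Run it as `sudo bash preflight.sh run`.

```bash
#!/usr/bin/env bash
# Pre-flight gate for wazuh-passwords-tool.sh (added example, not Wazuh's own code).
# Exits non-zero when the indexer is red/unreachable or the backup directory is
# not owned by wazuh-indexer: the conditions that make the tool hang or fail silently.

# Extract the "status" field from /_cluster/health JSON given on stdin.
health_status() {
  sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n1
}

# Return 0 when the cluster is yellow or green, 1 when red or unknown.
cluster_ready() {
  case "$(printf '%s' "$1" | health_status)" in
    green|yellow) return 0 ;;
    *)            return 1 ;;
  esac
}

# Return 0 when directory $1 exists and is owned by user $2 (GNU stat -c %U).
dir_owned_by() {
  [ -d "$1" ] && [ "$(stat -c %U "$1")" = "$2" ]
}

# Return 0 when dashboard journal text shows a running server and no [ResponseError].
dashboard_healthy() {
  printf '%s\n' "$1" | grep -q 'Server running at' &&
    ! printf '%s\n' "$1" | grep -q '\[ResponseError\]'
}

# Live checks against the local indexer (paths as on this page; run as root).
run_preflight() {
  local certs=/etc/wazuh-indexer/certs health
  health=$(curl -sk --cert "$certs/admin.pem" --key "$certs/admin-key.pem" \
             https://127.0.0.1:9200/_cluster/health) ||
    { echo "indexer not reachable on 127.0.0.1:9200"; return 1; }
  cluster_ready "$health" ||
    { echo "cluster is not yellow/green, do not run the tool: $health"; return 1; }
  dir_owned_by /etc/wazuh-indexer/backup wazuh-indexer ||
    { echo "fix: chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/backup"; return 1; }
  echo "pre-flight OK: safe to run wazuh-passwords-tool.sh -a"
}

if [ "${1:-}" = run ]; then run_preflight; fi
```

After Step 3, `dashboard_healthy "$(journalctl -u wazuh-dashboard -n 30 --no-pager)"` gives a pass/fail for the Step 4 dashboard check.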

### Step 1: Reset all indexer passwords

```bash
sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -a -v 2>&1 | sudo tee /root/wazuh-pw-reset-$(date +%Y%m%d-%H%M).log
```

What the flags mean:
- `-a` — change ALL internal users (auto-generate new passwords)
- `-v` — verbose
- `-A` — also rotate the Wazuh API admin password (requires current API creds; skip if unknown)
- `-u USER -p PASS` — change a single user to a specific password

Save these from the output to your password manager:
- `admin` ← used for browser login
- `kibanaserver` ← used by dashboard service to talk to indexer
- `kibanaro`, `logstash`, `readall`, `snapshotrestore`, `anomalyadmin` ← rarely used directly, but save them

The script also auto-updates the **filebeat keystore** for you (no manual step needed).

After saving passwords:
```bash
sudo shred -u /root/wazuh-pw-reset-*.log
```

### Step 2: Update dashboard keystore (required after admin/kibanaserver password change)

The dashboard authenticates to the indexer using credentials in its keystore. After a password reset, this keystore is stale.

```bash
# Update the dashboard's stored username (should be kibanaserver, not admin)
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore remove opensearch.username --allow-root
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.username --allow-root
# At prompt: kibanaserver

# Update the password
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore remove opensearch.password --allow-root
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.password --allow-root
# At prompt: paste the kibanaserver password
```

> **Important:** the dashboard service uses **kibanaserver** to query the indexer, NOT admin. Browser login uses admin, but that's separate.

### Step 3: Restart services in the right order

```bash
sudo systemctl restart filebeat
sudo systemctl restart wazuh-dashboard
```

`wazuh-indexer` and `wazuh-manager` don't need restarting after password changes.

### Step 4: Verify

```bash
# Filebeat → indexer connection
sudo filebeat test output

# Dashboard logs (look for "Server running at" — no [ResponseError] floods)
sudo journalctl -u wazuh-dashboard -n 30 --no-pager

# Browser login: https://<wazuh-ip> as admin
```

### Resetting the Wazuh API admin password (separate procedure)

The Wazuh API (port 55000) has its OWN admin user and password, separate from the indexer. To reset:

```bash
# Method A: with -A flag if you know current API password
sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -au <current_api_user> -ap <current_api_password> -A

# Method B: if you don't know it, edit the API user file directly
# (See Wazuh docs — involves editing /var/ossec/api/configuration/security/users.yaml
#  and running a Python tool)
```

After resetting the API password, update it in the dashboard's Wazuh app config:
```bash
sudo nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
# Update the password field for the API connection
sudo systemctl restart wazuh-dashboard
```

### Common gotchas

- **`ERR: Seems there is no OpenSearch running on 127.0.0.1:9200`** — indexer is down or unhealthy. Don't proceed; fix indexer first.
- **Tool hangs on "wait for YELLOW clusterstate"** — cluster is red OR memory-starved (check heap via `ps -ef | grep Xmx`). Fix cluster first.
- **`AccessDeniedException: /etc/wazuh-indexer/backup`** — directory ownership wrong. `chown -R wazuh-indexer:wazuh-indexer`.
- **Dashboard "Server is not ready yet" + `[ResponseError]` loop** — keystore credentials don't match what's in the indexer. Re-run the keystore update with kibanaserver creds.
- **Don't reuse passwords across users** — script auto-generates strong unique ones, just save them.

## Agents

### Starting/restarting services
Linux:
```
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
sudo tail -f /var/ossec/logs/ossec.log
```
Macs:
```
sudo /Library/Ossec/bin/wazuh-control restart
```

Windows:
```
NET STOP WazuhSvc
NET START WazuhSvc
```
