Deploying Wazuh on OpenEuler

  1. Overview

Notes on deploying the Wazuh open-source security platform on OpenEuler 24.03 (LTS-SP2).

  2. Deployment
    • Server information

      $ getenforce
      Disabled
      $ ulimit -n
      65535
      $ ldd --version | grep ldd
      ldd (GNU libc) 2.38
    • Download the offline packages (on a machine with internet access)

      $ curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh

      $ chmod 744 wazuh-install.sh

      $ sh wazuh-install.sh -dw rpm -da x86_64

      $ curl -sO https://packages.wazuh.com/4.14/config.yml

      $ vim config.yml
      nodes:
        # Wazuh indexer nodes
        indexer:
          - name: node-1
            ip: "192.168.0.119"
          #- name: node-2
          #  ip: "<indexer-node-ip>"
          #- name: node-3
          #  ip: "<indexer-node-ip>"

        # Wazuh server nodes
        # If there is more than one Wazuh server
        # node, each one must have a node_type
        server:
          - name: wazuh-1
            ip: "192.168.0.119"
          #  node_type: master
          #- name: wazuh-2
          #  ip: "<wazuh-manager-ip>"
          #  node_type: worker
          #- name: wazuh-3
          #  ip: "<wazuh-manager-ip>"
          #  node_type: worker

        # Wazuh dashboard nodes
        dashboard:
          - name: dashboard
            ip: "192.168.0.119"


      $ sh wazuh-install.sh -g

      28/11/2025 15:34:50 INFO: Starting Wazuh installation assistant. Wazuh version: 4.14.1
      28/11/2025 15:34:50 INFO: Verbose logging redirected to /var/log/wazuh-install.log
      28/11/2025 15:34:50 INFO: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Amazon Linux 2023; Ubuntu 16.04, 18.04, 20.04, 22.04; Rocky Linux 9.4.
      28/11/2025 15:34:50 WARNING: The current system does not match with the list of recommended systems. The installation may not work properly.
      28/11/2025 15:34:51 INFO: --- Dependencies ---
      28/11/2025 15:34:51 INFO: Installing tar.
      28/11/2025 15:34:52 INFO: Verifying that your system meets the recommended minimum hardware requirements.
      28/11/2025 15:34:53 INFO: --- Configuration files ---
      28/11/2025 15:34:53 INFO: Generating configuration files.
      28/11/2025 15:34:53 INFO: Generating the root certificate.
      28/11/2025 15:34:53 INFO: Generating Admin certificates.
      28/11/2025 15:34:53 INFO: Generating Wazuh indexer certificates.
      28/11/2025 15:34:53 INFO: Generating Filebeat certificates.
      28/11/2025 15:34:53 INFO: Generating Wazuh dashboard certificates.
      28/11/2025 15:34:54 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
      28/11/2025 15:34:54 INFO: --- Dependencies ---
      28/11/2025 15:34:54 INFO: Removing tar.

      $ ls -l
      wazuh-install-files.tar
      wazuh-install.sh
      wazuh-offline.tar.gz
    • Copy to the server

      $ mkdir -p /data

      $ tar xf wazuh-offline.tar.gz
      $ tar xf wazuh-install-files.tar

      $ rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
    • wazuh-indexer

      $ rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-indexer*.rpm

      # Must match the node name in config.yml
      $ NODE_NAME=node-1

      $ mkdir /etc/wazuh-indexer/certs
      $ mv -n wazuh-install-files/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
      $ mv -n wazuh-install-files/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
      $ mv wazuh-install-files/admin-key.pem /etc/wazuh-indexer/certs/
      $ mv wazuh-install-files/admin.pem /etc/wazuh-indexer/certs/
      $ cp wazuh-install-files/root-ca.pem /etc/wazuh-indexer/certs/
      $ chmod 500 /etc/wazuh-indexer/certs
      $ chmod 400 /etc/wazuh-indexer/certs/*
      $ chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs


      # Edit the OpenSearch configuration (wazuh-indexer)
      $ vim /etc/wazuh-indexer/opensearch.yml
      network.host: "0.0.0.0"
      node.name: "node-1"
      cluster.initial_master_nodes:
      - "node-1"

      $ systemctl daemon-reload
      $ systemctl enable wazuh-indexer
      $ systemctl start wazuh-indexer

      # Initialise the indexer security configuration (loads the certificates installed above)
      $ sh /usr/share/wazuh-indexer/bin/indexer-security-init.sh

      # Default port 9200, default credentials admin/admin
      $ curl -XGET https://127.0.0.1:9200 -u admin:admin -k
    • wazuh-server

      $ rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-manager*.rpm

      # Store the indexer (OpenSearch) credentials (username and password) in the Wazuh keystore
      $ echo admin | /var/ossec/bin/wazuh-keystore -f indexer -k username
      $ echo admin | /var/ossec/bin/wazuh-keystore -f indexer -k password

      $ systemctl daemon-reload
      $ systemctl enable wazuh-manager
      $ systemctl start wazuh-manager
    • filebeat

      $ rpm -ivh ./wazuh-offline/wazuh-packages/filebeat*.rpm

      $ cp ./wazuh-offline/wazuh-files/filebeat.yml /etc/filebeat/ &&\
      cp ./wazuh-offline/wazuh-files/wazuh-template.json /etc/filebeat/ &&\
      chmod go+r /etc/filebeat/wazuh-template.json

      $ vim /etc/filebeat/filebeat.yml

      output.elasticsearch:
        hosts: ["192.168.0.119:9200"]
        protocol: https
        # username and password are read from the filebeat keystore
        username: ${username}
        password: ${password}
        ssl.certificate_authorities:
          - /etc/filebeat/certs/root-ca.pem
        ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
        ssl.key: "/etc/filebeat/certs/filebeat-key.pem"


      $ filebeat keystore create
      # Store the sensitive values username and password encrypted in the Filebeat keystore
      $ echo admin | filebeat keystore add username --stdin --force
      $ echo admin | filebeat keystore add password --stdin --force

      # Load the Wazuh Filebeat module
      $ tar -xzf ./wazuh-offline/wazuh-files/wazuh-filebeat-0.4.tar.gz -C /usr/share/filebeat/module

      # Must match the node name in config.yml
      $ NODE_NAME=wazuh-1

      $ mkdir /etc/filebeat/certs
      $ mv -n wazuh-install-files/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
      $ mv -n wazuh-install-files/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
      $ cp wazuh-install-files/root-ca.pem /etc/filebeat/certs/
      $ chmod 500 /etc/filebeat/certs
      $ chmod 400 /etc/filebeat/certs/*
      $ chown -R root:root /etc/filebeat/certs

      $ systemctl daemon-reload
      $ systemctl enable filebeat
      $ systemctl start filebeat

      # Verify the output connection
      $ filebeat test output
    • wazuh-dashboard

      $ rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-dashboard*.rpm

      # Must match the node name in config.yml
      $ NODE_NAME=dashboard

      $ mkdir /etc/wazuh-dashboard/certs
      $ mv -n wazuh-install-files/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
      $ mv -n wazuh-install-files/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
      $ cp wazuh-install-files/root-ca.pem /etc/wazuh-dashboard/certs/
      $ chmod 500 /etc/wazuh-dashboard/certs
      $ chmod 400 /etc/wazuh-dashboard/certs/*
      $ chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

      $ vim /etc/wazuh-dashboard/opensearch_dashboards.yml

      server.host: 0.0.0.0
      server.port: 443
      opensearch.hosts: https://192.168.0.119:9200

      $ systemctl daemon-reload
      $ systemctl enable wazuh-dashboard
      $ systemctl start wazuh-dashboard
    • wazuh-web-api

      $ vim /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

      hosts:
        - default:
            url: https://<WAZUH_SERVER_IP_ADDRESS>
            port: 55000
            username: wazuh-wui
            password: wazuh-wui
            run_as: false
    • Reset passwords

      /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
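The indexer, filebeat and dashboard steps above repeat the same certificate installation sequence (move the node cert and key, copy root-ca.pem, chmod 500/400, chown). The script below is an added example, not part of the original guide or of Wazuh itself: it folds that sequence into one function and adds a check that the resulting directory matches what the guide sets. The function names and argument order are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Wazuh): generalises the
# mv/cp/chmod/chown sequence the guide repeats for wazuh-indexer, filebeat
# and wazuh-dashboard, and verifies the result.
set -eu

# install_certs SRC NODE_NAME DEST PREFIX OWNER
#   SRC       directory produced by "tar xf wazuh-install-files.tar"
#   NODE_NAME node name from config.yml (node-1, wazuh-1, dashboard)
#   DEST      target directory, e.g. /etc/wazuh-indexer/certs
#   PREFIX    file prefix the component expects (indexer, filebeat, dashboard)
#   OWNER     user:group that should own DEST (chown is skipped if the user is absent)
install_certs() {
  local src=$1 node=$2 dest=$3 prefix=$4 owner=$5
  # A wrong NODE_NAME is the usual mistake: the files simply are not there.
  [ -f "$src/$node.pem" ] && [ -f "$src/$node-key.pem" ] || {
    echo "missing $node.pem / $node-key.pem in $src (NODE_NAME must match config.yml)" >&2
    return 1
  }
  mkdir -p "$dest"
  mv -n "$src/$node.pem" "$dest/$prefix.pem"
  mv -n "$src/$node-key.pem" "$dest/$prefix-key.pem"
  cp "$src/root-ca.pem" "$dest/"          # root CA is shared, so copy not move
  chmod 500 "$dest"
  chmod 400 "$dest"/*
  if id "${owner%%:*}" >/dev/null 2>&1; then
    chown -R "$owner" "$dest"
  fi
}

# verify_certs DEST PREFIX: returns 0 only if the three expected files exist,
# the directory is mode 500 and every file in it is mode 400.
verify_certs() {
  local dest=$1 prefix=$2 f
  for f in "$prefix.pem" "$prefix-key.pem" root-ca.pem; do
    [ -f "$dest/$f" ] || { echo "missing $dest/$f" >&2; return 1; }
  done
  [ -n "$(find "$dest" -maxdepth 0 -type d -perm 500)" ] || return 1
  [ -z "$(find "$dest" -maxdepth 1 -type f ! -perm 400)" ] || return 1
  return 0
}
```

On the real host, call it as root with the guide's values, e.g. `install_certs wazuh-install-files node-1 /etc/wazuh-indexer/certs indexer wazuh-indexer:wazuh-indexer`, then `verify_certs /etc/wazuh-indexer/certs indexer` before starting the service.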

Reference for the offline deployment method: Offline installation guide - Installation alternatives