Installing Wazuh with Docker
Installing Wazuh on CentOS
Official documentation:
https://documentation.wazuh.com/3.9/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#wazuh-server-packages-centos
Chinese translation:
https://www.cnblogs.com/backlion/p/10397092.html
The Elasticsearch container needs a raised vm.max_map_count on the host (its bootstrap check fails below 262144), so set this before bringing the stack up. sysctl -w does not survive a reboot; put the same line in a file under /etc/sysctl.d/ to make it persistent.
sysctl -w vm.max_map_count=262144
Docker official guide:
https://documentation.wazuh.com/3.9/docker/wazuh-container.html
First install Docker and docker-compose.
- Install dependencies
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
- Add the repository
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
- Install and start
sudo yum-config-manager --enable docker-ce-nightly
(The nightly channel ships unreleased builds; this step is optional and best left out on a production host, where the stable repo added above is enough.)
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
docker-compose installation:
Install and test docker-compose
Official docs: https://docs.docker.com/compose/install/
- Download the docker-compose binary
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
(This fetches a plain binary with no integrity check; compare its SHA-256 with the digest published for the release before the next step.)
- Set executable permission
sudo chmod +x /usr/local/bin/docker-compose
- Symlink into /usr/bin
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
- Check the install succeeded
docker-compose --version
Install with docker-compose
- Download the Wazuh repository (the branch pins Wazuh 3.9.5 with Elastic Stack 7.2.1)
git clone https://github.com/wazuh/wazuh-docker.git -b 3.9.5_7.2.1 --single-branch
- Start the stack in the background (detached)
docker-compose up -d
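A pre-flight script for the install steps above, added here as an example; it is not part of the original post or of the Wazuh project. It covers the two host-side gaps in the procedure: vm.max_map_count set with sysctl -w is lost on reboot, and the docker-compose binary is downloaded and made executable without any integrity check. The drop-in path /etc/sysctl.d/99-wazuh.conf, the WAZUH_PREFLIGHT variable and the preflight function are names chosen for this example; the expected SHA-256 digest is an operator-supplied value (assuming you take it from the .sha256 file the compose release page publishes beside each binary, fetched separately rather than trusted from the same download).

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Wazuh project): pre-flight
# checks for the Docker-based Wazuh install. Assumes a Linux host with sysctl,
# sha256sum and awk. The expected digest for the docker-compose binary is an
# operator-supplied value (e.g. from the release's published .sha256 asset).
set -eu

MIN_MAX_MAP_COUNT=262144   # Elasticsearch's bootstrap check refuses to start below this

# Return 0 if the supplied vm.max_map_count value is high enough for Elasticsearch.
max_map_count_ok() {
    [ "$1" -ge "$MIN_MAX_MAP_COUNT" ]
}

# 'sysctl -w' is lost on reboot; write a sysctl.d drop-in so the setting persists.
# $1 = drop-in path (normally /etc/sysctl.d/99-wazuh.conf, an assumed name here).
persist_max_map_count() {
    printf 'vm.max_map_count=%s\n' "$MIN_MAX_MAP_COUNT" > "$1"
}

# Compare a downloaded file against an expected SHA-256 hex digest.
# $1 = file, $2 = expected digest. Returns 1 on mismatch so callers abort
# before chmod +x turns an unverified download into an executable.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# End-to-end run on a real host (needs root for sysctl and /etc/sysctl.d).
# $1 = path of the downloaded docker-compose binary, $2 = expected SHA-256.
preflight() {
    current=$(sysctl -n vm.max_map_count)
    if ! max_map_count_ok "$current"; then
        sysctl -w vm.max_map_count="$MIN_MAX_MAP_COUNT"
        persist_max_map_count /etc/sysctl.d/99-wazuh.conf
    fi
    if ! verify_sha256 "$1" "$2"; then
        echo "checksum mismatch for $1, refusing to install" >&2
        return 1
    fi
    chmod +x "$1"
    echo "preflight ok: vm.max_map_count=$(sysctl -n vm.max_map_count), $1 verified"
}

# Only run when explicitly asked, so the functions can be sourced or tested alone:
#   WAZUH_PREFLIGHT=1 ./preflight.sh /usr/local/bin/docker-compose <sha256>
if [ "${WAZUH_PREFLIGHT:-}" = "1" ]; then
    preflight "$@"
fi
```

Run it as root after the curl step and before the chmod step: WAZUH_PREFLIGHT=1 ./preflight.sh /usr/local/bin/docker-compose <digest>. A mismatch leaves the file non-executable and returns 1, so a wrapper script that continues with `docker-compose up -d` stops at that point.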
Default ports
1514/udp   Wazuh (agent events)
1515/tcp   Wazuh (agent enrollment)
514/udp    Wazuh (syslog)
55000/tcp  Wazuh API
9200/tcp   Elasticsearch HTTP
80/tcp     Nginx http
443/tcp    Nginx https
The compose file publishes all of these on the host. 9200 and 55000 rarely need to be reachable from other machines, so restrict them with the host firewall.
Official Kubernetes deployment (copied over as-is from the wazuh-kubernetes README)
Deployment
Clone this repository to deploy the necessary services and pods.
$ git clone https://github.com/wazuh/wazuh-kubernetes.git
$ cd wazuh-kubernetes
3.1. Wazuh namespace and StorageClass
The wazuh namespace holds all the Kubernetes objects (services, deployments, pods) needed for Wazuh. In addition, you must create a StorageClass so the StatefulSets can use AWS EBS storage.
$ kubectl apply -f base/wazuh-ns.yaml
$ kubectl apply -f base/aws-gp2-storage-class.yaml
3.2. Deploy Elasticsearch
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-api-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-sts.yaml
3.3. Deploy Kibana and Nginx
If you need to provide a domain name, update the domainName annotation value in the nginx-svc.yaml file before deploying that service. You should also set a valid AWS ACM certificate ARN in nginx-svc.yaml for the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation. That certificate should match the domainName.
$ kubectl apply -f elastic_stack/kibana/kibana-svc.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-svc.yaml
$ kubectl apply -f elastic_stack/kibana/kibana-deploy.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-deploy.yaml
3.4. Deploy Logstash
$ kubectl apply -f elastic_stack/logstash/logstash-svc.yaml
$ kubectl apply -f elastic_stack/logstash/logstash-deploy.yaml
Deploy Wazuh
$ kubectl apply -f wazuh_managers/wazuh-master-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-cluster-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-workers-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-0-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-1-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-sts.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-0-sts.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-1-sts.yaml
Verifying the deployment
Namespace
$ kubectl get namespaces | grep wazuh
wazuh   Active   12m
Services
$ kubectl get services -n wazuh
NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                          AGE
elasticsearch         ClusterIP      xxx.yy.zzz.24    <none>             9200/TCP                         12m
kibana                ClusterIP      xxx.yy.zzz.76    <none>             5601/TCP                         11m
logstash              ClusterIP      xxx.yy.zzz.41    <none>             5000/TCP                         10m
wazuh                 LoadBalancer   xxx.yy.zzz.209   internal-a7a8...   1515:32623/TCP,55000:30283/TCP   9m
wazuh-cluster         ClusterIP      None             <none>             1516/TCP                         9m
wazuh-elasticsearch   ClusterIP      None             <none>             9300/TCP                         12m
wazuh-nginx           LoadBalancer   xxx.yy.zzz.223   internal-a3b1...   80:31831/TCP,443:30974/TCP       11m
wazuh-workers         LoadBalancer   xxx.yy.zzz.26    internal-a7f9...   1514:31593/TCP                   9m
Deployments
$ kubectl get deployments -n wazuh
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
wazuh-kibana     1         1         1            1           11m
wazuh-logstash   1         1         1            1           10m
wazuh-nginx      1         1         1            1           11m
Statefulset
$ kubectl get statefulsets -n wazuh
NAME                     DESIRED   CURRENT   AGE
wazuh-elasticsearch      1         1         13m
wazuh-manager-master     1         1         9m
wazuh-manager-worker-0   1         1         9m
wazuh-manager-worker-1   1         1         9m
Pods
$ kubectl get pods -n wazuh
NAME                              READY   STATUS    RESTARTS   AGE
wazuh-elasticsearch-0             1/1     Running   0          15m
wazuh-kibana-f4d9c7944-httsd      1/1     Running   0          14m
wazuh-logstash-777b7cd47b-7cxfq   1/1     Running   0          13m
wazuh-manager-master-0            1/1     Running   0          12m
wazuh-manager-worker-0-0          1/1     Running   0          11m
wazuh-manager-worker-1-0          1/1     Running   0          11m
wazuh-nginx-748fb8494f-xwwhw      1/1     Running   0          14m
Accessing Kibana
If you created domain names for the services, you should be able to access Kibana using the proposed domain name: https://wazuh.your-domain.com. You can also access it using the load balancer's DNS name (e.g. https://internal-xxx-yyy.us-east-1.elb.amazonaws.com):
$ kubectl get services -o wide -n wazuh
NAME          TYPE           CLUSTER-IP       EXTERNAL-IP                                    PORT(S)   AGE   SELECTOR
wazuh-nginx   LoadBalancer   xxx.xx.xxx.xxx   internal-xxx-yyy.us-east-1.elb.amazonaws.com   80:3
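The README's verification step above is done by eye; the script below, added here as an example and not part of the wazuh-kubernetes project or the original post, turns it into two checks over `kubectl get` output: every pod must be fully READY and Running, and no LoadBalancer service may have a public address (the README's listings show every external address with the `internal-` prefix AWS gives internal ELBs; this example assumes that naming). The sample listings inside the script are constructed from the README's output with one worker pod and one service deliberately changed so the checks have something to find; the function and variable names are chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the wazuh-kubernetes project or the original post):
# health and exposure checks over 'kubectl get' output. Runs offline on the
# constructed samples below; feed it live kubectl output on a real cluster.
# Assumes the AWS naming shown in the README, where internal ELBs get an
# "internal-" DNS prefix.
set -eu

# Constructed sample: the README's pod list with one worker made unhealthy.
SAMPLE_PODS='NAME                           READY   STATUS             RESTARTS   AGE
wazuh-elasticsearch-0          1/1     Running            0          15m
wazuh-kibana-f4d9c7944-httsd   1/1     Running            0          14m
wazuh-manager-master-0         1/1     Running            0          12m
wazuh-manager-worker-0-0       1/1     Running            0          11m
wazuh-manager-worker-1-0       0/1     CrashLoopBackOff   6          11m'

# Constructed sample: the README's services with wazuh-nginx moved to a
# public (non "internal-") load balancer and placeholder cluster IPs.
SAMPLE_SERVICES='NAME            TYPE           CLUSTER-IP   EXTERNAL-IP                                 PORT(S)                          AGE
elasticsearch   ClusterIP      10.0.0.24    <none>                                      9200/TCP                         12m
wazuh           LoadBalancer   10.0.0.209   internal-a7a8.us-east-1.elb.amazonaws.com   1515:32623/TCP,55000:30283/TCP   9m
wazuh-nginx     LoadBalancer   10.0.0.223   a3b1.us-east-1.elb.amazonaws.com            80:31831/TCP,443:30974/TCP       11m
wazuh-workers   LoadBalancer   10.0.0.26    internal-a7f9.us-east-1.elb.amazonaws.com   1514:31593/TCP                   9m'

# Read 'kubectl get pods' output on stdin; print pods whose READY count is not
# full or whose STATUS is not Running. Prints nothing when everything is healthy.
unhealthy_pods() {
    awk 'NR > 1 && NF >= 3 {
        split($2, ready, "/")
        if (ready[1] != ready[2] || $3 != "Running") print $1
    }'
}

# Read 'kubectl get services' output on stdin; print LoadBalancer services whose
# EXTERNAL-IP is neither pending nor an AWS internal ELB. The Wazuh API (55000),
# agent enrollment (1515) and Kibana should not be reachable from the internet.
public_loadbalancers() {
    awk 'NR > 1 && NF >= 4 && $2 == "LoadBalancer" && $4 != "<pending>" && $4 !~ /^internal-/ { print $1 }'
}

# Run both checks on the given listings; return 1 if anything needs attention.
# $1 = 'kubectl get pods' output, $2 = 'kubectl get services' output.
check_cluster() {
    pods_in=$1
    svcs_in=$2
    bad=0
    unhealthy=$(printf '%s\n' "$pods_in" | unhealthy_pods)
    if [ -n "$unhealthy" ]; then
        printf 'unhealthy pods:\n%s\n' "$unhealthy"
        bad=1
    fi
    public=$(printf '%s\n' "$svcs_in" | public_loadbalancers)
    if [ -n "$public" ]; then
        printf 'publicly exposed LoadBalancer services:\n%s\n' "$public"
        bad=1
    fi
    return $bad
}

# Offline demo on the constructed samples (exits 1, since both samples contain
# a finding). On a real cluster run:
#   check_cluster "$(kubectl get pods -n wazuh)" "$(kubectl get services -n wazuh)"
if [ "${WAZUH_K8S_CHECK:-}" = "demo" ]; then
    check_cluster "$SAMPLE_PODS" "$SAMPLE_SERVICES"
fi
```

The exit status makes this usable as a gate after the `kubectl apply` steps: a non-zero result means a pod is still crashing or a service is exposed more widely than the README's internal-ELB layout intends.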