Create a Linode account to try this guide with a $ credit.
This credit will be applied to any valid services used during your first  days.

Wazuh provides a security solution for monitoring your infrastructure and detecting threats, intrusion attempts, system anomalies, poorly configured applications, and unauthorized user actions. It also provides a framework for incident response and regulatory compliance.

Deploying a Marketplace App

The Linode Marketplace allows you to easily deploy software on a Compute Instance using the Cloud Manager. See Get Started with Marketplace Apps for complete steps.

  1. Log in to the Cloud Manager and select the Marketplace link from the left navigation menu. This displays the Linode Create page with the Marketplace tab pre-selected.

  2. Under the Select App section, select the app you would like to deploy.

  3. Complete the form by following the steps and advice within the Creating a Compute Instance guide. Depending on the Marketplace App you selected, there may be additional configuration options available. See the Configuration Options section below for compatible distributions, recommended plans, and any additional configuration options available for this Marketplace App.

  4. Click the Create Linode button. Once the Compute Instance has been provisioned and has fully powered on, wait for the software installation to complete. If the instance is powered off or restarted before this time, the software installation will likely fail.

To verify that the app has been fully installed, see Get Started with Marketplace Apps > Verify Installation. Once installed, follow the instructions within the Getting Started After Deployment section to access the application and start using it.

Note
Estimated deployment time: Wazuh should be fully installed within 10-15 minutes after the Compute Instance has finished provisioning.

Configuration Options

  • Supported distributions: Ubuntu 22.04 LTS
  • Recommended plan: Wazuh recommends a minimum of a 4GB Linode, though an 8-core plan (32GB and up) is recommended for production.

Wazuh Options

  • Email address (required): Enter the email address to use for generating the SSL certificates.

Limited User (Optional)

You can optionally fill out the following fields to automatically create a limited user for your new Compute Instance. This is recommended for most deployments as an additional security measure. This account will be assigned to the sudo group, which provides elevated permission when running commands with the sudo prefix.

  • Limited sudo user: Enter your preferred username for the limited user.
  • Password for the limited user: Enter a strong password for the new user.
  • SSH public key for the limited user: If you wish to login as the limited user through public key authentication (without entering a password), enter your public key here. See Creating an SSH Key Pair and Configuring Public Key Authentication on a Server for instructions on generating a key pair.
  • Disable root access over SSH: To block the root user from logging in over SSH, select Yes (recommended). You can still switch to the root user once logged in and you can also log in as root through Lish.

Custom Domain (Optional)

If you wish to automatically configure a custom domain, you first need to configure your domain to use Linode’s name servers. This is typically accomplished directly through your registrar. See Use Linode’s Name Servers with Your Domain. Once that is finished, you can fill out the following fields for the Marketplace App:

  • Linode API Token: If you wish to use the Linode’s DNS Manager to manage DNS records for your custom domain, create a Linode API Personal Access Token on your account with Read/Write access to Domains. If this is provided along with the subdomain and domain fields (outlined below), the installation attempts to create DNS records via the Linode API. See Get an API Access Token. If you do not provide this field, you need to manually configure your DNS records through your DNS provider and point them to the IP address of the new instance.
  • Subdomain: The subdomain you wish to use, such as www for www.example.com.
  • Domain: The domain name you wish to use, such as example.com.

Warning
Do not use a double quotation mark character (") within any of the App-specific configuration fields, including user and database password fields. This special character may cause issues during deployment.

Getting Started after Deployment

View Credentials

  1. Log into your new Compute Instance through LISH or SSH using the root user and the password you entered when creating the instance.

  2. The usernames and passwords have been saved in a .deployment-secrets.txt file located in your root directory. You can view this file in your preferred text editor or through the cat command.

    cat /root/.deployment-secrets.txt

    This file contains all of your Wazuh credentials. The admin user and its associated password are needed when following the Access the Wazuh App section below.

    File: /root/.deployment-secrets.txt
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    
    # Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
      indexer_username: 'admin'
      indexer_password: '3O*NRpS5B5*sohufTz?TuM.Vef6zoN5d'
    
    # Wazuh dashboard user for establishing the connection with Wazuh indexer
      indexer_username: 'kibanaserver'
      indexer_password: 'Z.0M8rorxRS+DQfefe96N?.Cb+?byn7k'
    
    # Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
      indexer_username: 'kibanaro'
      indexer_password: 'W?PVE08Pk2AYE8*brrg4Ni+LXAbBKJl++2II'
    
    # Filebeat user for CRUD operations on Wazuh indices
      indexer_username: 'logstash'
      indexer_password: 'FGH6rDIgrg.zvXz?qZfQ1dv?2QAAQuiX7'
    
    # User with READ access to all indices
      indexer_username: 'readall'
      indexer_password: 'jVVugegfB0ldF+fNN?0bS0iMviFe8RnY'
    
    # User with permissions to perform snapshot and restore operations
      indexer_username: 'snapshotrestore'
      indexer_password: 'YN17mfegnWy*efeL30KC1Zz.7yrhCma7'
    
    # Password for wazuh API user
      api_username: 'wazuh'
      api_password: 'PtE5y+esjMmB74g4ttjY+ds0lGfP??uk'
    
    # Password for wazuh-wui API user
      api_username: 'wazuh-wui'
      api_password: '6?PPR1o0fwfgefLiBjbYxBz+icG0rGojT'

Access the Wazuh App

  1. Open a web browser and navigate to the domain you entered when creating the instance: https://domain.tld. If you did not enter a domain, use your Compute Instance’s default rDNS domain (192-0-2-1.ip.linodeusercontent.com). See the Managing IP Addresses guide for information on viewing the rDNS value. Ensure that you are securely accessing the website by prefixing https to the URL.

  2. In the login screen that appears, enter admin as the username and enter its corresponding password (which can be found by following the View Credentials section).

    Screenshot of the login page

Now that you’ve accessed your Wazuh instance, you need to configure a Wazuh Agent on the server you’d like to monitor with Wazuh.

For more documentation on Wazuh, check out the official Wazuh documentation to learn how to further utilize your instance.

Note
Currently, Linode does not manage software and systems updates for Marketplace Apps. It is up to the user to perform routine maintenance on software deployed in this fashion.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

This page was originally published on


Your Feedback Is Important

Let us know if this guide was helpful to you.