Install ELK & Wazuh
install wazuh & ELK
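#!/usr/bin/env bash
# Runbook: Wazuh manager + API, Elastic Stack 6.x (Elasticsearch, Logstash,
# Kibana) and an nginx TLS / basic-auth reverse proxy in front of Kibana, on a
# yum-based host. Run as root, section by section: several steps are manual
# edits (marked "manual:"), htpasswd prompts for a password, and the host is
# rebooted before the final step.
set -e  # stop at the first failing install/start; `systemctl status` exits
        # non-zero when a unit is not active, so a failed service stops the
        # runbook here instead of being masked by later steps

# --- Wazuh repository (packages are GPG-checked, key fetched over HTTPS) ---
cat > /etc/yum.repos.d/wazuh.repo <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

# --- Wazuh manager ---
yum install wazuh-manager -y
systemctl start wazuh-manager
systemctl enable wazuh-manager
systemctl status wazuh-manager

# --- Wazuh API ---
yum install wazuh-api -y
systemctl start wazuh-api
systemctl enable wazuh-api
systemctl status wazuh-api

# ===== ELK =====
# Java runtime for Elasticsearch and Logstash
yum install java -y

# Elastic repository; the signing key is imported first so gpgcheck=1 can
# verify the packages installed below
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
cat > /etc/yum.repos.d/elasticsearch.repo <<'EOF'
[logstash-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum install elasticsearch kibana logstash -y

# manual: in /etc/elasticsearch/elasticsearch.yml (around line 40) uncomment /
# set these three lines. network.host: localhost keeps the unauthenticated
# Elasticsearch HTTP API off the network; only Kibana and Logstash on this
# host need to reach it.
#   bootstrap.memory_lock: true
#   network.host: localhost
#   http.port: 9200
nano /etc/elasticsearch/elasticsearch.yml

# manual: uncomment in /usr/lib/systemd/system/elasticsearch.service
#   LimitMEMLOCK=infinity
nano /usr/lib/systemd/system/elasticsearch.service

# manual: uncomment in /etc/sysconfig/elasticsearch
#   MAX_LOCKED_MEMORY=unlimited
nano /etc/sysconfig/elasticsearch

# --- Elasticsearch service ---
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch

# manual: uncomment / set in /etc/kibana/kibana.yml. server.host "localhost"
# means Kibana is reachable only through the nginx proxy configured below.
#   server.port: 5601
#   server.host: "localhost"
#   elasticsearch.url: "http://localhost:9200"
nano /etc/kibana/kibana.yml

# --- Kibana service ---
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
systemctl status kibana

# --- Logstash service ---
systemctl daemon-reload
systemctl enable logstash
systemctl start logstash
systemctl status logstash

# ===== nginx reverse proxy =====
yum install epel-release -y
yum install nginx httpd-tools -y

# manual: comment out the default "server { ... }" block in
# /etc/nginx/nginx.conf so it does not compete with the vhost written below.
nano /etc/nginx/nginx.conf

# Vhost: plain HTTP redirects to HTTPS; HTTPS requires basic auth and proxies
# to Kibana. The certificate and key at /opt/ssl.pem and /opt/ssl.key are NOT
# created by this runbook and must exist before nginx is started. The heredoc
# delimiter is quoted so $host/$request_uri reach nginx unexpanded.
cat > /etc/nginx/conf.d/elk.conf <<'EOF'
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl;
    ssl_certificate /opt/ssl.pem;
    ssl_certificate_key /opt/ssl.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
EOF

# Basic-auth user file, created before nginx starts so the first request does
# not fail on a missing auth_basic_user_file. Prompts for the password.
htpasswd -c /etc/nginx/conf.d/kibana.htpasswd admin

# --- nginx service ---
systemctl start nginx
systemctl enable nginx
systemctl status nginx

# Host firewall and SELinux are switched off below. A narrower alternative
# that keeps both on is to open only the proxy ports,
#   firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload
# and allow nginx to connect to Kibana under SELinux with
#   setsebool -P httpd_can_network_connect 1
systemctl stop firewalld
systemctl disable firewalld
# manual: change SELINUX=enforcing to SELINUX=disabled in /etc/sysconfig/selinux
nano /etc/sysconfig/selinux

# Wazuh index template for Elasticsearch. -f makes the download fail on an
# HTTP error instead of piping an HTML error page into the PUT; -S still
# reports the error on stderr.
curl -fsS https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/elasticsearch/wazuh-elastic6-template-alerts.json \
  | curl -fsS -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

# Logstash pipeline for Wazuh alerts; -f so a failed download does not leave
# an HTML error body behind as the pipeline config.
curl -fsSo /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/logstash/01-wazuh-local.conf
# group membership so logstash can read the Wazuh (ossec) alert files —
# presumably what 01-wazuh-local.conf tails; verify against that config
usermod -a -G ossec logstash

# Wazuh Kibana app, installed as the kibana user rather than root so the
# plugin files are owned by the account the kibana service runs as
# (NOTE(review): matches the Wazuh install docs — confirm for this version)
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.6.1_6.4.2.zip

# Reboot; everything below runs once the host is back up.
reboot

# Wazuh API credentials used by the Kibana app, see
# https://documentation.wazuh.com/current/user-manual/kibana-app/connect-kibana-app.html
# `htpasswd` here is the API's own node script; it prompts for the password.
cd /var/ossec/api/configuration/auth
node htpasswd -c user admin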