Install ThreatLockDown indexer and dashboard

In the ThreatLockDown Ansible repository, we can find the playbooks and roles necessary to install the ThreatLockDown indexer and dashboard components. The Ansible server must have access to the indexer and dashboard server.

Warning

In previous versions of this guide, the playbooks pointed to roles that installed Open Distro. Starting with ThreatLockDown v4.3.0, those roles have been replaced by the ThreatLockDown indexer and dashboard roles.

1 - Accessing the wazuh-ansible directory

On the Ansible server, we change to the directory into which we cloned the repository. Running the command below from that directory lists the roles we have:

# cd /etc/ansible/roles/wazuh-ansible/
# tree roles -d
roles
├── ansible-galaxy
│   └── meta
└── wazuh
  ├── ansible-filebeat-oss
  │   ├── defaults
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   └── templates
  ├── ansible-wazuh-agent
  │   ├── defaults
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   └── templates
  ├── ansible-wazuh-manager
  │   ├── defaults
  │   ├── files
  │   │   └── custom_ruleset
  │   │       ├── decoders
  │   │       └── rules
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   ├── templates
  │   └── vars
  ├── wazuh-dashboard
  │   ├── defaults
  │   ├── handlers
  │   ├── tasks
  │   ├── templates
  │   └── vars
  └── wazuh-indexer
      ├── defaults
      ├── handlers
      ├── meta
      ├── tasks
      └── templates

And we can list the preconfigured playbooks by running the command below:

root@ansible:/etc/ansible/roles/wazuh-ansible# tree playbooks/
playbooks
├── ansible.cfg
├── wazuh-agent.yml
├── wazuh-dashboard.yml
├── wazuh-indexer.yml
├── wazuh-manager-oss.yml
├── wazuh-production-ready.yml
└── wazuh-single.yml

Using the dashboard and indexer roles, we will install and configure the ThreatLockDown dashboard and indexer components. Below is the content of the playbook /etc/ansible/roles/wazuh-ansible/playbooks/wazuh-indexer.yml:

---
- hosts: wi_cluster
  roles:
    - role: ../roles/wazuh/wazuh-indexer

  vars:
    instances:           # A certificate will be generated for every node using the name as CN.
      node1:
        name: node-1
        ip: <node-1 IP>
        role: indexer
      node2:
        name: node-2
        ip: <node-2 IP>
        role: indexer
      node3:
        name: node-3
        ip: <node-3 IP>
        role: indexer

Below is the content of the playbook /etc/ansible/roles/wazuh-ansible/playbooks/wazuh-dashboard.yml:

---
- hosts: wi1
  roles:
    - role: ../roles/wazuh/wazuh-dashboard
  vars:
    ansible_shell_allow_world_readable_temp: true

These files are designed to run the installations of each service individually.

Let's take a closer look at the content.

  • The hosts: line indicates the endpoints on which the tasks of the playbook will be executed.

  • The roles: section indicates the roles that will be executed on the hosts.

There are several variables we can use to customize the installation or configuration. If we want to change the default configuration:

  • We can change the following files:

    • /etc/ansible/roles/wazuh-ansible/roles/wazuh/wazuh-dashboard/defaults/main.yml

    • /etc/ansible/roles/wazuh-ansible/roles/wazuh/wazuh-indexer/defaults/main.yml

  • Alternatively, we can also create another YAML file containing only the values we want to change for each role. More information about the roles can be found below.

More details on default configuration variables can be found in the variables references section.

2 - Preparing to run the playbook

We can configure the indexer and dashboard playbooks and run them individually, or create a single playbook that installs both services on our all-in-one ThreatLockDown server. In this case, we choose a single file to execute the installation.

Create the file wazuh-indexer-and-dashboard.yml in the playbooks directory.

# touch playbooks/wazuh-indexer-and-dashboard.yml

Fill it with the content below:

- hosts: all_in_one
  roles:
    - role: ../roles/wazuh/wazuh-indexer
      perform_installation: false
  become: no
  vars:
    indexer_node_master: true
    instances:
      node1:
        name: node-1       # Important: must be equal to indexer_node_name.
        ip: 127.0.0.1
        role: indexer
  tags:
    - generate-certs

- hosts: all_in_one
  become: yes
  become_user: root
  roles:
    - role: ../roles/wazuh/wazuh-indexer
    - role: ../roles/wazuh/wazuh-dashboard

  vars:
    single_node: true
    indexer_network_host: 127.0.0.1
    ansible_shell_allow_world_readable_temp: true
    instances:           # A certificate will be generated for every node using the name as CN.
      node1:
        name: node-1
        ip: 127.0.0.1
        role: indexer

As we can see, we have set the indexer_network_host entry to the IP address of our dashboard and indexer server.
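Before running the playbook, it is worth checking the few things this guide flags as easy to get wrong: a placeholder such as <node-1 IP> left in an instance entry, an instance name that differs from indexer_node_name, a certificate-generation play that uses become, an installation play that does not, and an indexer_network_host that does not match any instance IP. The pre-flight checker below is an added example and is not part of the wazuh-ansible project; it assumes the playbook has already been loaded into Python lists and dicts (the shape PyYAML's yaml.safe_load returns) and that the roles are referenced by the same ../roles/wazuh/... paths the guide uses. The two sample playbooks are constructed here: one mirrors the guide's wazuh-indexer-and-dashboard.yml, the other deliberately contains the mistakes listed above.

```python
"""Pre-flight checks for a wazuh-indexer-and-dashboard.yml playbook.

Added example, not code from the wazuh-ansible project. It expects the playbook
already loaded into Python lists/dicts (what yaml.safe_load returns) and reports
the mistakes the guide warns about before ansible-playbook is run.
"""
import ipaddress
import re

PLACEHOLDER = re.compile(r"<[^>]*>")            # e.g. "<node-1 IP>" left unfilled
INDEXER_ROLE = "../roles/wazuh/wazuh-indexer"   # role path as used in the guide


def _roles(play):
    """Yield (role_path, entry_dict) for each role entry of a play."""
    for entry in play.get("roles") or []:
        if isinstance(entry, dict):
            yield entry.get("role"), entry
        else:
            yield entry, {}


def _check_instances(no, instances, vars_, problems):
    """Validate the 'instances' map that drives certificate generation."""
    expected = vars_.get("indexer_node_name")      # instance name must equal it
    net_host = vars_.get("indexer_network_host")
    ips = []
    instances = instances or {}
    for key, inst in instances.items():
        for field in ("name", "ip", "role"):
            if field not in inst:
                problems.append(f"play {no}: instance {key} lacks '{field}'")
        ip = str(inst.get("ip", ""))
        if PLACEHOLDER.search(ip):
            problems.append(f"play {no}: instance {key} still has placeholder IP {ip!r}")
        else:
            try:
                ips.append(ipaddress.ip_address(ip))
            except ValueError:
                problems.append(f"play {no}: instance {key} IP {ip!r} is not an IP address")
        if expected is not None and inst.get("name") != expected:
            problems.append(f"play {no}: instance {key} name {inst.get('name')!r} "
                            f"differs from indexer_node_name {expected!r}")
    if vars_.get("single_node") and len(instances) > 1:
        problems.append(f"play {no}: single_node is true but {len(instances)} instances are listed")
    if net_host is not None and ips:
        try:
            if ipaddress.ip_address(str(net_host)) not in ips:
                problems.append(f"play {no}: indexer_network_host {net_host!r} "
                                f"is not one of the instance IPs")
        except ValueError:
            problems.append(f"play {no}: indexer_network_host {net_host!r} is not an IP address")


def validate_playbook(plays):
    """Return a list of problem strings; an empty list means the playbook passes."""
    problems = []
    if not isinstance(plays, list) or not plays:
        return ["playbook must be a non-empty list of plays"]
    for no, play in enumerate(plays, 1):
        if "hosts" not in play:
            problems.append(f"play {no}: missing 'hosts'")
        vars_ = play.get("vars") or {}
        for path, entry in _roles(play):
            if path != INDEXER_ROLE:
                continue
            if entry.get("perform_installation") is False:
                # certificate-generation play: the guide runs it with become: no
                if play.get("become"):
                    problems.append(f"play {no}: certificate generation play should not use become")
            elif not play.get("become"):
                # installation play: installing packages needs root, so become: yes
                problems.append(f"play {no}: indexer installation play needs become: yes")
        if "instances" in vars_:
            _check_instances(no, vars_["instances"], vars_, problems)
    return problems


# Constructed sample mirroring the guide's wazuh-indexer-and-dashboard.yml
GOOD_PLAYBOOK = [
    {"hosts": "all_in_one", "become": False, "tags": ["generate-certs"],
     "roles": [{"role": INDEXER_ROLE, "perform_installation": False}],
     "vars": {"indexer_node_master": True,
              "instances": {"node1": {"name": "node-1", "ip": "127.0.0.1", "role": "indexer"}}}},
    {"hosts": "all_in_one", "become": True, "become_user": "root",
     "roles": [{"role": INDEXER_ROLE}, {"role": "../roles/wazuh/wazuh-dashboard"}],
     "vars": {"single_node": True, "indexer_network_host": "127.0.0.1",
              "ansible_shell_allow_world_readable_temp": True,
              "instances": {"node1": {"name": "node-1", "ip": "127.0.0.1", "role": "indexer"}}}},
]

# Constructed broken variant: no become, placeholder IP left in, node name mismatch
BAD_PLAYBOOK = [
    {"hosts": "all_in_one", "roles": [{"role": INDEXER_ROLE}],
     "vars": {"indexer_node_name": "node-1", "indexer_network_host": "127.0.0.1",
              "instances": {"node1": {"name": "node-01", "ip": "<node-1 IP>", "role": "indexer"}}}},
]

if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, only needed to load a real playbook file from argv[1]
    with open(sys.argv[1]) as fh:
        plays = yaml.safe_load(fh)
    for line in validate_playbook(plays) or ["OK: no problems found"]:
        print(line)
```

Run it as python check_playbook.py playbooks/wazuh-indexer-and-dashboard.yml from the cloned directory; an empty problem list means the structure matches what the guide expects, while each reported line names the play and the offending key. The check on indexer_network_host is a consistency check only: the indexer binds to that address, so it must be an address the certificate was generated for.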

3 - Running the playbook

Now it seems that we are ready to run the playbook and start the installation. However, some of the operations to be performed on the remote systems need sudo permissions. We can solve this in several ways, such as entering the password when Ansible prompts for it or using the become option (to avoid entering passwords one by one).

  1. Let's run the playbook.

    Switch to the playbooks folder on the Ansible server and proceed to run the command below:

    # ansible-playbook wazuh-indexer-and-dashboard.yml -b -K
    
  2. We can check the status of our new services on our ThreatLockDown indexer and dashboard server.

    • ThreatLockDown indexer

      # systemctl status wazuh-indexer
      
    • ThreatLockDown dashboard

      # systemctl status wazuh-dashboard
      

Note

  • The ThreatLockDown dashboard can be accessed by visiting https://<wazuh_server_IP>

  • The default credentials for ThreatLockDown deployed using Ansible are:

    Username: admin
    Password: changeme

    These credentials should be changed using the password changing tool.