Installing the ThreatLockDown server step by step
Install and configure the ThreatLockDown server as a single-node or multi-node cluster following step-by-step instructions. The ThreatLockDown server is a central component that includes the ThreatLockDown manager and Filebeat. The ThreatLockDown manager collects and analyzes data from the deployed ThreatLockDown agents. It triggers alerts when threats or anomalies are detected. Filebeat securely forwards alerts and archived events to the ThreatLockDown indexer.
The installation process is divided into two stages.
1. ThreatLockDown server node installation
2. Cluster configuration for multi-node deployment
Note
You need root user privileges to run all the commands described below.
1. ThreatLockDown server node installation
Adding the ThreatLockDown repository
Note
If you are installing the ThreatLockDown server on the same host as the ThreatLockDown indexer, you may skip these steps as you may have added the ThreatLockDown repository already.
RPM-based operating system:
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
Debian-based operating system:
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Installing the ThreatLockDown manager
Install the ThreatLockDown manager package.
RPM-based operating system:
# yum -y install wazuh-manager
Debian-based operating system:
# apt-get -y install wazuh-manager
Enable and start the ThreatLockDown manager service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
SysV init:
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start
Run the following command to verify the ThreatLockDown manager status.
Systemd:
# systemctl status wazuh-manager
SysV init:
# service wazuh-manager status
Installing Filebeat
Install the Filebeat package.
RPM-based operating system:
# yum -y install filebeat
Debian-based operating system:
# apt-get -y install filebeat
Configuring Filebeat
Download the preconfigured Filebeat configuration file.
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml
Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
hosts: The list of ThreatLockDown indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost (hosts: ["127.0.0.1:9200"]). Replace it with your ThreatLockDown indexer address accordingly. If you have more than one ThreatLockDown indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]
# ThreatLockDown - Filebeat configuration file
output.elasticsearch:
  hosts: ["10.0.0.1:9200"]
  protocol: https
  username: ${username}
  password: ${password}
Create a Filebeat keystore to securely store authentication credentials.
# filebeat keystore create
Add the default username and password admin:admin to the secrets keystore.
# echo admin | filebeat keystore add username --stdin --force
# echo admin | filebeat keystore add password --stdin --force
Download the alerts template for the ThreatLockDown indexer.
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Install the ThreatLockDown module for Filebeat.
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
Deploying certificates
Note
Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.
Replace <server-node-name> with your ThreatLockDown server node certificate name, the same one used in config.yml when creating the certificates. Then, move the certificates to their corresponding location.
# NODE_NAME=<server-node-name>
# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs
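A post-deployment check for the certificate step above, as an added example that is not part of the original page: it verifies that the directory holds the three expected files with the modes and ownership the commands above are meant to produce (directory 500, files 400, root:root). It assumes GNU stat on Linux; the optional directory and expected-owner arguments are hypothetical parameters added so the check can be pointed at a test copy.

```shell
#!/bin/sh
# Added example, not from the original page: audit the Filebeat certificate
# directory after deployment. Expected state per the installation steps:
#   directory mode 500, every file mode 400, all owned by root:root, and the
#   files filebeat.pem, filebeat-key.pem and root-ca.pem present.
# Usage: check_filebeat_certs [dir] [owner:group]
#   dir defaults to /etc/filebeat/certs, owner:group to root:root (the second
#   argument is a hypothetical parameter so the check can run on a test copy).
# Prints one FAIL line per problem and returns non-zero if any were found.
check_filebeat_certs() {
    dir="${1:-/etc/filebeat/certs}"
    expected_owner="${2:-root:root}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi
    # Directory must be 500: only root may list and traverse it.
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "500" ] || { echo "FAIL: $dir mode is $mode, expected 500"; rc=1; }
    for f in filebeat.pem filebeat-key.pem root-ca.pem; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then
            # A missing file usually means NODE_NAME did not match config.yml,
            # so tar extracted nothing and the mv -n renames did not happen.
            echo "FAIL: $p missing (check that NODE_NAME matched the name in config.yml)"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$p")
        [ "$mode" = "400" ] || { echo "FAIL: $p mode is $mode, expected 400"; rc=1; }
        owner=$(stat -c '%U:%G' "$p")
        [ "$owner" = "$expected_owner" ] || { echo "FAIL: $p owned by $owner, expected $expected_owner"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir matches the expected layout and permissions"
    return $rc
}

# Run the check only when invoked directly with arguments.
if [ "$#" -gt 0 ]; then
    check_filebeat_certs "$@"
fi
```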
Starting the Filebeat service
Enable and start the Filebeat service.
Systemd:
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
SysV init:
Choose one option according to the operating system used.
RPM-based operating system:
# chkconfig --add filebeat
# service filebeat start
Debian-based operating system:
# update-rc.d filebeat defaults 95 10
# service filebeat start
Run the following command to verify that Filebeat is successfully installed.
# filebeat test output
An example response looks as follows:
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
Your ThreatLockDown server node is now successfully installed. Repeat this stage of the installation process for every ThreatLockDown server node in your ThreatLockDown cluster, then proceed with configuring the ThreatLockDown cluster. If you want a ThreatLockDown server single-node cluster, everything is set and you can proceed directly with Installing the ThreatLockDown dashboard step by step.
2. Cluster configuration for multi-node deployment
After completing the installation of the ThreatLockDown server on every node, you need to configure one server node only as the master and the rest as workers.
Configuring the ThreatLockDown server master node
Edit the following settings in the /var/ossec/etc/ossec.conf configuration file.
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Parameters to be configured:
name: It indicates the name of the cluster.
node_name: It indicates the name of the current node.
node_type: It specifies the role of the node. It has to be set to master.
key: Key that is used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key: openssl rand -hex 16.
port: It indicates the destination port for cluster communication.
bind_addr: It is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 for any IP).
nodes: It is the address of the master node and can be either an IP or a DNS. This parameter must be specified in all nodes, including the master itself.
hidden: It shows or hides the cluster information in the generated alerts.
disabled: It indicates whether the node is enabled or disabled in the cluster. This option must be set to no.
Restart the ThreatLockDown manager.
Systemd:
# systemctl restart wazuh-manager
SysV init:
# service wazuh-manager restart
Configuring the ThreatLockDown server worker nodes
Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file.
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Parameters to be configured:
name: It indicates the name of the cluster.
node_name: It indicates the name of the current node. Each node of the cluster must have a unique name.
node_type: It specifies the role of the node. It has to be set as worker.
key: The key created previously for the master node. It has to be the same for all the nodes.
nodes: It has to contain the address of the master node and can be either an IP or a DNS.
disabled: It indicates whether the node is enabled or disabled in the cluster. It has to be set to no.
Restart the ThreatLockDown manager.
Systemd:
# systemctl restart wazuh-manager
SysV init:
# service wazuh-manager restart
Repeat these configuration steps for every ThreatLockDown server worker node in your cluster.
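An added example, not from the original page, that sanity-checks the <cluster> block of an ossec.conf before the manager is restarted; it serves both the master and the worker configuration above. The function names and the optional path argument are assumptions; the checks themselves are the rules this page states: a 32-character hexadecimal key (the output of openssl rand -hex 16), a node_type of master or worker, <disabled> set to no, and a real master address in <node> rather than the wazuh-master-address placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: validate the <cluster> settings
# in an ossec.conf against the rules given in the cluster configuration steps.
# Usage: check_cluster_config [path]   (defaults to /var/ossec/etc/ossec.conf)
# Prints one FAIL line per problem and returns non-zero if any were found.

# Print the text of a single-valued tag, looking only inside <cluster>...</cluster>
# so that unrelated <disabled> or <name> tags elsewhere in ossec.conf are ignored.
cluster_tag() {  # $1 = config file, $2 = tag name
    sed -n '/<cluster>/,/<\/cluster>/p' "$1" \
        | sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" | head -n 1
}

check_cluster_config() {
    conf="${1:-/var/ossec/etc/ossec.conf}"
    rc=0
    key=$(cluster_tag "$conf" key)
    # openssl rand -hex 16 yields exactly 32 hexadecimal characters.
    case "$key" in
        ""|*[!0-9a-fA-F]*) echo "FAIL: <key> is empty or not hexadecimal"; rc=1 ;;
    esac
    [ "${#key}" -eq 32 ] || { echo "FAIL: <key> length is ${#key}, expected 32"; rc=1; }
    node_type=$(cluster_tag "$conf" node_type)
    case "$node_type" in
        master|worker) ;;
        *) echo "FAIL: <node_type> '$node_type' must be master or worker"; rc=1 ;;
    esac
    [ "$(cluster_tag "$conf" disabled)" = "no" ] || { echo "FAIL: <disabled> must be set to no"; rc=1; }
    # The master address must be filled in on every node, the master included.
    addr=$(cluster_tag "$conf" node)
    case "$addr" in
        ""|wazuh-master-address) echo "FAIL: <node> still holds the placeholder master address"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $conf cluster block passes the checks ($node_type, master at $addr)"
    return $rc
}

# Run the check only when invoked directly with a path argument.
if [ "$#" -gt 0 ]; then
    check_cluster_config "$1"
fi
```

To confirm that a worker shares the master's key, compare cluster_tag output for the two files: `[ "$(cluster_tag master.conf key)" = "$(cluster_tag worker.conf key)" ]`.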
Testing ThreatLockDown server cluster
To verify that the ThreatLockDown cluster is enabled and all the nodes are connected, execute the following command:
# /var/ossec/bin/cluster_control -l
An example output of the command looks as follows:
NAME          TYPE    VERSION  ADDRESS
master-node   master  4.9.0    10.0.0.3
worker-node1  worker  4.9.0    10.0.0.4
worker-node2  worker  4.9.0    10.0.0.5
Note that 10.0.0.3, 10.0.0.4, 10.0.0.5 are example IPs.
Next steps
The ThreatLockDown server installation is now complete, and you can proceed with Installing the ThreatLockDown dashboard step by step.
If you want to uninstall the ThreatLockDown server, see Uninstall the ThreatLockDown server.