Wazuh 4.12.0 + OpenSearch 2.19.2 + Filebeat Integration Guide#

Complete Setup for Alert Correlation and Advanced Visualization

Table of Contents#

Architecture Overview#

1
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
2
│   Wazuh Agent   │    │   Wazuh Agent   │    │   Wazuh Agent   │
3
│   (Endpoints)   │    │   (Endpoints)   │    │   (Endpoints)   │
4
└─────────┬───────┘    └─────────┬───────┘    └─────────┬───────┘
5
          │                      │                      │
6
          └──────────────────────┼──────────────────────┘
7
                                 │
8
                    ┌─────────────▼─────────────┐
9
                    │     Wazuh Manager         │
10
                    │       (4.12.0)           │
11
                    │  - Alert Processing       │
12
                    │  - Rule Engine            │
13
                    │  - Correlation Engine     │
14
                    └─────────────┬─────────────┘
15
                                  │
16
                        ┌─────────▼─────────┐
17
                        │    Filebeat       │
18
                        │   (Official)      │
19
                        │ - Data Shipping   │
20
                        │ - SSL/TLS        │
21
                        └─────────┬─────────┘
22
                                  │
23
                    ┌─────────────▼─────────────┐
24
                    │    OpenSearch            │
25
                    │     (2.19.2)            │
26
                    │  - Data Storage          │
27
                    │  - Full-text Search      │
28
                    │  - Aggregations          │
29
                    └─────────────┬─────────────┘
30
                                  │
31
                    ┌─────────────▼─────────────┐
32
                    │ OpenSearch Dashboards    │
33
                    │     (2.19.2)            │
34
                    │  - Visualizations        │
35
                    │  - Custom Dashboards     │
36
                    │  - Real-time Monitoring  │
37
                    └───────────────────────────┘

Prerequisites#

System Requirements#

OS: Ubuntu 20.04/22.04 LTS, CentOS 7/8, RHEL 7/8
RAM: Minimum 8GB (16GB recommended for production)
CPU: 4+ cores
Disk: 100GB+ available space
Network: All nodes should communicate on required ports

Required Ports#

Service	Port	Protocol	Description
Wazuh Manager	1514	TCP/UDP	Agent communication
Wazuh Manager	1515	TCP	Agent enrollment
Wazuh API	55000	TCP	RESTful API
OpenSearch	9200	TCP	REST API
OpenSearch	9300	TCP	Transport (cluster)
OpenSearch Dashboards	5601	TCP	Web interface
Filebeat	-	-	Outbound to OpenSearch

Installation Steps#

Step 1: System Preparation#

1
# Update system packages
2
sudo apt update && sudo apt upgrade -y
3

4
# Install required dependencies
5
sudo apt install -y curl wget gnupg2 software-properties-common apt-transport-https ca-certificates
6

7
# Set system limits for OpenSearch
8
echo "* soft nofile 65536" | sudo tee -a /etc/security/limits.conf
9
echo "* hard nofile 65536" | sudo tee -a /etc/security/limits.conf
10
echo "* soft memlock unlimited" | sudo tee -a /etc/security/limits.conf
11
echo "* hard memlock unlimited" | sudo tee -a /etc/security/limits.conf
12

13
# Configure kernel parameters
14
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
15
sudo sysctl -p

Step 2: Install Java (Required for OpenSearch)#

1
# Install OpenJDK 11
2
sudo apt install -y openjdk-11-jdk
3

4
# Set JAVA_HOME
5
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' | sudo tee -a /etc/environment
6
source /etc/environment
7

8
# Verify installation
9
java -version

Step 3: Install OpenSearch#

1
# Add OpenSearch repository
2
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
3
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
4

5
# Update package list and install
6
sudo apt update
7
sudo apt install -y opensearch=2.19.2
8

9
# Configure OpenSearch
10
sudo cp opensearch.yml /etc/opensearch/opensearch.yml
11

12
# Enable and start service
13
sudo systemctl daemon-reload
14
sudo systemctl enable opensearch
15
sudo systemctl start opensearch
16

17
# Verify installation
18
curl -X GET "localhost:9200" -u admin:admin --insecure

Step 4: Install OpenSearch Dashboards#

1
# Install OpenSearch Dashboards
2
sudo apt install -y opensearch-dashboards=2.19.2
3

4
# Configure OpenSearch Dashboards
5
sudo cp opensearch_dashboards.yml /etc/opensearch-dashboards/opensearch_dashboards.yml
6

7
# Enable and start service
8
sudo systemctl enable opensearch-dashboards
9
sudo systemctl start opensearch-dashboards
10

11
# Access web interface
12
# https://localhost:5601 (admin/admin)

Step 5: Install Wazuh Manager#

1
# Add Wazuh repository
2
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
3
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
4
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
5

6
# Install Wazuh Manager
7
sudo apt update
8
sudo apt install -y wazuh-manager=4.12.0-*
9

10
# Enable and start service
11
sudo systemctl enable wazuh-manager
12
sudo systemctl start wazuh-manager
13

14
# Verify installation
15
sudo systemctl status wazuh-manager

Step 6: Install and Configure Filebeat#

1
# Add Elastic repository
2
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
3
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
4

5
# Install Filebeat
6
sudo apt update
7
sudo apt install -y filebeat=7.10.2
8

9
# Download Wazuh Filebeat module
10
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
11

12
# Configure Filebeat for OpenSearch
13
sudo cp filebeat_opensearch_config.yml /etc/filebeat/filebeat.yml
14

15
# Download Wazuh template for OpenSearch
16
sudo curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.12.0/extensions/elasticsearch/7.x/wazuh-template.json
17

18
# Configure authentication
19
echo 'OPENSEARCH_USERNAME=admin' | sudo tee -a /etc/default/filebeat
20
echo 'OPENSEARCH_PASSWORD=admin' | sudo tee -a /etc/default/filebeat
21

22
# Enable and start Filebeat
23
sudo systemctl enable filebeat
24
sudo systemctl start filebeat
25

26
# Test Filebeat connection
27
sudo filebeat test output

Configuration#

Wazuh Manager Configuration#

Edit /var/ossec/etc/ossec.conf:

1
<ossec_config>
2
  <global>
3
    <jsonout_output>yes</jsonout_output>
4
    <alerts_log>yes</alerts_log>
5
    <logall>no</logall>
6
    <logall_json>no</logall_json>
7
  </global>
8

9
  <alerts>
10
    <log_alert_level>3</log_alert_level>
11
    <email_alert_level>12</email_alert_level>
12
  </alerts>
13

14
  <!-- Enable vulnerability detection -->
15
  <vulnerability-detection>
16
    <enabled>yes</enabled>
17
    <index-status>yes</index-status>
18
    <feed-update-interval>60m</feed-update-interval>
19
  </vulnerability-detection>
20

21
  <!-- Configure indexer connection -->
22
  <indexer>
23
    <enabled>yes</enabled>
24
    <hosts>
25
      <host>https://127.0.0.1:9200</host>
26
    </hosts>
27
    <ssl>
28
      <certificate_authorities>
29
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
30
      </certificate_authorities>
31
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
32
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
33
    </ssl>
34
  </indexer>
35
</ossec_config>

SSL Certificate Generation#

1
# Create certificate directory
2
sudo mkdir -p /etc/filebeat/certs
3

4
# Generate certificates using the provided script
5
sudo ./generate_certificates.sh
6

7
# Set proper permissions
8
sudo chown -R root:root /etc/filebeat/certs
9
sudo chmod 600 /etc/filebeat/certs/*

Alert Correlation Implementation#

Basic Correlation Rules#

The correlation rules provide:

Brute Force Detection: Multiple failed login attempts
Successful Compromise: Login success after failed attempts
Lateral Movement: Network activity after successful login
Privilege Escalation: Critical file modifications
Data Exfiltration: Suspicious data transfer activities
Multi-stage Attacks: Advanced persistent threat detection

Implementation Steps#

1
# Copy correlation rules
2
sudo cp custom_correlation_rules.xml /var/ossec/etc/rules/local_rules.xml
3

4
# Set proper ownership
5
sudo chown root:ossec /var/ossec/etc/rules/local_rules.xml
6
sudo chmod 640 /var/ossec/etc/rules/local_rules.xml
7

8
# Restart Wazuh manager to load new rules
9
sudo systemctl restart wazuh-manager
10

11
# Verify rules are loaded
12
sudo /var/ossec/bin/ossec-logtest < test_log.txt

Custom Correlation Example#

Create advanced correlation for detecting credential stuffing:

1
<!-- Detect multiple failed logins from different IPs for same user -->
2
<rule id="100100" level="8" frequency="5" timeframe="600">
3
  <if_matched_sid>5710</if_matched_sid>
4
  <same_user />
5
  <description>Multiple failed login attempts for same user from different IPs</description>
6
  <group>credential_stuffing,authentication_failures</group>
7
  <mitre>
8
    <id>T1110.004</id>
9
  </mitre>
10
</rule>
11

12
<!-- Detect successful login after credential stuffing -->
13
<rule id="100101" level="12" timeframe="1800">
14
  <if_matched_sid>100100</if_matched_sid>
15
  <if_sid>5715</if_sid>
16
  <same_user />
17
  <description>Successful login after credential stuffing attempts</description>
18
  <group>credential_stuffing_success</group>
19
  <mitre>
20
    <id>T1110.004</id>
21
    <id>T1078</id>
22
  </mitre>
23
</rule>

Dashboard Creation#

OpenSearch Index Pattern Setup#

1
# Use the dashboard manager script
2
python3 dashboard_manager.py \
3
  --url https://localhost:9200 \
4
  --username admin \
5
  --password admin \
6
  --action create-pattern \
7
  --pattern-name "wazuh-alerts-*"

Custom Visualizations#

Security Overview Dashboard
- Alert trends over time
- Top attack sources
- MITRE ATT&CK mapping
- Agent status overview
Correlation Analysis Dashboard
- Multi-stage attack timelines
- User behavior analytics
- Network traffic patterns
- File integrity monitoring
Compliance Dashboard
- PCI DSS compliance status
- GDPR data protection events
- HIPAA security incidents
- NIST framework coverage

Creating Custom Searches#

1
{
2
  "query": {
3
    "bool": {
4
      "must": [
5
        {
6
          "range": {
7
            "rule.level": {
8
              "gte": 7
9
            }
10
          }
11
        },
12
        {
13
          "terms": {
14
            "rule.groups": ["attack", "authentication_failures"]
15
          }
16
        }
17
      ],
18
      "filter": [
19
        {
20
          "range": {
21
            "timestamp": {
22
              "gte": "now-24h"
23
            }
24
          }
25
        }
26
      ]
27
    }
28
  }
29
}

Troubleshooting#

Common Issues and Solutions#

1. Filebeat Connection Issues#

1
# Check Filebeat logs
2
sudo journalctl -u filebeat -f
3

4
# Test connection
5
sudo filebeat test output
6

7
# Common fixes:
8
# - Verify SSL certificates
9
# - Check OpenSearch credentials
10
# - Ensure proper file permissions

2. OpenSearch Memory Issues#

1
# Increase heap size in /etc/opensearch/jvm.options
2
-Xms4g
3
-Xmx4g
4

5
# Monitor memory usage
6
curl -X GET "localhost:9200/_nodes/stats/jvm?pretty" -u admin:admin --insecure

3. Wazuh Rule Loading Issues#

1
# Check rule syntax
2
sudo /var/ossec/bin/ossec-logtest
3

4
# Verify rule loading
5
sudo tail -f /var/ossec/logs/ossec.log
6

7
# Test specific rules
8
echo "test log message" | sudo /var/ossec/bin/ossec-logtest

4. Dashboard Loading Issues#

1
# Check OpenSearch Dashboards logs
2
sudo journalctl -u opensearch-dashboards -f
3

4
# Verify index patterns
5
curl -X GET "localhost:9200/_cat/indices/wazuh-*?v" -u admin:admin --insecure
6

7
# Clear browser cache and cookies

Performance Optimization#

OpenSearch Optimization#

1
cluster.routing.allocation.disk.threshold.enabled: true
2
cluster.routing.allocation.disk.watermark.low: 85%
3
cluster.routing.allocation.disk.watermark.high: 90%
4

5
# Index settings
6
indices.fielddata.cache.size: 40%
7
indices.breaker.fielddata.limit: 60%
8
indices.breaker.request.limit: 40%
9
indices.breaker.total.limit: 70%

Wazuh Manager Optimization#

1
<global>
2
  <max_agents>5000</max_agents>
3
  <white_list>127.0.0.1</white_list>
4
  <white_list>localhost</white_list>
5
</global>
6

7
<alerts>
8
  <log_alert_level>5</log_alert_level>
9
  <email_alert_level>12</email_alert_level>
10
</alerts>

Filebeat Optimization#

1
queue.mem:
2
  events: 8192
3
  flush.min_events: 1024
4
  flush.timeout: 5s
5

6
output.elasticsearch:
7
  worker: 2
8
  bulk_max_size: 2048
9
  template.settings:
10
    index.refresh_interval: 10s

Security Considerations#

SSL/TLS Configuration#

Ensure all communications are encrypted:

Wazuh Manager ↔ Agents
Filebeat ↔ OpenSearch
OpenSearch ↔ OpenSearch Dashboards
Client ↔ OpenSearch Dashboards

Access Control#

1
# Create restricted user for Filebeat
2
curl -X POST "localhost:9200/_plugins/_security/api/internalusers/filebeat" \
3
  -u admin:admin --insecure \
4
  -H 'Content-Type: application/json' \
5
  -d '{
6
    "password": "SecurePassword123!",
7
    "roles": ["filebeat_writer"]
8
  }'

Network Security#

Configure firewall rules
Use VPNs for remote agents
Implement network segmentation
Monitor for suspicious network activity

Monitoring and Maintenance#

Health Checks#

1
#!/bin/bash
2
echo "=== Wazuh Manager Status ==="
3
sudo systemctl status wazuh-manager
4

5
echo "=== OpenSearch Status ==="
6
curl -X GET "localhost:9200/_cluster/health?pretty" -u admin:admin --insecure
7

8
echo "=== Filebeat Status ==="
9
sudo systemctl status filebeat
10

11
echo "=== Agent Status ==="
12
sudo /var/ossec/bin/agent_control -l

Log Rotation#

1
# Configure logrotate for Wazuh logs
2
sudo cat > /etc/logrotate.d/wazuh << EOF
3
/var/ossec/logs/alerts/alerts.log {
4
    daily
5
    rotate 30
6
    compress
7
    delaycompress
8
    missingok
9
    notifempty
10
    postrotate
11
        /bin/kill -HUP `cat /var/ossec/var/run/ossec-logd*.pid 2> /dev/null` 2> /dev/null || true
12
    endscript
13
}
14
EOF

Conclusion#

This comprehensive setup provides:

Real-time security monitoring
Advanced threat correlation
Rich visualization capabilities
Scalable architecture
Compliance reporting
Performance optimization

For additional support, refer to: