Installing Wazuh with Docker
Published: 2019-06-06


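Installing Wazuh on CentOS

Official documentation:

Chinese translation:

The vm.max_map_count value must be changed, otherwise the wazuh/wazuh-elasticsearch:3.9.3_7.2.0 container will fail to start.

The max_map_count file holds the limit on the number of VMAs (virtual memory areas) a process may own. A virtual memory area is a contiguous region of virtual address space. During the lifetime of a process, these areas are created whenever the program maps a file into memory, attaches to a shared memory segment, or allocates heap space. Tuning this value limits the number of VMAs a process can own. Limiting the total number of VMAs a process owns can cause applications to fail, because the operating system raises an out-of-memory error when a process has reached its VMA limit but can only release a small amount of memory for other kernel processes. If your operating system uses only a small amount of memory in the NORMAL zone, lowering this value can help free memory for the kernel. The default value is 65535.

262144 is 4 times the default value.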

sysctl -w vm.max_map_count=262144
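
`sysctl -w` changes only the running kernel, so the value is lost at reboot and the Elasticsearch container will fail to start again. The check below is an added example, not part of the original post; the function names, status strings and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check vm.max_map_count at runtime and in persistent config.
REQUIRED=262144   # value used on this page

# Print the runtime value from a proc-style file (default: the live kernel).
runtime_value() {
    cat "${1:-/proc/sys/vm/max_map_count}"
}

# Print the last vm.max_map_count assignment in the given sysctl config files.
# Later files win, so pass them in the order the system loads them.
persisted_value() {
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null |
        sed -n 's/^[ 	]*vm\.max_map_count[ 	]*=[ 	]*\([0-9][0-9]*\).*$/\1/p' |
        tail -n 1
}

# audit_max_map_count PROC_FILE [CONF_FILE...]
# Prints a verdict; returns 0 only if runtime and persisted values are enough.
audit_max_map_count() {
    proc_file=$1; shift
    run=$(runtime_value "$proc_file")
    keep=$(persisted_value "$@")
    if [ "$run" -lt "$REQUIRED" ]; then
        echo "runtime-too-low"; return 1
    fi
    if [ -z "$keep" ] || [ "$keep" -lt "$REQUIRED" ]; then
        echo "not-persistent"; return 2
    fi
    echo "ok"
}

# Constructed demo: the state right after "sysctl -w" with no config file entry.
demo=$(mktemp -d)
echo 262144 > "$demo/max_map_count"
echo "# no vm.max_map_count here" > "$demo/sysctl.conf"
audit_max_map_count "$demo/max_map_count" "$demo/sysctl.conf" || true
rm -rf "$demo"
```

On a real host, call `audit_max_map_count /proc/sys/vm/max_map_count /etc/sysctl.d/*.conf /etc/sysctl.conf`; a `not-persistent` verdict is fixed by putting `vm.max_map_count=262144` in a file under `/etc/sysctl.d/`.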

Docker's official guide

First, install docker and docker-compose.

  • Install the dependency packages
sudo yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
  • Add the repository
sudo yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo
  • Install and start
sudo yum-config-manager --enable docker-ce-nightly
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
  • Install docker-compose:

    • Install and test docker-compose

      Official documentation

      • Download the docker-compose executable
        sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
      • Make it executable
        sudo chmod +x /usr/local/bin/docker-compose
      • Symlink it into /usr/bin
        sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
      • Check that the installation succeeded
        docker-compose --version

Installing with docker-compose

  • Clone the Wazuh repository
git clone https://github.com/wazuh/wazuh-docker.git -b 3.9.5_7.2.1 --single-branch
  • Start the stack in the background

    docker-compose up -d
  • Default ports

    1514 Wazuh UDP
    1515 Wazuh TCP
    514 Wazuh UDP
    55000 Wazuh API
    9200 Elasticsearch HTTP
    80 Nginx http
    443 Nginx https
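
Two of these ports are management interfaces (55000 Wazuh API, 9200 Elasticsearch HTTP), and Docker publishes a port on all host interfaces when the mapping has no host IP. The check below is an added example, not code from the original post or the Wazuh project; the function name, the choice of sensitive ports and the sample compose file are assumptions, and the real wazuh-docker file may differ.

```shell
#!/bin/sh
# Added example: flag management ports published on all host interfaces.
# Handles only the short "ports:" syntax [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]
# in a compose file indented with two spaces per level.

SENSITIVE="9200 55000"   # Elasticsearch HTTP and Wazuh API, from the list above

# exposed_ports FILE -> one line "service host_ip host_port container_port"
# per sensitive port that is not bound to 127.0.0.1.
exposed_ports() {
    awk -v sensitive="$SENSITIVE" '
        BEGIN { n = split(sensitive, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        /^  [A-Za-z0-9_-]+:[ \t]*$/ { svc = $1; sub(/:$/, "", svc); in_ports = 0; next }
        /^    ports:/               { in_ports = 1; next }
        /^    [A-Za-z_]+:/          { in_ports = 0 }
        in_ports && /^[ \t]*-/ {
            m = $0
            gsub(/^[ \t]*-[ \t]*|"|[ \t]+$/, "", m)   # drop list dash, quotes, trailing blanks
            sub(/\/(tcp|udp)$/, "", m)                # drop protocol suffix
            k = split(m, p, ":")
            if (k == 2)      { ip = "0.0.0.0"; host = p[1]; cont = p[2] }  # no host IP: all interfaces
            else if (k == 3) { ip = p[1];      host = p[2]; cont = p[3] }
            else next
            if ((cont in want) && ip != "127.0.0.1") print svc, ip, host, cont
        }
    ' "$1"
}

# Constructed sample (not the real wazuh-docker compose file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  wazuh:
    ports:
      - "1514:1514/udp"
      - "55000:55000"
  elasticsearch:
    ports:
      - "127.0.0.1:9200:9200"
EOF
exposed_ports "$sample"
rm -f "$sample"
```

Each line printed is a mapping to either bind to a specific host address (as the sample does for 9200) or filter at the host firewall.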

Official Kubernetes deployment (copied as-is)

  1. Deployment

    Clone this repository to deploy the necessary services and pods.

    $ git clone https://github.com/wazuh/wazuh-kubernetes.git
    $ cd wazuh-kubernetes

    3.1. Wazuh namespace and StorageClass

    The Wazuh namespace is used to handle all the Kubernetes elements (services, deployments, pods) necessary for Wazuh. In addition, you must create a StorageClass to use AWS EBS storage in our StatefulSet applications.

    $ kubectl apply -f base/wazuh-ns.yaml
    $ kubectl apply -f base/aws-gp2-storage-class.yaml

    3.2. Deploy Elasticsearch

    $ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-svc.yaml
    $ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-api-svc.yaml
    $ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-sts.yaml

    3.3. Deploy Kibana and Nginx

    In case you need to provide a domain name, update the domainName annotation value in the nginx-svc.yaml file before deploying that service. You should also set a valid AWS ACM certificate ARN in the nginx-svc.yaml for the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation. That certificate should match the domainName.

    $ kubectl apply -f elastic_stack/kibana/kibana-svc.yaml
    $ kubectl apply -f elastic_stack/kibana/nginx-svc.yaml
    $ kubectl apply -f elastic_stack/kibana/kibana-deploy.yaml
    $ kubectl apply -f elastic_stack/kibana/nginx-deploy.yaml

    3.4. Deploy Logstash

    $ kubectl apply -f elastic_stack/logstash/logstash-svc.yaml
    $ kubectl apply -f elastic_stack/logstash/logstash-deploy.yaml
  2. Deploy Wazuh

    $ kubectl apply -f wazuh_managers/wazuh-master-svc.yaml
    $ kubectl apply -f wazuh_managers/wazuh-cluster-svc.yaml
    $ kubectl apply -f wazuh_managers/wazuh-workers-svc.yaml
    $ kubectl apply -f wazuh_managers/wazuh-master-conf.yaml
    $ kubectl apply -f wazuh_managers/wazuh-worker-0-conf.yaml
    $ kubectl apply -f wazuh_managers/wazuh-worker-1-conf.yaml
    $ kubectl apply -f wazuh_managers/wazuh-master-sts.yaml
    $ kubectl apply -f wazuh_managers/wazuh-worker-0-sts.yaml
    $ kubectl apply -f wazuh_managers/wazuh-worker-1-sts.yaml

Verifying the deployment

Namespace

$ kubectl get namespaces | grep wazuh
wazuh         Active    12m

Services

$ kubectl get services -n wazuh
NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                          AGE
elasticsearch         ClusterIP      xxx.yy.zzz.24    <none>             9200/TCP                         12m
kibana                ClusterIP      xxx.yy.zzz.76    <none>             5601/TCP                         11m
logstash              ClusterIP      xxx.yy.zzz.41    <none>             5000/TCP                         10m
wazuh                 LoadBalancer   xxx.yy.zzz.209   internal-a7a8...   1515:32623/TCP,55000:30283/TCP   9m
wazuh-cluster         ClusterIP      None             <none>             1516/TCP                         9m
wazuh-elasticsearch   ClusterIP      None             <none>             9300/TCP                         12m
wazuh-nginx           LoadBalancer   xxx.yy.zzz.223   internal-a3b1...   80:31831/TCP,443:30974/TCP       11m
wazuh-workers         LoadBalancer   xxx.yy.zzz.26    internal-a7f9...   1514:31593/TCP                   9m

Deployments

$ kubectl get deployments -n wazuh
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
wazuh-kibana     1         1         1            1           11m
wazuh-logstash   1         1         1            1           10m
wazuh-nginx      1         1         1            1           11m

Statefulset

$ kubectl get statefulsets -n wazuh
NAME                     DESIRED   CURRENT   AGE
wazuh-elasticsearch      1         1         13m
wazuh-manager-master     1         1         9m
wazuh-manager-worker-0   1         1         9m
wazuh-manager-worker-1   1         1         9m

Pods

$ kubectl get pods -n wazuh
NAME                              READY     STATUS    RESTARTS   AGE
wazuh-elasticsearch-0             1/1       Running   0          15m
wazuh-kibana-f4d9c7944-httsd      1/1       Running   0          14m
wazuh-logstash-777b7cd47b-7cxfq   1/1       Running   0          13m
wazuh-manager-master-0            1/1       Running   0          12m
wazuh-manager-worker-0-0          1/1       Running   0          11m
wazuh-manager-worker-1-0          1/1       Running   0          11m
wazuh-nginx-748fb8494f-xwwhw      1/1       Running   0          14m

Accessing Kibana

In case you created domain names for the services, you should be able to access Kibana using the proposed domain name: https://wazuh.your-domain.com.

Also, you can access it using the load balancer's DNS name (e.g. https://internal-xxx-yyy.us-east-1.elb.amazonaws.com):

$ kubectl get services -o wide -n wazuh
NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP                                                    PORT(S)                          AGE       SELECTOR
wazuh-nginx           LoadBalancer   xxx.xx.xxx.xxx   internal-xxx-yyy.us-east-1.elb.amazonaws.com                   80:3

Reposted from: https://www.cnblogs.com/lovesKey/p/11497998.html
