使用docker安装wazuh
centos下安装wazuh
官方文档:
https://documentation.wazuh.com/3.9/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#wazuh-server-packages-centos
中文翻译版本:
https://www.cnblogs.com/backlion/p/10397092.html
需要改动此数值,不然wazuh/wazuh-elasticsearch:3.9.3_7.2.0这个容器会启动失败的.
max_map_count文件包含限制一个进程可以拥有的VMA(虚拟内存区域)的数量。虚拟内存区域是一个连续的虚拟地址空间区域。在进程的生命周期中,每当程序尝试在内存中映射文件,链接到共享内存段,或者分配堆空间的时候,这些区域将被创建。调优这个值将限制进程可拥有VMA的数量。限制一个进程拥有VMA的总数可能导致应用程序出错,因为当进程达到了VMA上线但又只能释放少量的内存给其他的内核进程使用时,操作系统会抛出内存不足的错误。如果你的操作系统在NORMAL区域仅占用少量的内存,那么调低这个值可以帮助释放内存给内核用。默认值是65535
262144是默认值的4倍.
sysctl -w vm.max_map_count=262144
docker的官方指引
https://documentation.wazuh.com/3.9/docker/wazuh-container.html
首先要安装docker和docker-compose
- 安装依赖包
sudo yum install -y yum-utils
device-mapper-persistent-data
lvm2
- 添加源
sudo yum-config-manager
--add-repo
https://download.docker.com/linux/centos/docker-ce.repo
- 安装和启动
sudo yum-config-manager --enable docker-ce-nightly
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
-
docker-compose安装:
-
安装和测试docker-compose
- 下载docker-compose可执行文件
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - 设可执行权限
sudo chmod +x /usr/local/bin/docker-compose - 软连接到/usr/bin
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose - 查看安装是否成功
docker-compose --version
- 下载docker-compose可执行文件
-
使用docker-compose安装
- 下载
Wazuh repository
git clone https://github.com/wazuh/wazuh-docker.git -b 3.9.5_7.2.1 --single-branch
-
使用后台安装
-
docker-compose up -d
-
-
默认端口
1514 Wazuh UDP 1515 Wazuh TCP 514 Wazuh UDP 55000 Wazuh API 9200 Elasticsearch HTTP 80 Nginx http 443 Nginx https
官方的k8s部署.(照搬来了)
-
Deployment
Clone this repository to deploy the necessary services and pods.
$ git clone https://github.com/wazuh/wazuh-kubernetes.git $ cd wazuh-kubernetes3.1. Wazuh namespace and StorageClass
The Wazuh namespace is used to handle all the Kubernetes elements (services, deployments, pods) necessary for Wazuh. In addition, you must create a StorageClass to use AWS EBS storage in our StatefulSet applications.
$ kubectl apply -f base/wazuh-ns.yaml $ kubectl apply -f base/aws-gp2-storage-class.yaml3.2. Deploy Elasticsearch
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-svc.yaml $ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-api-svc.yaml $ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-sts.yaml3.3. Deploy Kibana and Nginx
In case you need to provide a domain name, update the domainName annotation value in the
nginx-svc.yamlfile before deploying that service. You should also set a valid AWS ACM certificate ARN in thenginx-svc.yamlfor the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation. That certificate should match with the domainName.$ kubectl apply -f elastic_stack/kibana/kibana-svc.yaml $ kubectl apply -f elastic_stack/kibana/nginx-svc.yaml $ kubectl apply -f elastic_stack/kibana/kibana-deploy.yaml $ kubectl apply -f elastic_stack/kibana/nginx-deploy.yaml3.4. Deploy Logstash
$ kubectl apply -f elastic_stack/logstash/logstash-svc.yaml $ kubectl apply -f elastic_stack/logstash/logstash-deploy.yaml -
Deploy Wazuh
$ kubectl apply -f wazuh_managers/wazuh-master-svc.yaml $ kubectl apply -f wazuh_managers/wazuh-cluster-svc.yaml $ kubectl apply -f wazuh_managers/wazuh-workers-svc.yaml $ kubectl apply -f wazuh_managers/wazuh-master-conf.yaml $ kubectl apply -f wazuh_managers/wazuh-worker-0-conf.yaml $ kubectl apply -f wazuh_managers/wazuh-worker-1-conf.yaml $ kubectl apply -f wazuh_managers/wazuh-master-sts.yaml $ kubectl apply -f wazuh_managers/wazuh-worker-0-sts.yaml $ kubectl apply -f wazuh_managers/wazuh-worker-1-sts.yaml
Verifying the deployment
Namespace
$ kubectl get namespaces | grep wazuh wazuh Active 12m
Services
$ kubectl get services -n wazuh NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE elasticsearch ClusterIP xxx.yy.zzz.24 <none> 9200/TCP 12m kibana ClusterIP xxx.yy.zzz.76 <none> 5601/TCP 11m logstash ClusterIP xxx.yy.zzz.41 <none> 5000/TCP 10m wazuh LoadBalancer xxx.yy.zzz.209 internal-a7a8... 1515:32623/TCP,55000:30283/TCP 9m wazuh-cluster ClusterIP None <none> 1516/TCP 9m wazuh-elasticsearch ClusterIP None <none> 9300/TCP 12m wazuh-nginx LoadBalancer xxx.yy.zzz.223 internal-a3b1... 80:31831/TCP,443:30974/TCP 11m wazuh-workers LoadBalancer xxx.yy.zzz.26 internal-a7f9... 1514:31593/TCP 9m
Deployments
$ kubectl get deployments -n wazuh NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE wazuh-kibana 1 1 1 1 11m wazuh-logstash 1 1 1 1 10m wazuh-nginx 1 1 1 1 11m
Statefulset
$ kubectl get statefulsets -n wazuh NAME DESIRED CURRENT AGE wazuh-elasticsearch 1 1 13m wazuh-manager-master 1 1 9m wazuh-manager-worker-0 1 1 9m wazuh-manager-worker-1 1 1 9m
Pods
$ kubectl get pods -n wazuh NAME READY STATUS RESTARTS AGE wazuh-elasticsearch-0 1/1 Running 0 15m wazuh-kibana-f4d9c7944-httsd 1/1 Running 0 14m wazuh-logstash-777b7cd47b-7cxfq 1/1 Running 0 13m wazuh-manager-master-0 1/1 Running 0 12m wazuh-manager-worker-0-0 1/1 Running 0 11m wazuh-manager-worker-1-0 1/1 Running 0 11m wazuh-nginx-748fb8494f-xwwhw 1/1 Running 0 14m
Accesing Kibana
In case you created domain names for the services, you should be able to access Kibana using the proposed domain name:
https://wazuh.your-domain.com.Also, you can access using the DNS (Eg:
https://internal-xxx-yyy.us-east-1.elb.amazonaws.com):$ kubectl get services -o wide -n wazuh NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR wazuh-nginx LoadBalancer xxx.xx.xxx.xxx internal-xxx-yyy.us-east-1.elb.amazonaws.com 80:3