Installing Wazuh with Docker
Installing Wazuh on CentOS
Official documentation:
https://documentation.wazuh.com/3.9/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#wazuh-server-packages-centos
Chinese translation:
https://www.cnblogs.com/backlion/p/10397092.html
The following kernel value must be raised, otherwise the wazuh/wazuh-elasticsearch:3.9.3_7.2.0 container fails to start.
max_map_count
This file holds the limit on the number of VMAs (virtual memory areas) a single process may own. A virtual memory area is a contiguous region of virtual address space. Such areas are created during the lifetime of a process whenever the program maps a file into memory, attaches to a shared memory segment, or allocates heap space. Tuning this value limits the number of VMAs a process can own. Limiting the total number of VMAs a process may own can cause application errors, because when a process reaches the VMA limit but can only release a small amount of memory for other kernel processes, the operating system raises an out-of-memory error. If your operating system uses only a small amount of memory in the NORMAL zone, lowering this value can help release memory for the kernel. The default value is 65535.
262144 is four times the default.
sysctl -w vm.max_map_count=262144
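The `sysctl -w` above only changes the running kernel; the value is lost on reboot and the Elasticsearch container fails again on the next start. The script below is an added example (not from the original post or the Wazuh project): it checks the live value against the required one and, when it is too low, writes a sysctl.d drop-in before applying the setting. The drop-in path /etc/sysctl.d/99-wazuh-elasticsearch.conf is an assumed name.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the Wazuh project.
# Check vm.max_map_count against the value the Elasticsearch container needs
# and persist it across reboots when it has to be raised.

REQUIRED_MAP_COUNT=262144                                   # value used in the post
SYSCTL_DROPIN=/etc/sysctl.d/99-wazuh-elasticsearch.conf     # assumed drop-in name

# map_count_ok CURRENT REQUIRED -> 0 if CURRENT is a number >= REQUIRED
map_count_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty or non-numeric input is never OK
    esac
    [ "$1" -ge "$2" ]
}

# render_dropin REQUIRED -> prints the sysctl.d fragment that persists the setting
render_dropin() {
    printf 'vm.max_map_count = %s\n' "$1"
}

# current_map_count -> prints the live kernel value (Linux only)
current_map_count() {
    sysctl -n vm.max_map_count 2>/dev/null || cat /proc/sys/vm/max_map_count
}

# ensure_map_count REQUIRED -> leave a sufficient value alone; otherwise persist
# the new value in the drop-in and apply it to the running kernel.
ensure_map_count() {
    cur=$(current_map_count)
    if map_count_ok "$cur" "$1"; then
        echo "vm.max_map_count=$cur already satisfies $1"
        return 0
    fi
    echo "vm.max_map_count=$cur is below $1; raising and persisting"
    render_dropin "$1" > "$SYSCTL_DROPIN"
    sysctl -w "vm.max_map_count=$1"
}

# Only touch the system when asked explicitly (run as root: ./script --apply).
if [ "${1:-}" = "--apply" ]; then
    ensure_map_count "$REQUIRED_MAP_COUNT"
fi
```

Run it with `--apply` as root on the Docker host before `docker-compose up -d`; `sysctl --system` or a reboot re-reads the drop-in, so the container keeps starting after maintenance.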
Official Docker guide:
https://documentation.wazuh.com/3.9/docker/wazuh-container.html
First install docker and docker-compose.
- Install the dependency packages
  sudo yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
- Add the repository
  sudo yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo
- Install and start Docker
  sudo yum-config-manager --enable docker-ce-nightly
  sudo yum install docker-ce docker-ce-cli containerd.io
  sudo systemctl start docker
Installing and testing docker-compose
- Download the docker-compose binary
  sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- Make it executable
  sudo chmod +x /usr/local/bin/docker-compose
- Symlink it into /usr/bin
  sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
- Check that the installation succeeded
  docker-compose --version
Installing with docker-compose
- Clone the Wazuh repository
  git clone https://github.com/wazuh/wazuh-docker.git -b 3.9.5_7.2.1 --single-branch
- Start the stack in the background (detached)
  docker-compose up -d
Default ports
  1514   Wazuh          UDP
  1515   Wazuh          TCP
  514    Wazuh          UDP
  55000  Wazuh API
  9200   Elasticsearch  HTTP
  80     Nginx          HTTP
  443    Nginx          HTTPS
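After `docker-compose up -d`, it is worth confirming that the host exposes only the ports listed above and nothing else on all interfaces. The script below is an added example, not part of the original post or of wazuh-docker: it reads `ss -Hlntu` style lines, keeps only listeners bound to a wildcard address, and prints any proto/port pair missing from the documented list so it can be reviewed. The sample `ss` lines embedded in it are constructed, not captured from a real host.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the wazuh-docker project.
# Compare wildcard-bound listeners with the ports the post documents as defaults.

# Ports the post lists for the docker-compose deployment, as proto/port.
EXPECTED_PORTS="udp/1514 tcp/1515 udp/514 tcp/55000 tcp/9200 tcp/80 tcp/443"

# Constructed sample in `ss -Hlntu` layout: Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:1515 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:1514 0.0.0.0:*
tcp LISTEN 0 128 *:9200 *:*
tcp LISTEN 0 128 [::]:443 [::]:*
tcp LISTEN 0 128 127.0.0.1:5601 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:5601 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# is_expected PROTO PORT -> 0 if PROTO/PORT is in EXPECTED_PORTS
is_expected() {
    for p in $EXPECTED_PORTS; do
        [ "$p" = "$1/$2" ] && return 0
    done
    return 1
}

# unexpected_listeners < ss-output -> prints proto/port of listeners bound on all
# interfaces (0.0.0.0, *, [::]) that are not in the documented list, one per line.
# Loopback or address-specific binds are skipped: they are not reachable remotely.
unexpected_listeners() {
    while read -r proto _state _recvq _sendq laddr _rest; do
        [ -z "$proto" ] && continue
        port=${laddr##*:}            # text after the last colon is the port
        addr=${laddr%:*}             # everything before it is the address
        case "$addr" in
            0.0.0.0|'*'|'[::]'|'::') ;;   # wildcard bind: inspect
            *) continue ;;                # loopback or specific address: skip
        esac
        is_expected "$proto" "$port" || printf '%s/%s\n' "$proto" "$port"
    done
    return 0
}

# audit_sample -> runs the check over the constructed sample (expects tcp/5601, tcp/22)
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
}

# audit_live -> runs the check against the real host (needs iproute2 `ss`)
audit_live() {
    ss -Hlntu | unexpected_listeners
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

On the sample, 5601 on 127.0.0.1 is ignored while 5601 and 22 on 0.0.0.0 are reported; anything reported on a real host is either a service that should be restricted to the Docker network or a host daemon that deserves its own firewall decision.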
Official Kubernetes deployment (copied over as-is)
Deployment
Clone this repository to deploy the necessary services and pods.
$ git clone https://github.com/wazuh/wazuh-kubernetes.git
$ cd wazuh-kubernetes
3.1. Wazuh namespace and StorageClass
The Wazuh namespace is used to handle all the Kubernetes elements (services, deployments, pods) necessary for Wazuh. In addition, you must create a StorageClass to use AWS EBS storage in our StatefulSet applications.
$ kubectl apply -f base/wazuh-ns.yaml
$ kubectl apply -f base/aws-gp2-storage-class.yaml
3.2. Deploy Elasticsearch
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-api-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-sts.yaml
3.3. Deploy Kibana and Nginx
In case you need to provide a domain name, update the domainName annotation value in the nginx-svc.yaml file before deploying that service. You should also set a valid AWS ACM certificate ARN in the nginx-svc.yaml for the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation. That certificate should match with the domainName.
$ kubectl apply -f elastic_stack/kibana/kibana-svc.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-svc.yaml
$ kubectl apply -f elastic_stack/kibana/kibana-deploy.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-deploy.yaml
3.4. Deploy Logstash
$ kubectl apply -f elastic_stack/logstash/logstash-svc.yaml
$ kubectl apply -f elastic_stack/logstash/logstash-deploy.yaml
-
Deploy Wazuh
$ kubectl apply -f wazuh_managers/wazuh-master-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-cluster-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-workers-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-0-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-1-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-sts.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-0-sts.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-1-sts.yaml
Verifying the deployment
Namespace
$ kubectl get namespaces | grep wazuh
wazuh     Active    12m
Services
$ kubectl get services -n wazuh
NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                          AGE
elasticsearch         ClusterIP      xxx.yy.zzz.24    <none>             9200/TCP                         12m
kibana                ClusterIP      xxx.yy.zzz.76    <none>             5601/TCP                         11m
logstash              ClusterIP      xxx.yy.zzz.41    <none>             5000/TCP                         10m
wazuh                 LoadBalancer   xxx.yy.zzz.209   internal-a7a8...   1515:32623/TCP,55000:30283/TCP   9m
wazuh-cluster         ClusterIP      None             <none>             1516/TCP                         9m
wazuh-elasticsearch   ClusterIP      None             <none>             9300/TCP                         12m
wazuh-nginx           LoadBalancer   xxx.yy.zzz.223   internal-a3b1...   80:31831/TCP,443:30974/TCP       11m
wazuh-workers         LoadBalancer   xxx.yy.zzz.26    internal-a7f9...   1514:31593/TCP                   9m
Deployments
$ kubectl get deployments -n wazuh
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
wazuh-kibana     1         1         1            1           11m
wazuh-logstash   1         1         1            1           10m
wazuh-nginx      1         1         1            1           11m
Statefulset
$ kubectl get statefulsets -n wazuh
NAME                     DESIRED   CURRENT   AGE
wazuh-elasticsearch      1         1         13m
wazuh-manager-master     1         1         9m
wazuh-manager-worker-0   1         1         9m
wazuh-manager-worker-1   1         1         9m
Pods
$ kubectl get pods -n wazuh
NAME                              READY   STATUS    RESTARTS   AGE
wazuh-elasticsearch-0             1/1     Running   0          15m
wazuh-kibana-f4d9c7944-httsd      1/1     Running   0          14m
wazuh-logstash-777b7cd47b-7cxfq   1/1     Running   0          13m
wazuh-manager-master-0            1/1     Running   0          12m
wazuh-manager-worker-0-0          1/1     Running   0          11m
wazuh-manager-worker-1-0          1/1     Running   0          11m
wazuh-nginx-748fb8494f-xwwhw      1/1     Running   0          14m
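The listings above are a snapshot taken once everything had settled; right after the `kubectl apply` sequence most pods are still being created, and a manager pod that keeps restarting shows up as `CrashLoopBackOff` rather than `Running`. The script below is an added example (not from the original post or the wazuh-kubernetes project): it parses `kubectl get pods -n wazuh` output, names every pod that is not `Running` with all of its containers ready, and polls until the namespace is healthy or a deadline passes. The sample listing embedded in it is constructed from the pod names above with two states changed.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the wazuh-kubernetes project.
# Find pods that are not fully ready and wait for the wazuh namespace to settle.

# Constructed sample of `kubectl get pods -n wazuh` with two unhealthy pods.
SAMPLE_PODS='NAME READY STATUS RESTARTS AGE
wazuh-elasticsearch-0 1/1 Running 0 15m
wazuh-kibana-f4d9c7944-httsd 0/1 ContainerCreating 0 14m
wazuh-logstash-777b7cd47b-7cxfq 1/1 Running 0 13m
wazuh-manager-master-0 1/1 Running 0 12m
wazuh-manager-worker-0-0 1/1 Running 0 11m
wazuh-manager-worker-1-0 0/1 CrashLoopBackOff 3 11m
wazuh-nginx-748fb8494f-xwwhw 1/1 Running 0 14m'

# pods_not_ready < kubectl-get-pods-output -> prints the NAME of each pod whose
# STATUS is not Running or whose READY column is not n/n (header line skipped).
# Every workload here is a Deployment or StatefulSet, so a Completed pod would
# also be reported, which is the desired behaviour for this namespace.
pods_not_ready() {
    while read -r name ready status _restarts _age; do
        case "$name" in ''|NAME) continue ;; esac
        ready_now=${ready%/*}
        ready_want=${ready#*/}
        if [ "$status" != "Running" ] || [ "$ready_now" != "$ready_want" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# pods_not_ready_sample -> runs the check over the constructed sample
pods_not_ready_sample() {
    printf '%s\n' "$SAMPLE_PODS" | pods_not_ready
}

# wait_all_ready NAMESPACE TIMEOUT_SECONDS -> polls kubectl every 5 s; returns 0
# once no pod is pending, 1 (listing the stragglers) when the deadline passes.
wait_all_ready() {
    ns=$1
    deadline=$(( $(date +%s) + $2 ))
    while :; do
        pending=$(kubectl get pods -n "$ns" 2>/dev/null | pods_not_ready)
        [ -z "$pending" ] && return 0
        if [ "$(date +%s)" -ge "$deadline" ]; then
            printf 'pods still not ready in %s:\n%s\n' "$ns" "$pending"
            return 1
        fi
        sleep 5
    done
}

# Usage: ./script --wait [timeout-seconds]   (defaults to 600 s)
if [ "${1:-}" = "--wait" ]; then
    wait_all_ready wazuh "${2:-600}"
fi
```

On the sample, only the Kibana pod (still creating) and `wazuh-manager-worker-1-0` (crash-looping) are reported; in a real rollout a name that stays on the list past the deadline is the one to inspect with `kubectl describe pod` and `kubectl logs`.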
Accessing Kibana
In case you created domain names for the services, you should be able to access Kibana using the proposed domain name: https://wazuh.your-domain.com. Also, you can access using the DNS (Eg: https://internal-xxx-yyy.us-east-1.elb.amazonaws.com):
$ kubectl get services -o wide -n wazuh
NAME          TYPE           CLUSTER-IP       EXTERNAL-IP                                    PORT(S)   AGE   SELECTOR
wazuh-nginx   LoadBalancer   xxx.xx.xxx.xxx   internal-xxx-yyy.us-east-1.elb.amazonaws.com   80:3