Cyber Security: Ubuntu 26.04: Wazuh Install

From OnnoWiki

Prompt:

 install Wazuh all-in-one Docker on Ubuntu 26.04.
 make sure alerts.json and archives.json are easy to access
 and that Wazuh agents can easily report / connect

Here is the most convenient way to run Wazuh all-in-one / single-node in Docker on Ubuntu 26.04, with direct host access to:

/opt/wazuh-data/logs/alerts/alerts.json
/opt/wazuh-data/logs/archives/archives.json

The official Docker Engine packages already support Ubuntu 26.04 LTS, and the official Wazuh Docker single-node deployment runs the Wazuh manager, indexer, and dashboard in separate containers. A Wazuh single-node deployment needs roughly 4 CPU cores, 8 GB RAM, and 50 GB of storage. ([Docker Documentation][1])

1. Install Docker on Ubuntu 26.04

sudo apt update
sudo apt -y install ca-certificates curl gnupg git jq netcat-openbsd

sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

sudo tee /etc/apt/sources.list.d/docker.sources <<EOF
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")
Components: stable
Architectures: $(dpkg --print-architecture)
Signed-By: /etc/apt/keyrings/docker.asc
EOF

sudo apt update
sudo apt -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker

docker --version
docker compose version

Docker also warns that published container ports can bypass `ufw` rules, so do not expose Wazuh directly to the Internet; keep it on a LAN/lab network only. ([Docker Documentation][1])

2. Set the kernel parameter for the Wazuh indexer

Wazuh requires `vm.max_map_count=262144`; without it the Wazuh indexer can fail to start. ([Wazuh][2])

echo 'vm.max_map_count=262144' | sudo tee /etc/sysctl.d/99-wazuh.conf
sudo sysctl --system

3. Clone the stable Wazuh Docker repository

I recommend the Wazuh 4.14.5 stable tag rather than the `main` branch or a beta. The current Wazuh documentation also uses `v4.14.5` for the Docker deployment. ([Wazuh][2])

cd /opt
sudo git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.5
sudo chown -R $USER:$USER /opt/wazuh-docker
cd /opt/wazuh-docker/single-node

4. Create host folders for the Wazuh logs

sudo mkdir -p /opt/wazuh-data/logs
sudo chown -R 1000:1000 /opt/wazuh-data
sudo chmod -R 750 /opt/wazuh-data

Now change the Wazuh manager volume so that `/var/ossec/logs` inside the container appears directly on the host:

cp docker-compose.yml docker-compose.yml.bak
sed -i 's=- wazuh_logs:/var/ossec/logs=- /opt/wazuh-data/logs:/var/ossec/logs=' docker-compose.yml

Check the result:

grep -n "/var/ossec/logs" docker-compose.yml

You should see something like:

- /opt/wazuh-data/logs:/var/ossec/logs

5. Enable `archives.json`

By default the Wazuh archive is disabled because it can consume a lot of storage. To produce `archives.json`, enable `logall_json`. Wazuh documents that `archives.json` is written to `/var/ossec/logs/archives/` when JSON archiving is enabled. ([Wazuh][3])

Edit the manager config:

nano config/wazuh_cluster/wazuh_manager.conf

Make sure the `<global>` section looks like this:

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>yes</logall_json>
</global>

For an ML/SOC lab I recommend:

<logall>no</logall>
<logall_json>yes</logall_json>

This means only the JSON archive is enabled, not the plain syslog text archive. That is more convenient for Python, SIEM, ML, and parsing.
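As an added example (not from the Wazuh project or this page), a small Python check that reads `wazuh_manager.conf` and confirms the `<global>` settings above. The embedded sample config is constructed and the `parse_global` / `archive_problems` names are my own; the check also handles the fact that Wazuh config files contain several `<ossec_config>` blocks, which a plain XML parser rejects as having no single root.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the single-node wazuh_manager.conf.
# Wazuh config files hold several <ossec_config> blocks, so the
# file has no single root and cannot be parsed as plain XML as-is.
SAMPLE_CONF = """<!-- Wazuh - Manager - constructed sample -->
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
"""

# Values the lab setup above needs: alerts.json and archives.json
# on, the plain-text syslog archive off.
EXPECTED = {
    "jsonout_output": "yes",
    "alerts_log": "yes",
    "logall": "no",
    "logall_json": "yes",
}


def parse_global(conf_text):
    """Return {setting: value} from every <global> block; later blocks win."""
    # Wrap in a synthetic root so ElementTree accepts the multi-root file.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = {}
    for block in root.iter("global"):
        for child in block:
            if child.tag in EXPECTED:
                found[child.tag] = (child.text or "").strip().lower()
    return found


def archive_problems(conf_text):
    """List settings that differ from EXPECTED; empty means archives.json will be written."""
    found = parse_global(conf_text)
    return [f"{k}: expected {v}, found {found.get(k, '(missing)')}"
            for k, v in EXPECTED.items() if found.get(k) != v]
```

Run it against the real file with `archive_problems(open('/opt/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf').read())`; an empty list means the manager will write both JSON files.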

6. Generate the Wazuh certificates

Wazuh Docker needs certificates for communication between its components. The official command uses `generate-indexer-certs.yml`. ([Wazuh][2])

docker compose -f generate-indexer-certs.yml run --rm generator

7. Start Wazuh all-in-one / single-node

docker compose pull
docker compose up -d

Check the status:

docker compose ps

Look at the logs if the dashboard is not ready yet:

docker compose logs -f wazuh.indexer
docker compose logs -f wazuh.manager
docker compose logs -f wazuh.dashboard

Access the dashboard:

https://IP_SERVER_WAZUH/

The default login is usually:

username: admin
password: SecretPassword

For production the default password must be changed; Wazuh also recommends changing the default passwords in Docker environments. ([Wazuh][4])

8. Make sure the agent ports are open

Wazuh single-node Docker exposes the following main ports: `1514`, `1515`, `514/udp`, `55000`, `9200`, and `443`. For agents the most important are 1514/TCP for agent communication, 1515/TCP for enrollment, and 55000/TCP for the API (enrollment/troubleshooting). ([Wazuh][2])

If you use UFW:

sudo ufw allow 443/tcp
sudo ufw allow 1514/tcp
sudo ufw allow 1515/tcp
sudo ufw allow 55000/tcp
sudo ufw allow 514/udp
sudo ufw reload
sudo ufw status

Test from the agent machine:

nc -zv IP_SERVER_WAZUH 1514 1515 55000

9. Check the `alerts.json` and `archives.json` files

Once Wazuh is up:

sudo ls -lah /opt/wazuh-data/logs
sudo ls -lah /opt/wazuh-data/logs/alerts
sudo ls -lah /opt/wazuh-data/logs/archives

Tail the alerts:

sudo tail -f /opt/wazuh-data/logs/alerts/alerts.json

Tail the archive:

sudo tail -f /opt/wazuh-data/logs/archives/archives.json

If `archives.json` does not exist yet, generate some events from an agent first, then restart the manager:

docker compose restart wazuh.manager

10. Install the Linux Wazuh agent so it connects to the Docker Wazuh

On the Linux agent machine:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

sudo apt update
sudo WAZUH_MANAGER="IP_SERVER_WAZUH" WAZUH_AGENT_NAME="$(hostname)" apt install -y wazuh-agent

sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
sudo systemctl status wazuh-agent

The Linux Wazuh agent can indeed be deployed with variables such as `WAZUH_MANAGER`, and the agent service must be enabled/started via systemd. ([Wazuh][5])

Check the agent log:

sudo tail -f /var/ossec/logs/ossec.log

Check from the Wazuh manager container:

cd /opt/wazuh-docker/single-node
docker compose exec wazuh.manager /var/ossec/bin/agent_control -l


Summary of important locations

Dashboard:

https://IP_SERVER_WAZUH/

Compose:

/opt/wazuh-docker/single-node/docker-compose.yml

Wazuh manager config:

/opt/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf

Alert JSON on the host:

/opt/wazuh-data/logs/alerts/alerts.json

Archive JSON on the host:

/opt/wazuh-data/logs/archives/archives.json

Agent ports:

1514/tcp  = agents send events
1515/tcp  = enrollment
55000/tcp = Wazuh API


This is the most convenient setup for a SOC/ML lab because `alerts.json` and `archives.json` can be read directly from the host with Python, without `docker cp` or entering the container.
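As an added example that is not part of the original page, a Python reader for `alerts.json` on the host: it parses the newline-delimited JSON the manager writes, drops a partially written last line (the usual race when following a live file), and keeps alerts at or above a level threshold. The sample lines and the function names are my own.

```python
import json
import time

# Constructed sample lines in the newline-delimited JSON shape the Wazuh manager writes to alerts.json.
SAMPLE_LINES = [
    '{"timestamp":"2026-05-01T10:00:01.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"lab-agent-01"},"location":"/var/log/auth.log"}',
    '{"timestamp":"2026-05-01T10:00:05.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system."},"agent":{"id":"001","name":"lab-agent-01"},"location":"/var/log/auth.log"}',
    # truncated on purpose: the manager has not finished writing this line yet
    '{"timestamp":"2026-05-01T10:00:09.000+0000","rule":{"level":7,"id":"2502"},"agent":{"id":"002","name":"lab-agent-02"}',
]


def parse_alert(line):
    """Flatten one alerts.json line, or return None if it is not a complete alert object."""
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        return None  # partial line from an in-progress write, or garbage
    if not isinstance(alert, dict):
        return None
    rule = alert.get("rule", {})
    return {
        "timestamp": alert.get("timestamp"),
        "level": int(rule.get("level", 0)),
        "rule_id": rule.get("id"),
        "description": rule.get("description"),
        "agent": alert.get("agent", {}).get("name"),
    }


def filter_alerts(lines, min_level):
    """Keep parsed alerts whose rule level is at least min_level; unparsable lines are skipped."""
    return [a for a in map(parse_alert, lines) if a is not None and a["level"] >= min_level]


def follow(path, min_level=7, poll=0.5):
    """'tail -f' for alerts.json: yield alerts at or above min_level as they are written."""
    with open(path, "r", encoding="utf-8") as fh:
        fh.seek(0, 2)  # start at the end of the file, like tail -f
        buf = ""
        while True:
            chunk = fh.readline()
            if not chunk:
                time.sleep(poll)
                continue
            buf += chunk
            if not buf.endswith("\n"):
                continue  # line still being written; wait for the rest
            for alert in filter_alerts([buf], min_level):
                yield alert
            buf = ""
```

`follow('/opt/wazuh-data/logs/alerts/alerts.json')` does what `sudo tail -f` does on the host path above but yields parsed alerts; `archives.json` is also newline-delimited JSON and can be fed through the same functions.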

[1]: https://docs.docker.com/engine/install/ubuntu/ "Install Docker Engine on Ubuntu | Docker Docs"
[2]: https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html "Wazuh Docker deployment - Deployment on Docker · Wazuh documentation"
[3]: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html "Event logging - Wazuh server · Wazuh documentation"
[4]: https://documentation.wazuh.com/current/deployment-options/docker/changing-default-password.html "Changing the default password of Wazuh users - Deployment on Docker"
[5]: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html "Deploying Wazuh agents on Linux endpoints"