Beginnings of a SOC SIEM Stack
Install Wazuh Indexer
Ubuntu 24.04
sudo apt update && sudo apt upgrade -y
sudo reboot now (only if the upgrade asks for a restart; on Ubuntu /var/run/reboot-required exists when it does)
curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
sudo nano config.yml
Under nodes, set the name and IP of each host the components will be installed on (indexer, dashboard and the server entry)
Point the server entry at the Graylog server (name and IP) rather than a Wazuh server: the Wazuh manager and Filebeat, which would normally ship events to the indexer, are not used in this stack
sudo bash wazuh-install.sh -i --generate-config-files   (-i is --ignore-check: skips the OS version check, needed because 24.04 is not on the script's supported list)
sudo tar -xvf ./wazuh-install-files.tar -C ./
sudo bash wazuh-install.sh -i --wazuh-indexer security
security here is the indexer node name from config.yml; use whatever name you gave it there
sudo nano /etc/wazuh-indexer/opensearch.yml
Add bootstrap.memory_lock: true (keeps the JVM heap from being swapped out)
sudo nano /usr/lib/systemd/system/wazuh-indexer.service
Add
LimitMEMLOCK=infinity
to the [Service] section, otherwise the service is not allowed to lock the heap and the memory lock bootstrap check fails. The unit under /usr/lib is overwritten on package upgrade; a drop-in in /etc/systemd/system/wazuh-indexer.service.d/ carrying the same [Service] line survives upgrades. Run sudo systemctl daemon-reload after either change.
sudo nano /etc/wazuh-indexer/jvm.options
-Xms is the initial heap size and -Xmx the maximum; set both to the same value so the heap is not resized at runtime, and keep it to at most 50% of RAM (the rest is left for the OS page cache the indexer depends on). For an 8 GB host that is:
-Xms4g
-Xmx4g
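The three indexer tweaks above (heap, memory_lock, memlock limit) as one idempotent script. This is an added example, not part of the original notes or of Wazuh's tooling; the paths are the ones from the notes, the script name tune-indexer.sh is an assumption, and the 31g heap ceiling is an assumption based on the usual JVM compressed-oops limit. Functions take file paths as arguments so they can be tried on temporary copies before touching the real files.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the indexer tuning
# (heap size, memory lock, memlock limit) idempotently. Paths are the real
# ones from the notes; functions take paths so they can be dry-run on copies.
set -eu

# Heap in GiB for a host with total_kb kB of RAM: half of RAM, floored at 1g.
# The 31g cap is an assumption based on the usual JVM compressed-oops limit.
heap_gb() {
  total_kb=$1
  gb=$(( total_kb / 1024 / 1024 / 2 ))
  if [ "$gb" -lt 1 ]; then gb=1; fi
  if [ "$gb" -gt 31 ]; then gb=31; fi
  echo "$gb"
}

# Rewrite -Xms/-Xmx in a jvm.options file so both carry the same value.
set_heap() {
  file=$1; gb=$2
  sed -i -E "s/^-Xms[0-9]+[gGmM]$/-Xms${gb}g/; s/^-Xmx[0-9]+[gGmM]$/-Xmx${gb}g/" "$file"
}

# Ensure opensearch.yml has exactly one bootstrap.memory_lock: true line.
enable_memory_lock() {
  file=$1
  if grep -qE '^bootstrap\.memory_lock:' "$file"; then
    sed -i -E 's/^bootstrap\.memory_lock:.*/bootstrap.memory_lock: true/' "$file"
  else
    printf '\nbootstrap.memory_lock: true\n' >> "$file"
  fi
}

# Raise the memlock limit through a systemd drop-in instead of editing the
# packaged unit under /usr/lib, which a package upgrade would overwrite.
write_memlock_dropin() {
  dir=$1
  mkdir -p "$dir"
  printf '[Service]\nLimitMEMLOCK=infinity\n' > "$dir/memlock.conf"
}

# Run as: sudo sh tune-indexer.sh apply   (script name is an assumption)
if [ "${1:-}" = "apply" ]; then
  gb=$(heap_gb "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)")
  set_heap /etc/wazuh-indexer/jvm.options "$gb"
  enable_memory_lock /etc/wazuh-indexer/opensearch.yml
  write_memlock_dropin /etc/systemd/system/wazuh-indexer.service.d
  systemctl daemon-reload
  echo "heap ${gb}g, memory_lock on; restart wazuh-indexer to apply"
fi
```

The drop-in is the durable form of the LimitMEMLOCK step; the notes edit the packaged unit directly, which works until the next wazuh-indexer package upgrade replaces it.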
sudo bash wazuh-install.sh -i --start-cluster
Testing the cluster installation
Get admin password
sudo tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "'admin'" -A 1
Test Connection
curl -k -u admin:'password from above' https://nodeip:9200
Expect a JSON reply with the cluster name and OpenSearch version. -k skips certificate verification, which is acceptable for a smoke test of a fresh install; for a real check trust the CA from /etc/wazuh-indexer/certs/root-ca.pem instead of passing -k.
Install Wazuh-dashboard
sudo apt install -y debhelper tar curl libcap2-bin
sudo bash wazuh-install.sh -i --wazuh-dashboard security
security here is the dashboard node name from config.yml; use whatever name you gave it there
Note the username and password down
User:
Password:
Install Graylog
First install MongoDB 7.0 (Graylog keeps its configuration and metadata in it)
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org
sudo systemctl daemon-reload
sudo systemctl enable mongod
sudo systemctl restart mongod
Check mongo is running
sudo systemctl --type=service --state=active | grep mongod
Install Graylog
sudo apt install apt-transport-https openjdk-17-jre-headless uuid-runtime pwgen dirmngr gnupg wget
wget https://packages.graylog2.org/repo/packages/graylog-6.0-repository_latest.deb
sudo dpkg -i graylog-6.0-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server
Build a Java truststore for Graylog that trusts the Wazuh indexer root CA (copy the JVM default cacerts and import root-ca.pem into it)
sudo mkdir /etc/graylog/server/certs
sudo cp -a /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts /etc/graylog/server/certs/cacerts
sudo cp /etc/wazuh-indexer/certs/root-ca.pem /etc/graylog/server/certs/root-ca.pem
sudo keytool -importcert -keystore /etc/graylog/server/certs/cacerts -storepass changeit -alias root_ca -file /etc/graylog/server/certs/root-ca.pem
Change the truststore password away from the well-known default changeit
export KEYSTORE_PASS=$(openssl rand -base64 16)
echo "Generated keystore password: $KEYSTORE_PASS"
Update the password for the cacerts keystore (pwgen is not needed for this; it was already installed with the Graylog dependencies)
sudo keytool -storepasswd -new "$KEYSTORE_PASS" -keystore /etc/graylog/server/certs/cacerts -storepass changeit
Keep this value: it has to go into the Graylog JVM options below, and changeit will no longer open the store.
sudo nano /etc/default/graylog-server
comment out this line
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
and add this line below, with the generated keystore password in place of changeit (the KEYSTORE_PASS shell variable does not exist when the service starts, so the literal value must go in; leaving changeit here after changing the store password means Graylog cannot open the truststore)
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true -Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacerts -Djavax.net.ssl.trustStorePassword=<generated keystore password>"
The file now holds a secret, so make sure it is readable only by root and the graylog service user.
sudo nano /etc/graylog/server/server.conf
Set password_secret and root_password_sha2
password_secret (peppers stored passwords; must be at least 16 characters)
Randomly generate one: pwgen -N 1 -s 96
root_password_sha2 (SHA-256 of the admin login password)
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
elasticsearch_hosts
https://user:pass@wazuh-indexerhostname:9200
Create the user Graylog will connect as in the Wazuh dashboard under Security > Internal users: name it graylog, give it a strong password and set the backend role to admin (more than Graylog strictly needs; a dedicated role limited to Graylog's own indices is the least-privilege option, but admin is what this build uses)
Replace user:pass with those credentials (percent-encode any special characters in the password, e.g. @ becomes %40) and wazuh-indexerhostname with the indexer node IP as set in config.yml, so it matches the certificate the indexer presents
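The server.conf edits above as a script, so the three values are set without hand-editing and the indexer URL is built with the Graylog user's password percent-encoded (a raw @, / or : in the password breaks the user:pass@host form). This is an added example, not part of the original notes or of Graylog itself; the script name graylog-conf.sh, the positional arguments and the sample values in the comments are assumptions, and urlencode assumes an ASCII password.

```shell
#!/bin/sh
# Added example, not from the original notes: fill password_secret,
# root_password_sha2 and elasticsearch_hosts in server.conf, with the
# Graylog user's password percent-encoded inside the indexer URL.
set -eu

# Percent-encode everything outside the URL unreserved set. Assumes an ASCII
# password: printf "'c" yields a code point, not UTF-8 bytes, for other text.
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}        # first character
    s=${s#?}               # remainder
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# https://user:encoded-pass@host:9200 for the indexer (port fixed at 9200).
indexer_url() {
  user=$1; pass=$2; host=$3
  printf 'https://%s:%s@%s:9200' "$(urlencode "$user")" "$(urlencode "$pass")" "$host"
}

# Same hash as the echo/sha256sum one-liner in the notes (no trailing newline).
sha256_password() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a Graylog-style conf file: replaces an existing line
# (commented out or not) or appends when the key is absent. Values containing
# |, & or \ would need escaping for sed; the values used here never do.
set_conf() {
  file=$1; key=$2; value=$3
  if grep -qE "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# Usage (names are assumptions):
#   sudo sh graylog-conf.sh apply <indexer-ip> <graylog-user-pass> <admin-pass>
if [ "${1:-}" = "apply" ]; then
  conf=/etc/graylog/server/server.conf
  set_conf "$conf" password_secret "$(pwgen -N 1 -s 96)"
  set_conf "$conf" root_password_sha2 "$(sha256_password "$4")"
  set_conf "$conf" elasticsearch_hosts "$(indexer_url graylog "$3" "$2")"
  echo "server.conf updated; restart graylog-server"
fi
```

Passing passwords as command-line arguments exposes them in the process list for the moment the script runs; for a one-off build on a single-user host that is usually acceptable, otherwise read them from stdin the way the sha256sum one-liner above does.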
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
Browse to http://nodeip:9000
Log in as admin (root_username, default admin) with the password you hashed into root_password_sha2