部署wazuh实现对多台 Ubuntu 主机进行集中监控
对多台 Ubuntu 主机(例如 Ubuntu 18.04)进行集中监控,同时实现 **主机入侵检测(HIDS)** 和 **行为监控**,以下是一个轻量级、实用的集中监控方案,适用于中小型企业:
### ✅ 方案目标
* 实现主机入侵检测(Host-based IDS)
* 实现进程、登录、系统变更等行为监控
* 支持集中化日志采集与统一展示
* 成本低、依赖少,易于部署和维护
## 🧩 架构组件
| 角色 | 工具 | 说明 |
| ------------------- | ------------------------------------------------- | ---------------------------- |
| Agent(每台 Ubuntu 主机) | [Wazuh Agent](https://documentation.wazuh.com) | 实时监控主机安全事件(文件完整性、登录、root提权等) |
| 集中服务器 | Wazuh Manager + Filebeat + Elasticsearch + Kibana | 管理所有 Agent 数据,并提供可视化界面 |
| 日志转发 | Filebeat | 将日志高效传输至 Elasticsearch |
| 可选轻量级替代 | [OSSEC](https://www.ossec.net/) + Graylog | 更轻的方案,但功能相对简单 |
---
## 🛠️ 部署简要步骤
### 1. 安装 Wazuh Server(集中监控端)
部署在一台专用 Ubuntu 主机(建议 ≥4C/8G)
cp /etc/apt/sources.list /etc/apt/sources.list.bak
cat > /etc/apt/sources.list << EOF
deb https://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
EOF
apt update && apt upgrade -y
linux系统通过代理上网
vi ~/.bashrc
在文件末尾添加以下内容
cat >> ~/.bashrc << EOF
export http_proxy="http://192.168.8.5:1080"
export https_proxy="http://192.168.8.5:1080"
export ftp_proxy="http://192.168.8.5:1080"
export no_proxy="localhost,127.0.0.1,::1"
EOF
保存关闭
source ~/.bashrc
sudo vi /etc/apt/apt.conf.d/95proxies
添加以下内容:
Acquire::http::Proxy "http://192.168.8.5:1080";
Acquire::https::Proxy "http://192.168.8.5:1080";
Acquire::ftp::Proxy "http://192.168.8.5:1080";
在系统级别配置代理,以便所有应用程序都使用代理服务器
sudo vi /etc/environment
http_proxy="http://192.168.8.5:1080"
https_proxy="http://192.168.8.5:1080"
ftp_proxy="http://192.168.8.5:1080"
no_proxy="localhost,127.0.0.1,::1"
保存关闭
sudo reboot
http_proxy="http://10.2.2.24:1080"
https_proxy="http://10.2.2.24:1080"
ftp_proxy="http://10.2.2.24:1080"
no_proxy="localhost,127.0.0.1,::1"
如果你还需要Docker通过代理上网,可以通过以下步骤配置Docker代理。
创建Docker的systemd目录(如果不存在):
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf
添加以下内容:
[Service]
Environment="HTTP_PROXY=http://192.168.8.5:1080"
Environment="HTTPS_PROXY=http://192.168.8.5:1080"
Environment="NO_PROXY=localhost,127.0.0.1,::1"
保存关闭
sudo systemctl daemon-reload
sudo systemctl restart docker
curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
在 Wazuh 4.x(包括你安装的 4.12.0)中,`admin` 是一个系统保留账户,不允许通过 Web 界面或 API 直接重设密码。
## ✅ 正确的解决方法:
### 🛠 方法一:在命令行重置 `admin` 密码
你可以在 **Wazuh Dashboard 所在的主机上**运行以下命令来重置密码:
这将:
* 生成一个新密码
* 输出密码(请记得保存)
### 🛠 方法二:手动设置密码(推荐)
例如:
执行后会看到提示密码修改成功。
## ✅ 修改后重启 Wazuh Dashboard(可选)
如果你登录仍有问题,可重启 Dashboard 服务:
systemctl restart wazuh-dashboard
安装agent
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
WAZUH_MANAGER="192.168.30.49" apt-get install wazuh-agent
ubuntu安装客户端
service wazuh-agent start
service wazuh-agent status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...