Wazuh matta you?

Installing Wazuh, Part II - The Revenge of the Pi

Wazuh matta you?
The long, winding path of learning. Photo by Mark König / Unsplash

Welcome back! When we last met, I installed Ubuntu Server on my Raspberry Pi 3B+. This, of course, came after trying various operating systems in an effort to get Wazuh working. Although I didn't install Wazuh successfully, the Raspberry Pi remains tucked away behind my wireless router and ready to work.

Fair warning, dear reader: as you progress through my story, you may find yourself lost, confused, or hungry. If you hoped for a happy ending, or a blog with lots of technical details, then this is not the story you seek. I've been dealing with a sick kindergartener this past week, and some of my weariness will have seeped through the narrative. So, let's begin.

Back in the Fight

First step, I log into the Raspberry Pi. During my prior endeavor, I used one of my monitors and a spare keyboard to control the Pi as I went back and forth on OS installations. Now that we have Ubuntu running, there's no need for the peripherals; I simply run an ethernet cable from the Raspberry Pi to my home router and SSH to the Pi from my computer. Easy day.

Ah, crap.

Forgot the IP address...

Ok, don't panic. Easy fix.

I have a few options to recall the IP address.

  • Option A: Pull up my router's web interface, find the Raspberry Pi on the network map, open the details section, and copy down the IP address.
  • Option B: Run Nmap to find my wandering Pi.
  • Option C: Press the 'Up' key on a PowerShell console to recall my historical commands since I validated SSH worked last time.

I chose Option A because I forgot everything else in my brief moment of panic. However, I was reminded of a key lesson learned from my last adventure: document everything. Time to pull up Microsoft Word and get to writing.

MacBook Pro near white open book
I hope to one day have an office that serves as a stock photo for other people's idea of an office. Photo by Nick Morrison / Unsplash

Ok. Now that we have some basic info recorded in a Word document, it's time to install Wazuh on this bad boy. First, I attempt to install Wazuh from sources.

$ sudo apt-get update
$ apt-get update
$ apt-get install python gcc g++ make libc6-dev curl policycoreutils automaker 
  autoconf libtool libssl-dev
$ curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
$ cd .. && rm -rf cmake-*
  

Look at this sweet code block, huh? It almost looks like I know what I'm doing.

We got a few errors for cmake, but, fuck it, we're going live. Next, I run the next few commands to continue the installation process.

$ curl -Ls https://github.com/wazuh/wazuh/archive/v4.6.0.tar.gz | tar zx
$ cd wazuh-4.6.0
$ ./install.sh

I'm prompted to choose a language. I select English. So far, so good, but then I get a "Permission denied" message. Looks like we need more SUDO. I try the install script one more time.

Now I'm prompted to select the type of installation (manager, agent, local, or hybrid).

Nope, false alarm. Apparently, it does, in fact, need 'cmake', which did not install correctly. After doing a review of the previous errors, the problem may involve OpenSSL or the lack thereof. Let's try running an install of OpenSSL.

$ git clone git://git.openssl.org/openssl.git
$ sudo apt update
$ sudo apt upgrade

A new kernel version is available, so we must reboot.

I attempt to log in and I'm denied.

I momentarily panic as I try three more times. At this point, I assume it's because the Pi is still booting up. Hopefully...

After five minutes of frantically attempting to SSH, we're in. The latest version of OpenSSL is now installed. Try installing cmake one more God damn time. The best I can tell is the target directory is not where the program thinks it is, so I modify the config file to direct it straight to OpenSSL. I run the installation script again, and we begin making some progress.

But the installation still stops short.

Plan B - Find Someone Smarter than Me

I am not the first person to attempt to install Wazuh on a Raspberry Pi. So, my next logical step is to find someone else who has done it already and compare notes. Fortunately, Jacob Riggs put together a great guide for installing Wazuh on the Pi.

The first step, install Java. Nowhere in the Wazuh documentation did it mention Java, but ok. I trust you, Jacob.

$ apt install openjdk-11-jdk -y

The latest version of Java is already installed. Good start thus far. Next, we need Elasticsearch OSS.

$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss- 7.10.2-arm64.deb
$ dpkg -i elasticsearch-oss-7.10.2-arm64.deb
$ wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add –

New error: no valid OpenPGP data found. Hmm. This isn't looking good, my friends. We press on.

$ echo "deb https://d3g5vo6xdbdb9a.cloudfront.net/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opendistroforelasticsearch.list
$ apt-get update -y

Nothing. Perhaps the instructions are outdated? Now I begin searching for elasticsearch documentation.

I verify that my system has the right dependencies (Java 11 and unzip). I skip ahead to the signing keys. The issue might be because I'm attempting to download from an unsigned repository. Should I force Linux to download what I need from an untrusted source? It's almost midnight, and I'm running on fumes, so you bet your ass I'm doing it. Now it's time to edit sources for apt. I'll replace a line in opendistroforelasticsearch.list with the following:

deb [trusted=yes] https://d3g5vo6xdbdb9a.cloudfront.net/apt stable main

Ok, let's try this again, aaaaaaaand it's archived.

Fuck... my... life....

I seem to have missed the memo that OpenSearch replaced elasticsearch. Moving on to the OpenSearch documentation. At least this install is much simpler. I run the below commands to install the required packages, import the public GPG key, and create an APT repository. From there, I run another update and verify the available versions.

$ sudo apt-get update && sudo apt-get -y install lsb-release ca-certificates curl gnupg2
$ curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
$ echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
$ sudo apt-get update
$ sudo apt list -a opensearch

I can see multiple versions displayed on the screen. So far, good. No need to choose a specific version; I’m going with the latest build (stable 2.11.0 arm64). Next, I run through the below commands to install, enable, and then start OpenSearch.

$ sudo apt-get install opensearch
$ sudo systemctl enable opensearch
$ sudo systemctl start opensearch

At this point, I've got to be making some kind of progress, right?

Of course not.

Nov 27 05:27:21 ubuntu systemd-entrypoint[51166]: Exception in thread "main" java.lang.RuntimeException: starting java failed with [1]
Nov 27 05:27:21 ubuntu systemd-entrypoint[51166]: output:
Nov 27 05:27:21 ubuntu systemd-entrypoint[51166]: #
Nov 27 05:27:21 ubuntu systemd-entrypoint[51166]: # There is insufficient memory for the Java Runtime Environment to continue.
Nov 27 05:27:21 ubuntu systemd-entrypoint[51166]: # Native memory allocation (mmap) failed to map 1073741824 bytes for committing reserved memory.

Here is the output when I attempted to start OpenSearch.

Insufficient memory. Some of the more technically savvy readers probably caught my error early on, but I definitely burned through several hours before I hit the dead end. Once again, I forgot that I was dealing with an aged piece of hardware that I had not cracked open in several years. The Raspberry Pi model I'm using only has 1 GB of onboard RAM. Technically, it's enough memory to run the OS but not nearly enough for OpenSearch, let alone the Wazuh manager.

Alas, my endeavor was doomed from the beginning. Fret not, dear reader, for I shall return once more to the task of running Wazuh. However, I'll just stick to spinning up a virtual machine next time.

blue whale in body of water
My quarry escaped me this time, but I will have my vengeance. Photo by Iswanto Arif / Unsplash

Lessons Learned

  1. Document, document, document. On the plus side, I recorded every command I used as I went through this process. Unfortunately, I did not record my shenanigans; I should have saved more screenshots as I progressed to help illustrate my experience. In the heat of the moment, I believed I had enough to work with later, but as I began writing, it became apparent that I needed visuals for the outputs. Not only does this help you, the reader, understand my position better, but it also allows others to spot errors in my troubleshooting methodology.
  2. Review hardware and software dependencies. I knew coming into this project that the Pi is a long shot. It's great for small projects, but anything that requires serious computing power requires better specs (or several Pis running together, but I have only one). Fortunately, my laptop specs allow me to run multiple VM's, so all is not lost.