
Wazuh, Elasticsearch, and Kibana Kubernetes Deployment

This repository contains Kubernetes manifests for deploying a complete monitoring and security stack consisting of:

  • Wazuh Manager (security monitoring)
  • Wazuh Indexer
  • Elasticsearch (2-node cluster)
  • Kibana (visualization dashboard)

Prerequisites

Before deploying, ensure you have:

  • Kubernetes cluster running on VMware vSphere
  • kubectl installed and configured to access your cluster
  • Sufficient resources in your vSphere environment:
    • At least 6 vCPUs and 8GB RAM available
    • At least 100GB of storage capacity
  • Ingress controller installed in your cluster (e.g., NGINX Ingress)
  • Domain names configured for accessing Kibana and Wazuh API

Deployment Instructions

1. Clone this repository

git clone https://github.com/yourusername/wazuh-elk-k8s.git
cd wazuh-elk-k8s

2. Update configuration files

Before deploying, update the following:

  • In elasticsearch-secret.yaml and wazuh-secret.yaml:
    • Change the default passwords (base64-encode your passwords):

      echo -n "your-secure-password" | base64

  • In ingress.yaml:
    • Update the hostnames to match your domain names
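The base64 step above is only an encoding, so a committed secret manifest still exposes the password in cleartext. The following POSIX shell script is an added example, not part of this repository: it generates a random password, renders a Secret manifest from it, and refuses any manifest that still carries the README's placeholder value. The secret name "elasticsearch-credentials" and the key name "password" are assumptions; align them with the repo's manifests before applying.

```shell
#!/bin/sh
# Added example, not part of this repository. Secret name, key name and the
# "monitoring" namespace are assumptions; align them with the repo's manifests.
set -eu

# base64 is an encoding, not encryption: anyone who can read the manifest can
# recover the password, so never commit the rendered file to git.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# 24 bytes from the kernel CSPRNG, rendered URL-safe without padding.
gen_password() { head -c 24 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'; }

# Render a single-key Opaque Secret: secret_manifest NAMESPACE NAME KEY VALUE
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$2" "$1" "$3" "$(b64 "$4")"
}

# Return 1 when the manifest text still carries the README's placeholder,
# so the default credential never reaches the cluster.
check_no_default() {
  placeholder=$(b64 "your-secure-password")
  if printf '%s' "$1" | grep -qF -- "$placeholder"; then
    return 1
  fi
  return 0
}

# Stand-alone use: render, verify, then pipe into kubectl and keep no copy on disk.
if [ "${1:-}" = "render" ]; then
  manifest=$(secret_manifest monitoring elasticsearch-credentials password "$(gen_password)")
  check_no_default "$manifest" || { echo "refusing: placeholder password" >&2; exit 1; }
  printf '%s\n' "$manifest"   # e.g. ./make-secret.sh render | kubectl apply -f -
fi
```

Run it as `sh make-secret.sh render | kubectl apply -f -` so the rendered manifest never lands in the working tree; the generated password is then only recoverable from the cluster's Secret object.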

3. Create the monitoring namespace

kubectl apply -f namespace.yaml

4. Create the vSphere storage class

kubectl apply -f vsphere-storage-class.yaml

5. Create secrets

kubectl apply -f elasticsearch-secret.yaml
kubectl apply -f wazuh-secret.yaml

6. Deploy Elasticsearch

kubectl apply -f elasticsearch-statefulset.yaml

Wait for the Elasticsearch pods to be in Running state:

kubectl get pods -n monitoring -l app=elasticsearch -w

7. Deploy Wazuh components

First, create the persistent volume claims:

kubectl apply -f wazuh-manager-pvcs.yaml

Then deploy the Wazuh indexer:

kubectl apply -f wazuh-indexer-statefulset.yaml

Wait for the Wazuh indexer pod to be in Running state:

kubectl get pods -n monitoring -l app=wazuh-indexer -w

Finally, deploy the Wazuh manager:

kubectl apply -f wazuh-manager-deployment.yaml

8. Deploy Kibana

kubectl apply -f kibana-deployment.yaml

Wait for the Kibana pod to be in Running state:

kubectl get pods -n monitoring -l app=kibana -w

9. Create the ingress for external access

kubectl apply -f ingress.yaml

Post-Deployment Configuration

Verify all components are running

kubectl get pods -n monitoring

All pods should be in the Running state.

Access Kibana

  1. Navigate to https://kibana.yourdomain.com in your browser
  2. Log in with:
     • Username: elastic
     • Password: (the password you set in elasticsearch-secret.yaml)

Configure Wazuh in Kibana

  1. In Kibana, navigate to the Wazuh app (you may need to install it from the Kibana plugin menu)
  2. Configure the connection to the Wazuh manager:
     • URL: https://wazuh.yourdomain.com
     • Port: 55000
     • Username: wazuh
     • Password: (the password you set in wazuh-secret.yaml)

Add Agents to Wazuh

  1. In the Wazuh app in Kibana, go to "Agents" and click "Deploy new agent"
  2. Follow the instructions to deploy agents on your systems
