First, follow the instructions in this post to build a firewall host.

In AWS EC2, launch the CentOS 7 wazuh instance.

Attach one interface, eth0, to the wazuh instance.

Subnet Interface Address
DMZ eth0 10.20.1.15

The wazuh instance will use 10.20.0.1 for its default gateway.

From the firewall instance, you should be able to log in to the wazuh instance using your ssh key.

# run from the firewall instance; key.pem is your ssh private key for the instance
ssh -i key.pem centos@10.20.1.15

Install some utilities

# net-tools provides ifconfig/netstat
yum install net-tools

# mlocate: run the daily updatedb job once now so `locate` works immediately
yum install mlocate
sh /etc/cron.daily/mlocate

# diagnostic utilities: nc (nmap-ncat), dig/host (bind-utils), tcpdump, lsof, sysstat
yum install dos2unix
yum install sysstat
yum install lsof
yum install tcpdump
yum install nmap-ncat
yum install bind-utils
yum install tree

Modify the following files

vi /etc/dhclient.conf
------------------------------ cut here ------------------------------
supersede host-name "wazuh-host.domain";
supersede domain-name "domain";
# NOTE(review): the text above names 10.20.0.1 as the default gateway - confirm which address is intended
supersede routers 10.20.1.1;
------------------------------ cut here ------------------------------

vi /etc/hostname
------------------------------ cut here ------------------------------
wazuh-host
------------------------------ cut here ------------------------------

vi /etc/hosts
------------------------------ cut here ------------------------------
::1         localhost localhost.domain
127.0.0.1   localhost localhost.domain
10.20.1.10  firewall-host.domain firewall-host
# NOTE(review): eth0 was assigned 10.20.1.15 above - confirm this entry matches
10.20.0.15  wazuh-host.domain wazuh-host
------------------------------ cut here ------------------------------

vi /etc/sysconfig/network
------------------------------ cut here ------------------------------
NETWORKING=yes
NETWORKING_IPV6=no
NOZEROCONF=yes
------------------------------ cut here ------------------------------

vi /etc/cloud/cloud.cfg
------------------------------ cut here ------------------------------
preserve_hostname: true
------------------------------ cut here ------------------------------

vi /etc/sysconfig/network-scripts/ifcfg-eth0
------------------------------ cut here ------------------------------
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
USERCTL="yes"
PEERDNS="yes"
IPV6INIT="no"
PERSISTENT_DHCLIENT="1"
------------------------------ cut here ------------------------------

vi /etc/resolv.conf
------------------------------ cut here ------------------------------
search domain
nameserver 10.20.0.2
------------------------------ cut here ------------------------------

vi /etc/sysctl.conf
------------------------------ cut here ------------------------------
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.secure_redirects=0
vm.swappiness=10
vm.vfs_cache_pressure=50
------------------------------ cut here ------------------------------

Add a swap file

# 1 GiB swap file (1024 x 1 MiB); restrict it to root before mkswap so its
# contents are never readable by other users. The /etc/fstab entry below
# makes it persistent across reboots.
dd if=/dev/zero of=/swapfile count=1024 bs=1MiB
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

# confirm the new swap is active (expected output below)
free -h
------------------------------ cut here ------------------------------
              total        used        free      shared  buff/cache   available
Mem:           991M         74M         67M         12M        848M        738M
Swap:          1.0G          0B        1.0G
------------------------------ cut here ------------------------------

vi /etc/fstab
------------------------------ cut here ------------------------------
/swapfile none swap sw 0 0
------------------------------ cut here ------------------------------

Install development tools and other utilities

# compiler toolchain for the source builds that follow
yum groupinstall 'Development Tools'
yum install wget

# rpl: search-and-replace across files, built from source.
# NOTE(review): plain-http download with no checksum or signature check;
# verify the archive against a trusted hash before building and installing
# it as root.
mkdir /root/src
cd /root/src
wget http://downloads.laffeycomputer.com/current_builds/rpl-1.4.1.tar.gz
tar zxf rpl-1.4.1.tar.gz
cd rpl-1.4.1
./configure
make
make install

# xtail: follow several log files at once, built from source.
# NOTE(review): same as above - unverified plain-http download installed as root;
# check the archive against a trusted hash first.
cd /root/src
wget http://utenti.gufi.org/~gmarco/files/distfiles/xtail-2.1.tar.gz
tar zxf xtail-2.1.tar.gz
cd xtail-2.1
./configure
make
make install

Adjust sshd

vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
# probe an idle client every 900 s so dead sessions are eventually dropped
ClientAliveInterval 900
IgnoreRhosts yes
# 30 s to finish authenticating, at most 3 attempts per connection
LoginGraceTime 30
MaxAuthTries 3
# NOTE(review): logins in this guide use the ssh key; once key access is
# confirmed, "no" here removes password guessing as an attack surface
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
------------------------------ cut here ------------------------------

# apply the sshd_config changes; keep this session open and test a fresh login
# before closing it, so a mistake in the config cannot lock you out
service sshd restart

Adjust syslog

vi /etc/rsyslog.conf
------------------------------ cut here ------------------------------
*.*                                                /var/log/all.log
------------------------------ cut here ------------------------------

# pre-create the catch-all log root-only before rsyslog starts writing to it
touch /var/log/all.log
chmod 600 /var/log/all.log

systemctl restart rsyslog.service

vi /etc/logrotate.d/syslog
------------------------------ cut here ------------------------------
/var/log/all.log
------------------------------ cut here ------------------------------

Enable NTP

# accurate time matters here: alert and log timestamps are only comparable
# across hosts when the clocks agree
yum install ntp

systemctl is-enabled ntpd.service
systemctl enable ntpd.service
systemctl restart ntpd.service

Make SELinux permissive (policy violations are logged but no longer blocked)

vi /etc/sysconfig/selinux
------------------------------ cut here ------------------------------
SELINUX=permissive
------------------------------ cut here ------------------------------

# reset file contexts under /etc after the SELinux mode change
restorecon -RFv /etc

Update CentOS

# bring the base system up to date before adding third-party repositories
yum update

Install Wazuh manager

# Wazuh package repository. <<\EOF quotes the delimiter so $releasever and
# $basearch are written literally for yum to expand. gpgcheck=1 plus gpgkey
# means packages must carry the Wazuh signature before yum installs them.
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CentOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1
EOF

yum install wazuh-manager

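# NodeSource setup script (Node.js is a wazuh-api dependency). Save it to a
# file and read it before running it as root: the original piped the remote
# script straight into bash, which executes whatever the server returns,
# error page included, with no chance to review it. -f makes curl fail on an
# HTTP error instead of saving the error body.
curl -fsSL -o nodesource_setup_6.x.sh https://rpm.nodesource.com/setup_6.x
less nodesource_setup_6.x.sh
bash nodesource_setup_6.x.sh
rm -f nodesource_setup_6.x.sh

yum install nodejs
yum install wazuh-api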

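# Oracle JRE 8u144; the cookie header accepts the OTN licence. The URL is plain
# http and nothing here verifies the download, so compare the file against the
# checksum published with the release before installing it. -f: fail on an
# HTTP error instead of saving the error page as the .rpm.
curl -fLo jre-8-linux-x64.rpm --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u144-b01/090f390dda5b47b9b721c7dfaa008135/jre-8u144-linux-x64.rpm"

# rpm -qlp only checks that the file parses as a package; it says nothing about
# integrity or origin. Written as if/else: the original `a && b || c` form runs
# c whenever b fails, not only when a fails.
if rpm -qlp jre-8-linux-x64.rpm > /dev/null 2>&1; then
  echo "Java package downloaded successfully"
else
  echo "Java package did not download successfully"
fi

yum install jre-8-linux-x64.rpm
rm jre-8-linux-x64.rpm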

Install Elasticsearch

# import the Elastic signing key, then add the 5.x repo (gpgcheck=1 so packages
# must carry that signature). The heredoc body has no $ so the unquoted EOF is fine.
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

cat > /etc/yum.repos.d/elastic.repo << EOF
[elastic-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum install elasticsearch

# enable at boot and start now.
# NOTE(review): the curl calls below assume Elasticsearch answers on
# localhost:9200 and nothing in this guide sets network.host; confirm the
# service is not also reachable on eth0 before agents start sending data.
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service

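# Load the Wazuh index template and a sample alert into the local Elasticsearch.
# -fsS on the fetching curl: an HTTP error from GitHub now produces an empty
# body and an error on stderr instead of silently PUTting the error page as
# the template; -fsS on the PUT makes an Elasticsearch rejection visible too.
# NOTE(review): both files come from the unpinned master branch, so their
# content can change between runs.
curl -fsS https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/master/server/startup/integration_files/template_file.json | curl -fsS -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

# $(...) instead of backticks; the index name carries today's date
curl -fsS https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/master/server/startup/integration_files/alert_sample.json | curl -fsS -XPUT "http://localhost:9200/wazuh-alerts-$(date +%Y.%m.%d)/wazuh/sample" -H 'Content-Type: application/json' -d @-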

vi /etc/elasticsearch/elasticsearch.yml
------------------------------ cut here ------------------------------
bootstrap.memory_lock: true
------------------------------ cut here ------------------------------

# drop-in directory for the unit override written next
mkdir -p /etc/systemd/system/elasticsearch.service.d

vi /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
------------------------------ cut here ------------------------------
[Service]
LimitMEMLOCK=infinity
------------------------------ cut here ------------------------------

# pick up the drop-in above and restart so LimitMEMLOCK applies to the JVM
systemctl daemon-reload
systemctl restart elasticsearch.service

# Wazuh 2.0 Elasticsearch template (pinned to the 2.0 branch), saved locally for editing
curl https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/elasticsearch/wazuh-elastic5-template.json -o w-elastic-template.json

vi w-elastic-template.json
------------------------------ cut here ------------------------------
    "index.refresh_interval": "5s",
    "number_of_shards" :   1,
    "number_of_replicas" : 0
------------------------------ cut here ------------------------------

# replace the template loaded earlier with the edited single-node version
curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @w-elastic-template.json

# single node: replicas cannot be allocated anywhere, so set them to 0 on the
# wazuh-* indices that already exist
curl -XPUT 'localhost:9200/wazuh-*/_settings?pretty' -H 'Content-Type: application/json' -d'
{
    "settings": {
        "number_of_replicas" : 0
    }
}
'

Install Logstash

yum install logstash

# pipeline config and template from the pinned 2.0 branch.
# -s hides progress and errors alike; -sS would still report a failed download.
curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/logstash/01-wazuh.conf
curl -so /etc/logstash/wazuh-elastic5-template.json https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/elasticsearch/wazuh-elastic5-template.json

vi /etc/logstash/conf.d/01-wazuh.conf
------------------------------ cut here ------------------------------
## Remote Wazuh Manager - Filebeat input
#input {
#    beats {
#        port => 5000
#        codec => "json_lines"
##        ssl => true
##        ssl_certificate => "/etc/logstash/logstash.crt"
##        ssl_key => "/etc/logstash/logstash.key"
#    }
#}
## Local Wazuh Manager - JSON file input
input {
   file {
       type => "wazuh-alerts"
       path => "/var/ossec/logs/alerts/alerts.json"
       codec => "json"
   }
}
------------------------------ cut here ------------------------------

# logstash reads /var/ossec/logs/alerts/alerts.json (see 01-wazuh.conf above);
# presumably that file is group-owned by ossec, hence the group membership
usermod -a -G ossec logstash

vi /etc/logstash/startup.options
------------------------------ cut here ------------------------------
LS_GROUP=ossec
------------------------------ cut here ------------------------------

# generate the logstash unit from startup.options (LS_GROUP=ossec above), then enable and start it
/usr/share/logstash/bin/system-install

systemctl daemon-reload
systemctl enable logstash.service
systemctl start logstash.service

Install Kibana and Wazuh UI

# Kibana from the Elastic repo added above
yum install kibana

vi /etc/kibana/kibana.yml
------------------------------ cut here ------------------------------
server.host: "localhost"
------------------------------ cut here ------------------------------

# Wazuh Kibana app, fetched over https from the Wazuh package host
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip

Install nginx

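# nginx.org package repository. gpgcheck=1 requires a gpgkey= entry; the
# original omitted it, so yum had no key to verify the packages against.
# Check the key's fingerprint against the one published on nginx.org before
# accepting it on first use. <<\EOF keeps $releasever/$basearch literal for yum.
cat > /etc/yum.repos.d/nginx.repo <<\EOF
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF

yum install nginx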

# the private key installed below belongs in /etc/pki/tls/private; keep it
# owned by root with no group/world read access
mkdir -p /etc/pki/tls/certs /etc/pki/tls/private

Install the SSL public certificate in /etc/pki/tls/certs/kibana-access.pem

Install the SSL private key in /etc/pki/tls/private/kibana-access.key

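# Reverse proxy in front of Kibana, which listens on localhost:5601 only (see
# kibana.yml above): plain http is redirected to https, and https requires
# basic auth over TLS. <<\EOF keeps nginx's $host/$request_uri literal.
cat > /etc/nginx/conf.d/default.conf <<\EOF
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    # "ssl" on the listen directives replaces the older "ssl on;" form
    listen 443 ssl default_server;
    listen            [::]:443 ssl;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    access_log            /var/log/nginx/nginx.access.log;
    error_log            /var/log/nginx/nginx.error.log;
    location / {
        # credentials are checked here, before any request reaches Kibana
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
EOF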

# httpd-tools provides htpasswd
yum install httpd-tools

# -c creates (or overwrites) the password file with a single "wazuh" user;
# htpasswd prompts for the password rather than taking it on the command line
htpasswd -c /etc/nginx/conf.d/kibana.htpasswd wazuh

systemctl restart nginx

systemctl daemon-reload
systemctl enable kibana.service
systemctl start kibana.service

Configure Wazuh manager

# credentials for the Wazuh API; presumably mirrors Apache htpasswd -c, i.e.
# creates the "user" file with an "admin" entry and prompts for the password
cd /var/ossec/api/configuration/auth
node htpasswd -c user admin

systemctl restart nginx.service
systemctl restart wazuh-api.service

Install the SSL public certificate in /var/ossec/etc/sslmanager.cert

Install the SSL private key in /var/ossec/etc/sslmanager.key

# agent enrolment daemon; -i registers each agent under its source IP.
# NOTE(review): as invoked here authd accepts any enrolment request that reaches
# it - consider requiring a registration password (ossec-authd -P) and limiting
# which hosts can reach the enrolment port at the firewall.
/var/ossec/bin/ossec-authd -i

vi /var/ossec/etc/ossec.conf
------------------------------ cut here ------------------------------
  <wodle name="open-scap">
    <disabled>no</disabled>
------------------------------ cut here ------------------------------

# restart so the ossec.conf change (open-scap wodle enabled) takes effect
/var/ossec/bin/ossec-control restart

# fetch the latest Wazuh ruleset
/var/ossec/bin/update_ruleset.py

vi /etc/cron.weekly/wazuh
------------------------------ cut here ------------------------------
#!/bin/sh
# weekly ruleset update; -r presumably restarts the manager so the new rules load
cd /var/ossec/bin && ./update_ruleset.py -r
------------------------------ cut here ------------------------------

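# scanner used by the open-scap wodle enabled above
yum install openscap-scanner

# Apply the hardening sysctls now; the same keys were added to /etc/sysctl.conf
# earlier, which covers reboots. The route cache only needs flushing once,
# after all settings are in place (the original flushed it three times).
/sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -w net.ipv4.conf.default.log_martians=1
/sbin/sysctl -w net.ipv4.route.flush=1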