⚙️Configure Wazuh and Hive

After completing the installation steps, the next task is to configure TheHive and Wazuh. We start with TheHive.

TheHive stores its data in Cassandra, so that is configured first. Cassandra's configuration file is:

/etc/cassandra/cassandra.yaml

First, change the Cassandra cluster name.

Cassandra Cluster Name

Next, change listen_address from localhost to the IP address of the TheHive host; in this example that is 192.168.200.200.

Cassandra Listen Address

Now change rpc_address the same way, replacing localhost with the TheHive host IP (192.168.200.200 here).

Cassandra rpc_address

Next, change the seeds entry to the same IP address, but keep the port number 7000 (the value is written as host:port).

Cassandra Seeds Port

Then stop the Cassandra service.

systemctl stop cassandra.service

Then clear Cassandra's existing data directories so the node starts cleanly under the new cluster name (Cassandra refuses to start when the saved cluster name differs from the configured one). This deletes all stored data, so only do it on a fresh install:

sudo rm -rf /var/lib/cassandra/*

Now start the Cassandra service:

systemctl start cassandra.service

To confirm that the Cassandra service is running, check its status:

systemctl status cassandra.service

The service is active and running after the changes.

Cassandra service is active and running

Next, configure Elasticsearch, which provides the search index TheHive queries. Its configuration file is:

/etc/elasticsearch/elasticsearch.yml

Find cluster.name and set it to a name of your choice; in this example it is changed to "thehive".

Elasticsearch Cluster Name

Also uncomment node.name and leave it as node-1.

Elasticsearch Node Name

Further down you will find network.host. Uncomment it and set it to the TheHive host IP (192.168.200.200 here). Note that this binds Elasticsearch to the LAN interface; unless security features are enabled, anyone who can reach port 9200 can read and modify the index, so restrict access to that port with a firewall.

Elasticsearch Network Host IP

The default Elasticsearch HTTP port is 9200. You can uncomment http.port and set a custom port if you wish; here it is uncommented but left at 9200.

Elasticsearch http port

Elasticsearch will not start without either discovery.seed_hosts or cluster.initial_master_nodes set. Here cluster.initial_master_nodes is uncommented, as shown below. Remove node-2 from the list, because there is no second node at this stage; keep it only if you are setting up a second node.

Elasticsearch Master Nodes

Save the configuration and start the Elasticsearch service:

systemctl start elasticsearch
Elasticsearch Start

Once it is running, enable the service so it starts at boot:

systemctl enable elasticsearch
Elasticsearch service enable

To confirm, check the service status:

systemctl status elasticsearch

It is active and running.

Elasticsearch service running

After this, double-check the Cassandra service as well; it can sometimes hang or stop.

systemctl status cassandra.service
Cassandra Service is Running
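The Cassandra and Elasticsearch edits above, applied non-interactively with sed and then verified. This script is an added example and is not part of the original post. It assumes GNU sed, a single-node install with node name node-1, and the IP 192.168.200.200 from the post (override with HIVE_IP). The functions take a file path; here they run against constructed excerpts of the stock config files in a temporary directory, so you can check the result before pointing them at /etc/cassandra/cassandra.yaml and /etc/elasticsearch/elasticsearch.yml.

```shell
#!/bin/sh
# Added example (not from the original post): apply the cassandra.yaml and
# elasticsearch.yml changes from the walkthrough with GNU sed, then verify.
set -eu

HIVE_IP="${HIVE_IP:-192.168.200.200}"       # assumption: IP used in the post
CLUSTER_NAME="${CLUSTER_NAME:-thehive}"     # assumption: cluster name from the post

# Cassandra: cluster_name, listen_address, rpc_address and seeds.
# The seeds value keeps port 7000; only the host part changes.
configure_cassandra() {
  f="$1"
  sed -i \
    -e "s/^cluster_name: .*/cluster_name: '$CLUSTER_NAME'/" \
    -e "s/^listen_address: .*/listen_address: $HIVE_IP/" \
    -e "s/^rpc_address: .*/rpc_address: $HIVE_IP/" \
    -e "s/^\([[:space:]]*- seeds: \).*/\1\"$HIVE_IP:7000\"/" \
    "$f"
}

# Elasticsearch: uncomment and set cluster.name, node.name, network.host and
# http.port; the initial master list is reduced to node-1 (no node-2 yet).
configure_elasticsearch() {
  f="$1"
  sed -i \
    -e "s/^#*cluster\.name: .*/cluster.name: $CLUSTER_NAME/" \
    -e "s/^#*node\.name: .*/node.name: node-1/" \
    -e "s/^#*network\.host: .*/network.host: $HIVE_IP/" \
    -e "s/^#*http\.port: .*/http.port: 9200/" \
    -e "s/^#*cluster\.initial_master_nodes: .*/cluster.initial_master_nodes: [\"node-1\"]/" \
    "$f"
}

# Succeeds only if FILE contains an uncommented line holding "KEY: VALUE".
check_setting() {
  grep -v '^[[:space:]]*#' "$1" | grep -qF -- "$2: $3"
}

WORK="$(mktemp -d)"
CASS="$WORK/cassandra.yaml"
ES="$WORK/elasticsearch.yml"

# Constructed excerpts of the stock files: only the keys this script touches.
cat > "$CASS" <<'EOF'
cluster_name: 'Test Cluster'
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
      parameters:
          - seeds: "127.0.0.1:7000"
listen_address: localhost
rpc_address: localhost
EOF

cat > "$ES" <<'EOF'
#cluster.name: my-application
#node.name: node-1
#network.host: 192.168.0.1
#http.port: 9200
#cluster.initial_master_nodes: ["node-1", "node-2"]
EOF

configure_cassandra "$CASS"
configure_elasticsearch "$ES"

# Every setting the walkthrough changes must now be present and uncommented.
verify_all() {
  check_setting "$CASS" cluster_name "'$CLUSTER_NAME'" &&
  check_setting "$CASS" listen_address "$HIVE_IP" &&
  check_setting "$CASS" rpc_address "$HIVE_IP" &&
  check_setting "$CASS" '- seeds' "\"$HIVE_IP:7000\"" &&
  check_setting "$ES" cluster.name "$CLUSTER_NAME" &&
  check_setting "$ES" node.name node-1 &&
  check_setting "$ES" network.host "$HIVE_IP" &&
  check_setting "$ES" http.port 9200 &&
  check_setting "$ES" cluster.initial_master_nodes '["node-1"]'
}

if verify_all; then
  echo "all settings applied under $WORK"
else
  echo "configuration check failed under $WORK" >&2
  exit 1
fi
```

To use it on a real host, run the two configure functions against the files under /etc (after backing them up), then stop Cassandra, clear its data directory as described above, and start both services; the seeds and network.host lines are the ones most often mistyped, which is why the script verifies each key instead of trusting the sed run.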
