This is the documentation for Wazuh 3.7. Check out the docs for the latest version of Wazuh!

Configure X-Pack users

This section helps to configure the X-Pack users and roles mentioned on the previous article, using the interface provided by Kibana.

Using Kibana UI with the elastic user

  1. Login into Kibana using the elastic user:
  1. Go to Management > Security > Roles:
  1. Create the wazuh-admin role:
  1. Create the wazuh-basic role:
  1. Create the wazuh-api-admin role:
  1. Go to Management > Security > Users:
  1. Create the Wazuh administrator user:
  1. Create a standard user:

Note

This user is not able to add/remove/edit a Wazuh API, use the Wazuh administrator user instead (step 7).

  1. Create the Kibana system user:

Warning

Ensure the password is strong enough, it will be the superuser for your environment.

  1. Set the right user credentials on the kibana.yml file:
# vi /etc/kibana/kibana.yml

elasticsearch.username: "wazuhsystem"
elasticsearch.password: "<wazuhsystem_password>"
  1. Restart Kibana:
# systemctl restart kibana

Using the command-line interface (CLI)

  1. Create the wazuh-admin role:
# curl -X POST "http://localhost:9200/_xpack/security/role/wazuh-admin" -H 'Content-Type: application/json' -d'
{
  "cluster": [ "manage", "manage_index_templates" ],
  "indices": [
    {
      "names": [ ".old-wazuh", ".wazuh", ".wazuh-version", "wazuh-*" ],
      "privileges": ["all"]
    }
  ]
}' -u elastic:elastic_password

{"role":{"created":true}}
  1. Create the wazuh-basic role:
# curl -X POST "http://localhost:9200/_xpack/security/role/wazuh-basic" -H 'Content-Type: application/json' -d'
{
  "cluster": [],
  "indices": [
    {
      "names": [ ".kibana", ".wazuh", ".wazuh-version", "wazuh-alerts-3.x-*", "wazuh-monitoring-3.x-*" ],
      "privileges": ["read"]
    }
  ]
}' -u elastic:elastic_password

{"role":{"created":true}}
  1. Create the wazuh-api-admin role:
# curl -X POST "http://localhost:9200/_xpack/security/role/wazuh-api-admin" -H 'Content-Type: application/json' -d'
{
  "cluster": [],
  "indices": [
    {
      "names": [ ".wazuh" ],
      "privileges": ["all"]
    }
  ]
}' -u elastic:elastic_password

{"role":{"created":true}}
  1. Create the Kibana system user:

Warning

Ensure the password is strong enough, it will be the superuser for your environment.

# curl -X POST "http://localhost:9200/_xpack/security/user/wazuhsystem" -H 'Content-Type: application/json' -d'
{
  "password": "wazuhsystem",
  "roles":["wazuh-admin","kibana_system"],
  "full_name":"Wazuh System",
  "email":"wazuhsystem@wazuh.com"
}' -u elastic:elastic_password

{"user":{"created":true}}
  1. Create the Wazuh administrator user:
# curl -X POST "http://localhost:9200/_xpack/security/user/jack" -H 'Content-Type: application/json' -d'
{
  "password": "jackjack",
  "roles":["wazuh-basic","wazuh-api-admin"],
  "full_name":"Jack",
  "email":"jack@wazuh.com"
}' -u elastic:elastic_password

{"user":{"created":true}}
  1. Create a standard user:

Note

This user is not able to add/remove/edit a Wazuh API, use the Wazuh administrator user instead (step 5).

# curl -X POST "http://localhost:9200/_xpack/security/user/john" -H 'Content-Type: application/json' -d'
{
  "password": "johnjohn",
  "roles":["wazuh-basic"],
  "full_name":"John",
  "email":"john@wazuh.com"
}' -u elastic:elastic_password

{"user":{"created":true}}
  1. Set the right user credentials on the kibana.yml file:
# vi /etc/kibana/kibana.yml

elasticsearch.username: "wazuhsystem"
elasticsearch.password: "<wazuhsystem_password>"
  1. Restart Kibana:
# systemctl restart kibana