Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Root user privileges are required to run all the commands described below.
Some extra packages are needed for the installation, such us
unzip, that will be used in further steps:
Install the Kibana package:
The next step is the certificate placement, this guide assumes that a copy of
certs.zipis placed in the root home folder (~/):
# unzip ~/certs.zip -d ~/certs # rm -f ~/certs/ca/ca.key # mkdir /etc/kibana/certs/ca -p # cp ~/certs/ca/ca.crt /etc/kibana/certs/ca # cp ~/certs/kibana/* /etc/kibana/certs/ # chown -R kibana: /etc/kibana/certs # chmod -R 500 /etc/kibana/certs # chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.* # rm -rf ~/certs ~/certs.zip
Download the Kibana configuration file:
# curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/kibana/7.x/kibana.yml
server.host: <kibana_ip> elasticsearch.hosts: "https://<elasticsearch_ip>:9200" elasticsearch.password: <elasticsearch_password>
Values to be replaced:
<kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can be only accessed from the same machine. To access Kibana from the outside it may be configured to listen on its network IP by replacing
kibana_ipwith Kibana's host IP.
<elasticsearch_ip>: the host's IP. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The nodes' IPs can be separated with commas. Eg.
<elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for the
# chown -R kibana:kibana /usr/share/kibana/optimize # chown -R kibana:kibana /usr/share/kibana/plugins
Install the Wazuh Kibana plugin:
The installation of the plugin must be done from the Kibana home directory.
# cd /usr/share/kibana # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.3-1.zip
Link Kibana's socket to privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service:
Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<kibana_ip> user: elastic password: <PASSWORD_elastic>
Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the
root-ca.pemfile previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
With the first access attempt, the Wazuh Kibana plugin may prompt a message that indicates that it cannot communicate with the Wazuh API. To solve this issue edit the file
/usr/share/kibana/optimize/wazuh/config/wazuh.yml and replace the
url with the Wazuh server's address:
hosts: - default: url: https://localhost port: 55000 username: wazuh password: wazuh run_as: false
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
To uninstall Kibana, visit the uninstalling section.
Once the Wazuh - Elastic Stack environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh installation guide is available for most operating systems and it can be found here.