Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Note
Root user privileges are required to run all the commands described below.
Prerequisites
Some extra packages are needed for the installation, such us curl
or unzip
, that will be used in further steps:
Install all the necessary packages:
# yum install zip unzip curl
Install all the necessary packages:
# apt-get install lsb-release curl apt-transport-https zip unzip gnupg2
Install all the necessary packages:
# zypper install zip unzip curl
Adding the Elastic Stack repository
Import the GPG key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Install the GPG key:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
Add the repository:
# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package information:
# apt-get update
Import the GPG key:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/zypp/repos.d/elastic.repo <<\EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Kibana installation and configuration
Install the Kibana package:
# yum install kibana-7.9.3
# apt-get install kibana=7.9.3
# zypper install kibana-7.9.3
The next step is the certificate placement, this guide assumes that a copy of
certs.zip
is placed in the root home folder (~/):# unzip ~/certs.zip -d ~/certs # rm -f ~/certs/ca/ca.key # mkdir /etc/kibana/certs/ca -p # cp ~/certs/ca/ca.crt /etc/kibana/certs/ca # cp ~/certs/kibana/* /etc/kibana/certs/ # chown -R kibana: /etc/kibana/certs # chmod -R 500 /etc/kibana/certs # chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.* # rm -rf ~/certs ~/certs.zip
Download the Kibana configuration file:
# curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/kibana/7.x/kibana.yml
Edit the
/etc/kibana/kibana.yml
file:server.host: <kibana_ip> elasticsearch.hosts: "https://<elasticsearch_ip>:9200" elasticsearch.password: <elasticsearch_password>
Values to be replaced:
<kibana_ip>
: by default, Kibana only listens on the loopback interface (localhost), which means that it can be only accessed from the same machine. To access Kibana from the outside it may be configured to listen on its network IP by replacingkibana_ip
with Kibana's host IP.<elasticsearch_ip>
: the host's IP. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The nodes' IPs can be separated with commas. Eg.["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]
<elasticsearch_password>
: the password generated during the Elasticsearch installation and configuration for theelastic
user.
Update the
optimize
andplugins
directories permissions:# chown -R kibana:kibana /usr/share/kibana/optimize # chown -R kibana:kibana /usr/share/kibana/plugins
Install the Wazuh Kibana plugin:
The installation of the plugin must be done from the Kibana home directory.
# cd /usr/share/kibana # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.3-1.zip
Link Kibana's socket to privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service:
# systemctl daemon-reload # systemctl enable kibana # systemctl start kibana
Choose one option according to the OS used:
Debian based OS
# update-rc.d kibana defaults 95 10 # service kibana start
RPM based OS
# chkconfig --add kibana # service kibana start
Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<kibana_ip> user: elastic password: <PASSWORD_elastic>Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the
root-ca.pem
file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
With the first access attempt, the Wazuh Kibana plugin may prompt a message that indicates that it cannot communicate with the Wazuh API. To solve this issue edit the file /usr/share/kibana/optimize/wazuh/config/wazuh.yml
and replace the url
with the Wazuh server's address:
hosts:
- default:
url: https://localhost
port: 55000
username: wazuh
password: wazuh
run_as: false
Disabling repositories
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo
To uninstall Kibana, visit the uninstalling section.
Next steps
Once the Wazuh - Elastic Stack environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh installation guide is available for most operating systems and it can be found here.