Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

Note

Root user privileges are required to run all the commands described below.

Prerequisites

Some extra packages are needed for the installation, such us curl or unzip, that will be used in further steps:

Install all the necessary packages:

# yum install zip unzip curl

Adding the Elastic Stack repository

  1. Import the GPG key:

    # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    

Kibana installation and configuration

  1. Install the Kibana package:

    # yum install kibana-7.9.3
    
  2. The next step is the certificate placement, this guide assumes that a copy of certs.zip is placed in the root home folder (~/):

    # unzip ~/certs.zip -d ~/certs
    # rm -f ~/certs/ca/ca.key
    # mkdir /etc/kibana/certs/ca -p
    # cp ~/certs/ca/ca.crt /etc/kibana/certs/ca
    # cp ~/certs/kibana/* /etc/kibana/certs/
    # chown -R kibana: /etc/kibana/certs
    # chmod -R 500 /etc/kibana/certs
    # chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
    # rm -rf ~/certs ~/certs.zip
    
  3. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/kibana/7.x/kibana.yml
    

    Edit the /etc/kibana/kibana.yml file:

    server.host: <kibana_ip>
    elasticsearch.hosts: "https://<elasticsearch_ip>:9200"
    elasticsearch.password: <elasticsearch_password>
    

    Values to be replaced:

    • <kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can be only accessed from the same machine. To access Kibana from the outside it may be configured to listen on its network IP by replacing kibana_ip with Kibana's host IP.

    • <elasticsearch_ip>: the host's IP. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The nodes' IPs can be separated with commas. Eg. ["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]

    • <elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for the elastic user.

  4. Update the optimize and plugins directories permissions:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
    
  5. Install the Wazuh Kibana plugin:

    The installation of the plugin must be done from the Kibana home directory.

    # cd /usr/share/kibana
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.3-1.zip
    
  6. Link Kibana's socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    
  8. Access the web interface using the password generated during the Elasticsearch installation process:

URL: https://<kibana_ip>
user: elastic
password: <PASSWORD_elastic>

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

With the first access attempt, the Wazuh Kibana plugin may prompt a message that indicates that it cannot communicate with the Wazuh API. To solve this issue edit the file /usr/share/kibana/optimize/wazuh/config/wazuh.yml and replace the url with the Wazuh server's address:

hosts:
  - default:
     url: https://localhost
     port: 55000
     username: wazuh
     password: wazuh
     run_as: false

Disabling repositories

This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.

With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.

We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

To uninstall Kibana, visit the uninstalling section.

Next steps

Once the Wazuh - Elastic Stack environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh installation guide is available for most operating systems and it can be found here.