Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

Note

Root user privileges are required to run all the commands described below.

Prerequisites

Before installing Kibana, some extra packages must be installed:

Install all the required utilities:

# yum install curl libcap

Adding the Wazuh repository

This step is required only if Kibana will be installed on a separate host where Elasticsearch was installed.

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Kibana installation and configuration

  1. Install the Kibana package:

    # yum install opendistroforelasticsearch-kibana-1.11.0-1
    
  2. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/kibana/7.x/kibana.yml
    

    Edit the /etc/kibana/kibana.yml file:

    server.host: <kibana_ip>
    elasticsearch.hosts: "https://<elasticsearch_ip>:9200"
    

    Values to be replaced:

    • <kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can be only accessed from the same host. To access Kibana from the outside it may be configured to listen on its network IP by replacing kibana_ip with Kibana's host IP. The value 0.0.0.0 will accept all the available IPs of the host.

    • <elasticsearch_ip>: the host's IP. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The IPs of the nodes can be separated with commas. Eg. ["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]

  3. Update the optimize and plugins directories permissions:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
    
  4. Install the Wazuh Kibana plugin:

    The installation of the plugin must be done from the Kibana home directory:

    # cd /usr/share/kibana
    # sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.1-1.zip
    
  5. The next step involves the certificates placement. This guide assumes that a copy of certs.tar is placed in the root home folder (~/):

    # mkdir /etc/kibana/certs
    # mv ~/certs.tar /etc/kibana/certs/
    # cd /etc/kibana/certs/
    # tar -xf certs.tar kibana_http.pem kibana_http.key root-ca.pem
    # mv /etc/kibana/certs/kibana_http.key /etc/kibana/certs/kibana.key
    # mv /etc/kibana/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
    # rm -f certs.tar
    
  6. Link Kibana's socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    
  8. Access the web interface:

URL: https://<kibana_ip>
user: admin
password: admin

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

It is highly recommended to change Elasticsearch’s default passwords for the users found at the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. More information on this process can be found in the Elasticsearch tuning section.

With the first access attempt, the Wazuh Kibana plugin may display a message indicating that it cannot communicate with the Wazuh API. To solve this issue edit the file /usr/share/kibana/optimize/wazuh/config/wazuh.yml and replace the url with the Wazuh server address:

hosts:
  - default:
     url: https://localhost
     port: 55000
     username: wazuh
     password: wazuh
     run_as: false

Once Kibana is running it is necessary to assign each user their corresponding role. To learn more visit the Setting up the Wazuh Kibana plugin section.

To uninstall Kibana, visit the uninstalling section.

Next steps

Once the Wazuh environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found in our installation guide.