Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Note
Root user privileges are required to run all the commands described below.
Prerequisites
Before installing Kibana, some extra packages must be installed:
Install all the required utilities for your package manager.
Yum:
# yum install curl libcap
APT:
# apt install curl apt-transport-https libcap2-bin
Zypper:
# zypper install curl
# zypper install libcap-progs || zypper install libcap2
Adding the Wazuh repository
This step is required only if Kibana will be installed on a different host from the one where Elasticsearch was installed (on the Elasticsearch host the repository has already been added).
Yum:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository (the heredoc delimiter is escaped so that $releasever is written literally and expanded by yum, not by the shell):
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
APT:
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the repository:
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Zypper:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Kibana installation and configuration
Install the Kibana package.
Yum:
# yum install opendistroforelasticsearch-kibana-1.11.0-1
APT:
# apt-get install opendistroforelasticsearch-kibana=1.11.0
Zypper:
# zypper install opendistroforelasticsearch-kibana-1.11.0-1
Download the Kibana configuration file:
# curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/kibana/7.x/kibana.yml
Edit the /etc/kibana/kibana.yml file:
server.host: <kibana_ip>
elasticsearch.hosts: "https://<elasticsearch_ip>:9200"
Values to be replaced:
<kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can only be accessed from the same host. To access Kibana from the outside, it can be configured to listen on its network IP by replacing <kibana_ip> with Kibana's host IP. The value 0.0.0.0 will accept all the available IPs of the host.
<elasticsearch_ip>: the Elasticsearch host's IP. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The IPs of the nodes can be separated with commas, e.g. ["https://10.0.0.2:9200", "https://10.0.0.3:9200", "https://10.0.0.4:9200"]
Update the optimize and plugins directories permissions:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory:
# cd /usr/share/kibana
# sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.1-1.zip
The next step involves the certificates placement. This guide assumes that a copy of certs.tar is placed in the root home folder (~/):
# mkdir /etc/kibana/certs
# mv ~/certs.tar /etc/kibana/certs/
# cd /etc/kibana/certs/
# tar -xf certs.tar kibana_http.pem kibana_http.key root-ca.pem
# mv /etc/kibana/certs/kibana_http.key /etc/kibana/certs/kibana.key
# mv /etc/kibana/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
# rm -f certs.tar
Link Kibana's socket to privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service.
Systemd:
# systemctl daemon-reload
# systemctl enable kibana
# systemctl start kibana
SysV init: choose one option according to the OS used.
RPM based OS:
# chkconfig --add kibana
# service kibana start
Debian based OS:
# update-rc.d kibana defaults 95 10
# service kibana start
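A post-install check for the steps above: it verifies that every elasticsearch.hosts entry in kibana.yml is https://, that the certificate files are owned by kibana and not world-readable, and that the node binary carries cap_net_bind_service. This is an added example, not a script from the Wazuh documentation; it assumes the guide's default paths and the inline (single-line) form of elasticsearch.hosts.

```shell
#!/bin/sh
# kibana_check.sh: post-install sanity checks for the Kibana setup in this guide.
# Added example, not part of the Wazuh documentation. Default paths are the guide's.
KIBANA_YML="${KIBANA_YML:-/etc/kibana/kibana.yml}"
CERT_DIR="${CERT_DIR:-/etc/kibana/certs}"
NODE_BIN="${NODE_BIN:-/usr/share/kibana/node/bin/node}"

# Print the server.host value (0.0.0.0 means Kibana listens on every interface).
server_host() {
  sed -n 's/^server\.host:[[:space:]]*"\{0,1\}\([^" #]*\)"\{0,1\}.*/\1/p' "$1"
}

# All Elasticsearch endpoints must be https:// (inline form assumed, e.g.
# elasticsearch.hosts: ["https://10.0.0.2:9200", "https://10.0.0.3:9200"]).
# Returns 0 when every host is https, 1 when none is set or a plain http:// one exists.
check_https_hosts() {
  hosts=$(grep '^elasticsearch\.hosts:' "$1" | grep -oE 'https?://[^]", ]+') || return 1
  echo "$hosts" | grep -q '^http://' && return 1
  return 0
}

# Certificates and the private key must belong to the given user and must not be
# readable by others; the "other" permission bits are read from ls -l (portable).
check_cert_perms() {
  dir="$1"; owner="$2"; rc=0
  for f in "$dir"/*.pem "$dir"/*.key; do
    [ -f "$f" ] || continue
    perms=$(ls -ld "$f" | awk '{print $1}'); fowner=$(ls -ld "$f" | awk '{print $3}')
    case "$perms" in ???????---*) ;; *) echo "world-accessible: $f"; rc=1 ;; esac
    [ "$fowner" = "$owner" ] || { echo "owner is $fowner, expected $owner: $f"; rc=1; }
  done
  return $rc
}

# The guide grants cap_net_bind_service to node so Kibana can bind 443 unprivileged;
# getcap prints "cap_net_bind_service+ep" or "cap_net_bind_service=ep" by version.
check_node_cap() {
  command -v getcap >/dev/null 2>&1 || { echo "getcap not installed"; return 2; }
  getcap "$1" 2>/dev/null | grep -q 'cap_net_bind_service[+=]ep'
}

run_checks() {
  echo "server.host: $(server_host "$KIBANA_YML")"
  check_https_hosts "$KIBANA_YML" || echo "FAIL: elasticsearch.hosts is not https-only"
  check_cert_perms "$CERT_DIR" kibana || echo "FAIL: certificate ownership/permissions"
  check_node_cap "$NODE_BIN" || echo "FAIL: node lacks cap_net_bind_service"
}

# Run the checks only when invoked as "sh kibana_check.sh run" (safe to source otherwise).
case "${1:-}" in run) run_checks ;; esac
```

Run it as root with `sh kibana_check.sh run` after starting the service; any FAIL line points at the step above that needs to be redone.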
Access the web interface:
URL: https://<kibana_ip>
user: admin
password: admin
Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
It is highly recommended to change Elasticsearch's default passwords for the users found at the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. More information on this process can be found in the Elasticsearch tuning section.
With the first access attempt, the Wazuh Kibana plugin may display a message indicating that it cannot communicate with the Wazuh API. To solve this issue, edit the file /usr/share/kibana/optimize/wazuh/config/wazuh.yml and replace the url with the Wazuh server address:
hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh
      password: wazuh
      run_as: false
Once Kibana is running it is necessary to assign each user their corresponding role. To learn more visit the Setting up the Wazuh Kibana plugin section.
To uninstall Kibana, visit the uninstalling section.
Next steps
Once the Wazuh environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found in our installation guide.