Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Note
You need root user privileges to run all the commands described below.
Prerequisites
Some extra packages are needed for the installation, such as curl or unzip, that will be used in further steps.
Install all the necessary packages, choosing the command for the OS used:
RPM based OS
# yum install zip unzip curl
Debian based OS
# apt-get install lsb-release curl apt-transport-https zip unzip gnupg
Adding the Elastic Stack repository
RPM based OS
Import the GPG key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Debian based OS
Install the GPG key:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package information:
# apt-get update
Kibana installation and configuration
Install the Kibana package, choosing the command for the OS used:
RPM based OS
# yum install kibana-7.17.13
Debian based OS
# apt-get install kibana=7.17.13
The next step is the certificate placement. This guide assumes that a copy of certs.zip is placed in the root home folder (~/):
# unzip ~/certs.zip -d ~/certs
# rm -f ~/certs/ca/ca.key
# mkdir /etc/kibana/certs/ca -p
# cp ~/certs/ca/ca.crt /etc/kibana/certs/ca
# cp ~/certs/kibana/* /etc/kibana/certs/
# chown -R kibana: /etc/kibana/certs
# chmod -R 500 /etc/kibana/certs
# chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
# rm -rf ~/certs ~/certs.zip
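The following audit function is an added example and is not part of the Wazuh guide: it verifies that the certificate directory ends up in the layout the commands above produce (directories 500, files 400, everything owned by the kibana user, and no CA private key left on the host). It assumes GNU stat and find, and takes the directory and the expected owner as parameters.

```shell
#!/bin/sh
# Added example, not part of the Wazuh guide: audit the layout the guide
# creates under /etc/kibana/certs (directories 500, files 400, everything
# owned by the kibana user, and no CA private key on the host).
# Usage: audit_kibana_certs /etc/kibana/certs kibana
# Assumes GNU stat/find and paths without whitespace.
audit_kibana_certs() {
    dir="$1"
    owner="${2:-kibana}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi
    # The guide removes ca.key before copying; it must never be on this host.
    if [ -e "$dir/ca/ca.key" ]; then
        echo "FAIL: CA private key present at $dir/ca/ca.key" >&2
        rc=1
    fi
    # Walk the tree: directories must be 500, files 400, all owned by $owner.
    for path in $(find "$dir"); do
        mode=$(stat -c '%a' "$path")
        who=$(stat -c '%U' "$path")
        if [ -d "$path" ]; then want=500; else want=400; fi
        if [ "$mode" != "$want" ]; then
            echo "FAIL: $path has mode $mode, expected $want" >&2
            rc=1
        fi
        if [ "$who" != "$owner" ]; then
            echo "FAIL: $path is owned by $who, expected $owner" >&2
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir matches the expected layout"
    fi
    return $rc
}
```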
Download the Kibana configuration file:
Note
Starting with Elasticsearch 7.11.0, a DNS name must be specified in the elasticsearch.hosts field, since IP addresses are no longer allowed.
# curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/kibana.yml
Edit the /etc/kibana/kibana.yml file:
server.host: <kibana_ip>
elasticsearch.hosts: "https://<elasticsearch_DN>:9200"
elasticsearch.password: <elasticsearch_password>
Values to be replaced:
<kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can only be accessed from the same machine. To access Kibana from outside the host, configure it to listen on its network IP address by replacing <kibana_ip> with the Kibana host IP address.
<elasticsearch_DN>: the Elasticsearch host's domain name. With more than one Elasticsearch node, Kibana can be configured to connect to multiple nodes of the same cluster; separate their domain names with commas, e.g. ["https://elasticsearch_DN1:9200", "https://elasticsearch_DN2:9200", "https://elasticsearch_DN3:9200"]
<elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for the elastic user.
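The check below is an added example, not part of the Wazuh guide or the downloaded template: it reads the three settings edited above and reports placeholders that were left in place, non-https hosts, IP literals in elasticsearch.hosts (rejected from Elasticsearch 7.11.0 onwards), and a missing password. It assumes each setting sits on a single line, as in the template, and takes the file path as its parameter.

```shell
#!/bin/sh
# Added example, not part of the Wazuh guide: sanity-check the settings the
# guide edits in /etc/kibana/kibana.yml before starting the service.
# Usage: check_kibana_yml /etc/kibana/kibana.yml
# Assumes each setting sits on one line, as in the downloaded template.
check_kibana_yml() {
    file="$1"
    rc=0
    # server.host must be set and must not be the <kibana_ip> placeholder.
    if ! grep -Eq '^server\.host:[[:space:]]*[^[:space:]<]' "$file"; then
        echo "FAIL: server.host is unset or still a placeholder" >&2
        rc=1
    fi
    # Accept both the single-string and the ["...", "..."] list forms.
    hosts=$(sed -n 's/^elasticsearch\.hosts:[[:space:]]*//p' "$file" | tr -d '[]",')
    if [ -z "$hosts" ]; then
        echo "FAIL: elasticsearch.hosts is not set" >&2
        return 1
    fi
    for url in $hosts; do
        case "$url" in
            https://*) ;;
            *) echo "FAIL: $url must use https://" >&2; rc=1; continue ;;
        esac
        host=${url#https://}
        host=${host%%:*}
        case "$host" in
            *'<'*|*'>'*) echo "FAIL: placeholder $host was not replaced" >&2; rc=1 ;;
        esac
        # Elasticsearch 7.11.0+ requires a DNS name here, not an IPv4 literal.
        if printf '%s\n' "$host" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
            echo "FAIL: $host is an IP literal; a DNS name is required" >&2
            rc=1
        fi
    done
    pw=$(sed -n 's/^elasticsearch\.password:[[:space:]]*//p' "$file" | tr -d '"')
    case "$pw" in
        ''|'<'*) echo "FAIL: elasticsearch.password is unset or still a placeholder" >&2; rc=1 ;;
    esac
    return $rc
}
```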
Create the /usr/share/kibana/data directory:
# mkdir /usr/share/kibana/data
# chown -R kibana:kibana /usr/share/kibana
Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory:
# cd /usr/share/kibana
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.5.4_7.17.13-1.zip
Allow Kibana's Node.js binary to bind to the privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service. On systems using systemd:
# systemctl daemon-reload
# systemctl enable kibana
# systemctl start kibana
On systems using SysV init, choose one option according to the OS used:
Debian based OS
# update-rc.d kibana defaults 95 10
# service kibana start
RPM based OS
# chkconfig --add kibana
# service kibana start
Only for distributed deployments
Edit the /usr/share/kibana/data/wazuh/config/wazuh.yml file and replace the url value with the IP address or hostname of the Wazuh server master node:
hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<kibana_ip>
user: elastic
password: <PASSWORD_elastic>
Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
Disabling repositories
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally, which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
RPM based OS
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
Debian based OS
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
To uninstall Kibana, visit the uninstalling section.
Next steps
Once the Wazuh - Elastic Stack environment is ready, a Wazuh agent can be installed on every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems.