Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
You need root user privileges to run all the commands described below.
Some extra packages are needed for the installation, such as
unzip, that will be used in further steps:
Install the Kibana package:
The next step is the certificate placement, this guide assumes that a copy of
certs.zipis placed in the root home folder (~/):
# unzip ~/certs.zip -d ~/certs # rm -f ~/certs/ca/ca.key # mkdir /etc/kibana/certs/ca -p # cp ~/certs/ca/ca.crt /etc/kibana/certs/ca # cp ~/certs/kibana/* /etc/kibana/certs/ # chown -R kibana: /etc/kibana/certs # chmod -R 500 /etc/kibana/certs # chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.* # rm -rf ~/certs ~/certs.zip
Download the Kibana configuration file:
Starting Elasticsearch 7.11.0, a DNS name must be specified in the
elasticsearch.hostsfield since IP addresses are no longer allowed.
# curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.3/tpl/elastic-basic/kibana.yml
server.host: <kibana_ip> elasticsearch.hosts: "https://<elasticsearch_DN>:9200" elasticsearch.password: <elasticsearch_password>
Values to be replaced:
<kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can be only accessed from the same machine. To access Kibana from the outside, it may be configured to listen on its network IP address by replacing
kibana_ipwith Kibana host IP address.
<elasticsearch_DN>: the host's domain name. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The nodes' domain names can be separated with commas. Eg.
<elasticsearch_password>: the password generated during the Elasticsearch installation and configuration for the
# mkdir /usr/share/kibana/data # chown -R kibana:kibana /usr/share/kibana
Install the Wazuh Kibana plugin:
The installation of the plugin must be done from the Kibana home directory.
# cd /usr/share/kibana # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.10_7.17.6-1.zip
Link Kibana's socket to privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service:
Only for distributed deployments
/usr/share/kibana/data/wazuh/config/wazuh.ymlfile and replace the
urlvalue with the IP address or hostname of the Wazuh server master node.
hosts: - default: url: https://localhost port: 55000 username: wazuh-wui password: wazuh-wui run_as: false
Access the web interface using the password generated during the Elasticsearch installation process:
URL: https://<kibana_ip> user: elastic password: <PASSWORD_elastic>
Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the
root-ca.pemfile previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally, which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
To uninstall Kibana, visit the uninstalling section.
Once the Wazuh - Elastic Stack environment is ready, a Wazuh agent can be installed on every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems.