Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.


Root user privileges are required to run all the commands described below.

Adding the Wazuh repository

This step is required only if Kibana will be installed on a host other than the one where Elasticsearch was installed.

Yum:

  1. Install the necessary packages for the installation:

    # yum install curl libcap
  2. Import the GPG key:

    # rpm --import
  3. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    name=EL-\$releasever - Wazuh

APT:

  1. Install the necessary packages for the installation:

    # apt install curl apt-transport-https libcap2-bin
  2. Install the GPG key:

    # curl -s | apt-key add -
  3. Add the repository:

    # echo "deb stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
  4. Update the package information:

    # apt-get update

ZYpp:

  1. Install the necessary packages for the installation:

    # zypper install curl
    # zypper install libcap-progs || zypper install libcap2
  2. Import the GPG key:

    # rpm --import
  3. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    name=EL-$releasever - Wazuh

Kibana installation and configuration

  1. Install the Kibana package with the command for the host's package manager (Yum, APT or ZYpp):

    # yum install opendistroforelasticsearch-kibana
    # apt-get install opendistroforelasticsearch-kibana
    # zypper install opendistroforelasticsearch-kibana
  2. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml

    Edit the /etc/kibana/kibana.yml file:

    server.host: <kibana_ip>
    elasticsearch.hosts: "https://<elasticsearch_ip>:9200"

    Values to be replaced:

    • <kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can only be accessed from the same host. To access Kibana from the outside, it can be configured to listen on its network IP address by replacing <kibana_ip> with the Kibana host's IP. The value 0.0.0.0 will accept all the available IPs of the host.

    • <elasticsearch_ip>: the Elasticsearch host's IP address. If there is more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The IPs of the nodes can be separated with commas. E.g. ["", "",""]

  3. Create the /usr/share/kibana/data directory:

    # mkdir /usr/share/kibana/data
    # chown -R kibana:kibana /usr/share/kibana/data
  4. Install the Wazuh Kibana plugin:

    The installation of the plugin must be done from the Kibana home directory:

    # cd /usr/share/kibana
    # sudo -u kibana bin/kibana-plugin install
  5. Replace kibana-node-name with your Kibana node name, the same used in instances.yml to create the certificates, and move the certificates to their corresponding location. This guide assumes that a copy of certs.tar, created during the Elasticsearch installation, has been placed in the root home folder (~/).

    # node_name=kibana-node-name
    # mkdir /etc/kibana/certs
    # mv ~/certs.tar /etc/kibana/certs/
    # cd /etc/kibana/certs/
    # tar -xf certs.tar $node_name.pem $node_name-key.pem root-ca.pem
    # mv /etc/kibana/certs/$node_name.pem /etc/kibana/certs/kibana.pem
    # mv /etc/kibana/certs/$node_name-key.pem /etc/kibana/certs/kibana-key.pem
    # chown kibana:kibana /etc/kibana/certs/*
    # rm -f certs.tar
  6. Link Kibana’s socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
  7. Enable and start the Kibana service:

    Systemd:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana

    SysV init (choose one option according to the operating system used):

    1. RPM-based operating system:

    # chkconfig --add kibana
    # service kibana start

    2. Debian-based operating system:

    # update-rc.d kibana defaults 95 10
    # service kibana start
  8. Access the web interface:

URL: https://<kibana_ip>
user: admin
password: admin

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

It is highly recommended to change Elasticsearch’s default passwords for the users found at the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. More information about this process can be found here.

On the first access attempt, the Wazuh Kibana plugin may display a message indicating that it cannot communicate with the Wazuh API. To solve this issue, edit the file /usr/share/kibana/data/wazuh/config/wazuh.yml and replace the url value with the Wazuh server’s address:

  - default:
     url: https://localhost
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false
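
The checks below are an added example, not part of the Wazuh documentation: a shell function that audits the files this guide creates or edits (kibana.yml, the Kibana private key and wazuh.yml) and is run here against constructed sample files. The function name `audit_kibana` and the sample addresses are hypothetical; it assumes GNU `stat` and the single-line `elasticsearch.hosts` form.

```bash
#!/usr/bin/env bash
# Added example: audit the files this guide creates or edits.
# Prints one finding per line and nothing when every check passes.
# Assumes GNU stat and a single-line elasticsearch.hosts setting.
audit_kibana() {
    local yml=$1 key=$2 wazuh=$3 host hosts url mode

    # 1. Listening interface: 0.0.0.0 exposes the login page on every interface.
    host=$(sed -n 's/^server\.host:[[:space:]]*//p' "$yml" | tr -d "\"' ")
    [ "$host" = "0.0.0.0" ] &&
        echo "WARN server.host is 0.0.0.0: limit access to port 443 with a firewall"

    # 2. Every Elasticsearch node must be reached over TLS.
    hosts=$(sed -n 's/^elasticsearch\.hosts:[[:space:]]*//p' "$yml" |
        tr -d "\"'[] " | tr ',' ' ')
    for url in $hosts; do
        case $url in
            https://*) ;;
            *) echo "FAIL elasticsearch.hosts entry $url is not https" ;;
        esac
    done

    # 3. The private key must be accessible to its owner only.
    mode=$(stat -c '%a' "$key" 2>/dev/null || echo missing)
    case $mode in
        400|600) ;;
        *) echo "FAIL $key has mode $mode, expected 400 or 600" ;;
    esac

    # 4. wazuh.yml: url left at localhost, or the password printed in this guide.
    grep -Eq '^[[:space:]]*url:[[:space:]]*https://localhost[[:space:]]*$' "$wazuh" &&
        echo "WARN wazuh.yml url is https://localhost"
    grep -Eq '^[[:space:]]*password:[[:space:]]*wazuh-wui[[:space:]]*$' "$wazuh" &&
        echo "WARN wazuh.yml password is the value shown in this guide"
    return 0
}

# Constructed sample files (192.0.2.0/24 is a documentation range).
demo() {
    local d; d=$(mktemp -d)
    printf 'server.host: 0.0.0.0\nelasticsearch.hosts: ["https://192.0.2.10:9200", "http://192.0.2.11:9200"]\n' > "$d/kibana.yml"
    : > "$d/kibana-key.pem"; chmod 644 "$d/kibana-key.pem"
    printf '  - default:\n     url: https://localhost\n     password: wazuh-wui\n' > "$d/wazuh.yml"
    audit_kibana "$d/kibana.yml" "$d/kibana-key.pem" "$d/wazuh.yml"
    rm -rf "$d"
}
demo
```

On a real host the three arguments would be /etc/kibana/kibana.yml, /etc/kibana/certs/kibana-key.pem and /usr/share/kibana/data/wazuh/config/wazuh.yml.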

To uninstall Kibana, visit the uninstalling section.

Next steps

Once the Wazuh environment is ready, a Wazuh agent can be installed on every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found here.