Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.
Root user privileges are required to run all the commands described below.
Adding the Wazuh repository¶
This step is required only if Kibana will be installed on a separate host where Elasticsearch was installed.
Kibana installation and configuration¶
Install the Kibana package:
Download the Kibana configuration file:
# curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.1/open-distro/kibana/7.x/kibana.yml
server.host: <kibana_ip> elasticsearch.hosts: "https://<elasticsearch_ip>:9200"
Values to be replaced:
<kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can be only accessed from the same host. To access Kibana from the outside it may be configured to listen on its network IP by replacing
kibana_ipwith Kibana’s host IP. The value
0.0.0.0will accept all the available IPs of the host.
<elasticsearch_ip>: the host’s IP. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The IPs of the nodes can be separated with commas. Eg.
# mkdir /usr/share/kibana/data # chown -R kibana:kibana /usr/share/kibana/data
Install the Wazuh Kibana plugin:
The installation of the plugin must be done from the Kibana home directory:
# cd /usr/share/kibana # sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.2-1.zip
kibana-node-namewith your Kibana node name, the same used in
instances.ymlto create the certificates, and move the certificates to their corresponding location. This guide assumes that a copy of
certs.tar, created during the Elasticsearch installation, has been placed in the root home folder (
# mkdir /etc/kibana/certs # mv ~/certs.tar /etc/kibana/certs/ # chown kibana:kibana /etc/kibana/certs/* # cd /etc/kibana/certs/ # tar -xf certs.tar $node_name.pem $node_name-key.pem root-ca.pem # mv /etc/kibana/certs/$node_name.pem /etc/kibana/certs/kibana.pem # mv /etc/kibana/certs/$node_name-key.pem /etc/kibana/certs/kibana-key.pem # rm -f certs.tar
Link Kibana’s socket to privileged port 443:
# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Enable and start the Kibana service:
Access the web interface:
URL: https://<kibana_ip> user: admin password: admin
Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the
root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
It is highly recommended to change Elasticsearch’s default passwords for the users found at the
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. More information about this process can be found here.
With the first access attempt, the Wazuh Kibana plugin may prompt a message that indicates that it cannot communicate with the Wazuh API. To solve this issue edit the file
/usr/share/kibana/data/wazuh/config/wazuh.yml and replace the
url by the Wazuh server’s address:
hosts: - default: url: https://localhost port: 55000 username: wazuh-wui password: wazuh-wui run_as: false
Once Kibana is running it is necessary to assign each user its corresponding role. To learn more visit the Setting up the Wazuh Kibana plugin section.
To uninstall Kibana, visit the uninstalling section.
Once the Wazuh environment is ready, a Wazuh agent can be installed on every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found here.