Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch.

Note

Root user privileges are required to run all the commands described below.

Prerequisites

Before installing Kibana, some extra packages must be installed:

Install all the required utilities:

# yum install curl libcap

Install all the required utilities:

# apt install curl apt-transport-https libcap2-bin

Install all the required utilities:

# zypper install curl
# zypper install libcap-progs $debug || zypper install libcap2

Adding the Wazuh repository

This step is required only if Kibana will be installed on a separate host where Elasticsearch was installed.

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
  2. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Kibana installation and configuration

  1. Install the Kibana package:

    # yum install opendistroforelasticsearch-kibana
    
    # apt-get install opendistroforelasticsearch-kibana
    
    # zypper install opendistroforelasticsearch-kibana
    
  2. Download the Kibana configuration file:

    # curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana.yml
    

    Edit the /etc/kibana/kibana.yml file:

    server.host: <kibana_ip>
    elasticsearch.hosts: "https://<elasticsearch_ip>:9200"
    

    Values to be replaced:

    • <kibana_ip>: by default, Kibana only listens on the loopback interface (localhost), which means that it can be only accessed from the same host. To access Kibana from the outside it may be configured to listen on its network IP by replacing kibana_ip with Kibana’s host IP. The value 0.0.0.0 will accept all the available IPs of the host.

    • <elasticsearch_ip>: the host’s IP. In case of having more than one Elasticsearch node, Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. The IPs of the nodes can be separated with commas. Eg. ["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]

  3. Create the /usr/share/kibana/data directory:

    # mkdir /usr/share/kibana/data
    # chown -R kibana:kibana /usr/share/kibana/data
    
  4. Install the Wazuh Kibana plugin:

    The installation of the plugin must be done from the Kibana home directory:

    # cd /usr/share/kibana
    # sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.0-1.zip
    
  5. The next step involves the certificates placement. This guide assumes that a copy of certs.tar is placed in the root home folder (~/):

    # mkdir /etc/kibana/certs
    # mv ~/certs.tar /etc/kibana/certs/
    # cd /etc/kibana/certs/
    # tar -xf certs.tar kibana_http.pem kibana_http.key root-ca.pem
    # mv /etc/kibana/certs/kibana_http.key /etc/kibana/certs/kibana.key
    # mv /etc/kibana/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
    # rm -f certs.tar
    
  6. Link Kibana’s socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  7. Enable and start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    

    Choose one option according to the operating system used:

    1. RPM based operating system:

    # chkconfig --add kibana
    # service kibana start
    
    1. Debian based operating system:

    # update-rc.d kibana defaults 95 10
    # service kibana start
    
  8. Access the web interface:

URL: https://<kibana_ip>
user: admin
password: admin

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

It is highly recommended to change Elasticsearch’s default passwords for the users found at the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. More information about this process can be found here.

With the first access attempt, the Wazuh Kibana plugin may prompt a message that indicates that it cannot communicate with the Wazuh API. To solve this issue edit the file /usr/share/kibana/data/wazuh/config/wazuh.yml and replace the url by the Wazuh server’s address:

hosts:
  - default:
     url: https://localhost
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

Once Kibana is running it is necessary to assign each user its corresponding role. To learn more visit the Setting up the Wazuh Kibana plugin section.

To uninstall Kibana, visit the uninstalling section.

Next steps

Once the Wazuh environment is ready, a Wazuh agent can be installed in every endpoint to be monitored. The Wazuh agent installation guide is available for most operating systems and can be found here.