Migrating to the Wazuh dashboard

Follow this guide to migrate from Open Distro for Elasticsearch Kibana 1.13 to the Wazuh dashboard. These instructions are intended for a standard Wazuh installation; you may need to make some changes to adapt them to your environment.

To guarantee the correct operation of Wazuh, make sure to also migrate from Open Distro for Elasticsearch to the Wazuh indexer. To learn more, see the Migrating to the Wazuh indexer documentation.

Note

You need root user privileges to run all the commands described below.

  1. Stop the Kibana service.

    # systemctl stop kibana
    
  2. Add the Wazuh repository. You can skip this step if the repository is already present and enabled on your server.

    1. Import the GPG key.

      # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
      
    2. Add the repository.

      # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
      
  3. Install the Wazuh dashboard package.

    # yum -y install wazuh-dashboard
    

    Note

    Make sure that your Wazuh manager is updated to the latest version. To learn more, see Upgrading the Wazuh server.

  4. Create the /etc/wazuh-dashboard/certs directory, copy your old certificates to the new location and change ownership and permissions.

    # mkdir /etc/wazuh-dashboard/certs
    # cp /etc/kibana/certs/kibana.pem /etc/wazuh-dashboard/certs/dashboard.pem
    # cp /etc/kibana/certs/kibana-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
    # cp /etc/kibana/certs/root-ca.pem /etc/wazuh-dashboard/certs/root-ca.pem
    # chmod 500 /etc/wazuh-dashboard/certs
    # chmod 400 /etc/wazuh-dashboard/certs/*
    # chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
    
  5. Port your settings from /etc/kibana/kibana.yml to the /etc/wazuh-dashboard/opensearch_dashboards.yml file. You can omit the opensearch.username and the opensearch.password settings as they are now stored in the Wazuh dashboard keystore.

    server.host: 0.0.0.0
    server.port: 443
    opensearch.hosts: https://localhost:9200
    opensearch.ssl.verificationMode: certificate
    #opensearch.username:
    #opensearch.password:
    opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
    opensearch_security.multitenancy.enabled: false
    opensearch_security.readonly_mode.roles: ["kibana_read_only"]
    server.ssl.enabled: true
    server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
    server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
    opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
    uiSettings.overrides.defaultRoute: /app/wazuh
    
  6. Add the password of the kibanaserver user to the Wazuh dashboard keystore. Execute the command below and follow the instructions. You may find your old password in the /etc/kibana/kibana.yml configuration file.

    # /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.password
    

    Optional action - To change the default user, run the following command. You will need to change the password accordingly.

    # /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.username
    
  7. Enable and start the Wazuh dashboard service.

    # systemctl daemon-reload
    # systemctl enable wazuh-dashboard
    # systemctl start wazuh-dashboard
    
  8. Port your settings from /usr/share/kibana/data/wazuh/config/wazuh.yml to /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml. It is recommended to copy the content from /usr/share/kibana/data/wazuh/downloads/ as well.

  9. Access the Wazuh web interface at https://<dashboard_ip> with your credentials and make sure that everything is working as expected.

  10. Uninstall Kibana.

    # yum remove opendistroforelasticsearch-kibana
    

    Some files are marked as configuration and data files. Because of this designation, the package manager does not remove them from the filesystem. Removing them completely is the user's responsibility; to do so, remove the /var/lib/kibana and /etc/kibana folders.
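
A post-migration check for steps 4 to 6, added here as an example and not part of the Wazuh documentation: it verifies the mode and owner of the copied certificates and flags credentials or old /etc/kibana/ paths left active in opensearch_dashboards.yml. The function and helper names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the Wazuh documentation): audit steps 4-6.
# Assumes GNU stat, as shipped on the yum-based systems this guide targets.

findings=0
report() { echo "FINDING: $1"; findings=$((findings + 1)); }

# check_path PATH MODE OWNER: compare octal mode and owner name with stat.
check_path() {
    actual=$(stat -c '%a %U' "$1" 2>/dev/null) || { report "$1 is missing"; return 0; }
    [ "$actual" = "$2 $3" ] || report "$1 is '$actual', expected '$2 $3'"
}

# check_dashboard_migration [CERT_DIR] [CONFIG] [OWNER]
# Defaults are the paths and service account used on this page.
# Returns the number of findings (0 means the checks passed).
check_dashboard_migration() {
    cert_dir=${1:-/etc/wazuh-dashboard/certs}
    config=${2:-/etc/wazuh-dashboard/opensearch_dashboards.yml}
    owner=${3:-wazuh-dashboard}
    findings=0

    # Step 4: directory 500, certificate and key files 400, service owner.
    check_path "$cert_dir" 500 "$owner"
    for f in dashboard.pem dashboard-key.pem root-ca.pem; do
        check_path "$cert_dir/$f" 400 "$owner"
    done

    if [ ! -r "$config" ]; then
        report "$config is missing or unreadable"
    else
        # Steps 5-6: credentials belong in the keystore, not in the YAML.
        if grep -Eq '^[[:space:]]*opensearch\.(username|password)[[:space:]]*:' "$config"; then
            report "$config sets opensearch.username or opensearch.password"
        fi
        # Step 5: no active setting should still point at the old Kibana tree.
        if grep -Eq '^[^#]*/etc/kibana/' "$config"; then
            report "$config still references /etc/kibana/"
        fi
    fi
    return "$findings"
}
```

Source the file as root after step 6 and call check_dashboard_migration with no arguments; the exit status is the number of findings, so 0 means every check passed.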