    • notverypunny

      Wazuh Windows Folder Access Monitoring

      IT Discussion wazuh
      1 Votes
      1 Posts
      550 Views
      No one has replied
    • scottalanmiller

      Wazuh with Agents with Overlapping IP Addresses

      IT Discussion wazuh wazuh agent
      1 Votes
      7 Posts
      982 Views
      scottalanmiller

      https://groups.google.com/forum/#!topic/wazuh/qTwOj_MQHNU

    • DustinB3403

      Wazuh Agent Dashboard

      Unsolved IT Discussion wazuh dashboard
      0 Votes
      1 Posts
      446 Views
      No one has replied
    • DustinB3403

      Kibana Wazuh Agent isn't showing anything in integrity

      IT Discussion wazuh wazuh-manager windows syscheck
      0 Votes
      32 Posts
      3k Views
      DustinB3403

      @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

      @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

      Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.

      Error code: SSL_ERROR_RX_RECORD_TOO_LONG

      server {
          listen 80;
          listen [::]:80;
          listen 5601;
          listen [::]:5601;
          return 301 https://$host$request_uri;
      }

      server {
          listen 443 ssl;
          listen [::]:443;
          ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
          ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
          access_log /var/log/nginx/nginx.access.log;
          error_log /var/log/nginx/nginx.error.log;

          location / {
              auth_basic "Restricted";
              auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
              proxy_pass http://localhost:5601/;
          }
      }

      Why are you listening on 5601?

      proxy_pass http://localhost:5601/; will redirect 5601 to 443

      That is no longer in the file, I was testing with it. The below is current.

      server {
          listen 80;
          listen [::]:80;
          return 301 https://$host$request_uri;
      }

      server {
          listen 443 ssl;
          listen [::]:443;
          ssl on;
          ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
          ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
          access_log /var/log/nginx/nginx.access.log;
          error_log /var/log/nginx/nginx.error.log;

          location / {
              auth_basic "Restricted";
              auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
              proxy_pass http://localhost:5601/;
    • DustinB3403

      Kibana Wazuh - No login page option

      IT Discussion wazuh wazuh-manger httpd
      0 Votes
      14 Posts
      1k Views
      DustinB3403

      This is how you change the password.

    • DustinB3403

      SCA grub2-setpassword not registering as passing

      Unsolved IT Discussion wazuh centos 7 sca
      0 Votes
      3 Posts
      461 Views
      DustinB3403

      While I would generally agree with that, it feels as if I'm just missing 1 step to this process.

    • DustinB3403

      Wazuh - operational and can add agents - now what

      Solved IT Discussion wazuh windows log management alerts
      1 Votes
      23 Posts
      3k Views
      IRJ

      @DustinB3403 said in Wazuh - operational and can add agents - now what:

      @IRJ said in Wazuh - operational and can add agents - now what:

      So you already filtered it. Just click discover on top right

      Doh that is so easy that I didn't even think that was it.

      @DustinB3403


    • IRJ

      Monitoring services on wazuh

      IT Discussion wazuh automation services linux
      2 Votes
      1 Posts
      764 Views
      No one has replied
    • IRJ

      Testing Suricata with Wazuh in a VM test environment - Installation

      IT Discussion suricata wazuh wazuh-manager nids hids elk
      3 Votes
      1 Posts
      3k Views
      No one has replied
    • IRJ

      Wazuh - Configuring Custom Rules Based on Hostname

      IT Discussion wazuh siem
      3 Votes
      2 Posts
      1k Views
      IRJ

      It sucks that you can't create rules by group yet. The devs have submitted a feature request for it on my behalf so hopefully soon 🙂

    • IRJ

      Wazuh - Configuring Groups for Centralized Management

      IT Discussion wazuh
      3 Votes
      1 Posts
      681 Views
      No one has replied
    • IRJ

      Wazuh Manager Install - Ubuntu

      IT Discussion wazuh ubuntu linux wazuh-manager
      3 Votes
      3 Posts
      2k Views
      IRJ

      @wirestyle22 said in Wazuh Manager Install - Ubuntu:

      A few things:

      The manager label is wrong. It says manger instead of manager.

      @IRJ said in Wazuh Manager Install - Ubuntu:

      Install Filebeat

      There are two entries for "Install Filebeat"

      I tried to install Filebeat going command by command and it can't find it.

      Thanks I fixed the guide.

      What you need to do is this:

      #***********************************************************
      #Install GPG keys and add repository
      #***********************************************************
      curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
      echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-6.x.list

      #***********************************************************
      # APT Update
      #***********************************************************
      sudo apt update

      #***********************************************************
      #Install Filebeat
      #***********************************************************
      sudo apt install -y filebeat=6.7.1

      #***********************************************************
      #Download Filebeat config file to forward logs
      #***********************************************************
      sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml

      #***********************************************************
      #Edit Filebeat config file to point to Elastic Server IP (In this lab environment I am using 127.0.0.1)
      #***********************************************************
      sudo sed -i 's/YOUR_ELASTIC_SERVER_IP/192.168.122.181/' /etc/filebeat/filebeat.yml

      #***********************************************************
      #Start Filebeat service and configure it to automatically start at boot
      #***********************************************************
      sudo systemctl daemon-reload
      sudo systemctl enable filebeat.service
      sudo systemctl start filebeat.service

      Make sure to replace 192.168.122.181 with your IP, or localhost if you are using a single server for Wazuh and ELK.

    • IRJ

      Wazuh Agent Install - CentOS

      IT Discussion wazuh centos linux
      4 Votes
      4 Posts
      1k Views
      travisdh1

      @JaredBusch said in Wazuh Agent Install - CentOS:

      Why are you disabling agent updates?

      Wazuh doesn't understand how to maintain their own repository, so when OSSIM updates their stuff, it breaks Wazuh. It's silly, easily fixable, and I don't have the time to maintain the thing myself.

    • IRJ

      Wazuh Agent Install - Ubuntu

      IT Discussion wazuh linux ubuntu
      2 Votes
      1 Posts
      1k Views
      No one has replied
    • IRJ

      HIDS for Docker Host

      IT Discussion wazuh docker hids intrustion dectection
      1 Votes
      1 Posts
      452 Views
      No one has replied
    • wrx7m

      Installing Java/JRE on Fedora 29 - Error Conflicting Requests

      IT Discussion fedora29 java 8 jre rpm wazuh
      2 Votes
      23 Posts
      5k Views
      wrx7m

      @JaredBusch said in Installing Java/JRE on Fedora 29 - Error Conflicting Requests:

      @wrx7m said in Installing Java/JRE on Fedora 29 - Error Conflicting Requests:

      @JaredBusch said in Installing Java/JRE on Fedora 29 - Error Conflicting Requests:

      @wrx7m said in Installing Java/JRE on Fedora 29 - Error Conflicting Requests:

      @JaredBusch said in Installing Java/JRE on Fedora 29 - Error Conflicting Requests:

      @scottalanmiller said in Installing Java/JRE on Fedora 29 - Error Conflicting Requests:

      @wrx7m said in Installing Java/JRE on Fedora 29 - Error Conflicting Requests:

      OK. I found I could run

      yum install java-1.8.0-openjdk

      to install version 8. After that, I was able to install logstash successfully.

      Is there a reason that you want an old version?

      Also wtf are you using yum for?

      It's wazuh's documentation. They have specific repos for other things too. Not sure why they are still using yum instead of dnf.

      Pull your head out of your ass and don't blindly type what any guide says. Even one of mine.

      If you are using Fedora, you use dnf period. Yes, currently Fedora still has a reroute/alias for it to dnf, but you should not assume it will be there.


      #chilloutbro You can leave off the first part of that sentence and still provide a constructive answer.

      You need to think, and you, clearly, are not. So yeah, perfectly fitting.

      So if I didn't know, it has nothing to do with not thinking. I just didn't know. Now I do.

    • wrx7m

      Wazuh - Agents.Error. globalAgent is null

      Solved IT Discussion wazuh fedora 28
      2 Votes
      5 Posts
      754 Views
      wrx7m

      @IRJ said in Wazuh - Agents.Error. globalAgent is null:

      @wrx7m said in Wazuh - Agents.Error. globalAgent is null:

      I didn't get the error when looking at the list of agents today. Looks like the update or reboot of the Wazuh server fixed it.

      I know this is a necropost, but it's good to mention that mismatched version of manager and agent will almost always cause issues. It is recommended to comment out the repository until you are ready to update agents and manager at the same time.

      That is interesting. I have been upgrading some of the agents on Linux systems when they are released, and later, upgrading the server side (I comment out/disable the repos for the server side, per their docs).

    • wrx7m

      Wazuh on Fedora 28

      Solved IT Discussion wazuh fedora28
      1 Votes
      10 Posts
      1k Views
      JaredBusch

      @wrx7m said in Wazuh on Fedora 28:

      Thanks @JaredBusch

      That seems to have solved the initial problem. For other newbs - After disabling SELinux, you should reboot.

      Well, that depends on how you disable it.

    • NetworkNerd

      Wazuh and the ELK Stack - Check My Logic, Please

      IT Discussion centos kibana wazuh centos 7 elk
      0 Votes
      3 Posts
      1k Views
      NetworkNerd

      After asking the Wazuh employee I had been speaking to about Kibana 5.6.3, the GitHub repo was updated to include it.
