Kibana Wazuh Agent isn't showing anything in integrity
-
-
FIM logs are transmitted over 1514 UDP just like other logs. So if you are getting other logs, this is not a network or Wazuh agent issue.
-
Forget Kibana for now... Are these events showing up in /var/ossec/logs/ossec.log?
-
-
@IRJ I saw things in there, yes.
'/var/ossec/logs/ossec.log'
-
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
9200 is Elasticsearch, not Kibana. What happens when you restart Elasticsearch? Does it throw any errors?
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also, if you are truly using SSL then you won't be able to send an unauthenticated query.
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
9200 is Elasticsearch, not Kibana. What happens when you restart Elasticsearch? Does it throw any errors?
Give me a moment.
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also, if you are truly using SSL then you won't be able to send an unauthenticated query.
Well, we just want to prevent any Tom, Dick, or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret sauce.
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also, if you are truly using SSL then you won't be able to send an unauthenticated query.
Well, we just want to prevent any Tom, Dick, or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret sauce.
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also, if you are truly using SSL then you won't be able to send an unauthenticated query.
Well, we just want to prevent any Tom, Dick, or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret sauce.
I am not saying it's a bad thing at all. It's what you should be doing. I am just telling you that you cannot run an unauthenticated query from the CLI and expect it to return results.
Are you running Wazuh and ELK on the same server? If so, then using SSL on Elastic isn't necessary, but I guess it's not a bad thing either.
If ELK and wazuh are separated then you absolutely need it. You still need SSL for accessing kibana of course.
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also, if you are truly using SSL then you won't be able to send an unauthenticated query.
Well, we just want to prevent any Tom, Dick, or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret sauce.
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also, if you are truly using SSL then you won't be able to send an unauthenticated query.
Well, we just want to prevent any Tom, Dick, or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret sauce.
I am not saying it's a bad thing at all. It's what you should be doing. I am just telling you that you cannot run an unauthenticated query from the CLI and expect it to return results.
Are you running Wazuh and ELK on the same server? If so, then using SSL on Elastic isn't necessary, but I guess it's not a bad thing either.
Same VM
If ELK and wazuh are separated then you absolutely need it.
Same VM
You still need SSL for accessing kibana of course.
All on the LAN, nothing publicly hosted, the desire is to just lock it away from anyone who shouldn't be on it (even though the bulk of those would be our employees)
-
And SSL on an internal-only webpage is a PITA.
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also, if you are truly using SSL then you won't be able to send an unauthenticated query.
Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["warning","searchguard"],"pid":942,"message":"\"Do not fail on forbidden\" is not enabled. Please refer to the documentation: https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-elasticsearch-enable-do-not-fail-on-forbidden"}
Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["status","plugin:elasticsearch@7.4.2","info"],"pid":942,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500 INFO pipeline/output.go:93 Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 6 reconnect attempt(s)
Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500 INFO pipeline/output.go:93 Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 7 reconnect attempt(s)
-
Which is tied in specifically with the Search Guard plugin.
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which is tied in specifically with the Search Guard plugin.
If it's on the same host, then just do an nginx reverse proxy.
-
Also add iptables rules to block all incoming 9200 and 5601 traffic, as you will not need it.
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which is tied in specifically with the Search Guard plugin.
If it's on the same host, then just do an nginx reverse proxy.
(I've never set one up)
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which is tied in specifically with the Search Guard plugin.
If it's on the same host, then just do an nginx reverse proxy.
(I've never set one up)
Install NGINX
apt-get -y install nginx
Generate self-signed cert for Kibana
mkdir -p /etc/ssl/certs /etc/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem
Setup config file for NGINX
cat > /etc/nginx/sites-available/default <<\EOF
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    # the ssl parameter on listen replaces the deprecated "ssl on;" directive
    listen 443 ssl default_server;
    listen [::]:443 ssl;
    ssl_certificate /etc/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/ssl/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
EOF
Enable authentication by password for Kibana
apt-get -y install apache2-utils
Set username and password for Kibana access. Replace <user> with your desired username
htpasswd -c /etc/nginx/conf.d/kibana.htpasswd <user>
Restart NGINX
systemctl restart nginx
-
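Once NGINX is restarted, this added script (not from the thread and not IRJ's) checks the proxy from a second LAN machine: port 80 redirects, 443 asks for the htpasswd credentials, and the 5601 and 9200 ports that the earlier iptables suggestion blocks are no longer reachable directly. It assumes the host is 192.168.1.100 (taken from the Filebeat log above), uses placeholder credentials, and needs curl on the checking machine.

```shell
#!/bin/sh
# Added verification script, not from the thread. Assumed values: the host comes from
# the Filebeat log above; user and password are placeholders for the htpasswd entry.
KIBANA_HOST="${KIBANA_HOST:-192.168.1.100}"
KIBANA_USER="${KIBANA_USER:-kibanauser}"    # placeholder
KIBANA_PASS="${KIBANA_PASS:-changeme}"      # placeholder

# http_code [curl options] URL: print the status curl saw, "000" when nothing answered.
# -k accepts the self-signed cert, -m 5 stops a firewalled port from hanging the run.
http_code() {
  curl -sk -m 5 -o /dev/null -w '%{http_code}' "$@" 2>/dev/null || true
}

# verdict "ACCEPTED CODES" ACTUAL: print PASS/FAIL, return 0 only on a match.
verdict() {
  for code in $1; do
    if [ "$2" = "$code" ]; then
      echo "PASS (got $2)"
      return 0
    fi
  done
  echo "FAIL (expected one of: $1, got '$2')"
  return 1
}

run_checks() {
  rc=0
  printf '%s' '80 redirects to https:      '
  verdict 301 "$(http_code "http://$KIBANA_HOST/")" || rc=1
  printf '%s' '443 without creds asks:     '
  verdict 401 "$(http_code "https://$KIBANA_HOST/")" || rc=1
  printf '%s' '443 with creds reaches app: '
  verdict "200 302" "$(http_code -u "$KIBANA_USER:$KIBANA_PASS" "https://$KIBANA_HOST/")" || rc=1
  # A 200 on either of these means the proxy and its password can be skipped entirely,
  # which is why the thread suggests blocking both ports at the firewall.
  printf '%s' '5601 direct is blocked:     '
  verdict 000 "$(http_code "http://$KIBANA_HOST:5601/")" || rc=1
  printf '%s' '9200 direct is blocked:     '
  verdict 000 "$(http_code "http://$KIBANA_HOST:9200/")" || rc=1
  return $rc
}

# Usage: sh verify_kibana_proxy.sh <host>  (nothing runs unless a host is given)
if [ -n "${1:-}" ]; then
  KIBANA_HOST="$1"
  run_checks
fi
```

Run it from a second machine; from the Wazuh host itself the 5601 and 9200 checks go over loopback, which the firewall rules normally allow, and tell you nothing.
-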
@IRJ Okay, ran all of that.
How do I confirm the reverse proxy is working properly now?
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ Okay, ran all of that.
How do I confirm the reverse proxy is working properly now?
Access Kibana on 443 and it should prompt you for a password.
-
@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?
Not that...