Kibana Wazuh Agent isn't showing anything in integrity

IRJ

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

9200 is elasticsearch not Kibana, What happens when you restart elasticsearch? does it throw any errors?

IRJ

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

Also if you are truly using SSL then you wont be able to send an unauthenticated query

DustinB3403

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

9200 is elasticsearch not Kibana, What happens when you restart elasticsearch? does it throw any errors?

Give me a moment.

DustinB3403

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

Also if you are truly using SSL then you wont be able to send an unauthenticated query

Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

IRJ

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

Also if you are truly using SSL then you wont be able to send an unauthenticated query

Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

Also if you are truly using SSL then you wont be able to send an unauthenticated query

Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

I am not saying its a bad thing at all. It's what you should be doing. I am just telling you that you cannot expect to run unauthenticated query from CLI and expect it to return results.

Are you running wazuh and ELK on the same server? If so then using SSL on elastic isnt necessary, but i guess its not a bad thing either.

If ELK and wazuh are separated then you absolutely need it. You still need SSL for accessing kibana of course.

DustinB3403

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

Also if you are truly using SSL then you wont be able to send an unauthenticated query

Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

Also if you are truly using SSL then you wont be able to send an unauthenticated query

Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

I am not saying its a bad thing at all. It's what you should be doing. I am just telling you that you cannot expect to run unauthenticated query from CLI and expect it to return results.

Are you running wazuh and ELK on the same server? If so then using SSL on elastic isnt necessary, but i guess its not a bad thing either.

Same VM

If ELK and wazuh are separated then you absolutely need it.

Same VM

You still need SSL for accessing kibana of course.

All on the LAN, nothing publicly hosted, the desire is to just lock it away from anyone who shouldn't be on it (even though the bulk of those would be our employees)

DustinB3403

And SSL on an Internal only webpage is a PITA.

DustinB3403

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

Also if you are truly using SSL then you wont be able to send an unauthenticated query

Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["warning","searchguard"],"pid":942,"message":"\"Do not fail on forbidden\" is not enabled. Please refer to the documentation: https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-elasticsearch-enable-do-not-fail-on-forbidden"}
Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["status","plugin:[email protected]","info"],"pid":942,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500        ERROR        pipeline/output.go:100        Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500        INFO        pipeline/output.go:93        Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 6 reconnect attempt(s)
Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500        ERROR        pipeline/output.go:100        Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500        INFO        pipeline/output.go:93        Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 7 reconnect attempt(s)

DustinB3403

Which that is tied in specifically with the Safe Guard plugin

IRJ

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

Which that is tied in specifically with the Safe Guard plugin

If its on the same host, then just do a nginx reverse proxy.

IRJ

Also do iptables rules to block all incoming 9200 and 5601 traffic as you will not need it

DustinB3403

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

Which that is tied in specifically with the Safe Guard plugin

If its on the same host, then just do a nginx reverse proxy.

(I've never set one up)

IRJ

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

Which that is tied in specifically with the Safe Guard plugin

If its on the same host, then just do a nginx reverse proxy.

(I've never set one up)

Install NGINX

apt-get -y install nginx

Generate self-signed cert for Kibana

mkdir -p /etc/ssl/certs /etc/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem

Setup config file for NGINX

cat > /etc/nginx/sites-available/default <<\EOF
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 default_server;
    listen            [::]:443;
    ssl on;
    ssl_certificate /etc/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/ssl/private/kibana-access.key;
    access_log            /var/log/nginx/nginx.access.log;
    error_log            /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
EOF

Enable authentication by password for Kibana

apt-get -y install apache2-utils

Set username and password for Kibana access. Replace <user> with your desired username

htpasswd -c /etc/nginx/conf.d/kibana.htpasswd <user>

Restart NGINX

systemctl restart nginx

DustinB3403

@IRJ Okay, ran all of that.

How do I confirm the reverse proxy is working properly now?

IRJ

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ Okay, ran all of that.

How do I confirm the reverse proxy is working properly now?

access kibana on 443 and it should prompt you for a pw

DustinB3403

@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?

DustinB3403

@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?

Not that. . .

DustinB3403

Nginx just isn't doing it. Being the first time I've set this up doesn't really help either.

DustinB3403

Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

server {
	listen 80;
	listen [::]:80;
	listen 5601;
	listen [::]:5601;
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl;
	listen [::]:443;
	ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
	ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
	access_log            /var/log/nginx/nginx.access.log;
	error_log            /var/log/nginx/nginx.error.log;
	location / {
		auth_basic "Restricted";
		auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
		proxy_pass http://localhost:5601/;
	}
}

DustinB3403

Without the 5601 ports and if I add under server ssl on; the connection just never responds and times out.