Advice needed on the Wazuh Architecture


prachi katakwar

Apr 22, 2022, 5:37:08 AM4/22/22
to Wazuh mailing list
Hi Wazuh Team,

Hope you are all doing great and happy!!

So here we have the Wazuh manager, Elasticsearch, Filebeat and Kibana on one single CentOS 8 VM.
Below are the component versions that we have in Wazuh; we are using Nginx for the SSL authentication for Kibana.
Below are the points where I need your advice:
1. Is it good to enable the xpack security feature in Elasticsearch with our current setup?
2. Since we have installed Wazuh with the basic license setup, how good is it to move with the Open Distro installation process?
3. Should we disable Nginx and use Kibana itself for authentication? Currently using server port 5601 in kibana.yml instead of 443.

Component       Version
Wazuh           4.2
Elasticsearch   7.14.2
Filebeat        7.14.2
Kibana          7.14.2

BR
//Prachi

Alfonso Ruiz-Bravo

Apr 25, 2022, 3:40:10 AM4/25/22
to Wazuh mailing list
Hello Prachi!

We hope you are well too.

You ask very interesting questions, we proceed to answer you.

1. Is it good to enable xpack security feature in elasticsearch with our current setup?

It is very desirable to enable this feature. Note that Wazuh has the ability to report vulnerabilities of your monitored environments. These vulnerabilities can generate alerts that are indexed in your Elasticsearch and will be visible from your WUI. If access to Elasticsearch or your WUI is not well protected, an attacker can access and view vulnerabilities in your monitored environments and exploit them.

If you enable Xpack security you will have more protection layers against these possible malicious accesses.

2. Since we have installed wazuh with basic license setup, how good is it to move with the opendistro installation process?

Open Distro offers a solution quite similar to Elastic Stack but it is an entirely Open Source tool. With Open Distro you will be able to enjoy certain plugins (security among others) that are not available in Elastic Stack and vice versa.

We hope to add in our next release the use of OpenSearch. I think it would be best if you could wait until Wazuh v4.3 is released (coming soon) to make the change.

I attach the OpenSearch documentation for more information: https://opensearch.org/docs/latest/


3. Should we disable Nginx and use Kibana itself for authentication? currently using server port 5601 in kibana.yml instead of 443.

Personally, I believe that it is not necessary to use Nginx for that purpose. If you choose to enable Xpack, one of its advantages is authentication in Elastic Stack. You are probably paying for the additional security that Elastic Stack offers and any problems related to it will be supported by your payment.

If you use Open Distro or OpenSearch, authentication is enabled by default and they also have security indices that can log all types of access to your environment, making the use of Nginx non-vital.


I hope I have been helpful.

Best regards,

Alfonso Ruiz-Bravo

prachi katakwar

Apr 25, 2022, 5:27:15 AM4/25/22
to Alfonso Ruiz-Bravo, Wazuh mailing list
Hello Alfonso,

Thank you so much, you have so beautifully explained each point.
I have the same opinion, will wait for Wazuh 4.3 release, so our points 1 and 3 will automatically be resolved instead of messing all the components with Open Distro at the moment.

Hope OpenSearch will be free of charge, or do we need to pay something for the license to install that in the 4.3 release?
Also, as an end-user, I want to give a small suggestion: please mention how to disable Nginx in the future documentation, in the upgrade part of the 4.2 to 4.3 release. It would be useful for us :)

And really the Wazuh documentation is great as I completely follow it while doing anything on my Wazuh server, at least we get an idea of how to resolve the problem.

Thank you, Alfonso.

BR
//Prachi




Alfonso Ruiz-Bravo

Apr 25, 2022, 5:54:48 AM4/25/22
to prachi katakwar, Wazuh mailing list
Hello Prachi!!

Thank you for your kind words.

We hope to be able to offer our Wazuh-Indexer package in Wazuh version v4.3, based on OpenSearch and totally free of charge.

I take note of your suggestion regarding Nginx and will open an issue in the Wazuh documentation repository as soon as I can.

Best regards,


Alfonso Ruiz-Bravo
Cloud computing engineer
Wazuh - The Open Source Security Platform

prachi katakwar

Apr 25, 2022, 9:19:22 AM4/25/22
to Alfonso Ruiz-Bravo, Wazuh mailing list
Thank you Alfonso:)

Have a nice day!!

BR
//Prachi

