wkhtmltopdf with SO form login to do Kibana dashboard PDF report generation?


Ulrich Lang

Dec 22, 2017, 11:15:31 AM
to security-onion
Hi!

Security Onion is a great project, thank you! I am experimenting with the ELK build right now. X-Pack includes reporting for Kibana but is not free/open source.

My goal: I like to send myself periodic flashy PDFs of dashboards ;)

In a previous build, I used a simple cron job script that used wkhtmltopdf and ssmtp to log into an ELSA dashboard, generate a PDF and email it out. This worked because the login in that older build (apparently) used basic authentication. wkhtmltopdf can automatically log into such pages.

The SO ELK build uses Apache form authentication. Looks nice, but now wkhtmltopdf somehow isn't able to log in anymore. I looked at the HTTP traffic and there are some redirects happening etc.

What I tried was to use wkhtmltopdf to POST the parameters httpd_username and http_password to https://localhost/dologin.html. I also used "--cookie-jar" to get the session cookie into a file. I can see the cookie in the cookie jar file after that, so that part appears to work.

The theory is that I should then be able to use wkhtmltopdf with the cookie jar parameter and same file after that to access the dashboard within the same session (from the cookie), e.g. https://localhost/app/kibana.

But it's not working, all I get is a PDF of the login page. It seems that there are quite a few redirects under the hood when mod_auth_forms happens, and maybe these don't quite translate to wkhtmltopdf.

So...long story cut short, the way SO does single sign-on prevents this sort of dashboard PDF ... or I screwed up something with wkhtmltopdf.

Did anyone get this to work?

Best
Ulrich
ObjectSecurity
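
An added example (not part of the post above and not Security Onion code) of the login-then-render flow the post describes, done with curl first so that a session that does not authenticate is caught before a PDF of the login form is produced. The cookie name `session`, the `SO_USER` and `SO_PASS_FILE` variables and the function names are assumptions; the login URL and the `httpd_username` field come from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: curl is installed; the session
# cookie is called "session" (whatever SessionCookieName sets in your Apache
# config); SO_USER and SO_PASS_FILE (password, no trailing newline) are set.
BASE="https://localhost"
COOKIE_NAME="session"

# Print the value of cookie $1 from curl's Netscape-format jar $2.
# curl writes HttpOnly cookies with a "#HttpOnly_" prefix on the domain
# field, so that prefix is stripped before comment lines are skipped.
jar_cookie() {
  awk -F'\t' -v name="$1" '
    { sub(/^#HttpOnly_/, "") }
    /^#/ || NF != 7 { next }
    $6 == name { print $7; found = 1; exit }
    END { exit !found }' "$2"
}

# Succeed if the HTML on stdin still contains the login form field.
is_login_page() {
  grep -Eq "name=[\"']?httpd_username"
}

# $1 = path such as /app/kibana, $2 = output PDF.
render_report() {
  jar=$(mktemp) || return 1
  # mod_auth_form's default field names are httpd_username / httpd_password.
  # name@file keeps the password out of the process list.
  curl -s -o /dev/null -c "$jar" \
    --data-urlencode "httpd_username=$SO_USER" \
    --data-urlencode "httpd_password@$SO_PASS_FILE" \
    "$BASE/dologin.html"
  # Replay the jar and refuse to render if we are bounced to the form.
  if curl -s -L -b "$jar" "$BASE$1" | is_login_page; then
    echo "login failed: $1 still returns the login form" >&2
    rm -f "$jar"; return 2
  fi
  value=$(jar_cookie "$COOKIE_NAME" "$jar"); rc=$?
  rm -f "$jar"
  [ "$rc" -eq 0 ] || { echo "no $COOKIE_NAME cookie in jar" >&2; return 3; }
  wkhtmltopdf --javascript-delay 10000 \
    --cookie "$COOKIE_NAME" "$value" "$BASE$1" "$2"
}
```

With a self-signed certificate on the box, give curl the issuing CA via `--cacert`; a return code of 2 means the problem is the login step, not the rendering.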

Wes

Dec 22, 2017, 12:19:43 PM
to security-onion

Does it need to be a PDF? X-Pack now provides CSV reporting in its free version of XPack. Otherwise, I can't really offer much advice, as we don't support any other types of integrations at this time.

Thanks,
Wes

Ulrich Lang

Dec 22, 2017, 12:26:56 PM
to security-onion
Hi Wes

Thanks. I'll look into it. To be honest I was also a bit confused how to install X-pack across the various docker containers in SO. I installed it in the containers and as a result broke everything ;) so I'm not quite sure I want to go down that route 'just' for a CSV ;)

Best
Ulrich

Doug Burks

Dec 22, 2017, 1:05:22 PM
to securit...@googlegroups.com
Here's another option to consider. If you run wkhtmltopdf on the
Security Onion box itself, you are effectively inside the firewall and
you should be able to connect directly to Kibana on port 5601. So
have you tried setting wkhtmltopdf to http://localhost:5601? Please
note that this works today but we can't guarantee that it will work
long-term as we continue to tweak Docker networks and settings.


--
Doug Burks

Ulrich Lang

Dec 22, 2017, 1:29:50 PM
to security-onion
Hi Doug

Thanks, I will try that out when I'm back in front of the box. Will keep you posted.

Maybe https://github.com/sirensolutions/sentinl is a viable alternative too?

Best
Ulrich


Audrius J

Dec 23, 2017, 4:17:43 AM
to security-onion
The one big problem with such projects is that the community helps to catch bugs and later they just make it a commercial plugin with new versions.
Siren is no exception. Previously you could use their siren-join plugin and now they transformed it to vanguard and changed policy, so you can just play, but not deploy in production...
Of course I may be wrong...

Audrius

Ulrich Lang

Dec 26, 2017, 1:33:43 PM
to security-onion
I'll play with it and report back...will take a little though due to other urgent tasks

Ulrich Lang

Jan 3, 2018, 1:05:20 AM
to security-onion
ok so this doesn't seem to work. Looks like wkhtmltopdf doesn't render the actual widgets, so even after delaying the printing it just shows the left-side menu and a black background. Well, it was worth a try...