Re: [security-onion] Integrating Wazuh interface in so-kibana


Wes Lambert
Feb 21, 2019, 9:28:21 AM
to securit...@googlegroups.com
Hi Lucian,

We don't currently support the Wazuh app, as it relies on the Wazuh API, which we do not currently have integrated with Security Onion.

Thanks,
Wes

On Thu, Feb 21, 2019 at 6:10 AM Lucian Ioan Nitescu <nites...@gmail.com> wrote:
Is there a way to enable/integrate the Wazuh interface (as seen in the attached file) with current docker image of so-kibana?

Following the wazuh documentation (https://github.com/wazuh/wazuh-kibana-app) I tried to perform the following actions:

```
6c08bd96a6b8        securityonionsolutions/so-kibana          "/bin/sh -c /usr/loc…"   20 hours ago        Up 20 hours         127.0.0.1:5601->5601/tcp                                                           so-kibana
```

```
docker exec -it 6c08bd96a6b8 bash
```

```
bash-4.2$ NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.7.2_6.5.4.zip
Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp-3.7.2_6.5.4.zip
Transferring 17762644 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
```

But the process just hangs for hours with no luck of ever installing. Am I doing something wrong?

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


Kevin Branch
Feb 21, 2019, 10:04:54 AM
to securit...@googlegroups.com
Hi Lucian,

I have not heard of anyone having achieved this yet, though I am certainly looking forward to it. There are several issues to overcome.

1. Persistent Wazuh Kibana App plugin installation.

   To correctly add a plugin to Kibana under Security Onion, you need to make the directory and run the sed command mentioned in https://github.com/Security-Onion-Solutions/security-onion/wiki/Kibana#plugins

   ```
   sudo mkdir -p /nsm/kibana/plugins
   sudo sed -i 's|KIBANA_OPTIONS=""|KIBANA_OPTIONS="--volume /nsm/kibana/plugins:/usr/share/kibana/plugins:ro"|g' /etc/nsm/securityonion.conf
   ```

   but do not just download the plugin into that directory, as this particular app must be installed via the Kibana plugin installer. Instead use the method you described to get a shell into the Kibana container and run the installer as described in the Wazuh documentation.

   Expect the optimizing step to easily take 5 minutes or so. However, if after perhaps 10 minutes it still isn't done, check /var/log/kibana/kibana.log. If you see a line like "Optimization of bundles for ... wazuh ... complete in NNN seconds" then the install was actually successful but got harmlessly stuck at the end. In that case you can safely interrupt the process in your Docker shell.

   The last step here is to restart Kibana with "so-kibana-restart".

2. Installation of the Wazuh API

   If you installed the app you should see a Wazuh icon on the left side of the Kibana page now, but when you click on it you will not be able to use anything until you have connected it to the Wazuh API (see Wazuh documentation), which is not installed yet. That is because the Wazuh Kibana app not only digs through the Elasticsearch indices but also through data only available via the Wazuh API, such as agent connection status and many other things specific to Wazuh.

   The Wazuh API is not yet being packaged for Security Onion. Do NOT install the wazuh-api via APT repo or deb package or you will break things. That is because installing the wazuh-api deb will also install the dependency wazuh-manager, which is the standard Wazuh installation package that is already installed under a legacy name, ossec-hids-server, in Security Onion. You don't want to overwrite Security Onion's ossec-hids-server package with the wazuh-manager package. To avoid that you can install the Wazuh API from source as explained in the Wazuh documentation.

3. Installing the Wazuh template

   Per Wazuh documentation you have to install the Wazuh templates with the command below from the SO command line. Note the Wazuh version embedded in this command will need to change from "3.7.2" to "3.8" when Security Onion releases the 3.8.2 package.

   ```
   curl https://raw.githubusercontent.com/wazuh/wazuh/3.7.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
   ```

4. Logstash configuration

   The Wazuh Kibana app can only be pointed at an index pattern which is subject to the Wazuh template (by default wazuh-alerts-3.x-*) so that field mappings and types are all compatible with the app. The Security Onion dashboards use *:logstash-* and are aligned with the Security Onion template and Security Onion Logstash parsing and transformations, which are quite different from what the Wazuh Kibana app expects. What I presently have in mind is to add a little custom configuration to Security Onion's Logstash that takes all JSON logs arriving from Wazuh agents and reroutes them to only go through a simple Wazuh Logstash pipeline (example: https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/logstash/01-wazuh-local.conf). This would basically result in Wazuh agent logs being expressed through Wazuh Kibana app dashboards, and everything else like Suricata, Snort, and Bro logs being expressed through the Security Onion dashboard set. I have not tried this yet as my Wazuh installations involving connected agents are all on completely separate platforms from Security Onion.

Kevin Branch
Wazuh Trainer
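
As an added example, not part of this thread and not Security Onion's or Wazuh's own tooling, the POSIX shell script below automates two of the checks from step 1 of the post above: it applies the KIBANA_OPTIONS edit to a securityonion.conf idempotently (the sed in the post only matches an empty value, and a second run must not duplicate the volume), and it tells a plugin install that finished but hung from one that is still optimizing by looking for the "Optimization of bundles for ... complete in NNN seconds" line in the Kibana log. The function names, the sample conf file, and the JSON-shaped log lines are all assumptions constructed for the example; the only thing taken from the post is the KIBANA_OPTIONS volume string and the wording of the completion message.

```shell
#!/bin/sh
# Added example (not from the thread, Security Onion, or Wazuh). Runs offline
# against constructed inputs; point the functions at the real files to use it:
#   add_kibana_plugins_volume /etc/nsm/securityonion.conf
#   optimization_complete /var/log/kibana/kibana.log

# Volume string from the post's sed command.
PLUGINS_VOLUME='--volume /nsm/kibana/plugins:/usr/share/kibana/plugins:ro'

# Add the plugins volume to KIBANA_OPTIONS in the given conf file.
# Skips the edit if the volume is already present, so re-running is harmless.
add_kibana_plugins_volume() {
    conf="$1"
    if grep -qF -- "$PLUGINS_VOLUME" "$conf"; then
        return 0            # already configured; nothing to do
    fi
    sed "s|KIBANA_OPTIONS=\"\"|KIBANA_OPTIONS=\"$PLUGINS_VOLUME\"|g" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Print the current KIBANA_OPTIONS value (without the surrounding quotes).
kibana_options() {
    sed -n 's/^KIBANA_OPTIONS="\(.*\)"$/\1/p' "$1"
}

# Exit 0 if the log records the Wazuh bundle optimization finishing, i.e. the
# installer can be interrupted safely; non-zero if it is still running.
# The log lines are assumed to be Kibana 6 JSON lines carrying the message text.
optimization_complete() {
    grep -q 'Optimization of bundles for .*wazuh.* complete in [0-9.]* seconds' "$1"
}

# --- constructed sample inputs (hypothetical, not real Security Onion files) ---
demo_dir=$(mktemp -d)
printf 'KIBANA_OPTIONS=""\nELASTICSEARCH_HEAP="2g"\n' > "$demo_dir/securityonion.conf"

# A log where the optimize step finished...
printf '%s\n' \
  '{"type":"log","@timestamp":"2019-02-21T14:10:05Z","tags":["info","optimize"],"pid":1,"message":"Optimizing and caching browser bundles for wazuh. This may take a few minutes"}' \
  '{"type":"log","@timestamp":"2019-02-21T14:15:17Z","tags":["info","optimize"],"pid":1,"message":"Optimization of bundles for wazuh complete in 312.44 seconds"}' \
  > "$demo_dir/kibana-finished.log"

# ...and one where it is still in progress.
printf '%s\n' \
  '{"type":"log","@timestamp":"2019-02-21T14:10:05Z","tags":["info","optimize"],"pid":1,"message":"Optimizing and caching browser bundles for wazuh. This may take a few minutes"}' \
  > "$demo_dir/kibana-stuck.log"

add_kibana_plugins_volume "$demo_dir/securityonion.conf"
add_kibana_plugins_volume "$demo_dir/securityonion.conf"   # second run is a no-op
echo "KIBANA_OPTIONS is now: $(kibana_options "$demo_dir/securityonion.conf")"

optimization_complete "$demo_dir/kibana-finished.log" \
    && echo "finished log: optimization done, safe to interrupt the installer and run so-kibana-restart"
optimization_complete "$demo_dir/kibana-stuck.log" \
    || echo "stuck log: no completion line yet, keep waiting"
```

The conf edit writes through a temporary file rather than `sed -i` so the same function works on both GNU and BSD sed; the grep-before-edit guard is what makes it safe to include in a script that may run more than once.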

Tom
May 8, 2019, 7:56:55 PM
to security-onion

If anyone successfully does this, I'm interested in the solution! I was thinking of standing up a separate Wazuh instance, but if i can do it in SO, it's better!

Tom