Wazuh/Kibana webpage - setup login page


Brandon Payne

Feb 5, 2020, 12:29:55 PM
to Wazuh mailing list
New to Wazuh here and need a little help. I have set up the Wazuh server using the pre-built OVA option. All is well with initial setup and can get to the Kibana webpage dashboard.

My first thought is, there is no username or password to get in? That being said I browsed the documentation and forums and found a few questions similar. My first question is how do I secure the website so that my team can each have their own login or even at least one login? Do you support login integration with AD or LDAPS?

After browsing the forums - I did find the X-Pack documentation (https://documentation.wazuh.com/3.10/installation-guide/installing-elastic-stack/protect-installation/xpack.html). Is this the answer to my question? Not sure if I am in the right direction. I went ahead and followed the setup instructions which seemed fairly straightforward, but the main Kibana webpage no longer works. I have a simple setup with just this one Wazuh VM. When I run filebeat test output everything shows OK until the "dial up" part "10.0.0.3 connection refused." At a bit of a standstill at the moment as I do not want to proceed with this product until I can have a login page.

Thanks in advance.

José Manuel López del Río

Feb 5, 2020, 3:25:08 PM
to Wazuh mailing list
Hello Brandon,
with the X-Pack feature, you are going to be able to secure the connections for the whole Elastic Stack and create a user to log in to the Kibana interface, among some other possibilities.

Regarding the communication issue, make sure you are using a valid IP to communicate to elasticsearch from filebeat and kibana. With the OVA installation, elasticsearch will listen by default on localhost, so make sure the following XPACK section:
output.elasticsearch.hosts: ['localhost:9200']
is set to localhost instead of 10.0.0.3, which is the documentation's example one.

Once you have created this correctly, you have the possibility to create your own roles with different permissions and add new users with the custom roles created from the Kibana interface. You can do that by going to Management and then to Roles or Users in the Security section.





Let me know how that goes, I will be glad to continue helping if needed.

Regards

Brandon Payne

Feb 5, 2020, 3:53:27 PM
to Wazuh mailing list
Ok I think I am getting close....

elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate is not valid for any names, but wanted to match localhost

I am still a bit confused on 1. (instances.yml) file. 

Do all of these below need to be set as localhost? Or does the wazuh-manager and kibana IP need to be set to my OVA virtual machine IP address?


instances:
    - name: "wazuh-manager"
      ip:
        - "localhost"
    - name: "elasticsearch"
      ip:
        - "localhost"
    - name: "kibana"
      ip:
        - "localhost"


Thanks!!

José Manuel López del Río

Feb 6, 2020, 1:57:42 PM
to Wazuh mailing list
Hello Brandon,
I have tried to replicate your issue with XPACK, but following our documentation: https://documentation.wazuh.com/3.11/installation-guide/installing-elastic-stack/protect-installation/xpack.html?highlight=xpack, I cannot generate the certificates using "localhost" for the instances, when running the command:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --pem --in instances.yml --out certs.zip --keep-ca-key

I get the following error: 

Configuration for instance wazuh-manager has invalid details
 * [localhost] is not a valid IP address

Configuration for instance elasticsearch has invalid details
 * [localhost] is not a valid IP address

Configuration for instance kibana has invalid details
 * [localhost] is not a valid IP address

ERROR: File /usr/share/elasticsearch/instances.yml contains invalid configuration details (see messages above)

which means that you cannot use localhost as a valid IP address. In this case, you could use 127.0.0.1 instead of localhost for the instances.yml.

Make sure you use 127.0.0.1 instead of localhost in the filebeat.yml and kibana.yml to connect to elasticsearch, since you need to use the same IP given to the certificates.

In the kibana.yml you are going to need to comment out the following lines since they conflict with the XPACK configuration:

#server.ssl.enabled: true
#server.ssl.key: /etc/kibana/kibana.key
#server.ssl.certificate: /etc/kibana/kibana.cert

Restart all the services once everything is configured. You can also check the communication between filebeat and elasticsearch and check that the certificates are valid using the filebeat test output command.
Remember to use port 443 when trying to access Kibana. In the OVA, Kibana is set in the kibana.yml to listen on that port.

Let me know if you encounter any other issues.

Regards,
Jose Manuel Lopez
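
An added example, not part of the original replies and not Wazuh or Elastic code: a Python preflight check for the two failures seen in this thread, a non-IP value under ip: in instances.yml (rejected by elasticsearch-certutil) and a client URL whose host is not among the certificate's names (the x509 error from filebeat test output). The function names and the sample file are constructed for illustration; name matching is exact and wildcard DNS names are not modelled.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the instances.yml layout from the thread, with one entry
# still set to "localhost" and one already changed to 127.0.0.1.
INSTANCES_YML = '''
instances:
    - name: "wazuh-manager"
      ip:
        - "localhost"
    - name: "elasticsearch"
      ip:
        - "127.0.0.1"
'''

def parse_instances(text):
    """Parse only the name/ip/dns layout shown above (not a general YAML parser)."""
    instances, key = [], None
    for line in text.splitlines():
        if m := re.match(r'\s*-\s*name:\s*"?([^"\s]+)"?\s*$', line):
            instances.append({"name": m.group(1), "ip": [], "dns": []})
            key = None
        elif m := re.match(r'\s*(ip|dns):\s*$', line):
            key = m.group(1)
        elif (m := re.match(r'\s*-\s*"?([^"\s]+)"?\s*$', line)) and instances and key:
            instances[-1][key].append(m.group(1))
    return instances

def invalid_ips(instance):
    """Entries under ip: that are not IP literals; certutil rejects these."""
    bad = []
    for value in instance["ip"]:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            bad.append(value)
    return bad

def client_host_matches(instance, url):
    """True if the host in a client URL would match the certificate's SANs."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        # A hostname is compared with DNS SANs only, never with IP SANs.
        return host.lower() in {d.lower() for d in instance["dns"]}
    valid = [v for v in instance["ip"] if v not in invalid_ips(instance)]
    return any(ipaddress.ip_address(v) == wanted for v in valid)
```

Run it against the hosts set in filebeat.yml and kibana.yml before regenerating certificates; a False result for a host means TLS verification will fail for that client even though the TCP connection succeeds.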

Brandon Payne

Feb 6, 2020, 2:12:03 PM
to Wazuh mailing list
Jose, thank you! I was just writing a reply. I have been messing around with this all morning and I did the same thing as you suggested. I changed localhost to 127.0.0.1 and regenerated the certificates and now I am able to get to the web interface. I also see the Security tab and everything looks good!

-Thanks again for your help!

José Manuel López del Río

Feb 6, 2020, 2:34:11 PM
to Wazuh mailing list
Hello Brandon,
glad to hear you got it working! Do not hesitate to ask again if you encounter any more problems.

Best Regards,
Jose Manuel Lopez