elastic password?

DW CG
Oct 1, 2021, 1:52:32 PM
to Wazuh mailing list
Hello again.  Thanks for your patience with a fledgling user.  Seeing all of this for the first time is a bit overwhelming. 

I'm trying to add an initial data source to my Wazuh environment, so I picked "auditd logs" because it seems like it would be an easier setup.  So I'm on the screen seen in the attached screenshot.

Got filebeat installed and running.

Next it needs me to add a section containing the elastic username and password.  I don't know if that was configured during initial setup, or how to find the password.  I had followed the "all-in-one" deployment steps here

Where might I find the elastic password that is being requested?

Oh I should mention that I found this documentation and tried unsuccessfully:
https://documentation.wazuh.com/current/user-manual/elasticsearch/elastic_tuning.html

The script fails:
# bash wazuh-passwords-tool.sh -a
The flag --installed is not known.
Error: Open Distro is not installed on the system.



But I don't know if that will help with the elastic password situation...

I could certainly use some hand-holding to get the environment working successfully.

Thanks!
Derek



[Attached screenshot: "Home - Elastic", 2021-10-01 13:42]

Raul Del Pozo Moreno
Oct 1, 2021, 3:43:20 PM
to Wazuh mailing list
Hello green.wickersham

From what I see you have followed the unattended step-by-step guide, but not completely; the second step after installing Wazuh is to install Elasticsearch.

As you can see, the error it is giving you is "Error: Open Distro is not installed on the system." This happens because you do not have the Elasticsearch service installed, which is necessary to run this script correctly.

Regarding the password question, as you can see in the image you have shared with us, this password can be obtained from the /etc/filebeat/filebeat.yml file, which is downloaded preconfigured during the Filebeat installation: https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/all_in_one.html#installing-filebeat
The Elastic user should be the one indicated in that file, along with the password that is also shown there. By default this file has user "admin" and password "admin" as values, but I would recommend that if you follow this guide, you follow it completely and not partially. A solution if you are starting with Wazuh is to use the unattended installation; this performs the same steps as the guide you have followed, but you only have to run the script once and copy the passwords that it generates at the end: https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/unattended-installation.html

Another option is to download our OVA https://documentation.wazuh.com/current/virtual-machine/virtual-machine.html?highlight=ova and import it into a virtualization service such as VirtualBox or VMware; both running the unattended installation script and the OVA provide the components ready to go.

Regards, Raúl.

DW CG
Oct 1, 2021, 4:10:56 PM
to Wazuh mailing list
Hello Raúl,

Thank you for the response to my questions.

Some corrections:

1. I walked through each step, one by one. And as part of that procedure, the Elasticsearch service was installed.

2. Evidence:

# systemctl status elasticsearch
elasticsearch.service - Elasticsearch
    Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
    Active: active (running) since Fri 2021-10-01 10:12:03 EDT; 5h 35min ago
      Docs: https://www.elastic.co
  Main PID: 18523 (java)
     Tasks: 90 (limit: 4915)
       CPU: 4min 22.483s
    CGroup: /system.slice/elasticsearch.service
            └─18523 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessa>

Oct 01 10:11:52  systemd[1]: Starting Elasticsearch...
Oct 01 10:12:03  systemd[1]: Started Elasticsearch.


# zypper info elasticsearch
Loading repository data...
Reading installed packages...

Information for package elasticsearch:
--------------------------------------
Repository     : Elasticsearch repository for 7.x packages
Name           : elasticsearch
Version        : 7.15.0-1
Arch           : x86_64
Vendor         : Elasticsearch
Installed Size : 542.8 MiB
Installed      : No
Status         : not installed
Source package : elasticsearch-7.15.0-1.
Summary        : Distributed RESTful search engine built for the cloud
Description    :  
   Reference documentation can be found at
     https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html
     and the 'Elasticsearch: The Definitive Guide' book can be found at
     https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html



Should I shutdown all the components, uninstall everything, and then start over using the unattended installation?

Thanks,
Derek

Raul Del Pozo Moreno
Oct 4, 2021, 8:58:39 AM
to Wazuh mailing list
Hello Derek!

Sorry about the nick, I did not see that you put your name at the end of the message.

This situation is weird. I see you use Zypper; do you use openSUSE or SUSE? Could you specify what OS and version you use, to check if there is a problem with the installation guide?

I see some things that do not make sense to me: the elasticsearch service is present and working, and Zypper recognizes the package, but:

1. Zypper indicates: Status: not installed and Installed: No (possibly the script error is because of this)
2. the version of elasticsearch is 7.15.0 when it should be 7.10.2

The package opendistroforelasticsearch is installed from our repository, which only contains up to version 1.13.2 (7.10.2), how have you installed opendistroforelasticsearch?  Can you run /usr/share/elasticsearch/bin/elasticsearch -V and show me the output please?

Regards, Raul.

DW CG
Oct 4, 2021, 9:29:35 AM
to Wazuh mailing list
Hi again, thanks for getting back to me.  I am eager to get Wazuh working on my test machine, and I'll be happy to share my experience and feedback.

The machine is running openSUSE Tumbleweed which is kept up-to-date.

# cat /etc/os-release  
NAME="openSUSE Tumbleweed"
# VERSION="20210928"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20210928"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20210928"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"


As mentioned, I followed the step-by-step installation instructions (Zypp specific).  My goal is to understand what each component does and how the system works, so I figured I would learn more by installing it line by line.  I did a copy/paste of every individual command line.

Here is the output of the command you requested:

# /usr/share/elasticsearch/bin/elasticsearch -V
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Version: 7.10.2, Build: oss/rpm/747e1cc71def077253878a59143c1f785afa92b9/2021-01-13T00:42:12.435326Z, JVM: 11.0.12


Here's a bit more info:

# rpm -qa | grep -i elastic
elasticsearch-oss-7.10.2-1.x86_64
opendistroforelasticsearch-1.13.2-1.x86_64
opendistroforelasticsearch-kibana-1.13.2-1.x86_64


I am still struggling to figure out all the usernames and passwords; not to mention the URLs of the various components.  Coming to the Wazuh product for this first time, I am having difficulty finding and managing all this information. 

With regards to setting up filebeat to gather auditd data, the instructions say I need to edit /etc/filebeat/filebeat.yml and add a new section:

output.elasticsearch:
  hosts: ["<es_url>"]
  username: "elastic"
  password: "<password>"
setup.kibana:
  host: "<kibana_url>"

Assuming I have a brand new stock installation of Wazuh, how should that section appear?  I don't know where to find the Elasticsearch URL or the Kibana URL.  Do you believe the username and password should be admin/admin?

Thanks,
Derek

Raul Del Pozo Moreno
Oct 4, 2021, 1:57:04 PM
to Wazuh mailing list
Hello Derek!

I have tested the guide that you indicate on openSUSE Tumbleweed in a Vagrant box and I have not had problems with the installation of Elasticsearch. It installed version 7.10.2 and not 7.15.0; it may have been some command confusion.

Here I show you some screenshots about it:

OpenDistro install (7.10.2): [screenshots 1.png, 2.png]

Elasticsearch version: [screenshot 3.png]

Zypper detects the installed package: [screenshot 5.png]

In this case, the guide you are using installs the four main components on the same machine, that is:

- Wazuh manager
- Elasticsearch
- Filebeat
- Kibana

What does each of them do?

- Wazuh manager: monitors the machine where it is installed through an embedded agent (which has the ID 000) and manages the agents. It also analyzes the information sent by the agents to create alerts based on the data that the agents send it.
- Filebeat: is used to send the manager's alerts, encrypted and in real time, to the Elasticsearch node; that is, the information is transmitted directly from the Wazuh analysis engine.
- Elasticsearch: receives the alerts sent from the manager and stores them in indices.
- Kibana: queries these indices and displays them in the interface with the help of the Wazuh app.

This would be a very basic explanation of how it works, this is explained in more detail in these links:


Keep in mind that this type of installation (AIO) does not allow the system to be scaled in a simple way; it is designed for a specific and light use of the product. On the other hand we have the distributed system, which allows the system to be scaled very easily, since almost all the components would be on a dedicated machine.

Regarding the users, it is necessary to differentiate the user of the machine from the OpenDistro users. These are internal users of OpenDistro that are used for the proper functioning of the components; you can consult all the existing internal users in this file:

 - /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Each of these users has a specific role and by default, their passwords will be the same as those of the username:

- admin: Full access to the cluster and all indices
- kibanaserver: Internal Kibana server user, for configuring elasticsearch.username and elasticsearch.password in kibana.yml. Has all permissions on the .kibana index.
- kibanaro: Regular Kibana user, has READ access to all indices and all permissions on the .kibana index.
- logstash: Logstash and Beats user, has CRUD and CREATE_INDEX permissions on all logstash indices.
- readall: Has read access to all indices
- snapshotrestore: Has permissions to perform snapshot and restore operations

You can also find the users:

- wazuh: (similar to admin; in the future admin will disappear in favor of this user)
- wazuh_admin: It is recommended for users who need administrative privileges.
- wazuh_user: It is created for users who need read-only access to the Wazuh Kibana plugin.

If you are a new user of Wazuh, this may not be the best option to start with, since these integrations are external and are embedded in Elastic. In fact I have been doing tests and I have had to add configuration that I had to rummage for in the Elastic forums.

I think the best thing to start with us is that you follow this Learning Wazuh guide: https://documentation.wazuh.com/current/learning-wazuh/index.html, in which various Labs are explained to see how the software works, and if you like to read, you can also take a look at the User Manual: https://documentation.wazuh.com/current/user-manual/overview.html

Regarding the passwords, by default username=password. This can be changed, as you said before, through the script, but as far as I have seen it seems that there is a problem with that script on openSUSE, since it does not detect that Open Distro is installed, although now Zypper tells me that it is. For this, I have created this issue: https://github.com/wazuh/wazuh-packages/issues/916

Regards, Raúl
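Putting together the two points made in this reply and in Raúl's first answer above (the credentials Filebeat uses are whatever /etc/filebeat/filebeat.yml already carries, and every Open Distro internal user ships with password == username), here is an added example that is not from the Wazuh documentation or from anyone in this thread. It reads the output.elasticsearch section of a filebeat.yml, reports whether the Open Distro default password is still in place, and prints the curl command that verifies the credentials against the REST API. The embedded filebeat.yml is a constructed sample modelled on the preconfigured file the all-in-one guide installs; the host, protocol and certificate path in it are assumptions for this example, so compare against your own file.

```shell
#!/usr/bin/env bash
# Added example (not Wazuh's own tooling): locate the Elasticsearch credentials
# Filebeat already uses, flag the Open Distro default (password == username),
# and emit the curl command to verify them. Plain awk/sh only, so it runs
# offline against the constructed sample below.
set -eu

# Constructed sample modelled on the preconfigured /etc/filebeat/filebeat.yml.
# Host, protocol and certificate path are assumptions; check your own file.
SAMPLE_FILEBEAT_YML='# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
  username: admin
  password: admin
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
setup.template.json.enabled: true
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
'

# Print the value of one key (hosts, protocol, username, password) nested under
# output.elasticsearch. YAML arrives on stdin; the block ends at the next
# unindented key. Surrounding quotes and list brackets are stripped.
filebeat_es_setting() {
  awk -v key="$1" '
    /^output\.elasticsearch:/   { inblock = 1; next }
    inblock && /^[^[:space:]#]/ { inblock = 0 }
    inblock && $1 == key ":" {
      $1 = ""; sub(/^[[:space:]]+/, ""); gsub(/[][]/, ""); gsub(/"/, ""); print; exit
    }'
}

# Open Distro ships every internal user with password == username.
is_default_password() {        # $1 username, $2 password
  [ "$1" = "$2" ]
}

# curl line to test the credentials against the REST API. The password is left
# out on purpose (curl prompts for it) so it never lands in `ps` or the shell
# history; --cacert keeps TLS verification on instead of disabling it with -k.
es_check_command() {           # $1 host:port, $2 protocol, $3 user, $4 CA file
  printf 'curl --cacert %s -u %s %s://%s\n' "$4" "$3" "$2" "$1"
}

# Read a filebeat.yml from stdin; print DEFAULT/CUSTOM/NONE plus the check command.
audit_es_credentials() {
  local yml host proto user pass
  yml=$(cat)
  host=$(printf '%s\n' "$yml" | filebeat_es_setting hosts)
  proto=$(printf '%s\n' "$yml" | filebeat_es_setting protocol)
  user=$(printf '%s\n' "$yml" | filebeat_es_setting username)
  pass=$(printf '%s\n' "$yml" | filebeat_es_setting password)
  if [ -z "$user" ]; then
    echo "NONE     no output.elasticsearch credentials found"
    return 0
  fi
  if is_default_password "$user" "$pass"; then
    echo "DEFAULT  user '$user' still has the Open Distro default password; rotate it (wazuh-passwords-tool.sh)"
  else
    echo "CUSTOM   user '$user' has a non-default password"
  fi
  # A multi-host list prints space-separated; the check command uses the first.
  es_check_command "${host%% *}" "${proto:-https}" "$user" /etc/filebeat/certs/root-ca.pem
}

# On a real host:  audit_es_credentials < /etc/filebeat/filebeat.yml
printf '%s' "$SAMPLE_FILEBEAT_YML" | audit_es_credentials
```

The same user and password are what go into the auditd Filebeat section quoted earlier in the thread: on a stock all-in-one install there is no "elastic" user, so the username Filebeat authenticates with is the Open Distro internal user found by this script, and the check command confirms it before any module is enabled.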

DW CG
Oct 6, 2021, 8:43:04 AM
to Wazuh mailing list
Thanks, Raúl, for the detailed explanation.  I appreciate your time.

I ended up un-installing all components.  I am going to carve out some time for attempting the unattended installation.

My initial goal is to monitor/view/alert on auditd events, so I will definitely need to get filebeat pushing the logs into Elasticsearch.  For that to work, it seems I'll need to get a handle on the various account credentials.  That was the most confusing part for me, finding and managing the various accounts and passwords.  So I'll take a breather and then try again.

Derek

Raul Del Pozo Moreno
Oct 6, 2021, 12:58:34 PM
to Wazuh mailing list
Hello Derek

If that is what you want, you do not need to do that configuration; as I said, that integration part can become more complicated, since it is external to us.

Anyway, if you want to start with auditd, you can continue with this guide, which indicates how to install auditd and configure Wazuh to receive alerts in Kibana based on the actions carried out:

Regards, Raúl.