No alerts in kibana after enabling xpack authentication


Aneesh Sharma

Jan 23, 2021, 5:42:07 AM
to Wazuh mailing list
Hello,

I am unable to see any alerts in Kibana after enabling authentication. I can see the alerts in /var/ossec/logs/alerts/alerts.json but nothing in kibana.

Could you please help me on this?

Regards,
Aneesh Sharma

Franco Hielpos

Jan 25, 2021, 1:09:54 PM
to Wazuh mailing list
Hello Aneesh,

Can you please tell us which versions of Elasticsearch, Kibana and Wazuh you are using?

What you can do is to check if the indices are being created from Kibana -> Management -> Dev Tools:
GET _cat/indices/wazuh-alerts-*

You should have a wazuh-alerts- index for each day.

If you don't have any, check if Filebeat is properly running from your Manager:
systemctl status filebeat

And check if Filebeat can connect to Elasticsearch:
filebeat test output

Also, Filebeat should be reading alerts.json, you can check it with:
lsof /var/ossec/logs/alerts/alerts.json

If everything looks okay, let's have a look at the Kibana logs:
cat /var/log/kibana/kibana.log

or in some cases:
grep kibana /var/log/messages

You can read more about Kibana troubleshooting here:
https://documentation.wazuh.com/4.0/user-manual/kibana-app/troubleshooting.html

I will be waiting for your feedback!
Regards,

Aneesh Sharma

Jan 26, 2021, 5:36:26 AM
to Wazuh mailing list
Hello Franco,

Thanks for your response!

I did not find any issue with the suggested things and even tried everything provided in the documentation. Below are the required outputs:


Wazuh: 3.12
Screenshot 2021-01-26 at 3.40.32 PM.png

Elasticsearch: 7.6.2
Screenshot 2021-01-26 at 3.40.59 PM.png

Kibana: 7.6.2

Screenshot 2021-01-26 at 3.39.56 PM.png

GET _cat/indices/wazuh-alerts-*

All indices are green
Screenshot 2021-01-26 at 3.43.15 PM.png


systemctl status filebeat
filebeat test output
lsof /var/ossec/logs/alerts/alerts.json

Screenshot 2021-01-26 at 3.44.36 PM.png

grep kibana /var/log/messages

Jan 26 10:17:11 enterprise-security kibana: {"type":"response","@timestamp":"2021-01-26T10:17:11Z","tags":["access:console"],"pid":30859,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_mapping&method=GET","method":"post","headers":{"host":"xxxxxxxx:5601","connection":"keep-alive","content-length":"0","accept":"text/plain, */*; q=0.01","kbn-version":"7.6.2","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","origin":"http://xxxxxxx:5601","referer":"http://xxxxxxx:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"xxxxxxxxx","userAgent":"xxxxxxx","referer":"http://xxxxxxx:5601/app/kibana"},"res":{"statusCode":200,"responseTime":298,"contentLength":9},"message":"POST /api/console/proxy?path=_mapping&method=GET 200 298ms - 9.0B"}

[root@enterprise-security ~]#


No error/warn logs in the Elastic Stack log files:

Screenshot 2021-01-26 at 4.02.13 PM.png


Regards,

Aneesh Sharma

Franco Hielpos

Jan 26, 2021, 5:43:01 PM
to Aneesh Sharma, Wazuh mailing list
Hello Aneesh,

Everything seems to work fine, so your problem would be mainly about permissions inside Kibana.

Can you access the wazuh-alerts-* indices from Kibana -> Discover?

Also, can you specify which modifications you did when enabling Authentication?

I see that you can access the Dev Tools, so maybe you could try to see which permissions your user has:
GET /_security/user/_has_privileges
This will check the privileges for the current user.

I will be waiting for your response.
Regards,


--
Franco Hielpos

Aneesh Sharma

Jan 27, 2021, 1:39:45 AM
to Wazuh mailing list
Hello Franco,

Below are the desired results:

Can you access the wazuh-alerts-* indices from Kibana -> Discover?

Yes, I can access the same. Screenshot below:

Screenshot 2021-01-27 at 11.59.18 AM.png

Steps followed to enable x-pack authentication:

This is done by xpack security feature in Elastic Stack.

1. Add the next line to /etc/elasticsearch/elasticsearch.yml

xpack.security.enabled: true

2. Restart Elasticsearch and wait for the service to be ready.

systemctl restart elasticsearch

3. Generate credentials for all the Elastic Stack pre-built roles and users.

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

4. Note down the passwords generated from above command.

5. Setting up credentials for Filebeat. Add the next two lines to /etc/filebeat/filebeat.yml

elasticsearch.username: "elastic"
elasticsearch.password: "password_generated_for_elastic"

6. Restart Filebeat.

systemctl restart filebeat

7. Setting up credentials for Kibana. Add the next lines to /etc/kibana/kibana.yml

xpack.security.enabled: true
elasticsearch.username: "elastic"
elasticsearch.password: "password_generated_for_elastic"

8. Restart Kibana.

systemctl restart kibana


9. Open the file at /etc/logstash/conf.d/01-wazuh.conf and add the elastic user credentials on the output section as follows:

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
    document_type => "wazuh"
    user => "elastic"
    password => "<elastic_password>"
  }
}

systemctl restart logstash

----> I did not have this /etc/logstash/conf.d/01-wazuh.conf mentioned in Step 9, so I enabled logstash and then performed Step 9.


Privileges of the current user: I assigned the superuser role to the current user, the same as the "elastic" user has.

Below is the output of the command:
GET /_security/user/_has_privileges

Screenshot 2021-01-27 at 11.58.53 AM.png

I ran another command, GET /_security/user/_privileges/, and below is the result:

Screenshot 2021-01-27 at 11.58.03 AM.png


Regards,
Aneesh Sharma
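The checks exchanged above (Franco's Jan 25 list of things to verify, and the `_has_privileges` call from his Jan 26 reply) can be run as one script against a cluster with `xpack.security.enabled: true`. The following is an added example written for this thread; it is not code from the thread, from Wazuh or from Elastic. It uses only the Python standard library and HTTP basic auth, which is what the Filebeat and Kibana settings in Aneesh's steps also use. The URL, the user names and the sample `_cat/indices` output and `_has_privileges` response are constructed for the example. Note that the `_has_privileges` API answers only for the privileges you name in the request body, and that for a superuser (as Aneesh configured) every answer is `true`, so the privilege check is most informative for a dedicated, non-superuser Kibana account.

```python
"""Added example (not from the thread or from Wazuh): run the thread's two
checks against a secured Elasticsearch: list the wazuh-alerts-* indices and
ask which privileges the authenticated user holds on them.
Standard library only; ES_URL and the credentials are assumptions."""
import base64
import json
import sys
import urllib.request
from datetime import date

ES_URL = "http://localhost:9200"   # assumed; the thread's Logstash output also uses localhost:9200
INDEX_PATTERN = "wazuh-alerts-*"
# Index privileges a Kibana user needs to browse the alert indices in
# Discover (assumed list for this example; adjust to your role design).
NEEDED_INDEX_PRIVILEGES = ["read", "view_index_metadata"]

# Constructed sample data so the checks can be exercised offline.
SAMPLE_CAT = (
    "green open wazuh-alerts-3.x-2021.01.26\n"
    "green open wazuh-alerts-3.x-2021.01.25\n"
    "yellow open wazuh-alerts-3.x-2021.01.24\n"
)
SAMPLE_PRIVILEGES = {
    "username": "kibana_reader", "has_all_requested": False, "cluster": {},
    "index": {"wazuh-alerts-*": {"read": True, "view_index_metadata": False}},
    "application": {},
}


def basic_auth_header(user, password):
    """Authorization header value for HTTP basic auth against the native realm."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def es_request(path, user, password, method="GET", body=None):
    """Send one authenticated request to Elasticsearch and return the raw body."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(ES_URL + path, data=data, method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def parse_cat_indices(text):
    """Parse `_cat/indices?h=health,status,index` output into (index, health) pairs."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3:
            rows.append((cols[2], cols[0]))
    return rows


def index_problems(rows, day=None):
    """What Franco's first check flags: no index for the day (YYYY.MM.DD), or non-green ones."""
    suffix = day or date.today().strftime("%Y.%m.%d")
    problems = []
    if not any(name.endswith(suffix) for name, _ in rows):
        problems.append(f"no {INDEX_PATTERN} index for {suffix}")
    problems += [f"{name} is {health}" for name, health in rows if health != "green"]
    return problems


def has_privileges_body(pattern=INDEX_PATTERN, privileges=NEEDED_INDEX_PRIVILEGES):
    """Request body for _has_privileges: the API only answers for privileges you name."""
    return {"index": [{"names": [pattern], "privileges": privileges}]}


def missing_privileges(response, pattern=INDEX_PATTERN):
    """Index privileges the user lacks on `pattern`, read from a _has_privileges response."""
    granted = response.get("index", {}).get(pattern, {})
    return sorted(priv for priv, ok in granted.items() if not ok)


def findings_from(cat_text, privileges_response, day=None):
    """Combine both checks into one list of findings (empty means all good)."""
    findings = index_problems(parse_cat_indices(cat_text), day)
    findings += [f"missing index privilege: {p}" for p in missing_privileges(privileges_response)]
    return findings


def run_checks(user, password):
    """Run both checks live against ES_URL as the given user."""
    cat = es_request(f"/_cat/indices/{INDEX_PATTERN}?h=health,status,index", user, password)
    raw = es_request("/_security/user/_has_privileges", user, password,
                     method="POST", body=has_privileges_body())
    return findings_from(cat, json.loads(raw))


if __name__ == "__main__":
    # Usage (assumed credentials): python es_checks.py kibana_reader 'secret'
    # Without arguments the constructed sample data is evaluated instead.
    if len(sys.argv) == 3:
        result = run_checks(sys.argv[1], sys.argv[2])
    else:
        result = findings_from(SAMPLE_CAT, SAMPLE_PRIVILEGES, day="2021.01.26")
    for finding in result or ["all checks passed"]:
        print(finding)
```

Run without arguments the script reports the sample's yellow index and the missing `view_index_metadata` privilege; with a user name and password it performs the same two requests against the live cluster, so an empty result means an index exists for today, all alert indices are green, and the account can read them.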

Aneesh Sharma

Jan 29, 2021, 6:14:24 AM
to Wazuh mailing list
Hey Franco,

Any update on the same?


Regards,
Aneesh Sharma

Franco Hielpos

Feb 2, 2021, 6:43:11 PM
to Aneesh Sharma, Wazuh mailing list
Hello Aneesh,

Sorry for the late reply.

I don't see anything wrong with your configuration. Can you show us what your Wazuh App looks like when you try to access it? Does it show any errors?

Regards,
Franco



--
Franco Hielpos