Wazuh Multi Tenancy


Utkarsh Bhargava

Mar 26, 2021, 6:47:06 AM
to 'Utkarsh Bhargava' via Wazuh mailing list
Hi Community,

Does Wazuh support multi-tenancy? I am aware that RBAC is there, but I want to monitor a very distributed environment and I want to keep data access restricted for each tenant.

Also, is it possible to connect one Wazuh Kibana app with multiple Wazuh managers and apply access control for each user?

Regards
Utkarsh  


mayte...@wazuh.com

Mar 29, 2021, 4:30:47 AM
to Wazuh mailing list
Hi!
 
Yes, Kibana multi-tenancy can be achieved using Opendistro. You may add the following configuration in your kibana.yml file in order to enable multitenancy:

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Global", "Private"]
 
You can find more information here: Open Distro - Kibana multi-tenancy
 
Regarding your second question, yes, it is also possible. You need to add every wazuh manager API configuration below the hosts section in the wazuh.yml file and every manager will be connected to the same Kibana.
 
I hope it helps.
 
Best regards, 
Mayte Ariza

mayte...@wazuh.com

Mar 29, 2021, 6:02:45 AM
to Wazuh mailing list

Here you can find an example of how the wazuh.yml would look when connecting several managers to the same Kibana:

hosts:
  - manager1:
      url: http(s)://<manager1_url>
      port: <manager1_port>
      username: <manager1_user>
      password: <manager1_password>
      run_as: false
  - manager2:
      url: http(s)://<manager2_url>
      port: <manager2_port>
      username: <manager2_user>
      password: <manager2_password>
      run_as: false
  - manager3:
      url: http(s)://<manager3_url>
      port: <manager3_port>
      username: <manager3_user>
      password: <manager3_password>
      run_as: false

 

I hope it helps.
 
Best regards, 
Mayte Ariza


Utkarsh Bhargava

Mar 30, 2021, 1:29:15 AM
to mayte...@wazuh.com, Wazuh mailing list
Hi Mayte,

Thank you for your email. I am aware of Opendistro multi-tenancy, and thank you for answering my question regarding connecting multiple Wazuh managers with a single Wazuh Kibana app.

My question is: can I automate the Wazuh manager and Wazuh Kibana app communication as per the user?

For example, I have user one who is using Wazuh manager 1, so I want this user to have automatic access to Wazuh manager 1 on his Kibana app.

Looking forward to your response.

Regards


mayte...@wazuh.com

Mar 30, 2021, 5:12:07 AM
to Wazuh mailing list
Hi,

Sorry I misunderstood your first question. Yes, you can manage the wazuh manager and kibana communication.

1.- First, you need to enable the run_as setting for every Wazuh API added in the /usr/share/kibana/optimize/wazuh/config/wazuh.yml file. For example:

hosts:
  - manager1:
      url: http(s)://<manager1_url>
      port: <manager1_port>
      username: <manager1_user>
      password: <manager1_password>
      run_as: true
  - manager2:
      url: http(s)://<manager2_url>
      port: <manager2_port>
      username: <manager2_user>
      password: <manager2_password>
      run_as: true

2.- Create an internal user on Kibana as usual (I would use User1, for example).

[Screenshot: Create_user_elastic.png]

3.- Create a new role adding the desired permissions in Elastic (I would use Custom_role1).

[Screenshot: Create_role_elastic.png]

4.- Map the role Custom_role1 to the newly created user User1:

[Screenshot: Map_user.png]

5.- Create a new role mapping from the Wazuh Security tab (for example Environment1_admin), granting the desired permissions (in this case I would use administrator), and map it to Custom_role1.

[Screenshot: Create_rol_mapping_by_role.png]

This configuration grants administrator permissions to every user mapped to Custom_role1. You should create new Elastic roles in order to grant different Wazuh permissions (readonly, agents_admin, cluster_readonly...).

Of course, you can also map the Wazuh role mapping to the user itself, but the whole process should be replicated for each user:

[Screenshot: Create_role_mapping_by_user.png]

Also, you should create the desired roles and role mappings for every Wazuh API.

I hope it helps.

Best regards, 
Mayte Ariza

Utkarsh Bhargava

Apr 26, 2021, 7:41:14 AM
to mayte...@wazuh.com, Wazuh mailing list
Hi

Tried this, but each Wazuh user is able to see other API entries and access them as well.

I tried multiple settings but it seems like it's not working.

Can you please share the configuration for the same?

Regards



Utkarsh Bhargava

Apr 28, 2021, 2:56:46 PM
to mayte...@wazuh.com, Wazuh mailing list
Hi community,

Can anyone tell me how to fix this issue:

The role mapping has no effect because the Wazuh API's configured user has not the run_as setting enabled in the configuration or is not allowed to use it.

regards



mayte...@wazuh.com

Apr 29, 2021, 4:33:46 AM
to Wazuh mailing list
Hi,

Did you follow the first step in the guide?

In order to use RBAC, the run_as setting must be enabled and also the user inside the host block (username setting) must have the allow_run_as setting enabled (such as wazuh-wui) so roles can be assigned to the user based on the information of an authorization context. Otherwise, all the users that access Kibana will work as admin users (being able to access and modify anything regardless of the roles they have).

You can find more information about Role-Based Access Control in our documentation.

I hope it helps.

Best regards, 
Mayte Ariza
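
Added example (not part of the thread and not Wazuh project code): a small audit of the hosts block in wazuh.yml that lists every API entry where run_as is not true, which is the condition under which the role mappings described above have no effect. The sample file, host names and user names are constructed; the allow_run_as flag on the API user lives on the manager side and is not checked here, so the reported api_user is the account to review there.

```python
import re

# Constructed sample in the layout shown in the thread; all values are placeholders.
SAMPLE_WAZUH_YML = """\
hosts:
  - manager1:
      url: https://manager1.example.internal
      username: wazuh-wui
      run_as: true
  - manager2:
      url: https://manager2.example.internal
      username: wazuh-wui
      run_as: false
  - manager3:
      url: https://manager3.example.internal
      username: custom-api-user
pattern: wazuh-alerts-*
"""

def parse_hosts(text):
    """Return {host_id: {setting: value}} for the entries under 'hosts:'."""
    hosts, current, in_hosts = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank line or comment
        if not line.startswith((" ", "\t")):      # a top-level key starts or ends the block
            in_hosts, current = line.strip() == "hosts:", None
            continue
        if not in_hosts:
            continue
        entry = re.match(r"\s*-\s*([^:\s]+):\s*$", line)
        if entry:                                 # "- manager1:" opens a new API entry
            current = hosts.setdefault(entry.group(1), {})
            continue
        setting = re.match(r"\s+(\w+):\s*(.*?)\s*$", line)
        if setting and current is not None:
            current[setting.group(1)] = setting.group(2).strip("'\"")
    return hosts

def audit_run_as(text):
    """List API entries where role mappings cannot take effect, with the API user to review."""
    return [
        {"host": name, "api_user": cfg.get("username"), "run_as": cfg.get("run_as", "<unset>")}
        for name, cfg in parse_hosts(text).items()
        if cfg.get("run_as", "").lower() != "true"   # unset or anything but true is flagged
    ]

if __name__ == "__main__":
    print(audit_run_as(SAMPLE_WAZUH_YML))
```
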

Utkarsh Bhargava

Apr 29, 2021, 6:14:42 AM
to mayte...@wazuh.com, Wazuh mailing list
I followed the guide and created two users and had 2 API entries in the Wazuh Kibana app.

The problem is both the users can see each other's API and can even select them and see the data.

I am trying to fix this issue but nothing is working for me.

I am looking for community help.

regards



mayte...@wazuh.com

Apr 29, 2021, 12:01:07 PM
to Wazuh mailing list
Hi,

When using the Wazuh role-based access control, there will be users that can only see and do certain actions on specified resources. For instance, a user without permissions to read rules will not be able to see or modify them:

[Screenshot: rules_permissions.png]

Users will be able to see others' Wazuh APIs and select them; however, the actions they are allowed to do within them are fully configurable.
 
Regarding the access to the data displayed on Discover, Security events, Integrity monitoring and so on, since it involves information related to the cluster, indices, documents and field permissions, it should be managed using Opendistro RBAC: opendistro access-control

Best regards, 
Mayte Ariza

Utkarsh Bhargava

May 1, 2021, 12:39:04 AM
to mayte...@wazuh.com, Wazuh mailing list
I want to hide these API entries.

These API entries have become a pain in the ass for me.

Is there any way I can control these APIs' visibility?

regards



mayte...@wazuh.com

May 5, 2021, 4:18:12 AM
to Wazuh mailing list
Hi!

The API entries cannot be hidden with the current RBAC configuration.

I made a feature request. You can follow up on the issue at the following link: Hide API entries using RBAC

Best regards,
Mayte Ariza

Utkarsh Bhargava

May 17, 2021, 12:41:54 AM
to mayte...@wazuh.com, Wazuh mailing list
Thank you so much.

I wanna make one more feature request here. It would be great if we can have that old feature of selecting index patterns, or if we can have a configuration where we can configure different index patterns for different APIs.

regards


mayte...@wazuh.com

May 17, 2021, 8:41:22 AM
to Wazuh mailing list
Hi!

If you have only one index pattern (or a single Wazuh API) the index pattern selector (or the API selector) does not appear. For instance:

[Screenshot: no_selector.png]

However, when having more than one index pattern or a Wazuh API, the respective selector is displayed:

- Wazuh API selector:

[Screenshot: select_api.png]

- Index pattern selector:

[Screenshot: select_index_pattern.png]

I hope it helps.

Best regards,
Mayte Ariza

Utkarsh Bhargava

May 19, 2021, 12:51:18 AM
to mayte...@wazuh.com, Wazuh mailing list
Thank you for the updates.

I have multiple index patterns but they are not visible in the Wazuh app.
All index patterns have different names; probably because of that they are not visible.

regards


mayte...@wazuh.com

May 19, 2021, 8:37:22 AM
to Wazuh mailing list
Hi!

Are those index patterns related to the Wazuh indexes? 
An index pattern must contain the following fields to be used by the Wazuh app:

Could you share with us the index pattern you are using to replicate the issue?

Best regards,
Mayte Ariza

Utkarsh Bhargava

May 21, 2021, 5:49:47 AM
to mayte...@wazuh.com, Wazuh mailing list
As I have multiple Wazuh Managers/APIs, I have given different names to each Wazuh index pattern.

I did this so that I can easily identify which data belongs to which Wazuh Manager, and also to have better and easier access control on each index pattern.

regards


mayte...@wazuh.com

May 25, 2021, 4:29:51 AM
to Wazuh mailing list
Hi!

Nice. In that case, since the index patterns are related to the Wazuh indexes, they should appear in the index pattern selector.
If this does not happen, please share with us some specific details (such as how you created the index patterns, which names you are using...) so we can replicate the issue and debug the problem. Attach screenshots when possible to provide additional information.

Best regards,
Mayte Ariza