Weekly Autogeneration of Wazuh PDF Reports


J Stein

Mar 5, 2022, 5:18:20 PM
to Wazuh mailing list
Hi everyone,
I'm trying to automatically generate a version of the PDF reports that can be generated on the top right of the "Security Events" page under Wazuh->Modules->Security Events. From what I can see and the last few hours of research, these reports only seem to be able to be generated manually.

For reference, some of the things I've tried:
The relevant documentation (here) says that the generated reports should be at /usr/share/kibana/wazuh/downloads/reports, but at least on my installation they're actually at /usr/share/kibana/data/wazuh/downloads/reports/wazuh. Worst case, I can write a script to grab the most recent file from here and attach it to an automated email. However, I can't figure out how to generate the reports on a weekly basis.

The docs page that seems like it would be the most relevant unfortunately doesn't seem to have info on what I'm trying to do, unless I'm missing something.

I've tried using wazuh-reportd, but it only outputs text reports and requires input from stdin. I've tried using the Kibana reporting features, but 1) the Wazuh "Security Events" dashboard isn't visible in the Kibana reporting menu, 2) the output seems to be in CSV format, and 3) it's not the pretty Wazuh security PDF report.

The closest I've come has been trying to use curl to manually request the button url, but there has to be a better solution that doesn't involve jumping down that really ugly rabbit hole.

So, any ideas? Is there a way to do this, either in the Wazuh UI, in configs, or using cron?

Thanks!
Jason
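
The fallback described in the post above (grab the most recent PDF from the reports directory and attach it to an automated e-mail), sketched as an added example that is not part of the original thread and is not Wazuh's own code. It does not generate the report; it only mails one that already exists, and it refuses to send a stale or non-PDF file. The 7-day limit, the addresses and the `localhost` relay are assumptions.

```python
import smtplib
import time
from email.message import EmailMessage
from pathlib import Path

# Path reported in the post above; adjust for your installation.
REPORT_DIR = Path("/usr/share/kibana/data/wazuh/downloads/reports/wazuh")
MAX_AGE_DAYS = 7  # assumption: a weekly job should never mail an older report


def newest_report(report_dir, max_age_days=MAX_AGE_DAYS, now=None):
    """Return the newest regular *.pdf file, or None if missing or stale."""
    now = time.time() if now is None else now
    candidates = []
    for entry in Path(report_dir).glob("*.pdf"):
        # Skip symlinks: only mail files that really live in this directory.
        if entry.is_symlink() or not entry.is_file():
            continue
        with entry.open("rb") as fh:
            if fh.read(5) != b"%PDF-":  # reject truncated or non-PDF files
                continue
        candidates.append((entry.stat().st_mtime, entry))
    if not candidates:
        return None
    mtime, path = max(candidates)
    # A stale newest file means this week's report was never generated.
    return path if now - mtime <= max_age_days * 86400 else None


def build_message(pdf_path, sender, recipient):
    """Build an e-mail with the report attached as application/pdf."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"Weekly Wazuh report: {pdf_path.name}"
    msg.set_content("The latest Wazuh security events report is attached.")
    msg.add_attachment(pdf_path.read_bytes(), maintype="application",
                       subtype="pdf", filename=pdf_path.name)
    return msg


if __name__ == "__main__":
    report = newest_report(REPORT_DIR)
    if report is None:
        raise SystemExit("no fresh PDF report found; nothing sent")
    # Placeholder addresses and relay (assumptions); replace with your own.
    mail = build_message(report, "wazuh@example.org", "soc@example.org")
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(mail)
```

Run it from a weekly cron entry under an account that can read the reports directory; a non-zero exit means no report was sent.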

Juan Carlos

Mar 7, 2022, 4:35:56 AM
to Wazuh mailing list
Hello Jason,

You may create reports through Kibana's reporting feature that is based on custom dashboards.
I've recreated the Security events dashboard from the Wazuh app as a custom dashboard and attached it to this message; you may import it by going into ☰ → Stack Management → Saved objects → Import.

You may then create the report definition either in Kibana reporting or directly from the Dashboard.

It's in the roadmap to make this feature more user-friendly, but as you mention, running it as a curl command is an ugly rabbit hole, as this button uses the browser's rendering capabilities, so a simple curl is not going to work.

You may also use a script to automate this process without relying on the Kibana reporting feature as done here by my Wazuh colleague Dario: https://github.com/dariommr/scripts/tree/master/elastic-reports

I hope you find this useful and don't hesitate to let us know if you have any more questions,
Juan C. Tello
SecurityEvents-OnPrem.ndjson