How to install Kibana plugins into Wazuh Kibana?


Allen Shau

Feb 20, 2022, 9:45:01 PM
to wa...@googlegroups.com

Hi,


(This is my very first question here. Not sure if I am doing right.)


Recently I wanted to add the Kibana Network plugin to the Wazuh Docker setup (Windows 10).

What I did is:

- > docker exec -it wazuh-docker_kibana_1 bash 

- $ cd /usr/share/kibana/

- $ curl -OL https://github.com/dlumbrer/kbn_network/releases/download/7.10.0-1/kbn_network-7.10.0.zip

(modified to 7.10.2 to match my Wazuh)

- $ bin/kibana-plugin install file:///usr/share/kibana/plugins/kbn_network-7.10.2.zip  


So far looks okay and the message says the installation is complete.

However, now I should restart kibana to make it effective.


Nevertheless, no matter which of the 3 methods below I used,

- sudo systemctl restart kibana

*or*

- sudo systemctl stop kibana.service  +  sudo systemctl start kibana.service

*or*

- docker container restart wazuh-docker_kibana_1


all settings are gone from the wazuh-docker_kibana_1 container.

I don't think I am re-creating the container from the image. Why is it gone?

How can I restart Kibana without losing what I just did?

Or am I doing the Kibana plugin installation totally wrong?


Please help.

Thanks.


Regards,

Allen

Allen Shau

Feb 21, 2022, 2:01:11 AM
to Wazuh mailing list
Update some more information:

I have 2 Wazuh Docker installations: one on Windows Desktop, the other on Linux (Ubuntu 18.04.5 LTS).
After trying the same steps several times, the one on Windows works when I use 'docker container restart wazuh-docker_kibana_1' to restart Kibana (the installation settings are still there).

However, on the Linux one, with the same installation steps and the same 'installation complete' message,
the settings are still gone.
So on Linux (Ubuntu 18.04.5 LTS), are there any other methods to restart Wazuh Kibana?
Why does using 'docker container restart' cause the settings in Wazuh Kibana to disappear?
Any hints?
Thanks.

Allen
Allen Shau wrote in a message on Monday, February 21, 2022 at 10:45:01 AM [UTC+8]:

Facundo Mayon

Feb 21, 2022, 5:36:40 AM
to Wazuh mailing list
Good morning Allen. Thanks for using Wazuh!
Could you please share with me the docker-compose file that you are using to create the containers?
Another question is whether you have also installed the Wazuh manager, Filebeat services and Elasticsearch in other containers.

Thanks, I will be waiting for your response. Have a good day.


Allen Shau

Feb 21, 2022, 11:13:27 PM
to Wazuh mailing list
Hi Facundo,

Actually what I am running is SIEMonster CE, a downloadable VM with containers installed, including Wazuh.
The fact is that I cannot get support from SIEMonster, so I came here, the most active group I found.
So far I cannot find the docker-compose file.
Is it possible to get some hints from the containers themselves?

PS. I tried another method, '(sudo) service kibana restart'. All settings are gone as usual.

Allen

facund...@wazuh.com wrote in a message on Monday, February 21, 2022 at 6:36:40 PM [UTC+8]:

Allen Shau

Feb 21, 2022, 11:44:15 PM
to Wazuh mailing list
Hi Facundo,

I just found some info from github siemonster:
siemonster wazuh-docker docker-compose.yml: https://github.com/siemonster/wazuh-docker/blob/master/docker-compose.yml
siemonster wazuh-docker kibana config files: https://github.com/siemonster/wazuh-docker/tree/master/kibana
siemonster wazuh-docker kibana.yml: https://github.com/siemonster/wazuh-docker/blob/master/kibana/config/kibana.yml
siemonster wazuh-docker kibana Dockerfile: https://github.com/siemonster/wazuh-docker/blob/master/kibana/Dockerfile

I am studying them now. However, I'd appreciate it if you can help me out of this situation.

Allen

Allen Shau wrote in a message on Tuesday, February 22, 2022 at 12:13:27 PM [UTC+8]:

Maximiliano Ibarra

Feb 25, 2022, 7:16:16 AM
to Wazuh mailing list
Hi Allen.
I'm Maximiliano, I will continue with your topic.
I have been researching more about the SIEMonster integration with Wazuh.
I suggest you try the siemonster/wazuh-monster official Docker container and tell me how it went.
I found some useful videos on the SIEMonster YouTube channel. They have a Wazuh webinar.
I hope I've helped you. We'll keep in touch.
Best regards

Allen Shau

Mar 2, 2022, 4:52:47 AM
to Wazuh mailing list
Hi Maximiliano,

Thanks for your info. However, the webinars are high-level courses. :(

I just found the root cause of why every container restart erases all my work in the Kibana of SIEMonster CE.
The kibana.service uses docker rm -f kibana and docker run kibana as its design concept.

Now I need to find out how to create a new upper layer for the image or modify the kibana.service.

Testing still.

One question, if you have an answer:
Because I was able to install the extra plugin into the Wazuh Docker Kibana by using Docker Desktop for Windows 10,
and I found the kibana.service of systemd on Linux,
do you know what the equivalent config is in Windows Docker Desktop?
I could not find it in WSL2 or the Windows OS... :(

Allen

maximilia...@wazuh.com wrote in a message on Friday, February 25, 2022 at 8:16:16 PM [UTC+8]:
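Allen's finding in this message (a unit that removes the container and runs a fresh one) can be confirmed on any host with two quick checks: does the systemd unit's Exec* lines delete and recreate the container, and does the plugin exist only in the container's writable layer (what `docker diff` reports)? The script below is an added example, not code from the thread or from SIEMonster or Wazuh. It assumes a constructed unit file modelled on that rm/run pattern and constructed `docker diff` output, both embedded so it runs offline; the unit path /etc/systemd/system/kibana.service in the closing comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread, not SIEMonster's or Wazuh's code):
# two offline checks for the situation described above. The sample unit and
# the sample `docker diff` output below are constructed to match the pattern
# Allen found (rm -f + run); they are not the real SIEMonster files.

# Exit 0 if any Exec* directive in the systemd unit removes or (re)creates
# the container, which means the container's writable layer (and any plugin
# installed with kibana-plugin) is discarded on every start.
unit_recreates_container() {
    unit_file=$1
    grep -E '^Exec(Start|StartPre|StartPost|Stop|StopPost)=' "$unit_file" \
        | sed 's/^[^=]*=[-+@!:]*//' \
        | grep -Eq '(^|[[:space:];&|/])docker[[:space:]]+(container[[:space:]]+)?(rm|run|create)([[:space:]]|$)'
}

# Read `docker diff <container>` output on stdin and print the paths that were
# added (A) or changed (C) under the Kibana plugins directory. Anything listed
# exists only in the container's writable layer, not in the image.
plugin_layer_changes() {
    plugins_dir=${1:-/usr/share/kibana/plugins}
    awk -v dir="$plugins_dir" '
        ($1 == "A" || $1 == "C") && index($2, dir "/") == 1 { print $2 }
    '
}

# Constructed sample unit with the rm/run design the thread describes.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Kibana container (constructed sample, not the real unit)
After=docker.service
Requires=docker.service

[Service]
Restart=always
ExecStartPre=-/usr/bin/docker rm -f kibana
ExecStart=/usr/bin/docker run --name kibana -p 5601:5601 kibana:7.10.2
ExecStop=/usr/bin/docker stop kibana

[Install]
WantedBy=multi-user.target
EOF
}

# Constructed `docker diff` output: the installed plugin plus unrelated noise.
SAMPLE_DIFF='C /usr/share/kibana
C /usr/share/kibana/plugins
A /usr/share/kibana/plugins/kbn_network
A /usr/share/kibana/plugins/kbn_network/kibana.json
C /tmp
A /tmp/kbn_network-7.10.2.zip'

diagnose() {
    tmp=$(mktemp)
    write_sample_unit "$tmp"
    if unit_recreates_container "$tmp"; then
        echo "unit recreates the container on every (re)start: writable-layer changes will not survive"
    else
        echo "unit only stops/starts the existing container"
    fi
    rm -f "$tmp"
    echo "plugin files that live only in the writable layer:"
    printf '%s\n' "$SAMPLE_DIFF" | plugin_layer_changes
}

diagnose
# On a real host, run the same checks against the live unit and container:
#   unit_recreates_container /etc/systemd/system/kibana.service && echo recreates
#   docker diff wazuh-docker_kibana_1 | plugin_layer_changes
```

If the first check reports that the unit recreates the container and the second lists the plugin directory, the two together explain the symptom: the plugin was written into a layer that the unit throws away, so no restart method (systemctl, service, or docker restart followed by the unit's own rm/run) can keep it.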

Maximiliano Ibarra

Mar 4, 2022, 12:30:33 PM
to Wazuh mailing list
Hi Allen.
Thanks for your reply.
Sorry, but I'm not sure I understood your doubt (problem).
You need to find an equivalent for systemd on Windows, right?
I found an article on reddit: https://www.quora.com/Operating-Systems-What-would-you-say-is-an-equivalent-of-Linuxs-systemd-on-a-Windows-OS#:~:text=The%20wininit%20and%20SCM%20wwould,and%20load%20services%20during%20startup.
Please, if you need help, add some screenshots so I can understand more about the context.
Best regards

Allen Shau

Mar 4, 2022, 11:07:47 PM
to Wazuh mailing list
Hi Maximiliano,

Sorry for not being more precise.
My situation and my question are:
1. SIEMonster CE (the production environment I am using) uses Ubuntu as its base OS to integrate the Wazuh containers.
     In this environment, Ubuntu uses systemd and kibana.service to handle the auto-start/restart procedures.
     And the SIEMonster CE Kibana uses deleting the current Kibana container (docker rm) and re-creating a brand new Kibana container (docker run).
     So any work I did in the Kibana container, to install a Kibana plugin I need, was gone after the restart process (needed to take effect).
     This is the origin of my question.
2. Because I had another pure Wazuh Docker setup (a testing env.) installed on Windows 10 + Docker Desktop,
     I tried to install a Kibana plugin into this Wazuh and it stayed installed no matter how many times I restarted the Kibana container.
     So I'd like to know what the pure Wazuh restart procedure is, while SIEMonster CE deletes and re-creates a container.
3. The problem is that the pure Wazuh I have is Windows 10 + Docker Desktop based. There is no systemd control in that.
     I tried to find out if there is a kibana.service (or an equivalent one) in Windows 10, such as in Windows WSL2 or the Windows native service itself.
     So far I found nothing, and I have no time to re-install a pure Wazuh based on Ubuntu + Docker just to see the kibana.service file. :(
     So I am asking if you know what it would be, or if you have one, or if you know where to get one.

Above is my testing story for installing a Kibana plugin in SIEMonster CE so far.

Update something here of my current progress in my SIEMonster CE, just in case someone needs some information.
1. I used 'Restart=no' instead of 'Restart=always' in kibana.service (Linux systemd);
2. By just using docker restart, I now can use the new kibana plugin in SIEMonster CE Wazuh Visualization;
3. If the OS reboots, SIEMonster CE still deletes and re-creates my Kibana container. This means my plugin is gone again.
4. I am still working on this point: to keep my work after the OS reboot.

Regards,
Allen

maximilia...@wazuh.com wrote in a message on Saturday, March 5, 2022 at 1:30:33 AM [UTC+8]:
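The durable fix Allen is still working toward in point 4 (keeping the plugin across the delete-and-recreate, and therefore across a reboot) is to put the plugin into an image layer rather than the container's writable layer, then have the unit run that image; `Restart=no` only avoids the rm/run on a manual restart, not on boot. The script below is an added example, not code from the thread or from SIEMonster or Wazuh. The image names wazuh/kibana:7.10.2 and wazuh/kibana:7.10.2-kbn_network are assumptions (use whatever image your ExecStart actually runs), the plugin URL is the one Allen posted, and the unit file edited in the demo is a constructed two-line stand-in for the real one.

```shell
#!/bin/sh
# Added example (not from the thread, not SIEMonster's or Wazuh's code):
# make the plugin survive a kibana.service that does "docker rm -f" + "docker
# run" by installing it into an image layer at build time, then pointing the
# unit's ExecStart at that image. Image names below are assumptions; use the
# image your unit actually runs. The plugin URL is the one from the thread.
BASE_IMAGE=wazuh/kibana:7.10.2            # assumed: whatever image ExecStart runs today
NEW_IMAGE=wazuh/kibana:7.10.2-kbn_network # assumed: new tag that carries the plugin
PLUGIN_URL=https://github.com/dlumbrer/kbn_network/releases/download/7.10.0-1/kbn_network-7.10.0.zip

# 1) Dockerfile that installs the plugin during "docker build", so it is part
#    of the image and cannot be lost when the container is removed.
#    $1 base image, $2 plugin zip URL, $3 output path
write_plugin_dockerfile() {
    base=$1; plugin=$2; out=$3
    cat > "$out" <<EOF
FROM $base
# Plugin lives in this image layer, not in the disposable container layer.
# For a zip on the build host, COPY it into the image first and install from file:///.
RUN /usr/share/kibana/bin/kibana-plugin install "$plugin"
EOF
}

# 2) Rewrite the image reference on the unit's ExecStart line(s), keeping the
#    rm/run design intact; the original is kept as <unit>.bak.
#    $1 unit file, $2 old image reference, $3 new image reference
retag_unit_image() {
    unit=$1; old=$2; new=$3
    cp "$unit" "$unit.bak"
    old_re=$(printf '%s' "$old" | sed 's/[.+]/\\&/g')   # escape regex metacharacters
    new_esc=$(printf '%s' "$new" | sed 's/&/\\&/g')     # escape sed replacement "&"
    sed -E -i.tmp "s#^(ExecStart=.*[[:space:]])${old_re}([[:space:]]|\$)#\1${new_esc}\2#" "$unit"
    rm -f "$unit.tmp"
}

demo() {
    work=$(mktemp -d)
    write_plugin_dockerfile "$BASE_IMAGE" "$PLUGIN_URL" "$work/Dockerfile"
    # constructed two-line stand-in for the real unit
    printf 'ExecStartPre=-/usr/bin/docker rm -f kibana\nExecStart=/usr/bin/docker run --name kibana -p 5601:5601 %s\n' \
        "$BASE_IMAGE" > "$work/kibana.service"
    retag_unit_image "$work/kibana.service" "$BASE_IMAGE" "$NEW_IMAGE"
    cat "$work/Dockerfile" "$work/kibana.service"
    rm -rf "$work"
}

demo
# On the real host (as root), the same functions are applied to the live files:
#   write_plugin_dockerfile "$BASE_IMAGE" "$PLUGIN_URL" ./Dockerfile
#   docker build -t "$NEW_IMAGE" .
#   retag_unit_image /etc/systemd/system/kibana.service "$BASE_IMAGE" "$NEW_IMAGE"
#   systemctl daemon-reload && systemctl restart kibana
# "docker commit wazuh-docker_kibana_1 $NEW_IMAGE" also snapshots the writable
# layer into an image, but it captures everything in that layer (the zip in
# /tmp included), so the Dockerfile is the reproducible route.
```

After this, the unit may keep its `docker rm -f` + `docker run` design and `Restart=always`: every fresh container starts from an image that already contains the plugin, so a service restart or a reboot no longer loses it. The same Dockerfile is also the natural place to pin the plugin version to the Kibana version (7.10.2 in Allen's case) so a later image update does not silently reintroduce a mismatch.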