Wazuh API for Kibana

[Matt Schenkman]

Hi,

We've configured Wazuh and can successfully access the API via web browser or CURL command. However, the Kibana app fails to connect to the API with an error of:

3005 - Request failed with status code 404

Our yml on Kibana is super simple and references the IP of the wazuh server, which is separate from ELK. The API yaml on Wazuh is pretty simple as well, listening on 0.0.0.0 and disabling SSL.

Any help would be appreciated as I feel like it's simple and staring me in the face.

Here's the odd thing: If I check the dev tools and test connection, the check-api references the IP of the ELK server, not the Wazuh-manager.

Thanks in advance!

[elw...@wazuh.com]

Hello Matt,

Having the ckeck-api references to the IP of ELK instead of Wazuh manager may points to that the IP is not specified in the correct file YAML. Can you please check /usr/share/kibana/optimize/wazuh/config/wazuh.yml that it has the correct IP, Note that by default (Step 8 https://documentation.wazuh.com/4.0/installation-guide/open-distro/distributed-deployment/step-by-step-installation/kibana/index.html#kibana) the communication and is encrypted and following credentials must be used :

hosts:
  - default:
     url: https://localhost
     port: 55000
     username: wazuh
     password: wazuh


If that did not fix it. Please share the version of Wazuh and Kibana used also the YAML file (with the path) you are referring to, Screenshots and more information will be helpful.

Hope this helps,
Regards,
Wali

[Matt Schenkman]

Thanks Wali.

Here's the output of the yml file:

hosts:
  - elastic:
     url: http://10.10.10.225

     port: 55000
     username: wazuh
     password: wazuh

.225 is remote to the kibana server, which is at .245

SSL is disabled in the config.js for wazuh API.

we're on Elastic and Kibana 7.9.2 and Wazuh 4.0.2 which might explain the issue. I'm trying to get the pre-reqs setup.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/nU8d6NqzGPY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/52f06745-c11b-4f61-b376-404813414d1fn%40googlegroups.com.

--

Matt Schenkman IT Operations Manager FCP Euro   m. 347.416.NERD e. matt.sc...@fcpeuro.com w. fcpeuro.com Every Part You Buy Is GUARANTEED FOR LIFE

[Matt Schenkman]

We updated Kibana and Elasticsearch to 7.9.3, and finally found another .js file that we had to update to reference the correct external IP. Now we have this:

I tried creating the indices per this article: https://documentation.wazuh.com/4.0/user-manual/kibana-app/troubleshooting.html#no-template-found-for-the-selected-index-pattern with no luck

I appreciate that this is open source, but the documentation seems significantly off.

Thanks,

~Matt

[Juan Carlos]

Hello Matt,

With the latest revision of the Wazuh Kibana App a fix was released because under certain conditions the Index Pattern title was being overwritten.

The easiest way to work around this issue is to delete the index pattern and then open again the Wazuh Kibana Plugin. To do this select the menu on the top left corner, then Stack Management → Index Patterns → Select the offending index pattern and then the delete button:

 

When opening the Wazuh app it will briefly indicate the pattern is missing and that it will then recreate it.

Let us know if the issue persists or if you have any other questions that we could help with.

Best Regards,

Juan Carlos Tello

[Matt Schenkman]

All I have in stack management are the 2 indices it created for wazuh that it can't find (monitoring and stats)

Still gives me a handful of errors (same as the original screenshot)

The selected index-pattern is not present.

No template found for the selected index-pattern.

Health Check. Error: Could not locate that index-pattern (id: 02684010-2e75-11eb-b623-fdf4cfd851bb), [click here to re-create it](management/kibana/indexPatterns)

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/db7970a5-80ee-43c6-b15c-f97c029f7a3fn%40googlegroups.com.

[Juan Carlos]

Hi Matt,

It would be under Index Patterns instead of Index Management.

My previous screenshot was from Open Distro so I apologize if things look different in your environment.

In your case you may find it here:

However it is also true that if the wazuh-alerts-YYYY-mm-dd has not been created filebeat has not the shipped the data to Elasticsearch.

For this, I recommend verifying the Filebeat configuration by running:

filebeat test output

on the Wazuh Manager computer. If it doesn't indicate any issue, make sure the service is running (systemctl start filebeat)

Let us know if this works.

Best Regards,

Juan Carlos Tello

[Matt Schenkman]

  I fixed a filebeat error and am now getting successful test outputs. We send directly to elastic and skip logstash, unless you tell me that's what's breaking this.

elasticsearch: http://10.10.10.245:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.10.10.245
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3

Service is up and running.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a16381d8-0573-42eb-b3ee-e3992acc6d09n%40googlegroups.com.

[Matt Schenkman]

I mean to say that the service is running, I fixed an error that was preventing filebeat from sending, and am still getting the same database errors I shared above.

[Juan Carlos]

Hi Matt,

I'm glad the Filebeat error has been found and fixed.

Did you delete the index pattern?

If by database errors you mean:

Health Check. Error: Could not locate that index-pattern (id: 02684010-2e75-11eb-b623-fdf4cfd851bb), [click here to re-create it](management/kibana/indexPatterns)

Then deleting the index pattern and opening the Wazuh app within Kibana should remedy this.

Best Regards,

Juan Carlos Tello

[Matt Schenkman]

I deleted the index patterns and restarted everything. It did not fix the issue.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/01096f15-7c6b-4b74-8109-fb60e7c97dd1n%40googlegroups.com.

[elw...@wazuh.com]

Hello Matt,

Would you please perform the following :

• Make sure Filebeat is reading the `alerts.json` with `lsof /var/ossec/logs/alerts/alerts.json` should outputs :
  
  COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
  filebeat  2795   root    8r   REG    8,1    56915 70016512 /var/ossec/logs/alerts/alerts.json
  ossec-int 3837 ossecm    4r   REG    8,1    56915 70016512 /var/ossec/logs/alerts/alerts.json
  ossec-ana 4182  ossec   11w   REG    8,1    56915 70016512 /var/ossec/logs/alerts/alerts.json
  
  
  
• Load the template and Wazuh module : filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
  
  
  
• Restart Filebeat : systemctl restart filebeat
  

If the above did not fix it. Please share following :

• curl -u elastic https://localhost:9200/_cat/indices
• curl -u elastic https://localhost:9200/_cluster/health
• curl -u elastic https://localhost:9200/_cat/templates

Hope this helps.

Regards,
Wali

[elw...@wazuh.com]

Hello Matt,

Glad you figured out the issue.

Indeed you can use the public API of virustotal but be aware of the limitations : https://documentation.wazuh.com/4.0/user-manual/capabilities/virustotal-scan/about.html#terms-of-service

Could you please elaborate on this question: Will everything without an alert history show as empty like the vulnerability module? 

Please make sure to use reply all so that everyone can benefit from the discussion.

Regards,
Wali

[Matt Schenkman]

No problem. So we're starting to enable different modules like docker listener. I fixed an issue where the index pattern didn't include the whole string of wazuh-alerts-4.x-* and once I updated that the vulnerability module showed days.

We're now having an issue where the docket listener is configured on the docker server but sunny start and points back to the listener file. No other helpful errors.

Thanks for your help so far!

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fbc0ecbf-b81a-4cd1-b3f5-4bde336ee3b9n%40googlegroups.com.

[Matt Schenkman]

So, we're almost there. The only thing I'm not getting data returning for is Security Audit module. Can you shed some light? There's no config specifically for it in the docs that I saw.

[elw...@wazuh.com]

Hello Matt,

Glad you are making progress with everything.

Regarding the Audit module, it requires having auditd installed in the agents and monitor the audit.log file. A thorough guide on how to achieve the same here https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/.

Hope this helps.
Regards,
Wali

[Matt Schenkman]

Ok, so I was understanding the doc about who-dat and systemd. Right on. So it looks like we're pretty good at this point. Anything else to note or recommend? Thanks for the help.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3dc85b26-ad5a-421c-9ed6-7d253d32adban%40googlegroups.com.

[elw...@wazuh.com]

Hello Matt,

Great then :D.

Following resources can be helpful  :

• https://wazuh.com/blog/ : We frequently publish uses cases related to Wazuh
  
  
• https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide
  
  
• https://documentation.wazuh.com/4.0/learning-wazuh/
  
  
• https://wazuh.com/professional-services/#Training : Wazuh Training
  

You can also join the slack channel if you prefer:  https://wazuh.com/community/join-us-on-slack/

Regards,
Wali

[Matt Schenkman]

Ok, riddle me this:

DockerListener wasn't working at all. We get a cryptic error in the ossec.log:  wazuh-modulesd:docker-listener: ERROR: Cannot launch Docker integration. Please check the file '/var/ossec/wodles/docker/DockerListener'

We've not modified anything inside DockerListener.

As a test, I saw that there was an additional file called DockerListener.py installed on the wazuh-manager when we installed the listener over there attempting to get it working as the documentation was a little unclear. We copied that .py file to the agent in question and, upon manual execution of the python script, logs are received in ELK for DockerListener events.

There's almost no doc on the Listener, so any help you could provide would be appreciated. I emulated what I saw on Github, which was a .py Listener alone, but it didn't help either.

Thanks,

~Matt

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9f04ac8d-7f27-4de6-8ba7-84ce61bd69cbn%40googlegroups.com.

[Matt Schenkman]

OK, so I fixed it. I am attaching the steps taken. Right or wrong, this allows the DockerListener.py to run on a given machine via the Wazuh agent. I saw that the DockerListener installed on the wazuh-manager by accident had a functional DockerListener as well as a .py. I had to edit it a little for lack of the /framework folders

Install Agent

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

apt update

apt install wazuh-agent

Install Python for Docker

apt install python-pip

pip install docker

Edit Config

cd /var/ossec/etc/ossec.conf

add ManagerIP

add Docker Listener wodle:

<wodle name="docker-listener">

    <disabled>no</disabled>

</wodle>

Fix Broken default DockerListener

mv DockerListener DockerListener.py

copy dockerlistener config from below

nano DockerListener

paste in:

#!/bin/sh

# Copyright (C) 2015-2020, Wazuh Inc.

# Created by Wazuh, Inc. <in...@wazuh.com>.

# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2

WPYTHON_BIN="/usr/bin/python"

SCRIPT_PATH_NAME="$0"

DIR_NAME="$(cd $(dirname ${SCRIPT_PATH_NAME}); pwd -P)"

SCRIPT_NAME="$(basename ${SCRIPT_PATH_NAME})"

case ${DIR_NAME} in

    */active-response/bin | */wodles*)

        if [ -z "${WAZUH_PATH}" ]; then

            WAZUH_PATH="$(cd ${DIR_NAME}/../..; pwd)"

        fi

        PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"

    ;;

    */bin)

        if [ -z "${WAZUH_PATH}" ]; then

            WAZUH_PATH="$(cd ${DIR_NAME}/..; pwd)"

        fi

        PYTHON_SCRIPT="${WAZUH_PATH}/framework/scripts/${SCRIPT_NAME}.py"

    ;;

     */integrations)

        if [ -z "${WAZUH_PATH}" ]; then

            WAZUH_PATH="$(cd ${DIR_NAME}/..; pwd)"

        fi

        PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"

    ;;

esac

${WPYTHON_BIN} ${PYTHON_SCRIPT} "$@"

chown root:ossec DockerListener

chmod +x DockerListener

Systemctl enable wazuh-agent

systemctl start wazuh-agent

I had to remove a $ wazuh variable in the last line which got it running.

[elw...@wazuh.com]

Hello Matt,

Glad to see that everything is fixed now.

Hope you will enjoy it.

Regards,
Wali