Anomaly detection setup in kubernetes deployment


Aishwarya Vinod

Jul 10, 2024, 4:59:42 AM7/10/24
to Wazuh | Mailing List
Hi Team,

I have set up Wazuh in a Kubernetes environment on GKE. The setup is complete and all pods are working as expected. I need to apply some custom configurations to the existing master StatefulSet manifest file. I have gone through the anomaly detection setup for Wazuh in this doc: https://wazuh.com/blog/enhancing-it-security-with-anomaly-detection/. Has anyone tried this setup in an existing Kubernetes environment? If so, please give me some suggestions, as I am facing container issues while trying to set up anomaly detection in Kubernetes.

Tomas Benitez Vescio

Jul 10, 2024, 1:43:15 PM7/10/24
to Wazuh | Mailing List
Hi,

Could you share exactly what steps you have taken so far and what issues you are facing?

Aishwarya Vinod

Jul 11, 2024, 3:17:15 AM7/11/24
to Wazuh | Mailing List
Hi Tomas, thanks for the response.

I am currently trying to customize master-sts.yaml (https://github.com/wazuh/wazuh-kubernetes/blob/master/wazuh/wazuh_managers/wazuh-master-sts.yaml) to install the OpenSearch Anomaly Detection plugin. My dashboard is version 4.8. As per the steps mentioned in https://wazuh.com/blog/enhancing-it-security-with-anomaly-detection/, we need to download the version of OpenSearch Dashboards compatible with the Wazuh version. My Wazuh version is 4.8. As per the release notes (https://documentation.wazuh.com/current/release-notes/release-4-8-0.html#:~:text=%232563%20Bumped%20Wazuh%20dashboard%20to%20OpenSearch%20Dashboards%202.10.0.) I see that I need to use OpenSearch 2.10.0. Can you suggest what changes are needed to the existing commands? I am able to install the anomaly dashboard; however, I am unable to see the anomaly dashboard section in the Wazuh dashboard after installation. I added a lifecycle postStart hook to my container to execute the steps below (changed the version to 2.10):

1. Download the OpenSearch Dashboard 2.6.0 package:

curl https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.6.0/opensearch-dashboards-2.6.0-linux-x64.tar.gz -o opensearch-dashboards.tar.gz

2. Extract the OpenSearch Dashboard 2.6.0 package:

tar -xvzf opensearch-dashboards.tar.gz

3. Copy the anomalyDetectionDashboards plugin files to the /usr/share/wazuh-dashboard/plugins directory:

cp -r opensearch-dashboards-2.6.0/plugins/anomalyDetectionDashboards/ /usr/share/wazuh-dashboard/plugins/

Optional: Remove the downloaded OpenSearch Dashboards files after copying them to the Wazuh dashboard plugins directory:

rm -rf opensearch-dashboards-2.6.0/ opensearch-dashboards.tar.gz

4. Change the ownership and permissions of the files:

chown -R wazuh-dashboard:wazuh-dashboard /usr/share/wazuh-dashboard/plugins/anomalyDetectionDashboards/
chmod -R 750 /usr/share/wazuh-dashboard/plugins/anomalyDetectionDashboards/

5. Restart the Wazuh dashboard for the changes to take effect:

systemctl restart wazuh-dashboard



Is this the correct approach? I am unable to find the anomaly detection option in the dashboard sections on the web UI.
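
The install procedure above, as an added example that is not part of the original post, the Wazuh project or the blog it cites: a POSIX shell script meant to run from a Kubernetes initContainer rather than a postStart hook. It picks the OpenSearch Dashboards bundle version from the dashboard's own package.json instead of hard-coding 2.6.0 or 2.10.0, and refuses to copy a plugin built for a different release. Assumptions (not confirmed by the thread): /usr/share/wazuh-dashboard/package.json carries the embedded OpenSearch Dashboards release in its "version" field, the plugin's opensearch_dashboards.json declares the release it was built for in "opensearchDashboardsVersion", and all function names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the Wazuh project or the anomaly detection blog.
# Installs anomalyDetectionDashboards into a Wazuh dashboard tree from the
# OpenSearch Dashboards bundle whose version matches the dashboard itself.
# Assumed layout: $dashboard_home/package.json ("version" = embedded
# OpenSearch Dashboards release) and $dashboard_home/plugins/.
set -eu

# Read the OpenSearch Dashboards release a Wazuh dashboard tree is built on
# (assumption: it is the top-level "version" field of package.json).
osd_version_from_package_json() {
    sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Download URL of the matching OpenSearch Dashboards bundle (same layout as the
# URL in the blog steps, with the version substituted).
osd_bundle_url() {
    echo "https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/$1/opensearch-dashboards-$1-linux-x64.tar.gz"
}

# Release a plugin declares it was built for (assumption: the
# "opensearchDashboardsVersion" field of its opensearch_dashboards.json).
plugin_target_version() {
    sed -n 's/^[[:space:]]*"opensearchDashboardsVersion":[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Copy the plugin out of an already-downloaded bundle tarball into
# $dashboard_home/plugins, refusing on a version mismatch. Prints the
# installed version on success, returns 1 on failure.
install_ad_plugin() {
    tarball="$1"
    dashboard_home="$2"
    want=$(osd_version_from_package_json "$dashboard_home/package.json")
    tmp=$(mktemp -d)
    tar -xzf "$tarball" -C "$tmp"
    src="$tmp/opensearch-dashboards-$want/plugins/anomalyDetectionDashboards"
    if [ ! -d "$src" ]; then
        echo "bundle does not contain anomalyDetectionDashboards for OpenSearch Dashboards $want" >&2
        rm -rf "$tmp"
        return 1
    fi
    have=$(plugin_target_version "$src/opensearch_dashboards.json")
    if [ "$have" != "$want" ]; then
        echo "plugin targets OpenSearch Dashboards $have but the dashboard is $want" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$dashboard_home/plugins/anomalyDetectionDashboards"
    cp -r "$src" "$dashboard_home/plugins/"
    chmod -R 750 "$dashboard_home/plugins/anomalyDetectionDashboards"
    rm -rf "$tmp"
    echo "$want"
}

# Typical use inside the initContainer (not run here):
#   v=$(osd_version_from_package_json /usr/share/wazuh-dashboard/package.json)
#   curl -fsSL "$(osd_bundle_url "$v")" -o /tmp/osd.tgz
#   install_ad_plugin /tmp/osd.tgz /usr/share/wazuh-dashboard
```

Two container-specific caveats the blog's steps do not cover: there is no systemd in the dashboard container, so step 5's `systemctl restart wazuh-dashboard` has no equivalent, and Kubernetes does not guarantee that a postStart hook runs before the container's entrypoint, so a plugin copied from postStart can land after OpenSearch Dashboards has already scanned its plugins directory and will not show up in the UI until the pod restarts. Running the script from an initContainer that writes into a volume mounted at the plugin path in the dashboard container avoids both; if the initContainer runs with the same `runAsUser` as the dashboard container (an assumption about your manifest), the `chown` from step 4 is unnecessary. The version check matters because OpenSearch Dashboards rejects plugins built for a different release, and that rejection surfaces in the dashboard logs at startup rather than anywhere in the web UI.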

Tomas Benitez Vescio

Jul 11, 2024, 8:29:11 AM7/11/24
to Wazuh | Mailing List
What's the output you see when running the following command? Does "anomalyDetectionDashboards" appear there?
  • sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin list
Also, do you see any error logs when executing the following?
  • journalctl -u wazuh-dashboard
  • cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
