    Kibana Wazuh Agent isn't showing anything in integrity

      IRJ @DustinB3403

      @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

      @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

      @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

      @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

      Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

      Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

      I am not saying it's a bad thing at all. It's what you should be doing. I am just telling you that you cannot expect to run an unauthenticated query from the CLI and expect it to return results.

      Are you running wazuh and ELK on the same server? If so then using SSL on elastic isn't necessary, but I guess it's not a bad thing either.

      If ELK and wazuh are separated then you absolutely need it. You still need SSL for accessing kibana of course.

        DustinB3403 @IRJ

        @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

        @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

        @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

        @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

        @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

        Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

        Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

        I am not saying it's a bad thing at all. It's what you should be doing. I am just telling you that you cannot expect to run an unauthenticated query from the CLI and expect it to return results.

        Are you running wazuh and ELK on the same server? If so then using SSL on elastic isn't necessary, but I guess it's not a bad thing either.

        Same VM

        If ELK and wazuh are separated then you absolutely need it.

        Same VM

        You still need SSL for accessing kibana of course.

        All on the LAN, nothing publicly hosted, the desire is to just lock it away from anyone who shouldn't be on it (even though the bulk of those would be our employees)

          DustinB3403

          And SSL on an Internal only webpage is a PITA.

            DustinB3403 @IRJ

            @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

            @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

            @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

            Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

            Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["warning","searchguard"],"pid":942,"message":"\"Do not fail on forbidden\" is not enabled. Please refer to the documentation: https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-elasticsearch-enable-do-not-fail-on-forbidden"}
            Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["status","plugin:[email protected]","info"],"pid":942,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
            Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500        ERROR        pipeline/output.go:100        Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
            Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500        INFO        pipeline/output.go:93        Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 6 reconnect attempt(s)
            Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500        ERROR        pipeline/output.go:100        Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
            Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500        INFO        pipeline/output.go:93        Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 7 reconnect attempt(s)
            
              DustinB3403

              Which that is tied in specifically with the Safe Guard plugin

                IRJ @DustinB3403

                @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                Which that is tied in specifically with the Safe Guard plugin

                If it's on the same host, then just do an nginx reverse proxy.

                  IRJ

                  Also do iptables rules to block all incoming 9200 and 5601 traffic as you will not need it

                    DustinB3403 @IRJ

                    @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                    @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                    Which that is tied in specifically with the Safe Guard plugin

                    If it's on the same host, then just do an nginx reverse proxy.

                    (I've never set one up) 😐

                      IRJ @DustinB3403

                      @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                      @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                      @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                      Which that is tied in specifically with the Safe Guard plugin

                      If it's on the same host, then just do an nginx reverse proxy.

                      (I've never set one up) 😐

                      Install NGINX

                      apt-get -y install nginx
                      

                      Generate self-signed cert for Kibana

                      mkdir -p /etc/ssl/certs /etc/ssl/private
                      openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem
                      

                      Set up config file for NGINX

                      cat > /etc/nginx/sites-available/default <<\EOF
                      server {
                          listen 80;
                          listen [::]:80;
                          return 301 https://$host$request_uri;
                      }
                      
                      server {
                          listen 443 default_server;
                          listen            [::]:443;
                          ssl on;
                          ssl_certificate /etc/ssl/certs/kibana-access.pem;
                          ssl_certificate_key /etc/ssl/private/kibana-access.key;
                          access_log            /var/log/nginx/nginx.access.log;
                          error_log            /var/log/nginx/nginx.error.log;
                          location / {
                              auth_basic "Restricted";
                              auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
                              proxy_pass http://localhost:5601/;
                          }
                      }
                      EOF
                      

                      Enable authentication by password for Kibana

                      apt-get -y install apache2-utils
                      

                      Set username and password for Kibana access. Replace <user> with your desired username

                      htpasswd -c /etc/nginx/conf.d/kibana.htpasswd <user>
                      
                      

                      Restart NGINX

                      systemctl restart nginx
                      
                        DustinB3403 @IRJ

                        @IRJ Okay, ran all of that.

                        How do I confirm the reverse proxy is working properly now?

                          IRJ @DustinB3403

                          @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                          @IRJ Okay, ran all of that.

                          How do I confirm the reverse proxy is working properly now?

                          Access Kibana on 443 and it should prompt you for a pw.

                            DustinB3403 @IRJ

                            @IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?

                              DustinB3403 @DustinB3403

                              @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                              @IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?

                              Not that. . .

                                DustinB3403

                                Nginx just isn't doing it. Being the first time I've set this up doesn't really help either.

                                  DustinB3403

                                  Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.

                                  Error code: SSL_ERROR_RX_RECORD_TOO_LONG

                                  server {
                                  	listen 80;
                                  	listen [::]:80;
                                  	listen 5601;
                                  	listen [::]:5601;
                                  	return 301 https://$host$request_uri;
                                  }
                                  
                                  server {
                                  	listen 443 ssl;
                                  	listen [::]:443;
                                  	ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
                                  	ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
                                  	access_log            /var/log/nginx/nginx.access.log;
                                  	error_log            /var/log/nginx/nginx.error.log;
                                  	location / {
                                  		auth_basic "Restricted";
                                  		auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
                                  		proxy_pass http://localhost:5601/;
                                  	}
                                  }
                                  
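A lint for the two listener problems in the config posted above, as an added example that is not part of the original thread: nginx bound to the port it proxies to, and a 443 listener on the certificate-bearing server block that lacks the `ssl` parameter. A browser that speaks TLS to a plain-HTTP listener reports exactly the SSL_ERROR_RX_RECORD_TOO_LONG error quoted above. The function name, the finding labels and the `FIXED_CONF` variant are constructed for illustration.

```shell
# Added example, not from the thread. Reads an nginx config on stdin, prints
# one finding per line and returns non-zero if any. Line-based: expects one
# directive per line and "server {" on a single line.
lint_nginx_proxy() {
    awk '
    function report(msg) { print msg; found++ }
    {
        sub(/#.*/, "")                        # strip comments
        opens  = gsub(/[{]/, "{")             # count braces on this line
        closes = gsub(/[}]/, "}")
        if ($1 == "server" && opens) {        # a server block starts here
            in_srv = 1; srv_depth = depth + 0; nl = 0; cert = 0; sslon = 0
        }
        gsub(/[;{}]/, " ")                    # keep only the directive words
        if ($1 == "listen") {
            port = $2; sub(/^.*:/, "", port)  # "[::]:443" -> "443"
            listening[port] = 1
            has_ssl = 0
            for (i = 3; i <= NF; i++) if ($i == "ssl") has_ssl = 1
            if (!has_ssl) plain[++nl] = $2
        }
        # "ssl on;" is the older form of "listen ... ssl" (obsolete since nginx 1.15.0).
        if ($1 == "ssl" && $2 == "on") { sslon = 1; report("ssl-on-obsolete") }
        if ($1 == "ssl_certificate") cert = 1
        if ($1 == "proxy_pass" && match($2, /\/\/(localhost|127\.0\.0\.1):[0-9]+/)) {
            up = substr($2, RSTART, RLENGTH); sub(/^.*:/, "", up)
            upstream[up] = 1                  # local port the backend owns
        }
        depth += opens - closes
        if (in_srv && depth <= srv_depth) {   # the server block just closed
            # With a certificate set, a listener without "ssl" still answers in plain HTTP.
            if (cert && !sslon)
                for (i = 1; i <= nl; i++) report("plaintext-listener " plain[i])
            in_srv = 0
        }
    }
    END {
        # nginx on the backend port collides with the backend or proxies to itself.
        for (p in upstream) if (p in listening) report("listens-on-upstream " p)
        exit (found > 0)
    }'
}

# Constructed sample: the config as posted above, log directives omitted.
POSTED_CONF='server {
    listen 80;
    listen [::]:80;
    listen 5601;
    listen [::]:5601;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}'

# Same config with both findings addressed (constructed).
FIXED_CONF=$(printf '%s\n' "$POSTED_CONF" |
    sed -e '/listen.*5601;/d' -e 's/listen \[::\]:443;/listen [::]:443 ssl;/')
printf '%s\n' "$POSTED_CONF" | lint_nginx_proxy || echo "posted config: findings listed above"
printf '%s\n' "$FIXED_CONF" | lint_nginx_proxy && echo "fixed config: no findings"
```

The script only looks at the listener layout; `nginx -t` is still the check for syntax and file access.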
                                    DustinB3403

                                    Without the 5601 ports and if I add under server ssl on; the connection just never responds and times out.

                                      DustinB3403

                                      Looks like a permissions issue for the kibana user.

                                      Dec 18 09:08:25 wazuh.localdomain kibana[11090]: {"type":"log","@timestamp":"2019-12-18T14:08:25Z","tags":["fatal","root"],"pid":11090,"message":"{ Error: EACCES: permission denied, open '/etc/pki/tls/private/kibana-access.key'\n    at Object.openSync (fs.js:439:3)\n    at readFileSync (fs.js:344:35)\n    at getServerOptions (/usr/share/kibana/src/core/server/http/http_tools.js:81:33)\n    at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:68:60)\n    at HttpService.runNotReadyServer (/usr/share/kibana/src/core/server/http/http_service.js:137:26)\n    at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:60:18)\n  errno: -13,\n  syscall: 'open',\n  code: 'EACCES',\n  path: '/etc/pki/tls/private/kibana-access.key' }"}
                                      Dec 18 09:08:25 wazuh.localdomain kibana[11090]:  FATAL  Error: EACCES: permission denied, open '/etc/pki/tls/private/kibana-access.key'
                                      

                                      Looking into that.

                                        DustinB3403

                                        Finally got the website to respond via SSL at https://192.168.1.100:5601/kibana but I didn't get greeted with an nginx login page. . .

                                          IRJ @DustinB3403

                                          @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                                          Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.

                                          Error code: SSL_ERROR_RX_RECORD_TOO_LONG

                                          server {
                                              listen 80;
                                              listen [::]:80;
                                              listen 5601;
                                              listen [::]:5601;
                                              return 301 https://$host$request_uri;
                                          }

                                          server {
                                              listen 443 ssl;
                                              listen [::]:443;
                                              ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
                                              ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
                                              access_log /var/log/nginx/nginx.access.log;
                                              error_log /var/log/nginx/nginx.error.log;
                                              location / {
                                                  auth_basic "Restricted";
                                                  auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
                                                  proxy_pass http://localhost:5601/;
                                              }
                                          }

                                          Why are you listening on 5601?

                                          proxy_pass http://localhost:5601/; will redirect 5601 to 443

                                            DustinB3403 @IRJ

                                            @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                                            @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                                            Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.

                                            Error code: SSL_ERROR_RX_RECORD_TOO_LONG

                                            server {
                                              listen 80;
                                              listen [::]:80;
                                              listen 5601;
                                              listen [::]:5601;
                                              return 301 https://$host$request_uri;
                                            }
                                            
                                            server {
                                              listen 443 ssl;
                                              listen [::]:443;
                                              ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
                                              ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
                                              access_log            /var/log/nginx/nginx.access.log;
                                              error_log            /var/log/nginx/nginx.error.log;
                                              location / {
                                              	auth_basic "Restricted";
                                              	auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
                                              	proxy_pass http://localhost:5601/;
                                              }
                                            }
                                            

                                            Why are you listening on 5601?

                                            proxy_pass http://localhost:5601/; will redirect 5601 to 443

                                            That is no longer in the file, I was testing with it. The below is current.

                                            server {
                                            	listen 80;
                                            	listen [::]:80;
                                            	return 301 https://$host$request_uri;
                                            }
                                            
                                            server {
                                            	listen 443 ssl;
                                            	listen [::]:443;
                                            	ssl on;
                                            	ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
                                            	ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
                                            	access_log            /var/log/nginx/nginx.access.log;
                                            	error_log            /var/log/nginx/nginx.error.log;
                                            	location / {
                                            		auth_basic "Restricted";
                                            		auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
                                            		proxy_pass http://localhost:5601/;
                                            	}
                                            }