Testing Open Distro #1319

Closed
3 tasks done
jesusgn90 opened this issue Mar 18, 2019 · 33 comments
jesusgn90 (Contributor) commented Mar 18, 2019

The recently released Open Distro alternative to Elasticsearch and Kibana comes with some useful features, and we may want to be fully integrated with it.

Regards

@jesusgn90 jesusgn90 added this to the 12th week sprint milestone Mar 18, 2019
@jesusgn90 jesusgn90 added this to To do in Wazuh TBD via automation Mar 28, 2019
@jesusgn90 jesusgn90 removed this from the 16th week sprint milestone Apr 22, 2019
vnil1994 commented May 6, 2019

Any ETA on this? We are very interested in utilizing both Wazuh and Opendistro together.

worldchanger commented

Have there been any updates on this? Watching this, also interested in utilizing both Wazuh and Opendistro together.

@jesusgn90 jesusgn90 removed this from To do in Wazuh TBD Jul 22, 2019
@jesusgn90 jesusgn90 added this to To do in Wazuh 3.11.0 via automation Jul 22, 2019
@jesusgn90 jesusgn90 removed this from To do in Wazuh 3.11.0 Sep 3, 2019
rlk5546 commented Sep 16, 2019

+1

snaow (Contributor) commented Sep 16, 2019

Hi @rlk5546,

We don't have any public documentation for OpenDistro + Wazuh (working on it) but we already have different environments and users using it.
I believe you can install the Wazuh App following the official documentation, the same way you would if you were using Elasticsearch (Elastic Stack).

We will try to create and publish a specific guide for OpenDistro + Wazuh.

rlk5546 commented Sep 18, 2019

Thank you @snaow, but installing is not the issue. The app installs fine as Kibana plugin.

I just wanted to give this an upvote as I continue to work on getting it to actually run. I have OpenDistro running in a production environment, so I am not using the demo certificates and my built-in users are not using the default passwords. This is the error I have received so far:

[Screenshot: Screen Shot 2019-09-16 at 10 10 38 AM]

This is the first run after installing the wazuh-kibana-app plugin. I could use more information on how to change what appears to be the default password for the kibanaserver user in wazuh-kibana-app, or how to change the user that wazuh-kibana-app uses, if you have it.

Again, just another +1, hoping you can get this documented soon.

Thank you,

rlk

Zakaria-Maj commented Oct 8, 2019

Hello Everyone,

I'm testing wazuh using Open Distro on my side, and here's what I found about the wazuh app:

First, as @rlk5546 mentioned, I also got the permission issue for the user kibanaserver, and I fixed it by giving that user admin rights.

After that, I configured the wazuh API credentials, then tested the connection successfully, and this is the error I got:

[Screenshot: Screen Shot 2019-09-13 at 10 21 11 AM]

I searched around and found that it can be fixed by deleting the .kibana/user indices, but the error will occur again since the indices will be recreated automatically. (It's not a final solution; it still needs to be checked.)

Another issue I noticed is that the wazuh app "Discover" is not responding (I'm blocked on this part):

[Screenshot: Screen Shot 2019-10-02 at 11 11 57 AM]

rlk5546 commented Nov 11, 2019

The kibanaserver user needs permissions to create the Wazuh index and template.

I solved this by creating a secondary role, ks-wazuh, with all permissions on wazuh-* including indices:data/read* and indices:data/write*.

Then I created a Role Mapping for ks-wazuh assigning kibanaserver as a user.

This allowed index creation, but I had to manually import the template. The first run took a couple of minutes to complete. Once this was done, Wazuh has run great so far.

rlk

Zakaria-Maj commented Nov 22, 2019

@rlk5546 Thanks for sharing that.

Could you please explain how you imported the template manually?

Also, what's your wazuh installation? (Wazuh version, Filebeat version, OpenDistro version, Kibana version.)

Thanks in advance

BR
ZM

rlk5546 commented Dec 6, 2019

Sorry for the delay.

ODFE v1.1
kibana (oss) 7.1.1
Elasticsearch (oss) v. 7.1.1oss
filebeat v7.1.1 and 6.8.3
wazuhapp v.3.9.3

I found the template here: https://raw.githubusercontent.com/wazuh/wazuh/v3.9.1/extensions/elasticsearch/7.x/wazuh-template.json

I imported it using cerebro: https://github.com/lmenezes/cerebro
I find cerebro much easier for management. It's a little tricky to get it to work with ODFE, though, since cerebro doesn't support SSL connections out of the box.

Otherwise you can import the template using Dev Tools: https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

The difficult part was finding the template. Importing it was the easy part. Once imported, Wazuh started and has been running fine so far. Just remember that the first run took a couple of minutes to complete.

rlk
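The role, role mapping and template import that rlk5546 describes in the two comments above, written up as an added example; this is not code from the thread or from Wazuh. It assumes an Open Distro 1.x node at https://localhost:9200, placeholder admin credentials, that the admin user is allowed to call the Security REST API (restapi.roles_enabled in the demo config), that `indices:admin/*` on wazuh-* is enough for index and mapping creation, and that the template JSON linked above has been saved locally as wazuh-template.json.

```python
import base64
import json
import ssl
import sys
import urllib.request

ES_URL = "https://localhost:9200"     # assumption: local Open Distro node
ADMIN_AUTH = ("admin", "CHANGE_ME")   # placeholder; use a real admin credential
ROLE = "ks-wazuh"                     # the role name used in the thread

def role_body() -> dict:
    """Scoped role: read/write and index management on wazuh-* only,
    instead of granting kibanaserver the cluster-wide admin role."""
    return {
        "cluster_permissions": [],
        "index_permissions": [{
            "index_patterns": ["wazuh-*"],
            "allowed_actions": ["indices:data/read*", "indices:data/write*",
                                "indices:admin/*"],   # assumed: create index / put mapping
        }],
    }

def mapping_body() -> dict:
    """Attach the built-in kibanaserver user to the role."""
    return {"users": ["kibanaserver"]}

def put_json(path: str, body: dict, auth=ADMIN_AUTH, verify_tls: bool = True) -> dict:
    """PUT a JSON document to the node with HTTP basic auth and return the reply."""
    ctx = ssl.create_default_context()
    if not verify_tls:                 # only for self-signed lab certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        f"{ES_URL}/{path}", data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def main(template_path: str = "wazuh-template.json") -> None:
    # 1) role, 2) role mapping, 3) legacy index template (ES 7.1 _template API)
    print(put_json(f"_opendistro/_security/api/roles/{ROLE}", role_body()))
    print(put_json(f"_opendistro/_security/api/rolesmapping/{ROLE}", mapping_body()))
    with open(template_path) as f:     # wazuh-template.json downloaded from the URL above
        print(put_json("_template/wazuh", json.load(f)))

if __name__ == "__main__":
    main(*sys.argv[1:2])
```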

Zakaria-Maj commented

@rlk5546

I will give it a try. Thanks

BR
ZM

riderknight17 commented

@rlk5546 Can you please share the process of #1319 (comment) and also of #1319 (comment), as I am new to open distro.
Thanks

juankaromo (Contributor) commented

Related #1890, #2197

juankaromo (Contributor) commented

Quick update:
The next release, Wazuh 3.13.0, will give full support for the current version of Open Distro (1.8) and for the use of tenants.

Stay tuned for the release of the new version!

Regards,

Wazuh 3.13 automation moved this from To do to Done Jun 15, 2020
clouca commented Jul 7, 2020

Same issue using wazuh 3.13; it seems not to be fixed.

pablotr9 (Contributor) commented Jul 8, 2020

Hi @clouca, the App was successfully tested with Wazuh 3.13.0 and OpenDistro version 1.8.0; this new version also includes support for multitenancy (which wasn't supported in previous versions).
Could you please open a new issue explaining the error? This way we can give you further assistance.
Thanks!

clouca commented Jul 8, 2020

Hello @pablotr9, I always get the same error. Please take a look at the following screenshot:

[Screenshot: wazuh-kibana]

To install wazuh-kibana-app I used the following:

sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.0_7.7.0.zip

pablotr9 (Contributor) commented Jul 8, 2020

Hi @clouca,

Does the current logged in user have enough permissions to manage wazuh-* indices?

Let's also check if the index patterns can be found, please run this request:

curl http://KIBANA_SERVER_IP:5601/api/saved_objects/_find?type=index-pattern&search_fields=title&search=wazuh*

(replace KIBANA_SERVER_IP with the IP of the server where Kibana is installed)

Regards,
Pablo Torres

clouca commented Jul 8, 2020

Hello @pablotr9, thanks for the fast response.
I get the following:

[1] 18997
[2] 18998

pablotr9 (Contributor) commented Jul 8, 2020

Sorry, it seems that request was not correct. Could you please try again with this one:

curl 'http://KIBANA_SERVER_IP:5601/api/saved_objects/_find?type=index-pattern&search_fields=title&search=wazuh*'

(don't forget again to replace KIBANA_SERVER_IP with the IP)

clouca commented Jul 8, 2020

Nothing is returned. Just for your information, I logged in to Kibana as admin.

pablotr9 (Contributor) commented Jul 8, 2020

Ok, thanks. Do you get the same error when accessing the Wazuh App in an Incognito Window?
Let's try to get some more info: please open the Browser DevTools (in Chrome/Firefox you can open it by pressing F12), then go to the Network tab and refresh the Wazuh App window.

[Screenshot: image]

As shown in that screenshot, you can see the requests on the left side of the DevTools; if any of them failed, it will be highlighted in red. If you see any failed request, please click on it and share the RESPONSE subtab with me.

clouca commented Jul 8, 2020

index-pattern : {"statusCode":404,"error":"Not Found","message":"Not Found"}
_fields_for_wildcard?pattern=wazuh-alerts-3.x-*&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score
{"statusCode":404,"error":"Not Found","message":"No indices match pattern "wazuh-alerts-3.x-"","attributes":{"statusCode":404,"error":"Not Found","message":"No indices match pattern "wazuh-alerts-3.x-"","code":"no_matching_indices"}}

pablotr9 (Contributor) commented Jul 8, 2020

Hi @clouca, as that error indicates (No indices match pattern "wazuh-alerts-3.x-"), make sure that you have wazuh-alerts-* indices, otherwise the index pattern cannot be created. You can see your indices with this command (you can run it in Kibana DevTools):

GET _cat/indices

In the machine where Filebeat is installed, check its connection with Elasticsearch using this command:

filebeat test output

Also check its configuration file located at /etc/filebeat/filebeat.yml.

Share the output of these 3 commands with me so I can give you further assistance.

Regards,
Pablo Torres

clouca commented Jul 8, 2020

The following command shows the results below:

GET _cat/indices

yellow open security-auditlog-2020.07.08    2b1DDq7WQpGrXEPeqD-M8g 1 1    24 0 84.6kb 84.6kb
green  open wazuh-monitoring-3.x-2020.07.08 h80eeM9fRiyMHBn17WUGjg 2 0     0 0   416b   416b
green  open .kibana_92668751_admin_1        dQaepvlJQPurBHR8yzxuNg 1 0     1 0  3.8kb  3.8kb
yellow open security-auditlog-2020.07.07    7N0B3B5zQ0e__t9DxBITCg 1 1    67 0  129kb  129kb
green  open kibana_sample_data_logs         DoyZPQhQSMe8lwkML-x0pw 1 0 14074 0   10mb   10mb
green  open .kibana_92668751_admin_2        71eVyUV1TlmzSWLhmZruLg 1 0    34 0 70.1kb 70.1kb
green  open .kibana_2                       EZnHX32fQFOGCKWznYyP9w 1 0     3 0   25kb   25kb
green  open .kibana_1                       hULDIkucT-ydrPfdzpVZXg 1 0     2 0 32.6kb 32.6kb
green  open .opendistro_security            bQIHQL2jR1mZBirNt3YWbg 1 0     7 0   37kb   37kb
green  open .tasks                          4J6clMCVR7CTNrHVZuAkTQ 1 0     1 0  6.4kb  6.4kb

Filebeat is not currently installed in my setup; I have installed logstash. Does this relate to my issue?
Is installing filebeat mandatory?

Currently I do not send any data from wazuh agents. Just setting up the manager side.

pablotr9 (Contributor) commented Jul 8, 2020

Hi @clouca, yes, the Wazuh App needs to have at least 1 wazuh-alerts-3x-* index. That's the default behavior, but you can disable the index pattern/template/known fields checks in wazuh.yml; take a look at this link: https://documentation.wazuh.com/current/user-manual/kibana-app/reference/config-file.html#checks.
I personally do not recommend changing these settings; the best and easiest solution here is to configure Filebeat, so once the first wazuh-alerts* index is created the App will work correctly. (Ideally, the Wazuh App should be the last component to be installed, as it depends on the others (Wazuh API, Filebeat...).)

Both Logstash and Filebeat can be used, but we recommend using Filebeat. You can find the Filebeat installation guide here (it has to be installed on the machine where the Wazuh manager or worker is installed): https://documentation.wazuh.com/3.13/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#installing-filebeat.

Please, if you have any other question, open a new issue so we can give it more visibility, making it easier for other users with the same problem/question to find the solution.
You can also join our Slack community channel: https://wazuh.com/community/join-us-on-slack/

Best Regards,
Pablo Torres
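An added example (not part of the thread or of the Wazuh App) of the check Pablo describes above: it parses a plain-text `GET _cat/indices` listing such as the one clouca posted and reports which of the App's index patterns have a matching open index, reproducing the 404 "No indices match pattern" case. The sample listing is a constructed, trimmed copy of the thread's output; the pattern list is an assumption taken from the error message and the wazuh-monitoring index above.

```python
import fnmatch
from typing import Dict, List

# Constructed sample: a trimmed copy of the `GET _cat/indices` output from the thread.
CAT_INDICES = """\
yellow open security-auditlog-2020.07.08    2b1DDq7WQpGrXEPeqD-M8g 1 1    24 0 84.6kb 84.6kb
green  open wazuh-monitoring-3.x-2020.07.08 h80eeM9fRiyMHBn17WUGjg 2 0     0 0   416b   416b
green  open .kibana_1                       hULDIkucT-ydrPfdzpVZXg 1 0     2 0 32.6kb 32.6kb
green  open .opendistro_security            bQIHQL2jR1mZBirNt3YWbg 1 0     7 0   37kb   37kb
"""

# Patterns the App looks for (assumption based on the 404 message and the
# monitoring index above); the value says which component writes them.
REQUIRED = {
    "wazuh-alerts-3.x-*": "alerts shipped by Filebeat from the Wazuh manager",
    "wazuh-monitoring-3.x-*": "agent status written by the Wazuh App itself",
}

# Default (non-JSON) _cat/indices columns, in order.
COLUMNS = ["health", "status", "index", "uuid", "pri", "rep",
           "docs.count", "docs.deleted", "store.size", "pri.store.size"]

def parse_cat_indices(text: str) -> List[Dict[str, str]]:
    """Turn the plain-text listing into one dict per index.
    Closed indices print fewer columns, so zip() simply leaves those keys out."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:                  # need at least health, status, index
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def matching_indices(rows: List[Dict[str, str]], pattern: str) -> List[str]:
    """Names of *open* indices a Kibana-style wildcard pattern would match;
    a closed index cannot satisfy the App's field check, so it is ignored."""
    return [r["index"] for r in rows
            if r["status"] == "open" and fnmatch.fnmatchcase(r["index"], pattern)]

def diagnose(text: str) -> Dict[str, List[str]]:
    """Map each required pattern to its matching indices; an empty list is the
    condition behind the 404 "No indices match pattern" response above."""
    rows = parse_cat_indices(text)
    return {pattern: matching_indices(rows, pattern) for pattern in REQUIRED}

if __name__ == "__main__":
    for pattern, hits in diagnose(CAT_INDICES).items():
        print(f"{pattern}: {hits if hits else 'MISSING, expected ' + REQUIRED[pattern]}")
```

Run against a live cluster by piping `curl -u admin:... https://ES_HOST:9200/_cat/indices` into `diagnose()`; an empty list for the alerts pattern means Filebeat has not yet written an index, which is exactly the state clouca was in.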

clouca commented Jul 8, 2020

Hello @pablotr9, thanks for your support. I really appreciate it. I will come back to you soon after setting up everything in the correct order.

clouca commented Jul 9, 2020

Hello @pablotr9. I have managed to set up wazuh and it is working normally. As you mentioned earlier, everything has to be installed before the wazuh installation, even the wazuh agents in the terminal to generate some alerts. One tip for opendistro elasticsearch: instead of the package that the wazuh tutorial suggests, the package that has to be installed is the filebeat_oss version, otherwise an error between filebeat and elasticsearch will occur. Thanks again

das-subha123 commented

Hello @pablotr9. I want to integrate opendistro for elasticsearch and kibana with wazuh using docker. I used this (https://github.com/wazuh/wazuh-docker/blob/v3.9.3_7.1.1-opendistro/docker-compose.yml) but it could not connect to elasticsearch. Could you please help me with the docker-compose.yml file for this integration? I really need help. Please help. Thank you in advance.

pablotr9 (Contributor) commented

Hi @das-subha123, unfortunately there is no docker that includes support for Opendistro. I have just opened a new issue in our wazuh-docker repository to include it: wazuh/wazuh-docker#370

das-subha123 commented

Hi @pablotr9. Thank you for the information, and thank you so much for opening this new issue. I will be looking forward to this implementation. Thank you.

KlavsKlavsen commented

@rlk5546

> A little tricky to get it to work with ODFE though since cerebro doesn't support SSL connections out of the box.

Could you share how you got this working? I can't seem to find any docs on this anywhere :(

rlk5546 commented Mar 18, 2021

> Could you share how you got this working? I can't seem to find any docs on this anywhere :(

The only solution I found was to disable SSL verification: lmenezes/cerebro#127

I run cerebro in a docker container, so I execute a shell in the container and modify the application.conf file, appending this line to the end:

play.ws.ssl.loose.acceptAnyCertificate = true

Then restart the container.

You can always use the ES Rest API to create the template.

rlk
