Testing Open Distro #1319
Comments
Any ETA on this? We are very interested in utilizing both Wazuh and Opendistro together.
Has there been any updates on this? Watching this also, interested in utilizing both Wazuh and Opendistro together.
+1
Hi @rlk5546, we don't have any public documentation for OpenDistro + Wazuh (working on it), but we already have different environments and users using it. We will try to create and publish a specific guide for OpenDistro + Wazuh.
Thank you @snaow, but installing is not the issue. The app installs fine as a Kibana plugin. I just wanted to give this an upvote as I continue to work on getting it to actually run. I have OpenDistro running in a production environment, so I am not using the demo certificates and my built-in users are not using the default passwords. This is the error I have received so far: This is first run after installing the wazuh-kibana-app plugin. I could use more information on how to change what appears to be the default password for the kibanaserver user in wazuh-kibana-app, or change the user that wazuh-kibana-app uses, if you have it. Again, just another +1, hoping you can get this documented soon. Thank you, rlk
Hello everyone, I'm testing Wazuh using Open Distro from my side and here's what I found about the Wazuh app: First, as @rlk5546 mentioned, I also got the permission issue for the user kibanaserver and I fixed it by giving that user the admin rights. After that, I configured the Wazuh API credentials, then tested the connection successfully, and this is the error I got: I searched somewhere and found that it can be fixed by deleting the .kibana/user indices, but the error will occur again since the indices will be recreated automatically. (It's not a final solution, still needs to be checked.) Another issue is that I noticed the Wazuh app "Discover" is not responding: (I'm blocked in this part)
The kibanaserver user needs permissions to create the Wazuh index and template. I solved this by creating a secondary role, ks-wazuh, with all permissions on *wazuh-* including indices:data/read* and indices:data/write*. Then created a Role Mapping for ks-wazuh assigning kibanaserver as a user. This allowed index creation but I had to manually import the template. First run took a couple minutes to complete. Once this was done, Wazuh runs great so far. rlk
@rlk5546 Thanks for sharing that. Could you please explain how you imported the template manually? Also, what's your Wazuh installation? (Wazuh version, Filebeat version, Open Distro version, Kibana version). Thanks in advance. BR
Sorry for the delay. ODFE v1.1. I found the template here: https://raw.githubusercontent.com/wazuh/wazuh/v3.9.1/extensions/elasticsearch/7.x/wazuh-template.json I imported using cerebro: https://github.com/lmenezes/cerebro Otherwise you can import the template using Dev Tools: https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html The difficult part was finding the template. Importing it was the easy part. Once imported, Wazuh started and is running fine so far. Just remember that the first run took a couple minutes to complete. rlk
I will give it a try. Thanks. BR
@rlk5546 Can you please share the process of #1319 (comment) and also of #1319 (comment), as I am new to Open Distro.
Quick update: Stay tuned for the release of the new version! Regards,
Same issue using Wazuh 3.13, seems not to be fixed.
Hi @clouca, the App was successfully tested with Wazuh 3.13.0 and OpenDistro version 1.8.0. This new version also includes support for multitenancy (which wasn't supported in previous versions).
Hello @pablotr9, I always get the same error. Please take a look at the following screenshot.
Hi @clouca, Does the current logged in user have enough permissions to manage wazuh-* indices? Let's also check if the index patterns can be found, please run this request:
(replace KIBANA_SERVER_IP with the IP of the server where Kibana is installed) Regards,
Hello @pablotr9, thanks for the fast response.
Sorry it seems that request was not correct, could you please try again with this one:
(don't forget again to replace KIBANA_SERVER_IP with the IP)
Nothing is returned. Just for your information, I logged in to Kibana as admin.
index-pattern : {"statusCode":404,"error":"Not Found","message":"Not Found"}
Hi @clouca , as that error indicates
In the machine where Filebeat is installed, check its connection with Elasticsearch using this command:
Also check its configuration file located at Share the output of these 3 commands with me so I can give you further assistance. Regards,
The following command shows the results below:
Filebeat is not currently installed in my setup; I have installed Logstash. Is this related to my issue? Currently I do not send any data from Wazuh agents. I am just setting up the manager side.
Hi @clouca, yes, the Wazuh App needs to have at least 1 wazuh-alerts-3x-* index. That's the default behavior, but you can disable the index patterns/template/known fields checks in the Both Logstash and Filebeat can be used, but we recommend using Filebeat. You can find the Filebeat installation guide here (it has to be installed on the machine where the Wazuh manager or worker is installed): https://documentation.wazuh.com/3.13/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#installing-filebeat. Please, if you have any other questions, open a new issue so we can give it more visibility, making it easier to find the solution for other users with the same problem/question. Best Regards,
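The diagnosis above (index pattern 404, because no wazuh-alerts index exists, because nothing is being shipped yet) can be run as a preflight before opening the app. This is an added example for this thread, not code from the Wazuh project or from anyone posting here. It assumes Wazuh 3.x naming (template "wazuh", indices named wazuh-alerts-3.x-<date>, Kibana index pattern "wazuh-alerts-3.x-*") and works on JSON you have already fetched from GET /_cat/templates?format=json, GET /_cat/indices?format=json and Kibana's GET /api/saved_objects/_find?type=index-pattern; the sample responses embedded in it are constructed, not captured from a real cluster.

```python
"""Preflight for the Wazuh Kibana app on Open Distro (added example, not Wazuh code)."""
import base64
import fnmatch
import json
import ssl
import urllib.request

TEMPLATE_NAME = "wazuh"                 # assumption: Wazuh 3.x template name
ALERTS_PATTERN = "wazuh-alerts-3.x-*"   # assumption: Wazuh 3.x index pattern title


def template_installed(cat_templates, name=TEMPLATE_NAME):
    """cat_templates: parsed response of GET /_cat/templates?format=json"""
    return any(t.get("name") == name for t in cat_templates)


def alerts_indices(cat_indices, pattern=ALERTS_PATTERN):
    """cat_indices: parsed response of GET /_cat/indices?format=json"""
    return sorted(i["index"] for i in cat_indices if fnmatch.fnmatchcase(i["index"], pattern))


def index_pattern_present(find_response, title=ALERTS_PATTERN):
    """find_response: parsed Kibana GET /api/saved_objects/_find?type=index-pattern"""
    return any(o.get("type") == "index-pattern" and o.get("attributes", {}).get("title") == title
               for o in find_response.get("saved_objects", []))


def preflight(cat_templates, cat_indices, find_response):
    """Return (ready, findings); findings follow the order the thread resolved them in."""
    findings = []
    if not template_installed(cat_templates):
        findings.append("template '%s' is not installed: import wazuh-template.json" % TEMPLATE_NAME)
    if not alerts_indices(cat_indices):
        findings.append("no index matches %s: nothing has been shipped; on the manager run "
                        "'filebeat test output' and confirm agents are producing alerts" % ALERTS_PATTERN)
    if not index_pattern_present(find_response):
        findings.append("Kibana has no '%s' index pattern: the app creates it on first run, "
                        "once an alerts index exists" % ALERTS_PATTERN)
    return (not findings, findings)


def get_json(url, user, password, cafile):
    """Fetch one endpoint with basic auth over verified TLS (the thread's admin user)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return json.loads(resp.read())


# Constructed sample responses: a cluster before and after Filebeat ships its first alerts.
SAMPLE_TEMPLATES = [{"name": "wazuh", "order": "0", "version": "1"}]
INDICES_BEFORE = [
    {"health": "green", "status": "open", "index": ".kibana_1", "docs.count": "12"},
    {"health": "green", "status": "open", "index": ".opendistro_security", "docs.count": "9"},
]
INDICES_AFTER = INDICES_BEFORE + [
    {"health": "yellow", "status": "open", "index": "wazuh-alerts-3.x-2020.06.10", "docs.count": "431"},
]
FIND_BEFORE = {"page": 1, "per_page": 20, "total": 0, "saved_objects": []}
FIND_AFTER = {"page": 1, "per_page": 20, "total": 1, "saved_objects": [
    {"type": "index-pattern", "id": "wazuh-alerts-3.x-*", "attributes": {"title": "wazuh-alerts-3.x-*"}}]}

if __name__ == "__main__":
    for label, idx, find in [("before", INDICES_BEFORE, FIND_BEFORE), ("after", INDICES_AFTER, FIND_AFTER)]:
        ready, findings = preflight(SAMPLE_TEMPLATES, idx, find)
        print(label + ":", "ready" if ready else "not ready")
        for finding in findings:
            print("  -", finding)
```

Against live systems, feed preflight() the three responses from get_json() (Elasticsearch for the first two, Kibana for the third); the "before" sample reproduces the situation in the thread, where the template is present but no alerts index and therefore no index pattern exist.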
Hello @pablotr9, thanks for your support. I really appreciate it. I will come back to you soon after setting up everything in the correct order.
Hello @pablotr9. I have managed to set up Wazuh and it is working normally. As you mentioned earlier, everything has to be installed before the Wazuh installation, even the Wazuh agents in the terminal to generate some alerts. One tip for Open Distro Elasticsearch: instead of the package that the Wazuh tutorial suggests, the package that has to be installed is the filebeat_oss version; otherwise an error between Filebeat and Elasticsearch will occur. Thanks again.
Hello @pablotr9. I want to integrate Open Distro for Elasticsearch and Kibana with Wazuh using Docker. I used this (https://github.com/wazuh/wazuh-docker/blob/v3.9.3_7.1.1-opendistro/docker-compose.yml) but it could not connect to Elasticsearch. Could you please help me with the docker-compose.yml file for this integration? I really need help. Please help. Thank you in advance.
Hi @das-subha123, unfortunately there is no Docker image that includes support for Opendistro. I have just opened a new issue in our wazuh-docker repository to include it: wazuh/wazuh-docker#370
Hi @pablotr9. Thank you for the information and thank you so much for opening up this new issue. I will be looking forward to this implementation. Thank you.
Could you share how you got this working? I can't seem to find any docs on this anywhere :(
The only solution I found was to disable SSL verification: lmenezes/cerebro#127 I run cerebro in a Docker container, so I execute a shell in the container and modify the application.conf file, appending this line to the end: restart the container. You can always use the ES REST API to create the template. rlk
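The fix rlk5546 describes earlier in the thread (a secondary role ks-wazuh with read/write on wazuh-* mapped to the kibanaserver user, then a manual import of wazuh-template.json) can be made repeatable without the cerebro workaround of switching SSL verification off. The script below is an added example, not Wazuh project code and not code posted in this thread. It assumes the Open Distro 1.x security plugin REST endpoints (/_opendistro/_security/api/roles/<name> and /_opendistro/_security/api/rolesmapping/<name>), that those endpoints are called with the admin client certificate (or by a user listed in opendistro_security.restapi.roles_enabled), the legacy PUT /_template/wazuh endpoint that Wazuh 3.x uses, and that the wazuh-template.json linked above has been downloaded locally. The role_permits() helper is an offline approximation of the plugin's wildcard matching, used only to sanity-check the role before it is applied; the environment variable names are this example's own.

```python
"""Role, role mapping and template bootstrap for the Wazuh app on Open Distro (added example)."""
import fnmatch
import json
import os
import ssl
import urllib.request

ROLE_NAME = "ks-wazuh"        # role name chosen in the thread
KIBANA_USER = "kibanaserver"  # Kibana's backend user

# Index-level actions the app needs on its own indices; wildcards resolve against
# full Elasticsearch action names such as indices:data/write/bulk.
INDEX_ACTIONS = [
    "indices:data/read*",
    "indices:data/write*",
    "indices:admin/create",
    "indices:admin/mapping/put",
]
# Installing an index template is a cluster-level action.
CLUSTER_ACTIONS = ["indices:admin/template/put"]


def role_body(index_patterns=("wazuh-*",)):
    """Body for PUT /_opendistro/_security/api/roles/ks-wazuh (security config v7 shape)."""
    return {
        "cluster_permissions": list(CLUSTER_ACTIONS),
        "index_permissions": [
            {"index_patterns": list(index_patterns), "allowed_actions": list(INDEX_ACTIONS)}
        ],
    }


def rolemapping_body(users=(KIBANA_USER,)):
    """Body for PUT /_opendistro/_security/api/rolesmapping/ks-wazuh."""
    return {"users": list(users)}


def role_permits(role, action, index=None):
    """Offline approximation of the plugin's check: does this role alone allow
    `action` (on `index` for index-level actions, cluster-wide when index is None)?"""
    if index is None:
        return any(fnmatch.fnmatchcase(action, p) for p in role["cluster_permissions"])
    for perm in role["index_permissions"]:
        if any(fnmatch.fnmatchcase(index, p) for p in perm["index_patterns"]) and \
           any(fnmatch.fnmatchcase(action, a) for a in perm["allowed_actions"]):
            return True
    return False


def planned_requests(template=None):
    """(method, path, body) triples in the order they have to be applied."""
    plan = [
        ("PUT", "/_opendistro/_security/api/roles/" + ROLE_NAME, role_body()),
        ("PUT", "/_opendistro/_security/api/rolesmapping/" + ROLE_NAME, rolemapping_body()),
    ]
    if template is not None:
        plan.append(("PUT", "/_template/wazuh", template))
    return plan


def send(base_url, method, path, body, cafile, certfile=None, keyfile=None):
    """One request with the server certificate verified against `cafile` and,
    for the security API, the admin client certificate presented."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 method=method, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    # Sanity-check the role offline before touching the cluster.
    for action, index in [("indices:data/write/bulk", "wazuh-alerts-3.x-2020.06.10"),
                          ("indices:admin/create", "wazuh-monitoring-3.x-2020.06"),
                          ("indices:data/write/bulk", ".kibana_1")]:
        print("%-26s on %-30s -> %s" % (action, index, role_permits(role_body(), action, index)))
    path = os.environ.get("WAZUH_TEMPLATE", "wazuh-template.json")
    template = json.load(open(path)) if os.path.exists(path) else None
    for method, p, body in planned_requests(template):
        print(method, p, json.dumps(body)[:80])
    # Apply only when pointed at a cluster, e.g.
    # ES_URL=https://es.example:9200 ES_CA=root-ca.pem ES_CERT=admin.pem ES_KEY=admin-key.pem
    if os.environ.get("ES_URL"):
        for method, p, body in planned_requests(template):
            print(send(os.environ["ES_URL"], method, p, body, os.environ["ES_CA"],
                       os.environ.get("ES_CERT"), os.environ.get("ES_KEY")))
```

Run it once without ES_URL to see the plan and the offline permission check, then with ES_URL, ES_CA and the admin certificate pair to apply it. The role is deliberately scoped to wazuh-* plus the one cluster action, which is narrower than the "give kibanaserver admin rights" shortcut mentioned earlier in the thread.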
The recently released Open Distro alternative to Elasticsearch and Kibana comes with some useful features, and we may want to be fully integrated.
Documentation: new installation guide using Open Distro (New documentation structure review wazuh-documentation#2205). Regards