Can anyone help me here? I have been trying to set up Wazuh to work with the ELK stack, having Filebeat send the logs to Kibana for visualization.
Just to begin with, here's my elasticsearch.yml file:
network.host: 192.168.2.18
http.port: 9200
node.name: elasticsearch
cluster.initial_master_nodes: elasticsearch
# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.pem
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/elastic-stack-ca.crt
# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.pem
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/elastic-stack-ca.crt
# Elasticsearch authentication
xpack.security.enabled: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
I went through all the needed configuration as specified by the following guideline, from this webpage: https://documentation.wazuh.com/current/deployment-options/elastic-stack/all-in-one-deployment/index.html
Only then did I proceed with starting each of the services, including:
● kibana.service - Kibana
Loaded: loaded (/lib/systemd/system/kibana.service; enabled; preset: disabled)
Active: active (running) since Mon 2023-06-26 15:59:42 EDT; 7s ago
Docs: https://www.elastic.co
Main PID: 570897 (node)
Tasks: 11 (limit: 8227)
# service filebeat status
● filebeat.service - Filebeat
Loaded: loaded (/etc/systemd/system/filebeat.service; enabled; preset: disabled)
Active: active (running) since Mon 2023-06-26 14:58:02 EDT; 1h 2min ago
Docs: https://www.elastic.co/products/beats/filebeat
┌──(root㉿kali)-[/etc/filebeat]
└─# service wazuh-manager status
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
Active: active (running) since Mon 2023-06-26 14:58:59 EDT; 1h 1min ago
Tasks: 115 (limit: 8227)
Memory: 1.5G
CPU: 2min 7.735s
CGroup: /system.slice/wazuh-manager.service
┌──(root㉿kali)-[/etc/filebeat]
└─# service elasticsearch status
● elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; preset: disabled)
Active: active (running) since Mon 2023-06-26 13:24:46 EDT; 2h 36min ago
Docs: https://www.elastic.co
Facing some difficulties with Kibana, shown below:
┌──(root㉿kali)-[/usr/share/filebeat]
└─# ./filebeat test config
Config OK
┌──(root㉿kali)-[/usr/share/filebeat]
└─# ./filebeat test output
elasticsearch: https://192.168.2.18:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.2.18
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 8.8.1
┌──(root㉿kali)-[/usr/share/filebeat]
└─# ./filebeat setup -e
2023-06-26T16:07:39.623-0400 INFO instance/beat.go:698 Home path: [/usr/share/filebeat] Config path: [/usr/share/filebeat] Data path: [/usr/share/filebeat/data] Logs path: [/usr/share/filebeat/logs] Hostfs Path: [/]
2023-06-26T16:07:39.625-0400 INFO instance/beat.go:706 Beat ID: 3b18eb13-4f64-4379-af06-76a9dfcb59c6
2023-06-26T16:07:39.626-0400 WARN [cfgwarn] template/config.go:88 DEPRECATED: Please migrate your JSON templates from legacy template format to composable index template. Will be removed in version: 8.0.0
2023-06-26T16:07:39.627-0400 INFO [beat] instance/beat.go:1052 Beat info {"system_info": {"beat": {"path": {"config": "/usr/share/filebeat", "data": "/usr/share/filebeat/data", "home": "/usr/share/filebeat", "logs": "/usr/share/filebeat/logs"}, "type": "filebeat", "uuid": "3b18eb13-4f64-4379-af06-76a9dfcb59c6"}}}
2023-06-26T16:07:39.628-0400 INFO [beat] instance/beat.go:1061 Build info {"system_info": {"build": {"commit": "78a342312954e587301b653093954ff7ee4d4f2b", "libbeat": "7.17.10", "time": "2023-04-23T09:00:42.000Z", "version": "7.17.10"}}}
2023-06-26T16:07:39.629-0400 INFO [beat] instance/beat.go:1064 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.7"}}}
2023-06-26T16:07:39.631-0400 INFO [beat] instance/beat.go:1070 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-06-25T23:32:31-04:00","containerized":false,"name":"kali","ip":["127.0.0.1","::1","192.168.2.18","fe80::a00:27ff:feb1:9d67","172.20.0.1","172.18.0.1","172.17.0.1","172.22.0.1"],"kernel_version":"6.1.0-kali9-amd64","mac":["08:00:27:b1:9d:67","02:42:2a:15:cc:b0","02:42:4e:84:34:2b","02:42:4b:ae:aa:16","02:42:b1:19:f2:c6"],"os":{"type":"linux","family":"","platform":"kali","name":"Kali GNU/Linux","version":"2023.2","major":2023,"minor":2,"patch":0,"codename":"kali-rolling"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"3095ed18a81a4f50ba21f01bf6332087"}}}
2023-06-26T16:07:39.636-0400 INFO [beat] instance/beat.go:1099 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/usr/share/filebeat", "exe": "/usr/share/filebeat/filebeat", "name": "filebeat", "pid": 575349, "ppid": 349327, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2023-06-26T16:07:38.910-0400"}}}
2023-06-26T16:07:39.637-0400 INFO instance/beat.go:292 Setup Beat: filebeat; Version: 7.17.10
2023-06-26T16:07:39.638-0400 WARN [cfgwarn] tlscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2023-06-26T16:07:39.640-0400 INFO [esclientleg] eslegclient/connection.go:105 elasticsearch url: https://192.168.2.18:9200
2023-06-26T16:07:39.643-0400 INFO [publisher] pipeline/module.go:113 Beat name: kali
2023-06-26T16:07:39.646-0400 INFO beater/filebeat.go:118 Enabled modules/filesets: wazuh (alerts), ()
2023-06-26T16:07:39.648-0400 INFO [esclientleg] eslegclient/connection.go:105 elasticsearch url: https://192.168.2.18:9200
2023-06-26T16:07:39.680-0400 INFO [esclientleg] eslegclient/connection.go:285 Attempting to connect to Elasticsearch version 8.8.1
ILM policy and write alias loading not enabled.
2023-06-26T16:07:39.697-0400 INFO template/load.go:197 Existing template will be overwritten, as overwrite is enabled.
2023-06-26T16:07:39.728-0400 INFO template/load.go:131 Try loading template wazuh to Elasticsearch
2023-06-26T16:07:40.164-0400 INFO template/load.go:123 Template with name "wazuh" loaded.
2023-06-26T16:07:40.164-0400 INFO [index-management] idxmgmt/std.go:296 Loaded index template.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
2023-06-26T16:07:40.164-0400 INFO kibana/client.go:180 Kibana url: https://0.0.0.0:443
>>>>>>>>>>> Here's the error message I am facing, and I cannot even get through to the GUI of Kibana ("Unable to connect" from the browser).
2023-06-26T16:07:40.165-0400 ERROR instance/beat.go:1027 Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://0.0.0.0:443/api/status fails: fail to execute the HTTP GET request: Get "https://0.0.0.0:443/api/status": dial tcp 0.0.0.0:443: connect: connection refused. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://0.0.0.0:443/api/status fails: f
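The failing step in the log above is `filebeat setup` trying to reach Kibana at `https://0.0.0.0:443`. `0.0.0.0` is a bind address (the kind of value `server.host` takes in kibana.yml), not something a client should connect to: on Linux the kernel maps it to loopback, so "connection refused" there means nothing was accepting on local port 443 at that moment. The following pre-flight check is an added example, not code from the original post, Wazuh or Elastic. It parses the `key: value` subset of YAML that filebeat.yml uses (not a full YAML parser), then flags endpoint URLs in `output.elasticsearch.hosts` and `setup.kibana.host` that are not https, have no port, or use a wildcard address. The sample config embedded in it is constructed to mirror the URLs in the log; the path `/etc/filebeat/filebeat.yml` in the usage line is an assumption.

```python
"""Pre-flight check of the endpoints filebeat will talk to during `filebeat setup`.

Added example, not code from the original post, Wazuh or Elastic. It parses the
key: value subset of YAML that filebeat.yml uses (not a full YAML parser) and
flags endpoint URLs that cannot work as *connect* targets.
"""
import ipaddress
import socket
import sys
from urllib.parse import urlsplit

# Constructed sample that mirrors the URLs in the log output above; it is not the
# poster's real /etc/filebeat/filebeat.yml.
SAMPLE_FILEBEAT_YML = """\
output.elasticsearch:
  hosts: ["https://192.168.2.18:9200"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca/ca.crt"]
setup.kibana:
  host: "https://0.0.0.0:443"
"""


def parse_scalar(value):
    """Unquote a scalar; turn an inline ["a", "b"] list into a Python list."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return [parse_scalar(v) for v in value[1:-1].split(",") if v.strip()]
    return value.strip("\"'")


def flatten_yaml(text):
    """Flatten indentation-nested `key: value` lines into dotted keys.

    The two-level block above becomes {"setup.kibana.host": "https://0.0.0.0:443"}.
    Comments and blank lines are skipped; block lists and multi-line scalars are
    not handled, which is enough for the endpoint and TLS settings checked here.
    """
    flat = {}
    stack = []  # (indent, key) of the enclosing mapping keys
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = parse_scalar(value)
    return flat


def check_url(url, role):
    """Return a list of findings (empty = OK) for one endpoint URL."""
    findings = []
    # filebeat accepts a bare host:port; default the scheme so urlsplit sees a host
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme != "https":
        findings.append(f"{role}: {url} is not https; credentials would cross the wire in clear text")
    if parts.hostname is None:
        findings.append(f"{role}: {url} has no host part")
        return findings
    try:
        if ipaddress.ip_address(parts.hostname).is_unspecified:
            # 0.0.0.0 / :: are bind addresses (server.host in kibana.yml); as a
            # connect target Linux silently maps them to loopback, Windows refuses.
            findings.append(f"{role}: {url} uses wildcard bind address {parts.hostname}; "
                            "give the address Kibana actually listens on")
    except ValueError:
        pass  # a hostname rather than an IP literal
    if parts.port is None:
        findings.append(f"{role}: {url} has no explicit port")
    return findings


def check_config(text):
    """Run check_url over output.elasticsearch.hosts and setup.kibana.host."""
    cfg = flatten_yaml(text)
    findings = []
    hosts = cfg.get("output.elasticsearch.hosts", [])
    for host in ([hosts] if isinstance(hosts, str) else hosts):
        findings += check_url(host, "output.elasticsearch.hosts")
    kibana = cfg.get("setup.kibana.host")
    if kibana is None:
        findings.append("setup.kibana.host unset; filebeat setup falls back to its default localhost:5601")
    else:
        findings += check_url(kibana, "setup.kibana.host")
    return findings


def tcp_listening(url, timeout=3.0):
    """True if something accepts a TCP connection at the URL's host:port (no TLS)."""
    parts = urlsplit(url)
    try:
        with socket.create_connection((parts.hostname, parts.port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Usage: python3 check_filebeat_endpoints.py /etc/filebeat/filebeat.yml (path assumed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILEBEAT_YML
    for finding in check_config(text) or ["no endpoint findings"]:
        print(finding)
```

Run it against the real filebeat.yml before `filebeat setup -e`; on the constructed sample it reports only the `setup.kibana.host` wildcard address and passes the Elasticsearch output, which matches what `filebeat test output` showed. `tcp_listening` is a plain TCP probe for use after the static checks pass (for example to see whether Kibana has finished starting on the configured port); it deliberately does no TLS so a certificate problem cannot mask a plain "nothing is listening".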