Kibana not working// Elasticsearch host

Can anyone help me here? I have been trying to set up Wazuh to work with the ELK stack, having Filebeat send the logs to Kibana for visualization.

Just to begin with, here's my elasticsearch.yml file:

```
network.host: 192.168.2.18
http.port: 9200
node.name: elasticsearch
cluster.initial_master_nodes: elasticsearch

# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.pem
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/elastic-stack-ca.crt

# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.pem
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/elastic-stack-ca.crt

# Elasticsearch authentication
xpack.security.enabled: true

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
```


I went through all the needed configuration as specified by the guide on this webpage: https://documentation.wazuh.com/current/deployment-options/elastic-stack/all-in-one-deployment/index.html

Only then did I proceed with starting each of the services, including:

```
● kibana.service - Kibana
     Loaded: loaded (/lib/systemd/system/kibana.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-06-26 15:59:42 EDT; 7s ago
       Docs: https://www.elastic.co
   Main PID: 570897 (node)
      Tasks: 11 (limit: 8227)

# service filebeat status

● filebeat.service - Filebeat
     Loaded: loaded (/etc/systemd/system/filebeat.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-06-26 14:58:02 EDT; 1h 2min ago
       Docs: https://www.elastic.co/products/beats/filebeat

┌──(root㉿kali)-[/etc/filebeat]
└─# service wazuh-manager status

● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-06-26 14:58:59 EDT; 1h 1min ago
      Tasks: 115 (limit: 8227)
     Memory: 1.5G
        CPU: 2min 7.735s
     CGroup: /system.slice/wazuh-manager.service

┌──(root㉿kali)-[/etc/filebeat]
└─# service elasticsearch  status

● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-06-26 13:24:46 EDT; 2h 36min ago
       Docs: https://www.elastic.co
```

Facing some difficulties with Kibana, shown below:

```
┌──(root㉿kali)-[/usr/share/filebeat]                                                                                                        

└─# ./filebeat test config                                                                                                                                                                                                                                                                 

Config OK                                                             
                                                                                                                                             
┌──(root㉿kali)-[/usr/share/filebeat]                                                                                                        

└─# ./filebeat test output                                            

elasticsearch: https://192.168.2.18:9200...              
  parse url... OK                                                     
  connection...                                                       
    parse host... OK                                                  
    dns lookup... OK                                                  
    addresses: 192.168.2.18                                           
    dial up... OK                                                     
  TLS...                                                              
    security: server's certificate chain verification is enabled
    handshake... OK                                                   
    TLS version: TLSv1.3                                              
    dial up... OK                                                                                                                            
  talk to server... OK                                                
  version: 8.8.1                                                      



┌──(root㉿kali)-[/usr/share/filebeat]
└─# ./filebeat setup -e                      
2023-06-26T16:07:39.623-0400    INFO    instance/beat.go:698    Home path: [/usr/share/filebeat] Config path: [/usr/share/filebeat] Data path: [/usr/share/filebeat/data] Logs path: [/usr/share/filebeat/logs] Hostfs Path: [/]
2023-06-26T16:07:39.625-0400    INFO    instance/beat.go:706    Beat ID: 3b18eb13-4f64-4379-af06-76a9dfcb59c6
2023-06-26T16:07:39.626-0400    WARN    [cfgwarn]       template/config.go:88   DEPRECATED: Please migrate your JSON templates from legacy template format to composable index template. Will be removed in version: 8.0.0
2023-06-26T16:07:39.627-0400    INFO    [beat]  instance/beat.go:1052   Beat info       {"system_info": {"beat": {"path": {"config": "/usr/share/filebeat", "data": "/usr/share/filebeat/data", "home": "/usr/share/filebeat", "logs": "/usr/share/filebeat/logs"}, "type": "filebeat", "uuid": "3b18eb13-4f64-4379-af06-76a9dfcb59c6"}}}
2023-06-26T16:07:39.628-0400    INFO    [beat]  instance/beat.go:1061   Build info      {"system_info": {"build": {"commit": "78a342312954e587301b653093954ff7ee4d4f2b", "libbeat": "7.17.10", "time": "2023-04-23T09:00:42.000Z", "version": "7.17.10"}}}
2023-06-26T16:07:39.629-0400    INFO    [beat]  instance/beat.go:1064   Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.7"}}}
2023-06-26T16:07:39.631-0400    INFO    [beat]  instance/beat.go:1070   Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-06-25T23:32:31-04:00","containerized":false,"name":"kali","ip":["127.0.0.1","::1","192.168.2.18","fe80::a00:27ff:feb1:9d67","172.20.0.1","172.18.0.1","172.17.0.1","172.22.0.1"],"kernel_version":"6.1.0-kali9-amd64","mac":["08:00:27:b1:9d:67","02:42:2a:15:cc:b0","02:42:4e:84:34:2b","02:42:4b:ae:aa:16","02:42:b1:19:f2:c6"],"os":{"type":"linux","family":"","platform":"kali","name":"Kali GNU/Linux","version":"2023.2","major":2023,"minor":2,"patch":0,"codename":"kali-rolling"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"3095ed18a81a4f50ba21f01bf6332087"}}}
2023-06-26T16:07:39.636-0400    INFO    [beat]  instance/beat.go:1099   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/usr/share/filebeat", "exe": "/usr/share/filebeat/filebeat", "name": "filebeat", "pid": 575349, "ppid": 349327, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2023-06-26T16:07:38.910-0400"}}}
2023-06-26T16:07:39.637-0400    INFO    instance/beat.go:292    Setup Beat: filebeat; Version: 7.17.10
2023-06-26T16:07:39.638-0400    WARN    [cfgwarn]       tlscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2023-06-26T16:07:39.640-0400    INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: https://192.168.2.18:9200
2023-06-26T16:07:39.643-0400    INFO    [publisher]     pipeline/module.go:113  Beat name: kali
2023-06-26T16:07:39.646-0400    INFO    beater/filebeat.go:118  Enabled modules/filesets: wazuh (alerts),  ()
2023-06-26T16:07:39.648-0400    INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: https://192.168.2.18:9200
2023-06-26T16:07:39.680-0400    INFO    [esclientleg]   eslegclient/connection.go:285   Attempting to connect to Elasticsearch version 8.8.1
ILM policy and write alias loading not enabled.

2023-06-26T16:07:39.697-0400    INFO    template/load.go:197    Existing template will be overwritten, as overwrite is enabled.
2023-06-26T16:07:39.728-0400    INFO    template/load.go:131    Try loading template wazuh to Elasticsearch
2023-06-26T16:07:40.164-0400    INFO    template/load.go:123    Template with name "wazuh" loaded.
2023-06-26T16:07:40.164-0400    INFO    [index-management]      idxmgmt/std.go:296      Loaded index template.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
2023-06-26T16:07:40.164-0400    INFO    kibana/client.go:180    Kibana url: https://0.0.0.0:443


```

Here's the error message I am facing, and I cannot even get through the GUI of Kibana ("Unable to connect" from the browser):

```


2023-06-26T16:07:40.165-0400    ERROR   instance/beat.go:1027   Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://0.0.0.0:443/api/status fails: fail to execute the HTTP GET request: Get "https://0.0.0.0:443/api/status": dial tcp 0.0.0.0:443: connect: connection refused. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://0.0.0.0:443/api/status fails: f

```

So I ran some checks on the logs:

```
$ journalctl  --unit kibana

Jun 26 16:12:17 kali systemd[1]: kibana.service: Main process exited, code=exited, status=1/FAILURE
Jun 26 16:12:17 kali kibana[577488]:     at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
Jun 26 16:12:17 kali kibana[577488]:     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/take.js:13:20
Jun 26 16:12:17 kali kibana[577488]:     at OperatorSubscriber.<anonymous> (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/lift.js:14:28)
Jun 26 16:12:17 kali kibana[577488]:     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:30:30
Jun 26 16:12:17 kali kibana[577488]:     at Object.errorContext (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/errorContext.js:22:9)
Jun 26 16:12:17 kali kibana[577488]:     at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
Jun 26 16:12:17 kali kibana[577488]:     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/throwIfEmpty.js:11:16
Jun 26 16:12:17 kali kibana[577488]:     at SafeSubscriber.<anonymous> (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/lift.js:14:28)
Jun 26 16:12:17 kali kibana[577488]:     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:30:30
Jun 26 16:12:17 kali kibana[577488]:     at Object.errorContext (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/errorContext.js:22:9)
Jun 26 16:12:17 kali kibana[577488]:     at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
Jun 26 16:12:17 kali kibana[577488]:     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:86:19
Jun 26 16:12:17 kali kibana[577488]:     at new Promise (<anonymous>)
Jun 26 16:12:17 kali kibana[577488]:  FATAL  Error: [config validation of [xpack.security].enabled]: definition for this key is missing
Jun 26 16:12:17 kali systemd[1]: kibana.service: Failed with result 'exit-code'.
Jun 26 16:12:17 kali systemd[1]: kibana.service: Consumed 33.130s CPU time.
Jun 26 16:12:20 kali systemd[1]: kibana.service: Scheduled restart job, restart counter is at 101.
Jun 26 16:12:20 kali systemd[1]: Stopped kibana.service - Kibana.
Jun 26 16:12:20 kali systemd[1]: kibana.service: Consumed 33.130s CPU time.
Jun 26 16:12:20 kali systemd[1]: Started kibana.service - Kibana.
```

If this might help, I have attached my configuration files for both Filebeat and Kibana down below, where filebeat.yml is configured to communicate with Kibana at https://0.0.0.0:443


Filebeat configuration file:

```
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts: ["192.168.2.18:9200"]
output.elasticsearch.password: F232k5N51g4BJunZ_bYt


# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://0.0.0.0:443"


filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: /etc/filebeat/wazuh-template.json
setup.template.json.name: wazuh
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.pem
output.elasticsearch.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
output.elasticsearch.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/elastic-stack-ca.crt
output.elasticsearch.ssl.verification_mode: strict
output.elasticsearch.username: elastic

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
```


Here's my kibana.yml configuration file, purposely `listening on every interface`, just to take any interface sort of issues out of the equation:


```
server.host: 0.0.0.0
server.port: 443
elasticsearch.hosts: ["https://192.168.2.18:9200"]
elasticsearch.password: F232k5N51g4BJunZ_bYt


# Elasticsearch from/to Kibana

elasticsearch.ssl.certificateAuthorities: /etc/elasticsearch/certs/ca/elastic-stack-ca.crt
elasticsearch.ssl.certificate:  /etc/elasticsearch/certs/elasticsearch.pem
elasticsearch.ssl.key: /etc/elasticsearch/certs/elasticsearch.key

# Browser from/to Kibana
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.pem
server.ssl.key: /etc/kibana/certs/kibana.key

# Elasticsearch authentication
xpack.security.enabled: true
elasticsearch.username: elastic
uiSettings.overrides.defaultRoute: "/app/wazuh"
elasticsearch.ssl.verificationMode: certificate
telemetry.banner: false
```

Can you post your kibana.yml?

I see the error below thrown by Kibana, based on the logs above.

Jun 26 16:12:17 kali kibana[577488]: FATAL Error: [config validation of [xpack.security].enabled]: definition for this key is missing

There is something wrong with your kibana.yml and, moreover, kibana.yml doesn't need the xpack.security.enabled configuration.

Sir, I posted all my .yml files up above, can you see them?

Furthermore, I have also removed the "xpack.security.enabled: true" option as per your advice, and ran the following commands to restart kibana.service:

```
$ systemctl daemon-reload
$ systemctl enable kibana
$ systemctl start kibana
```


Then I ran the following once more:

```
$ ./filebeat setup -e

2023-06-27T10:56:25.698-0400    INFO    instance/beat.go:292    Setup Beat: filebeat; Version: 7.17.10
2023-06-27T10:56:25.760-0400    WARN    [cfgwarn]       tlscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2023-06-27T10:56:25.762-0400    INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: https://192.168.2.18:9200
2023-06-27T10:56:25.892-0400    INFO    [publisher]     pipeline/module.go:113  Beat name: kali
2023-06-27T10:56:27.594-0400    INFO    beater/filebeat.go:118  Enabled modules/filesets: wazuh (alerts),  ()
2023-06-27T10:56:27.687-0400    INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: https://192.168.2.18:9200
2023-06-27T10:56:27.829-0400    INFO    [esclientleg]   eslegclient/connection.go:285   Attempting to connect to Elasticsearch version 8.8.1
ILM policy and write alias loading not enabled.

2023-06-27T10:56:27.833-0400    INFO    template/load.go:197    Existing template will be overwritten, as overwrite is enabled.
2023-06-27T10:56:27.836-0400    INFO    template/load.go:131    Try loading template wazuh to Elasticsearch
2023-06-27T10:56:30.285-0400    INFO    template/load.go:123    Template with name "wazuh" loaded.
2023-06-27T10:56:30.285-0400    INFO    [index-management]      idxmgmt/std.go:296      Loaded index template.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
2023-06-27T10:56:30.285-0400    INFO    kibana/client.go:180    Kibana url: https://0.0.0.0:443
2023-06-27T10:56:30.286-0400    ERROR   instance/beat.go:1027   Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://0.0.0.0:443/api/status fails: fail to execute the HTTP GET request: Get "https://0.0.0.0:443/api/status": dial tcp 0.0.0.0:443: connect: connection refused. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://0.0.0.0:443/api/status fails: fail to execute the HTTP GET request: Get "https://0.0.0.0:443/api/status": dial tcp 0.0.0.0:443: connect: connection refused. Response: .
```

Please post your kibana logs

I am not sure what else to tell you. I have provided you with `$ journalctl --unit kibana`, and under /var/log/kibana I have no logs present. Please give some time to analyzing what I've already sent through; it seems that you're asking me for redundant information, whilst I took the time to put everything together.

Hi @yash2

xpack.security.enabled: true

This setting does not belong in your kibana.yml; that setting is only valid in elasticsearch.yml.
Take it out of the kibana.yml.

This is wrong, you cannot use 0.0.0.0 as a target host or destination, you need to use your Kibana IP address.
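
Added example (not part of the thread, and not Elastic or Wazuh code): a small Python check for the two mistakes the replies point out, a setting that is not valid in kibana.yml and 0.0.0.0 used as a connection target rather than a listen address. The config excerpts are constructed from the files posted above, and the rule tables and function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpts of the two files posted in this thread (credentials left out).
KIBANA_YML = """\
server.host: 0.0.0.0
server.port: 443
elasticsearch.hosts: ["https://192.168.2.18:9200"]
xpack.security.enabled: true
elasticsearch.username: elastic
"""
FILEBEAT_YML = """\
output.elasticsearch.hosts: ["192.168.2.18:9200"]
setup.kibana:
  # Kibana Host
  host: "https://0.0.0.0:443"
output.elasticsearch.protocol: https
"""

# Hypothetical rule tables built from the two replies, not an official list.
NOT_KIBANA_KEYS = {"xpack.security.enabled"}          # Elasticsearch-only setting
TARGET_KEYS = {"setup.kibana.host", "elasticsearch.hosts",
               "output.elasticsearch.hosts"}          # addresses a client dials
UNSPECIFIED = {"0.0.0.0", "::"}                       # valid to bind, not to dial


def flatten(text):
    """Reduce simple YAML (dotted keys, nested maps, no lists of maps) to dotted keys."""
    out, parents = {}, []                 # parents: (indent, key) of open maps
    for raw in text.splitlines():
        m = re.match(r"(\s*)([^\s:#-][^:]*):\s*(.*)", raw)
        if not m:                         # blank line, comment or list item
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while parents and parents[-1][0] >= indent:
            parents.pop()                 # leave maps that ended at this indent
        if value:
            out[".".join([k for _, k in parents] + [key])] = value
        else:
            parents.append((indent, key))
    return out


def targets(value):
    """Yield the host part of each entry in a scalar or inline-list value."""
    items = value[1:-1].split(",") if value.startswith("[") and value.endswith("]") else [value]
    for item in items:
        item = item.strip().strip("\"'")
        yield urlsplit(item if "://" in item else "//" + item).hostname


def lint(text, is_kibana):
    """Return (key, problem) pairs for the two mistakes discussed in the thread."""
    findings = []
    for key, value in flatten(text).items():
        if is_kibana and key in NOT_KIBANA_KEYS:
            findings.append((key, "not valid in kibana.yml, remove it"))
        if key in TARGET_KEYS and any(h in UNSPECIFIED for h in targets(value)):
            findings.append((key, "0.0.0.0 is a listen address, not a destination"))
    return findings


if __name__ == "__main__":
    for name, text, kib in (("kibana.yml", KIBANA_YML, True),
                            ("filebeat.yml", FILEBEAT_YML, False)):
        for key, problem in lint(text, kib):
            print(f"{name}: {key}: {problem}")
```

`server.host: 0.0.0.0` in kibana.yml is not flagged because it is a bind address; only keys that name a destination are checked against the unspecified address.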
