
    Kibana Wazuh Agent isn't showing anything in integrity

    IT Discussion
    wazuh wazuh-manager windows syscheck
    • DustinB3403

      So I had this working, and then I wanted to make a few changes to the agent config file. Those didn't work the way I wanted, specifically it was taking way too long to scan the drives that I wanted to monitor realtime for changes (add, edit, delete of files).

      So I undid those changes, now in the Integrity monitor for this one Windows server, nothing shows up. I've reinstalled the agent, created a new agent id and registered with that.

      I'm kind of at a loss as to why this wouldn't show something at all, even "File added" for the first round of syscheck scans.

      • Dashrender

        any kind of firewall blocking?

        • DustinB3403 @Dashrender

          @Dashrender said in Kibana Wazuh Agent isn't showing anything in integrity:

          any kind of firewall blocking?

          No nothing else changed besides my fiddling with the config file (and reinstalling the agent/creating a new agent id).

          • DustinB3403

            Other things, like the system hardware metrics are reported, just Integrity information isn't being printed out.

            Specifically if I went into this function, it lists no results to show.

            chrome_g5l2jEINQ5.png

            • DustinB3403

              It's got to be something with the login page functionality. . .

              • IRJ

                1. FIM logs are transmitted over 1514 UDP just like other logs. So if you are getting other logs this is not a network or wazuh agent issue.

                2. Forget Kibana for now... Are these events showing up in /var/ossec/logs/ossec.log?

                • DustinB3403 @IRJ

                  @IRJ I saw things in there, yes.

                  '/var/ossec/logs/ossec.log'

                  • DustinB3403 @IRJ

                    @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                    • IRJ @DustinB3403

                      @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                      @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                      9200 is elasticsearch, not Kibana. What happens when you restart elasticsearch? Does it throw any errors?

                      • IRJ @DustinB3403

                        @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                        @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                        Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

                        • DustinB3403 @IRJ

                          @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                          @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                          @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                          9200 is elasticsearch, not Kibana. What happens when you restart elasticsearch? Does it throw any errors?

                          Give me a moment.

                          • DustinB3403 @IRJ

                            @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                            @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                            @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                            Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

                            Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

                            • IRJ @DustinB3403

                              @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                              @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                              @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                              @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                              Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

                              Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

                              I am not saying it's a bad thing at all. It's what you should be doing. I am just telling you that you cannot expect to run an unauthenticated query from CLI and expect it to return results.

                              Are you running wazuh and ELK on the same server? If so then using SSL on elastic isn't necessary, but I guess it's not a bad thing either.

                              If ELK and wazuh are separated then you absolutely need it. You still need SSL for accessing kibana of course.

                              • DustinB3403 @IRJ

                                @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                                @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                                @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                                @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                                @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                                Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

                                Well we just want to prevent any Tom Dick or Harry from getting on the network and then accessing Wazuh and seeing all of the super-secret-sauce.

                                I am not saying it's a bad thing at all. It's what you should be doing. I am just telling you that you cannot expect to run an unauthenticated query from CLI and expect it to return results.

                                Are you running wazuh and ELK on the same server? If so then using SSL on elastic isn't necessary, but I guess it's not a bad thing either.

                                Same VM

                                If ELK and wazuh are separated then you absolutely need it.

                                Same VM

                                You still need SSL for accessing kibana of course.

                                All on the LAN, nothing publicly hosted, the desire is to just lock it away from anyone who shouldn't be on it (even though the bulk of those would be our employees)

                                • DustinB3403

                                  And SSL on an Internal only webpage is a PITA.

                                  • DustinB3403 @IRJ

                                    @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                                    @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                                    @IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.

                                    Also if you are truly using SSL then you won't be able to send an unauthenticated query 😉

                                    Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["warning","searchguard"],"pid":942,"message":"\"Do not fail on forbidden\" is not enabled. Please refer to the documentation: https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-elasticsearch-enable-do-not-fail-on-forbidden"}
                                    Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["status","plugin:[email protected]","info"],"pid":942,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
                                    Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500        ERROR        pipeline/output.go:100        Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
                                    Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500        INFO        pipeline/output.go:93        Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 6 reconnect attempt(s)
                                    Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500        ERROR        pipeline/output.go:100        Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF
                                    Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500        INFO        pipeline/output.go:93        Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 7 reconnect attempt(s)
                                    
                                    • DustinB3403

                                      Which that is tied in specifically with the Safe Guard plugin

                                      • IRJ @DustinB3403

                                        @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                                        Which that is tied in specifically with the Safe Guard plugin

                                        If it's on the same host, then just do an nginx reverse proxy.

                                        • IRJ

                                          Also do iptables rules to block all incoming 9200 and 5601 traffic as you will not need it

                                          • DustinB3403 @IRJ

                                            @IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:

                                            @DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:

                                            Which that is tied in specifically with the Safe Guard plugin

                                            If it's on the same host, then just do an nginx reverse proxy.

                                            (I've never set one up) 😐
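
IRJ's suggestion above (an nginx reverse proxy on the same host, plus iptables rules closing 9200 and 5601 to incoming traffic) sketched as a script. This is an added example, not something posted in the thread. The certificate, htpasswd and conf.d paths, and Kibana listening on 127.0.0.1:5601 over plain HTTP, are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: front Kibana with nginx on the same host
# and drop direct LAN access to Elasticsearch (9200) and Kibana (5601).
# Assumed: cert/key paths, htpasswd path, and Kibana bound to 127.0.0.1
# (server.host: "127.0.0.1" in kibana.yml).

BACKEND_PORTS="9200 5601"

# Emit one DROP rule per backend port for traffic that did not arrive on
# loopback. Clients on the same VM (nginx, Filebeat) can still connect.
firewall_rules() {
    for port in $BACKEND_PORTS; do
        printf 'iptables -I INPUT ! -i lo -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Emit the nginx server block: TLS and basic auth at the edge, plain HTTP to
# Kibana over loopback only.
nginx_site() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name wazuh.localdomain;                      # hostname seen in the thread's logs
    ssl_certificate     /etc/nginx/ssl/kibana.crt;      # assumed path
    ssl_certificate_key /etc/nginx/ssl/kibana.key;      # assumed path
    auth_basic           "Wazuh";
    auth_basic_user_file /etc/nginx/kibana.htpasswd;    # assumed path
    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Review mode by default; APPLY=1 (as root) writes the site and loads the rules.
if [ "${APPLY:-0}" = 1 ]; then
    nginx_site > /etc/nginx/conf.d/kibana.conf    # assumed include directory
    nginx -t && nginx -s reload
    firewall_rules | sh
else
    firewall_rules
    nginx_site
fi
```

Run it without arguments to review the generated rules and server block before applying anything.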
