Closed arkhelieldan closed 1 year ago
When I install manually using these lines, Kibana enters a loop in the restart process:
cd /usr/share/kibana/
sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.9.2.zip
kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
Active: active (running) since qua 2020-10-07 18:37:31 UTC; 19s ago
Main PID: 2388 (node)
CGroup: /system.slice/kibana.service
└─2388 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli
kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
Active: active (running) since qua 2020-10-07 18:37:55 UTC; 18s ago
Main PID: 2404 (node)
CGroup: /system.slice/kibana.service
└─2404 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["warning","plugins","alerts","plugins","alerting"],"pid":2404,"message":"APIs are disabled due to the Encrypted Saved Objects plugin using an ephemeral encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml."}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","plugins","monitoring","monitoring"],"pid":2404,"message":"config sourced from: production cluster"}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","plugins","reporting","config"],"pid":2404,"message":"Chromium sandbox provides an additional layer of protection, and is supported for Linux Raspbian 2 OS. Automatically enabling Chromium sandbox."}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","savedobjects-service"],"pid":2404,"message":"Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations..."}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","savedobjects-service"],"pid":2404,"message":"Starting saved objects migrations"}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","plugins-system"],"pid":2404,"message":"Starting [92] plugins: [taskManager,licensing,observability,globalSearch,globalSearchProviders,code,usageCollection,ossTelemetry,telemetryCollectionManager,telemetry,telemetryCollectionXpack,kibanaUsageCollection,newsfeed,mapsLegacy,kibanaLegacy,translations,timelion,share,legacyExport,esUiShared,charts,bfetch,expressions,data,home,cloud,console,consoleExtensions,apmOss,searchprofiler,painlessLab,grokdebugger,management,upgradeAssistant,licenseManagement,watcher,indexPatternManagement,advancedSettings,fileUpload,dataEnhanced,savedObjects,visualizations,visualize,visTypeVislib,visTypeVega,visTypeTimeseries,visTypeTimelion,features,security,snapshotRestore,reporting,enterpriseSearch,encryptedSavedObjects,ingestManager,indexManagement,rollup,remoteClusters,crossClusterReplication,indexLifecycleManagement,beats_management,transform,ingestPipelines,maps,graph,canvas,visTypeTagcloud,visTypeTable,visTypeMetric,visTypeMarkdown,tileMap,regionMap,inputControlVis,discover,discoverEnhanced,dashboard,lens,dashboardMode,savedObjectsManagement,spaces,lists,eventLog,actions,case,alerts,alertingBuiltins,ml,securitySolution,infra,monitoring,logstash,apm,uptime]"}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","plugins","taskManager","taskManager"],"pid":2404,"message":"TaskManager is identified by the Kibana UUID: 96d6349d-ec39-46bf-abcf-6880ba9a8684"}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","plugins","watcher"],"pid":2404,"message":"Your basic license does not support watcher. Please upgrade your license."}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","plugins","crossClusterReplication"],"pid":2404,"message":"Your basic license does not support crossClusterReplication. Please upgrade your license."}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","@timestamp":"2020-10-07T18:38:13Z","tags":["info","plugins","monitoring","monitoring","kibana-monitoring"],"pid":2404,"message":"Starting monitoring stats collection"}
out 07 18:38:20 HOSTNAME_SERVER systemd[1]: Started Kibana.
out 07 18:38:20 HOSTNAME_SERVER systemd[1]: Starting Kibana...
out 07 18:38:27 HOSTNAME_SERVER kibana[2419]: {"type":"log","@timestamp":"2020-10-07T18:38:27Z","tags":["warning","plugins-discovery"],"pid":2419,"message":"Expect plugin \"id\" in camelCase, but found: beats_management"}
out 07 18:38:27 HOSTNAME_SERVER kibana[2419]: {"type":"log","@timestamp":"2020-10-07T18:38:27Z","tags":["warning","plugins-discovery"],"pid":2419,"message":"Expect plugin \"id\" in camelCase, but found: triggers_actions_ui"}
Hello @arkhelieldan ,
Maybe this is due to a memory peak between Elasticsearch and Kibana. What instance type are you using? I'd recommend t2.large as a minimum.
Hi @manuasir how are you? I also thought it might be a memory problem, but I used T2.large but I was not successful.
How much time did you wait until it failed? It seems that the hot point is the optimization process that Kibana executes. Sometimes this process can last even 10 or 15 minutes. Did you ensure the process gets stuck at that point?
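As an added illustration, not part of the thread: the status outputs and journal lines above show different Kibana PIDs (2388, 2404, 2419) within about a minute, which is what separates a restart loop from one long optimization run. The script below counts distinct Kibana PIDs in journal text; the function names and the shortened sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Kibana restarts from journal
# text on stdin, in the format quoted above:
#   <mon> <day> <time> <host> kibana[<pid>]: {json}

# Print "<pid> <first-time> <last-time> <line-count>" per Kibana PID, in order seen.
kibana_pid_summary() {
  awk '
    match($0, /kibana\[[0-9]+\]:/) {
      pid = substr($0, RSTART + 7, RLENGTH - 9)   # digits between "[" and "]:"
      if (!(pid in first)) { first[pid] = $3; order[++n] = pid }
      last[pid] = $3
      lines[pid]++
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        print p, first[p], last[p], lines[p]
      }
    }'
}

# Exit 0 when more than $1 (default 1) distinct Kibana PIDs appear on stdin,
# i.e. systemd started new processes instead of one process still optimizing.
kibana_is_looping() {
  max_pids=${1:-1}
  count=$(kibana_pid_summary | awk 'END { print NR }')
  [ "$count" -gt "$max_pids" ]
}

# Constructed sample, shortened from the journal lines in the thread.
sample_journal() {
  cat <<'EOF'
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","tags":["info","savedobjects-service"],"pid":2404,"message":"Starting saved objects migrations"}
out 07 18:38:13 HOSTNAME_SERVER kibana[2404]: {"type":"log","tags":["info","plugins","monitoring"],"pid":2404,"message":"Starting monitoring stats collection"}
out 07 18:38:20 HOSTNAME_SERVER systemd[1]: Started Kibana.
out 07 18:38:27 HOSTNAME_SERVER kibana[2419]: {"type":"log","tags":["warning","plugins-discovery"],"pid":2419,"message":"Expect plugin \"id\" in camelCase, but found: beats_management"}
EOF
}

sample_journal | kibana_pid_summary
if sample_journal | kibana_is_looping 1; then
  echo "restart loop: more than one Kibana PID in the capture"
fi
```

On a live host the same functions can read `journalctl -u kibana --since "15 min ago" --no-pager` instead of the sample.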
I will try again to deploy the Wazuh infrastructure and return with the results.
Hello, again I tried to do the deployment with the machines. I waited about 1 hour post-deployment, and the infrastructure went up with Kibana normally; the problem is that wazuhapp is not installed.
ApiBranch: 3.13
AvailabilityZone: us-west-2b, us-west-2c, us-west-2d
Branch: 3.13
ElasticInstanceType: t2.large
ElasticWazuhVersion: 7.9.2_3.13.2
EnableDNSRecord: disabled
InstallType: packages
KibanaInstanceType: t2.large
WazuhInstanceType: t2.large
I also tried to install wazuhapp manually, but the service loops after restart, then dies.
Hi guys, I solved this issue by running the upgrade process described in the documents of wazuh-app: https://github.com/wazuh/wazuh-kibana-app.
mkdir -p /usr/share/kibana/optimize/wazuh/config
cp /usr/share/kibana/plugins/wazuh/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml
cd /usr/share/kibana/
sudo -u kibana bin/kibana-plugin remove wazuh
rm -rf /usr/share/kibana/optimize/bundles
chown -R kibana:kibana /usr/share/kibana/optimize
chown -R kibana:kibana /usr/share/kibana/plugins
cd /usr/share/kibana/
sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.9.1.zip
sudo chown kibana:kibana /usr/share/kibana/optimize/wazuh/config/wazuh.yml
sudo chmod 600 /usr/share/kibana/optimize/wazuh/config/wazuh.yml
systemctl restart kibana
Some notes:
Wazuh API in the WazuhMaster instance is not installed correctly; it was necessary to manually reinstall it since the service was not found.
The Target Groups and Security Group of WazuhManager and the listener 1514 for ReportingTG are configured with TCP; normally it is defined with UDP.
The user for the Kibana UI is sometimes defined as elastic or wazuh.
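A check to run after the commands above, added here and not taken from the thread or the Wazuh documentation: it confirms that the optimize and plugins directories are owned by kibana:kibana and that wazuh.yml has mode 600. Function names are hypothetical; the paths and the kibana user and group come from the commands in the comment.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ownership and mode that the
# upgrade commands above set. Paths and the kibana user/group are taken from
# those commands; function names are hypothetical.

# Print every path at or below $1 whose owner is not $2 or whose group is not $3.
not_owned_by() {
  find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Succeed only when $1 itself has exactly the octal mode $2 (e.g. 600).
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Audit a Kibana home ($1) for user $2 / group $3; print findings, return 1 if any.
audit_kibana_plugin_files() {
  home=$1 user=$2 group=$3 rc=0
  for dir in "$home/optimize" "$home/plugins"; do
    bad=$(not_owned_by "$dir" "$user" "$group")
    if [ -n "$bad" ]; then
      echo "not owned by $user:$group:"; echo "$bad"; rc=1
    fi
  done
  cfg="$home/optimize/wazuh/config/wazuh.yml"
  if ! has_mode "$cfg" 600; then
    echo "expected mode 600: $cfg"; rc=1
  fi
  return "$rc"
}

# Run only where the paths exist, so the script is harmless elsewhere.
if [ -d /usr/share/kibana/optimize ]; then
  audit_kibana_plugin_files /usr/share/kibana kibana kibana || echo "audit failed"
fi
```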
Hi, regarding https://github.com/wazuh/wazuh-cloudformation/issues/71, I performed a new deployment via CloudFormation, and this time Kibana was successfully installed. The only problem is that WazuhAPP was installed (according to the logs), but in Kibana the app is apparently not recognized, as the shortcut is not displayed.