Wazuh App failed in Kibana

[n4ll3ec]

Hi, I installed Wazuh manager and api on an existing ELK Stack(Wazuh3.6.1 & ELK6.3.2 ). But when I try to open the Wazuh app in Kibana, the following errors occured:

outes. Error. 2001 - [security_exception] action [indices:data/read/search] is unauthorized for user [kibana]
Settings. Error. Error getting API entries\
Settings. Error. Error when loading Wazuh setup info

I tried this solution—issue382, but it didn't work for me.Can you help me out ? Any solution will be appreciated.Below here is my config that related

Kibana Configiration

elasticsearch.username: "elastic"
elasticsearch.password: "PASSWORD"

Wazuh-API

curl -u "wazuh:PASSWORD" -ssl -k "https://127.0.0.1:55000/?pretty"
{
   "error": 0,
   "data": {
      "msg": "Welcome to Wazuh HIDS API",
      "api_version": "v3.6.1",
      "hostname": "sec",
      "timestamp": "Fri Oct 12 2018 17:35:44 GMT+0800 (CST)"
   }
}

Wazuh-Manager

/var/ossec/bin/agent_control -V

Wazuh v3.6.1 - Wazuh Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as 
published by the Free Software Foundation. For more details, go to 
https://www.gnu.org/licenses/gpl.html

Elasticsearch

 curl -u 'elastic:PASSWORD' -ssl -k "https://127.0.0.1:9200/?pretty"
{
  "name" : "Z3VxNL8",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "7sdKA-bARwymOd5r5uM7Ug",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

wazuh-kibana-app

cat /usr/share/kibana/plugins/wazuh/package.json 
{
    "name": "wazuh",
    "version": "3.6.1",
    "revision": "0408",
    "kibana": {
        "version": "6.3.2"
    },
    "description": "Wazuh app",
    "main": "index.js",
    "keywords": [
        "kibana",
        "wazuh",
        "ossec"
    ],
    "author": "Wazuh, Inc",
    "license": "GPL-2.0",
    "repository": {
        "type": "git",
        "url": "https://github.com/wazuh/wazuh-kibana-app.git"
    },
    "bugs": {
        "url": "https://github.com/wazuh/wazuh-kibana-app/issues"
    },
    "homepage": "https://www.wazuh.com/",
    "dependencies": {
        "angular-animate": "1.6.5",
        "angular-cookies": "1.6.5",
        "angular-material": "1.1.10",
        "dom-to-image": "^2.6.0",
        "install": "^0.10.1",
        "js2xmlparser": "^3.0.0",
        "json2csv": "^4.1.2",
        "needle": "^2.0.1",
        "node-cron": "^1.1.2",
        "pdfmake": "^0.1.37",
        "querystring-browser": "1.0.4",
        "simple-tail": "^1.1.0",
        "timsort": "^0.3.0",
        "winston": "3.0.0"
    }
}

Browser Error

• https://10.28.100.110:5601/api/wazuh-api/apiEntries

  message | 2001 - [security_exception] action [indices:data/read/search] is unauthorized for user [kibana]
  -- | --
  code | 2001
  statusCode | 500

• https://10.28.100.110:5601/api/wazuh-elastic/setup

  message | 4005  - Could not get data from elasticsearch due to [security_exception]  action [indices:data/read/search] is unauthorized for user [kibana]
  -- | --
  code | 4005
  statusCode | 500

[jesusgn90]

Hello @fl4nker ,

The problem you are facing comes from X-Pack security roles. The message [indices:data/read/search] is unauthorized for user [kibana] means the user kibana is having troubles for fetching .wazuh index, that index is a Wazuh app index.

At this point you have two solutions:

1) Use the elastic user instead of the kibana user when login the UI, and use it in your kibana.yml file too. 2) Follow our X-Pack guide to fully configure each role https://documentation.wazuh.com/current/user-manual/kibana-app/configure-xpack/index.html

I hope it helps. Best regards, Jesús

[n4ll3ec]

thanks for your help! @jesusgn90 As mentioned in my post, I use the elastic user in my kibana configuration file and also use it login the Kibana UI, it doesn't work. I'll try the second solution, thanks again

[jesusgn90]

Hi @fl4nker ,

The second solution is the right way, in any case, is unauthorized for user [kibana] is telling you that you are using the user kibana when login the UI, give a try to use elastic user because it's the admin user so it must work.

Let us know @fl4nker !

Best regards, Jesús

[n4ll3ec]

thanks again! @jesusgn90

But I'm so sorry to say, that solution2 also failed. I'm so confused !! I go through all steps that you mentioned in solution2 (wazuh-configure-xpack), but it just failed, no matter I use the elastic user or the new created wazuh_system user.

Let me give you some screenshot here:

• solution 1

• solution 2

[jesusgn90]

Hello again @fl4nker ,

That's pretty weird because we've tested it again a week ago. In any case, it seems like you are still using kibana as the UI user ([indices:data/read/search] is unauthorized for user [kibana]).

Let's use the elastic user for both UI and server. Please take a look into your /etc/kibana/kibana.yml and ensure you are using elastic as the server user:

elasticsearch.username: "elastic"
elasticsearch.password: "elastic_pass"

If you modified the file, please restart Kibana:

# systemctl restart kibana

Now please open a new incognito window in your browser (it works better with Chrome) and login the Kibana UI using the user elastic (same as the kibana.yml user).

This must works because the elastic user is superadmin in Elasticsearch.

Once you are done using the elastic user we can continue creating more users and roles, for now, my goal is to make it work using only the elastic user.

Best regards, Jesús

[n4ll3ec]

@jesusgn90 I'm definitely using the elastic user in my Kibana configuration and Kibana UI. And everytime I modified the kibana configuration, I restarted the Kibana. Please reference my screenshot Kibana Config Kibana UI

It's so weird, and I'm sooo confused. Never mind, I'd like to give it up,and try another installtion from scratch.

[jesusgn90]

Hi @fl4nker ,

The Kibana config looks good to me, but the Kibana UI, it would be nice if you paste a screenshot from the left menu bar (at the left bottom corner), for example:

That's the user who logged in the Kibana UI.

Regards, Jesús

[n4ll3ec]

@jesusgn90 sorry, paste wrong picture!

Kibana config Kibana UI

[jesusgn90]

There is still something wrong, the user elastic is the admin user. Please, can we try to open a new incognito window on your browser and login as elastic one more time? (https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history, https://www.lifewire.com/incognito-mode-google-chrome-4103635)

Regards

[n4ll3ec]

still not working.it's soooo weird,I'll try another way thanks for your help @jesusgn90

[jesusgn90]

That's pretty weird @fl4nker , let's see Management > Users and Management > Roles, please.

Regards

[n4ll3ec]

@jesusgn90 I installed Wazuh on another ELK Stack from scratch, ELK6.4.1 without X-Pack security enabled, it works fine. Here, I'll help the community debug the previous issue.

[mathieu83470]

Hello,

I have the same issue but i can't disable Xpack , anyone know to resolve it? In kibana.yml => I use "elastic" user In kibana UI => Logged with same "elastic" user

Error message : {"message":"2001 - [security_exception] action [indices:data/read/search] is unauthorized for user [kibana]","code":2001,"statusCode":500}

Thanks for your help

[jesusgn90]

Hi @mathieu83470 ,

That's weird because the log is saying for user [kibana], are you sure Kibana is using elastic user both sides (UI and server)?

Can you show us the kibana.yml content? (replace your password with "****")

Which version is your app? (Wazuh version + Kibana version)

Regards