wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0
437 stars 181 forks source link

Wazuh App failed in Kibana #968

Closed n4ll3ec closed 5 years ago

n4ll3ec commented 6 years ago

Hi, I installed Wazuh manager and api on an existing ELK Stack(Wazuh3.6.1 & ELK6.3.2 ). But when I try to open the Wazuh app in Kibana, the following errors occured:

outes. Error. 2001 - [security_exception] action [indices:data/read/search] is unauthorized for user [kibana]
Settings. Error. Error getting API entries\
Settings. Error. Error when loading Wazuh setup info

I tried this solution—issue382, but it didn't work for me.Can you help me out ? Any solution will be appreciated.Below here is my config that related

Kibana Configiration

elasticsearch.username: "elastic"
elasticsearch.password: "PASSWORD"

Wazuh-API

curl -u "wazuh:PASSWORD" -ssl -k "https://127.0.0.1:55000/?pretty"
{
   "error": 0,
   "data": {
      "msg": "Welcome to Wazuh HIDS API",
      "api_version": "v3.6.1",
      "hostname": "sec",
      "timestamp": "Fri Oct 12 2018 17:35:44 GMT+0800 (CST)"
   }
}

Wazuh-Manager

/var/ossec/bin/agent_control -V

Wazuh v3.6.1 - Wazuh Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as 
published by the Free Software Foundation. For more details, go to 
https://www.gnu.org/licenses/gpl.html

Elasticsearch

 curl -u 'elastic:PASSWORD' -ssl -k "https://127.0.0.1:9200/?pretty"
{
  "name" : "Z3VxNL8",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "7sdKA-bARwymOd5r5uM7Ug",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

wazuh-kibana-app

cat /usr/share/kibana/plugins/wazuh/package.json 
{
    "name": "wazuh",
    "version": "3.6.1",
    "revision": "0408",
    "kibana": {
        "version": "6.3.2"
    },
    "description": "Wazuh app",
    "main": "index.js",
    "keywords": [
        "kibana",
        "wazuh",
        "ossec"
    ],
    "author": "Wazuh, Inc",
    "license": "GPL-2.0",
    "repository": {
        "type": "git",
        "url": "https://github.com/wazuh/wazuh-kibana-app.git"
    },
    "bugs": {
        "url": "https://github.com/wazuh/wazuh-kibana-app/issues"
    },
    "homepage": "https://www.wazuh.com/",
    "dependencies": {
        "angular-animate": "1.6.5",
        "angular-cookies": "1.6.5",
        "angular-material": "1.1.10",
        "dom-to-image": "^2.6.0",
        "install": "^0.10.1",
        "js2xmlparser": "^3.0.0",
        "json2csv": "^4.1.2",
        "needle": "^2.0.1",
        "node-cron": "^1.1.2",
        "pdfmake": "^0.1.37",
        "querystring-browser": "1.0.4",
        "simple-tail": "^1.1.0",
        "timsort": "^0.3.0",
        "winston": "3.0.0"
    }
}

Browser Error

jesusgn90 commented 6 years ago

Hello @fl4nker ,

The problem you are facing comes from X-Pack security roles. The message [indices:data/read/search] is unauthorized for user [kibana] means the user kibana is having troubles for fetching .wazuh index, that index is a Wazuh app index.

At this point you have two solutions:

1) Use the elastic user instead of the kibana user when login the UI, and use it in your kibana.yml file too. 2) Follow our X-Pack guide to fully configure each role https://documentation.wazuh.com/current/user-manual/kibana-app/configure-xpack/index.html

I hope it helps. Best regards, Jesús

n4ll3ec commented 6 years ago

thanks for your help! @jesusgn90 As mentioned in my post, I use the elastic user in my kibana configuration file and also use it login the Kibana UI, it doesn't work. I'll try the second solution, thanks again

jesusgn90 commented 6 years ago

Hi @fl4nker ,

The second solution is the right way, in any case, is unauthorized for user [kibana] is telling you that you are using the user kibana when login the UI, give a try to use elastic user because it's the admin user so it must work.

Let us know @fl4nker !

Best regards, Jesús

n4ll3ec commented 6 years ago

thanks again! @jesusgn90

But I'm so sorry to say, that solution2 also failed. I'm so confused !! I go through all steps that you mentioned in solution2 (wazuh-configure-xpack), but it just failed, no matter I use the elastic user or the new created wazuh_system user.

Let me give you some screenshot here:

kibana_ui
jesusgn90 commented 6 years ago

Hello again @fl4nker ,

That's pretty weird because we've tested it again a week ago. In any case, it seems like you are still using kibana as the UI user ([indices:data/read/search] is unauthorized for user [kibana]).

Let's use the elastic user for both UI and server. Please take a look into your /etc/kibana/kibana.yml and ensure you are using elastic as the server user:

elasticsearch.username: "elastic"
elasticsearch.password: "elastic_pass"

If you modified the file, please restart Kibana:

# systemctl restart kibana

Now please open a new incognito window in your browser (it works better with Chrome) and login the Kibana UI using the user elastic (same as the kibana.yml user).

This must works because the elastic user is superadmin in Elasticsearch.

Once you are done using the elastic user we can continue creating more users and roles, for now, my goal is to make it work using only the elastic user.

Best regards, Jesús

n4ll3ec commented 6 years ago

@jesusgn90 I'm definitely using the elastic user in my Kibana configuration and Kibana UI. And everytime I modified the kibana configuration, I restarted the Kibana. Please reference my screenshot Kibana Config Kibana UI

It's so weird, and I'm sooo confused. Never mind, I'd like to give it up,and try another installtion from scratch.

jesusgn90 commented 6 years ago

Hi @fl4nker ,

The Kibana config looks good to me, but the Kibana UI, it would be nice if you paste a screenshot from the left menu bar (at the left bottom corner), for example:

image

That's the user who logged in the Kibana UI.

Regards, Jesús

n4ll3ec commented 6 years ago

@jesusgn90 sorry, paste wrong picture!

Kibana config Kibana UI

jesusgn90 commented 6 years ago

There is still something wrong, the user elastic is the admin user. Please, can we try to open a new incognito window on your browser and login as elastic one more time? (https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history, https://www.lifewire.com/incognito-mode-google-chrome-4103635)

Regards

n4ll3ec commented 6 years ago

still not working.it's soooo weird,I'll try another way thanks for your help @jesusgn90

screenshot_20181018_165910328 screenshot_20181018_170923597
jesusgn90 commented 6 years ago

That's pretty weird @fl4nker , let's see Management > Users and Management > Roles, please.

image

Regards

n4ll3ec commented 6 years ago

@jesusgn90 I installed Wazuh on another ELK Stack from scratch, ELK6.4.1 without X-Pack security enabled, it works fine. Here, I'll help the community debug the previous issue.

screenshot_20181019_103128896 screenshot_20181019_10322316
mathieu83470 commented 5 years ago

Hello,

I have the same issue but i can't disable Xpack , anyone know to resolve it? In kibana.yml => I use "elastic" user In kibana UI => Logged with same "elastic" user

Error message : {"message":"2001 - [security_exception] action [indices:data/read/search] is unauthorized for user [kibana]","code":2001,"statusCode":500}

Thanks for your help

jesusgn90 commented 5 years ago

Hi @mathieu83470 ,

That's weird because the log is saying for user [kibana], are you sure Kibana is using elastic user both sides (UI and server)?

Can you show us the kibana.yml content? (replace your password with "****")

Which version is your app? (Wazuh version + Kibana version)

Regards