Wazuh SSL configuration to ELK Server

In this tutorial, it is assumed that you have installed Wazuh Manager and ELK on separate servers. In addition to setting up SSL for the Wazuh (Filebeat to Logstash) communications, we will also configure Kibana to be accessed over SSL. You can skip that part if you already use SSL and authentication to access Kibana on your ELK server.

Configuring SSL for Filebeat and Logstash

Run from the Logstash (ELK) server

Copy the default openssl config file

cp /etc/ssl/openssl.cnf custom_openssl.cnf

Add the IP address of the ELK server as a subjectAltName in the config file (change x.x.x.x to the ELK server's IP; Filebeat validates the certificate against the host it connects to, so the SAN must match the address in filebeat.yml)

sed -i '/v3_ca/a\\nsubjectAltName = IP: x.x.x.x' custom_openssl.cnf

Generate a self-signed SSL cert using the custom config file

openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/logstash/logstash.key -out /etc/logstash/logstash.crt -config custom_openssl.cnf

Remove the custom config file

rm custom_openssl.cnf

Configure permissions on the Logstash cert and key. The certificate is public and can be world-readable; the private key should be readable only by root and the logstash user, never by everyone

chmod 644 /etc/logstash/logstash.crt
chown root:logstash /etc/logstash/logstash.key
chmod 640 /etc/logstash/logstash.key
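As an added example (not part of the original tutorial), the certificate steps above wrapped in small shell functions that check their own result: the SAN line is inserted under the [ v3_ca ] section header rather than after every line that mentions v3_ca, the key is left non-world-readable, and the issued certificate is inspected for the expected IP SAN before it is trusted. The same verify_san check can be run on the Wazuh manager against the copied /etc/filebeat/logstash.crt. The IP 10.0.0.5, the /tmp paths and the sample openssl.cnf in the usage notes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Paths, the IP 10.0.0.5 and
# the sample config referred to below are constructed for illustration.
set -eu

# build_san_config BASE_CNF OUT_CNF IP
# Copies an openssl config and adds "subjectAltName = IP:<ip>" directly under
# the [ v3_ca ] section header (the extensions section "req -x509" uses), then
# confirms the line is present. Anchoring on the header avoids also matching the
# "x509_extensions = v3_ca" line in [ req ], which a bare /v3_ca/ pattern hits.
build_san_config() {
    base="$1"; out="$2"; ip="$3"
    cp "$base" "$out"
    sed -i "/^\[ *v3_ca *\]/a subjectAltName = IP:${ip}" "$out"
    grep -q "^subjectAltName = IP:${ip}\$" "$out"
}

# issue_cert CNF KEY CRT DAYS
# Self-signed certificate as in the tutorial. The private key is left readable
# by owner and group only; the certificate is public and may be world-readable.
issue_cert() {
    openssl req -x509 -batch -nodes -days "$4" -newkey rsa:2048 \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
    chmod 640 "$2"
    chmod 644 "$3"
}

# verify_san CRT IP
# Returns 0 only if the certificate carries the IP SAN that Filebeat will
# validate when it connects to Logstash at that address.
verify_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Usage on the ELK server (run as root, replace 10.0.0.5 with the ELK IP):
#   build_san_config /etc/ssl/openssl.cnf /tmp/custom_openssl.cnf 10.0.0.5
#   issue_cert /tmp/custom_openssl.cnf /etc/logstash/logstash.key \
#              /etc/logstash/logstash.crt 365
#   chown root:logstash /etc/logstash/logstash.key
#   verify_san /etc/logstash/logstash.crt 10.0.0.5 && echo "SAN present"
#   rm /tmp/custom_openssl.cnf
```

If verify_san fails, Filebeat will reject the connection with a certificate validation error once ssl is enabled, so it is worth running this check before restarting Logstash and again on the Wazuh manager after copying the certificate.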

Uncomment the 3 lines pertaining to ssl in the Logstash Wazuh input configuration

sed -i '/ssl =>/s/^#//g' /etc/logstash/conf.d/01-wazuh.conf
sed -i '/ssl_certificate/s/^#//g' /etc/logstash/conf.d/01-wazuh.conf
sed -i '/ssl_key/s/^#//g' /etc/logstash/conf.d/01-wazuh.conf

Restart Logstash

systemctl restart logstash.service

Log in and run from the Wazuh server

Copy the Logstash certificate from the ELK server to the Filebeat host (Wazuh manager)

scp user@elkserver:/etc/logstash/logstash.crt /etc/filebeat

Set read permissions for logstash.crt (it contains only the public certificate, so world-readable is fine)

chmod 644 /etc/filebeat/logstash.crt

Uncomment the ssl lines in the Filebeat configuration file to enable it and point Filebeat at the copied certificate as its trusted CA

sed -i '/ssl:/s/^#//g' /etc/filebeat/filebeat.yml
sed -i '/certificate_authorities/s/^#//g' /etc/filebeat/filebeat.yml

Restart the Filebeat service

systemctl restart filebeat.service

Configuring SSL for Kibana (ELK Server)

Run on the ELK server

Install NGINX

apt-get -y install nginx

Generate a self-signed cert for Kibana

mkdir -p /etc/ssl/certs /etc/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem

Set up the config file for NGINX. Port 80 redirects to HTTPS, and port 443 terminates TLS, requires basic authentication and proxies to Kibana on localhost. (The old "ssl on;" directive is deprecated and rejected by current NGINX releases; the ssl parameter on the listen lines replaces it.)

cat > /etc/nginx/sites-available/default <<\EOF
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl;
    ssl_certificate /etc/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/ssl/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
EOF

Install the htpasswd tool to enable password authentication for Kibana

apt-get -y install apache2-utils

Set the username and password for Kibana access. Replace <user> with your desired username

htpasswd -c /etc/nginx/conf.d/kibana.htpasswd <user>

Restart NGINX

systemctl restart nginx

Secure Wazuh API with SSL

Run on the Wazuh server

Set up a username and password for access to the Wazuh API. Replace <user> with the desired username

cd /var/ossec/api/configuration/auth
node htpasswd -c user <user>

Generate the SSL cert for the API by running the script below and follow the prompts

/var/ossec/api/scripts/configure_api.sh

That's it! All you need to do is go into Kibana and connect the API with the following settings:

Username: the user you created in the Wazuh API step
Password: the password you created in the Wazuh API step
URL: https://wazuhIP
Port: 55000
