In this tutorial it is assumed that you have installed Wazuh Manager and ELK on separate servers. In addition to setting up SSL for Wazuh communications, we will also configure Kibana to be accessed over SSL. You can skip that part if you already access Kibana over SSL on your ELK server.
Configuring SSL for Filebeat and Logstash
Run from logstash (ELK) Server
Copy default openssl config file
cp /etc/ssl/openssl.cnf custom_openssl.cnf
Add IP Address of ELK server to configuration file (Change x.x.x.x to IP)
sed -i '/v3_ca/a\\nsubjectAltName = IP: x.x.x.x' custom_openssl.cnf
Generate ssl cert using custom config file
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/logstash/logstash.key -out /etc/logstash/logstash.crt -config custom_openssl.cnf
Remove custom conf file
rm custom_openssl.cnf
Configure permissions on logstash cert and key
chmod 644 /etc/logstash/logstash.crt
chmod 644 /etc/logstash/logstash.key
Uncomment the 3 lines pertaining to SSL
sed -i '/ssl =>/s/^#//g' /etc/logstash/conf.d/01-wazuh.conf
sed -i '/ssl_certificate/s/^#//g' /etc/logstash/conf.d/01-wazuh.conf
sed -i '/ssl_key/s/^#//g' /etc/logstash/conf.d/01-wazuh.conf
Restart Logstash
systemctl restart logstash.service
Login and run from Wazuh Server
Copy the certificate (logstash.crt) from logstash (ELK) to filebeat (Wazuh manager)
scp user@elkserver:/etc/logstash/logstash.crt /etc/filebeat
Set read permissions for logstash.crt
chmod 644 /etc/filebeat/logstash.crt
Uncomment the ssl lines to enable it in the filebeat configuration file
sed -i '/ssl:/s/^#//g' /etc/filebeat/filebeat.yml
sed -i '/certificate_authorities/s/^#//g' /etc/filebeat/filebeat.yml
Restart filebeat service
systemctl restart filebeat.service
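The steps above produce a self-signed Logstash certificate whose only identity is the IP address written into subjectAltName, and Filebeat then trusts that single file through certificate_authorities. The script below is an added example, not part of the tutorial: it builds the same kind of certificate in a scratch directory from a minimal inline OpenSSL config (standing in for the copied /etc/ssl/openssl.cnf), and then runs the two checks worth doing before restarting Filebeat: the SAN really contains the ELK IP, and the certificate validates as its own trust anchor for that IP, which is what Filebeat's hosts + certificate_authorities combination requires. The IP 10.0.0.5 and the directory are constructed values; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the tutorial): build a self-signed Logstash cert with
# an IP SAN in a scratch directory, then run the checks Filebeat depends on.
set -eu

# Generate logstash.key/logstash.crt for ELK IP $1 into directory $2.
# The inline config mirrors what the tutorial's sed line adds to the copied
# openssl.cnf: a subjectAltName = IP:... entry in the v3_ca section.
make_logstash_cert() {
    ip="$1"; dir="$2"
    mkdir -p "$dir"
    cat > "$dir/custom_openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = logstash
[ v3_ca ]
basicConstraints = CA:true
subjectAltName   = IP:$ip
EOF
    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/logstash.key" -out "$dir/logstash.crt" \
        -config "$dir/custom_openssl.cnf" >/dev/null 2>&1
    rm -f "$dir/custom_openssl.cnf"
    chmod 644 "$dir/logstash.crt"   # public part: this file is copied to Filebeat
    chmod 600 "$dir/logstash.key"   # private key: only the Logstash process needs it
}

# Print the IP addresses listed in the certificate's subjectAltName, one per line.
cert_ip_sans() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/.*IP Address:\([0-9A-Fa-f.:]*\).*/\1/p'
}

# Succeed only if certificate $2 validates with itself as the trust anchor AND
# its SAN matches IP $1: the same check Filebeat performs when logstash.crt is
# listed under certificate_authorities and hosts points at that IP.
verify_for_ip() {
    openssl verify -CAfile "$2" -verify_ip "$1" "$2" >/dev/null 2>&1
}

# Usage: sh this-script.sh <elk-ip> [dir]    e.g. sh this-script.sh 10.0.0.5 /tmp/lscert
if [ "$#" -gt 0 ]; then
    ip="$1"; dir="${2:-$(mktemp -d)}"
    make_logstash_cert "$ip" "$dir"
    echo "SAN IPs: $(cert_ip_sans "$dir/logstash.crt")"
    verify_for_ip "$ip" "$dir/logstash.crt" && echo "verify OK for $ip"
fi
```

The example sets the private key to mode 600 where the tutorial uses 644; a world-readable key lets any local account impersonate the Logstash endpoint, so 600 (or 640 with the logstash group) is the tighter choice. If verify_for_ip fails against the IP Filebeat will dial, Filebeat will reject the connection with a certificate error after the restart, so fix the SAN first rather than loosening verification.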
Configuring SSL for Kibana (ELK Server)
Run on ELK Server
Install NGINX
apt-get -y install nginx
Generate self-signed cert for Kibana
mkdir -p /etc/ssl/certs /etc/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem
Setup config file for NGINX
cat > /etc/nginx/sites-available/default <<\EOF
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    # 'ssl on;' is deprecated in NGINX; the ssl parameter on listen is the supported form
    listen 443 ssl default_server;
    listen [::]:443 ssl;
    ssl_certificate /etc/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/ssl/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
EOF
Enable authentication by password for Kibana
apt-get -y install apache2-utils
Set username and password for Kibana access. Replace <user> with your desired username
htpasswd -c /etc/nginx/conf.d/kibana.htpasswd <user>
Restart NGINX
systemctl restart nginx
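The NGINX block above leaves TLS protocol selection to the build defaults and relies on apache2-utils for the password file. As an added example that is not part of the tutorial, the script below writes a hardened variant of the same reverse-proxy config (TLS 1.2+ only, HSTS, original Host and client address forwarded to Kibana) and manages the htpasswd file with openssl alone, in the apr1 (Apache MD5) format nginx's auth_basic accepts; a check function recomputes the hash with the stored salt so you can confirm a credential before restarting NGINX. The certificate, key and htpasswd paths are the tutorial's; the user "analyst" and its passwords are constructed; function names are mine.

```shell
#!/bin/sh
# Added example (not from the tutorial): hardened Kibana proxy config plus
# htpasswd management and verification using only openssl.
set -eu

# Write the NGINX server blocks to $1 using cert $2, key $3 and htpasswd file $4.
# Compared with the tutorial's config: TLS 1.2/1.3 only, HSTS, and Host plus
# client-address headers passed through to Kibana.
write_kibana_proxy_conf() {
    cat > "$1" <<EOF
server {
    listen 80;
    listen [::]:80;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl;
    ssl_certificate $2;
    ssl_certificate_key $3;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file $4;
        proxy_pass http://localhost:5601/;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Add or replace user $2 with password $3 in htpasswd file $1, using the apr1
# scheme (what `htpasswd -m` writes) so apache2-utils is not required.
htpasswd_set() {
    file="$1"; user="$2"; pass="$3"
    hash=$(openssl passwd -apr1 "$pass")
    touch "$file"
    grep -v "^$user:" "$file" > "$file.tmp" || true   # drop any old entry
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"
}

# Succeed if $3 is the password stored for user $2 in file $1: the stored value
# is $apr1$<salt>$<hash>, so recompute with that salt and compare.
htpasswd_check() {
    file="$1"; user="$2"; pass="$3"
    stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# Usage on the ELK server (as root), mirroring the tutorial's paths:
#   write_kibana_proxy_conf /etc/nginx/sites-available/default \
#       /etc/ssl/certs/kibana-access.pem /etc/ssl/private/kibana-access.key \
#       /etc/nginx/conf.d/kibana.htpasswd
#   htpasswd_set /etc/nginx/conf.d/kibana.htpasswd analyst 'choose-a-passphrase'
#   htpasswd_check /etc/nginx/conf.d/kibana.htpasswd analyst 'choose-a-passphrase' && echo ok
```

Run `nginx -t` after writing the file and before `systemctl restart nginx`; a config error otherwise leaves Kibana unreachable. The htpasswd file is kept at 640 because it holds password hashes that an attacker with local read access could crack offline.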
Secure Wazuh API with SSL
Run on Wazuh Server
Setup username and password for access to Wazuh API. Replace <user> with desired username
cd /var/ossec/api/configuration/auth
node htpasswd -c user <user>
Generate the SSL cert by running the script below and follow the prompts
/var/ossec/api/scripts/configure_api.sh
That's it! All you need to do is go into Kibana and connect the API with the following settings:
Username: the username you created in the Wazuh API step
Password: the password you created in the Wazuh API step
URL: https://wazuhIP
Port: 55000
