Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

This article helps you connect your Wazuh OpenDistro for Elasticsearch instance to the Expel Workbench. You create a user account for Workbench, give the account the necessary level of access, activate archiving, and then connect the technology in Workbench.

Step 1: Create a new user role

  1. Go to the Stack Management section of your Elasticsearch.

  2. Select Roles and then click Create role.

    Note

    Depending on the Elastic version number and/or the Wazuh installation process, Roles can also be found under Kibana > Roles.

  3. Give the new role these options:

    • Cluster Permissions: cluster_all. If you can’t find cluster_all, all works as well.

    • Index Permissions: in the Index field, enter an asterisk (*), and grant the index permissions search, get and read.

    • Tenant permissions: global_tenant with Read only.

Step 2: Create a user account with the new role

This step varies depending upon your Elastic setup. If you can see the Users tab, follow these steps:

  1. Go to the Users tab and click Create User.

  2. Create a new internal user.

  3. Select the newly created internal user. The Edit User page appears.

  4. Select the newly created read-only role for this user.

If you can't see the Users tab, follow these steps:

  1. Go to the Roles tab and select Create Internal User under Mapped users.

  2. Create a new internal user.

  3. Go back to the Roles tab and select Map Users.

  4. Select the newly created user.

Step 3: Map the role to the Wazuh module in Elasticsearch

  1. Go to Wazuh > Security > Roles mapping.

  2. Create a new Role mapping with the following options:

    • Roles: select the newly created read-only role from the list.

    • Internal Users: select the newly created user from the list.

  3. In a new browser tab, open the Elasticsearch API address.

    Tip

    This is usually the server with the ES API port (9200 is the default), for example: https://es-server-address.com:9200/.

  4. After an HTTP Basic Authentication window appears, type the credentials for the newly created user.

  5. If you receive a JSON object from the ES API, the mapping works.
  6. If you don't receive a JSON object, contact your customer success engineer, or email devicehealth@expel.io for help.

Step 4: Enable Wazuh archives logging

To enable Workbench to collect events from wazuh-archives-*, take these steps:

  1. Open the file /var/ossec/etc/ossec.conf on your Wazuh manager endpoint and set the logall_json option to yes.

  2. Open the file /etc/filebeat/wazuh-template.json on your Wazuh manager endpoint and append the string “wazuh-archives-4.x-*” to the index_patterns list.

  3. Open the file /etc/filebeat/filebeat.yml on your Wazuh manager endpoint and enable the archives module.

  4. Restart the filebeat service and the Wazuh manager endpoint.

    • Systemd:

      • systemctl restart filebeat

      • systemctl restart wazuh-manager

    • SysV init:

      • service filebeat restart

      • service wazuh-manager restart

  5. Go to Kibana > Discover and change the index to wazuh-archives-*.

  6. Open your Kibana console and check the wazuh-archives-* index.

    • If you can see event logs in this index, go to Step 6.

    • If you can't see this index, go to Step 5.
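A pre-flight check for the three file edits in Step 4, added here as an example and not part of the original article or of Wazuh/Expel tooling. It assumes the Wazuh 4.x layouts of ossec.conf, wazuh-template.json and filebeat.yml, and runs against constructed sample contents rather than the live files:

```python
# Added example (not from the article, Wazuh or Expel): verify the three Step 4
# edits before restarting Filebeat and the manager. Assumes Wazuh 4.x layouts.
import json
import re
import xml.etree.ElementTree as ET

def logall_json_enabled(ossec_conf_text):
    # ossec.conf has several top-level <ossec_config> blocks: wrap them in one root; last value wins.
    root = ET.fromstring("<root>" + ossec_conf_text + "</root>")
    values = [e.text.strip().lower() for e in root.iter("logall_json") if e.text]
    return bool(values) and values[-1] == "yes"

def archives_in_template(template_text):
    # Filebeat applies the template only to indices matching index_patterns.
    return "wazuh-archives-4.x-*" in json.loads(template_text).get("index_patterns", [])

def archives_module_enabled(filebeat_yml_text):
    # Indentation-aware scan for "archives:" -> "enabled: true"; no PyYAML needed.
    in_archives, block_indent = False, 0
    for raw in filebeat_yml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "archives:":
            in_archives, block_indent = True, indent
        elif in_archives and indent <= block_indent:
            in_archives = False
        elif in_archives:
            m = re.match(r"\s*enabled:\s*(\w+)", line)
            if m:
                return m.group(1).lower() == "true"
    return False

def check_all(ossec_conf, template, filebeat_yml):
    # Report each setting separately so a missing edit is easy to spot.
    return {"logall_json": logall_json_enabled(ossec_conf),
            "template_pattern": archives_in_template(template),
            "filebeat_archives": archives_module_enabled(filebeat_yml)}

# Constructed sample contents with the edits applied (real files are longer).
OSSEC_CONF = ("<ossec_config><global><logall_json>yes</logall_json></global></ossec_config>\n"
              "<ossec_config><localfile><location>/var/log/auth.log</location></localfile></ossec_config>\n")
TEMPLATE = '{"index_patterns": ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"]}'
FILEBEAT_YML = "filebeat.modules:\n  - module: wazuh\n    alerts:\n      enabled: true\n    archives:\n      enabled: true\n"

if __name__ == "__main__":
    for name, ok in check_all(OSSEC_CONF, TEMPLATE, FILEBEAT_YML).items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

To check a real manager, read the three files from the paths given in Step 4 and pass their contents to check_all.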

Step 5: Create Kibana index pattern

  1. Go to Kibana > Index Patterns and select Create Index Pattern.

  2. Enter wazuh-archives-* as the pattern name, and click Next step.

    Note

    Kibana should list a few sources already.

  3. Select @timestamp as the Time Field, then click Create index pattern.

  4. Go to Kibana > Discover and change the index to wazuh-archives-*.

  5. Open your Kibana console and check the wazuh-archives-* index.

    • If you can see event logs in this index, go to Step 6.

    • If you can't see this index, contact your customer success engineer, or email devicehealth@expel.io for help.

Step 6: Connect your technology to Expel Workbench

  1. In a new browser tab, log into https://workbench.expel.io.

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top of the page, click Add Security Device.

  4. Search for and select Wazuh.

  5. Complete all fields using the information you created in Step 2.

    • Name: friendly name for the integration.

    • Location: where the Wazuh tech stack is placed within your organization.

    • Username: Username created in Step 2.

    • Password: Password created in Step 2.

    • Server address: type the Wazuh cloud server address with port number.

    • Is this a Wazuh cloud Instance?: N/A (Ignore).