Skip to main content
 

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

This article helps you connect your Wazuh​ OpenDistro for Elasticsearch instance to the Expel Workbench. You create a user account for Workbench, give the account the necessary level of access, activate archiving, and then connect the technology in Workbench.

Step 1: Create a new user role

  1. Go to the Stack Management section of your Elasticsearch.

    mceclip0.png
  2. Select Roles and then click Create role.

    Note

    Depending on the Elastic version number and/or the Wazuh installation process, Roles can also be found under Kibana > Roles.

    mceclip1.png
  3. Give the new role these options:

    • Cluster Permissions: cluster_all. If you can’t find cluster_all, all works as well.

    • Index Permissions: add the index subheading an asterisk(*), with index permissions — search, get, read.

    • Tenant permissions: global_tenant with Read only.

      mceclip2.png
      mceclip3.png

Step 2: Create a user account with the new role

This step varies depending upon your Elastic setup. If you can see the Users tab, follow these steps:

  1. Go to the Users tab and click Create User.

  2. Create a new internal user.

  3. Select the newly created internal user. The Edit User page appears.

    mceclip1.png
  4. Select the newly created read-only role for this user.

If you can't see the Users tab, follow these steps:

  1. Go to the Roles tab and select Create Internal User under Mapped users.

  2. Create a new internal user.

  3. Go back to the Roles tab and select Map Users.

    mceclip2.png
  4. Select the newly created user.

Step 3: Map the role to the Wazuh module in Elasticsearch

  1. Go to Wazuh > Security > Roles mapping.

  2. Create a new Role mapping with the following options:

    • Roles: select the newly created read-only role from the list.

    • Internal Users: select the newly created user from the list.

  3. In a new browser tab, open the Elasticsearch API address.

    Tip

    This is usually the server with the ES API port (9200 is default), such as: https://es-server-address.com:9200/.

  4. After an HTTP Basic Authentication window appears, type the credentials for the newly created user.

    mceclip3.png
  5. If you receive a JSON object from the ES API, the mapping works. Here is an example:

    mceclip4.png
  6. If you don't receive a JSON object, contact your customer success engineer, or email devicehealth@expel.io for help.

Step 4: Enable Wazuh archives logging

To enable Workbench to log events from wazuh-archives-*, take these steps:

  1. Open the file /var/ossec/etc/ossec.conf in your Wazuh manager endpoint and toggle the logall_json field to yes as shown below.

    mceclip5.png
  2. Open the file /etc/filebeat/wazuh-template.json in your Wazuh manager endpoint and append the string “wazuh-archives-4.x-*” to the index_patterns list as shown below.

    mceclip6.png
  3. Open the file /etc/filebeat/filebeat.yml in your Wazuh manager endpoint and enable the archives module as shown below.

    mceclip7.png
  4. Restart the filebeat service and the Wazuh manager endpoint.

    • Systemd:

      • systemctl restart filebeat

      • systemctl restart wazuh-manager

    • SysV init:

      • service filebeat restart

      • service wazuh-manager restart

  5. Go to Kibana > Discover and change the index to wazuh-archives-*.

  6. Open your Kibana console and check the wazuh-archives-* index.

    • If you can see event logs in this index, go to Step 6.

    • If you can't see this index, go to Step 5.

Step 5: Create Kibana index pattern

  1. Go to Kibana > Index Patterns and select Create Index Pattern.

  2. Enter wazuh-archives-* as the pattern name, and click Next step.

    Note

    Kibana should list a few sources already.

    mceclip3.png
  3. Select @timestamp as the Time Field, then click Create index pattern.

    mceclip4.png
  4. Go to Kibana > Discover and change the index to wazuh-archives-*.

  5. Open your Kibana console and check the wazuh-archives-* index.

    • If you can see event logs in this index, go to Step 6.

    • If you can't see this index, contact your customer success engineer, or email devicehealth@expel.io for help.

Step 6: Connect your technology to Expel Workbench

  1. In a new browser tab, log into https://workbench.expel.io.

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top of the page, click Add Security Device.

    image-1
  4. Search for and select your technology Wazuh.

    mceclip0.png
  5. Complete all fields using the information you created in Step 2.

    mceclip2.png
    • Name: friendly name for the integration.

    • Location: where the Wazuh tech stack is placed within your organization.

    • Username: Username created in Step 2.

    • Password: Password created in Step 2.

    • Server address: type the Wazuh cloud server address with port number.

    • Is this a Wazuh cloud Instance?: N/A (Ignore).