Now our Wazuh Indexer and Manager are installed and running on the server. It is time to install the UI so that the deployment can be used end to end. We will install Wazuh Dashboard, which is built on Kibana. Before installing it, a few prerequisites need to be installed and the repositories added to the server. Follow steps 4 and 5 under the section “Indexer Installation” in Setting Up Wazuh Server – Part 1 (Wazuh Indexer), then follow the steps below for the Dashboard installation.
# apt install debhelper tar curl libcap2-bin # debhelper version 9 or later
Wazuh Dashboard installation is pretty simple compared to the Indexer and Manager installation. It can be done in 3 simple steps: installation, configuration and certificate installation. The steps are listed in order below.
Step 1:
Installing the Wazuh Dashboard
# apt -y install wazuh-dashboard
Step 2:
The configuration for the dashboard is stored in the /etc/wazuh-dashboard/opensearch_dashboards.yml file. We need to change a few parameters to match our setup. Below are the settings that we need to be sure of and configure accordingly.
server.host: This parameter specifies the interface the dashboard listens on. By default it is set to 0.0.0.0. You can choose your server’s IP address or a DNS hostname instead. For my setup, I will leave this configuration as it is.

server.port: You can also define the port used by the dashboard. By default it runs on the standard HTTPS port 443.

opensearch.hosts: This is the URL of the Wazuh Indexer. Keep in mind that this value is a URL, not a bare IP address, although the host part of the URL can be either a hostname or an IP address. If you have a DNS name registered for your Indexer, use the URL with the domain name; otherwise use the URL with the IP address. For my setup, I will use https://192.168.0.116:9200 as my URL. For multiple nodes, use an array of values separated by commas, like ["https://domain1.com:9200", "https://192.168.0.10:9200", "https://192.168.0.11:9300"].
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://192.168.0.116:9200
opensearch.ssl.verificationMode: certificate
Step 3:
Now to install the certificates. The steps are very similar to what we did for the Indexer and Manager. Set NODE_NAME to the hostname of the dashboard that we configured in the Indexer configuration when generating the certificates, then run the commands below to install the certificates.
# NODE_NAME=wazuh-dashboard-01
# mkdir /etc/wazuh-dashboard/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
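A quick audit of the result of Step 3, added here as an example and not part of the original post or of Wazuh's own tooling: it checks that the three files exist with the modes set by the chmod commands above. The function name audit_cert_dir and its optional owner argument are assumptions, and stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the certificate directory created in Step 3.
# Expected modes come from the chmod commands above (500 dir, 400 files).
# audit_cert_dir is a hypothetical helper name, not a Wazuh tool.

audit_cert_dir() {
    dir=$1
    owner=${2:-}          # optional expected owner, e.g. wazuh-dashboard
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING directory: $dir"
        return 1
    fi

    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "500" ]; then
        echo "MODE $dir is $mode, expected 500"
        findings=$((findings + 1))
    fi

    for name in dashboard.pem dashboard-key.pem root-ca.pem; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            findings=$((findings + 1))
            continue
        fi
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "400" ]; then
            echo "MODE $f is $mode, expected 400"
            findings=$((findings + 1))
        fi
        if [ -n "$owner" ] && [ "$(stat -c '%U' "$f")" != "$owner" ]; then
            echo "OWNER $f is not $owner"
            findings=$((findings + 1))
        fi
    done

    # Succeed only when nothing was reported.
    [ "$findings" -eq 0 ]
}

# Usage on the dashboard node (run as root):
#   audit_cert_dir /etc/wazuh-dashboard/certs wazuh-dashboard
```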
Step 4:
Now let’s enable and start the Wazuh Dashboard service.
Enabling and Starting the service
# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard
Edit the configuration file stored in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml and replace the url value with the IP address or hostname of your server (master node).
hosts:
  - default:
      url: https://<WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
Verify the dashboard is up and running by browsing https://<WAZUH_DASHBOARD_IP_ADDRESS> with the current default user credentials admin:admin.
Now our installation is complete, but we have a very large gap in the security of our server: we are using the default credentials admin:admin, which are pretty easy to guess. To enhance the security of the server and change all the default passwords, we will run wazuh-passwords-tool.sh, stored in /usr/share/wazuh-indexer/plugins/opensearch-security/tools/. The way we run this tool is different for all-in-one deployments (i.e. all components on a single node) and for distributed deployments.
For All-in-one deployments
Run the below command.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
For Distributed Deployments
Run the below command on Indexer node.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
Run the below commands on the Manager nodes. Be sure to replace <ADMIN_PASSWORD> with the password generated by the above command on the Indexer node for the admin user.
# curl -sO https://packages.wazuh.com/4.10/wazuh-passwords-tool.sh
# bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
# echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force
# systemctl restart filebeat
Run the below command on the Wazuh Dashboard node and replace <KIBANA_PASSWORD> with the password generated for the kibanaserver user by the first command run on the Indexer node.
# echo <KIBANA_PASSWORD> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
Update the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file with the new password for the wazuh-wui user generated on the Indexer server, where <WAZUH_WUI_PASSWORD> is mentioned in the below configuration.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
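To confirm the rotation reached the dashboard's API configuration, the following added example (not from the original post or from Wazuh) flags any wazuh.yml entry whose password is empty, equal to its username (the wazuh-wui:wazuh-wui default shown earlier), or still an unfilled <...> placeholder. The function name check_wui_password is an assumption.

```shell
#!/bin/sh
# Added example: flag default or placeholder API passwords in wazuh.yml.
# check_wui_password is a hypothetical helper name, not a Wazuh tool.
# Exit status 0 = no weak entry found, 1 = at least one found.

check_wui_password() {
    # q is a regex matching one single or double quote character.
    awk -v q="[\"']" '
        function clean(v) {
            sub(/^[^:]*:[ \t]*/, "", v)       # drop "key:" and leading blanks
            sub(/[ \t\r]+$/, "", v)           # drop trailing blanks and CR
            gsub("^" q "|" q "$", "", v)      # drop surrounding quotes
            return v
        }
        BEGIN { bad = 0 }
        /^[ \t]*username:/ { user = clean($0) }
        /^[ \t]*password:/ {
            pw = clean($0)
            if (pw == "")            why = "empty password"
            else if (pw == user)     why = "password equals username"
            else if (pw ~ /^<.*>$/)  why = "unfilled placeholder"
            else                     why = ""
            if (why != "") {
                printf "line %d: user %s: %s\n", NR, user, why
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Usage on the dashboard node:
#   check_wui_password /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
```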
And this concludes our series on setting up the Wazuh Server.