wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard

Home Page: https://wazuh.com/

License: GNU General Public License v2.0

JavaScript 32.97% HTML 0.26% TypeScript 63.06% SCSS 1.49% Shell 1.23% Dockerfile 0.43% Makefile 0.01% Python 0.17% Gherkin 0.39%
wazuh ossec security loganalyzer compliance monitoring intrusion-detection policy-monitoring openscap security-hardening

wazuh-dashboard-plugins's Introduction

Welcome

This repository contains a set of plugins for Wazuh dashboard.

Wazuh is a security detection, visibility, and compliance open source project. Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.

You can learn more about it at wazuh.com

Project resources

Wazuh UI

Overview

Security events

Integrity monitoring

Vulnerability detection

Regulatory compliance

Agents overview

Agent summary

Contribute

If you want to contribute to our project, please don't hesitate to send a pull request. Take a look at the branches and tags page in our Wiki and at our contributing guidelines.

License

This project is licensed under the GNU General Public License v2.0.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Copyright

  • Copyright © Wazuh, Inc.

wazuh-dashboard-plugins's People

Contributors: adri9valle, alexruiz7, asteriscos, chantal-kelm, cpalejandro, desvelao, eze9252, frankeros, gabiwassan, github-actions[bot], havidarou, jbiset, jesmg, jesusgn90, joanes04, jsanchez91, juanjijg, juankaromo, lucianogorza, machi3mfl, matiasmoreno876, mauceballos, maugap, mpregalado, pablomarga, pablotr9, snaow, tostti, victorst79, yenienserrano


wazuh-dashboard-plugins's Issues

Wazuhapp version problem

Hi All,

Busy deploying Wazuh on ubuntu 16.04 LTS as per documentation. When I get to the part "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip" it fails with the following:

root@Wazuh-srv:/tmp/test/kibana/wazuh# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Transferring 4459005 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation was unsuccessful due to error "Incorrect Kibana version in plugin [wazuh]. Expected [5.6.5]; found [5.6.4]"

I see that 5.6.5 is not yet available. Any ideas?

Visualize: "field" is a required parameter

Saved "field" parameter is now invalid. Please select a new field.
Visualize: "field" is a required parameter

TypeError: "field" is a required parameter
    at FieldParamTypeProvider.FieldParamType.write (http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:67:978625)
    at http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:37:18422
    at AggParams.forEach (<anonymous>)
    at AggParams.AggTypesAggParamsProvider.AggParams.write (http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:37:18380)
    at AggConfig.VisAggConfigProvider.AggConfig.write (http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:16:81086)
    at AggConfig.VisAggConfigProvider.AggConfig.toDsl (http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:16:82021)
    at http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:67:975200
    at Array.forEach (<anonymous>)
    at AggConfigs.VisAggConfigsProvider.AggConfigs.toDsl (http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:67:974983)
    at http://192.168.8.137:5601/bundles/wazuh.bundle.js?v=16337:50:167607

The selected index-pattern is not present. No template found for the selected index-pattern.

Hello,

After updating my ELK stack (with the Wazuh plugin installed) to 6.0, I can't go to the Wazuh plugin tab in Kibana.

The error is:

 Performing checks...(4/4)
Ups, something went wrong...
  The selected index-pattern is not present.
  No template found for the selected index-pattern.
  {"data":{"statusCode":500,"error":9,"message":"Could not get data from elasticsearch"},"status":500,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","headers":{"Accept":"application/json, text/plain, */*","kbn-version":"6.1.2"},"timeout":4000,"url":"/api/wazuh-elastic/setup"},"statusText":"Internal Server Error","html":"Unexpected error. Please, report this error.","message":"Unexpected error. Please, report this error."}

I re-uploaded the templates and reinstalled the plugin, and still get this issue.

I recently removed the .wazuh index and it worked for a couple of seconds, until I tried to connect to my Wazuh environment and the error returned.

Wazuh ElasticStack Upgrade Errors

I have recently upgraded Wazuh from 2.X to 3.X and now I'm getting the following errors in /var/log/elasticsearch/elasticsearch.log

[2017-12-26T13:24:51,876][DEBUG][o.e.a.b.TransportShardBulkAction] [wazuh-alerts-2017.12.26][0] failed to execute bulk item (index) BulkShardRequest [[wazuh-alerts-2017.12.26][0]] containing [18] requests
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [data]
at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:302) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:485) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:500) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:394) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:384) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.DocumentParser.internalParseDocument(DocumentParser.java:93) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.DocumentParser.parseDocument(DocumentParser.java:67) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:261) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.shard.IndexShard.prepareIndex(IndexShard.java:708) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.shard.IndexShard.applyIndexOperation(IndexShard.java:686) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.shard.IndexShard.applyIndexOperationOnPrimary(IndexShard.java:667) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.bulk.TransportShardBulkAction.executeIndexRequestOnPrimary(TransportShardBulkAction.java:548) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.bulk.TransportShardBulkAction.executeIndexRequest(TransportShardBulkAction.java:140) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.bulk.TransportShardBulkAction.executeBulkItemRequest(TransportShardBulkAction.java:236) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.bulk.TransportShardBulkAction.performOnPrimary(TransportShardBulkAction.java:123) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:110) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:72) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryShardReference.perform(TransportReplicationAction.java:1033) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryShardReference.perform(TransportReplicationAction.java:1011) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.ReplicationOperation.execute(ReplicationOperation.java:104) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$AsyncPrimaryAction.onResponse(TransportReplicationAction.java:358) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$AsyncPrimaryAction.onResponse(TransportReplicationAction.java:298) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$1.onResponse(TransportReplicationAction.java:974) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$1.onResponse(TransportReplicationAction.java:971) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.shard.IndexShardOperationPermits.acquire(IndexShardOperationPermits.java:238) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.shard.IndexShard.acquirePrimaryOperationPermit(IndexShard.java:2211) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction.acquirePrimaryShardReference(TransportReplicationAction.java:983) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction.access$500(TransportReplicationAction.java:97) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$AsyncPrimaryAction.doRun(TransportReplicationAction.java:319) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:294) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:281) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:66) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:652) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:637) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.1.0.jar:6.1.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_144]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_144]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_144]
Caused by: java.lang.IllegalStateException: Can't get text on a START_OBJECT at 1:579
at org.elasticsearch.common.xcontent.json.JsonXContentParser.text(JsonXContentParser.java:85) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.common.xcontent.support.AbstractXContentParser.textOrNull(AbstractXContentParser.java:237) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.KeywordFieldMapper.parseCreateField(KeywordFieldMapper.java:315) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:297) ~[elasticsearch-6.1.0.jar:6.1.0]
... 38 more

Any clue what could be causing this?
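The stack trace above ends in "failed to parse [data] ... Can't get text on a START_OBJECT", which is what Elasticsearch reports when a JSON object arrives in a field the index template maps as a scalar. The following pre-flight check is an added example, not code from the Wazuh project: it walks alert documents against a template's "properties" tree and reports every field whose JSON shape disagrees with its mapped type, so a bulk request can be rejected (or the template updated) before indexing fails. The mapping fragment and the two alerts are constructed; that the older template maps "data" as keyword is an assumption.

```python
"""Added example (not Wazuh project code): pre-flight mapping check for alert documents.

Reports the class of conflict behind "failed to parse [data] ... Can't get text on
a START_OBJECT": a JSON object sent into a field the template maps as a scalar type.
"""
from typing import Any, Dict, List, Tuple

# Elasticsearch types that expect a scalar JSON value (string/number/bool), never an object.
SCALAR_TYPES = {"keyword", "text", "date", "ip", "integer", "long",
                "short", "byte", "float", "double", "boolean"}

# Constructed mapping fragment. ASSUMPTION: an older alerts template maps "data" as
# keyword; a real deployment should load the template's "properties" from disk instead.
SAMPLE_MAPPING: Dict[str, Any] = {
    "timestamp": {"type": "date"},
    "data": {"type": "keyword"},
    "rule": {"properties": {"level": {"type": "integer"}, "id": {"type": "keyword"}}},
    "agent": {"properties": {"id": {"type": "keyword"}, "name": {"type": "keyword"}}},
}

# Constructed alerts: one carries "data" as a string (fits the mapping above),
# the other carries decoded fields under "data" as an object (does not fit).
ALERT_OK = {
    "timestamp": "2017-12-26T13:24:51.876+0000",
    "rule": {"level": 3, "id": "5501"},
    "agent": {"id": "000", "name": "wazuh-srv"},
    "data": "Dec 26 13:24:51 host sshd[2211]: session opened for user admin",
}
ALERT_OBJECT_DATA = {
    "timestamp": "2017-12-26T13:24:52.001+0000",
    "rule": {"level": 5, "id": "5710"},
    "agent": {"id": "001", "name": "us-web-stage-01"},
    "data": {"srcip": "10.0.0.5", "srcuser": "admin"},
}

Conflict = Tuple[str, str, str]  # (field path, mapped type, observed JSON shape)


def _json_shape(value: Any) -> str:
    """Human-readable shape of a JSON value for the conflict report."""
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    return type(value).__name__


def find_mapping_conflicts(properties: Dict[str, Any], doc: Dict[str, Any],
                           path: str = "") -> List[Conflict]:
    """Return every (path, mapped_type, observed_shape) where doc disagrees with the mapping.

    Fields absent from the mapping are skipped (dynamic mapping would handle them);
    arrays are checked element-wise because Elasticsearch treats them as multi-values.
    """
    conflicts: List[Conflict] = []
    for field, value in doc.items():
        full = f"{path}.{field}" if path else field
        spec = properties.get(field)
        if spec is None or value is None:
            continue
        values = value if isinstance(value, list) else [value]
        # A mapping entry with "properties" but no "type" is an implicit object field.
        mapped = spec.get("type", "object" if "properties" in spec else None)
        for item in values:
            if mapped in SCALAR_TYPES and isinstance(item, dict):
                conflicts.append((full, mapped, "object"))
            elif mapped in ("object", "nested"):
                if isinstance(item, dict):
                    conflicts.extend(find_mapping_conflicts(spec.get("properties", {}), item, full))
                else:
                    conflicts.append((full, mapped, _json_shape(item)))
    return conflicts


def check_bulk(properties: Dict[str, Any],
               docs: List[Dict[str, Any]]) -> Dict[int, List[Conflict]]:
    """Map bulk item position -> conflicts, listing only the items that would fail to index."""
    return {i: c for i, d in enumerate(docs) if (c := find_mapping_conflicts(properties, d))}


if __name__ == "__main__":
    for pos, found in check_bulk(SAMPLE_MAPPING, [ALERT_OK, ALERT_OBJECT_DATA]).items():
        for field, mapped, seen in found:
            print(f"bulk item {pos}: field '{field}' is mapped as {mapped} but the document carries {seen}")
```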

Kibana front-end unusually slow

After setting up a pretty basic Kibana app, I've noticed that the UI is especially slow for the Wazuh App. This issue doesn't happen in Kibana when using the Discover tab (or others).

I added a screenshot below, showing that it hangs on loading a favicon for about 20 seconds. I thought it might be a network issue, but I haven't been able to track down the root cause.


wazuh-alerts-* Pattern is not found in Kibana 5.6.2

When I use the Wazuh tab in Kibana, the plugin doesn't find my wazuh-alerts-* pattern.

(screenshot: problem_1)

I noticed that it says "wazu-alerts-" instead of "wazuh-alerts-", but it says "logstash-". Could it be that the wildcard gets interpreted wrong?

This is my Index-Pattern:

(screenshot: problem_2)

I am sending via Filebeat to Logstash. My Elasticsearch and Kibana are currently on version 5.6.2.
This is my elasticsearch output (logstash configuration):

    elasticsearch {
      hosts => ["some_server","some_server","some_server"]
      template_name => "wazuh"
      template => "/etc/logstash/templates/wazuh-elastic5-template.json"
      document_type => "wazuh"
      template_overwrite => true
      index => "wazuh-alerts-%{+YYYY.MM.dd}"
    }

Thanks in advance

stuck at "Waiting Elasticsearch to be up" / "Waiting index \".kibana\" to be created and prepared...."

I installed the latest plugin but dashboards, saved searches, etc are not created.

Installation:

/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.2.2.zip

Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.2.2.zip
Transferring 16627532 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete

syslog:

kibana[1753]: {"type":"log","@timestamp":"2017-03-16T15:29:44Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":1753,"message":"Waiting Elasticsearch to be up..."}
kibana[1753]: {"type":"log","@timestamp":"2017-03-16T15:29:46Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":1753,"message":"Waiting index \".kibana\" to be created and prepared...."}

Connection to elasticsearch is working (".kibana" index exists and is green), and there seem to be no permission problems with any indices in the elasticsearch log.

New index pattern

Hello Guys!

Could you consider creating another index besides wazuh-alerts automatically?
I would like wazuhapp already to create an index for the file /var/ossec/logs/archives/archives.json.

Another doubt: if I use the wazuhapp plugin, do I still need to use 'template => "/etc/logstash/wazuh-elastic5-template.json"' in the logstash configuration, since the wazuh app automatically creates the index?

I used it in my logstash configuration and the following occurred:
Wazuhapp created the wazuh-alerts index with all the fields with the "searchable" and "aggregatable" options checked, until then all OK. After a while I updated the index on the management page and in most of the fields the options "searchable" and "aggregatable" disappeared.

It would not be necessary to display the data for this index on the wazuhapp dashboards.
What I want is for the wazuh-archives index to have the same wazuh-alerts setting, that all fields have "searchable" and "aggregatable" checked.

Buffer deprecated

  • file: 'server/api/wazuh-elastic.js'
  • severity: 'Error'
  • message: ''new Buffer()' was deprecated since v6. Use 'Buffer.alloc()' or 'Buffer.from()' (use 'https://www.npmjs.com/package/safe-buffer' for '<4.5.0') instead. (node/no-deprecated-api)' at: '26,88'
  • source: 'eslint'

Enable new panels for Vulns and AWS

Hi,
I have enabled Vulns and AWS (3.1) and I can't find documentation on enabling their panels in Kibana. Would you mind pointing me in the right direction, please?
Thanks in advance!

wazuh-monitoring-3.x-2017.12.26 How to create and insert data?

Only the transmission of the /opt/ossec/logs/alerts/alerts.log log was seen, and data was inserted into the Elasticsearch index "wazuh-alerts-3.x-%{+YYYY.MM.dd}", but in /extensions/logstash/01-wazuh-remote.conf I did not see any such data processing for wazuh-monitoring-3.x-2017.12.26.

error when use ngMaterial

I want to use ngMaterial in a Kibana visual plugin, but get this error:

Uncaught TypeError: angular.module(...).info is not a function (http://127.0.0.1:6001/app/kibana:4139)

Could you give me some help with using ngMaterial, because I see wazuh-kibana-app uses it too?

Plans for Kibana 6?

Hi All,

Just wondering what the plans are for kibana and elastic version 6?

Thanks!
James

Wrong index name

Hi,
If you delete the wazuh-monitoring-* indexes and restart wazuh-api, it creates a new index but with an old date. For example:
today is 2017.08.24, but Wazuh created an index named wazuh-monitoring-2017.07.31.
Example from logs:

{
  "_index": "wazuh-monitoring-2017.07.31",
  "_type": "agent",
  "_id": "AV4UHQpTw_N0NWwPJFyV",
  "_version": 1,
  "_score": null,
  "_source": {
    "status": "Disconnected",
    "ip": "172.16.27.90",
    "id": "136",
    "name": "us-web-stage-01",
    "@timestamp": "2017-08-24T12:00:01.102Z",
    "host": "us-log-system-01"
  },
  "fields": {
    "@timestamp": [
      1503576001102
    ]
  },
  "sort": [
    1503576001102
  ]
}

I have index rotation by Curator, and this index wazuh-monitoring-2017.07.31 is now deleted every day.

Blank page

Hi,

I have a blank page and get this error:
error : 9 message : "Could not get data from elasticsearch" statusCode : 500

When I look in wazuh-elastic.js, it tries to search ".wazuh-version", but that index doesn't exist on my Elastic...

Here is what I have:
.wazuh DIwZS-QXSLqFn5m0lKo6hA
wazuh-monitoring-3.x-2018.01.15 RiSztf5YSyaGH1iqPXY2jg
wazuh-alerts-3.x-2018.01.16 9FIhTQaqTNiQMJgd41q_3A
wazuh-monitoring-3.x-2018.01.16 nbdbmdPrSdWOvC02231XaA9.9kb

If someone can help me...

Thanks a lot,
Franck

wazuh kibana app is giving me "Saved "field" parameter is now invalid" error

Just installed brand new Wazuh server and when I open the Overview and use the General tab I get this:
(screenshot: 2017-10-17 10:34:44 pm)

I searched the GitHub issues and found that StasGoshtein mentioned the same error in #25.
The response was to import the sample alerts and refresh the field list, but that's not working for me. When I do a:
curl https://github.com/wazuh/wazuh-kibana-app/tree/2.1/server/startup/integration_files/alert_sample.json | curl -XPUT "http://localhost:9200/wazuh-alerts-$(date +%Y.%m.%d)/wazuh/sample" -H 'Content-Type: application/json' -d @-
I get an error saying:
{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"failed to parse"}],"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"not_x_content_exception","reason":"Compressor detection can only be called on some xcontent bytes or compressed xcontent bytes"}},"status":400}

Was running elastic stack 5.6.3 but have now downgraded to 5.6.2 which is working on my dev box, so it appears that the issue is not with the elastic versions but rather with changes made to the wazuh kibana app recently. Perhaps related to the branching change? Anyhow, that's beside the point. A system that was built 14 days ago is working.

Using wazuh-manager 2.1.1

kibana 6.1 plugin

Hi,

kibana-6.1.0-1.x86_64 is installed on a CentOS 7 machine. When I try to install the Wazuh plugin it says "Incorrect Kibana version in plugin [wazuh]. Expected [6.1.0]; found [6.0.1]".

Could you check?

/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Transferring 4577607 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation was unsuccessful due to error "Incorrect Kibana version in plugin [wazuh]. Expected [6.1.0]; found [6.0.1]"

Kibana error - saved 'field' attribute is now invalid

Issue: when loading a fresh elk stack install into a Ubuntu 16.04 vagrant, the Kibana app will not show the Overview tab. (see screenshot). This is a single server architecture without filebeat. Also the Manager/Agent tabs of Kibana seem to work just fine, with everything showing green.

Full url: http://192.168.34.2/app/wazuh#/overview?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-1d,mode:quick,to:now))&view=panels&tab=pci&_a=(columns:!(_source),index:'wazuh-alerts-*',query:'_exists_:rule.pci_dss%20AND%20manager.name:%20default-ubuntu-1604',sort:!('@timestamp',desc),uiState:(vis:(legendOpen:!f,params:(sort:(columnIndex:!n,direction:!n)))))


Other information:

elasticsearch: 5.6.0
logstash: 1:5.6.0-1
kibana: 5.6.0
java: oracle 1.8.0_131
wazuhapp: wazuhapp-2.1.0_5.6.0.zip
wazuh-manager: 2.1.0-1xenial
wazuh-api: 2.1.0-1xenial

It might also help to know that I am running Kibana through an nginx reverse proxy. Here is the nginx config:

upstream kibana {
    server 127.0.0.1:5601;
}

server {
    listen       *:80;
    server_name  192.168.34.2;

    location / {
        proxy_pass  http://kibana;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_connect_timeout   180;
        proxy_send_timeout      180;
        proxy_read_timeout      180;
    }
}

My kibana.yml file:

# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"

# The Kibana server's name.  This is used for display purposes.
server.name: "192.168.34.2"

# Enables you specify a file where Kibana stores log output.
logging.dest: '/var/log/kibana.log'

Logstash/ES Config template:

# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input (only for multiple server hosts)
# input {
#     beats {
#         port => 5000
#         codec => "json_lines"
#         ssl => true
#         ssl_certificate => "/etc/logstash/logstash.crt"
#         ssl_key => "/etc/logstash/logstash.key"
#     }
# }
## Local Wazuh Manager - JSON file input
input {
    file {
        type => "wazuh-alerts"
        path => "/var/ossec/logs/alerts/alerts.json"
        codec => "json"
    }
}
filter {
    #geoip {
    #    source => "srcip"
    #    target => "GeoLocation"
    #    fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
    #}
    date {
        match => ["timestamp", "ISO8601"]
        target => "@timestamp"
    }
    mutate {
        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
    }
}
output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "wazuh-alerts-%{+YYYY.MM.dd}"
        document_type => "wazuh"
        template => "/etc/logstash/wazuh-elastic5-template.json"
#       template => "/etc/logstash/wazuh-elastic2-template.json"
        template_name => "wazuh"
        template_overwrite => true
    }
}

Elasticsearch.log:

[2017-09-14T20:30:17,561][INFO ][o.e.n.Node               ] [] initializing ...
[2017-09-14T20:30:18,458][INFO ][o.e.e.NodeEnvironment    ] [CpJRxBm] using [1] data paths, mounts [[/ (/dev/mapper/vagrant--vg-root)]], net usable_space [32.7gb], net total_space [37.7gb], spins? [possibly], types [ext4]
[2017-09-14T20:30:18,480][INFO ][o.e.e.NodeEnvironment    ] [CpJRxBm] heap size [1.9gb], compressed ordinary object pointers [true]
[2017-09-14T20:30:18,482][INFO ][o.e.n.Node               ] node name [CpJRxBm] derived from node ID [CpJRxBm1RLmA0xzfhEg8kA]; set [node.name] to override
[2017-09-14T20:30:18,482][INFO ][o.e.n.Node               ] version[5.6.0], pid[20972], build[781a835/2017-09-07T03:09:58.087Z], OS[Linux/4.4.0-75-generic/amd64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_131/25.131-b11]
[2017-09-14T20:30:18,487][INFO ][o.e.n.Node               ] JVM arguments [-Xms2g, -Xmx2g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/share/elasticsearch]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [aggs-matrix-stats]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [ingest-common]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [lang-expression]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [lang-groovy]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [lang-mustache]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [lang-painless]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [parent-join]
[2017-09-14T20:30:26,105][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [percolator]
[2017-09-14T20:30:26,106][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [reindex]
[2017-09-14T20:30:26,107][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [transport-netty3]
[2017-09-14T20:30:26,107][INFO ][o.e.p.PluginsService     ] [CpJRxBm] loaded module [transport-netty4]
[2017-09-14T20:30:26,108][INFO ][o.e.p.PluginsService     ] [CpJRxBm] no plugins loaded
[2017-09-14T20:30:38,559][INFO ][o.e.d.DiscoveryModule    ] [CpJRxBm] using discovery type [zen]
[2017-09-14T20:30:42,400][INFO ][o.e.n.Node               ] initialized
[2017-09-14T20:30:42,400][INFO ][o.e.n.Node               ] [CpJRxBm] starting ...
[2017-09-14T20:30:43,723][INFO ][o.e.t.TransportService   ] [CpJRxBm] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2017-09-14T20:30:47,128][INFO ][o.e.c.s.ClusterService   ] [CpJRxBm] new_master {CpJRxBm}{CpJRxBm1RLmA0xzfhEg8kA}{wzb0E6anQESOP5HPnoTRrw}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-09-14T20:30:47,311][INFO ][o.e.h.n.Netty4HttpServerTransport] [CpJRxBm] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2017-09-14T20:30:47,315][INFO ][o.e.n.Node               ] [CpJRxBm] started
[2017-09-14T20:30:47,468][INFO ][o.e.g.GatewayService     ] [CpJRxBm] recovered [0] indices into cluster_state
[2017-09-14T20:30:55,516][INFO ][o.e.c.m.MetaDataCreateIndexService] [CpJRxBm] [.kibana] creating index, cause [api], templates [], shards [1]/[1], mappings [_default_, index-pattern, server, visualization, search, timelion-sheet, config, dashboard, url]
[2017-09-14T20:30:57,356][INFO ][o.e.c.m.MetaDataCreateIndexService] [CpJRxBm] [wazuh-monitoring-2017.09.14] creating index, cause [api], templates [wazuh], shards [5]/[1], mappings [agent, wazuh]
[2017-09-14T20:30:57,475][INFO ][o.e.m.j.JvmGcMonitorService] [CpJRxBm] [gc][15] overhead, spent [265ms] collecting in the last [1s]
[2017-09-14T20:30:58,510][INFO ][o.e.c.m.MetaDataCreateIndexService] [CpJRxBm] [wazuh-alerts-2017.09.14] creating index, cause [auto(bulk api)], templates [wazuh], shards [1]/[0], mappings [agent, wazuh]
[2017-09-14T20:30:58,818][INFO ][o.e.c.m.MetaDataCreateIndexService] [CpJRxBm] [.wazuh] creating index, cause [auto(bulk api)], templates [], shards [5]/[1], mappings []
[2017-09-14T20:31:01,634][INFO ][o.e.c.m.MetaDataMappingService] [CpJRxBm] [wazuh-alerts-2017.09.14/jx6cTv75ReSgv43aBgFYMw] update_mapping [wazuh]
[2017-09-14T20:31:01,869][INFO ][o.e.c.m.MetaDataMappingService] [CpJRxBm] [.wazuh/_u8pHubhS6OFWy4Wh10QYw] create_mapping [wazuh-setup]
[2017-09-14T20:31:02,190][INFO ][o.e.c.m.MetaDataMappingService] [CpJRxBm] [.kibana/6ckdqrHbSt6u23MFWAf4rQ] update_mapping [config]
[2017-09-14T20:32:19,753][INFO ][o.e.c.m.MetaDataMappingService] [CpJRxBm] [.wazuh/_u8pHubhS6OFWy4Wh10QYw] create_mapping [wazuh-configuration]
[2017-09-14T20:32:20,259][INFO ][o.e.c.m.MetaDataMappingService] [CpJRxBm] [wazuh-monitoring-2017.09.14/2oYe42tLTkakS77uWDMLDw] update_mapping [agent]

Kibana startup log:

{"type":"log","@timestamp":"2017-09-14T20:30:19Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-14T20:30:19Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-14T20:30:19Z","tags":["error","elasticsearch","admin"],"pid":21150,"message":"Request error, retrying\nHEAD http://localhost:9200/ => connect ECONNREFUSED 127.0.0.1:9200"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["error","elasticsearch","data"],"pid":21150,"message":"Request error, retrying\nHEAD http://localhost:9200/.kibana/config/5.6.0 => connect ECONNREFUSED 127.0.0.1:9200"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["status","plugin:[email protected]","error"],"pid":21150,"state":"red","message":"Status changed from yellow to red - Request Timeout after 3000ms","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:23Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-14T20:30:24Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-14T20:30:24Z","tags":["listening","info"],"pid":21150,"message":"Server running at http://0.0.0.0:5601"}
{"type":"log","@timestamp":"2017-09-14T20:30:24Z","tags":["status","ui settings","error"],"pid":21150,"state":"red","message":"Status changed from uninitialized to red - Elasticsearch plugin is red","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["status","plugin:[email protected]","error"],"pid":21150,"state":"red","message":"Status changed from red to red - Unable to connect to Elasticsearch at http://localhost:9200.","prevState":"red","prevMsg":"Request Timeout after 3000ms"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:26Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:28Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:28Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:29Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:29Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:29Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:29Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:29Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:29Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:31Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:31Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:32Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:32Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:32Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:32Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:32Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:32Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:33Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:33Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:35Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:35Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:35Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:35Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:35Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:35Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:36Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:36Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:38Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:41Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:43Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:43Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:45Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:45Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:45Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:45Z","tags":["warning","elasticsearch","data"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:45Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting Elasticsearch to be up..."}
{"type":"log","@timestamp":"2017-09-14T20:30:45Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Waiting index \".kibana\" to be created and prepared...."}
{"type":"log","@timestamp":"2017-09-14T20:30:46Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"Unable to revive connection: http://localhost:9200/"}
{"type":"log","@timestamp":"2017-09-14T20:30:46Z","tags":["warning","elasticsearch","admin"],"pid":21150,"message":"No living connections"}
{"type":"log","@timestamp":"2017-09-14T20:30:54Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"yellow","message":"Status changed from red to yellow - No existing Kibana index found","prevState":"red","prevMsg":"Unable to connect to Elasticsearch at http://localhost:9200."}
{"type":"log","@timestamp":"2017-09-14T20:30:54Z","tags":["status","ui settings","info"],"pid":21150,"state":"yellow","message":"Status changed from red to yellow - Elasticsearch plugin is yellow","prevState":"red","prevMsg":"Elasticsearch plugin is red"}
{"type":"log","@timestamp":"2017-09-14T20:30:56Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Wazuh-setup document does not exist. Initializating configuration..."}
{"type":"log","@timestamp":"2017-09-14T20:30:56Z","tags":["\u001b[34mwazuh\u001b[39m","Wazuh agents monitoring","info"],"pid":21150,"message":"Creating today index..."}
{"type":"log","@timestamp":"2017-09-14T20:30:56Z","tags":["\u001b[34mwazuh\u001b[39m","Wazuh agents monitoring","info"],"pid":21150,"message":"Configuring Kibana for working with \"wazuh-monitoring-*\" index pattern..."}
{"type":"log","@timestamp":"2017-09-14T20:30:57Z","tags":["\u001b[34mwazuh\u001b[39m","Wazuh agents monitoring","info"],"pid":21150,"message":"Template installed and loaded: wazuh-monitoring-*"}
{"type":"log","@timestamp":"2017-09-14T20:30:57Z","tags":["\u001b[34mwazuh\u001b[39m","Wazuh agents monitoring","info"],"pid":21150,"message":"Inserting sample alert..."}
{"type":"log","@timestamp":"2017-09-14T20:30:57Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Template installed and loaded: wazuh-alerts-*"}
{"type":"log","@timestamp":"2017-09-14T20:30:57Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Inserting sample alert..."}
{"type":"log","@timestamp":"2017-09-14T20:30:57Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Creating index pattern: wazuh-alerts-*"}
{"type":"log","@timestamp":"2017-09-14T20:30:57Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Importing objects (Searches, visualizations and dashboards) into Elasticsearch..."}
{"type":"log","@timestamp":"2017-09-14T20:30:59Z","tags":["\u001b[34mwazuh\u001b[39m","Wazuh agents monitoring","info"],"pid":21150,"message":"Successfully initialized!"}
{"type":"log","@timestamp":"2017-09-14T20:30:59Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Created index pattern: wazuh-alerts-*"}
{"type":"log","@timestamp":"2017-09-14T20:31:01Z","tags":["status","plugin:[email protected]","info"],"pid":21150,"state":"green","message":"Status changed from yellow to green - Kibana index ready","prevState":"yellow","prevMsg":"No existing Kibana index found"}
{"type":"log","@timestamp":"2017-09-14T20:31:01Z","tags":["status","ui settings","info"],"pid":21150,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Elasticsearch plugin is yellow"}
{"type":"log","@timestamp":"2017-09-14T20:31:01Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Templates, mappings, index patterns, visualizations, searches and dashboards were successfully installed. App ready to be used."}
{"type":"log","@timestamp":"2017-09-14T20:31:01Z","tags":["\u001b[34mwazuh\u001b[39m","Wazuh agents monitoring","info"],"pid":21150,"message":"Sample alert inserted"}
{"type":"log","@timestamp":"2017-09-14T20:31:01Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Sample alert inserted"}
{"type":"log","@timestamp":"2017-09-14T20:31:01Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Wazuh set up info inserted"}
{"type":"log","@timestamp":"2017-09-14T20:31:01Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Setting Kibana default values: Index pattern, time picker and metaFields..."}
{"type":"log","@timestamp":"2017-09-14T20:31:02Z","tags":["\u001b[34mwazuh\u001b[39m","initialize","info"],"pid":21150,"message":"Kibana default values set"}

Logstash logs:

[2017-09-14T20:31:05,457][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2017-09-14T20:31:05,468][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2017-09-14T20:31:05,497][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/var/lib/logstash/queue"}
[2017-09-14T20:31:05,498][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/var/lib/logstash/dead_letter_queue"}
[2017-09-14T20:31:05,585][INFO ][logstash.agent           ] No persistent UUID file found. Generating new UUID {:uuid=>"9f1e2118-caf6-49e9-9d8e-d5b85751db0b", :path=>"/var/lib/logstash/uuid"}
[2017-09-14T20:31:07,642][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2017-09-14T20:31:07,643][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[2017-09-14T20:31:07,798][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2017-09-14T20:31:07,800][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>"/etc/logstash/wazuh-elastic5-template.json"}
[2017-09-14T20:31:07,929][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"order"=>0, "template"=>"wazuh*", "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1, "number_of_replicas"=>0}, "mappings"=>{"wazuh"=>{"dynamic_templates"=>[{"string_as_keyword"=>{"match_mapping_type"=>"string", "mapping"=>{"type"=>"keyword", "doc_values"=>"true"}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "format"=>"dateOptionalTime"}, "@version"=>{"type"=>"text"}, "agent"=>{"properties"=>{"ip"=>{"type"=>"keyword", "doc_values"=>"true"}, "id"=>{"type"=>"keyword", "doc_values"=>"true"}, "name"=>{"type"=>"keyword", "doc_values"=>"true"}}}, "manager"=>{"properties"=>{"name"=>{"type"=>"keyword", "doc_values"=>"true"}}}, "dstuser"=>{"type"=>"keyword", "doc_values"=>"true"}, "AlertsFile"=>{"type"=>"keyword", "doc_values"=>"true"}, "full_log"=>{"type"=>"text"}, "previous_log"=>{"type"=>"text"}, "GeoLocation"=>{"properties"=>{"area_code"=>{"type"=>"long"}, "city_name"=>{"type"=>"keyword", "doc_values"=>"true"}, "continent_code"=>{"type"=>"text"}, "coordinates"=>{"type"=>"double"}, "country_code2"=>{"type"=>"text"}, "country_code3"=>{"type"=>"text"}, "country_name"=>{"type"=>"keyword", "doc_values"=>"true"}, "dma_code"=>{"type"=>"long"}, "ip"=>{"type"=>"keyword", "doc_values"=>"true"}, "latitude"=>{"type"=>"double"}, "location"=>{"type"=>"geo_point"}, "longitude"=>{"type"=>"double"}, "postal_code"=>{"type"=>"keyword"}, "real_region_name"=>{"type"=>"keyword", "doc_values"=>"true"}, "region_name"=>{"type"=>"keyword", "doc_values"=>"true"}, "timezone"=>{"type"=>"text"}}}, "host"=>{"type"=>"keyword", "doc_values"=>"true"}, "syscheck"=>{"properties"=>{"path"=>{"type"=>"keyword", "doc_values"=>"true"}, "sha1_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "sha1_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "uid_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "uid_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "gid_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "gid_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "perm_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "perm_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "md5_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "md5_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "gname_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "gname_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "inode_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "inode_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "mtime_after"=>{"type"=>"date", "format"=>"dateOptionalTime", "doc_values"=>"true"}, "mtime_before"=>{"type"=>"date", "format"=>"dateOptionalTime", "doc_values"=>"true"}, "uname_after"=>{"type"=>"keyword", "doc_values"=>"true"}, "uname_before"=>{"type"=>"keyword", "doc_values"=>"true"}, "size_before"=>{"type"=>"long", "doc_values"=>"true"}, "size_after"=>{"type"=>"long", "doc_values"=>"true"}, "diff"=>{"type"=>"keyword", "doc_values"=>"true"}, "event"=>{"type"=>"keyword", "doc_values"=>"true"}}}, "location"=>{"type"=>"keyword", "doc_values"=>"true"}, "message"=>{"type"=>"text"}, "offset"=>{"type"=>"keyword"}, "rule"=>{"properties"=>{"description"=>{"type"=>"keyword", "doc_values"=>"true"}, "groups"=>{"type"=>"keyword", "doc_values"=>"true"}, "level"=>{"type"=>"long", "doc_values"=>"true"}, "id"=>{"type"=>"keyword", "doc_values"=>"true"}, "cve"=>{"type"=>"keyword", "doc_values"=>"true"}, "info"=>{"type"=>"keyword", "doc_values"=>"true"}, "frequency"=>{"type"=>"long", "doc_values"=>"true"}, "firedtimes"=>{"type"=>"long", "doc_values"=>"true"}, "cis"=>{"type"=>"keyword", "doc_values"=>"true"}, "pci_dss"=>{"type"=>"keyword", "doc_values"=>"true"}}}, "decoder"=>{"properties"=>{"parent"=>{"type"=>"keyword", "doc_values"=>"true"}, "name"=>{"type"=>"keyword", "doc_values"=>"true"}, "ftscomment"=>{"type"=>"keyword", "doc_values"=>"true"}, "fts"=>{"type"=>"long", "doc_values"=>"true"}, "accumulate"=>{"type"=>"long", "doc_values"=>"true"}}}, "srcip"=>{"type"=>"keyword", "doc_values"=>"true"}, "protocol"=>{"type"=>"keyword", "doc_values"=>"true"}, "action"=>{"type"=>"keyword", "doc_values"=>"true"}, "dstip"=>{"type"=>"keyword", "doc_values"=>"true"}, "dstport"=>{"type"=>"keyword", "doc_values"=>"true"}, "srcuser"=>{"type"=>"keyword", "doc_values"=>"true"}, "program_name"=>{"type"=>"keyword", "doc_values"=>"true"}, "id"=>{"type"=>"keyword", "doc_values"=>"true"}, "status"=>{"type"=>"keyword", "doc_values"=>"true"}, "command"=>{"type"=>"keyword", "doc_values"=>"true"}, "url"=>{"type"=>"keyword", "doc_values"=>"true"}, "data"=>{"type"=>"keyword", "doc_values"=>"true"}, "system_name"=>{"type"=>"keyword", "doc_values"=>"true"}, "type"=>{"type"=>"text"}, "title"=>{"type"=>"keyword", "doc_values"=>"true"}, "oscap"=>{"properties"=>{"check.title"=>{"type"=>"keyword", "doc_values"=>"true"}, "check.id"=>{"type"=>"keyword", "doc_values"=>"true"}, "check.result"=>{"type"=>"keyword", "doc_values"=>"true"}, "check.severity"=>{"type"=>"keyword", "doc_values"=>"true"}, "check.description"=>{"type"=>"text"}, "check.rationale"=>{"type"=>"text"}, "check.references"=>{"type"=>"text"}, "check.identifiers"=>{"type"=>"text"}, "check.oval.id"=>{"type"=>"keyword", "doc_values"=>"true"}, "scan.id"=>{"type"=>"keyword", "doc_values"=>"true"}, "scan.content"=>{"type"=>"keyword", "doc_values"=>"true"}, "scan.benchmark.id"=>{"type"=>"keyword", "doc_values"=>"true"}, "scan.profile.title"=>{"type"=>"keyword", "doc_values"=>"true"}, "scan.profile.id"=>{"type"=>"keyword", "doc_values"=>"true"}, "scan.score"=>{"type"=>"double", "doc_values"=>"true"}, "scan.return_code"=>{"type"=>"long", "doc_values"=>"true"}}}, "audit"=>{"properties"=>{"type"=>{"type"=>"keyword", "doc_values"=>"true"}, "id"=>{"type"=>"keyword", "doc_values"=>"true"}, "syscall"=>{"type"=>"keyword", "doc_values"=>"true"}, "exit"=>{"type"=>"keyword", "doc_values"=>"true"}, "ppid"=>{"type"=>"keyword", "doc_values"=>"true"}, "pid"=>{"type"=>"keyword", "doc_values"=>"true"}, "auid"=>{"type"=>"keyword", "doc_values"=>"true"}, "uid"=>{"type"=>"keyword", "doc_values"=>"true"}, "gid"=>{"type"=>"keyword", "doc_values"=>"true"}, "euid"=>{"type"=>"keyword", "doc_values"=>"true"}, "suid"=>{"type"=>"keyword", "doc_values"=>"true"}, "fsuid"=>{"type"=>"keyword", "doc_values"=>"true"}, "egid"=>{"type"=>"keyword", "doc_values"=>"true"}, "sgid"=>{"type"=>"keyword", "doc_values"=>"true"}, "fsgid"=>{"type"=>"keyword", "doc_values"=>"true"}, "tty"=>{"type"=>"keyword", "doc_values"=>"true"}, "session"=>{"type"=>"keyword", "doc_values"=>"true"}, "command"=>{"type"=>"keyword", "doc_values"=>"true"}, "exe"=>{"type"=>"keyword", "doc_values"=>"true"}, "key"=>{"type"=>"keyword", "doc_values"=>"true"}, "cwd"=>{"type"=>"keyword", "doc_values"=>"true"}, "directory.name"=>{"type"=>"keyword", "doc_values"=>"true"}, "directory.inode"=>{"type"=>"keyword", "doc_values"=>"true"}, "directory.mode"=>{"type"=>"keyword", "doc_values"=>"true"}, "file.name"=>{"type"=>"keyword", "doc_values"=>"true"}, "file.inode"=>{"type"=>"keyword", "doc_values"=>"true"}, "file.mode"=>{"type"=>"keyword", "doc_values"=>"true"}, "acct"=>{"type"=>"keyword", "doc_values"=>"true"}, "dev"=>{"type"=>"keyword", "doc_values"=>"true"}, "enforcing"=>{"type"=>"keyword", "doc_values"=>"true"}, "list"=>{"type"=>"keyword", "doc_values"=>"true"}, "old-auid"=>{"type"=>"keyword", "doc_values"=>"true"}, "old-ses"=>{"type"=>"keyword", "doc_values"=>"true"}, "old_enforcing"=>{"type"=>"keyword", "doc_values"=>"true"}, "old_prom"=>{"type"=>"keyword", "doc_values"=>"true"}, "op"=>{"type"=>"keyword", "doc_values"=>"true"}, "prom"=>{"type"=>"keyword", "doc_values"=>"true"}, "res"=>{"type"=>"keyword", "doc_values"=>"true"}, "srcip"=>{"type"=>"keyword", "doc_values"=>"true"}, "subj"=>{"type"=>"keyword", "doc_values"=>"true"}, "success"=>{"type"=>"keyword", "doc_values"=>"true"}}}}}, "agent"=>{"properties"=>{"@timestamp"=>{"type"=>"date", "format"=>"dateOptionalTime"}, "status"=>{"type"=>"keyword"}, "ip"=>{"type"=>"keyword"}, "host"=>{"type"=>"keyword"}, "name"=>{"type"=>"keyword"}, "id"=>{"type"=>"keyword"}}}}}}
[2017-09-14T20:31:07,963][INFO ][logstash.outputs.elasticsearch] Installing elasticsearch template to _template/wazuh
[2017-09-14T20:31:08,153][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2017-09-14T20:31:08,169][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>125}
[2017-09-14T20:31:09,213][INFO ][logstash.pipeline        ] Pipeline main started
[2017-09-14T20:31:09,448][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Tail end of alerts.json:

{"timestamp":"2017-09-14T20:29:58+0000","rule":{"level":7,"description":"New dpkg (Debian Package) installed.","id":"2902","firedtimes":14,"mail":false,"groups":["syslog","dpkg","config_changed"],"pci_dss":["10.6.1","10.2.7"]},"agent":{"id":"000","name":"default-ubuntu-1604"},"manager":{"name":"default-ubuntu-1604"},"full_log":"2017-09-14 20:29:58 status installed systemd:amd64 229-4ubuntu16","decoder":{"name":"windows-date-format"},"hostname":"default-ubuntu-1604","location":"/var/log/dpkg.log"}
{"timestamp":"2017-09-14T20:30:00+0000","rule":{"level":7,"description":"New dpkg (Debian Package) installed.","id":"2902","firedtimes":15,"mail":false,"groups":["syslog","dpkg","config_changed"],"pci_dss":["10.6.1","10.2.7"]},"agent":{"id":"000","name":"default-ubuntu-1604"},"manager":{"name":"default-ubuntu-1604"},"full_log":"2017-09-14 20:29:58 status installed ureadahead:amd64 0.100.0-19","decoder":{"name":"windows-date-format"},"hostname":"default-ubuntu-1604","location":"/var/log/dpkg.log"}
{"timestamp":"2017-09-14T20:30:00+0000","rule":{"level":7,"description":"New dpkg (Debian Package) installed.","id":"2902","firedtimes":16,"mail":false,"groups":["syslog","dpkg","config_changed"],"pci_dss":["10.6.1","10.2.7"]},"agent":{"id":"000","name":"default-ubuntu-1604"},"manager":{"name":"default-ubuntu-1604"},"full_log":"2017-09-14 20:29:58 status installed ufw:all 0.35-0ubuntu2","decoder":{"name":"windows-date-format"},"hostname":"default-ubuntu-1604","location":"/var/log/dpkg.log"}

ES Template:

{
  "order": 0,
  "template": "wazuh*",
  "settings": {
    "index.refresh_interval": "5s",
    "number_of_shards":   1,
    "number_of_replicas": 0
  },
  "mappings": {
    "wazuh": {
      "dynamic_templates": [
        {
          "string_as_keyword": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "keyword",
              "doc_values": "true"
            }
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date",
          "format": "dateOptionalTime"
        },
        "@version": {
          "type": "text"
        },
        "agent": {
          "properties": {
            "ip": {
              "type": "keyword",
              "doc_values": "true"
            },
            "id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "name": {
              "type": "keyword",
              "doc_values": "true"
            }
          }
        },
        "manager": {
          "properties": {
            "name": {
              "type": "keyword",
              "doc_values": "true"
            }
          }
        },
        "dstuser": {
          "type": "keyword",
          "doc_values": "true"
        },
        "AlertsFile": {
          "type": "keyword",
          "doc_values": "true"
        },
        "full_log": {
          "type": "text"
        },
        "previous_log": {
          "type": "text"
        },
        "GeoLocation": {
          "properties": {
            "area_code": {
              "type": "long"
            },
            "city_name": {
              "type": "keyword",
              "doc_values": "true"
            },
            "continent_code": {
              "type": "text"
            },
            "coordinates": {
              "type": "double"
            },
            "country_code2": {
              "type": "text"
            },
            "country_code3": {
              "type": "text"
            },
            "country_name": {
              "type": "keyword",
              "doc_values": "true"
            },
            "dma_code": {
              "type": "long"
            },
            "ip": {
              "type": "keyword",
              "doc_values": "true"
            },
            "latitude": {
              "type": "double"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "double"
            },
            "postal_code": {
              "type": "keyword"
            },
            "real_region_name": {
              "type": "keyword",
              "doc_values": "true"
            },
            "region_name": {
              "type": "keyword",
              "doc_values": "true"
            },
            "timezone": {
              "type": "text"
            }
          }
        },
        "host": {
          "type": "keyword",
          "doc_values": "true"
        },
        "syscheck": {
          "properties": {
            "path": {
              "type": "keyword",
              "doc_values": "true"
            },
            "sha1_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "sha1_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "uid_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "uid_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "gid_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "gid_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "perm_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "perm_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "md5_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "md5_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "gname_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "gname_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "inode_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "inode_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "mtime_after": {
              "type": "date",
              "format": "dateOptionalTime",
              "doc_values": "true"
            },
            "mtime_before": {
              "type": "date",
              "format": "dateOptionalTime",
              "doc_values": "true"
            },
            "uname_after": {
              "type": "keyword",
              "doc_values": "true"
            },
            "uname_before": {
              "type": "keyword",
              "doc_values": "true"
            },
            "size_before": {
              "type": "long",
              "doc_values": "true"
            },
            "size_after": {
              "type": "long",
              "doc_values": "true"
            },
            "diff": {
              "type": "keyword",
              "doc_values": "true"
            },
            "event": {
              "type": "keyword",
              "doc_values": "true"
            }
          }
        },
        "location": {
          "type": "keyword",
          "doc_values": "true"
        },
        "message": {
          "type": "text"
        },
        "offset": {
          "type": "keyword"
        },
        "rule": {
          "properties": {
            "description": {
              "type": "keyword",
              "doc_values": "true"
            },
            "groups": {
              "type": "keyword",
              "doc_values": "true"
            },
            "level": {
              "type": "long",
              "doc_values": "true"
            },
            "id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "cve": {
              "type": "keyword",
              "doc_values": "true"
            },
            "info": {
              "type": "keyword",
              "doc_values": "true"
            },
            "frequency": {
              "type": "long",
              "doc_values": "true"
            },
            "firedtimes": {
              "type": "long",
              "doc_values": "true"
            },
            "cis": {
              "type": "keyword",
              "doc_values": "true"
            },
            "pci_dss": {
              "type": "keyword",
              "doc_values": "true"
            }
          }
        },
        "decoder": {
          "properties": {
            "parent": {
              "type": "keyword",
              "doc_values": "true"
            },
            "name": {
              "type": "keyword",
              "doc_values": "true"
            },
            "ftscomment": {
              "type": "keyword",
              "doc_values": "true"
            },
            "fts": {
              "type": "long",
              "doc_values": "true"
            },
            "accumulate": {
              "type": "long",
              "doc_values": "true"
            }
          }
        },
        "srcip": {
          "type": "keyword",
          "doc_values": "true"
        },
        "protocol": {
          "type": "keyword",
          "doc_values": "true"
        },
        "action": {
          "type": "keyword",
          "doc_values": "true"
        },
        "dstip": {
          "type": "keyword",
          "doc_values": "true"
        },
        "dstport": {
          "type": "keyword",
          "doc_values": "true"
        },
        "srcuser": {
          "type": "keyword",
          "doc_values": "true"
        },
        "program_name": {
          "type": "keyword",
          "doc_values": "true"
        },
        "id": {
          "type": "keyword",
          "doc_values": "true"
        },
        "status": {
          "type": "keyword",
          "doc_values": "true"
        },
        "command": {
          "type": "keyword",
          "doc_values": "true"
        },
        "url": {
          "type": "keyword",
          "doc_values": "true"
        },
        "data": {
          "type": "keyword",
          "doc_values": "true"
        },
        "system_name": {
          "type": "keyword",
          "doc_values": "true"
        },
        "type": {
          "type": "text"
        },
        "title": {
          "type": "keyword",
          "doc_values": "true"
        },
        "oscap": {
          "properties": {
            "check.title": {
              "type": "keyword",
              "doc_values": "true"
            },
            "check.id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "check.result": {
              "type": "keyword",
              "doc_values": "true"
            },
            "check.severity": {
              "type": "keyword",
              "doc_values": "true"
            },
            "check.description": {
              "type": "text"
            },
            "check.rationale": {
              "type": "text"
            },
            "check.references": {
              "type": "text"
            },
            "check.identifiers": {
              "type": "text"
            },
            "check.oval.id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "scan.id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "scan.content": {
              "type": "keyword",
              "doc_values": "true"
            },
            "scan.benchmark.id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "scan.profile.title": {
              "type": "keyword",
              "doc_values": "true"
            },
            "scan.profile.id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "scan.score": {
              "type": "double",
              "doc_values": "true"
            },
            "scan.return_code": {
              "type": "long",
              "doc_values": "true"
            }
          }
        },
        "audit": {
          "properties": {
            "type": {
              "type": "keyword",
              "doc_values": "true"
            },
            "id": {
              "type": "keyword",
              "doc_values": "true"
            },
            "syscall": {
              "type": "keyword",
              "doc_values": "true"
            },
            "exit": {
              "type": "keyword",
              "doc_values": "true"
            },
            "ppid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "pid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "auid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "uid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "gid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "euid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "suid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "fsuid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "egid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "sgid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "fsgid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "tty": {
              "type": "keyword",
              "doc_values": "true"
            },
            "session": {
              "type": "keyword",
              "doc_values": "true"
            },
            "command": {
              "type": "keyword",
              "doc_values": "true"
            },
            "exe": {
              "type": "keyword",
              "doc_values": "true"
            },
            "key": {
              "type": "keyword",
              "doc_values": "true"
            },
            "cwd": {
              "type": "keyword",
              "doc_values": "true"
            },
            "directory.name": {
              "type": "keyword",
              "doc_values": "true"
            },
            "directory.inode": {
              "type": "keyword",
              "doc_values": "true"
            },
            "directory.mode": {
              "type": "keyword",
              "doc_values": "true"
            },
            "file.name": {
              "type": "keyword",
              "doc_values": "true"
            },
            "file.inode": {
              "type": "keyword",
              "doc_values": "true"
            },
            "file.mode": {
              "type": "keyword",
              "doc_values": "true"
            },
            "acct": {
              "type": "keyword",
              "doc_values": "true"
            },
            "dev": {
              "type": "keyword",
              "doc_values": "true"
            },
            "enforcing": {
              "type": "keyword",
              "doc_values": "true"
            },
            "list": {
              "type": "keyword",
              "doc_values": "true"
            },
            "old-auid": {
              "type": "keyword",
              "doc_values": "true"
            },
            "old-ses": {
              "type": "keyword",
              "doc_values": "true"
            },
            "old_enforcing": {
              "type": "keyword",
              "doc_values": "true"
            },
            "old_prom": {
              "type": "keyword",
              "doc_values": "true"
            },
            "op": {
              "type": "keyword",
              "doc_values": "true"
            },
            "prom": {
              "type": "keyword",
              "doc_values": "true"
            },
            "res": {
              "type": "keyword",
              "doc_values": "true"
            },
            "srcip": {
              "type": "keyword",
              "doc_values": "true"
            },
            "subj": {
              "type": "keyword",
              "doc_values": "true"
            },
            "success": {
              "type": "keyword",
              "doc_values": "true"
            }
          }
        }
      }
    },
    "agent": {
      "properties": {
        "@timestamp": {
          "type": "date",
          "format": "dateOptionalTime"
        },
        "status": {
          "type": "keyword"
        },
        "ip": {
          "type": "keyword"
        },
        "host": {
          "type": "keyword"
        },
        "name": {
          "type": "keyword"
        },
        "id": {
          "type": "keyword"
        }
      }
    }
  }
}

Wazuh Kibana dashboard empty with errors

Installed the latest version of Wazuh using the docs. I have a single-server implementation, where the Wazuh server and ELK are running on the same host, and agents connect remotely. After configuring the Wazuh app and agents, the "Overview" dashboard is empty and shows errors ("Saved "field" parameter is now invalid" etc.). Screenshot attached below.
I followed the instructions on these threads (wazuh/wazuh#111, #24), but they did not fix the issue. There are some fields in "Index Patterns" which do not have a check mark for "Searchable" and "Aggregatable".

(screenshot, 2017-11-27)

App tabs empty

Using ELK 5.6.2 and Wazuh 2.1.1, I'm seeing blank overview and agent tabs for all sections: overview, file integrity, policy monitoring, scap, audit, and PCI DSS. The data is coming in; individual Kibana dashboards for these aspects work, and the indices are populating. Something is amiss with the wazuh-kibana app itself (it does show agents registering and all that jazz, so it's definitely talking to the Wazuh API).
Am I doing something wrong here? App installed as per the instructions in the docs via kibana-plugin install targeting the 2.1.1 zip.

Cannot connect to wazuh-api via Kibana

Hey,

I'm having issues with my connection. When I try to connect to the api, I get the message: "Settings: There are not services running in the given URL."

I've boiled it down to data not being populated into the .wazuh index in ES (the wazuh-configurations "type").

When I run localhost:5601/api/wazuh-api/check, I get the following output:
{"statusCode":200,"error":"2","data":"no_credentials"}

I checked the source, and that's where I came to the conclusion that there was no data for the values, specifically this code block:
https://github.com/wazuh/wazuh-kibana-app/blob/ae7b149a60aeaaaceaa605f941e2cb62d300b10a/server/api/wazuh-api.js#L37
which leads us to our message:
https://github.com/wazuh/wazuh-kibana-app/blob/ae7b149a60aeaaaceaa605f941e2cb62d300b10a/server/api/wazuh-api.js#L215

Also, just FYI, I'm not using X-Pack; I'm just using the proprietary clone from Github:
https://github.com/wazuh/wazuh-docker.git

The creds I'm entering into the plugin in Kibana are:
foo/bar
host: http://127.0.0.1
port: 55000

So, my question boils down to: what is supposed to populate the .wazuh index with configurations (wazuh-manager, kibana, etc), and what might be preventing that configuration data from being inserted?
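
The report above mixes two different failures: "There are not services running in the given URL" (the app could not talk to the API) and `"data":"no_credentials"` (the app has no API entry stored in its `.wazuh` index, so it never tried the API at all). The following is an added example, not code from the wazuh-kibana-app project, that tests the two independently. It assumes the check endpoint's response shape quoted above, a Wazuh API on http://127.0.0.1:55000 protected by HTTP basic auth, and the placeholder foo/bar credentials from the post; adjust all three to your deployment.

```python
"""Added example (not wazuh-kibana-app code): tell "the app has no API entry"
apart from "the Wazuh API is down". Assumptions: the check endpoint's
response shape quoted in the issue above, a Wazuh API on 127.0.0.1:55000
with HTTP basic auth, and the placeholder foo/bar credentials from the post.
"""
import base64
import json
import urllib.error
import urllib.request

# Literal response body from the issue above, reused here as sample input.
SAMPLE_CHECK_BODY = '{"statusCode":200,"error":"2","data":"no_credentials"}'


def classify_check(body):
    """Turn the app's /api/wazuh-api/check JSON into a one-line diagnosis."""
    if isinstance(body, str):
        body = json.loads(body)
    if body.get("data") == "no_credentials":
        # The app answered (HTTP 200) but found no API entry in the .wazuh
        # index; the Wazuh API itself may be perfectly healthy.
        return "no API entry stored in .wazuh; the app never tried the API"
    if str(body.get("error", "0")) != "0":
        return "app error %s: %s" % (body.get("error"), body.get("data"))
    return "app reports a working API connection"


def probe_api(url, user, password, opener=urllib.request.urlopen, timeout=5):
    """Contact the Wazuh API directly with basic auth, bypassing Kibana.

    `opener` is injectable so the function can be exercised without a
    network; in production leave the default. Only use plain http for a
    loopback address: basic auth sends the password in clear text.
    """
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with opener(req, timeout=timeout) as resp:
            return "reachable, HTTP %d" % resp.status
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return "reachable but credentials rejected (HTTP 401)"
        return "reachable, HTTP %d" % exc.code
    except OSError as exc:  # URLError, ConnectionRefusedError, socket timeouts
        return "unreachable: %s" % exc


if __name__ == "__main__":
    print("app check :", classify_check(SAMPLE_CHECK_BODY))
    print("direct API:", probe_api("http://127.0.0.1:55000/", "foo", "bar"))
```

Reading the two lines together: `no API entry stored` plus `reachable but credentials rejected (HTTP 401)` means the API is up and the user/password pair is wrong; `no API entry stored` plus `reachable, HTTP 200` means the API and the credentials are fine and only the app-side entry is missing; `unreachable` means wazuh-api is not listening on that address and port, and nothing saved in the app will help until it is.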

Wazuh plugin and Kibana 5.3.2 in CentOS7

Hi,
Following your official installation instructions for CentOS 7, the command "yum install kibana" installs Kibana 5.3.2, which is not supported by your plugin, as you can see here:

# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Transferring 16637026 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation was unsuccessful due to error "Incorrect Kibana version in plugin [wazuh]. Expected [5.3.2]; found [5.3.1]"

I looked at package.json inside the zip file and it looks like only "kibana": { "version" : "5.3.1" } is allowed. So it fails.

A workaround I used was as follows in case you may be interested:

yum erase -y kibana
curl https://artifacts.elastic.co/downloads/kibana/kibana-5.3.1-x86_64.rpm -o kibana-5.3.1-x86_64.rpm
yum localinstall -y kibana-5.3.1-x86_64.rpm

Right after that the plugin installation command completes without error.

It would be great if the plugin also supports 5.3.2 in order to make the installation process smoother.

Cheers

Add Support for Internationalization

Please add Support for Internationalization, so we can be able to translate the Kibana App to other languages.

For example, a recent study from a Brazilian IT magazine reported that 93% of Brazilian IT professionals don't speak any language other than Portuguese. Among them, 83% of IT managers don't speak English.

So Wazuh could be more widespread in my country if it were translated to pt_br.

Thanks!

Configuring Wazuh-Kibana-App to use an alternative index

Hey. I am working on a monitoring system and I decided to add Wazuh into it. But the problem is that we are forwarding all the logs into a single index, "xyz". Is there any way that I can configure Wazuh to work with the xyz index instead of the regular wazuh-alerts and wazuh-monitoring? I am using ELK Stack 5.6.5 and Wazuh 2.1. Regards.

Wrong Visualisation Wazuh App Overview General Agents status

Could it be that the visualization "Wazuh App Overview General Agents status" is wrong? We had to change it to use id.keyword and status.keyword (using Kibana 6.1.2).

Fixed visualization:

{
  "title": "Wazuh App Overview General Agents status",
  "type": "histogram",
  "params": {
    "type": "histogram",
    "grid": {
      "categoryLines": false,
      "style": {
        "color": "#eee"
      }
    },
    "categoryAxes": [
      {
        "id": "CategoryAxis-1",
        "type": "category",
        "position": "bottom",
        "show": true,
        "style": {},
        "scale": {
          "type": "linear"
        },
        "labels": {
          "show": true,
          "truncate": 100
        },
        "title": {}
      }
    ],
    "valueAxes": [
      {
        "id": "ValueAxis-1",
        "name": "LeftAxis-1",
        "type": "value",
        "position": "left",
        "show": true,
        "style": {},
        "scale": {
          "type": "linear",
          "mode": "normal"
        },
        "labels": {
          "show": true,
          "rotate": 0,
          "filter": false,
          "truncate": 100
        },
        "title": {
          "text": "Count"
        }
      }
    ],
    "seriesParams": [
      {
        "show": true,
        "mode": "normal",
        "type": "line",
        "drawLinesBetweenPoints": false,
        "showCircles": true,
        "interpolate": "cardinal",
        "lineWidth": 3.5,
        "data": {
          "id": "4",
          "label": "Count"
        },
        "valueAxis": "ValueAxis-1"
      }
    ],
    "addTooltip": true,
    "addLegend": true,
    "legendPosition": "right",
    "times": [],
    "addTimeMarker": false
  },
  "aggs": [
    {
      "id": "2",
      "enabled": true,
      "type": "date_histogram",
      "schema": "segment",
      "params": {
        "field": "@timestamp",
        "interval": "h",
        "customInterval": "2h",
        "min_doc_count": 1,
        "extended_bounds": {}
      }
    },
    {
      "id": "3",
      "enabled": true,
      "type": "terms",
      "schema": "group",
      "params": {
        "field": "status.keyword",
        "size": 5,
        "order": "desc",
        "orderBy": "_term"
      }
    },
    {
      "id": "4",
      "enabled": true,
      "type": "cardinality",
      "schema": "metric",
      "params": {
        "field": "id.keyword",
        "customLabel": "Count"
      }
    }
  ]
}
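
Both the "Saved "field" parameter is now invalid" report earlier on this page (fields in the index pattern not marked Searchable/Aggregatable) and the `.keyword` fix above come down to one question: does the field the aggregation names exist in the mapping of the index the visualization targets, and is it aggregatable there? The check below is an added example, not wazuh-kibana-app code. It assumes the visualization JSON shape shown above (`vis["aggs"][i]["params"]["field"]`) and mappings in the "properties" form used by the template at the top of this page; the two sample mappings are constructed here. The caveat it surfaces: `status.keyword` only exists when the index was mapped dynamically (text plus a keyword subfield) because the template was not in place before the first document arrived; with the template applied, `status` itself is the keyword field and the `.keyword` variant does not exist.

```python
"""Added example, not wazuh-kibana-app code: check the fields a saved
Kibana visualization aggregates on against the mapping of the index it
targets. Assumes the visualization JSON shape shown above
(vis["aggs"][i]["params"]["field"]) and mappings in the "properties" form
used by the template above; the two sample mappings are constructed here.
"""

# Types Kibana can aggregate on when doc_values are enabled (the default).
AGGREGATABLE_TYPES = {"keyword", "date", "boolean", "ip", "long", "integer",
                      "short", "byte", "double", "float", "half_float"}

# Constructed sample 1: the "agent" mapping exactly as the template above
# declares it (status/id are keyword fields, with no .keyword subfield).
TEMPLATE_AGENT = {
    "@timestamp": {"type": "date", "format": "dateOptionalTime"},
    "status": {"type": "keyword"},
    "ip": {"type": "keyword"},
    "host": {"type": "keyword"},
    "name": {"type": "keyword"},
    "id": {"type": "keyword"},
}

# Constructed sample 2: what Elasticsearch's dynamic mapping produces when
# the template was NOT applied before the first document arrived.
DYNAMIC_AGENT = {
    "@timestamp": {"type": "date"},
    "status": {"type": "text",
               "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    "id": {"type": "text",
           "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
}

# The aggregations from the "fixed" visualization above, trimmed to what
# matters for this check.
VIS_FIXED = {"aggs": [
    {"id": "2", "type": "date_histogram", "params": {"field": "@timestamp"}},
    {"id": "3", "type": "terms", "params": {"field": "status.keyword"}},
    {"id": "4", "type": "cardinality", "params": {"field": "id.keyword"}},
]}


def resolve_field(properties, dotted):
    """Find a dotted field name in a mapping; return its definition or None.

    Handles nested "properties", multi-field "fields" (text + .keyword) and
    property keys that themselves contain dots, as the oscap/audit sections
    of the template above do ("check.id", "file.name").
    """
    parts = dotted.split(".")
    for i in range(len(parts), 0, -1):
        key = ".".join(parts[:i])
        if key not in properties:
            continue
        node, rest = properties[key], ".".join(parts[i:])
        if not rest:
            return node
        for sub in ("properties", "fields"):
            if sub in node:
                return resolve_field(node[sub], rest)
        return None
    return None


def field_problem(properties, field):
    """Why Kibana could not aggregate on `field`, or None if it can."""
    node = resolve_field(properties, field)
    if node is None:
        return "not in mapping"
    ftype = node.get("type")
    if ftype in AGGREGATABLE_TYPES:
        if str(node.get("doc_values", "true")).lower() == "false":
            return "doc_values disabled"
        return None
    if ftype == "text":
        if "keyword" in node.get("fields", {}):
            return "text field; use %s.keyword" % field
        return "text field without a keyword subfield"
    return "type %r not aggregatable" % ftype


def check_visualization(vis, properties):
    """Map agg id -> problem for every agg whose field Kibana cannot use."""
    problems = {}
    for agg in vis.get("aggs", []):
        field = agg.get("params", {}).get("field")
        if field is None:
            # "count" needs no field; other field-less agg types are not handled.
            if agg.get("type") != "count":
                problems[agg["id"]] = '"field" is a required parameter'
            continue
        problem = field_problem(properties, field)
        if problem:
            problems[agg["id"]] = problem
    return problems


if __name__ == "__main__":
    print("fixed vis vs template mapping:", check_visualization(VIS_FIXED, TEMPLATE_AGENT))
    print("fixed vis vs dynamic mapping :", check_visualization(VIS_FIXED, DYNAMIC_AGENT))
```

To run it against a live cluster, feed `check_visualization` the `properties` object returned by `GET <index>/_mapping` for the index the visualization targets and the `aggs` array from the saved object. An empty result for the original visualization and "not in mapping" for the `.keyword` version tells you the template is applied; the reverse tells you the index was created by dynamic mapping, and reindexing after loading the template is the durable fix rather than editing every visualization.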

Kibana App -- blank (white) screen

Hola fellas,

I have just updated the manager (single-host deployment with Elastic Stack) and all of a sudden, when I click on the Wazuh app, it just shows a blank screen and nothing else.

(screenshot, 2018-01-05)

I'm running the following versions:

elasticsearch 6.1.1

logstash 6.1.1-1

kibana 6.1.1

wazuh-manager 3.1.0-1

wazuh-api 3.1.0-1

the api.log looks OK (nothing unusual).
I'm behind an nginx web server.

below you can find my config

server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 default_server;
    listen [::]:443;
    # "ssl on" is deprecated in newer nginx releases; "listen 443 ssl;" is the
    # current form
    ssl on;
    ssl_certificate /etc/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/ssl/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        # TLS and basic auth terminate here; Kibana itself is reached over
        # plain HTTP on loopback
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}

Is there anything else I could check to get the Kibana wazuh-app running again?

cheers,
theresa

wazuh-app plugin unsuccessful

Hi,
I have a problem installing the Wazuh Kibana plugin: it says I need Kibana version 6.1.0, while I've installed the latest Kibana version, 6.1.1.
I've tried using your README link for Kibana version 6.1.1, but it still did not work. Any solution?

Thanks
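
This report and the CentOS 7 / Kibana 5.3.2 one earlier on the page are the same failure: kibana-plugin compares the version declared in the archive's package.json with the installed Kibana and requires an exact match ("Expected [5.3.2]; found [5.3.1]"). The script below is an added example, not Wazuh project code, that reads that declaration out of a plugin zip before you install it. It assumes the archive carries a package.json with a "kibana": {"version": ...} object, as observed in the 5.3.2 report, and that the installed Kibana's own package.json is at /usr/share/kibana/package.json (the RPM layout; adjust for other installs). The in-memory archive used for the demonstration is constructed, not the real wazuhapp.zip.

```python
"""Added example, not Wazuh project code: read the Kibana version a plugin
archive was built for and compare it with the installed Kibana before
running kibana-plugin install. Assumes the archive carries a package.json
with a "kibana": {"version": ...} object, as the issue above observed, and
that the installed Kibana's package.json is at /usr/share/kibana/package.json
(RPM layout; adjust for other installs).
"""
import io
import json
import zipfile

DEFAULT_KIBANA_PACKAGE_JSON = "/usr/share/kibana/package.json"  # assumed path


def plugin_required_kibana(plugin_zip):
    """Return the Kibana version string declared by the plugin archive.

    `plugin_zip` is a path or a file-like object. The shallowest package.json
    carrying a kibana.version entry wins, so bundled node_modules metadata
    deeper in the tree is ignored.
    """
    with zipfile.ZipFile(plugin_zip) as archive:
        candidates = sorted(
            (n for n in archive.namelist() if n.endswith("package.json")),
            key=lambda n: n.count("/"))
        for name in candidates:
            meta = json.loads(archive.read(name).decode("utf-8"))
            kibana = meta.get("kibana")
            if isinstance(kibana, dict) and "version" in kibana:
                return str(kibana["version"]).strip()
    raise ValueError("no package.json with a kibana.version entry in the archive")


def installed_kibana_version(package_json=DEFAULT_KIBANA_PACKAGE_JSON):
    """Version of the Kibana that kibana-plugin will check the archive against."""
    with open(package_json, encoding="utf-8") as fh:
        return str(json.load(fh)["version"]).strip()


def compatibility_report(plugin_zip, installed):
    """kibana-plugin demands an exact match (the message above shows a 5.3.1
    plugin being rejected by Kibana 5.3.2), so compare the full strings."""
    required = plugin_required_kibana(plugin_zip)
    if required == installed:
        return "ok: plugin built for Kibana %s" % required
    return "mismatch: plugin expects Kibana %s, installed Kibana is %s" % (required, installed)


def build_sample_plugin_zip(required_version, plugin_version="2.1.1"):
    """Constructed fixture: a minimal plugin archive in memory, for trying the
    check without downloading wazuhapp.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("kibana/wazuh/package.json", json.dumps({
            "name": "wazuh", "version": plugin_version,
            "kibana": {"version": required_version}}))
        # Deeper metadata that must not be mistaken for the plugin's own.
        archive.writestr("kibana/wazuh/node_modules/dep/package.json",
                         json.dumps({"name": "dep", "version": "0.0.1"}))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_plugin_zip("5.3.1")
    try:
        installed = installed_kibana_version()
    except (OSError, KeyError, ValueError):
        installed = "5.3.2"  # no local Kibana; use the version from the issue above
    print(compatibility_report(target, installed))
```

Run it as `python check_plugin.py wazuhapp.zip` after downloading the archive. On a mismatch the two clean options are the ones these reports already describe: install the Kibana release the plugin declares (the yum localinstall downgrade shown above) or fetch the plugin build that matches the installed Kibana. Editing the version inside the zip to get past the check is not one of them: the plugin bundle was compiled against that Kibana's internal modules, and the blank-screen symptom reported elsewhere on this page is what a mismatched bundle tends to look like.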

Dont show anything in Overview tab

I saw some demo images that have many charts in the Overview tab, but when I installed the plugin in Kibana, I don't see anything in the Overview tab.
I'm using Kibana 5.4 (wazuh-kibana-app for Kibana 5.4). Every function is working except the Overview tab.

Demo: (screenshot)

My Overview tab: (screenshot)

Thanks!

Automate connection from Wazuh App to the API

Hi guys,
I'm wondering if there is any way to perform step 4 here from the command line.

I'm writing an AWS CloudFormation template to automate deployment of ELK, Wazuh and other security tools and I want to automate that step as well.
Thanks in advance!

Visualize: "field" is a required parameter

Hello, I'm having a problem with a visualize error; it says "Visualize: "field" is a required parameter". And I put my template in just before starting Logstash.

TypeError: "field" is a required parameter
at FieldParamTypeProvider.FieldParamType.write (http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:67:981258)
at http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:37:18422
at AggParams.forEach (native)
at AggParams.AggTypesAggParamsProvider.AggParams.write (http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:37:18380)
at AggConfig.VisAggConfigProvider.AggConfig.write (http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:16:81058)
at AggConfig.VisAggConfigProvider.AggConfig.toDsl (http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:16:81993)
at http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:67:977833
at Array.forEach (native)
at AggConfigs.VisAggConfigsProvider.AggConfigs.toDsl (http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:67:977616)
at http://192.168.90.51:5601/bundles/wazuh.bundle.js?v=16363:50:163168
