Wazuh and the ELK Stack - Check My Logic, Please



  • As I mentioned in this thread, we're looking to roll out Wazuh.

    I noticed they had an OVA, so naturally I gravitated toward using it as opposed to installing everything myself from a base CentOS 7 install. Not that there's anything wrong with building from scratch, it's just the decision I made. The great thing about their OVA as opposed to many others out there is it happens to be a full CentOS 7 instance that you can update / upgrade via yum (which I love).

    After installing the OVA, I could log in to the Kibana interface with no issues, see Wazuh info, etc. But I wanted to update all components so everything would be fully patched when we start (OS and all components of the ELK stack). Here's what you see if you run yum check-update after installing the OVA:
    [screenshot: yum check-update output on the freshly installed OVA]

    I went ahead and performed the updates and rebooted the CentOS box. After that I could log in to Kibana with no issues and see the version had been updated from 5.6.1 to 5.6.3. When I did that I actually lost the Wazuh plugin for Kibana. Then I followed the guide here to remove and re-install the Wazuh Kibana app to get back in business: https://documentation.wazuh.com/current/installation-guide/upgrading/same_major.html

    My question here is more about running updates to the ELK stack and how concerned I need to be about their effect on Wazuh moving forward. From what I see in the install guide, if you were rolling your own CentOS instance you would just run yum install kibana and end up with the latest version out there anyway. Maybe I just got lucky because the Wazuh app was already compatible with the latest version of Kibana? When I look in the Kibana interface, I still see the same version of Wazuh (2.1.1, revision 0345), which should be the case since Wazuh itself was not updated at all.

    The OVA on their site shows it is Wazuh 2.1.1 and ELK 5.5.1. I sent out a Tweet about installing Wazuh and being able to update the OVA, and one of their employees mentioned they needed to upgrade elasticsearch in the OVA anyway.
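    Added example (not part of the thread or of Wazuh's own tooling): a small pre-update gate for the OVA that parses yum check-update output, picks out the ELK packages, and holds the run when a pending Kibana version is not on the Wazuh app's supported list. The SUPPORTED_KIBANA list and the sample yum output are assumptions constructed for the example; fill the list from the compatibility table in the wazuh-kibana-app repository.

```shell
#!/bin/sh
# Added example, not from the thread: gate a "yum update" on the ELK packages
# the Wazuh Kibana app is known to support, so an OS patch run cannot silently
# pull in a Kibana the app has not been tested against.
# SUPPORTED_KIBANA is an assumption: fill it from the compatibility table in
# the wazuh-kibana-app repository before relying on it.
SUPPORTED_KIBANA="5.5.1 5.6.1 5.6.3"

# Return 0 when the given Kibana version appears in SUPPORTED_KIBANA.
kibana_supported() {
    for v in $SUPPORTED_KIBANA; do
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# Read "yum check-update" output on stdin; print "name version" for every
# ELK component with a pending update (arch and release suffix stripped).
pending_elk_updates() {
    awk '$1 ~ /^(kibana|elasticsearch|logstash|filebeat)\./ {
             sub(/\..*$/, "", $1); sub(/-.*$/, "", $2); print $1, $2 }'
}

# Read "name version" lines; print OK/HOLD per package and return non-zero
# if any pending Kibana version is not on the supported list.
check_pending() {
    rc=0
    while read -r name ver; do
        if [ "$name" = "kibana" ] && ! kibana_supported "$ver"; then
            echo "HOLD $name $ver: not listed as supported by the Wazuh app"
            rc=1
        else
            echo "OK   $name $ver"
        fi
    done
    return $rc
}

# Constructed sample of "yum check-update" output (not real repository data).
SAMPLE_CHECK_UPDATE='kernel.x86_64          3.10.0-693.5.2.el7   updates
kibana.x86_64          5.6.3-1              elasticsearch-5.x
elasticsearch.noarch   5.6.3-1              elasticsearch-5.x
filebeat.x86_64        5.6.3-1              elastic-5.x'

# On the OVA itself the pipeline would be (yum check-update exits 100 when
# updates are pending, so do not run it under "set -e"):
#   yum check-update | pending_elk_updates | check_pending && yum -y update
# followed by the remove/re-install of the Wazuh Kibana app from the linked guide.
printf '%s\n' "$SAMPLE_CHECK_UPDATE" | pending_elk_updates | check_pending
```

    Note that yum wraps very long package names onto a second line; the awk filter only sees the first field of each line, so such entries would need joining first.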



  • I think this may answer it. The Wazuh employee I had been chatting with sent me here - https://github.com/wazuh/wazuh-kibana-app. They don't officially list Kibana 5.6.3 there, but the upgrade and Wazuh app install worked like a champ.

    I'd still love community opinions nonetheless.



  • After asking the Wazuh employee I had been speaking to about Kibana 5.6.3, the GitHub repo was updated to include it.