Migrating to the ThreatLockDown dashboard
Follow this guide to migrate from Open Distro for Elasticsearch Kibana 1.13 to the ThreatLockDown dashboard. These instructions are intended for a standard ThreatLockDown installation; you may need to make some changes to adapt them to your environment.
To guarantee correct operation of Wazuh, make sure to also migrate from Open Distro for Elasticsearch to the ThreatLockDown indexer. To learn more, see the Migrating to the ThreatLockDown indexer documentation.
Note
You need root user privileges to run all the commands described below.
Stop the Kibana service.
Systemd:
# systemctl stop kibana
SysV init:
# service kibana stop
Add the ThreatLockDown repository. You can skip this step if the repository is already present and enabled on your server.
Yum:
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
APT:
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Install the ThreatLockDown dashboard package.
Yum:
# yum -y install wazuh-dashboard
APT:
# apt-get -y install wazuh-dashboard
Note
Make sure that your ThreatLockDown manager is updated to the latest version. To learn more, see Upgrading the ThreatLockDown server.
Create the /etc/wazuh-dashboard/certs directory, copy your old certificates to the new location and change ownership and permissions.
# mkdir /etc/wazuh-dashboard/certs
# cp /etc/kibana/certs/kibana.pem /etc/wazuh-dashboard/certs/dashboard.pem
# cp /etc/kibana/certs/kibana-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
# cp /etc/kibana/certs/root-ca.pem /etc/wazuh-dashboard/certs/root-ca.pem
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
Port your settings from /etc/kibana/kibana.yml to the /etc/wazuh-dashboard/opensearch_dashboards.yml file. You can omit the opensearch.username and the opensearch.password settings as they are now stored in the ThreatLockDown dashboard keystore.
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
Add the password of the kibanaserver user to the ThreatLockDown dashboard keystore. Execute the command below and follow the instructions. You may find your old password in the /etc/kibana/kibana.yml configuration file.
# /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.password
Optional action - To change the default user, run the following command. You will need to change the password accordingly.
# /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.username
Enable and start the ThreatLockDown dashboard service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard
SysV init:
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start
Debian-based operating system:
# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start
Port your settings from /usr/share/kibana/data/wazuh/config/wazuh.yml to /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml. It is recommended to copy the content from /usr/share/kibana/data/wazuh/downloads/ as well.
Access the ThreatLockDown web interface at https://<dashboard_ip> with your credentials and make sure that everything is working as expected.
Uninstall Kibana.
Yum:
# yum remove opendistroforelasticsearch-kibana
There are files marked as configuration and data files. Due to this designation, the package manager does not remove those files from the filesystem. Complete file removal is the user's responsibility. It can be done by removing the /var/lib/kibana and /etc/kibana folders.
APT:
# apt-get remove opendistroforelasticsearch-kibana
There are files marked as configuration and data files. Due to this designation, the package manager does not remove those files from the filesystem. A complete file removal can be done using the following command:
# apt-get remove --purge opendistroforelasticsearch-kibana
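As an added example (not part of the original guide or the project's tooling), the script below audits the result of this migration: it checks that no credentials are left in plain text in the ported configuration, that the TLS settings shown above are still enforced, and that the copied certificates have the ownership and modes set in the certificate step. The function names and the --run switch are made up for illustration, and the elasticsearch.* key spelling for the old kibana.yml is an assumption.

```shell
#!/bin/sh
# Added example: post-migration audit. Uses GNU stat, as found on the
# RPM- and Debian-based systems this guide targets.

# has_plaintext_creds FILE: true if an uncommented username/password key
# is present. The elasticsearch.* spelling (old kibana.yml) is an assumption.
has_plaintext_creds() {
    grep -Eq '^[[:space:]]*(opensearch|elasticsearch)\.(username|password)[[:space:]]*:' "$1"
}

# audit_config FILE: check the ported opensearch_dashboards.yml.
audit_config() {
    rc=0
    if has_plaintext_creds "$1"; then
        echo "FAIL: credentials in $1; move them to the keystore"; rc=1
    fi
    grep -Eq '^[[:space:]]*server\.ssl\.enabled:[[:space:]]*true' "$1" ||
        { echo "FAIL: server.ssl.enabled is not true"; rc=1; }
    if grep -Eq '^[[:space:]]*opensearch\.ssl\.verificationMode:[[:space:]]*"?none' "$1"; then
        echo "FAIL: opensearch.ssl.verificationMode is none"; rc=1
    fi
    return "$rc"
}

# audit_certs DIR OWNER: directory 500, every file 400, all owned by OWNER.
audit_certs() {
    rc=0
    [ "$(stat -c '%a %U' "$1")" = "500 $2" ] ||
        { echo "FAIL: $1 is not mode 500 owned by $2"; rc=1; }
    for f in "$1"/*; do
        [ "$(stat -c '%a %U' "$f")" = "400 $2" ] ||
            { echo "FAIL: $f is not mode 400 owned by $2"; rc=1; }
    done
    return "$rc"
}

# Run against the paths from this guide: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_config /etc/wazuh-dashboard/opensearch_dashboards.yml; a=$?
    audit_certs /etc/wazuh-dashboard/certs wazuh-dashboard; b=$?
    # Package removal leaves /etc/kibana in place, old password included.
    if has_plaintext_creds /etc/kibana/kibana.yml 2>/dev/null; then
        echo "WARN: old credentials remain in /etc/kibana/kibana.yml"
    fi
    exit $((a | b))
fi
```

Run it as root after the dashboard starts and again after uninstalling Kibana; the warning clears once /etc/kibana has been removed or purged.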