Using Kibana with LogRhythm SIEM

For customers looking to leverage additional visualization tools, LogRhythm SIEM is compatible with Kibana.

Designing Kibana with LogRhythm

By default, Kibana connects to the local Elasticsearch node running on the host where you install Kibana, listening on localhost:9200 by default. This connection to the local node allows you to visualize data from all nodes within the same cluster.

In a Windows/XM configuration, you should run one Kibana UI for each XM in your environment. This could be multiple instances if you have a DR configuration.

For Linux DX configurations, you should run one Kibana UI for each cluster from which you want to visualize data. You can pick any node in the cluster from which to run Kibana and it will visualize all data within that cluster. Kibana can visualize open index data only (hot tier), so any closed indexes (warm tier) will not be visible.

Support for multi-cluster Kibana configurations is out-of-scope for this documentation. Please refer to our Professional Services team for assistance with this type of configuration.

Kibana Versions

The version of Kibana must match the version of Elasticsearch being used, and the OSS version must always be used. In the event that your LogRhythm version is upgraded, you may need to upgrade Kibana.

LogRhythm Versions 7.8 - 7.17 - Elasticsearch 6.8.23 - Kibana 6.8.23 Download

LogRhythm Versions 7.18+ - Elasticsearch 7.10.2 - Kibana 7.10.2 Download

Warnings and Disclaimers

Kibana is a third-party software and is licensed under third-party terms. The OSS edition falls under the Apache 2.0 license agreement and can be used with LogRhythm. All other editions of Kibana should not be used.

Kibana may have a detrimental effect on LogRhythm SIEM’s indexing and search performance. Use of Kibana is at your own risk.

It is important to note that Kibana requires storage space within the Elasticsearch clusters, which can negatively impact your Data Indexer’s ability to store logs, and can decrease the TTL of available log data.

LogRhythm cannot provide support for Kibana, and if Kibana negatively impacts your Data Indexer, LogRhythm may ask you to remove the instance of Elasticsearch per LogRhythm’s Support Services Addendum.

LogRhythm SIEM and Kibana Configuration

Ensure the Elasticsearch cluster is healthy by performing the following steps:
1. On the DX server, run the curl command:
  BASH
```
curl localhost:9200/_cluster/health?pretty
```
2. If the status isn’t green, consider working with LogRhythm Support to ensure your cluster is healthy before configuring Kibana.
Download Kibana.
1. LogRhythm Versions 7.8 - 7.17 - Elasticsearch 6.8.23 - Kibana 6.8.23 Download
2. LogRhythm Versions 7.18+ - Elasticsearch 7.10.2 - Kibana 7.10.2 Download
Install Kibana on your server using one of the following sets of steps:
1. For a Linux DX, run the following command:
  BASH
```
sudo yum -y localinstall kibana-#.#.#.x86_64.rpm
```
  1. Update firewall rules to allow connections to the Kibana UI listening on TCP/5601:
    BASH
```
sudo firewall-cmd --permanent --zone=public --add-port=5601/tcp #kibana
```
  2. Restart firewalld:
    BASH
```
sudo systemctt restart firewalld
```
2. For a Windows XM:
  1. Extract the folder to a location such as C:\Kibana.
  2. (Optional.) Update firewall rules to allow connections to the Kibana UI externally using Powershell
    CODE
```
New-NetFirewallRule -DisplayName 'Kibana UI' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5601
```
  3. (Optional.) Use a tool such as NSSM to configure Kibana to run as a service.
  4. Start the service by running “C:\Kibana\bin\kibana.bat"
(Optional.) Specify the IP Address/NIC and Port the Kibana UI will listen on.
1. For Linux:
  1. Navigate to /etc/kibana/config/kibana.yml.
  2. Edit the Kibana config file:
    1. vi /etc/kibana/config/kabana.yml
    2. To enter INSERT mode, press I to edit.
    3. Remove “#” from server.port and server.host using vi.
    4. Modify the server.port and server.host values to the IP and Port on which you want the Kibana UI to listen.
  3. To save changes, press ESC and then type :wq to save and quit.
  4. Restart Kibana for the settings to take effect.
2. For Windows:
  1. Navigate to the directory where you extracted the Kibana package and open the Config directory: “C:\Kibana\config"
  2. Edit the Kibana config file:
    1. Open “kibana.yml” in a text editor.
    2. Remove “#” from server.port and server.host.
    3. Modify the server.port and server.host values to the IP and Port on which you want the Kibana UI to listen.
  3. Save “kibana.yml” and restart Kibana for the settings to take effect.
If you have a single-node Elasticsearch cluster (such as an XM or a single DX node), configure Kibana for non-clustered deployment by disabling replica shards.
1. Set the number of replicas to zero:
  CODE
```
curl -XPUT 'localhost:9200/.kabana/_settings?pretty' -H 'Content-Type: application/json' -d'
{
  "index":{
    "number_of_replicas":0
  }
}'
```

If this step is not followed, your Elasticsearch cluster will remain Yellow permanently and will impact your ability to do future upgrades and some normal maintenance tasks LogRhythm performs on the cluster.

The Kibana UI can now be accessed using a web browser to http://localhost:5601 or http://<IP of Host on which you installed Kibana>:5601
Configuring the Kibana Index Pattern is required for you to visualize data:
1. On first login, you will be prompted to “Start by adding your data”. Click the Explore on my own button.
2. Expand the three-line menu in the upper-left corner, under “Management,” select Stack Management.
3. In the left-hand menu, select Index Patterns.
4. Select Create index pattern.
5. Specify the index pattern of “logs-*”.
  If your cluster has data in it, you should see a list of sources at the bottom. This verifies that you typed it correctly.
6. Select Next Step.
7. Specify the Time Field of “normalDate”.
8. Select Create index pattern.
Explore on your own, create dashboards, or discover from the three-line menu in the upper left corner under Kibana.