
Using Kibana with LogRhythm SIEM

For customers looking to leverage additional visualization tools, LogRhythm SIEM is compatible with Kibana. Best practice is that the Kibana version (major and minor) matches the version of the Elasticsearch cluster it connects to; a mismatched Kibana will refuse to start or behave unpredictably.

Kibana Versions

All currently supported versions of LogRhythm SIEM should use Kibana 6.8.23, which should be downloaded directly from Elastic's website.

Warnings and Disclaimers

Kibana is a third-party software and is licensed under third-party terms.

Kibana may have a detrimental effect on LogRhythm SIEM’s indexing and search performance. Use of Kibana is at your own risk.

It is important to note that Kibana requires storage space within the Elasticsearch cluster (its own .kibana index for saved objects), which can reduce the Data Indexer's capacity to store logs and can decrease the TTL of available log data.

LogRhythm cannot provide support for Kibana, and if Kibana negatively impacts your Data Indexer, LogRhythm may ask you to remove the Kibana instance per LogRhythm's Support Services Addendum.

LogRhythm SIEM and Kibana Configuration

  1. Ensure the Elasticsearch cluster is healthy by performing the following steps:

    1. On the DX server, run the curl command:

      curl localhost:9200/_cluster/health?pretty
    2. If the status isn't green, consider working with LogRhythm Support to ensure your cluster is healthy before configuring Kibana. (Yellow means one or more replica shards are unassigned; red means primary shards are missing.)

  2. Download Kibana.
    As of LogRhythm SIEM version 7.16, use Kibana 6.8.23.

  3. Install Kibana on your server using one of the following sets of steps:

    1. If using a Linux DX, run the following command:

      sudo yum -y localinstall kibana-6.8.23.x86_64.rpm
      1. Update the firewall rules to allow the Kibana port:

        sudo firewall-cmd --permanent --zone=public --add-port=5601/tcp #kibana

        Kibana performs no authentication unless Elastic's security features are enabled, so anyone who can reach port 5601 can query every index on the Data Indexer. Limit the rule to the addresses your analysts use (for example with a firewalld rich rule that names a source address) rather than opening the port to the whole zone.
      2. Restart firewalld so the permanent rule takes effect:

        sudo systemctl restart firewalld
    2. If using a Windows XM:

      1. Extract the folder to a location such as C:\Kibana.

      2. Use a tool such as NSSM to configure Kibana to run as a service.

  4. (Optional.) If you have a single-node Elasticsearch cluster (such as an XM or a single DX node), configure Kibana for non-clustered deployment using the following steps:

    1. Locate the Kibana configuration file, /etc/kibana/kibana.yml (the path used by the RPM package).

    2. Remove the leading "#" from the server.port line (5601 by default) using vi:

      1. vi /etc/kibana/kibana.yml

      2. Press I to enter INSERT mode and make the edit.

      3. To save the change, press ESC and then type :wq to save and quit.

    3. Set the number of replicas for the .kibana index to zero. A single node cannot hold both the primary and a replica of the same shard, so until this is done the replica stays unassigned and the cluster reports yellow:

      curl -XPUT 'localhost:9200/.kibana/_settings?pretty' -H 'Content-Type: application/json' -d'
      {
        "index": {
          "number_of_replicas": 0
        }
      }'
  5. Kibana can now be accessed at http://localhost:5601 or http://<IP of Host you installed Kibana on>:5601. Kibana binds to localhost by default; for access from another host, also set server.host in kibana.yml to the address of the interface Kibana should listen on.
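The whole procedure above, as an added example script that is not part of the LogRhythm documentation or of Kibana itself: it reads cluster health the way step 1 does and refuses to continue unless the status is green, uncomments server.port, drops the .kibana replicas when the cluster has a single node, and opens port 5601 only to an analyst subnet instead of the whole public zone. It assumes a Linux DX with Elasticsearch answering on localhost:9200, the RPM layout (/etc/kibana/kibana.yml), and a trusted analyst range of 10.10.0.0/24; all three are assumptions and can be overridden through the ES_URL, KIBANA_YML and ANALYST_NET environment variables.

```shell
#!/usr/bin/env bash
# Added example (not LogRhythm's or Elastic's code). Automates the Kibana
# pre-checks and post-install configuration for a Linux DX.
# Assumptions: Elasticsearch on localhost:9200, Kibana 6.8.23 installed from
# the RPM, analysts on 10.10.0.0/24. Override via the variables below.
set -euo pipefail

ES_URL="${ES_URL:-http://localhost:9200}"
KIBANA_YML="${KIBANA_YML:-/etc/kibana/kibana.yml}"
ANALYST_NET="${ANALYST_NET:-10.10.0.0/24}"   # assumed trusted source range

# Extract "status" from a _cluster/health document on stdin (pretty or compact JSON).
cluster_status() {
  sed -n '/"status"/{s/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p;q;}'
}

# Extract "number_of_nodes" from a _cluster/health document on stdin.
node_count() {
  sed -n '/"number_of_nodes"/{s/.*"number_of_nodes"[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p;q;}'
}

# Only green is acceptable before touching the cluster; yellow means unassigned
# replicas and red means missing primaries.
health_ok() {
  case "$1" in green) return 0 ;; *) return 1 ;; esac
}

# JSON body that sets the replica count of an index (0 for the .kibana index
# on a single node, where a replica can never be allocated).
replicas_body() {
  printf '{"index":{"number_of_replicas":%d}}' "$1"
}

# firewalld rich rule admitting TCP/5601 only from the given subnet. Kibana
# without security features has no login page, so the firewall is the control.
kibana_rich_rule() {
  printf 'rule family="ipv4" source address="%s" port port="5601" protocol="tcp" accept' "$1"
}

main() {
  local health status nodes
  health="$(curl -sS "$ES_URL/_cluster/health")"
  status="$(printf '%s' "$health" | cluster_status)"
  nodes="$(printf '%s' "$health" | node_count)"
  if ! health_ok "$status"; then
    echo "cluster status is '$status', not green; stop and involve LogRhythm Support" >&2
    exit 1
  fi

  # Uncomment server.port; server.host stays at localhost unless remote
  # analysts need the UI, in which case set it to one specific interface.
  sudo sed -i 's/^#[[:space:]]*server\.port:/server.port:/' "$KIBANA_YML"

  # On a single node the .kibana replica can never allocate; drop it to 0.
  if [ "$nodes" = "1" ]; then
    curl -sS -XPUT "$ES_URL/.kibana/_settings" \
      -H 'Content-Type: application/json' -d "$(replicas_body 0)"
  fi

  sudo firewall-cmd --permanent --zone=public --add-rich-rule="$(kibana_rich_rule "$ANALYST_NET")"
  sudo firewall-cmd --reload
  sudo systemctl enable --now kibana
}

# Only act when explicitly asked; loading the file otherwise just defines helpers.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `./kibana-setup.sh --apply` from an account that can sudo; without `--apply` the file only defines the helper functions, which is convenient for testing the JSON parsing against a saved health document. `firewall-cmd --reload` is used instead of restarting firewalld so existing connections are not dropped while the rule is applied.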
