
Building Your SIEM: Part 4 - Setting Up the Wazuh Dashboard

Welcome back to our SIEM construction series! In this fourth installment, we're going to tackle one of the most crucial components of our security monitoring setup: the Wazuh Dashboard. This is where all the magic happens visually - think of it as the command center where you'll be analyzing security events, investigating incidents, and getting those beautiful visualizations that make sense of all the data flowing through your SIEM.

What We're Building Today

The Wazuh Dashboard (version 4.12) serves as our web-based interface for interacting with all the security data we've been collecting. It's built on OpenSearch Dashboards technology and provides us with powerful visualization capabilities, real-time monitoring, and comprehensive security analytics.

Step 1: Installing Dependencies

Before we can install the dashboard itself, we need to ensure our system has all the necessary dependencies:

apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

What's happening here? We're installing essential tools that the Wazuh Dashboard needs to function properly:

  • debhelper: Helps with Debian package management (we need version 9 or later)
  • tar: For extracting our certificate files
  • curl: For making HTTP requests
  • libcap2-bin: Provides capability management tools

Step 2: Installing Wazuh Dashboard

Now for the main event - installing the dashboard itself:

apt-get -y install wazuh-dashboard

This command downloads and installs the Wazuh Dashboard package. The -y flag automatically answers "yes" to any prompts, making the installation smoother.

Step 3: Configuring the Dashboard

Here's where things get interesting. We need to configure our dashboard to communicate securely with our OpenSearch cluster. Let's edit the main configuration file:

File: /etc/wazuh-dashboard/opensearch_dashboards.yml

# Dashboard server binding
server.host: bonsaii.local
# OpenSearch cluster URL
opensearch.hosts: ["https://bonsaii.local:9200"]
# TLS settings for OpenSearch <-> Dashboards communication
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/etc/opensearch-dashboards/certs/root-ca.pem"]
# Authentication credentials for OpenSearch Dashboards to connect to OpenSearch
opensearch.username: kibanaserver
opensearch.password: kibanaserver
# Headers forwarded from Dashboards to OpenSearch
opensearch.requestHeadersAllowlist: ["authorization", "securitytenant"]
# Multi-tenancy support
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# TLS settings for client <-> Dashboards (HTTPS access from browser)
server.ssl.enabled: true
server.ssl.key: "/etc/opensearch-dashboards/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/opensearch-dashboards/certs/dashboard.pem"

Let me break down what each section does:

  • Server binding: We're telling the dashboard to listen on bonsaii.local
  • OpenSearch connection: Points to our OpenSearch cluster running on port 9200
  • TLS security: Enables encrypted communication between components
  • Authentication: Uses the kibanaserver user for backend communication
  • Multi-tenancy: Allows different user groups to have separate workspaces
  • Client SSL: Enables HTTPS access from web browsers

Step 4: Setting Up SSL Certificates

Security is paramount in a SIEM, so we need to properly configure our SSL certificates:

NODE_NAME=dashboard
mkdir /etc/opensearch-dashboards/certs
tar -xf ./wazuh-certificates.tar -C /etc/opensearch-dashboards/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# in this case there is nothing to rename, because the node is already named "dashboard"
mv -n /etc/opensearch-dashboards/certs/$NODE_NAME.pem /etc/opensearch-dashboards/certs/dashboard.pem
mv -n /etc/opensearch-dashboards/certs/$NODE_NAME-key.pem /etc/opensearch-dashboards/certs/dashboard-key.pem
chmod 500 /etc/opensearch-dashboards/certs
chmod 400 /etc/opensearch-dashboards/certs/*
chown -R opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/certs

What's happening in this certificate setup?

  1. We set our node name as "dashboard"
  2. Create the certificates directory
  3. Extract the specific certificates we need from our certificate bundle
  4. Rename them to match our configuration expectations
  5. Set proper permissions (500 for directory, 400 for files) - this is crucial for security!
  6. Change ownership to the opensearch-dashboards user

The comment in the script (originally in French) notes that since our node is already named "dashboard", the rename steps don't actually change anything here; they only matter when NODE_NAME differs from the filenames the configuration expects.

Step 5: Starting the Service

Time to bring our dashboard to life:

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

This sequence:

  1. Reloads the systemd daemon to recognize our new service
  2. Enables the dashboard to start automatically on boot
  3. Starts the service immediately

Step 6: Connecting to the Wazuh Server

We need to tell our dashboard where to find the Wazuh management server. Edit this file:

File: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

hosts:
  - default:
      url: "https://<WAZUH_SERVER_IP_ADDRESS>"
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false

Replace <WAZUH_SERVER_IP_ADDRESS> with your actual Wazuh server's IP address or hostname. This configuration tells the dashboard:

  • Where to find the Wazuh API (port 55000)
  • What credentials to use for API access
  • That API requests are made as the configured wazuh-wui user rather than on behalf of the logged-in dashboard user (run_as: false)

Step 7: Version Management

To prevent accidental updates that might break our carefully configured setup:

sudo apt-mark hold wazuh-dashboard

This "holds" the package at its current version, preventing automatic updates during system upgrades.

Step 8: The Moment of Truth

Now for the exciting part - accessing your dashboard! Open your web browser and navigate to:

https://bonsaii.local

You should be greeted with the Wazuh Dashboard login interface. Use the credentials you configured during your initial setup.

What's Next?

With your dashboard now running, you have a powerful web interface for:

  • Real-time monitoring of security events
  • Creating custom dashboards for your specific use cases
  • Investigating security incidents with detailed drill-down capabilities
  • Managing your Wazuh deployment through the web interface

In our next installment, we'll dive into configuring agents and starting to collect real security data. The foundation is solid - now it's time to start seeing the fruits of our labor!

Pro Tips

  • Always access your dashboard via HTTPS - never disable SSL in a production environment
  • Consider setting up proper DNS entries instead of relying on local hostnames
  • Regularly backup your dashboard configurations and customizations
  • Monitor the dashboard service logs if you encounter any issues: journalctl -u wazuh-dashboard

Your SIEM is really starting to take shape now! The dashboard gives you that professional, enterprise-grade interface that makes all the complex security data accessible and actionable.

Troubleshooting Common Issues

Dashboard Won't Start

Check the service status:

systemctl status wazuh-dashboard

Review the logs:

journalctl -u wazuh-dashboard -f

Certificate Errors

Verify certificate permissions:

ls -la /etc/opensearch-dashboards/certs/

Ensure all certificates are present and have correct ownership.
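The following script automates this check for the certificate layout set up in Step 4 (500 on the directory, 400 on each file, owned by the service account) and adds an expiry warning. It is an added example, not part of the original post; the default owner name and the openssl-based expiry check are assumptions based on the post's layout, and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: verifies that the certificate
# directory from Step 4 has the expected files, modes and owner, and warns
# about certificates nearing expiry. Assumes GNU stat and the openssl CLI.
# Usage: check_dashboard_certs /etc/opensearch-dashboards/certs
#        check_cert_expiry /etc/opensearch-dashboards/certs/dashboard.pem 30

# check_dashboard_certs DIR [OWNER] -> prints one line per problem and
# returns nonzero if any check fails. OWNER defaults to the post's account.
check_dashboard_certs() {
    dir="$1"; owner="${2:-opensearch-dashboards}"; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "500" ] || { echo "FAIL: $dir mode is $mode, expected 500"; rc=1; }
    # the three files referenced by opensearch_dashboards.yml in Step 3
    for f in dashboard.pem dashboard-key.pem root-ca.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: missing $dir/$f"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$dir/$f")
        [ "$mode" = "400" ] || { echo "FAIL: $dir/$f mode is $mode, expected 400"; rc=1; }
        fowner=$(stat -c '%U' "$dir/$f")
        [ "$fowner" = "$owner" ] || { echo "FAIL: $dir/$f owned by $fowner, expected $owner"; rc=1; }
    done
    return "$rc"
}

# check_cert_expiry PEM [DAYS] -> returns nonzero if the certificate expires
# within DAYS (default 30); openssl's -checkend takes the window in seconds.
check_cert_expiry() {
    pem="$1"; days="${2:-30}"
    if openssl x509 -noout -checkend $(( days * 86400 )) -in "$pem" >/dev/null 2>&1; then
        return 0
    fi
    echo "WARN: $pem is missing, unreadable, or expires within $days days"
    return 1
}
```

Run check_dashboard_certs right after Step 4 and again whenever the dashboard fails to start with a certificate error; check_cert_expiry fits in a cron job so renewals are not missed.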

Connection Issues

Test connectivity to OpenSearch:

curl -k https://bonsaii.local:9200

Verify your configuration file syntax and network connectivity.

Security Considerations

  • Change default passwords immediately after installation
  • Use strong, unique passwords for all service accounts
  • Regularly update SSL certificates before they expire
  • Monitor access logs for suspicious activity
  • Implement proper firewall rules to restrict access
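To turn the first two points into something you can run against the files edited in Steps 3 and 6, here is an added example (not from the original post) that flags the default kibanaserver and wazuh-wui passwords, disabled browser HTTPS, and a disabled OpenSearch certificate check. It assumes the flat "key: value" layout shown in the post rather than arbitrary YAML, and takes both file paths as parameters.

```shell
#!/bin/sh
# Added example, not from the original post: audits the two dashboard config
# files for the weak settings the Security Considerations list warns about.
# Usage: audit_dashboard_config /etc/wazuh-dashboard/opensearch_dashboards.yml \
#            /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

# yaml_value FILE KEY -> prints the value of the first "KEY: value" line,
# with leading whitespace and surrounding quotes removed (simple lines only)
yaml_value() {
    grep -E "^[[:space:]]*$2:" "$1" 2>/dev/null | head -n 1 \
        | sed -E "s/^[[:space:]]*$2:[[:space:]]*//; s/[\"']//g; s/[[:space:]]+\$//"
}

# audit_dashboard_config OSD_YML WAZUH_YML -> prints one line per finding and
# returns the number of findings (0 means nothing was flagged)
audit_dashboard_config() {
    osd="$1"; wazuh="$2"; findings=0
    v=$(yaml_value "$osd" "server.ssl.enabled")
    if [ "$v" != "true" ]; then
        echo "FINDING: server.ssl.enabled is '${v:-unset}'; browser sessions are not protected by HTTPS"
        findings=$((findings + 1))
    fi
    v=$(yaml_value "$osd" "opensearch.ssl.verificationMode")
    if [ "$v" = "none" ]; then
        echo "FINDING: opensearch.ssl.verificationMode is 'none'; the OpenSearch certificate is not verified"
        findings=$((findings + 1))
    fi
    v=$(yaml_value "$osd" "opensearch.password")
    if [ "$v" = "kibanaserver" ]; then
        echo "FINDING: opensearch.password is still the default 'kibanaserver'"
        findings=$((findings + 1))
    fi
    # wazuh.yml nests the credentials under hosts -> default, so match the
    # indented "password:" line rather than a dotted key
    v=$(yaml_value "$wazuh" "password")
    if [ "$v" = "wazuh-wui" ]; then
        echo "FINDING: the Wazuh API password in $wazuh is still the default 'wazuh-wui'"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

The post's own configuration from Steps 3 and 6 produces two findings (both default passwords), which is exactly what the first bullet asks you to fix before exposing the dashboard.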

Next Steps

In Part 5, we'll cover:

  • Installing and configuring Wazuh agents
  • Setting up log collection from various sources
  • Creating your first security rules and alerts
  • Testing the complete SIEM pipeline

Stay tuned for more exciting SIEM building adventures!
