Difference between revisions of "KHIKA User Guide"

(Index)
 
(61 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[[File:Example.jpg]]Under construction. The user guide to come here.
+
== Index ==
  
== Accessing the KHIKA Gui ==
+
[[Accessing the KHIKA Gui]]
 +
:[[Accessing the KHIKA Gui#Login|Login]]
 +
:[[Accessing the KHIKA Gui#Change the password|Change the password]]
 +
:[[Accessing the KHIKA Gui#Creating a User Group|Creating a User Group]]
 +
:[[Accessing the KHIKA Gui#Creating a Workspace|Creating a Workspace]]
 +
:[[Accessing the KHIKA Gui#Creating a new User|Creating a new User]]
 +
:[[Accessing the KHIKA Gui#Access Control in KHIKA|Access Control in KHIKA]]
  
=== Login ===
+
[[Getting Data into KHIKA]]
 +
:[[Getting Data into KHIKA#Introduction|Introduction]]
 +
:[[Getting Data into KHIKA#Data Flow and Components in KHIKA|Data Flow and Components in KHIKA]]
 +
:[[Load KHIKA App| Loading KHIKA Apps]]
 +
:[[KHIKA Apps | KHIKA Apps]]
 +
:[[Getting Data into KHIKA#Importing an Application|Importing an Application]]
 +
:[[Getting Data into KHIKA#Exporting an Application|Exporting an Application]]
 +
:[[Getting Data into KHIKA#Server monitoring in KHIKA using OSSEC|Server monitoring in KHIKA using OSSEC]]
 +
::[[Getting Data into KHIKA#Installing OSSEC Agent for Linux|Installing OSSEC Agent for Linux]]
 +
::[[Getting Data into KHIKA#Installing OSSEC Agent for Windows|Installing OSSEC Agent for Windows]]
 +
::[[Getting Data into KHIKA#Configuring OSSEC Adapter in KHIKA|Configuring OSSEC Adapter in KHIKA]]
 +
::[[Getting Data into KHIKA#Adding the device in the Adaptor|Adding the device in the Adaptor]] [https://drive.google.com/open?id=1fvO5XzJfXEykSllfR0qRPGwlH-FyqYgd  (see video)]
 +
::[[Getting Data into KHIKA#Extract key from KHIKA OSSEC Server|Extract key from KHIKA OSSEC Server]]
 +
::[[Getting Data into KHIKA#Insert unique OSSEC key in Linux OSSEC Agent|Insert unique OSSEC key in Linux OSSEC Agent]]
 +
::[[Getting Data into KHIKA#Insert unique OSSEC key in Windows OSSEC Agent|Insert unique OSSEC key in Windows OSSEC Agent]]
 +
::[[Getting Data into KHIKA#Reload Configuration|Reload Configuration]]
 +
::[[Getting Data into KHIKA#Verifying OSSEC data collection|Verifying OSSEC data collection]]
 +
::[[Getting Data into KHIKA#Troubleshooting|Troubleshooting]]
 +
:[[Getting Data into KHIKA#Monitoring in KHIKA using Syslog forwarding|Monitoring in KHIKA using Syslog forwarding]]
  
In this section we assume that your VM is ready. You can login into the GUI using the Web Browser (Google Chrome) for further configuration of KHIKA.
+
[[Discover or Search Data in KHIKA]]
''Note: KHIKA does not support any browser apart from Google Chrome.''
+
:[[Discover or Search Data in KHIKA#Introduction|Introduction]]
 +
:[[Discover or Search Data in KHIKA#Index Pattern|Index Pattern]]
 +
:[[Discover or Search Data in KHIKA#Setting the Time Filter|Setting the Time Filter]]
 +
:[[Discover or Search Data in KHIKA#Searching Your Data|Searching Your Data]]
 +
:[[Discover or Search Data in KHIKA#Lucene Query Syntax|Lucene Query Syntax]]
 +
:[[Discover or Search Data in KHIKA#Saving and Opening Searches|Saving and Opening Searches]]
 +
:[[Discover or Search Data in KHIKA#Changing the Index|Changing the Index]]
 +
:[[Discover or Search Data in KHIKA#Refreshing the Search Results|Refreshing the Search Results]]
 +
:[[Discover or Search Data in KHIKA#Filtering by Field|Filtering by Field]]
 +
:[[Discover or Search Data in KHIKA#Managing Filters|Managing Filters]]
 +
:[[Discover or Search Data in KHIKA#Viewing Document Data|Viewing Document Data]]
  
Open the Google Chrome browser and enter IP address of KHIKA server. The URL is in the format : "https://IP_address_of_KHIKA_App_Server"
+
[[KHIKA Visualizations]]
 +
:[[KHIKA Visualizations#What is a KHIKA Visualization?|What is a KHIKA Visualization?]]
 +
:[[KHIKA Visualizations#Creating a Visualization|Creating a Visualization]]
 +
:[[KHIKA Visualizations#Examples of Visualization|Examples of Visualization]]
 +
::[[KHIKA Visualizations#Area Chart|Area Chart]]
 +
::[[KHIKA Visualizations#Heat Map|Heat Map]]
 +
::[[KHIKA Visualizations#Horizontal and Vertical Bar Chart|Horizontal and Vertical Bar Chart]]
 +
::[[KHIKA Visualizations#Line chart|Line chart]]
 +
::[[KHIKA Visualizations#Pie Chart|Pie Chart]]
 +
::[[KHIKA Visualizations#Data Table|Data Table]]
 +
::[[KHIKA Visualizations#Gauge|Gauge]]
 +
::[[KHIKA Visualizations#Goal|Goal]]
 +
::[[KHIKA Visualizations#Metric|Metric]]
  
Note that the certificate for the web server is self-signed and hence the browse will warn you at this. You may ignore this warning and proceed.
+
[[KHIKA Dashboards]]
 +
:[[KHIKA Dashboards#Introduction|Introduction]]
 +
:[[KHIKA Dashboards#Creating a Dashboard|Creating a Dashboard]]
 +
:[[KHIKA Dashboards#Editing Elements on a Dashboard|Editing Elements on a Dashboard]]
 +
:[[KHIKA Dashboards#Viewing Visualization data on Dashboard|Viewing Visualization data on Dashboard]]
 +
:[[KHIKA Dashboards#Searching / Filtering data on the dashboard|Searching / Filtering data on the dashboard]]
 +
::[[KHIKA Dashboards#Steps for Adding a Filter on a Dashboard|Steps for Adding a Filter on a Dashboard]]
 +
::[[KHIKA Dashboards#Steps to Search and Save on a Dashboard|Steps to Search and Save on a Dashboard]]
  
 +
[[KHIKA Reports]]
 +
:[[KHIKA Reports#Introduction|Introduction]]
 +
:[[KHIKA Reports#Adding a Report|Adding a Report]]
 +
:[[KHIKA Reports#Scheduling Reports|Scheduling Reports]]
 +
:[[KHIKA Reports#Generating KHIKA Report Manually|Generating KHIKA Report Manually]]
 +
:[[KHIKA Reports#Report History|Report History]]
 +
:[[KHIKA Reports#Downloading a Report|Downloading a Report]]
  
[[File:Login1.jpg|600px]]
+
[[KHIKA Alerts & Correlations]]
 +
:[[KHIKA Alerts & Correlations#Introduction|Introduction]]
 +
:[[KHIKA Alerts & Correlations#Alert Dashboard|Alert Dashboard]]
 +
:[[KHIKA Alerts & Correlations#Creating your own Alerts in KHIKA|Creating your own Alerts in KHIKA]]
 +
::[[KHIKA Alerts & Correlations#Before creating an alert :|Before creating an alert :]]
 +
::[[KHIKA Alerts & Correlations#Creating a Simple Alert: Logon Failure on Windows|Creating a Simple Alert: Logon Failure on Windows]]
 +
::[[KHIKA Alerts & Correlations#Slightly Advanced Alert: Multiple Logon failure on Windows for the same user|Slightly Advanced Alert: Multiple Logon failure on Windows for the same user]]
 +
::[[KHIKA Alerts & Correlations#More Advanced Alert: 10 or more unique network connections for a windows host within 1 minute|More Advanced Alert: 10 or more unique network connections for a windows host within 1 minute]]
 +
::[[KHIKA Alerts & Correlations#Advanced Alert: A successful brute-force attack|Advanced Alert: A successful brute-force attack]]
 +
:[[KHIKA Alerts & Correlations#Alert emails for Stakeholders|Alert emails for Stakeholders]]
  
 +
[[Working with KHIKA Adapters]]
 +
:[[Working with KHIKA Adapters#Introduction|Introduction]]
 +
:[[Working with KHIKA Adapters#Adding Adapters|Adding Adapters]]
 +
:[[Working with KHIKA Adapters#Searching Adapters|Searching Adapters]]
 +
:[[Working with KHIKA Adapters#Assigning Data Aggregator Node to Adapters|Assigning Data Aggregator Node to Adapters]]
 +
:[[Working with KHIKA Adapters#Disabling Data Aggregator to Adapters|Disabling Data Aggregator to Adapters]]
 +
:[[Working with KHIKA Adapters#Modifying Adapters|Modifying Adapters]]
 +
:[[Working with KHIKA Adapters#Deleting Adapters|Deleting Adapters]]
 +
:[[Write Your Own Adapter|Writing your own Adaptor]]
  
Click Advanced to proceed to get below message
+
[[Working with KHIKA Aggregators]]
 +
:[[Working with KHIKA Aggregators#Introduction|Introduction]]
 +
:[[Working with KHIKA Aggregators#Adding New Data Aggregator|Adding New Data Aggregator]]
 +
:[[Working with KHIKA Aggregators#Assigning Data Aggregator Node to Workspace|Assigning Data Aggregator Node to Workspace]]
 +
:[[Working with KHIKA Aggregators#Deleting Data Aggregator Node|Deleting Data Aggregator Node]]
 +
:[[Working with KHIKA Aggregators#Deleting Data Aggregator from Workspace|Deleting Data Aggregator from Workspace]]
 +
:[[Working with KHIKA Aggregators#Assign Adapter to Data Aggregator|Assign Adapter to Data Aggregator]]
 +
:[[Working with KHIKA Aggregators#Disabling Adapter to Data Aggregator|Disabling Adapter to Data Aggregator]]
  
 +
[[KHIKA Workspaces]]
 +
:[[KHIKA Workspaces#Introduction|Introduction]]
 +
:[[KHIKA Workspaces#Adding a Workspace|Adding a Workspace]]
 +
:[[KHIKA Workspaces#Suspending a Workspace|Suspending a Workspace]]
 +
:[[KHIKA Workspaces#Resetting a Workspace|Resetting a Workspace]]
 +
:[[KHIKA Workspaces#Applying Configuration to Workspace|Applying Configuration to Workspace]]
 +
:[[KHIKA Workspaces#Archiving a Workspace|Archiving a Workspace]]
 +
:[[KHIKA Workspaces#Adding Data Aggregator to a Workspace|Adding Data Aggregator to a Workspace]]
 +
:[[KHIKA Workspaces#Adding Adapter to a Workspace|Adding Adapter to a Workspace]]
 +
:[[KHIKA Workspaces#Defining and Configuring a Report|Defining and Configuring a Report]]
 +
:[[KHIKA Workspaces#Deleting a Workspace|Deleting a Workspace]]
  
[[File:Login2.jpg|600px]]
+
[[Data Enrichment in KHIKA]]
 +
:[[Data Enrichment in KHIKA#About Enrichment|About Enrichment]]
 +
:[[Data Enrichment in KHIKA#Enrichment of logs in KHIKA|Enrichment of logs in KHIKA]]
 +
:[[Define your own enrichment]]
  
 +
[[Hardening Monitoring & Analysis]]
 +
:[[Hardening Monitoring & Analysis#Introduction|Introduction]]
 +
:[[Hardening Monitoring & Analysis#Business Process flow for Linux Hardening|Business Process flow for Linux Hardening]]
 +
:[[Hardening Monitoring & Analysis#Hardening Dashboard|Hardening Dashboard]]
  
Following landing page for user login appears.
+
[[Data Archival in KHIKA]]
 +
:[[Data Archival in KHIKA#Overview|Overview]]
 +
:[[Data Archival in KHIKA#Data Archival Workflow|Data Archival Workflow]]
 +
:[[Data Archival in KHIKA#For SaaS|For SaaS]]
 +
:[[Data Archival in KHIKA#For On-Premise|For On-Premise]]
 +
:[[Data Archival in KHIKA#View Data Retention Settings|View Data Retention Settings]]
 +
:[[Data Archival in KHIKA#View Data Archival Status|View Data Archival Status]]
  
 +
[[File Integrity Monitoring]]
  
[[File:Login3.jpg|600px]]
+
[[SMTP Server Settings]]
  
 +
[[Start and Stop KHIKA]]
 +
:[[Start and Stop KHIKA#Overview|Overview]]
 +
:[[Start and Stop KHIKA#Node Stop and Start Procedure|Node Stop and Start Procedure]]
 +
:[[Start and Stop KHIKA#Application Server Start and Stop|Application Server Start and Stop]]
  
If you wish to install your own certificate, please perform below steps
+
[[About OSSEC]]
*Login to the appliance using ‘khika’ user using your favourite ssh client
+
:[[About OSSEC#Overview|Overview]]
*cd /opt/KHIKA/kibana/config
+
:[[About OSSEC#What is OSSEC?|What is OSSEC?]]
*Open kibana.yml in ‘vi’ editor
+
:[[About OSSEC#Why Khika integrates closely with OSSEC?|Why Khika integrates closely with OSSEC?]]
*Locate section ‘server.ssl.enabled’. It looks like below
 
  
 +
[[FAQs]]
  
[[File:Login4.jpg|600px]]
+
<br/>
 +
Refer the next section for [[Accessing the KHIKA Gui]]
  
 
+
<br/>
The default self-signed certificates are installed in following directory: /opt/KHIKA/3rdpartyUnix/Apache24/conf/
+
[[KHIKA Videos | Go to KHIKA Videos]]
 
 
Note that KHIKA supports PEM-Format SSL certificates. Please refer to the documentation of your certificate vendor to convert your certificates into the PEM format, if they are in any other format.
 
 
 
*After you have the .crt (i.e. the certificate) and the .key (i.e. private key) files, copy them in /opt/KHIKA/3rdpartyUnix/Apache24/conf/ directory.
 
*Change the filenames (and directory paths if you have copied the certificate and key anywhere else) if required in kibana.yml file
 
*Make sure that the ‘server.ssl.certificate’ stanza points to the full path of the certificate and ‘server.ssl.key’ stanza points to the full path of the private keys.
 
*After editing and saving kibana.yml, come to the command prompt. Enter cd /opt/KHIKA and fire command “./khika_appserver.sh stop”
 
*Wait for some time (2 to 3 minutes)
 
*Fire command ‘./khika_appserver.sh start’ from /opt/KHIKA directory
 
*Connect using the fresh session of the browser
 
*Login using default credentials (i.e. username = admin, password = admin).
 
 
 
 
 
=== Change the password ===
 
 
 
After logging in for the first time (default user=admin and password=admin), it is recommended to change the password. Steps are mentioned below :
 
 
 
Select “Configure” screen from the left pane
 
 
 
 
 
[[File:Pwd1.jpg|600px]]
 
 
 
 
 
Click on “Users” tab
 
 
 
 
 
[[File:Pwd2.jpg|600px]]
 
 
 
 
 
Click on “Change Password” button
 
 
 
 
 
[[File:Pwd3.jpg|600px]]
 
 
 
 
 
Type the desired password in “New Password” and “Confirm Password” fields. Click on “Change password”
 
 
 
 
 
[[File:Pwd4.jpg|600px]]
 
 
 
 
 
=== Creating a User Group ===
 
 
 
You must be an “admin” user and a user in “admin group” for managing Users and User Groups.
 
A User Group is like a team, in which you can add/remove team members (Users) and assign roles to them. One single User Group is mapped to a Workspace. We can decide which users are a part of this group, and hence can get access to the data in this Workspace.
 
User groups are primarily created to restrict access to Workspaces, and thus data in them.
 
Following are the steps to create a new User Group :
 
 
 
In the “Configure” screen, click on “User Groups” tab.
 
 
 
 
 
[[File:Ug1.jpg|600px]]
 
 
 
 
 
Click on “Create Group” button
 
 
 
 
 
[[File:Ug2.jpg|600px]]
 
 
 
 
 
Type say, “network_team” for Group Name field and click on “Add”
 
 
 
 
 
[[File:Ug3.jpg|600px]]
 
 
 
 
 
We have now successfully created a User Group. This can be mapped to a workspace. However, while creating a User Group itself, we can add Users to it as well.
 
Creating Users, Creating User group, Creating Workspace and Mapping Workspace to User Group are dependent on each other.
 
 
 
 
 
=== Creating a Workspace ===
 
 
 
Workspace is a logical grouping of data sources clubbed together. Workspace consists of :
 
 
 
*Data Aggregator – the collector component from where the data is to be pulled.
 
*Adapters - data collection programs (or scripts) run by the Data Aggregator that convert the raw data to indexed normalised format.
 
 
 
A single Data Aggregator may have multiple Adapters under it.
 
Only a user with “Admin” role can create a new Workspace.
 
You may want to create multiple workspaces for separating data of multiple devices. When different user groups are assigned to each Workspace, each team has access to and can monitor its own separate devices and data. For example, if you have Linux and Windows servers you can make a separate workspace for Linux team and add Linux devices in it and a separate one for Windows workspace and add windows devices in it. Further if there are multiple locations like say Pune and Jamshedpur, you can create separate workspaces for Linux Pune and Linux Jamshedpur teams.
 
Please Note : Multiple workspaces of a single location share one aggregator of that location.
 
For creating a workspace, follow the steps as mentioned below :
 
 
 
In the “Configure” screen, select “Workspace” tab
 
 
 
 
 
[[File:Workspace1.jpg|600px]]
 
 
 
 
 
Click on “Add Workspace” button
 
 
 
 
 
[[File:Workspacec2.jpg|600px]]
 
 
 
 
 
Enter name of the Workspace as “Firewall” in the Workspace Name field. This should be an alpha-numeric string without white spaces.
 
Enter Data Retention (time-to-live) period in days as 30 or 60 days (depending on how long you want to retain the data).
 
 
 
Note on Data Retention in KHIKA: - KHIKA stores data on the local disk. The amount of data that KHIKA can store is only limited by the amount of disk you have. Data can be categorized into two types:
 
#Raw/Log Data (raw messages converted into key-value pairs)
 
#Report Data (i.e. the summarized data derived from the raw logs)
 
 
 
Select the User Group in which you want to add the Workspace from the Group drop-down list.
 
 
 
 
 
[[File:Workspace3.jpg|600px]]
 
 
 
 
 
Click on the “Node” Tab. Select “localhost” as the node here and click on “Add”.
 
Data size field – you can keep it as default value for now.
 
 
 
 
 
=== Creating a new User ===
 
 
 
Only users with “Admin” role can create new users. Steps are mentioned below :
 
Go to “Users” tab on the “Configure” screen.
 
 
 
 
 
[[File:User1.jpg|600px]]
 
 
 
 
 
Click on “New User”
 
 
 
 
 
[[File:User2.jpg|600px]]
 
 
 
 
 
The following dialog box is displayed.
 
 
 
 
 
[[File:User3.jpg|600px]]
 
 
 
 
 
Following table lists the various fields in the New User dialog box. Enter information in the dialog box accordingly.
 
 
 
 
 
{| class="wikitable"
 
|-
 
! Fields !! Description
 
|-
 
| User Name || Name assigned to the user. It should be at least eight characters long.
 
|-
 
| First Name || First name associated with the User.
 
|-
 
| Last Name || Last name associated with the User.
 
|-
 
| Email|| Email ID associated with the User.
 
|-
 
| Password || Password unique to the user
 
|-
 
|Re-enter Password||Re-enter to confirm above password
 
|}
 
 
 
 
 
Click on “Add” button in the bottom
 
 
 
 
 
[[File:User4.jpg|600px]]
 
 
 
 
 
*Assign appropriate role – “Admin” or “Staff” to the new user. Admin users can further create new users, create new alert rules etc. Staff users have read-only access to the system, that serves the purpose of monitoring without any modifications to the configuration.
 
*Go to “Users” tab on the “Configure” screen.
 
 
 
 
 
[[File:User5.jpg|600px]]
 
 
 
 
 
Click  on “Set Role” button of the user for whom you want to assign the role. (In our case it is “user1”)
 
 
 
 
 
[[File:User6.jpg|600px]]
 
 
 
 
 
Select Admin/Staff option from the “Select Role” dropdown.
 
 
 
 
 
[[File:User7.jpg|600px]]
 
 
 
 
 
Click on “Save”
 
 
 
 
 
[[File:User8.jpg|600px]]
 
 
 
 
 
User is created successfully and the list of users can be seen in this tab, for any user management.
 
 
 
 
 
[[File:User9.jpg|600px]]
 
 
 
 
 
Add the new user to the User group. Click on “User Groups” tab
 
 
 
 
 
[[File:User10.jpg|600px]]
 
 
 
 
 
Select the group to which you want to add user in the group dropdown. (In our case it is “network_team”)
 
 
 
 
 
[[File:User11.jpg|600px]]
 
 
 
 
 
Click on “Add User” button.
 
 
 
 
 
[[File:User12.jpg|600px]]
 
 
 
 
 
Select the user you wish to add to user group in “Select Users” dropdown. In our case it is “business_user”
 
 
 
 
 
[[File:User13.jpg|600px]]
 
 
 
 
 
Click on “Add” button.
 
 
 
 
 
[[File:User14.jpg|600px]]
 
 
 
 
 
Our new user “business_user” is now added to the group “network_team”.
 
 
 
 
 
=== Access Control ===
 
 
 
Let us try to understand a bit more about users, user groups and access control. A ‘KHIKA’ user can have access to one or more workspaces. Before creating workspaces, it is important to think which users will have access to which workspaces. Perform following steps to provide controlled access to individual users in ‘KHIKA’
 
 
 
*Design your workspaces with a clear view and understanding of the data
 
*You must know who is going to need access to the data and the level of access required
 
*As a thumb rule, you must create a separate workspace for the data that needs restricted access. (Example:- If you don’t want your Server team to have access to your Firewall data, create a separate workspace for your Firewall data)
 
*Create different “User Groups”, one per “Workspace”
 
*While creating the Workspace, carefully assign it to an appropriate “User Group”
 
*Create Users and assign them to one or more “user Group/s” depending on the access requirements.
 
 
 
 
 
Refer the next section for [[Getting Data into KHIKA|integrating your logs data into KHIKA]]
 
 
 
== Getting Data into KHIKA ==
 
 
 
On completing the configuration steps from previous sections, we are ready to take in data from various devices into KHIKA.
 
Network devices like Firewalls, Routers/Switches, Web proxies etc use Syslog protocol most of the times to forward the data to the KHIKA Aggregator. Linux and Windows Servers use OSSEC Agents and it’s Integration with KHIKA to forward the data.
 
Integrating a device into KHIKA can be done in either of the ways and involves some basic steps :
 
 Pointing the device to be monitored to KHIKA data collector. This can be in different ways (explained separately in sections below for syslog and ossec)
 
 
 
 On the KHIKA end, making the device entry at the adaptor level.
 
For this step, on the KHIKA end, there are two ways of configuring the adaptor.
 
o Install an Application – This is the most recommended method to configure. KHIKA ships some standard applications and it is explained in the next section how to install an Application. This step includes adaptor configuration and adaptors don’t have to be added separately if you have installed relevant application
 
 
 
By Installing an application, you not only get an adaptor configured but also the relevant reports, dashboards and real time critical correlation alerts for this data source are configured in just a single click – by just installing the application.
 
 
 
o Configure an adaptor in the right workspace, within the KHIKA data collector. This step is required only when you have not installed an application. For example, in case of any specific web application logs in your organisation etc.
 
 
 
 
 
=== Data Flow and Components in KHIKA  ===
 
 
 
 
 
Data is sent from the end node or data source to KHIKA data collector or Aggregator node locally within its network. Inside the Aggregator there are Adaptors, one for each data type. Each Adaptor receives data, parses and normalises it to KHIKA proprietary data format. This is sent to KHIKA application server where it is acted upon by the correlation engine, indexer and storage. This data is stored in the workspace meant for this data type or access. KHIKA creates output in the form of Reports and Dashboards, real time Alerts and Search.
 
Following is a diagram for the same.
 
 
 
 
 
data1
 
 
 
 
 
There can be multiple aggregator nodes collecting data from different locations and transferring data to a single KHIKA App server.
 
When we install an Application, as explained in the following section, the relevant adaptor is configured inside the correct aggregator, and the relevant alerts and reports are configured. There are different inbuilt applications each for standard data sources.
 
When we do not install an application, we have to add the relevant adaptor for that data type into its aggregator node. This step has to be done while the correct workspace is selected.
 
Workspace contains an Aggregator and an Adaptor.
 
A KHIKA user can have access to one or more workspaces. Before creating workspaces, it is important to think which users will have access to which workspaces. Design your workspaces with a clear view and understanding of the data. As a thumb rule, you must create a separate workspace for the data that needs restricted access. (Example:- If you don’t want your IT team to have access to your HR data, create a separate workspace for your HR data). Create different “User Groups”, one per “Workspace”. While creating the Workspace, carefully assign it to an appropriate “User Group”. Create Users and assign them to one or more “user Group/s” depending on the access requirements.
 
 
 
 
 
=== KHIKA Apps  ===
 
 
 
 
 
Go to the [[Load KHIKA App|Load a KHIKA App]] section for more.
 
 
 
 
 
=== Importing an Application ===
 
 
 
This feature is useful when there are newer KHIKA applications, which are not part of the current build. If there are data sources in your network for which there are newly developed KHIKA applications, KHIKA developers can export the KHIKA application (a .tar.gz file)
 
Once you receive it, you can simply import it in a few easy steps. After importing, you can see it in the Applications list, install the imported application as explained in the section 3.1.
 
Select Configure from the left panel. Select the appropriate workspace from the workspace dropdown on the top right. Go to the “Application” tab. Click on “Import Or Export Apps”
 
 
 
 
 
Import1
 
 
 
 
 
You will get a pop up as shown :
 
 
 
 
 
Import2
 
 
 
 
 
Click on “Choose App” button. This will open a browser windows to select the application’s exported file from your local machine, where you have saved it.
 
 
 
 
 
Import3
 
 
 
 
 
Select the file and click on “Upload” button. Click on Close button. We get a confirmation message in a pop up, after successful; upload and import of application.
 
 
 
 
 
Import4
 
 
 
 
 
The newly imported application is now visible in the applications list. When we enter “linux” in search, now we see the additional linux application.
 
 
 
 
 
Import5
 
 
 
 
 
=== Exporting an Application ===
 
 
 
Select Configure from the left panel. Select the appropriate workspace from the workspace dropdown on the top right. Go to the “Application” tab. Click on “Import Or Export Apps”
 
 
 
 
 
export1
 
 
 
 
 
You will get a pop up as shown.  Select “Export App” tab on the top.
 
 
 
 
 
export2
 
 
 
 
 
Another pop up appears where we can enter and select details to be exported in the application.
 
 
 
 
 
export3
 
 
 
 
 
The fields in this pop up are explained in the table below.
 
 
 
 
 
export4
 
 
 
 
 
table
 
 
 
 
 
Click on “Export App” button.
 
 
 
 
 
export5
 
 
 
 
 
Confirmation message appears on successful export.
 
 
 
 
 
export6
 
 
 
 
 
This application, ready to be exported is now visible in the applications list.
 
 
 
 
 
export7
 
 
 
 
 
Click on the download icon next to this application,
 
 
 
 
 
export8
 
 
 
 
 
Now from our example screenshot, this is downloaded as “Linux_ossec_Application.tar.gz” on your local machine.
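Review bot: The restructured index drops the certificate-replacement procedure without a link to replace it: the removed text (default self-signed certificate in /opt/KHIKA/3rdpartyUnix/Apache24/conf/, PEM-only certificate support, pointing the server.ssl.certificate and server.ssl.key stanzas in /opt/KHIKA/kibana/config/kibana.yml at the new files, then ./khika_appserver.sh stop and start) is gone, but the new "Accessing the KHIKA Gui" entries list only Login, Change the password, Creating a User Group, Creating a Workspace, Creating a new User and Access Control in KHIKA. Either add a sub-entry for installing your own certificate under the Login entry or confirm that the moved page still carries it under its Login heading. Two smaller points in the same region: the entry `:[[Accessing the KHIKA Gui#Access Control in KHIKA|Access Control in KHIKA]]` targets a section anchor that differs from the removed heading `=== Access Control ===`, so the fragment only resolves if the moved page renamed that heading; and the link labels mix "Adaptor" (`[[Write Your Own Adapter|Writing your own Adaptor]]`, "Adding the device in the Adaptor") with the "Adapter" spelling used everywhere else in the index.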
 

Latest revision as of 02:05, 31 March 2020
