Wazuh don't work

[Thiago Orssato]

Hi!

I'm have a Wazuh 4.8.1 in production subscribe in AWS Marketplace. Actualy it no work on browser, showing the message "Wazuh dashboard server is not ready yet".

In instance EC2, the services are running.

Analysing the logs with commands "journalctl -u wazuh-dashboard | grep -i -E "error|warning" "

The command "filebeat test output"

The open ports:

How can i need to do to resolve this?

Thanks.

[Anthony Faruna]

Hello Thiago,

The message "Wazuh dashboard server is not ready yet" usually appears when you have just started or restarted the Wazuh dashboard.

It can also be produced for one of the following reasons:

1. Your Wazuh dashboard cannot communicate with the Wazuh indexer service.
2. Your Wazuh dashboard service has some error that causes it to reboot constantly.
3. Your Wazuh indexer service is not running or has some error.

To get more detail about these possible problems, do the following:

Verify that the Wazuh dashboard configuration file has the correct Wazuh indexer IP:
File: "/etc/wazuh-dashboard/opensearch_dashboards.yml"
Line: "opensearch.hosts: https://<wazuh-indexer-ip>:9200"

Verify that you have connectivity between the Wazuh dashboard node and the Wazuh indexer node:
curl -v telnet://<wazuh-indexer-ip>:9200

Please let me know the details of this information to troubleshoot further what might be the issue.

Best Regards

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cb18c22a-e427-4c00-abb9-ef4005902558n%40googlegroups.com.

[Thiago Orssato]

Hi Anthony!

I verify the confs and follow:

File: /etc/wazuh-dashboard/opensearch_dashboards.yml

server.host: 0.0.0.0
opensearch.hosts: https://localhost:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]

Curl Output:

Thanks

[Anthony Faruna]

Hello Thiago,

Please share the content of the /etc/wazuh-indexer/opensearch.yml file of your Wazuh manager.

Also, please stop the Wazuh manager, indexer, and dashboard services and restart them with the command below

sudo systemctl start wazuh-manager

sudo systemctl start wazuh-dashboard

sudo systemctl start wazuh-indexer

I'm looking forward to your feedback.

Regards

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/45b3f9ae-d5fc-4803-8824-6060223c7350n%40googlegroups.com.

[Thiago Orssato]

Hi Anthony!

Follow the content of the file /etc/wazuh-indexer/opensearch.yml
network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
cluster.name: "wazuh-cluster"

node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true

I restarted the services in order but the erro continue.

[Anthony Faruna]

Hello Thiago,

Please can you change the value of the opensearch.hosts in the  /etc/wazuh-dashboard/opensearch_dashboards.yml file to 127.0.0.1

Please share the output of "journalctl -u wazuh-dashboard | grep -i -E "error|warning"  again.

Regards

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fd139025-3334-4d56-a06f-59ffb27bacb3n%40googlegroups.com.

[Thiago Orssato]

Hi Anthony!

I've make the change on the file "/etc/wazuh-dashboard/opensearch_dashboards.yml", restart the services in order:

sudo systemctl start wazuh-manager
sudo systemctl start wazuh-dashboard
sudo systemctl start wazuh-indexer

Above are the last lines in the output the command "journalctl -u wazuh-dashboard | grep -i -E "error|warning" but the problem continue

ago 26 05:00:58 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:00:58Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:00:58 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:00:58Z","tags":["warning","savedobjects-service"],"pid":20966,"message":"Unable to connect to OpenSearch. Error: search_phase_execution_exception: "}
ago 26 05:01:01 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:01Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:04 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:04Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:06 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:06Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:09 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:09Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:11 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:11Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:14 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:14Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:16 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:16Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:19 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:19Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:21 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:21Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:24 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:24Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:26 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:26Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:29 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:29Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:31 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:31Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:34 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:34Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:36 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:36Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:39 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:39Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:41 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:41Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 05:01:44 wazuh-server opensearch-dashboards[20966]: {"type":"log","@timestamp":"2024-08-26T08:01:44Z","tags":["error","opensearch","data"],"pid":20966,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:10:45 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:10:45Z","tags":["warning","config","deprecation"],"pid":12148,"message":"It is not recommended to disable xsrf protections for API endpoints via [server.xsrf.whitelist]. Instead, supply the \"osd-xsrf\" header."}
ago 26 10:10:50 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:10:50Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:10:50 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:10:50Z","tags":["warning","savedobjects-service"],"pid":12148,"message":"Unable to connect to OpenSearch. Error: search_phase_execution_exception: "}
ago 26 10:10:53 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:10:53Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:10:55 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:10:55Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:10:58 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:10:58Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:11:00 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:11:00Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:11:03 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:11:03Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:11:05 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:11:05Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:11:08 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:11:08Z","tags":["error","opensearch","data"],"pid":12148,"message":"[search_phase_execution_exception]: all shards failed"}
ago 26 10:11:11 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:11:11Z","tags":["error","opensearch","data"],"pid":12148,"message":"[resource_already_exists_exception]: index [.kibana_3/l8vrmaR_R3G2OZCDZnce-w] already exists"}
ago 26 10:11:11 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:11:11Z","tags":["warning","savedobjects-service"],"pid":12148,"message":"Unable to connect to OpenSearch. Error: resource_already_exists_exception: [resource_already_exists_exception] Reason: index [.kibana_3/l8vrmaR_R3G2OZCDZnce-w] already exists"}
ago 26 10:11:11 wazuh-server opensearch-dashboards[12148]: {"type":"log","@timestamp":"2024-08-26T13:11:11Z","tags":["warning","savedobjects-service"],"pid":12148,"message":"Another OpenSearch Dashboards instance appears to be migrating the index. Waiting for that migration to complete. If no other OpenSearch Dashboards instance is attempting migrations, you can get past this message by deleting index .kibana_3 and restarting OpenSearchDashboards."}

[Anthony Faruna]

Hello Thiago,

Please let me know how you deployed your Wazuh instance on AWS.

It seems like your Wazuh dashboard is on a different server from the Wazuh manager and indexer.

Please verify the connectivity between the Wazuh dashboard node and the Wazuh indexer node again and specify 127.0.0.1 as the indexer ip

curl -v telnet://<wazuh-indexer-ip>:9200

I will be expecting your feedback.

Regards

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6cfff07b-c348-4fce-89e7-2a917f25af3fn%40googlegroups.com.

[Thiago Orssato]

Anthony, 

I've deploy the Wazuh through AWS Marketplace with all-in-one according the follow link: https://aws.amazon.com/marketplace/pp/prodview-eju4flv5eqmgq

At test the conection with curl I can access with success. See the print below:

I don't have idea how I can resolv this.

[Anthony Faruna]

Hello Thiago

I'm looking further into your case because it's extraordinary.

I will provide further updates shortly.

Regards

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c80e31e1-fce3-4c22-bd3c-78a63074beecn%40googlegroups.com.

[Anthony Faruna]

Hello Thiago,

Can you access the dashboard now?

I will be expecting your feedback.

Regards

[Thiago Orssato]

Hello Anthony!

Can't I access the dashboard. I continue investigate what cause this problem.
I disable the IPv6 because observed that 9200 port is open in IPv6 then the service started em IPv4, but the problem persist.
Today update the instance and to version 4.9 and the error continues.
I don't know what can to do to resolve this.

[Anthony Faruna]

Hello Thiago

Please let me know if this Wazuh instance was previously working fine before you started experiencing this issue.

Do you have any data you will lose if you subscribe to a new Wazuh instance?

Regards

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/28cf9884-45ad-433a-a524-17d2c05e545an%40googlegroups.com.