Unable to save Wazuh API credentials


Adrian Portway

Jul 7, 2017, 7:58:52 AM
to Wazuh mailing list
Hi,

I'm currently setting up Wazuh and have hit a problem; after some hours of investigation I've come to the conclusion my Google-fu is not up to finding an answer to my problem.

So far the setup has gone smoothly and I can see in Kibana that I have data being saved in Elasticsearch from various servers. However, when I try to set up the Wazuh app by entering the API information and click save, I'm getting the following error:

  • Settings: Some error ocurred, could not save data in elasticsearch.

I also have seen these errors although not when trying to save the API info so I'm assuming they are due to my not having the API link set up.
  • Settings: Error when loading Wazuh setup info

  • Wazuh App: Please set up Wazuh API credentials.

Anyone else come across this problem or might be able to point me in the right direction?

Thank you in advance,

Adrian

Possibly relevant system info:
Ubuntu 16.04 server
all Wazuh elements (i.e. Logstash, Elasticsearch etc.) installed from Debian packages as per instructions at documentation.wazuh.com
Netstat -lp output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:5601                  *:*                     LISTEN      1138/node       
tcp        0      0 *:zabbix-agent          *:*                     LISTEN      1248/zabbix_agentd
tcp        0      0 *:zabbix-trapper        *:*                     LISTEN      1270/zabbix_server
tcp        0      0 localhost:mysql         *:*                     LISTEN      1225/mysqld     
tcp        0      0 *:smtp                  *:*                     LISTEN      2293/master     
tcp        0      0 *:8765                  *:*                     LISTEN      1139/sshd       
tcp6       0      0 localhost:9600          [::]:*                  LISTEN      1135/java       
tcp6       0      0 [::]:zabbix-agent       [::]:*                  LISTEN      1248/zabbix_agentd
tcp6       0      0 [::]:zabbix-trapper     [::]:*                  LISTEN      1270/zabbix_server
tcp6       0      0 localhost:9200          [::]:*                  LISTEN      6539/java       
tcp6       0      0 ip6-localhost:9200      [::]:*                  LISTEN      6539/java       
tcp6       0      0 [::]:http               [::]:*                  LISTEN      1697/apache2    
tcp6       0      0 localhost:9300          [::]:*                  LISTEN      6539/java       
tcp6       0      0 ip6-localhost:9300      [::]:*                  LISTEN      6539/java       
tcp6       0      0 [::]:55000              [::]:*                  LISTEN      1114/nodejs     
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      2293/master     
tcp6       0      0 [::]:https              [::]:*                  LISTEN      1697/apache2    
tcp6       0      0 [::]:               [::]:*                  LISTEN      1139/sshd       
udp        0      0 *:1514                  *:*                                 1804/ossec-remoted
udp        0      0 :60001 *:*                                 2913/mosh-server
udp        0      0 *:52820                 *:*                                 1600/snmpd      
udp        0      0 *:bootpc                *:*                                 966/dhclient    
udp        0      0 localhost:snmp          *:*                                 1600/snmpd      


Manuel Albarral

Jul 7, 2017, 12:03:13 PM
to Wazuh mailing list
Hello Adrian,

This error occurs when you are able to communicate with the API, but you can't save your credentials in Elasticsearch.

Did you restart the Elasticsearch service?

Regards,
Manuel

Adrian Portway

Jul 7, 2017, 12:36:33 PM
to Wazuh mailing list
Hi Manuel,

Thank you for your reply.

I did try restarting Elasticsearch but it made no difference, I have also tried restarting the whole server in the hope that this could resolve the problem but it didn't work.

I've checked the logs in /var/log/elasticsearch but not found anything that is obviously an error.

I'll keep digging around, any suggestions as to why the credentials are not being saved greatly appreciated.

Regards,

Adrian

Adrian Portway

Jul 11, 2017, 11:02:05 AM
to Wazuh mailing list
I'm still getting no further. I've checked all the configs and versions of installed packages.

Does anyone have any ideas as to why I'm unable to save the API details to Elasticsearch? The error remains: Settings: Some error ocurred, could not save data in elasticsearch.

I have once again gone through the various log files and I've double checked I followed all the documented steps.

The server itself has now been restarted a number of times. The only step I've been unable to complete is this one.

Thanks,

Adrian

Jesus Linares

Jul 11, 2017, 11:23:36 AM
to Wazuh mailing list
Hi Adrian,

What is your manager and API version? And your Elastic stack version?

Check if the API is working:

$ curl -u foo:bar -k http://127.0.0.1:55000?pretty
{
   "error": 0,
   "data": "Welcome to Wazuh HIDS API"
}

Also, check your Elasticsearch indices:

$ curl -XGET localhost:9200/_cat/indices

Share the output and we will help you find out the issue.
Thanks!

12-1...@usb.ve

Jul 20, 2017, 10:30:05 AM
to Wazuh mailing list
Please let me know if you solve this issue... I'm experiencing exactly the same problem.

Jesus Linares

Jul 20, 2017, 3:57:55 PM
to Wazuh mailing list
Hi,

Please do the tests that I mentioned before:

1. Check if the API is working:

$ curl -u foo:bar -k http://127.0.0.1:55000?pretty
{
   "error": 0,
   "data": "Welcome to Wazuh HIDS API"
}

2. Check your Elasticsearch:

$ curl -XGET localhost:9200/_cat/indices

$ curl -XGET 'localhost:9200/_cluster/health?pretty'

Do you have the last version of the Wazuh app?

Thanks.
Regards.

Manuel Albarral

Jul 26, 2017, 5:57:28 AM
to Wazuh mailing list
Hello Adrian,

We have fixed that issue. You can update your App version as follows:

- In case you have Kibana 5.5.1:
systemctl stop kibana
/usr/share/kibana/bin/kibana-plugin remove wazuh
rm -rf /usr/share/kibana/optimize/bundles/
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
systemctl start kibana

- In case you have Kibana 5.5.0:
systemctl stop kibana
/usr/share/kibana/bin/kibana-plugin remove wazuh
rm -rf /usr/share/kibana/optimize/bundles/
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.5.0.zip
systemctl start kibana

Please, let me know if it's all right now.

Regards,
Manuel

Nick Marakhovskiy

May 23, 2018, 10:48:03 AM
to Wazuh mailing list
I have installed the latest versions of all Wazuh components. But while trying to add new API in Kibana I get the error:
Settings. Error. Could not save data in elasticsearch due to reply is not defined

I tried to reinstall the previous version of Wazuh app without success, the same error.

I have now:
# curl -s -u u:p -k -X GET https://localhost/?pretty
{
   "error": 0,
   "data": {
      "msg": "Welcome to Wazuh HIDS API",
      "api_version": "v3.2.2",
      "hostname": "returnpath-ids-00",
      "timestamp": "Wed May 23 2018 14:35:32 GMT+0000 (UTC)"
   }
}

# curl -XGET localhost:9200/_cat/indices
yellow open wazuh-monitoring-3.x-2018.05.23 UlDZ34N-RHizhvlayc6MCg 5 1   0 0   1.2kb   1.2kb
yellow open .wazuh                          1El8LXy5Su-n2Yp7xmhHBw 1 1   0 0    261b    261b
yellow open wazuh-monitoring-3.x-2018.05.22 yi7Xyz7vSTaui6Mcvvk-sQ 5 1   0 0   1.2kb   1.2kb
yellow open .kibana                         SAETU_m5T6iV1ija50bNhw 5 1   2 0  19.1kb  19.1kb
yellow open .wazuh-version                  vMmKfhnEQ-KBvh-aCMzG2A 1 1   1 0   5.1kb   5.1kb
yellow open wazuh-alerts-3.x-2018.05.22     iohjyf50S4KuT7gSAb1TTg 5 1 235 0 480.1kb 480.1kb
yellow open wazuh-alerts-3.x-2018.05.23     oMZCxQ51T2Kh1yckM8u7WQ 5 1 100 0 323.6kb 323.6kb

# curl -XGET 'localhost:9200/_cluster/health?pretty'
{
  "cluster_name" : "elasticsearch",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 27,
  "active_shards" : 27,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 27,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 50.0
}




jesus.g...@wazuh.com

May 23, 2018, 11:42:13 AM
to Wazuh mailing list
Hi Nick, 

Which version of the Wazuh App are you trying to install?

# cat /usr/share/kibana/plugins/wazuh/package.json | grep -i -E "version|revision"

Since you are using Wazuh 3.2.2 my suggestion is to have the latest Elastic stack version and our latest Wazuh App installed.

Which version of Elasticsearch is installed? 

# curl elastic_ip:9200/ -s | grep number

Regards,
Jesús

Nick Marakhovskiy

May 23, 2018, 12:02:56 PM
to Wazuh mailing list
Hi Jesús,

Thanks for quick response. Here is the output of commands:
# cat /usr/share/kibana/plugins/wazuh/package.json | grep -i -E "version|revision"
   "version": "3.2.2",
   "revision": "0390",
       "version": "6.2.4"

# curl localhost:9200/ -s | grep number
   "number" : "6.2.4",




jesus.g...@wazuh.com

May 23, 2018, 12:19:06 PM
to Wazuh mailing list
OK, it seems right; it's pretty weird because that error is not a common error on that package.

Are you reinstalling using the live link (https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.2_6.2.4.zip) or just using a zip downloaded from the same URL? I'm telling you about this because we updated that link some days ago due to a little error.

Stop Kibana:

# systemctl stop kibana

Could you delete the current Wazuh App:

# /usr/share/kibana/bin/kibana-plugin remove wazuh
# rm -rf /usr/share/kibana/optimize/bundles

And then reinstall it using this command:

# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.2_6.2.4.zip

Once done please restart Kibana:

# systemctl restart kibana

Now open a new incognito window in your desired browser, or ensure you have cleaned all cache, cookies, etc. from your browser before trying it again.

Regards,
Jesús

Nick Marakhovskiy

May 23, 2018, 1:05:13 PM
to Wazuh mailing list
I've already tried reinstalling Wazuh App before. I did the same steps you gave me. I've just tried to reinstall Wazuh App once again and tried to open Kibana on another browser, but I got the same error:
Settings. Error. Could not save data in elasticsearch due to reply is not defined

I also tried to install https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.1_6.2.4.zip - but I get the same error.

I set up ELK on:
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04 LTS
Release: 18.04
Codename: bionic




Jesús Ángel González

May 23, 2018, 1:32:05 PM
to Nick Marakhovskiy, Wazuh mailing list
OK Nick, I know what's happening: that package still has a known bug validating the form fields you inserted. I thought it included the fix but that's not the case.

99% your error comes from our validating function; if it fails it's calling a wrong function. Could you please provide us the fields you are using in the App form to add the Wazuh API? Exclude the password from your response.

Regards,
Jesús 

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/76d3cd41-d803-41ac-8b61-c3d98919415d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Best regards,
Jesús.

Nick Marakhovskiy

May 23, 2018, 1:57:16 PM
to Wazuh mailing list
I made a screenshot:




jesus.g...@wazuh.com

May 23, 2018, 2:14:03 PM
to Wazuh mailing list
Ok, that's the error, in that package parsing the URL field whenever using a custom DNS:

const userRegEx  = new RegExp(/^.{3,100}$/);
const passRegEx  = new RegExp(/^.{3,100}$/);
const urlRegEx   = new RegExp(/^https?:\/\/[a-zA-Z0-9]{1,300}$/);
const urlRegExIP = new RegExp(/^https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/);
const portRegEx  = new RegExp(/^[0-9]{2,5}$/);

const payload = {
    user: 'api',
    password: 'something123e###2!',
    url: 'https://returnpath-ids-00.c.cloudaware-ids.internal',
    port: 443
}

// Validate user
if(!userRegEx.test(payload.user)){
    console.log('user')
}

// Validate password
if(!passRegEx.test(payload.password)){
    console.log('password')
}

// Validate url
if(!urlRegEx.test(payload.url) && !urlRegExIP.test(payload.url)){
    console.log('url')
}

// Validate port
const validatePort = parseInt(payload.port);
if(!portRegEx.test(payload.port) || validatePort <= 0 || validatePort >= 99999) {
    console.log('port')
}

I've tested out-of-the-box your fields, they fail with the URL field. 

One important thing is to use our latest package: https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.2_6.2.4.zip

Please use it if you have installed a different version. This package will still fail for you, but I have two solutions for you while we are publishing the fix:

Solution 1:

- Use the IP address directly instead of DNS

Solution 2 (if solution 1 doesn't work for you):

- Modify by yourself the function, it's pretty simple.

Stop Kibana:

# systemctl stop kibana


Open with a text editor the file under /usr/share/kibana/plugins/wazuh/server/controllers/wazuh-api-elastic.js then look
at the function named validateData at line 101, it should be like this:

    validateData (payload) {
        // Validate user
        if(!userRegEx.test(payload.user)){
            return reply({ statusCode: 400, error: 10001, message: 'Invalid user field' }).code(400);
        }

        // Validate password
        if(!passRegEx.test(payload.password)){
            return reply({ statusCode: 400, error: 10002, message: 'Invalid password field' }).code(400);
        }

        // Validate url
        if(!urlRegEx.test(payload.url) && !urlRegExIP.test(payload.url)){
            return reply({ statusCode: 400, error: 10003, message: 'Invalid url field' }).code(400);
        }

        // Validate port
        const validatePort = parseInt(payload.port);
        if(!portRegEx.test(payload.port) || validatePort <= 0 || validatePort >= 99999) {
            return reply({ statusCode: 400, error: 10004, message: 'Invalid port field' }).code(400);
        }

        return false;
    }

Replace that function by this:

    validateData (payload) {
        return false;
    }

This way we are disabling that validation on the server side. Once done, please clean the bundles and restart Kibana, but do not reinstall.

# rm -rf /usr/share/kibana/optimize/bundles
# systemctl restart kibana

It will take about 3 minutes, so stay calm for few minutes. Once done you'll be able to try it again (remember clear browser too).
Tip: execute systemctl status kibana -l to see if it's optimizing or finished.

Best regards,
Jesús

Nick Marakhovskiy

May 23, 2018, 2:32:41 PM
to Wazuh mailing list
Jesús, thanks a lot, Solution 1 works for me. I've successfully saved Wazuh API in Kibana.
I will wait for a new version of Wazuh App.


jesus.g...@wazuh.com

May 24, 2018, 4:02:39 AM
to Wazuh mailing list
OK Nick, then this thread is closed. We are going to release a new Wazuh version soon, and Wazuh App too; stay updated by tracking the mailing list, it'll come with some new features and lots of improvements. Open a new thread whenever you need it; you could also use our GitHub repositories to post a new issue.

Best regards,
Jesús

Simon Tideswell

Jul 18, 2018, 8:11:02 PM
to Wazuh mailing list
Hello

Just a brief follow-up on this. I found I was totally unable to add some new API end-points to an existing (upgraded from 2.x to 3.x) Wazuh/ELK server. I got an "Invalid URL" error (or something similar - cannot remember precise details). The issue turned out to be the following file: /usr/share/kibana/plugins/wazuh/server/controllers/wazuh-api-elastic.js. The "validator" for the URL is incorrect IMHO. It only permits non-FQDNs and it does not allow for hyphens in the name. Once you allow the "validator" to allow full stops and hyphens (as per my fixed file) I was able to save off the change to the new API and everything worked as expected.

18c18
< const urlRegEx   = new RegExp(/^https?:\/\/[a-zA-Z0-9]{1,300}$/);
---
> const urlRegEx   = new RegExp(/^https?:\/\/[a-zA-Z0-9\-\.]{1,300}$/);
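Review bot: the widened character class on the replacement `urlRegEx` line still accepts hosts that are not well-formed names, because `[a-zA-Z0-9\-\.]{1,300}` matches strings such as `-..-`, a leading or trailing hyphen, and empty labels between dots. It also now matches any dotted-number string, so the separate `urlRegExIP` test no longer narrows anything and octets are never range-checked. Consider validating each dot-separated label on its own (alphanumeric at both ends, hyphens only inside, at most 63 characters) and capping the whole name at 253 characters rather than 300; the backslash before `.` inside the class is unnecessary.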

Simon
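The URL validation discussed in the two posts above, as an added example that is not part of the original thread or the Wazuh app: it runs the original and patched `urlRegEx` from the thread next to a stricter per-label check. `isValidApiUrl`, `compare` and every sample URL except the first are assumptions constructed for illustration.

```javascript
// Regexes quoted in the thread: the original and the patched version.
const originalUrlRegEx = /^https?:\/\/[a-zA-Z0-9]{1,300}$/;
const patchedUrlRegEx  = /^https?:\/\/[a-zA-Z0-9\-\.]{1,300}$/;

// One DNS label: 1-63 chars, alphanumeric at both ends, hyphens only inside.
const labelRegEx = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;
const ipv4RegEx  = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Hypothetical helper (not the app's code): true when `value` is
// scheme + host only, and the host is a well-formed name or IPv4 address.
function isValidApiUrl(value) {
  // The port is a separate form field, so reject port, path, query,
  // fragment, userinfo and whitespace in the URL field.
  const m = /^https?:\/\/([^\/:?#@\s]+)$/.exec(value);
  if (!m) return false;
  const host = m[1];
  if (host.length > 253) return false;            // DNS name length limit
  const ip = ipv4RegEx.exec(host);
  if (ip) return ip.slice(1).every((octet) => Number(octet) <= 255);
  return host.split('.').every((label) => labelRegEx.test(label));
}

// Constructed sample inputs; only the first URL appears in the thread.
const samples = [
  'https://returnpath-ids-00.c.cloudaware-ids.internal',
  'https://wazuhmanager',
  'https://10.0.0.5',
  'https://-..-',
  'https://bad-.example',
  'https://999.1.1.1',
];

// Evaluate every sample against all three validators.
function compare(urls) {
  return urls.map((url) => ({
    url,
    original: originalUrlRegEx.test(url),
    patched: patchedUrlRegEx.test(url),
    strict: isValidApiUrl(url),
  }));
}

console.table(compare(samples));
```

The table shows the thread's FQDN rejected by the original pattern and accepted by the other two, while the malformed hosts pass the patched pattern but fail the per-label check.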

jesus.g...@wazuh.com

Jul 19, 2018, 3:08:43 AM
to Wazuh mailing list
Hi @Simon, you are right and we've fixed it in https://github.com/wazuh/wazuh-kibana-app/pull/690 and your explanation is right.

Regards,
Jesús 