KIBANA-WAZUH API:- Health Check. 3000 - Error getting the authorization token


Gaurav

Feb 7, 2021, 3:54:04 PM
to Wazuh mailing list
Hi Everyone,

I have set up Wazuh on the AWS EKS cluster using the Wazuh kubernetes repo: https://github.com/wazuh/wazuh-kubernetes/releases/tag/v4.0.4_1.11.0

We are trying to use "Amazon Elasticsearch" instead of the opendistro elasticsearch docker image. So, we have set up the AWS ES node and edited the .yaml files of the kubernetes deployment (Kibana-deploy.yaml, wazuh-master-sts.yaml and wazuh-worker-sts.yaml) to point ELASTICSEARCH_URL to the AWS ES endpoint (configured to be public, with fine-grained access control and a master user, i.e. admin).

I was successfully able to connect to AWS ES Node via Wazuh Master, Worker & Kibana.
Also, I can see via Kibana the Wazuh index patterns (wazuh-monitoring-*, wazuh-alerts-*, wazuh-statistics-*) and indices being created every day, and I can visualise logs in Kibana.

However, I am not able to view any data or settings on the Wazuh Plugin from Kibana. I am getting "Health Check. 3000 - Error getting the authorization token" error as per below screenshot.

Note: I am not using the AWS Kibana console to log in and have set up a dedicated Kibana container in EKS. I am logging into the Kibana console via the admin user, which is the AWS Elasticsearch user.

However, I tried running a few WAZUH API curl commands as per the link below from Kibana using the wazuh-wui user, and I was successfully able to get responses at the command prompt.
Screenshot 2021-02-08 at 1.38.31 AM.png

From the Wazuh-Kibana plugin, I can only see the WAZUH API configuration. The "Test Connection" is also successful.
Screenshot 2021-02-08 at 2.06.09 AM.png

Other than this, I am getting authorization errors such as below; attaching a few examples.

Screenshot 2021-02-08 at 2.11.21 AM.png

Screenshot 2021-02-08 at 2.12.12 AM.png

Kindly help with the above issue. Any help or guidance will be appreciated.


Regards,
Gaurav


 




Julio José Reyes Hurtado

Feb 8, 2021, 7:07:05 AM
to Wazuh mailing list
Hi Gaurav, thanks for contacting us.

Checking your issue and the info provided, it seems to be something related to the user that you are using to log into Kibana. The Wazuh API from 4.x works with role-based access control; take a look at our doc. What might be happening is that your user is not in the context of wazuh-wui, which leads us to not have enough permissions to access the Wazuh API nor Wazuh.

To solve this issue please try to:
Hope it helps, tell me otherwise

Best regards Julio.



Matthew M.

Feb 8, 2021, 1:50:54 PM
to Wazuh mailing list
Gaurav,

I'm also having this same issue.

I've created the user in question and given them the administrator role:

Here are the configuration settings for my wazuh-api:

hosts:
  - default:
     url: https://localhost
     port: 55000
     user: WazuhAPI
     password: <Password>
     run_as: false

When I get a token and perform a curl operation using those credentials against the API I get a response:

{"data": {"title": "Wazuh API REST", "api_version": "4.0.4", "revision": 40011, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.0/LICENSE", "hostname": "WAZUH", "timestamp": "2021-02-08T18:49:24+0000"}, "error": 0}

Even when using the default "wazuh:wazuh" username and password the API will still fail with the same error.

Thanks,



Matthew

Vikrant Puranik

Feb 8, 2021, 3:01:17 PM
to Wazuh mailing list
Hi Julio & Matthew,

Thanks for your responses.

@Julio, I tried to refer to the link you shared. I was able to create the user via a curl command and assign it the "administrator" role. I am able to run every type of API curl command from the Kibana pod and the Wazuh manager pod. But no luck, I am still facing the same issue.

However, below are the things I noticed:
1) For making any curl request, I have to generate the token via Basic Authentication and then use the token for making further WAZUH API curl commands.

2) I have used the same "admin" user present in the "secrets" file of the Kubernetes git repo, and created the same "admin" user on the "Amazon Elasticsearch Domain" for "Fine-grained access control" (which is necessary for AWS ES to work with Wazuh), because when I tried creating the AWS ES domain without access control, the Wazuh pods were unstable and were in an error state.

Screenshot 2021-02-09 at 1.18.00 AM.png

3) As the default password in the secrets file for the "admin" user is "SecretPassword", I couldn't enter this password due to weak complexity. So, I have set a complex password both in the "elastic-cred-secret.yaml" file and for the "admin" user created on the AWS Elasticsearch domain.

When I tried to check the debugger logs in the web browser while accessing the Kibana console, I am seeing error codes 500 and 401 relevant to the WAZUH API, as below:

Screenshot 2021-02-09 at 1.10.52 AM.png

Screenshot 2021-02-09 at 12.57.08 AM.png


Regards,
Gaurav

Julio José Reyes Hurtado

Feb 9, 2021, 5:32:19 AM
to Wazuh mailing list
Hi Gaurav,

It looks like you have no connection with the API. Can you post the config located in /usr/share/kibana/optimize/wazuh/config/wazuh.yml? We need to check that the URL, user and password are correct.

Also, can you please make a request to the Wazuh API from the Kibana pod and check whether the request returned what was expected?

Waiting for your response

Regards, Julio

Matthew M.

Feb 9, 2021, 9:56:47 AM
to Wazuh mailing list
Julio,

Everything in the wazuh.yml config file is default except for my hosts section. Here it is:

hosts:
  - default:
     url: https://127.0.0.1
     port: 55000
     user: WazuhAPI
     password: <password>
     run_as: false

I am able to connect using those specifics:

root@WAZUH:/usr/share/kibana/optimize/wazuh/config# TOKEN=$(curl -u WazuhAPI:<password> -k -X GET "https://127.0.0.1:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   269  100   269    0     0    392      0 --:--:-- --:--:-- --:--:--   392
root@WAZUH:/usr/share/kibana/optimize/wazuh/config# curl -k -X GET "https://127.0.0.1:55000/" -H "Authorization: Bearer $TOKEN"
{"data": {"title": "Wazuh API REST", "api_version": "4.0.4", "revision": 40011, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.0/LICENSE", "hostname": "WAZUH", "timestamp": "2021-02-09T14:52:11+0000"},"error": 0}

I am still definitely getting that connection error though:

Capture.JPG

Clicking on the question mark next to offline gives me this error: 

3003 - Missing param: API USERNAME

Let me know what other info you need.

--Matthew

Vikrant Puranik

Feb 9, 2021, 10:43:05 AM
to Julio José Reyes Hurtado, wa...@googlegroups.com
Hi Julio,

Thanks for your reply.

Below is the wazuh.yml config entries I have, just masked the password entry here :-

#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
#  - <id>:
#     url: http(s)://<url>
#     port: <port>
#     username: <username>
#     password: <password>

hosts:
  - 1513629884013:
      url: https://wazuh-manager-master-0.wazuh-cluster
      port: 55000
      username: wazuh-wui
      password: <Password>
      run_as: true





Also, attaching the screenshot of successful API connection. I can make Curl request from Kibana to the WAZUH API



bash-4.2$ TOKEN=$(curl -u wazuh-wui:<pass> -k -X GET https://wazuh-manager-master-0.wazuh-cluster:55000/security/user/authenticate?raw=true)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   271  100   271    0     0    565      0 --:--:-- --:--:-- --:--:--   565

bash-4.2$ curl -k -X GET https://wazuh-manager-master-0.wazuh-cluster:55000 -H "Authorization: Bearer $TOKEN"
{"data": {"title": "Wazuh API REST", "api_version": "4.0.4", "revision": 40011, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.0/LICENSE", "hostname": "wazuh-manager-master-0", "timestamp": "2021-02-09T15:26:47+0000"}, "error": 0}

bash-4.2$ curl -k -X GET https://wazuh-manager-master-0.wazuh-cluster:55000/cluster/local/info -H "Authorization: Bearer $TOKEN"
{"data": {"affected_items": [{"node": "wazuh-manager-master", "cluster": "wazuh", "type": "master"}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "All selected information was returned", "error": 0}

bash-4.2$ curl -k -X GET https://wazuh-manager-master-0.wazuh-cluster:55000/cluster/nodes -H "Authorization: Bearer $TOKEN"
{"data": {"affected_items": [{"name": "wazuh-manager-master", "type": "master", "version": "4.0.4", "ip": "wazuh-manager-master-0.wazuh-cluster.wazuh"}, {"name": "wazuh-manager-worker-0", "type": "worker", "version": "4.0.4", "ip": "10.255.10.54"}, {"name": "wazuh-manager-worker-1", "type": "worker", "version": "4.0.4", "ip": "10.255.10.251"}], "total_affected_items": 3, "total_failed_items": 0, "failed_items": []}, "message": "All selected nodes information was returned", "error": 0}




But, I always see the error code 500 whenever I load/reload the Wazuh-Kibana App/plugin on Browser and see the response as 


message: "3000 - Error getting the authorization token: Bad Request"
code: 3000
statusCode: 500




I have been stuck on this since last weekend; please suggest a way out if possible.



Regards,

Gaurav




Vikrant Puranik

Feb 10, 2021, 11:01:43 AM
to Julio José Reyes Hurtado, wa...@googlegroups.com
Hi Julio/ Wazuh Team,

Did you get a chance to look at the issue ? The API authorization issue is coming up even if the Wazuh cluster is showing as "Online" & connection successful from Kibana-Wazuh UI.

Appreciate any help or guidance on the same.

Regards,
Gaurav.


Julio José Reyes Hurtado

Feb 10, 2021, 12:28:51 PM
to Wazuh mailing list
Hi, Gaurav

We have had some reports about issues accessing the Wazuh API from AWS with opendistro, and one community member discovered a bug in the pathing of the file opendistro-factory.ts in the path /usr/share/kibana/plugins/wazuh/server/lib/security-factory/factories/. You can check it at https://github.com/wazuh/wazuh-kibana-app/pull/2710. As shown in the PR, the fix is adding a slash "/" in path: `/_opendistro/_security/api/account`.

Can you please try to apply this change in the path and check if it solves the problem of access?

Regards Julio

Juan Carlos

Feb 10, 2021, 12:34:10 PM
to Wazuh mailing list
To clarify here, the path is different on a running installation.
You may try to apply the fix by running:

sed -i 's/path: `_opendistro\/_security\/api\/account`/path: `\/_opendistro\/_security\/api\/account`/g' /usr/share/kibana/plugins/wazuh/server/lib/security-factory/factories/opendistro-factory.js

And then restarting the Kibana service.
Please let us know if this works.
Best Regards,
Juan Carlos Tello
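
Added example, not part of the original thread and not Wazuh's own tooling: a shell wrapper around the replacement above that reports whether the file still contains the path without the slash, keeps a backup, and confirms the result. The function name `fix_opendistro_path` and the demo file are assumptions; the demo runs on a constructed file, not the real opendistro-factory.js.

```shell
# Added example; fix_opendistro_path is a hypothetical helper name.
# Argument: path to the installed opendistro-factory.js.
fix_opendistro_path() {
    f=$1
    bad='path: `_opendistro/_security/api/account`'
    good='path: `/_opendistro/_security/api/account`'
    if ! grep -qF "$bad" "$f"; then
        if grep -qF "$good" "$f"; then
            echo "already patched"; return 0
        fi
        # Neither form is present: wrong file, or a different plugin version.
        echo "path not found"; return 2
    fi
    cp -p "$f" "$f.bak" || return 1              # keep the original beside it
    sed "s|$bad|$good|g" "$f.bak" > "$f" || return 1
    if grep -qF "$bad" "$f"; then
        echo "patch failed"; return 1
    fi
    echo "patched"
}

# Demo on a constructed file.
demo_dir=$(mktemp -d)
printf '%s\n' 'const request = {' \
    '  path: `_opendistro/_security/api/account`,' '};' > "$demo_dir/factory.js"
fix_opendistro_path "$demo_dir/factory.js"   # prints: patched
fix_opendistro_path "$demo_dir/factory.js"   # prints: already patched
```

As in the message above, Kibana still has to be restarted after the file changes.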

Matthew M.

Feb 10, 2021, 12:44:12 PM
to Wazuh mailing list
Performed the instructed changes and there is no change in behavior.

Julio José Reyes Hurtado

Feb 10, 2021, 12:53:58 PM
to Wazuh mailing list
Hi Matthew,

You have all in one server, right? I see you are using version 4.0.4. Can you tell me, please, whether you can connect to the API if you use the default Wazuh user?
Since you have run_as set as false, you don't have to create users for RBAC; just create the users and assign a role, using a role with the permissions to allow access mapping in Kibana. To do that, go to the browser at Kibana, open the menu > Security > Internal users and create the user. Afterwards, to assign a role, go to menu > Security > Roles, go into the all_access role > mapped_users tab > Manage mapping and add your new user to the role.

Hope it helps,

Regards Julio.

Matthew M.

Feb 10, 2021, 1:01:56 PM
to Wazuh mailing list
You are correct. It is all on one server. I am able to use the wazuh username password to connect to the API through curl. Adding the wazuh username and password to the config file results in the same behavior.

I upgraded from 3.13 to 4.0.4. I do not have the all_access role, but added another custom role with full access to the WAZUHAPI user. That has not changed anything.

Thanks,


Matthew

Julio José Reyes Hurtado

Feb 10, 2021, 1:31:48 PM
to Wazuh mailing list
Hi Matthew,
I meant to log into Kibana with the admin user we provide to you. Once you are logged in as admin, check if you still have the API connectivity problem when you go to WazuhApp.
I've seen your wazuh.yml file has no default user/password. Did you change these credentials using https://documentation.wazuh.com/4.0/user-manual/api/securing_api.html ?
Did you change the credentials after the update or before?

Regards, Julio.

Matthew M.

Feb 10, 2021, 1:33:10 PM
to Wazuh mailing list
The user I am logging into Kibana with has complete access.

I changed the credentials after the update.

Julio José Reyes Hurtado

Feb 11, 2021, 6:22:07 AM
to Wazuh mailing list
Hi Matthew, re-checking the configuration and the error of your wazuh.yaml:
3003 - Missing param: API USERNAME

hosts:
  - default:
     url: https://127.0.0.1
     port: 55000
     user: WazuhAPI
     password: <password>
     run_as: false

The problem is that user is not used as a param in Wazuh 4.0.4; you have to replace it with "username". The correct config would be:

hosts:
  - default:
     url: https://127.0.0.1
     port: 55000
     username: WazuhAPI
     password: <password>
     run_as: false



Hope it helps, tell me otherwise

Regards, Julio.
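
Added example, not part of the original thread and not a Wazuh tool: a shell/awk check that reads the hosts section of a wazuh.yml and reports entries missing url, port, username or password, calling out the user/username mix-up described above. The function name `lint_wazuh_hosts` and the sample password are assumptions; the sample entry is constructed from the one quoted in the thread.

```shell
# Added example. lint_wazuh_hosts is a hypothetical helper, not a Wazuh tool.
# Prints one line per problem; exit status is 1 when any problem was found.
lint_wazuh_hosts() {
    awk '
    function report(   i, n, req) {
        if (id == "") return
        if (has["user"] && !has["username"]) {
            printf "%s: uses \"user\"; rename it to \"username\"\n", id
            bad = 1
        }
        n = split("url port username password", req, " ")
        for (i = 1; i <= n; i++)
            if (!has[req[i]] && !(req[i] == "username" && has["user"])) {
                printf "%s: missing \"%s\"\n", id, req[i]
                bad = 1
            }
        split("", has); id = ""                  # reset for the next entry
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^hosts:/ { in_hosts = 1; next }
    /^[^ \t-]/ { report(); in_hosts = 0; next }  # some other top-level key
    in_hosts && /^[ \t]*-[ \t]*[^:]+:[ \t]*$/ {  # "- <id>:" opens an entry
        report()
        id = $0; sub(/^[ \t]*-[ \t]*/, "", id); sub(/:[ \t]*$/, "", id)
        next
    }
    in_hosts && id != "" {                       # "key: value" in an entry
        key = $0; sub(/^[ \t]*/, "", key); sub(/:.*/, "", key)
        has[key] = 1
    }
    END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the entry quoted in the thread, password replaced.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hosts:
  - default:
     url: https://127.0.0.1
     port: 55000
     user: WazuhAPI
     password: example-password
     run_as: false
EOF
lint_wazuh_hosts "$sample" || true
```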

Vikrant Puranik

Feb 11, 2021, 6:28:47 AM
to Juan Carlos, Julio José Reyes Hurtado, wa...@googlegroups.com
Hi Julio & Juan,

Thank you so much for the help & sharing details about the fix.

I made the relevant changes in Kibana & redeployed it in the Kubernetes cluster, and it worked like a charm :-)

I am still testing a few other things to confirm everything is working fine, but so far it's all good.

Thanks Again.

Regards,
Gaurav


Matthew M.

Feb 11, 2021, 1:33:32 PM
to Wazuh mailing list
That worked. I didn't notice that difference between the file and the examples. No wonder it wouldn't work.

Thanks!
