Filebeat error Talk to server - forbidden


Martin Náděje

Sep 26, 2024, 12:16:45 AM
to Wazuh | Mailing List
Hello wazuh team

I installed wazuh on my server today.
Everything seems to be working, but when I checked filebeat test output I saw this error:
filebeat test output
elasticsearch: https://x.x.x.x:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: x.x.x.x
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR Get "https://x.x.x.x:9200": Forbidden
I googled and checked the forum, but no one seems to have the same problem.
Can you assist me with this problem?
Thanks
Martin

Lamya Imam

Sep 26, 2024, 1:30:26 AM
to Wazuh | Mailing List
Hello Martin Náděje,

Could you please share which documentation you have followed for the installation?

This might occur due to an authentication or permission issue. I need you to ensure that you have followed the steps from the documentation successfully.
Can you please check the permissions of the certs folder and the files under that directory:
# ll -h /etc/filebeat/
# ll -h /etc/filebeat/certs
# ll -h /etc/wazuh-indexer/
# ll -h /etc/wazuh-indexer/certs
Please find the attached screenshot for reference!

To validate the indexer certificate please run this command and share the output:
# curl -u <user>:<pass> --cacert /etc/wazuh-indexer/certs/root-ca.pem --cert /etc/wazuh-indexer/certs/wazuh-indexer.pem --key /etc/wazuh-indexer/certs/wazuh-indexer-key.pem -X GET "https://<Indexer_IP>:9200/_cluster/health"

Use the certificate names from the directory /etc/wazuh-indexer/certs to run the above command.

Re-run the same command, but this time with filebeat certs:
# curl -u <user>:<pass> --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-server.pem --key /etc/filebeat/certs/wazuh-server-key.pem -X GET "https://<Indexer_IP>:9200/_cluster/health"

For this, use the certificate names from the directory /etc/filebeat/certs.

Also, please check whether you have stored the authentication credentials in the filebeat keystore; if not, you can try to re-add the credentials of the Wazuh indexer admin user to the filebeat keystore with the commands below:
# filebeat keystore create
# echo admin | filebeat keystore add username --stdin --force
# echo admin | filebeat keystore add password --stdin --force

Restart the filebeat service to apply the changes:
# systemctl restart filebeat

Make sure the IP address of your indexer is configured properly at:
/etc/wazuh-indexer/opensearch.yml
/var/ossec/etc/ossec.conf
/etc/filebeat/filebeat.yml

For further troubleshooting please share the output log of the following command:
Wazuh indexer:
# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Wazuh manager:
# cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

Let me know the update on the issue!
Untitled.png
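
The permission check requested in the reply above, written as a script instead of an eyeball read of `ll -h` output. This is an added example, not part of the original reply and not Wazuh tooling: `audit_certs` is a hypothetical helper, it assumes GNU `stat`, and the policy it enforces (directory with no group/other bits, `.pem` files readable by the owner only, owner passed as an argument) is an assumption to adjust to your installation guide.

```shell
#!/bin/sh
# Added example: audit a certificate directory for ownership and mode problems.
# The expected owner is an argument; the mode policy below is an assumption.

# audit_certs DIR OWNER -> prints one line per problem; returns 0 only if clean
audit_certs() {
    dir=$1; owner=$2; problems=0

    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (directory not found)"
        return 1
    fi

    # Directory: no group/other access at all (for example 500 or 700).
    dmode=$(stat -c '%a' "$dir")
    case "$dmode" in
        *00) ;;
        *) echo "DIRMODE  $dir is $dmode, expected no group/other bits"
           problems=$((problems + 1)) ;;
    esac

    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue          # glob matched nothing
        fmode=$(stat -c '%a' "$f")
        fowner=$(stat -c '%U' "$f")
        if [ "$fowner" != "$owner" ]; then
            echo "OWNER    $f owned by $fowner, expected $owner"
            problems=$((problems + 1))
        fi
        # The service account must be able to read the file; nobody else should.
        case "$fmode" in
            [4-7]00) ;;
            *) echo "FILEMODE $f is $fmode, expected owner-only access (e.g. 400)"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Usage on a Wazuh server (paths from the thread; owners are assumptions):
#   audit_certs /etc/filebeat/certs root
#   audit_certs /etc/wazuh-indexer/certs wazuh-indexer
```

An empty result means the directory passes; each printed line names the file and the mode or owner that differs from the assumed policy.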

Olusegun Adenrele Oyebo

Oct 3, 2024, 9:03:16 AM
to Wazuh | Mailing List
Hello Martin,

Can you assist by sharing the output of the command below:
  • cat /var/log/filebeat/filebeat | grep -i -E "error|warn|crit|fatal"
Also, share your filebeat configuration file located in the path /etc/filebeat/filebeat.yml

Will be expecting your feedback.

Best regards.

Martin Náděje

Oct 3, 2024, 5:16:26 PM
to Olusegun Adenrele Oyebo, Wazuh | Mailing List
Hello, 

Thank you for all the replies. I was not able to get the logstash setup working, so I basically deployed a Wazuh agent on my server and added custom logs.

Thank you
Martin

Martin Náděje
Service Desk Consultant/Systems specialist

NEWPS.CZ

NEWPS.CZ s.r.o.
Vyskočilova 1422/1a, 140 00 Praha 4
Mobile: +420 727 874 282
Reception phone: +420 725 017 140
Email: mna...@newps.cz
Data box ID: 3y2qms4
www.newps.cz
