Urgent | Wazuh Down


John Carry

May 17, 2023, 1:17:29 AM
to Wazuh mailing list
Dear Wazuh Team,
Wazuh seems down and an API connection timeout is shown.
Below are the screenshots.
Please help.
1.PNG
2.PNG
3.PNG

John Carry

May 17, 2023, 1:59:17 AM
to Wazuh mailing list
FYI!
4.PNG

John Carry

May 17, 2023, 2:02:03 AM
to Wazuh mailing list
5.PNG

John Carry

May 17, 2023, 2:11:35 AM
to Wazuh mailing list
6.PNG

John Carry

May 17, 2023, 2:17:18 AM
to Wazuh mailing list
It seems a particular FS is 100%.
7.png

John Carry

May 17, 2023, 2:22:00 AM
to Wazuh mailing list
8.png

Himanshu Sharma

May 17, 2023, 2:34:39 AM
to Wazuh mailing list
Hi John,

Thanks for using Wazuh. Can you please share the below information so we can review it and provide you with a better solution?
  1. Also can you please confirm if it was working previously or if it's a new setup?
  2. Check the status of wazuh-manager and wazuh-indexer and restart all components once.
  3. Please validate the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file configuration.
Waiting for your response soon.

John Carry

May 17, 2023, 2:53:35 AM
to Wazuh mailing list
Hello Sharma,

Please find responses below:

1) It was working fine yesterday before I left the office; this morning, without any changes having been made, it gives these errors.
2) I have already started it and even hard rebooted the server.
3) Please find the configuration of the wazuh.yml file below (we are using wazuh-manager, Elastic and Kibana, single node):
---
#
# Wazuh app - App configuration file
# Copyright (C) 2015-2021 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api     : true
#checks.setup   : true
#checks.metaFields: true
#checks.timeFilter: true
#checks.maxBuckets: true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci       : true
#extensions.gdpr      : true
#extensions.hipaa     : true
#extensions.nist      : true
#extensions.tsc       : true
#extensions.audit     : true
#extensions.oscap     : false
#extensions.ciscat    : false
#extensions.aws       : false
#extensions.gcp       : false
#extensions.virustotal: false
#extensions.osquery   : false
#extensions.docker    : false
#
# ---------------------------------- Timeout ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# -------------------------------- API selector --------------------------------
#
# Defines if the user is allowed to change the selected
# API directly from the Wazuh app top menu.
# Default: true
#api.selector: true
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-*
#
# --------------------------------- wazuh-cron ----------------------------------
#
# Customize the index prefix of predefined jobs
# This change is not retroactive, if you change it new indexes will be created
# cron.prefix: test
#
# --------------------------------- wazuh-sample-alerts -------------------------
#
# Customize the index name prefix of sample alerts
# This change is not retroactive, if you change it new indexes will be created
# It should match with a valid index template to avoid unknown fields on
# dashboards
#alerts.sample.prefix: wazuh-alerts-4.x-
#
# ------------------------------ wazuh-statistics -------------------------------
#
# Custom setting to enable/disable statistics tasks.
#cron.statistics.status: true
#
# Enter the ID of the APIs you want to save data from, leave this empty to run
# the task on all configured APIs
#cron.statistics.apis: []
#
# Define the frequency of task execution using cron schedule expressions
#cron.statistics.interval: 0 */5 * * * *
#
# Define the name of the index in which the documents are to be saved.
#cron.statistics.index.name: statistics
#
# Define the interval in which the index will be created
#cron.statistics.index.creation: w
#
# Configure statistics indices shards and replicas.
#cron.statistics.shards: 2
#cron.statistics.replicas: 0
#
# ---------------------------- Hide manager alerts ------------------------------
# Hide the alerts of the manager in all dashboards and discover
#hideManagerAlerts: false
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
# -------------------------------- Enrollment DNS -------------------------------
# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
# Default value: ''
#enrollment.dns: ''
#
# Wazuh registration password
# Default value: ''
#enrollment.password: ''
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
#  - <id>:
      # URL
      # API url
      # url: http(s)://<url>

      # Port
      # API port
      # port: <port>

      # Username
      # API user's username
      # username: <username>

      # Password
      # API user's password
      # password: <password>

      # Run as
      # Define how the app user gets his/her app permissions.
      # Values:
      #   - true: use his/her authentication context. Require Wazuh API user allows run_as.
      #   - false or not defined: get same permissions of Wazuh API user.
      # run_as: <true|false>

hosts:
  - client_test:
     url: https://localhost
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

hideManagerAlerts: false
customization.logo.app: 'XXX-IS'

John Carry

May 17, 2023, 3:17:38 AM
to Wazuh mailing list
I suspect there is some issue with Elastic, as I am unable to restart it.
FYI!
9.png

John Carry

May 17, 2023, 3:24:48 AM
to Wazuh mailing list
FYI!
10.png

John Carry

May 17, 2023, 4:01:28 AM
to Wazuh mailing list
Hello Sharma,
Are you able to diagnose the issue?

Himanshu Sharma

May 17, 2023, 4:50:49 AM
to Wazuh mailing list
Hi John,

Can you please update us on the changes you have made on the Elasticsearch server, e.g. anything related to certificates? For the error you are getting in the Elasticsearch logs, you need to run the securityadmin.sh command from /usr/share/elasticsearch/plugins/opendistro_security/tools/ as mentioned here.

John Carry

May 17, 2023, 5:24:27 AM
to Wazuh mailing list
Dear Sharma,
As I already conveyed, no changes were performed from our end; please help us out.

John Carry

May 17, 2023, 5:27:59 AM
to Wazuh mailing list
Dear Sharma,
I ran the provided command and observed the output below.
11.PNG

Himanshu Sharma

May 17, 2023, 5:51:16 AM
to Wazuh mailing list
Hi John,

Can you please share the /etc/elasticsearch/elasticsearch.yml file once?

John Carry

May 17, 2023, 6:01:16 AM
to Wazuh mailing list
FYI!


network.host: 127.0.0.1
node.name: node-1
cluster.initial_master_nodes: node-1

opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/certs/elasticsearch.pem
opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/certs/elasticsearch.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/certs/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/certs/elasticsearch_http.pem
opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/certs/elasticsearch_http.key
opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/certs/root-ca.pem
opendistro_security.nodes_dn:
- CN=node-1,OU=Docu,O=Wazuh,L=California,C=US
opendistro_security.authcz.admin_dn:
- CN=admin,OU=Docu,O=Wazuh,L=California,C=US

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.system_call_filter: true

Himanshu Sharma

May 26, 2023, 9:19:47 AM
to Wazuh mailing list
Hi John,

Sorry for the delay.

I can see that the certificate names are not the same in the command you ran and in /etc/elasticsearch/elasticsearch.yml.

Also, please validate whether the certificate names in /etc/elasticsearch/certs are the same as those in /etc/elasticsearch/elasticsearch.yml or not.
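As an added example, not code from this thread or from Wazuh, the POSIX shell script below does the two checks that came up above mechanically: it reads every "*_filepath" setting from an elasticsearch.yml and reports whether the referenced certificate file actually exists on disk, and it reports how full the filesystems holding path.data and path.logs are (a filesystem at 100% was the first finding in the thread). The elasticsearch.yml, the certificate files and the deliberately missing elasticsearch_http.key are all constructed in a temporary directory; on a real node you would point check_cert_paths at /etc/elasticsearch/elasticsearch.yml instead.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): cross-check the certificate
# paths in an elasticsearch.yml against the files on disk, and report how full
# the filesystems holding path.data and path.logs are. The sample config and
# certificate files below are constructed in a temporary directory; one key
# file is deliberately left out to show a mismatch being detected.

# check_cert_paths <elasticsearch.yml>
# Prints one line per "*_filepath" setting. Returns 0 when every referenced
# file exists and 1 when at least one is missing. Commented-out keys are skipped.
check_cert_paths() {
    yml=$1
    missing=0
    # Read the file directly instead of through a pipe so that "missing",
    # updated inside the loop, is still visible afterwards in POSIX sh.
    while IFS= read -r line; do
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$stripped" in
            \#*) continue ;;        # commented-out setting: ignore
            *_filepath:*) ;;        # a certificate path setting: check it
            *) continue ;;          # anything else
        esac
        key=${stripped%%:*}
        val=$(printf '%s' "${stripped#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -f "$val" ]; then
            printf 'OK       %s -> %s\n' "$key" "$val"
        else
            printf 'MISSING  %s -> %s\n' "$key" "$val"
            missing=1
        fi
    done < "$yml"
    return "$missing"
}

# yml_value <file> <key>
# Prints the value of a top-level "key: value" line (first match only).
yml_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$esc[[:space:]]*:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# fs_usage_percent <path>
# Prints df's Use% for the filesystem holding <path>, without the '%' sign;
# prints nothing if df is unavailable.
fs_usage_percent() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# --- constructed fixture (stands in for /etc/elasticsearch on a real node) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/certs" "$SAMPLE_DIR/data" "$SAMPLE_DIR/logs"
SAMPLE_YML=$SAMPLE_DIR/elasticsearch.yml
cat > "$SAMPLE_YML" <<EOF
network.host: 127.0.0.1
node.name: node-1
# stale, commented-out entry: the checker must ignore it
# opendistro_security.ssl.transport.pemkey_filepath: $SAMPLE_DIR/certs/old.key
opendistro_security.ssl.transport.pemcert_filepath: $SAMPLE_DIR/certs/elasticsearch.pem
opendistro_security.ssl.transport.pemkey_filepath: $SAMPLE_DIR/certs/elasticsearch.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: $SAMPLE_DIR/certs/root-ca.pem
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: $SAMPLE_DIR/certs/elasticsearch_http.pem
opendistro_security.ssl.http.pemkey_filepath: $SAMPLE_DIR/certs/elasticsearch_http.key
opendistro_security.ssl.http.pemtrustedcas_filepath: $SAMPLE_DIR/certs/root-ca.pem
path.data: $SAMPLE_DIR/data
path.logs: $SAMPLE_DIR/logs
EOF
# Create every certificate file except elasticsearch_http.key (the constructed fault).
for f in elasticsearch.pem elasticsearch.key root-ca.pem elasticsearch_http.pem; do
    : > "$SAMPLE_DIR/certs/$f"
done

# --- run the checks ---
echo "== certificate paths referenced by $SAMPLE_YML =="
if check_cert_paths "$SAMPLE_YML"; then
    echo "all referenced certificate files exist"
else
    echo "at least one referenced file is missing: fix the path in elasticsearch.yml" \
         "or restore the file, then re-run securityadmin.sh with the matching cert names"
fi
echo "== filesystem usage for data and log directories =="
for key in path.data path.logs; do
    dir=$(yml_value "$SAMPLE_YML" "$key")
    pct=$(fs_usage_percent "$dir")
    echo "$key=$dir usage=${pct:-unknown}%"
done
```

The script only checks that each file exists, which is the mismatch the last reply points at; it does not verify that the certificates' subjects match opendistro_security.nodes_dn and opendistro_security.authcz.admin_dn. On a real node that second check is a plain `openssl x509 -in <cert> -noout -subject` on each file, compared by eye against the DNs in elasticsearch.yml, and the admin certificate passed to securityadmin.sh must be the one whose subject appears under admin_dn.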
