Single sign-on Azure AD different roles
749 views
Skip to first unread message
meganie
Jul 17, 2023, 4:58:22 AM7/17/23
to Wazuh mailing list
I would like to used the Azure AD to assign two different roles (Admin and read-only) to my users.
I've implemented the Admin role (Wazuh_role) using the guide and it works but I get this error sometimes: {"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred."} Is there a fix for that? After reloading the page once or twice it works most of the time.
After that I tried adding a second role (Wazuh_read) to the manifest.
I've implemented the Admin role (Wazuh_role) using the guide and it works but I get this error sometimes: {"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred."} Is there a fix for that? After reloading the page once or twice it works most of the time.
After that I tried adding a second role (Wazuh_read) to the manifest.
I wasn't able to use the appId for the second role because the same Id can't be used twice in the manifest.
Added the role to roles_mapping.yml
Added the role to roles_mapping.yml
And created a role mapping because run_as is set to true in wazuh.yml
The readonly role has been created before using this guide and worked fine with local users.
meganie
Jul 17, 2023, 5:01:02 AM7/17/23
to Wazuh mailing list
The last screenshot is wrong, here is the correct mapping.
Ian Yenien Serrano
Jul 17, 2023, 6:52:33 AM7/17/23
to Wazuh mailing list
Hi Meganie, thanks for using wazuh,
I understand you are having trouble creating the read-only user, right?
The first error you get when logging in may be because it takes a while for the connection to work.
meganie
Jul 20, 2023, 3:33:16 AM7/20/23
to Wazuh mailing list
I've created the read-only user but when I assign it using Azure the users don't have any permission. I've created it using the guide and the config you can see in my first posts.
And the error 500 appears randomly all the time. Sometimes reloading the page does help sometimes I have to use another browser.
meganie
Jul 20, 2023, 5:56:02 AM7/20/23
to Wazuh mailing list
Here is also the complete log after I got the error 500 on the dashboard. I've replaced the
<WAZUH_DASHBOARD_URL> and
<HOSTADDRESS> in the log.
{"type":"response","@timestamp":"2023-07-20T08:06:38Z","tags":[],"pid":989823,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82"},"res":{"statusCode":302,"responseTime":22,"contentLength":9},"message":"GET / 302 22ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:38Z","tags":[],"pid":989823,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment?nextUrl=%2F","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82"},"res":{"statusCode":200,"responseTime":11,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment?nextUrl=%2F 200 11ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:38Z","tags":[],"pid":989823,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":200,"responseTime":3,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 3ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:38Z","tags":[],"pid":989823,"method":"get","statusCode":302,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":302,"responseTime":26,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 302 26ms - 9.0B"}
{"type":"log","@timestamp":"2023-07-20T08:06:39Z","tags":["error","plugins","securityDashboards"],"pid":989823,"message":"SAML SP initiated authentication workflow failed: Error: Authentication Exception"}
{"type":"error","@timestamp":"2023-07-20T08:06:39Z","tags":[],"pid":989823,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:143:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:97:19)\n at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:92:17)\n at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:164:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at handler (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:124:50)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs","message":"Internal Server Error"}
{"type":"response","@timestamp":"2023-07-20T08:06:39Z","tags":[],"pid":989823,"method":"post","statusCode":500,"req":{"url":"/_opendistro/_security/saml/acs","method":"post","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","content-length":"7467","cache-control":"max-age=0","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","origin":"https://login.microsoftonline.com","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://login.microsoftonline.com/","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://login.microsoftonline.com/"},"res":{"statusCode":500,"responseTime":171,"contentLength":9},"message":"POST /_opendistro/_security/saml/acs 500 171ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:39Z","tags":[],"pid":989823,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","sec-ch-ua-platform":"\"Windows\"","accept":"image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://<WAZUH_DASHBOARD_URL>.de/_opendistro/_security/saml/acs"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /favicon.ico 401 2ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:38Z","tags":[],"pid":989823,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment?nextUrl=%2F","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82"},"res":{"statusCode":200,"responseTime":11,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment?nextUrl=%2F 200 11ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:38Z","tags":[],"pid":989823,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":200,"responseTime":3,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 3ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:38Z","tags":[],"pid":989823,"method":"get","statusCode":302,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://<WAZUH_DASHBOARD_URL>/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":302,"responseTime":26,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 302 26ms - 9.0B"}
{"type":"log","@timestamp":"2023-07-20T08:06:39Z","tags":["error","plugins","securityDashboards"],"pid":989823,"message":"SAML SP initiated authentication workflow failed: Error: Authentication Exception"}
{"type":"error","@timestamp":"2023-07-20T08:06:39Z","tags":[],"pid":989823,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:143:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:97:19)\n at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:92:17)\n at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:164:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at handler (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:124:50)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs","message":"Internal Server Error"}
{"type":"response","@timestamp":"2023-07-20T08:06:39Z","tags":[],"pid":989823,"method":"post","statusCode":500,"req":{"url":"/_opendistro/_security/saml/acs","method":"post","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","content-length":"7467","cache-control":"max-age=0","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","origin":"https://login.microsoftonline.com","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://login.microsoftonline.com/","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://login.microsoftonline.com/"},"res":{"statusCode":500,"responseTime":171,"contentLength":9},"message":"POST /_opendistro/_security/saml/acs 500 171ms - 9.0B"}
{"type":"response","@timestamp":"2023-07-20T08:06:39Z","tags":[],"pid":989823,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","sec-ch-ua-platform":"\"Windows\"","accept":"image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs","accept-encoding":"gzip, deflate, br","accept-language":"de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82","referer":"https://<WAZUH_DASHBOARD_URL>.de/_opendistro/_security/saml/acs"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /favicon.ico 401 2ms - 9.0B"}
meganie
Jul 20, 2023, 6:10:13 AM7/20/23
to Wazuh mailing list
Another log:
{"type":"log","@timestamp":"2023-07-20T10:04:30Z","tags":["error","http","server","OpenSearchDashboards"],"pid":989823,"message":"Error: Authentication Exception\n at SecurityClient.authinfo (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/backend/opensearch_security_client.ts:115:13)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at /usr/share/wazuh-dashboard/plugins/securityDashboards/server/auth/types/authentication_type.ts:208:18\n at Object.interceptAuth [as authenticate] (/usr/share/wazuh-dashboard/src/core/server/http/lifecycle/auth.js:112:22)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at module.exports.internals.Auth._authenticate (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/auth.js:273:30)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"}
{"type":"error","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:80:19)\n at Object.interceptAuth [as authenticate] (/usr/share/wazuh-dashboard/src/core/server/http/lifecycle/auth.js:151:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at module.exports.internals.Auth._authenticate (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/auth.js:273:30)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://<WAZUH_DASHBOARD_URL>","message":"Internal Server Error"}
{"type":"response","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"method":"get","statusCode":500,"req":{"url":"/","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"},"res":{"statusCode":500,"responseTime":35,"contentLength":9},"message":"GET / 500 35ms - 9.0B"}
{"type":"log","@timestamp":"2023-07-20T10:04:30Z","tags":["error","http","server","OpenSearchDashboards"],"pid":989823,"message":"Error: Authentication Exception\n at SecurityClient.authinfo (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/backend/opensearch_security_client.ts:115:13)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at /usr/share/wazuh-dashboard/plugins/securityDashboards/server/auth/types/authentication_type.ts:208:18\n at Object.interceptAuth [as authenticate] (/usr/share/wazuh-dashboard/src/core/server/http/lifecycle/auth.js:112:22)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at module.exports.internals.Auth._authenticate (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/auth.js:273:30)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"}
{"type":"error","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:80:19)\n at Object.interceptAuth [as authenticate] (/usr/share/wazuh-dashboard/src/core/server/http/lifecycle/auth.js:151:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at module.exports.internals.Auth._authenticate (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/auth.js:273:30)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://<WAZUH_DASHBOARD_URL>/favicon.ico","message":"Internal Server Error"}
{"type":"response","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"method":"get","statusCode":500,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://<WAZUH_DASHBOARD_URL>","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","referer":"https://<WAZUH_DASHBOARD_URL>"},"res":{"statusCode":500,"responseTime":40,"contentLength":9},"message":"GET /favicon.ico 500 40ms - 9.0B"}
{"type":"error","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:80:19)\n at Object.interceptAuth [as authenticate] (/usr/share/wazuh-dashboard/src/core/server/http/lifecycle/auth.js:151:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at module.exports.internals.Auth._authenticate (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/auth.js:273:30)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://<WAZUH_DASHBOARD_URL>","message":"Internal Server Error"}
{"type":"response","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"method":"get","statusCode":500,"req":{"url":"/","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"},"res":{"statusCode":500,"responseTime":35,"contentLength":9},"message":"GET / 500 35ms - 9.0B"}
{"type":"log","@timestamp":"2023-07-20T10:04:30Z","tags":["error","http","server","OpenSearchDashboards"],"pid":989823,"message":"Error: Authentication Exception\n at SecurityClient.authinfo (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/backend/opensearch_security_client.ts:115:13)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at /usr/share/wazuh-dashboard/plugins/securityDashboards/server/auth/types/authentication_type.ts:208:18\n at Object.interceptAuth [as authenticate] (/usr/share/wazuh-dashboard/src/core/server/http/lifecycle/auth.js:112:22)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at module.exports.internals.Auth._authenticate (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/auth.js:273:30)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"}
{"type":"error","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:80:19)\n at Object.interceptAuth [as authenticate] (/usr/share/wazuh-dashboard/src/core/server/http/lifecycle/auth.js:151:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at module.exports.internals.Auth._authenticate (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/auth.js:273:30)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://<WAZUH_DASHBOARD_URL>/favicon.ico","message":"Internal Server Error"}
{"type":"response","@timestamp":"2023-07-20T10:04:30Z","tags":[],"pid":989823,"method":"get","statusCode":500,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"<WAZUH_DASHBOARD_URL>","connection":"keep-alive","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://<WAZUH_DASHBOARD_URL>","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"<HOSTADDRESS>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","referer":"https://<WAZUH_DASHBOARD_URL>"},"res":{"statusCode":500,"responseTime":40,"contentLength":9},"message":"GET /favicon.ico 500 40ms - 9.0B"}
Ian Yenien Serrano
Jul 20, 2023, 11:23:11 AM7/20/23
to Wazuh mailing list
Please check this file: "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml".
Can you tell me if the run_as is set to true or false?
Can you tell me if the run_as is set to true or false?
meganie
Jul 20, 2023, 12:26:13 PM7/20/23
to Wazuh mailing list
Here is the config:
hosts:
- default:
url: https://xxx.xxx.xxx.142
port: 55000
username: wazuh-wui
password: "password"
run_as: true
- default:
url: https://xxx.xxx.xxx.142
port: 55000
username: wazuh-wui
password: "password"
run_as: true
I have a cluster with 3 nodes (1 master with dashboard and 2 worker without dashboard) and a nginx load balancer.
Ian Yenien Serrano
Jul 21, 2023, 5:44:47 AM7/21/23
to Wazuh mailing list
I think I can see what the error is, in the documentation appears "User field: backend_roles" and you put "User field: backend_role".
Can you try to change it?
Can you try to change it?
meganie
Jul 21, 2023, 6:22:21 AM7/21/23
to Wazuh mailing list
Oh wow, thank you very much! It's working now.
Do you also have an idea why I get this error 500 sometimes?
meganie
Jul 21, 2023, 6:28:38 AM7/21/23
to Wazuh mailing list
Ian Yenien Serrano
Jul 21, 2023, 7:02:06 AM7/21/23
to Wazuh mailing list
You can check if the other steps are OK or if there might be another typo like that.
meganie
Jul 26, 2023, 4:46:11 AM7/26/23
to Wazuh mailing list
Yesterday I started from scratch and went through the complete tutorial again. Still the same problem: I get Error 500 sometimes but not always. So I don't think it's a typo because in that case it would never work?
I've made screenshots of the configs:
Azure Manifest
config.yml
Load config.yml changes
roles_mapping.yml
Load roles_mapping.yml changes
wazuh.yml (Is it ok to use the IP here or should I use the url wazuh.xxxxx.xx?)
Role mapping
opensearch_dashboards.yml
Ian Yenien Serrano
Jul 27, 2023, 4:16:17 AM7/27/23
to Wazuh mailing list
Sorry for the delay,
You can review the logs in the following paths:
/var/log/wazuh-indexer/
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
You can review the logs in the following paths:
- wazuh dashboard
- journalctl -u wazuh-dashboard
- cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
- Wazuh indexer
/var/log/wazuh-indexer/
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
meganie
Jul 27, 2023, 8:10:38 AM7/27/23
to Wazuh mailing list
Ok, I think I found something.
There isn't anything interesting in journalctl -u wazuh-dashboard.
/usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log shows some errors but nothing related I think.
But /var/log/wazuh-indexer/wazuh-indexer-cluster.log shows this:
- one successful login in line 12298-12336
- two unsuccessful login in line 12339 and 12382
- another successful login in line 12384-12426
Do you have any idea what could cause this?
Ian Yenien Serrano
Jul 28, 2023, 3:47:58 AM7/28/23
to Wazuh mailing list
I've been looking for some information so you might be able to try what it says in these links,
https://forum.opensearch.org/t/getting-spam-on-log-invalid-authorization-header-send-401-and-www-authenticate-basic/5909
https://forum.search-guard.com/t/no-basic-authorization-header-send-401-and-www-authenticate-basic-while-using-openid-and-basic-auth-domain/1930
One question, does it happen with any user or only with the administrator?
meganie
Jul 28, 2023, 8:36:45 AM7/28/23
to Wazuh mailing list
Those threads never came to a real solution either. But I've tried to delete everything except basic_auth and saml_auth in config.yml but without luck.
Meanwhile I found this new doc for read-only users: https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/read-only/azure-active-directory.html
This also uses the "Sign on URL (Optional)" and I've set that in Azure but without a difference.
I have the problem with both admin and read-only users assigned via Azure. And basic_auth doesn't work after the config changes of course.
HA
Jul 29, 2023, 5:17:58 AM7/29/23
to Wazuh mailing list
Hi all,
I followed the doc https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/read-only/azure-active-directory.html
SAML integration between Azure AD and WAZUH is working.
I change only one setting: the claim
I returns only the
Roles with (user.assignedroles)
Unique User Identifier Twith oLowercase(user.mail) PS: In fact, it seems that username in Wazuh is case sensitive....
Regards,
HA
Ian Yenien Serrano
Jul 31, 2023, 6:01:33 AM7/31/23
to Wazuh mailing list
Thanks for the suggestion
Saddique Khan
Jul 31, 2023, 10:41:25 AM7/31/23
to Wazuh mailing list
Hello all,
readall:
reserved: true
hidden: false
backend_roles:
- "readall"
- "read_team"
I enabled the LDAP in the Wazuh and give access to my LDAP groups using role_mapping file by this:
all_access:
reserved: true
hidden: false
backend_roles:
- "admin"
reserved: true
hidden: false
backend_roles:
- "admin"
_ "My_LDAP_Group"
This is working perfectly fine with my LDAP users login but when I want to use readall default role like this:
reserved: true
hidden: false
backend_roles:
- "readall"
- "read_team"
Then it is throwing this error while user login in:
You have no permissions. Contact to an administrator:
no permissions for [indices:data/read/search] and User
When I duplicate the role and give tenant global_tenant permission to custom_readall access. The new role works fine. Since, I am using kiubernetes for wazuh, if I restart the master wazuh server pod, then this custom settings vanish away, which I don't like to configure every time and map for all ldap users.. Now I need the name of the files and locations to either resolve default readall
role issue or to create one which doesn't disappear with restarting the master pod.
any help will be appreciated.
meganie
Aug 1, 2023, 5:18:16 AM8/1/23
to Wazuh mailing list
This helped and while using Google Chrome I don't have any problems. But many of my colleagues use MS Edge and they still get the Error 500 sometimes.
Ian Yenien Serrano
Aug 2, 2023, 10:43:47 AM8/2/23
to Wazuh mailing list
Great that you got it to work at least with 1 browser, we will be testing to see if it is a browser issue.
meganie
Aug 3, 2023, 2:53:18 AM8/3/23
to Wazuh mailing list
I spoke too soon. Got the problem also with Chrome again.
Ian Yenien Serrano
Aug 7, 2023, 4:34:54 AM8/7/23
to Wazuh mailing list
Sorry for the delay,
This is a very strange error, can you open the browser console and see what request is failing?
To open the browser console once in login you have to right click and press inspect, then you go to network and try to login.
This is a very strange error, can you open the browser console and see what request is failing?
To open the browser console once in login you have to right click and press inspect, then you go to network and try to login.
meganie
Aug 8, 2023, 7:11:11 AM8/8/23
to Wazuh mailing list
I hope this is what you were looking for. Here are the results of two failed logins that happend right after each other but look different.
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
I've replaced:
<WAZUH_DASHBOARD_URL> wazuh.xxxxx.xx
<INTERNAL-IP-ADDRESS> Internal IP Address of the first cluster node with Wazuh Dashboard installed
<HOSTNAME>
Internal Hostname of the first cluster node with Wazuh Dashboard installed
<USER@DOMAIN> Azure/WindowsUser and Domain names
<TOKEN>
First failed login
General >
Request URL:
https://<WAZUH_DASHBOARD_URL>/favicon.ico
Request Method:
GET
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 08:55:30 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding:
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN1>; security_authentication=Fe26.2**<TOKEN2>
Host:
<WAZUH_DASHBOARD_URL>
Referer:
https://<WAZUH_DASHBOARD_URL>/
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
image
Sec-Fetch-Mode:
no-cors
Sec-Fetch-Site:
same-origin
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Request URL:
https://<WAZUH_DASHBOARD_URL>/favicon.ico
Request Method:
GET
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 08:55:30 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding:
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN1>; security_authentication=Fe26.2**<TOKEN2>
Host:
<WAZUH_DASHBOARD_URL>
Referer:
https://<WAZUH_DASHBOARD_URL>/
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
image
Sec-Fetch-Mode:
no-cors
Sec-Fetch-Site:
same-origin
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
General >
Request URL:
https://<WAZUH_DASHBOARD_URL>/favicon.ico
Request Method:
GET
General >
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 08:55:30 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding:
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN>; security_authentication=Fe26.2**<TOKEN>
Host:
<WAZUH_DASHBOARD_URL>
Referer:
https://<WAZUH_DASHBOARD_URL>/
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
image
Sec-Fetch-Mode:
no-cors
Sec-Fetch-Site:
same-origin
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
https://<WAZUH_DASHBOARD_URL>/favicon.ico
Request Method:
GET
General >
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 08:55:30 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding:
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN>; security_authentication=Fe26.2**<TOKEN>
Host:
<WAZUH_DASHBOARD_URL>
Referer:
https://<WAZUH_DASHBOARD_URL>/
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
image
Sec-Fetch-Mode:
no-cors
Sec-Fetch-Site:
same-origin
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Second failed login
General >
Request URL:
https://<WAZUH_DASHBOARD_URL>/
Request Method:
GET
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 09:39:39 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
Request URL:
https://<WAZUH_DASHBOARD_URL>/
Request Method:
GET
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 09:39:39 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding:
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control:
no-cache
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN>; security_authentication=Fe26.2**<TOKEN>
Host:
<WAZUH_DASHBOARD_URL>
Pragma:
no-cache
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
document
Sec-Fetch-Mode:
navigate
Sec-Fetch-Site:
none
Sec-Fetch-User:
?1
Upgrade-Insecure-Requests:
1
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control:
no-cache
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN>; security_authentication=Fe26.2**<TOKEN>
Host:
<WAZUH_DASHBOARD_URL>
Pragma:
no-cache
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
document
Sec-Fetch-Mode:
navigate
Sec-Fetch-Site:
none
Sec-Fetch-User:
?1
Upgrade-Insecure-Requests:
1
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
General >
Request URL:
https://<WAZUH_DASHBOARD_URL>/favicon.ico
Request Method:
GET
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 09:39:39 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding:
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control:
no-cache
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN>; security_authentication=Fe26.2**<TOKEN>
Host:
<WAZUH_DASHBOARD_URL>
Pragma:
no-cache
Referer:
https://<WAZUH_DASHBOARD_URL>/
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
image
Sec-Fetch-Mode:
no-cors
Sec-Fetch-Site:
same-origin
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Request URL:
https://<WAZUH_DASHBOARD_URL>/favicon.ico
Request Method:
GET
Status Code:
500 Internal Server Error
Remote Address:
<INTERNAL-IP-ADDRESS>:443
Referrer Policy:
strict-origin-when-cross-origin
Response Headers >
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
97
Content-Type:
application/json; charset=utf-8
Date:
Tue, 08 Aug 2023 09:39:39 GMT
Keep-Alive:
timeout=120
Osd-Name:
<HOSTNAME>
Set-Cookie:
security_authentication=Fe26.2**<TOKEN>; Secure; HttpOnly; Path=/
X-Frame-Options:
sameorigin
Request Headers >
Accept:
image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding:
gzip, deflate, br
Accept-Language:
de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control:
no-cache
Connection:
keep-alive
Cookie:
wz-api=default; wz-user=<USER@DOMAIN>; wz-token=<TOKEN>; security_authentication=Fe26.2**<TOKEN>
Host:
<WAZUH_DASHBOARD_URL>
Pragma:
no-cache
Referer:
https://<WAZUH_DASHBOARD_URL>/
Sec-Ch-Ua:
"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
image
Sec-Fetch-Mode:
no-cors
Sec-Fetch-Site:
same-origin
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Ian Yenien Serrano
Aug 9, 2023, 7:18:08 AM8/9/23
to Wazuh mailing list
Can you pass me the logs of wazuh-indexer and wazuh-dashboard? and
journalctl -r -u wazuh-indexer
journalctl -r -u wazuh-indexer
meganie
Aug 9, 2023, 10:10:58 AM8/9/23
to Wazuh mailing list
I've send the logs of wazuh-indexer and wazuh-dashboard to you as files yesterday. Please check your spam folder if you didn't get them.
And a second mail today with the output of journalctl -r -u wazuh-indexer.
Ian Yenien Serrano
Aug 10, 2023, 4:34:15 AM8/10/23
to Wazuh mailing list
From what I could see in the logs, the wazuh indexer is stopping and starting up again,
And you have these errors
1. ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-indexer-cluster_server.json"
2. No space left on device
These 2 reasons may be the reason why it restarts, and you can't log in.
And you have these errors
1. ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-indexer-cluster_server.json"
2. No space left on device
These 2 reasons may be the reason why it restarts, and you can't log in.
Reply all
Reply to author
Forward
0 new messages