Wazuh is not loading

[SP_11]

Hi,

The wazuh is not working and giving the below errors. Appreciate it if anyone could assist with me to fix the issue

When I try to access the dashboard, it gives the below error.

And when I run the service wazuh-manager status in CLI,it shows that some services are down

Further, when I run "cat /var/ossec/logs/ossec.log | grep -i -E "error|warn" it shows me the below error

Really appreciate your prompt support on this.

Thank you

[SP_11]

Hi can anyone help me with this please

Thanks

[Julio Gasco]

Hi Shenal,

Sometimes there is a file that may get corrputed. I had this issue on a server that got at 100% disk use.

Please try the following

Remove the following file:

/usr/share/wazuh-dashboard/data/wazuh/config/wazuh-registry.json

and restart the wazuh-dashboard:

systemctl restart wazuh-dashboard

the wazuh-registry.json will be recreated automatically and dashboard should start correctly.

Please let me know if this works

Regards

[SP_11]

Hi Julio

Thanks for the response.

I followed your steps, but now I am getting a new error now

INFO: Current API id [default] INFO: Checking current API id [default]... INFO: Current API id [default] has some problem: 3002 - Request failed with status code 400 INFO: Getting API hosts... INFO: API hosts found: 1 INFO: Checking API host id [default]... INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Some Wazuh daemons are not ready yet in node "node01" (wazuh-analysisd->stopped) INFO: Removed [navigate] cookie ERROR: No API available to connect

[Julio Gasco]

Hi Shenal,

Please restart your wazuh-manager:

systemctl restart wazuh-manager

If the problem still persists please run again:

cat /var/ossec/logs/ossec.log | grep -i -E "error|war

Also share the output of the following command after the restart:

systemctl status wazuh-manager

Regards!

[SP_11]

Hi Julio,

Issue is still there even after the service restart (did a completely hard restart even)

Command output

2022/11/04 12:22:11 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2022/11/04 12:22:11 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2022/11/04 12:22:11 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2022/11/04 12:22:11 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 6 information.

GUI Error

INFO: Current API id [default] INFO: Checking current API id [default]... INFO: Current API id [default] has some problem: 3002 - Request failed with status code 400 INFO: Getting API hosts... INFO: API hosts found: 1 INFO: Checking API host id [default]... INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Some Wazuh daemons are not ready yet in node "node01" (wazuh-modulesd->stopped, wazuh-analysisd->failed, wazuh-remoted->stopped) INFO: Removed [navigate] cookie ERROR: No API available to connect

[SP_11]

Hi Julio,

Were you able to check the provided error.

Thank you

[Julio Gasco]

Hi Shenal,

Please follow the next steps
First check that the filesystem is not filled up.
You can do this with the following command:

df -h

and check that the filesystem where the wazuh-manager is installed (/var/ossec) has space available.
Once you confirm there is space:
Check the file /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
at the end of the file you will see a content similar to this:

hosts:
  - default:
     url: https://<wazuh-server-ip>
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

url is the IP of the server where wazuh-manager is installed. Port is the listening port (55000 by default)
and username and password are the credentials used by the wazuh-api. These values may differ in your configuration but it should look similar with your information.
To test this configuration is ok execute the following curl command:

curl -u api_user:api_pass -k -X GET "https://<wazuh-server-ip>:55000/security/user/authenticate?raw=true"

Replacing api_user and api_pass by the username and password defined in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
And replacing the with the corresponding ip of the server where wazuh-manager is installed.

Once you checked this is working and the above curl command is successful proceed to restart wazuh-dasboard

systemctl restart wazuh-dashboard

Go to your browser and remove the cache (Cookis, local storage, etc) And try to access the wazuh-dashboard again on your browser.

If this still doesn´t work please restart the wazuh-manager

systemctl restart wazuh-manager

Once restarted please run the following command:

/var/ossec/bin/wazuh-control status

And check the following services are running:

wazuh-monitord is running...
wazuh-remoted is running...
wazuh-analysisd is running...
wazuh-db is running...
wazuh-authd is running...

This should have your environment back working, in case you are still getting an error please share it with me which servers are still failing on the /var/ossec/bin/wazuh-control status
and the errors that show up on ossec.log

Regards,

​

[SP_11]

Hi Julio,

Thanks for the information. I was able to identify and troubleshoot the issue.

I'll share the procedure below as it would be helpful for someone else.

The initial issue was that Wazuh ran out of storage and caused the "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh-registry.json" to get corrupted.   

Once that file was deleted and the service restart was done, the JSON error disappears but still, wazuh console didn't come up.

Further checking it was found that the "wazuh-analysisd" service and a few other services were down and not coming up.

When the " /var/ossec/bin/wazuh-analysisd -f " command was executed, it showed that "wazuh-analysisd" is facing privilege errors to create the "archive" file in the " /var/ossec/logs " directory.

This could happen due to the below task which was conducted a few hours ago.

Since the wazuh was running out of space, the "/var/ossec/logs" directory was moved to another partition. During this activity, the folder permissions and owner changed.

Once that permission issue is sorted, wazuh started to work as usual.

Thank you