Change admin password Docker deployment


Nik Andreevich

Aug 24, 2022, 7:37:40 AM
to Wazuh mailing list
Hello, I use the Docker deployment in single-node mode and I've tried to change INDEXER_PASSWORD in the docker-compose file, but the health check always fails with:
[Screenshot 2022-08-24 at 14.30.40.png]

and I use the same password in the docker-compose.yml file.
How do I change the default admin password without that bloody effect on wazuh-indexer?

PS: https://packages.wazuh.com/4.3/wazuh-passwords-tool.sh this script doesn't work with the Docker deployment?

Santiago David Vendramini

Aug 24, 2022, 8:09:55 AM
to Wazuh mailing list
Hi! Thanks for using Wazuh!
Let me find more information about this. I will reply to you as soon as possible.
Regards!

Santiago David Vendramini

Aug 24, 2022, 9:40:09 AM
to Wazuh mailing list
Hi! Can you follow these steps?

  1. From the machine hosting the Docker containers, run this to generate the hash of the new password:
       docker run --rm -ti wazuh/wazuh-indexer:4.3.6 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
  2. Take, for example, a single-node deployment. Copy the hash and replace the one for the admin user here: /single-node/config/wazuh_indexer/internal_users.yml
  3. Change the default INDEXER_PASSWORD in the docker-compose.yml file to the new one. Search and replace it.
  4. Start the stack:
       docker-compose up -d
  5. Run docker ps and note the name of the Wazuh indexer container.
  6. Run the following to enter the container (single-node_wazuh.indexer_1 is the container name obtained in the previous step):
       docker exec -it single-node_wazuh.indexer_1 bash
  7. Set the following variables:
       export INSTALLATION_DIR=/usr/share/wazuh-indexer
       export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
       CACERT=$OPENSEARCH_PATH_CONF/certs/root-ca.pem
       KEY=$OPENSEARCH_PATH_CONF/certs/admin-key.pem
       CERT=$OPENSEARCH_PATH_CONF/certs/admin.pem
       export JAVA_HOME=/usr/share/wazuh-indexer/jdk
  8. Run this command:
       bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9300 -icl
  9. Log in with the new password.
I hope this solves your need! Let me know if you need anything else!
Regards!

Nik Andreevich

Aug 24, 2022, 10:07:07 AM
to Wazuh mailing list
It works! Thank you.
[Screenshot 2022-08-24 at 17.04.18.png]
I think you need to include this in the documentation/docker-compose.yml :)
Next step - default API password.

Santiago David Vendramini

Aug 24, 2022, 11:22:44 AM
to Wazuh mailing list
Great! Yes! Our content team is working on updating the documentation! Regards!

Nik Andreevich

Aug 31, 2022, 9:13:07 AM
to Wazuh mailing list
Hello again!
After these changes I cannot see any alerts in my dashboard. It is just empty and offers to expand the time range. The last alert is from 08.24.
docker-compose logs shows me the following error:
single-node-wazuh.manager-1  | 2022-08-31T13:07:48.537Z    ERROR    [publisher_pipeline_output]    pipeline/output.go:154    Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): 401 Unauthorized: Unauthorized

Please help to repair it.
Regards.

Nik Andreevich

Sep 2, 2022, 4:32:15 AM
to Wazuh mailing list
Hi guys, need some comments, please.
The health check completes successfully, but I still get errors:
ERROR    [publisher_pipeline_output]    pipeline/output.go:154    Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): 401 Unauthorized: Unauthorized

Santiago David Vendramini

Sep 2, 2022, 10:31:00 AM
to Wazuh mailing list
Hi! Sorry for the delay! Let me find more information about this, I will be back ASAP with an answer! Regards!

Santiago David Vendramini

Sep 2, 2022, 10:44:55 AM
to Wazuh mailing list
Can you please check if the new password is properly configured in /etc/filebeat/filebeat.yml? Can you also tell me what version of Wazuh you are deploying?

Santiago David Vendramini

Sep 2, 2022, 10:46:45 AM
to Wazuh mailing list
Can you also run filebeat test output and send me the results?

Nik Andreevich

Sep 2, 2022, 11:17:50 AM
to Wazuh mailing list
Okay! Old plain-text password detected. Again :D Let me change it, I will be back with some results.

Wazuh version 4.3.6

I will present the result of filebeat test output after all manipulations.
Thank you!

Nik Andreevich

Sep 2, 2022, 11:40:26 AM
to Wazuh mailing list

Before editing /etc/filebeat/filebeat.yml:

root@wazuh:/# filebeat test output
elasticsearch: https://wazuh.indexer:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: <IP_address>
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR 401 Unauthorized: Unauthorized


After:
elasticsearch: https://wazuh.indexer:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: <IP_address>
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
In logs: single-node-wazuh.manager-1  | 2022-09-02T15:33:15.703Z    INFO    [publisher_pipeline_output]    pipeline/output.go:151    Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established

We're very close, I feel it :)
Now, after the change, I see a NEW error)
single-node-wazuh.manager-1  | 2022/09/02 15:34:10 wazuh-remoted: ERROR: Cannot create multigroup directory 'var/multigroups/dc82326a': Permission denied (13)

I'm pretty sure it's because we still haven't changed the password everywhere.
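
Added example (not part of any post in this thread and not Wazuh project code): the 401 above came from Filebeat still holding the old indexer password, so this shell check compares the INDEXER_PASSWORD values in docker-compose.yml with the output.elasticsearch password in filebeat.yml without printing either secret. The function names, file layouts and password values are constructed assumptions.

```shell
#!/bin/sh
# Added example: detect the failure from this thread, where filebeat.yml still
# holds the old indexer password after docker-compose.yml was updated.
# File layouts and all password values below are constructed samples.

# Print every INDEXER_PASSWORD value set in a compose file, one per line.
compose_passwords() {
    sed -n 's/^[[:space:]]*-[[:space:]]*INDEXER_PASSWORD=//p' "$1" | tr -d "\"'"
}

# Print the password configured under output.elasticsearch in filebeat.yml.
filebeat_password() {
    awk '/^output\.elasticsearch:/ { inside = 1; next }
         /^[^ \t#]/                { inside = 0 }
         inside && /^[ \t]+password:/ {
             sub(/^[ \t]+password:[ \t]*/, ""); print; exit }' "$1" | tr -d "\"'"
}

# Succeed only if both files agree; never echo the secrets themselves.
check_indexer_password() {
    fb=$(filebeat_password "$2")
    distinct=$(compose_passwords "$1" | sort -u)
    [ -n "$fb" ] || { echo "no output.elasticsearch password in $2"; return 1; }
    [ -n "$distinct" ] || { echo "no INDEXER_PASSWORD in $1"; return 1; }
    [ "$distinct" = "$fb" ] || { echo "MISMATCH: $2 does not match $1"; return 1; }
    echo "OK: $1 and $2 use the same indexer password"
}

# Write constructed sample files into directory $1; $2 is Filebeat's password.
write_samples() {
    cat > "$1/docker-compose.yml" <<'EOF'
services:
  wazuh.manager:
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=N3w-Example-Pass
  wazuh.dashboard:
    environment:
      - INDEXER_PASSWORD=N3w-Example-Pass
EOF
    printf 'output.elasticsearch:\n  hosts: ["https://wazuh.indexer:9200"]\n  username: admin\n  password: "%s"\n' "$2" > "$1/filebeat.yml"
}

demo=$(mktemp -d)
write_samples "$demo" "Old-Example-Pass"   # stale password: reports MISMATCH
check_indexer_password "$demo/docker-compose.yml" "$demo/filebeat.yml" || true
write_samples "$demo" "N3w-Example-Pass"   # after the fix: reports OK
check_indexer_password "$demo/docker-compose.yml" "$demo/filebeat.yml"
rm -rf "$demo"
```

A match only shows the two files agree with each other; the hash in internal_users.yml is a separate value that this check does not verify.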


Santiago David Vendramini

Sep 2, 2022, 12:27:01 PM
to Wazuh mailing list
Can you check the permissions of the directory var/multigroups?

Nik Andreevich

Sep 5, 2022, 3:39:18 AM
to Wazuh mailing list
Yes, but I need the full path to check. /var has no multigroups directory.

Nik Andreevich

Sep 5, 2022, 3:41:25 AM
to Wazuh mailing list
UPD: In the Wazuh manager, /var/ossec/var/multigroups
drwxr-xr-x. 2 root root  4096 Sep  1 09:11 multigroups

Santiago David Vendramini

Sep 5, 2022, 4:59:12 PM
to Wazuh mailing list
Hi! Sorry for the delay! The permissions, user and group are wrong. Can you try to change them?
The correct way is: drwxrwx---  2 wazuh wazuh 4096 Aug 29 22:03 multigroups/

Nik Andreevich

Sep 6, 2022, 2:19:37 AM
to Wazuh mailing list
Okay! Now it is:
drwxrwx---. 3 wazuh wazuh 4096 Sep  6 06:00 multigroups

When I changed them, the errors ended.
Thank you for the help!

Santiago David Vendramini

Sep 6, 2022, 8:16:59 AM
to Wazuh mailing list
Great! Let me know if you need anything else! Regards!