Wazuh dashboard not starting, reset password yields "ERROR: Could not load the changes."


jcol

Aug 6, 2025, 10:48:32 AM
to Wazuh | Mailing List
Hello, we had a working WAZUH instance; after my vacation and some OS updates it showed "Wazuh dashboard server is not ready yet" permanently. I tried to reset the passwords, but then I get:

06/08/2025 14:09:56 INFO: Updating the internal users.
06/08/2025 14:10:04 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
06/08/2025 14:10:04 INFO: Generating password hash
06/08/2025 14:10:18 ERROR: Could not load the changes.
regardless of which option I use for the password tool. Certificates etc. seem to be correct and in the expected location. The indexer is running, but it seems it does not store any data although the agents should be able to connect.

How can I get this instance going again?
Best regards, Jakob Curdes
 

Federico Ramos

Aug 6, 2025, 3:27:30 PM
to Wazuh | Mailing List
Hi, could you share the logs for the following components:

Wazuh Indexer:

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Wazuh Manager:
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Wazuh Dashboard:

journalctl -u wazuh-dashboard | grep -i -E "error|warn"

Primarily, we need to validate whether the error is related to the Dashboard's connection to the manager or the indexer so we can rule it out.

jcol

Aug 7, 2025, 4:35:30 AM
to Wazuh | Mailing List
Hello Federico, thank you for helping! Here are the logs: 

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2025-08-06T14:28:24,418][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:33276
[2025-08-06T14:28:24,799][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:54234
[2025-08-06T14:28:26,534][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:54234
[2025-08-06T14:28:29,081][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:54234

 cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
2025-08-07T07:15:16.474Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): Get "https://127.0.0.1:9200": dial tcp 127.0.0.1:9200: connect: connection refused
2025-08-07T07:15:46.886Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): Get "https://127.0.0.1:9200": dial tcp 127.0.0.1:9200: connect: connection refused

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn" 
2025/08/07 07:15:17 wazuh-authd: ERROR: Incompatible version for new agent from: 192.168.Y.XXX
2025/08/07 07:16:07 wazuh-authd: ERROR: Incompatible version for new agent from: 192.168.Y.XXX

journalctl -u wazuh-dashboard | grep -i -E "error|warn" 

Aug 07 07:22:40 ovlxlog1 opensearch-dashboards[970]: {"type":"log","@timestamp":"2025-08-07T07:22:40Z","tags":["error","opensearch","data"],"pid":970,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Aug 07 07:22:43 ovlxlog1 opensearch-dashboards[970]: {"type":"log","@timestamp":"2025-08-07T07:22:43Z","tags":["error","opensearch","data"],"pid":970,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Aug 07 07:22:45 ovlxlog1 opensearch-dashboards[970]: {"type":"log","@timestamp":"2025-08-07T07:22:45Z","tags":["error","opensearch","data"],"pid":970,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

It looks to me like a credential problem which then prevents services from starting?

jcol

Aug 13, 2025, 8:13:52 AM
to Wazuh | Mailing List
Hello, any comments on the logs? I would not care to lose the current data, but want to avoid a complete reinstallation because then I need to redeploy all the agents.

Federico Ramos

Aug 22, 2025, 9:49:20 AM
to Wazuh | Mailing List
From what I see in the logs, it seems the errors are caused by authentication with Indexer and Kibana. This could be due to passwords. Try logging in manually with the accounts described in the logs. If you can't, I recommend changing the passwords as shown in https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html#changing-the-passwords-for-all-users
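
The outputs posted in this thread contain two different symptoms: accounts whose credentials the indexer rejected, and clients that got connection refused on 127.0.0.1:9200. As an added example (not part of any post in the thread; the function names `triage` and `sample_logs` are made up here), this script tallies both per account and per target with the last timestamp seen, using lines copied from the posts above as sample input:

```shell
#!/bin/sh
# Added example: tally the two symptoms in the grep outputs requested in this thread.
# "triage" and "sample_logs" are names made up for this example.

# Sample input: lines copied from the logs posted in the thread.
sample_logs() {
cat <<'EOF'
[2025-08-06T14:28:24,418][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:33276
[2025-08-06T14:28:24,799][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:54234
[2025-08-06T14:28:26,534][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:54234
2025-08-07T07:15:16.474Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): Get "https://127.0.0.1:9200": dial tcp 127.0.0.1:9200: connect: connection refused
2025/08/07 07:15:17 wazuh-authd: ERROR: Incompatible version for new agent from: 192.168.Y.XXX
Aug 07 07:22:40 ovlxlog1 opensearch-dashboards[970]: {"type":"log","@timestamp":"2025-08-07T07:22:40Z","tags":["error","opensearch","data"],"pid":970,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
EOF
}

# Reads log lines on stdin; prints "<symptom> <account|target> <count> last=<timestamp>".
triage() {
  awk '
    # First ISO-8601 timestamp on the line, or "-" if there is none.
    function ts(line) {
      if (match(line, /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/))
        return substr(line, RSTART, RLENGTH)
      return "-"
    }
    function note(key, t) { n[key]++; if (t > last[key]) last[key] = t }
    # Indexer answered but rejected the credentials of this account.
    /Authentication finally failed for / {
      for (i = 2; i < NF; i++)
        if ($i == "for" && $(i - 1) == "failed") { note("auth_failed " $(i + 1), ts($0)); break }
      next
    }
    # Nothing accepted the TCP connection on this address:port.
    /connection refused|ECONNREFUSED/ {
      if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/)) {
        target = substr($0, RSTART, RLENGTH)
        note("conn_refused " target, ts($0))
      }
    }
    END { for (k in n) print k, n[k], "last=" last[k] }
  ' | LC_ALL=C sort
}

sample_logs | triage
```

On the affected host, the real log files and the `journalctl -u wazuh-dashboard` output can be piped into `triage` in place of `sample_logs`. The indexer lines carry no zone marker while the filebeat and dashboard lines end in `Z`, so compare the `last=` values at coarse granularity only.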