Wazuh - Change IP

[Miguel Angel Torrez Maldonado]

Hello, I hope you're all well. My question is:
I'm trying to change the IP address of the Wazuh dashboard (Wazuh is currently deployed on three virtual machines: Indexer, Manager, and Dashboard). What changes should I make?
I was planning to edit the "/root/config.yml" file and change it to the new IP address:

Is that all I need to do?

.# Wazuh dashboard nodes 

dashboard: 

- name: dashboard 

ip: "<dashboard-node-ip>"

[Bony V John]

Hi,

To update the IP address of the Wazuh Dashboard, you can follow the steps below:

On the Indexer server:

Step 1: Generate New Certificates
Refer to the Wazuh documentation on certificate generation to create new certificates.
Update the config.yml file with the new IP address of the Wazuh Dashboard server. Keep the rest of the IPs unchanged.

# Wazuh dashboard nodes 

dashboard: 

- name: dashboard 

ip: "<dashboard-node-new-ip>"

After generating the certificates, copy the wazuh-certificate.tar file to all Wazuh servers.

Step 2: Deploy Certificates
Extract the wazuh-certificate.tar file on all servers and place the certificates in their respective paths on the Indexer.
Refer to the Wazuh certificate deployment guide for guidance.
Reload the daemon and restart the Wazuh Indexer service:

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Step 3: Initialize the Cluster
Run the following script to initialize the cluster:

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

Check the Wazuh Indexer status: 

systemctl status wazuh-indexer

On the Wazuh manager server:

Step 1: Deploy New Certificates
Extract the copied wazuh-certificate.tar file and deploy the certificates.

Refer to the Wazuh certificate deployment documentation for instructions.   

Enable and start the Wazuh manager service:

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Check the status of Wazuh manager service:

systemctl status wazuh-manager

Enable and start the filebeat service:

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

On the Wazuh dashboard server:

Step 1: Update Dashboard Configuration
Edit the file /etc/wazuh-dashboard/opensearch_dashboards.yml and update the server.host field with the new IP address. 

Example:  

server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate

Step 2: Deploy Certificates
Follow the Wazuh certificate deployment documentation to configure the certificates correctly.

Step 3: Restart the Dashboard Service

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

[Miguel Angel Torrez Maldonado]

Thank you very much, it worked for me, but now I don't see any events in the alerts or when entering the modules... but the agents are already connected and I would also like to know how to enter the wildcard certificates in Wazuh-dashboard

[Bony V John]

If alerts are not showing in the Wazuh dashboard, you can follow the troubleshooting methods below:

Check if alerts are being generated on the Wazuh manager, run the following command on the Wazuh manager server:

cat /var/ossec/logs/alerts/alerts.json

If alerts are not being generated, check the Wazuh manager log file for any error entries:  

cat /var/ossec/logs/ossec.log | grep -iE "error|warn|crit|fatal"

Check Filebeat output status, run the following command to verify Filebeat’s connection and output:  

filebeat test output

Check the Wazuh indexer status:

systemctl status wazuh-indexer

Check Wazuh Indexer health status, run the following command to check the overall health of the indexer:  

curl -XGET -k -u admin:<password> "https://<Indexer_IP>:9200/_cluster/health"

Replace <password> and <Indexer_IP> with the appropriate credentials and the IP address of the Wazuh Indexer.  

Check for shards in the indexer, use the following command:  

curl -XGET -k -u admin:<password> "https://<Indexer_IP>:9200/_cat/shards?v"

Ensure that new alert indices are being generated in the Wazuh Indexer

Check the Wazuh Indexer log file for errors:

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE "error|warn|crit|fatal"

 

Check Wazuh Dashboard logs for any issues, run the following command:  

journalctl -u wazuh-dashboard | grep -iE "error|warn|crit|fatal"

Please share the findings from the above steps, including the full output of the commands, so we can assist you further with the analysis.

For configuring wildcard certificates for the Wazuh dashboard, you can refer to the Wazuh documentation for step-by-step guidance.

[Miguel Angel Torrez Maldonado]

Thanks, I've solved it now. It was because of Filebeat and the new certificates I generated with different names, so I had to point the different services to the new names.