Filebeat Test Output Error with version 4.8
168 views
Skip to first unread message
Rei Gjata
Sep 3, 2024, 12:04:45 PM9/3/24
to Wazuh | Mailing List
Hello, Im doing a fresh install of Wazuh 4.8.2 on Ubuntu Server 22.4
I Installed the Indexer everything was good.
Installed the Server and Filebeat.
When Im testing the output of filebeat i get the below error.
I tried regenerating all the certificates but no luck.
elasticsearch: https://192.168.x.x:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.x.x
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... ERROR x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Wazuh")
wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-09-03 15:39:38 UTC; 7min ago
Main PID: 733 (node)
Tasks: 11 (limit: 19048)
Memory: 301.7M
CPU: 3min 731ms
CGroup: /system.slice/wazuh-dashboard.service
└─733 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
Sep 03 15:46:56 wazuh-opensearch-dashboards[733]: {"type":"log","@timestamp":"2024-09-03T15:46:56Z","tags":["error","opensearch","data"],"pid":733,"message":"[ConnectionError]: unable to verify the first certificate"}
Any ideas?
I Installed the Indexer everything was good.
Installed the Server and Filebeat.
When Im testing the output of filebeat i get the below error.
I tried regenerating all the certificates but no luck.
elasticsearch: https://192.168.x.x:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.x.x
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... ERROR x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Wazuh")
I skipped from these and proceeded on installing the dashboard, but
clearly im getting another error for that, as dashboard is not
accessible. Dashboard its not ready yet.
wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-09-03 15:39:38 UTC; 7min ago
Main PID: 733 (node)
Tasks: 11 (limit: 19048)
Memory: 301.7M
CPU: 3min 731ms
CGroup: /system.slice/wazuh-dashboard.service
└─733 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
Sep 03 15:46:56 wazuh-opensearch-dashboards[733]: {"type":"log","@timestamp":"2024-09-03T15:46:56Z","tags":["error","opensearch","data"],"pid":733,"message":"[ConnectionError]: unable to verify the first certificate"}
Any ideas?
Eric Franco Fahnle
Sep 3, 2024, 12:15:30 PM9/3/24
to Wazuh | Mailing List
Hi! Hope you're doing great.
Could you please share the folder where you have the certificates with ls -lah?
Also, please make sure you are specifying the correct node names in the NODE_NAME=<indexer-node-name> and they are the same names you specified in the config.yml file.
Rei Gjata
Sep 3, 2024, 12:52:11 PM9/3/24
to Wazuh | Mailing List
Hi,
Im pretty sure the NODE_NAME is the same as the one specified on Config.yml file . Only if i mistyped something.. Is there any way to check it? or should i Just specify it again to test?
This is the folder /etc/wazuh-indexer/certs when i list with ls -lah
dr-x------ 2 wazuh-indexer wazuh-indexer 4.0K Sep 3 10:45 .
drwxr-x--- 10 wazuh-indexer wazuh-indexer 4.0K Sep 3 10:36 ..
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Sep 3 10:13 admin-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.1K Sep 3 10:13 admin.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Sep 2 14:45 indexer-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Sep 2 14:45 indexer.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.2K Sep 3 10:13 root-ca.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Sep 3 10:13 wazuh-pb-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Sep 3 10:13 wazuh-pb.pem
Thank you
Im pretty sure the NODE_NAME is the same as the one specified on Config.yml file . Only if i mistyped something.. Is there any way to check it? or should i Just specify it again to test?
This is the folder /etc/wazuh-indexer/certs when i list with ls -lah
dr-x------ 2 wazuh-indexer wazuh-indexer 4.0K Sep 3 10:45 .
drwxr-x--- 10 wazuh-indexer wazuh-indexer 4.0K Sep 3 10:36 ..
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Sep 3 10:13 admin-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.1K Sep 3 10:13 admin.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Sep 2 14:45 indexer-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Sep 2 14:45 indexer.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.2K Sep 3 10:13 root-ca.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Sep 3 10:13 wazuh-pb-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Sep 3 10:13 wazuh-pb.pem
Thank you
Rei Gjata
Sep 3, 2024, 1:07:03 PM9/3/24
to Wazuh | Mailing List
Defintly the NODE_NAME is the same as the one on Config.yml since the Certificates created do have the same name as the name of node specified on Config.yml
Eric Franco Fahnle
Sep 3, 2024, 2:19:29 PM9/3/24
to Wazuh | Mailing List
Hi. You can check the environment variable NODE_NAME by doing echo $NODE_NAME if you still haven't logged out.
Also, let's check the following.
1. Verify the configuration file for the indexer: /etc/wazuh-indexer/opensearch.yml
Check that all certificates match the corresponding names and paths
Here's mine for reference (paths may be different as mine is a docker deployment)
bash-5.2$ grep "plugins.security" /usr/share/wazuh-indexer/opensearch.yml
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
plugins.security.restapi.roles_enabled:
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
plugins.security.allow_default_init_securityindex: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
plugins.security.restapi.roles_enabled:
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
plugins.security.allow_default_init_securityindex: true
bash-5.2$ ls -lah /usr/share/wazuh-indexer/certs/
total 44K
drwxr-x--- 1 wazuh-indexer wazuh-indexer 4.0K Aug 28 18:37 .
drwx------ 1 wazuh-indexer wazuh-indexer 4.0K Sep 3 18:05 ..
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 28 18:36 admin-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.1K Aug 28 18:36 admin.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 20 13:36 indexer-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Aug 20 13:36 indexer.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.2K Aug 28 18:36 root-ca.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 28 18:36 wazuh.indexer.key
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Aug 28 18:36 wazuh.indexer.pem
total 44K
drwxr-x--- 1 wazuh-indexer wazuh-indexer 4.0K Aug 28 18:37 .
drwx------ 1 wazuh-indexer wazuh-indexer 4.0K Sep 3 18:05 ..
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 28 18:36 admin-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.1K Aug 28 18:36 admin.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 20 13:36 indexer-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Aug 20 13:36 indexer.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.2K Aug 28 18:36 root-ca.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 28 18:36 wazuh.indexer.key
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Aug 28 18:36 wazuh.indexer.pem
2. You can inspect the cert with openssl, like this: openssl x509 -in <the-cert-file> -noout -text
3. If you still haven't deleted the TAR file, you could try running the certificates deployment again, in case a step was missed: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#deploying-certificates
Let me know how it goes.
Let me know how it goes.
Rei Gjata
Sep 3, 2024, 3:06:12 PM9/3/24
to Wazuh | Mailing List
I'll make sure everything is correct as you said, tomorrow morning since I'm out of office for today.
Thanks for help.
Ill write back tomorrow for anything
Rei Gjata
Sep 4, 2024, 4:18:25 AM9/4/24
to Wazuh | Mailing List
Hello,
I was able to resolve it thanks to your advice.
The names of Certs were not correct at opensearch.yml config file.
They were pointed to to the wrong certificates.
Thanks a lot, very helpful
The names of Certs were not correct at opensearch.yml config file.
They were pointed to to the wrong certificates.
Thanks a lot, very helpful
Eric Franco Fahnle
Sep 4, 2024, 9:03:17 AM9/4/24
to Wazuh | Mailing List
Hi
Glad it worked! Don't hesitate to ask if you have any doubts.
Have a great day.
Regards,
Eric
Reply all
Reply to author
Forward
0 new messages