Filebeat Test Output Error with version 4.8


Rei Gjata

Sep 3, 2024, 12:04:45 PM
to Wazuh | Mailing List
Hello, I'm doing a fresh install of Wazuh 4.8.2 on Ubuntu Server 22.4.
I installed the Indexer; everything was good.
Installed the Server and Filebeat.
When I'm testing the output of Filebeat I get the below error.

I tried regenerating all the certificates but no luck.

elasticsearch: https://192.168.x.x:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.x.x
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Wazuh")

I skipped these and proceeded with installing the dashboard, but clearly I'm getting another error for that, as the dashboard is not accessible ("Dashboard is not ready yet").

wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-09-03 15:39:38 UTC; 7min ago
   Main PID: 733 (node)
      Tasks: 11 (limit: 19048)
     Memory: 301.7M
        CPU: 3min 731ms
     CGroup: /system.slice/wazuh-dashboard.service
             └─733 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Sep 03 15:46:56 wazuh-opensearch-dashboards[733]: {"type":"log","@timestamp":"2024-09-03T15:46:56Z","tags":["error","opensearch","data"],"pid":733,"message":"[ConnectionError]: unable to verify the first certificate"}

Any ideas?

Eric Franco Fahnle

Sep 3, 2024, 12:15:30 PM
to Wazuh | Mailing List
Hi! Hope you're doing great.

Could you please share the folder where you have the certificates with ls -lah?

Also, please make sure you are specifying the correct node names in the NODE_NAME=<indexer-node-name> and they are the same names you specified in the config.yml file.

Rei Gjata

Sep 3, 2024, 12:52:11 PM
to Wazuh | Mailing List
Hi,

I'm pretty sure the NODE_NAME is the same as the one specified in the config.yml file, unless I mistyped something. Is there any way to check it? Or should I just specify it again to test?

This is the folder /etc/wazuh-indexer/certs when I list it with ls -lah:

dr-x------  2 wazuh-indexer wazuh-indexer 4.0K Sep  3 10:45 .
drwxr-x--- 10 wazuh-indexer wazuh-indexer 4.0K Sep  3 10:36 ..
-r--------  1 wazuh-indexer wazuh-indexer 1.7K Sep  3 10:13 admin-key.pem
-r--------  1 wazuh-indexer wazuh-indexer 1.1K Sep  3 10:13 admin.pem
-r--------  1 wazuh-indexer wazuh-indexer 1.7K Sep  2 14:45 indexer-key.pem
-r--------  1 wazuh-indexer wazuh-indexer 1.3K Sep  2 14:45 indexer.pem
-r--------  1 wazuh-indexer wazuh-indexer 1.2K Sep  3 10:13 root-ca.pem
-r--------  1 wazuh-indexer wazuh-indexer 1.7K Sep  3 10:13 wazuh-pb-key.pem
-r--------  1 wazuh-indexer wazuh-indexer 1.3K Sep  3 10:13 wazuh-pb.pem

Thank you

Rei Gjata

Sep 3, 2024, 1:07:03 PM
to Wazuh | Mailing List
Definitely the NODE_NAME is the same as the one in config.yml, since the certificates created do have the same name as the node name specified in config.yml.

Eric Franco Fahnle

Sep 3, 2024, 2:19:29 PM
to Wazuh | Mailing List
Hi. You can check the environment variable NODE_NAME by running echo $NODE_NAME if you still haven't logged out.

Also, let's check the following.

1. Verify the configuration file for the indexer: /etc/wazuh-indexer/opensearch.yml
Check that all certificates match the corresponding names and paths.
Here's mine for reference (paths may differ as mine is a Docker deployment):

bash-5.2$ grep "plugins.security"  /usr/share/wazuh-indexer/opensearch.yml
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
plugins.security.restapi.roles_enabled:
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
plugins.security.allow_default_init_securityindex: true

bash-5.2$ ls -lah /usr/share/wazuh-indexer/certs/
total 44K
drwxr-x--- 1 wazuh-indexer wazuh-indexer 4.0K Aug 28 18:37 .
drwx------ 1 wazuh-indexer wazuh-indexer 4.0K Sep  3 18:05 ..
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 28 18:36 admin-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.1K Aug 28 18:36 admin.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 20 13:36 indexer-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Aug 20 13:36 indexer.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.2K Aug 28 18:36 root-ca.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1.7K Aug 28 18:36 wazuh.indexer.key
-r-------- 1 wazuh-indexer wazuh-indexer 1.3K Aug 28 18:36 wazuh.indexer.pem

2. You can inspect the cert with openssl, like this: openssl x509 -in <the-cert-file> -noout -text

3. If you still haven't deleted the TAR file, you could try running the certificates deployment again, in case a step was missed: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#deploying-certificates

Let me know how it goes.
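A scripted version of the checks listed above (do the file paths in opensearch.yml exist, does the node certificate chain to the configured CA, does the private key belong to the certificate). This is an added example, not Wazuh's own tooling: `yml_value` and `check_indexer_tls` are hypothetical helper names, the default path /etc/wazuh-indexer/opensearch.yml comes from the thread, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of Wazuh): sanity-check the HTTP
# TLS material that opensearch.yml points at, which is what Filebeat and the
# dashboard see when they connect to the indexer on port 9200.

# Return the value of one flat `key: value` line from a YAML file.
yml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Usage: check_indexer_tls [path-to-opensearch.yml]; returns 0 when all checks pass.
check_indexer_tls() {
    yml="${1:-/etc/wazuh-indexer/opensearch.yml}"
    cert=$(yml_value "$yml" "plugins.security.ssl.http.pemcert_filepath")
    key=$(yml_value "$yml" "plugins.security.ssl.http.pemkey_filepath")
    ca=$(yml_value "$yml" "plugins.security.ssl.http.pemtrustedcas_filepath")
    rc=0
    for f in "$cert" "$key" "$ca"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable file: '$f'"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 1. The node certificate must chain to the CA the config advertises;
    #    otherwise peers fail with "certificate signed by unknown authority".
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert is not signed by $ca"
        rc=1
    fi

    # 2. The private key must belong to that certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert"
        rc=1
    fi

    # 3. Print subject and issuer so the CN can be compared with NODE_NAME.
    openssl x509 -in "$cert" -noout -subject -issuer 2>/dev/null || true
    return "$rc"
}
```

Run it as root on the indexer node; a non-zero exit plus the printed reason tells you which of the three conditions opensearch.yml violates.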

Rei Gjata

Sep 3, 2024, 3:06:12 PM
to Wazuh | Mailing List
I'll make sure everything is correct as you said, tomorrow morning, since I'm out of office for today.

Thanks for the help.

I'll write back tomorrow for anything.

Rei Gjata

Sep 4, 2024, 4:18:25 AM
to Wazuh | Mailing List
Hello,
I was able to resolve it thanks to your advice.
The names of the certs were not correct in the opensearch.yml config file.
They pointed to the wrong certificates.

Thanks a lot, very helpful

Eric Franco Fahnle

Sep 4, 2024, 9:03:17 AM
to Wazuh | Mailing List
Hi,
Glad it worked! Don't hesitate to ask if you have any doubts.
Have a great day.

Regards,
Eric