Wazuh dashboard server is not ready yet
4,597 views
Skip to first unread message
Ramakrushna Panda
Jun 29, 2022, 7:04:18 AM6/29/22
to Wazuh mailing list
Hello Team,
Not able to acces wazuh dashbord getting error like "Wazuh dashboard server is not ready yet".
Verified all the service up and running but still not able to access the site.
++++++++++++++++++++
Jun 29 11:03:01 wazuh-indexer.novalocal opensearch-dashboards[552]: {"type":"log","@timestamp":"2022-06-29T11:03:01Z","tags":["error","opensearch","data"],"pid":552,"message":"[ResponseError]: Response Error"}
qJun 29 11:03:04 wazuh-indexer.novalocal opensearch-dashboards[552]: {"type":"log","@timestamp":"2022-06-29T11:03:04Z","tags":["error","opensearch","data"],"pid":552,"message":"[ResponseError]: Response Error"}
^C
[root@wazuh-indexer ~]#
qJun 29 11:03:04 wazuh-indexer.novalocal opensearch-dashboards[552]: {"type":"log","@timestamp":"2022-06-29T11:03:04Z","tags":["error","opensearch","data"],"pid":552,"message":"[ResponseError]: Response Error"}
^C
[root@wazuh-indexer ~]#
[root@wazuh-indexer ~]# curl -v telnet://10.3.0.238:9200
* About to connect() to 10.3.0.238 port 9200 (#0)
* Trying 10.3.0.238...
* Connected to 10.3.0.238 (10.3.0.238) port 9200 (#0)
* About to connect() to 10.3.0.238 port 9200 (#0)
* Trying 10.3.0.238...
* Connected to 10.3.0.238 (10.3.0.238) port 9200 (#0)
+++++++++++++++
Thanks
Ramakrushna
Ramakrushna Panda
Jun 29, 2022, 8:27:37 AM6/29/22
to Wazuh mailing list
Able to telnet to wazuh portal but ui not opening. Below logs attached can someone suggest, please
+++++++++++++++++++++++++
● wazuh-dashboard.service - wazuh-dashboardLoaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-06-29 12:13:19 UTC; 10min ago
Main PID: 4409 (node)
CGroup: /system.slice/wazuh-dashboard.service
└─4409 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c...
Jun 29 12:23:29 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:29Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:32 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:32Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:34 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:34Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:37 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:37Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:39 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:39Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:42 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:42Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:44 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:44Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:47 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:47Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:49 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:49Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Jun 29 12:23:52 wazuh-indexer.novalocal opensearch-dashboards[4409]: {"type":"log","@timestamp":"2022-06-29T12:23:52Z","tags":["error","opensearch","data"],"pid":4409,"message":...e Error"}
Hint: Some lines were ellipsized, use -l to show in full.
+++++++++++++++++++++++++++++++++
[root@wazuh-indexer wazuh-indexer]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2022-06-29 11:55:38 UTC; 30min ago
Process: 2087 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/wazuh-manager.service
├─2143 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─2183 /var/ossec/bin/wazuh-authd
├─2200 /var/ossec/bin/wazuh-db
├─2214 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─2217 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─2230 /var/ossec/bin/wazuh-execd
├─2242 /var/ossec/bin/wazuh-analysisd
├─2254 /var/ossec/bin/wazuh-syscheckd
├─2270 /var/ossec/bin/wazuh-remoted
├─2351 /var/ossec/bin/wazuh-logcollector
├─2363 /var/ossec/bin/wazuh-monitord
└─2383 /var/ossec/bin/wazuh-modulesd
Jun 29 11:55:30 wazuh-indexer.novalocal env[2087]: Started wazuh-execd...
Jun 29 11:55:30 wazuh-indexer.novalocal env[2087]: Started wazuh-analysisd...
Jun 29 11:55:31 wazuh-indexer.novalocal env[2087]: Started wazuh-syscheckd...
Jun 29 11:55:32 wazuh-indexer.novalocal env[2087]: Started wazuh-remoted...
Jun 29 11:55:33 wazuh-indexer.novalocal env[2087]: Started wazuh-logcollector...
Jun 29 11:55:34 wazuh-indexer.novalocal env[2087]: Started wazuh-monitord...
Jun 29 11:55:35 wazuh-indexer.novalocal crontab[2461]: (root) LIST (root)
Jun 29 11:55:35 wazuh-indexer.novalocal env[2087]: Started wazuh-modulesd...
Jun 29 11:55:37 wazuh-indexer.novalocal env[2087]: Completed.
Jun 29 11:55:38 wazuh-indexer.novalocal systemd[1]: Started Wazuh manager.
[root@wazuh-indexer wazuh-indexer]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-06-29 12:11:47 UTC; 14min ago
Docs: https://documentation.wazuh.com
Main PID: 4125 (java)
CGroup: /system.slice/wazuh-indexer.service
└─4125 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1894m -Xmx1894m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-627396289269010164 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -XX:MaxDirectMemorySize=993001472 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,865 main ERROR Unable to locate appender "deprecation_rolling_old" for logger config "org.opensearch.deprecation"
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,865 main ERROR Unable to locate appender "deprecation_rolling" for logger config "org.opensearch.deprecation"
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,866 main ERROR Unable to locate appender "index_search_slowlog_rolling_old" for logger config "index.search.slowlog"
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,866 main ERROR Unable to locate appender "index_search_slowlog_rolling" for logger config "index.search.slowlog"
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: An illegal reflective access operation has occurred
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: All illegal access operations will be denied in a future release
Jun 29 12:11:47 wazuh-indexer.novalocal systemd[1]: Started Wazuh-indexer.
[root@wazuh-indexer wazuh-indexer]#
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2022-06-29 11:55:38 UTC; 30min ago
Process: 2087 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/wazuh-manager.service
├─2143 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─2183 /var/ossec/bin/wazuh-authd
├─2200 /var/ossec/bin/wazuh-db
├─2214 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─2217 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
├─2230 /var/ossec/bin/wazuh-execd
├─2242 /var/ossec/bin/wazuh-analysisd
├─2254 /var/ossec/bin/wazuh-syscheckd
├─2270 /var/ossec/bin/wazuh-remoted
├─2351 /var/ossec/bin/wazuh-logcollector
├─2363 /var/ossec/bin/wazuh-monitord
└─2383 /var/ossec/bin/wazuh-modulesd
Jun 29 11:55:30 wazuh-indexer.novalocal env[2087]: Started wazuh-execd...
Jun 29 11:55:30 wazuh-indexer.novalocal env[2087]: Started wazuh-analysisd...
Jun 29 11:55:31 wazuh-indexer.novalocal env[2087]: Started wazuh-syscheckd...
Jun 29 11:55:32 wazuh-indexer.novalocal env[2087]: Started wazuh-remoted...
Jun 29 11:55:33 wazuh-indexer.novalocal env[2087]: Started wazuh-logcollector...
Jun 29 11:55:34 wazuh-indexer.novalocal env[2087]: Started wazuh-monitord...
Jun 29 11:55:35 wazuh-indexer.novalocal crontab[2461]: (root) LIST (root)
Jun 29 11:55:35 wazuh-indexer.novalocal env[2087]: Started wazuh-modulesd...
Jun 29 11:55:37 wazuh-indexer.novalocal env[2087]: Completed.
Jun 29 11:55:38 wazuh-indexer.novalocal systemd[1]: Started Wazuh manager.
[root@wazuh-indexer wazuh-indexer]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-06-29 12:11:47 UTC; 14min ago
Docs: https://documentation.wazuh.com
Main PID: 4125 (java)
CGroup: /system.slice/wazuh-indexer.service
└─4125 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1894m -Xmx1894m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-627396289269010164 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -XX:MaxDirectMemorySize=993001472 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,865 main ERROR Unable to locate appender "deprecation_rolling_old" for logger config "org.opensearch.deprecation"
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,865 main ERROR Unable to locate appender "deprecation_rolling" for logger config "org.opensearch.deprecation"
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,866 main ERROR Unable to locate appender "index_search_slowlog_rolling_old" for logger config "index.search.slowlog"
Jun 29 12:11:34 wazuh-indexer.novalocal systemd-entrypoint[4125]: 2022-06-29 12:11:33,866 main ERROR Unable to locate appender "index_search_slowlog_rolling" for logger config "index.search.slowlog"
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: An illegal reflective access operation has occurred
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jun 29 12:11:44 wazuh-indexer.novalocal systemd-entrypoint[4125]: WARNING: All illegal access operations will be denied in a future release
Jun 29 12:11:47 wazuh-indexer.novalocal systemd[1]: Started Wazuh-indexer.
[root@wazuh-indexer wazuh-indexer]#
Ramakrushna Panda
Jun 29, 2022, 12:12:23 PM6/29/22
to Wazuh mailing list
Hello Team,
Waiting for your valuable input.
Thank you
Javier Castro
Jun 29, 2022, 2:02:42 PM6/29/22
to Wazuh mailing list
Hello!
first, let's take a look at the Wazuh indexer by checking if it's indexing Wazuh alerts information. You can do that with this command:
curl -u admin:admin_password -XGET https://10.3.0.238:9200/_cat/indices?v -k
Make sure that you replace admin_password with the actual password generated during the installation process for the admin user.
In the command output, you should see at least one wazuh-alerts-4.x-YYYY.MM.DD index with documents in it.
Then, we can check the Wazuh dashboard. We can start with:
systemctl status wazuh-dashboard -l
This will give us the full log lines because the one you provided is not adding all of the information. It will show clues about what is happening.
Hope this helps!
Javier.
Ramakrushna Panda
Jun 30, 2022, 5:23:32 AM6/30/22
to Wazuh mailing list
Thank you Javier, below is the command output.
● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open wazuh-alerts-4.x-sample-security O4-ItYS2TACh3dytK2M7Ug 1 0 26696 0 15.5mb 15.5mb
green open wazuh-statistics-2022.25w FRdnchmyTGKR7_5Sv7EnNg 1 0 1835 0 1.4mb 1.4mb
green open wazuh-monitoring-2022.26w mFeRChOFQdOD4oGoR0FL0A 1 0 419 0 458kb 458kb
green open wazuh-monitoring-2022.25w jCASpX-kR2SVvE0Cq3ipmw 1 0 289 0 397.5kb 397.5kb
green open .opendistro-reports-definitions -5yg7p6ZTU2X8BM7eDGy-A 1 0 0 0 208b 208b
green open .kibana_1 7l5Uii3ZRzugqaeb7i3tHQ 1 0 5 6 64.4kb 64.4kb
green open .opendistro_security _9Jx-zEFSNS-6xaUrNN5hQ 1 0 9 8 79.9kb 79.9kb
green open .opendistro-reports-instances _Q71JHPaRoeagKqGYv2LRA 1 0 0 0 208b 208b
green open wazuh-statistics-2022.26w QXWb4iNnSGa702jJ1ahk2g 1 0 1140 0 993.2kb 993.2kb
[root@wazuh-indexer ~]# systemctl status wazuh-dashboard -l
green open wazuh-alerts-4.x-sample-security O4-ItYS2TACh3dytK2M7Ug 1 0 26696 0 15.5mb 15.5mb
green open wazuh-statistics-2022.25w FRdnchmyTGKR7_5Sv7EnNg 1 0 1835 0 1.4mb 1.4mb
green open wazuh-monitoring-2022.26w mFeRChOFQdOD4oGoR0FL0A 1 0 419 0 458kb 458kb
green open wazuh-monitoring-2022.25w jCASpX-kR2SVvE0Cq3ipmw 1 0 289 0 397.5kb 397.5kb
green open .opendistro-reports-definitions -5yg7p6ZTU2X8BM7eDGy-A 1 0 0 0 208b 208b
green open .kibana_1 7l5Uii3ZRzugqaeb7i3tHQ 1 0 5 6 64.4kb 64.4kb
green open .opendistro_security _9Jx-zEFSNS-6xaUrNN5hQ 1 0 9 8 79.9kb 79.9kb
green open .opendistro-reports-instances _Q71JHPaRoeagKqGYv2LRA 1 0 0 0 208b 208b
green open wazuh-statistics-2022.26w QXWb4iNnSGa702jJ1ahk2g 1 0 1140 0 993.2kb 993.2kb
[root@wazuh-indexer ~]# systemctl status wazuh-dashboard -l
● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-06-29 17:21:18 UTC; 15h ago
Main PID: 4666 (node)
CGroup: /system.slice/wazuh-dashboard.service
└─4666 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
Jun 30 09:20:53 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:20:53Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:20:55 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:20:55Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:20:58 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:20:58Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:00 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:00Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:03 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:03Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:05 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:05Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:08 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:08Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:10 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:10Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:13 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:13Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:15 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:15Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
[root@wazuh-indexer ~]#
Main PID: 4666 (node)
CGroup: /system.slice/wazuh-dashboard.service
└─4666 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
Jun 30 09:20:53 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:20:53Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:20:55 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:20:55Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:20:58 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:20:58Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:00 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:00Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:03 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:03Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:05 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:05Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:08 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:08Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:10 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:10Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:13 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:13Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
Jun 30 09:21:15 wazuh-indexer.novalocal opensearch-dashboards[4666]: {"type":"log","@timestamp":"2022-06-30T09:21:15Z","tags":["error","opensearch","data"],"pid":4666,"message":"[ResponseError]: Response Error"}
[root@wazuh-indexer ~]#
Javier Castro
Jun 30, 2022, 9:41:17 AM6/30/22
to Wazuh mailing list
No Wazuh alerts indices are present in your Wazuh indexer cluster (there's a sample one, but it doesn't count as actual alerts), which makes me think there's some kind of issue in the data flow.
Let's try to determine the source by going back to Filebeat and testing its output. You can do this on your Wazuh manager side by executing this command:
filebeat test output
Aside from this, let's take a closer look at the Wazuh indexer logs. The name of the log file depends on your Wazuh indexer cluster name. Assuming that the cluster name is Wazuh, please provide the contents of the /var/log/wazuh-indexer/wazuh.log file.
Regards,
Javier.
Ramakrushna Panda
Jun 30, 2022, 10:29:51 AM6/30/22
to Wazuh mailing list
Seems the wazuh.log not generating, i have encountered another issue now the dashboard service not able to start. Attached dashboard service status.
● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
++++++++++++++++++++++
[root@wazuh-indexer tmp]# filebeat test output
elasticsearch: https://10.3.0.238:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 10.3.0.238
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... ERROR x509: certificate signed by unknown authority
[root@wazuh-indexer tmp]# cat /var/log/wazuh-indexer/wazuh.log
cat: /var/log/wazuh-indexer/wazuh.log: No such file or directory
[root@wazuh-indexer tmp]# cd /var/log/wazuh-indexer/
[root@wazuh-indexer wazuh-indexer]# ll
total 2740
-rwxrwxrwx 1 root root 2798585 Jun 30 14:26 gc.log
[root@wazuh-indexer wazuh-indexer]# tail gc.log
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Eden regions: 1135->0(1135)
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Survivor regions: 1->1(142)
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Old regions: 85->85
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Archive regions: 2->2
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Humongous regions: 7->7
[2022-06-30T14:25:28.003+0000][8559][gc,metaspace] GC(40) Metaspace: 108445K(111772K)->108445K(111772K) NonClass: 95234K(97616K)->95234K(97616K) Class: 13210K(14156K)->13210K(14156K)
[2022-06-30T14:25:28.003+0000][8559][gc ] GC(40) Pause Young (Normal) (G1 Evacuation Pause) 1227M->92M(1894M) 3.629ms
[2022-06-30T14:25:28.003+0000][8559][gc,cpu ] GC(40) User=0.00s Sys=0.00s Real=0.00s
[2022-06-30T14:25:28.003+0000][8559][safepoint ] Safepoint "G1CollectForAllocation", Time since last: 237721943786 ns, Reaching safepoint: 227521 ns, At safepoint: 3766103 ns, Total: 3993624 ns
[2022-06-30T14:26:30.015+0000][8559][safepoint ] Safepoint "Cleanup", Time since last: 62011346171 ns, Reaching safepoint: 318310 ns, At safepoint: 4641 ns, Total: 322951 ns
[root@wazuh-indexer wazuh-indexer]#
+++++++++++++++++++++++++++++++++
elasticsearch: https://10.3.0.238:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 10.3.0.238
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... ERROR x509: certificate signed by unknown authority
[root@wazuh-indexer tmp]# cat /var/log/wazuh-indexer/wazuh.log
cat: /var/log/wazuh-indexer/wazuh.log: No such file or directory
[root@wazuh-indexer tmp]# cd /var/log/wazuh-indexer/
[root@wazuh-indexer wazuh-indexer]# ll
total 2740
-rwxrwxrwx 1 root root 2798585 Jun 30 14:26 gc.log
[root@wazuh-indexer wazuh-indexer]# tail gc.log
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Eden regions: 1135->0(1135)
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Survivor regions: 1->1(142)
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Old regions: 85->85
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Archive regions: 2->2
[2022-06-30T14:25:28.003+0000][8559][gc,heap ] GC(40) Humongous regions: 7->7
[2022-06-30T14:25:28.003+0000][8559][gc,metaspace] GC(40) Metaspace: 108445K(111772K)->108445K(111772K) NonClass: 95234K(97616K)->95234K(97616K) Class: 13210K(14156K)->13210K(14156K)
[2022-06-30T14:25:28.003+0000][8559][gc ] GC(40) Pause Young (Normal) (G1 Evacuation Pause) 1227M->92M(1894M) 3.629ms
[2022-06-30T14:25:28.003+0000][8559][gc,cpu ] GC(40) User=0.00s Sys=0.00s Real=0.00s
[2022-06-30T14:25:28.003+0000][8559][safepoint ] Safepoint "G1CollectForAllocation", Time since last: 237721943786 ns, Reaching safepoint: 227521 ns, At safepoint: 3766103 ns, Total: 3993624 ns
[2022-06-30T14:26:30.015+0000][8559][safepoint ] Safepoint "Cleanup", Time since last: 62011346171 ns, Reaching safepoint: 318310 ns, At safepoint: 4641 ns, Total: 322951 ns
[root@wazuh-indexer wazuh-indexer]#
+++++++++++++++++++++++++++++++++
[root@wazuh-indexer wazuh-indexer]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2022-06-30 12:59:03 UTC; 1h 28min ago
Process: 13366 ExecStart=/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /etc/wazuh-dashboard/opensearch_dashboards.yml (code=exited, status=1/FAILURE)
Main PID: 13366 (code=exited, status=1/FAILURE)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at readBlockMapping (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1098:9)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at composeNode (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1359:12)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at readDocument (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1525:3)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at loadDocuments (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1588:5)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at load (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1614:19)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at Object.safeLoad (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1637:10)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at readYaml (/usr/share/wazuh-dashboard/node_modules/@osd/apm-config-loader/target/utils/read_config.js:38:38)
Jun 30 12:59:03 wazuh-indexer.novalocal systemd[1]: wazuh-dashboard.service: main process exited, code=exited, status=1/FAILURE
Jun 30 12:59:03 wazuh-indexer.novalocal systemd[1]: Unit wazuh-dashboard.service entered failed state.
Jun 30 12:59:03 wazuh-indexer.novalocal systemd[1]: wazuh-dashboard.service failed.
[root@wazuh-indexer wazuh-indexer]#
Process: 13366 ExecStart=/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /etc/wazuh-dashboard/opensearch_dashboards.yml (code=exited, status=1/FAILURE)
Main PID: 13366 (code=exited, status=1/FAILURE)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at readBlockMapping (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1098:9)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at composeNode (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1359:12)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at readDocument (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1525:3)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at loadDocuments (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1588:5)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at load (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1614:19)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at Object.safeLoad (/usr/share/wazuh-dashboard/node_modules/js-yaml/lib/js-yaml/loader.js:1637:10)
Jun 30 12:59:03 wazuh-indexer.novalocal opensearch-dashboards[13366]: at readYaml (/usr/share/wazuh-dashboard/node_modules/@osd/apm-config-loader/target/utils/read_config.js:38:38)
Jun 30 12:59:03 wazuh-indexer.novalocal systemd[1]: wazuh-dashboard.service: main process exited, code=exited, status=1/FAILURE
Jun 30 12:59:03 wazuh-indexer.novalocal systemd[1]: Unit wazuh-dashboard.service entered failed state.
Jun 30 12:59:03 wazuh-indexer.novalocal systemd[1]: wazuh-dashboard.service failed.
[root@wazuh-indexer wazuh-indexer]#
Javier Castro
Jul 1, 2022, 10:18:35 AM7/1/22
to Wazuh mailing list
Hello,
there's a certificate issue on Filebeat and the Wazuh indexer is not properly running.
Looking at your /_cat/indices?v output I'm assuming this is a new environment (no real alerts have been generated).
May I know what the hardware specs used for this deployment are? Please confirm if this is an all-in-one deployment as well.
Regards,
Javier.
Ramakrushna Panda
Jul 3, 2022, 1:59:02 AM7/3/22
to Wazuh mailing list
Hi Javier,
Thank you for your reply, The manager running on OpenStack Nova.
If this will take more time to fix, could you provide complete steps to reinstall all the modules.
Thank you !
Javier Castro
Jul 4, 2022, 4:25:38 PM7/4/22
to Wazuh mailing list
Hello,
I'm sorry for the late reply.
I think it's worth deploying the environment from scratch.
You can take a look at the quickstart guide here: https://documentation.wazuh.com/current/quickstart.html
For PoC purposes, my recommendation is to use Ubuntu 18.04 with 4 CPU and 8 GB RAM and run the following command:
curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
When the installation finishes you will see something like this:
INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
User: admin
Password: <ADMIN_PASSWORD>
INFO: Installation finished.
Make sure that you use the admin user with the
<ADMIN_PASSWORD> when you log in from the UI.
Hope that helps!
Javier.
Ramakrushna Panda
Jul 5, 2022, 8:42:53 AM7/5/22
to Wazuh mailing list
Thank you Javier for your reply, I have followed the above procedure and installed all modules.
Now when login into the dashboard get an error "[Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]"
I have added a client host agent but not able to see any data on the dashboard, please suggest how to fix the error.
Thank you
Javier Castro
Jul 5, 2022, 4:15:21 PM7/5/22
to Wazuh mailing list
The Wazuh UI issue stems from the Filebeat errors as it is Filebeat the one in charge of adding the template.
Please execute the following command to check the current Filebeat version on the system:
/usr/share/filebeat/bin/filebeat version
My output is this:
filebeat version 7.10.2 (amd64), libbeat 7.10.2 [aacf9ecd9c494aa0908f61fbca82c906b16562a8 built 2021-01-12 22:10:33 +0000 UTC]
I'll wait for your reply.
Javier.
Ramakrushna Panda
Jul 6, 2022, 8:16:55 AM7/6/22
to Wazuh mailing list
I got the same output.
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... ERROR Connection marked as failed because the onConnect callback failed: Filebeat requires the default distribution of Elasticsearch. Please update to the default distribution of Elasticsearch for full access to all free features, or switch to the OSS distribution of Filebeat.
[root@wazuh-indexer ~]# /usr/share/filebeat/bin/filebeat version
filebeat version 7.10.2 (amd64), libbeat 7.10.2 [aacf9ecd9c494aa0908f61fbca82c906b16562a8 built 2021-01-12 23:11:24 +0000 UTC]
[root@wazuh-indexer ~]#
filebeat version 7.10.2 (amd64), libbeat 7.10.2 [aacf9ecd9c494aa0908f61fbca82c906b16562a8 built 2021-01-12 23:11:24 +0000 UTC]
[root@wazuh-indexer ~]#
+++++++++++++++++++++++++++++++++++
[root@wazuh-indexer ~]# filebeat test output
elasticsearch: https://127.0.0.1:9200...parse url... OK
connection...
parse host... OK
dns lookup... OK
dial up... OK
TLS...
security: server's certificate chain verification is enabled
TLS version: TLSv1.3
dial up... OK
talk to server... ERROR Connection marked as failed because the onConnect callback failed: Filebeat requires the default distribution of Elasticsearch. Please update to the default distribution of Elasticsearch for full access to all free features, or switch to the OSS distribution of Filebeat.
+++++++++++++
As per the above error seems it is looking for any Elasticsearch or OSS package to be there.
Just verified on my server both packages are not available, Could you suggest how to proceed further.
Thanks,
Ramakrushna
Ramakrushna Panda
Jul 6, 2022, 8:26:36 AM7/6/22
to Wazuh mailing list
The Filebeat service also not starting and the error indicates that the service is not able to start due to Logstash or directly to Elasticsearch.
FYI, I have followed the document and installed."https://documentation.wazuh.com/current/quickstart.html"
curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
+++++++++++++++++++++++++++++++++++++
[root@wazuh-indexer ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Wed 2022-07-06 12:21:25 UTC; 5s ago
Docs: https://www.elastic.co/products/beats/filebeat
Process: 29687 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
Main PID: 29687 (code=exited, status=1/FAILURE)
Jul 06 12:21:24 wazuh-indexer.novalocal systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
Jul 06 12:21:24 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 06 12:21:24 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: filebeat.service holdoff time over, scheduling restart.
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: start request repeated too quickly for filebeat.service
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Wed 2022-07-06 12:21:25 UTC; 5s ago
Docs: https://www.elastic.co/products/beats/filebeat
Process: 29687 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
Main PID: 29687 (code=exited, status=1/FAILURE)
Jul 06 12:21:24 wazuh-indexer.novalocal systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
Jul 06 12:21:24 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 06 12:21:24 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: filebeat.service holdoff time over, scheduling restart.
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: start request repeated too quickly for filebeat.service
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 06 12:21:25 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
Thanks,
Ramakrushna
Javier Castro
Jul 6, 2022, 4:26:11 PM7/6/22
to Wazuh mailing list
Hello,
it seems to me that there are pre-existing components installed on that particular server.
The easiest way to move forward would be to start with a fresh VM (I recommend an Ubuntu 18.04 or above).
Alternatively, we can manually uninstall all of the components and run the installation again:
- Follow the uninstallation guide: https://documentation.wazuh.com/current/user-manual/uninstall/central-components.html
- Check if there's a service called elasticsearch on the system with `systemctl status elasticsearch`. If there is, remove that package.
- Check if there's a service called filebeat on the system with `systemctl status filebeat`. If there is, remove that package.
- Check if there's a service called kibana on the system with `systemctl status kibana`. If there is, remove that package.
- Check if there's a service called wazuh-manager on the system with `systemctl status wazuh-manager`. If there is, remove that package.
After this, you can follow the quickstart guide again: https://documentation.wazuh.com/current/quickstart.html
Hope that helps!
Javier.
Ramakrushna Panda
Jul 7, 2022, 8:06:17 AM7/7/22
to Wazuh mailing list
Hi
Javier,
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Thank you for your valuable information, I have tried quickstart installing on a fresh VM with centos-07 OS but still, I got the same error message.
Could you please clarify my query, which services are required to start the Wazuh ? Right now I could see Wazuh-manager , wazuh-indexer, wazuh-dashboard & filebeat packages installed except filebeat all the services are up and running. Filebeat services getting failed due to "Logstash or Elasticsearch" , can you confirm whether we need to install Elastisearch services to start filebeat services.
Waiting for your reply.
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[root@wazuh-indexer centos]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Thu 2022-07-07 10:32:04 UTC; 1h 28min ago
Docs: https://www.elastic.co/products/beats/filebeat
Process: 6063 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
Main PID: 6063 (code=exited, status=1/FAILURE)
Jul 07 10:32:03 wazuh-indexer.novalocal systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
Jul 07 10:32:03 wazuh-indexer.novalocal filebeat[6063]: Exiting: Error getting filesets for module wazuh: open /usr/share/filebeat/module/wazuh: no such file or directory
Jul 07 10:32:03 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 07 10:32:03 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: filebeat.service holdoff time over, scheduling restart.
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: start request repeated too quickly for filebeat.service
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
Docs: https://www.elastic.co/products/beats/filebeat
Process: 6063 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
Main PID: 6063 (code=exited, status=1/FAILURE)
Jul 07 10:32:03 wazuh-indexer.novalocal systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
Jul 07 10:32:03 wazuh-indexer.novalocal filebeat[6063]: Exiting: Error getting filesets for module wazuh: open /usr/share/filebeat/module/wazuh: no such file or directory
Jul 07 10:32:03 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 07 10:32:03 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: filebeat.service holdoff time over, scheduling restart.
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: start request repeated too quickly for filebeat.service
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: Unit filebeat.service entered failed state.
Jul 07 10:32:04 wazuh-indexer.novalocal systemd[1]: filebeat.service failed.
Thanks,
Ramakrushna
Javier Castro
Jul 7, 2022, 2:08:25 PM7/7/22
to Wazuh mailing list
Hello,
according to the log, it seems like the Wazuh module for Filebeat was not loaded:
Jul 07 10:32:03 wazuh-indexer.novalocal filebeat[6063]: Exiting: Error getting filesets for module wazuh: open /usr/share/filebeat/module/wazuh: no such file or directory
Let's try to manually install the module by executing the following commands:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
systemctl restart filebeat
I'm curious about the quickstart installation logs as these steps should have been properly performed. Can you share the file located at /var/log/wazuh-install.log?
Regards,
Javier.
Ramakrushna Panda
Jul 11, 2022, 11:33:08 AM7/11/22
to Wazuh mailing list
Hi,
[root@wazuh-indexer ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
[root@wazuh-indexer ~]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
Thank you,
Below is the output
+++++++++++++++++++++++++++++++++++
[root@wazuh-indexer ~]# cat /var/log/wazuh-install.log
07/07/2022 10:26:20 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
07/07/2022 10:26:20 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/07/2022 10:26:27 INFO: Wazuh repository added.
07/07/2022 10:26:27 INFO: --- Configuration files ---
07/07/2022 10:26:27 INFO: Generating configuration files.
Generating a 2048 bit RSA private key
.......................+++
...........................................................................................................................................................................+++
writing new private key to '/tmp/wazuh-certificates/root-ca.key'
-----
Generating RSA private key, 2048 bit long modulus
.............+++
..............................+++
e is 65537 (0x10001)
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=admin
Getting CA Private Key
Generating a 2048 bit RSA private key
.........................+++
.................................................................................+++
writing new private key to '/tmp/wazuh-certificates/wazuh-indexer-key.pem'
-----
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=wazuh-indexer
Getting CA Private Key
Generating a 2048 bit RSA private key
.............+++
......+++
writing new private key to '/tmp/wazuh-certificates/wazuh-server-key.pem'
-----
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=wazuh-server
Getting CA Private Key
Generating a 2048 bit RSA private key
.......................+++
...............+++
writing new private key to '/tmp/wazuh-certificates/wazuh-dashboard-key.pem'
-----
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=wazuh-dashboard
Getting CA Private Key
07/07/2022 10:26:28 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/07/2022 10:26:29 INFO: --- Wazuh indexer ---
07/07/2022 10:26:29 INFO: Starting Wazuh indexer installation.
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.3.5-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wazuh-indexer x86_64 4.3.5-1 wazuh 361 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 361 M
Installed size: 614 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-indexer-4.3.5-1.x86_64 1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
Verifying : wazuh-indexer-4.3.5-1.x86_64 1/1
Installed:
wazuh-indexer.x86_64 0:4.3.5-1
Complete!
07/07/2022 10:28:32 INFO: Wazuh indexer installation finished.
07/07/2022 10:28:32 INFO: Wazuh indexer post-install configuration finished.
07/07/2022 10:28:32 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
07/07/2022 10:28:46 INFO: wazuh-indexer service started.
07/07/2022 10:28:46 INFO: Initializing Wazuh indexer cluster security settings.
Security Admin v7
Will connect to 127.0.0.1:9300 ... done
Connected as CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US
OpenSearch Version: 1.2.4
OpenSearch Security Version: 1.2.4.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/
Will update '_doc/config' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
07/07/2022 10:28:53 INFO: Wazuh indexer cluster initialized.
07/07/2022 10:28:53 INFO: --- Wazuh server ---
07/07/2022 10:28:53 INFO: Starting the Wazuh manager installation.
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.3.5-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wazuh-manager x86_64 4.3.5-1 wazuh 114 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 114 M
Installed size: 436 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-manager-4.3.5-1.x86_64 1/1
Verifying : wazuh-manager-4.3.5-1.x86_64 1/1
Installed:
wazuh-manager.x86_64 0:4.3.5-1
Complete!
07/07/2022 10:29:43 INFO: Wazuh manager installation finished.
07/07/2022 10:29:43 INFO: Starting service wazuh-manager.
07/07/2022 10:29:53 INFO: wazuh-manager service started.
07/07/2022 10:29:53 INFO: Starting Filebeat installation.
07/07/2022 10:30:07 INFO: Filebeat installation finished.
chmod: cannot access ‘/etc/filebeat/wazuh-template.json’: No such file or directory
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
07/07/2022 10:30:07 INFO: Filebeat post-install configuration finished.
07/07/2022 10:30:07 INFO: Starting service filebeat.
07/07/2022 10:30:07 INFO: filebeat service started.
07/07/2022 10:30:07 INFO: --- Wazuh dashboard ---
07/07/2022 10:30:07 INFO: Starting Wazuh dashboard installation.
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.3.5-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wazuh-dashboard x86_64 4.3.5-1 wazuh 150 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 150 M
Installed size: 588 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-dashboard-4.3.5-1.x86_64 1/1
Verifying : wazuh-dashboard-4.3.5-1.x86_64 1/1
Installed:
wazuh-dashboard.x86_64 0:4.3.5-1
Complete!
07/07/2022 10:31:37 INFO: Wazuh dashboard installation finished.
07/07/2022 10:31:37 INFO: Wazuh dashboard post-install configuration finished.
07/07/2022 10:31:37 INFO: Starting service wazuh-dashboard.
07/07/2022 10:31:37 INFO: wazuh-dashboard service started.
Security Admin v7
Will connect to 127.0.0.1:9300 ... done
Connected as CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US
OpenSearch Version: 1.2.4
OpenSearch Security Version: 1.2.4.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '_doc/config' into /usr/share/wazuh-indexer/backup/config.yml
SUCC: Configuration for 'config' stored in /usr/share/wazuh-indexer/backup/config.yml
Will retrieve '_doc/roles' into /usr/share/wazuh-indexer/backup/roles.yml
SUCC: Configuration for 'roles' stored in /usr/share/wazuh-indexer/backup/roles.yml
Will retrieve '_doc/rolesmapping' into /usr/share/wazuh-indexer/backup/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' stored in /usr/share/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '_doc/internalusers' into /usr/share/wazuh-indexer/backup/internal_users.yml
SUCC: Configuration for 'internalusers' stored in /usr/share/wazuh-indexer/backup/internal_users.yml
Will retrieve '_doc/actiongroups' into /usr/share/wazuh-indexer/backup/action_groups.yml
SUCC: Configuration for 'actiongroups' stored in /usr/share/wazuh-indexer/backup/action_groups.yml
Will retrieve '_doc/tenants' into /usr/share/wazuh-indexer/backup/tenants.yml
SUCC: Configuration for 'tenants' stored in /usr/share/wazuh-indexer/backup/tenants.yml
Will retrieve '_doc/nodesdn' into /usr/share/wazuh-indexer/backup/nodes_dn.yml
SUCC: Configuration for 'nodesdn' stored in /usr/share/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '_doc/whitelist' into /usr/share/wazuh-indexer/backup/whitelist.yml
SUCC: Configuration for 'whitelist' stored in /usr/share/wazuh-indexer/backup/whitelist.yml
Will retrieve '_doc/audit' into /usr/share/wazuh-indexer/backup/audit.yml
SUCC: Configuration for 'audit' stored in /usr/share/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
Security Admin v7
Will connect to 127.0.0.1:9300 ... done
Connected as CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US
OpenSearch Version: 1.2.4
OpenSearch Security Version: 1.2.4.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/
Will update '_doc/config' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
07/07/2022 10:32:14 INFO: Initializing Wazuh dashboard web application.
07/07/2022 10:32:15 INFO: Wazuh dashboard web application initialized.
07/07/2022 10:32:15 INFO: Installation finished.
[root@wazuh-indexer ~]#
07/07/2022 10:26:20 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
07/07/2022 10:26:20 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/07/2022 10:26:27 INFO: Wazuh repository added.
07/07/2022 10:26:27 INFO: --- Configuration files ---
07/07/2022 10:26:27 INFO: Generating configuration files.
Generating a 2048 bit RSA private key
.......................+++
...........................................................................................................................................................................+++
writing new private key to '/tmp/wazuh-certificates/root-ca.key'
-----
Generating RSA private key, 2048 bit long modulus
.............+++
..............................+++
e is 65537 (0x10001)
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=admin
Getting CA Private Key
Generating a 2048 bit RSA private key
.........................+++
.................................................................................+++
writing new private key to '/tmp/wazuh-certificates/wazuh-indexer-key.pem'
-----
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=wazuh-indexer
Getting CA Private Key
Generating a 2048 bit RSA private key
.............+++
......+++
writing new private key to '/tmp/wazuh-certificates/wazuh-server-key.pem'
-----
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=wazuh-server
Getting CA Private Key
Generating a 2048 bit RSA private key
.......................+++
...............+++
writing new private key to '/tmp/wazuh-certificates/wazuh-dashboard-key.pem'
-----
Signature ok
subject=/C=US/L=California/O=Wazuh/OU=Wazuh/CN=wazuh-dashboard
Getting CA Private Key
07/07/2022 10:26:28 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/07/2022 10:26:29 INFO: --- Wazuh indexer ---
07/07/2022 10:26:29 INFO: Starting Wazuh indexer installation.
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.3.5-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wazuh-indexer x86_64 4.3.5-1 wazuh 361 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 361 M
Installed size: 614 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-indexer-4.3.5-1.x86_64 1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
Verifying : wazuh-indexer-4.3.5-1.x86_64 1/1
Installed:
wazuh-indexer.x86_64 0:4.3.5-1
Complete!
07/07/2022 10:28:32 INFO: Wazuh indexer installation finished.
07/07/2022 10:28:32 INFO: Wazuh indexer post-install configuration finished.
07/07/2022 10:28:32 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
07/07/2022 10:28:46 INFO: wazuh-indexer service started.
07/07/2022 10:28:46 INFO: Initializing Wazuh indexer cluster security settings.
Security Admin v7
Will connect to 127.0.0.1:9300 ... done
Connected as CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US
OpenSearch Version: 1.2.4
OpenSearch Security Version: 1.2.4.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/
Will update '_doc/config' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
07/07/2022 10:28:53 INFO: Wazuh indexer cluster initialized.
07/07/2022 10:28:53 INFO: --- Wazuh server ---
07/07/2022 10:28:53 INFO: Starting the Wazuh manager installation.
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.3.5-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wazuh-manager x86_64 4.3.5-1 wazuh 114 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 114 M
Installed size: 436 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-manager-4.3.5-1.x86_64 1/1
Verifying : wazuh-manager-4.3.5-1.x86_64 1/1
Installed:
wazuh-manager.x86_64 0:4.3.5-1
Complete!
07/07/2022 10:29:43 INFO: Wazuh manager installation finished.
07/07/2022 10:29:43 INFO: Starting service wazuh-manager.
07/07/2022 10:29:53 INFO: wazuh-manager service started.
07/07/2022 10:29:53 INFO: Starting Filebeat installation.
07/07/2022 10:30:07 INFO: Filebeat installation finished.
chmod: cannot access ‘/etc/filebeat/wazuh-template.json’: No such file or directory
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
07/07/2022 10:30:07 INFO: Filebeat post-install configuration finished.
07/07/2022 10:30:07 INFO: Starting service filebeat.
07/07/2022 10:30:07 INFO: filebeat service started.
07/07/2022 10:30:07 INFO: --- Wazuh dashboard ---
07/07/2022 10:30:07 INFO: Starting Wazuh dashboard installation.
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.3.5-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wazuh-dashboard x86_64 4.3.5-1 wazuh 150 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 150 M
Installed size: 588 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-dashboard-4.3.5-1.x86_64 1/1
Verifying : wazuh-dashboard-4.3.5-1.x86_64 1/1
Installed:
wazuh-dashboard.x86_64 0:4.3.5-1
Complete!
07/07/2022 10:31:37 INFO: Wazuh dashboard installation finished.
07/07/2022 10:31:37 INFO: Wazuh dashboard post-install configuration finished.
07/07/2022 10:31:37 INFO: Starting service wazuh-dashboard.
07/07/2022 10:31:37 INFO: wazuh-dashboard service started.
Security Admin v7
Will connect to 127.0.0.1:9300 ... done
Connected as CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US
OpenSearch Version: 1.2.4
OpenSearch Security Version: 1.2.4.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '_doc/config' into /usr/share/wazuh-indexer/backup/config.yml
SUCC: Configuration for 'config' stored in /usr/share/wazuh-indexer/backup/config.yml
Will retrieve '_doc/roles' into /usr/share/wazuh-indexer/backup/roles.yml
SUCC: Configuration for 'roles' stored in /usr/share/wazuh-indexer/backup/roles.yml
Will retrieve '_doc/rolesmapping' into /usr/share/wazuh-indexer/backup/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' stored in /usr/share/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '_doc/internalusers' into /usr/share/wazuh-indexer/backup/internal_users.yml
SUCC: Configuration for 'internalusers' stored in /usr/share/wazuh-indexer/backup/internal_users.yml
Will retrieve '_doc/actiongroups' into /usr/share/wazuh-indexer/backup/action_groups.yml
SUCC: Configuration for 'actiongroups' stored in /usr/share/wazuh-indexer/backup/action_groups.yml
Will retrieve '_doc/tenants' into /usr/share/wazuh-indexer/backup/tenants.yml
SUCC: Configuration for 'tenants' stored in /usr/share/wazuh-indexer/backup/tenants.yml
Will retrieve '_doc/nodesdn' into /usr/share/wazuh-indexer/backup/nodes_dn.yml
SUCC: Configuration for 'nodesdn' stored in /usr/share/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '_doc/whitelist' into /usr/share/wazuh-indexer/backup/whitelist.yml
SUCC: Configuration for 'whitelist' stored in /usr/share/wazuh-indexer/backup/whitelist.yml
Will retrieve '_doc/audit' into /usr/share/wazuh-indexer/backup/audit.yml
SUCC: Configuration for 'audit' stored in /usr/share/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
Security Admin v7
Will connect to 127.0.0.1:9300 ... done
Connected as CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US
OpenSearch Version: 1.2.4
OpenSearch Security Version: 1.2.4.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/
Will update '_doc/config' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
07/07/2022 10:32:14 INFO: Initializing Wazuh dashboard web application.
07/07/2022 10:32:15 INFO: Wazuh dashboard web application initialized.
07/07/2022 10:32:15 INFO: Installation finished.
[root@wazuh-indexer ~]#
[root@wazuh-indexer ~]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/module.yml
[root@wazuh-indexer ~]# systemctl restart filebeat
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/module.yml
[root@wazuh-indexer ~]# systemctl restart filebeat
[root@wazuh-indexer ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2022-07-11 15:30:37 UTC; 9s ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 22097 (filebeat)
CGroup: /system.slice/filebeat.service
└─22097 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/f...
Jul 11 15:30:37 wazuh-indexer.novalocal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 22097 (filebeat)
CGroup: /system.slice/filebeat.service
└─22097 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/f...
Jul 11 15:30:37 wazuh-indexer.novalocal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
[root@wazuh-indexer ~]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... ERROR 401 Unauthorized: Unauthorized
[root@wazuh-indexer ~]#
[root@wazuh-indexer ~]#
Sebastian Cruz
Jul 12, 2022, 9:11:43 AM7/12/22
to Wazuh mailing list
Buenos dias
Les escribo solicitando su ayuda presentó un problema con wazuh ya que se realizó el reinicio del servidor el aplicativo se instaló desde la versión offline por lo tanto no tiene elasticsearch tiene filebeat instalado por lo tanto quisiera sabr como puedo colocar el servicio de dashboard arriba ya que he buscado la forma y no la he encontrado
Quedo atento
 |
|
||||||||||||||
|
El presente correo electrónico puede contener información confidencial o legalmente protegida y está destinado única y exclusivamente para el uso del destinatario(s) previsto, para su utilización especifica. Se le notifica por el presente que está prohibida su divulgación, revisión, transmisión, difusión o cualquier otro tipo de uso de la información contenida por personas extrañas al destinatario original. Si Usted no es el destinatario a quien se desea enviar este mensaje, tendrá prohibido darlo a conocer a persona alguna, así como a reproducirlo o copiarlo. Si recibe este mensaje por error, favor de notificarlo al remitente de inmediato y desecharlo de su sistema. COBRANDO BPO no se hace responsable de los errores u omisiones de este mensaje y niega cualquier responsabilidad por daños derivados de la utilización del correo electrónico. Cualquier opinión y otra declaración contenida en este mensaje y cualquier archivo adjunto son de exclusiva responsabilidad del autor y no representan necesariamente las de la empresa. En caso de querer presentar Consultas, Quejas o Reclamos puede realizar la solicitud al siguiente correo electrónico protecciondedatosperso...@cobrando.com.co o de forma presencial en la siguiente dirección: Av. Cra 50 # 93 a – 29 de la ciudad de Bogotá. Para más información sobre nuestra Política de Tratamiento de datos personales y sus modificaciones consulte en www.cobrando.com.co
Ramakrushna Panda
Jul 13, 2022, 6:45:19 AM7/13/22
to Wazuh mailing list
Any suggestion to fix this issue? waiting for your update
Javier Castro
Jul 13, 2022, 12:58:08 PM7/13/22
to Wazuh mailing list
Hello,
Javier.
there was an issue when downloading the Filebeat template. I was discussing this with the team and it seems that the curl command that downloads the template didn't succeed.
Can you manually execute this command?
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json --max-time 300
Maybe there's a proxy or firewall configuration preventing the connection.
Hope that helps!
Javier.
Ramakrushna Panda
Jul 14, 2022, 6:24:52 AM7/14/22
to Wazuh mailing list
Hi Javier/Team,
[root@wazuh-indexer ~]# systemctl restart filebeat
[root@wazuh-indexer ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
[root@wazuh-indexer ~]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... ERROR 401 Unauthorized: Unauthorized
[root@wazuh-indexer ~]#
The correct file is already available again i have downloaded and placed, please suggest to fix this issue permanent.
++++++++++++++++++++++++++
[root@wazuh-indexer ~]# ls -ltr /etc/filebeat/wazuh-template.json
-rw-r--r-- 1 root root 56492 Jul 14 10:07 /etc/filebeat/wazuh-template.json
[root@wazuh-indexer ~]# systemctl daemon-reload
-rw-r--r-- 1 root root 56492 Jul 14 10:07 /etc/filebeat/wazuh-template.json
[root@wazuh-indexer ~]# systemctl daemon-reload
[root@wazuh-indexer ~]# systemctl restart filebeat
[root@wazuh-indexer ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2022-07-14 10:22:26 UTC; 7s ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 4607 (filebeat)
CGroup: /system.slice/filebeat.service
└─4607 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/fi...
Jul 14 10:22:26 wazuh-indexer.novalocal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 4607 (filebeat)
CGroup: /system.slice/filebeat.service
└─4607 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/fi...
Jul 14 10:22:26 wazuh-indexer.novalocal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
[root@wazuh-indexer ~]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... ERROR 401 Unauthorized: Unauthorized
[root@wazuh-indexer ~]#
Ramakrushna Panda
Jul 15, 2022, 11:53:15 AM7/15/22
to Wazuh mailing list
Hello team,
Please suggest/guide me to complete the POC, I have re-installed it multiple times and getting the same error message on the dashboard.
I have followed the below procedure and installed request you to suggest me if any alternate method to complete the installation.
curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a"
++++++++++++++++++++++++
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: no
ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]
++++++++++++++++++++++++++
++++++++++++++++++++++++++
Sebastian Cruz
Jul 15, 2022, 6:57:22 PM7/15/22
to Javier Castro, Wazuh mailing list
Buenas tardes
Realice lo que me indicaste pero no ocurre nada, al ver el estado de (systemctl status wazuh-dashboard) sale este fallo pero pues lo unico que se me ocurre es que algun yml configurado se alla desconfigurado, me podrian indicar que mas puedo hacer
 |
|
|
|
||
|
|
|
|
|
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2a81b93d-df9d-41eb-acc6-9e5760a3f788n%40googlegroups.com.
Antonio Salcedo
Jul 17, 2022, 2:42:09 AM7/17/22
to Sebastian Cruz, Javier Castro, Wazuh mailing list
Buenos días saben de alguien que me pueda ayudar con wazuh en español?
El presente correo electrónico puede contener información confidencial o legalmente protegida y está destinado única y exclusivamente para el uso del destinatario(s) previsto, para su utilización especifica. Se le notifica por el presente que está prohibida su divulgación, revisión, transmisión, difusión o cualquier otro tipo de uso de la información contenida por personas extrañas al destinatario original. Si Usted no es el destinatario a quien se desea enviar este mensaje, tendrá prohibido darlo a conocer a persona alguna, así como a reproducirlo o copiarlo. Si recibe este mensaje por error, favor de notificarlo al remitente de inmediato y desecharlo de su sistema. COBRANDO BPO no se hace responsable de los errores u omisiones de este mensaje y niega cualquier responsabilidad por daños derivados de la utilización del correo electrónico. Cualquier opinión y otra declaración contenida en este mensaje y cualquier archivo adjunto son de exclusiva responsabilidad del autor y no representan necesariamente las de la empresa. En caso de querer presentar Consultas, Quejas o Reclamos puede realizar la solicitud al siguiente correo electrónico proteccionded...@cobrando.com.co o de forma presencial en la siguiente dirección: Av. Cra 50 # 93 a – 29 de la ciudad de Bogotá. Para más información sobre nuestra Política de Tratamiento de datos personales y sus modificaciones consulte en www.cobrando.com.co
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAKRNmu8VXzJ6%3DZ4%3DEdD0TectcEB2RLD6zxLZZwWx2t%2BWt0uJrw%40mail.gmail.com.
Javier Castro
Jul 18, 2022, 2:53:11 PM7/18/22
to Wazuh mailing list
Hello,
Filebeat is complaining about unauthorized access in the last log you sent.
Several steps in the installation guide, mostly involving Filebeat, were not wholly executed and some things are missing (configuration files, template, and/or pipelines).
Is it possible that the server you are using to install Wazuh has restricted internet access?
Given the number of steps involved in the installation process, it is difficult to know which ones failed during the automated script execution.
One way to find out is to follow the step-by-step guide and check if all of the steps are successfully executed or not (if they are not it will help us determine the root cause).
Please start with this guide to install the Wazuh indexer: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html
Keep in mind that you need to generate certificates for your environment. My recommendation is to use the IP address of your server when filling in the config.yml file for them.
Then proceed with the Wazuh server guide: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
And finally install the Wazuh dashboard with this guide: https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/index.html
Note: The certificates generated in the Wazuh indexer guide will be used for the rest of the installation.
Hope this helps.
Javier.
Ramakrushna Panda
Jul 19, 2022, 6:59:52 AM7/19/22
to Wazuh mailing list
Hi Javier,
Thank you so much for your reply, yes this server's internet is going through the proxy.
I have followed the "Step-by-Step" installation on the Wazuh server installation guide and encountered an error.
+++++++++++++++++++
[root@wazuh-indexer ~]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
+++++++++++++++++++
Javier Castro
Jul 19, 2022, 1:10:16 PM7/19/22
to Wazuh mailing list
Hello,
let's make sure that everything we need for Filebeat to send information to the Wazuh indexer is available.
First, let's check if the Wazuh template is available by doing:
ll /etc/filebeat/wazuh-template.json
This is my output:
total 452
-rw-r--r-- 1 root root 297349 Jan 12 2021 fields.yml
-rw-r--r-- 1 root root 91838 Jan 12 2021 filebeat.reference.yml
-r-------- 1 root root 808 Jun 29 13:17 filebeat.yml
drwxr-xr-x 2 root root 4096 Jun 29 13:17 modules.d
-r-------- 1 root root 58530 Jun 29 13:17 wazuh-template.json
-rw-r--r-- 1 root root 297349 Jan 12 2021 fields.yml
-rw-r--r-- 1 root root 91838 Jan 12 2021 filebeat.reference.yml
-r-------- 1 root root 808 Jun 29 13:17 filebeat.yml
drwxr-xr-x 2 root root 4096 Jun 29 13:17 modules.d
-r-------- 1 root root 58530 Jun 29 13:17 wazuh-template.json
Then, let's check if the Wazuh module for Filebeat is available by doing:
ll /usr/share/filebeat/module/wazuh/
This is my output:
total 4
drwxr-xr-x 4 root root 54 Jun 29 13:30 alerts
drwxr-xr-x 4 root root 54 May 25 14:29 archives
-rw-r--r-- 1 root root 12 May 25 14:29 module.yml
drwxr-xr-x 4 root root 54 Jun 29 13:30 alerts
drwxr-xr-x 4 root root 54 May 25 14:29 archives
-rw-r--r-- 1 root root 12 May 25 14:29 module.yml
Now, let's see exactly what Filebeat is doing by checking its configuration file:
cat /etc/filebeat/filebeat.yml
This is my output:
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
# Send events directly to Wazuh indexer
output.elasticsearch:
hosts:
- your_ip:9200
username: wazuh
password: "your_password"
protocol: https
ssl.certificate_authorities:
- /etc/pki/filebeat/root-ca.pem
ssl.certificate: "/etc/pki/filebeat/node-4.pem"
ssl.key: "/etc/pki/filebeat/node-4-key.pem"
# Optional. Send events to Logstash instead of Wazuh indexer
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
# Send events directly to Wazuh indexer
output.elasticsearch:
hosts:
- your_ip:9200
username: wazuh
password: "your_password"
protocol: https
ssl.certificate_authorities:
- /etc/pki/filebeat/root-ca.pem
ssl.certificate: "/etc/pki/filebeat/node-4.pem"
ssl.key: "/etc/pki/filebeat/node-4-key.pem"
# Optional. Send events to Logstash instead of Wazuh indexer
Now, let's make sure that the Wazuh indexer is running by doing:
curl -u admin:your_password https://your_ip:9200 -k
This is my output:
{
"name" : "node-1",
"cluster_name" : "wazuh",
"cluster_uuid" : "DLoVBdDKQzqVOnCrO7pKEg",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f",
"build_date" : "2022-01-14T03:38:06.881862Z",
"build_snapshot" : false,
"lucene_version" : "8.10.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
"name" : "node-1",
"cluster_name" : "wazuh",
"cluster_uuid" : "DLoVBdDKQzqVOnCrO7pKEg",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f",
"build_date" : "2022-01-14T03:38:06.881862Z",
"build_snapshot" : false,
"lucene_version" : "8.10.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Hope that helps!
Javier.
Reply all
Reply to author
Forward
0 new messages