indexer-connector: WARNING: Failed to sync agent


Ethan Thompson

Jul 9, 2024, 12:30:36 AM
to Wazuh mailing list
Hello, Team

Due to an error in version 4.7.3, I upgraded to 4.8.0.
After that, I got the following error.

image.png


# My Hardware Spec
OS: UBUNTU 22.04.2
RAM: 32GB
CPU: 8core
Manage Agents: 338ea
Cluster: No, Single

# Questions
Q1) Are my hardware specifications inadequate?
Q2) Can I set the account and password in the steps below to the account and password set in filebeat.yml?
image.png


Ethan Thompson

Jul 9, 2024, 3:36:50 AM
to Wazuh | Mailing List
Hello Team

The following information is confirmed in the ossec.log file.
It appears that the wazuh indexer is connected normally.

2024/07/09 16:31:00 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh~

On Tuesday, July 9, 2024 at 1:30:36 PM UTC+9, Ethan Thompson wrote:

Sebastian Falcone

Jul 10, 2024, 1:35:55 PM
to Wazuh | Mailing List
Hi Ethan, how are you doing?


> 2024/07/09 16:31:00 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh~
Is this the full log? I mean if the full index name is "wazuh~"

Sebastian Falcone

Jul 10, 2024, 1:40:24 PM
to Wazuh | Mailing List
> Q1) Are my hardware specifications inadequate?
It depends on the number of events dispatched by the agents, you will see the anti-flooding mechanism trigger if the manager is throttling 


> Q2) Can I set the account and password in the steps below to the account and password set in filebeat.yml?
Do you mean to set the same values? They possibly match because filebeat "speaks" to the wazuh-indexer as well

Sebastian Falcone

Jul 10, 2024, 1:40:46 PM
to Wazuh | Mailing List
Regarding my first question, how did you configure the ossec.conf indexer section?

Ethan Thompson

Jul 11, 2024, 4:12:14 AM
to Wazuh | Mailing List
Hi, Sebastian

I minimized the logs on the agent side.
So now there is no log flood. (Rule ID: 202, 203, 204)
(Collect 3 million event logs per day)
I understand the HARDWARE specs are adequate.

Below is not a full log.
- 2024/07/09 16:31:00 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh~ Omitted....

The indexer section is as follows.

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>

On Thursday, July 11, 2024 at 2:40:46 AM UTC+9, Sebastian Falcone wrote:

Ethan Thompson

Jul 11, 2024, 6:37:25 AM
to Wazuh | Mailing List
Hi, Sebastian

Additional information.
I just re-configured the key-store, but suddenly I get a failure error.

2024/07/11 19:32:06 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-test-wazuh.com', retrying until the connection is successful.

# nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           63          99   4    2.77    2.69     5.52 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

# health?v
epoch      timestamp cluster       status node.total node.data discovered_cluster_manager shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1720693579 10:26:19  wazuh-cluster yellow          1         1                       true    157 157    0    0       42             0                  -                 78.9%

# filebeat.yml
===============================================
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9200
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200

output.elasticsearch:
  protocol: https
  username: wazuh
  password: wazuh_passwd
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
seccomp:
    default_action: allow
    syscalls:
    - action: allow
      names:
      - rseq

# opensearch.yml
===============================================
network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
#discovery.seed_hosts:
#  - "node-1-ip"
#  - "node-2-ip"
#  - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /data/elasticsearch
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Docu,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Docu,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true

On Thursday, July 11, 2024 at 5:12:14 PM UTC+9, Ethan Thompson wrote:

Ethan Thompson

Jul 11, 2024, 7:04:03 AM
to Wazuh | Mailing List
Hi Sebastian

After restoring the iptables configuration changes, the indexer is connected normally.
2024/07/11 20:01:36 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-test-wazuh.com.

I will check tomorrow to see if there is a "indexer-connector: WARNING: Failed to sync agent" error.

On Thursday, July 11, 2024 at 7:37:25 PM UTC+9, Ethan Thompson wrote:

Sebastian Falcone

Jul 11, 2024, 8:11:12 AM
to Wazuh | Mailing List
The configuration looks good, let's see if the changes you made to the infrastructure fix the problem

I will await your update

Have a nice day

Ethan Thompson

Jul 12, 2024, 12:30:00 AM
to Wazuh | Mailing List
Hi, Sebastian

Unfortunately, I keep getting the "indexer-connector: WARNING: Failed to sync agent" error.

On Thursday, July 11, 2024 at 9:11:12 PM UTC+9, Sebastian Falcone wrote:

Sebastian Falcone

Jul 12, 2024, 10:09:17 AM
to Wazuh | Mailing List
Hi

Can we validate the status of the indexer? It should be in green for the connection to be successful

Ethan Thompson

Jul 15, 2024, 12:37:59 AM
to Wazuh | Mailing List
Hi, Sebastian

the status of the indexer
indexer.jpg

4 shards are not deleted. I tried switching accounts but couldn't delete them.

.opendistro-alerting-config
.opendistro-alerting-alert-history-2024.07.05-000013
.opendistro-alerting-alerts
.opendistro-alerting-alert-history-2024.06.05-000012

curl -k -u wazuh:wazuh_temp https://127.0.0.1:9200/_cat/shards | grep UNASSIGNED | awk '{print $1}' | xargs -i curl -k -XDELETE -u wazuh:wazuh_temp "https://127.0.0.1:9200/{}"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12872  100 12872    0     0   209k      0 --:--:-- --:--:-- --:--:--  213k
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"},"status":403}{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"},"status":403}{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"},"status":403}{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=wazuh, backend_roles=[admin], requestedTenant=null]"},"status":403}

On Friday, July 12, 2024 at 11:09:17 PM UTC+9, Sebastian Falcone wrote:

Sebastian Falcone

Jul 19, 2024, 2:16:37 PM
to Wazuh | Mailing List
Sorry for the delay

Given that the status is yellow, we won't be able to index the vulnerability information. How did you install the indexer? It seems to be giving you some authorization errors

Ethan Thompson

Sep 12, 2024, 5:20:11 AM
to Wazuh | Mailing List
Hello, Sebastian

Sorry for taking so long to reply.

I decided to try to solve it somehow and reinstall it if it doesn't work.
So today, I finally installed wazuh 4.9 version.
After installation, I linked the existing agent to the new server.

As a result, the error log below keeps occurring, which is so sad.

In addition, an index that cannot be deleted is still created.
For this reason, the status of the index is naturally "yellow".
Why does this problem persist even after a new installation?

I even tried disabling the alerting feature of Elasticsearch related to the index that cannot be deleted below, but the problem persists.

Except for the vulnerability detection feature, wazuh is perfect.
It's a sad situation, but I always appreciate the team that provides good security solutions like wazuh.
I hope this issue is resolved.

.
..
2024/09/12 18:10:40 indexer-connector: WARNING: Failed to sync agent '131' with the indexer.
2024/09/12 18:10:40 indexer-connector: WARNING: Failed to sync agent '124' with the indexer.
2024/09/12 18:10:40 indexer-connector: WARNING: Failed to sync agent '126' with the indexer.
.
.


index                                              shard prirep state      node   unassigned.reason
.opendistro-alerting-alert-history-2024.09.12-1    0     r      UNASSIGNED        CLUSTER_RECOVERED
.opendistro-ism-config                             0     r      UNASSIGNED        CLUSTER_RECOVERED
.opendistro-alerting-alerts                        0     r      UNASSIGNED        CLUSTER_RECOVERED
.opendistro-alerting-config                        0     r      UNASSIGNED        CLUSTER_RECOVERED
.opensearch-alerting-config-lock                   0     r      UNASSIGNED        CLUSTER_RECOVERED
.opendistro-ism-managed-index-history-2024.09.12-1 0     r      UNASSIGNED        CLUSTER_RECOVERED
.opendistro-job-scheduler-lock                     0     r      UNASSIGNED        CLUSTER_RECOVERED
security-auditlog-2024.09.12                       0     p      STARTED    node-1
.opendistro-alerting-alert-history-2024.09.12-1    0     p      STARTED    node-1
.opendistro-ism-config                             0     p      STARTED    node-1
.opendistro-alerting-alerts                        0     p      STARTED    node-1
.opendistro_security                               0     p      STARTED    node-1
.kibana_1                                          0     p      STARTED    node-1
.opendistro-alerting-config                        0     p      STARTED    node-1
wazuh-monitoring-2024.37w                          0     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.11                        0     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.11                        1     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.11                        2     p      STARTED    node-1
.plugins-ml-config                                 0     p      STARTED    node-1
.opensearch-observability                          0     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.12                        0     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.12                        1     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.12                        2     p      STARTED    node-1
.opensearch-sap-log-types-config                   0     p      STARTED    node-1
.opensearch-alerting-config-lock                   0     p      STARTED    node-1
.opendistro-ism-managed-index-history-2024.09.12-1 0     p      STARTED    node-1
.opendistro-job-scheduler-lock                     0     p      STARTED    node-1
wazuh-statistics-2024.37w                          0     p      STARTED    node-1
wazuh-states-vulnerabilities-tp-wazuh              0     p      STARTED    node-1
.opensearch-notifications-config                   0     p      STARTED    node-1 
On Saturday, July 20, 2024 at 3:16:37 AM UTC+9, Sebastian Falcone wrote:

Sebastian Falcone

Nov 27, 2024, 7:06:53 AM
to Wazuh | Mailing List
Hi Ethan, how are you doing? 

I hope this was solved :(

Your problem is due to shards not being assigned, which makes the cluster be in yellow status. Here I am working with a user with a similar problem:
https://groups.google.com/g/wazuh/c/irtVzQhOqtg/m/risT0nr1AAAJ
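
Added example, not part of the thread and not Wazuh's own tooling: the yellow status discussed above comes from replica shards that a single-node cluster can never allocate, because a replica cannot share a node with its primary. The script below separates that case from an unassigned primary and builds a non-destructive settings request instead of deleting indices. The sample rows are constructed after the table posted in the thread; `example-broken-index`, `INDEXER_URL` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: classify UNASSIGNED shards from `_cat/shards` output.
# Expected columns: index shard prirep state [node] [unassigned.reason]

# Constructed sample, modelled on the table posted in the thread.
sample_shards() {
cat <<'EOF'
index                        shard prirep state      node   unassigned.reason
.opendistro-alerting-config  0     r      UNASSIGNED        CLUSTER_RECOVERED
.opendistro-alerting-config  0     p      STARTED    node-1
.opendistro-ism-config       0     r      UNASSIGNED        CLUSTER_RECOVERED
.opendistro-ism-config       0     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.12  0     p      STARTED    node-1
wazuh-alerts-4.x-2024.09.12  1     p      STARTED    node-1
example-broken-index         0     p      UNASSIGNED        ALLOCATION_FAILED
EOF
}

# Print "replica <index>" when only a replica copy is unassigned (yellow: the
# primary still serves the data) and "primary <index>" when a primary is
# unassigned (red: data unavailable). One line per index, sorted.
classify_unassigned() {
  awk '$1 == "index" && $2 == "shard" { next }      # skip the header row
       $4 == "UNASSIGNED" && $3 == "r" { rep[$1] = 1 }
       $4 == "UNASSIGNED" && $3 == "p" { pri[$1] = 1 }
       END {
         for (i in pri) print "primary " i
         for (i in rep) if (!(i in pri)) print "replica " i
       }' | LC_ALL=C sort
}

# Build (do not send) the request that sets the replica count to 0.
# INDEXER_URL is a placeholder; authentication is left to the operator.
replica_fix_request() {
  printf "curl -XPUT '%s/%s/_settings' -H 'Content-Type: application/json' -d '%s'\n" \
    "${INDEXER_URL:-https://127.0.0.1:9200}" "$1" '{"index":{"number_of_replicas":0}}'
}

main() {
  sample_shards | classify_unassigned | while read -r kind index; do
    if [ "$kind" = replica ]; then replica_fix_request "$index"
    else echo "# $index: primary unassigned, investigate before changing settings"
    fi
  done
}
main
```

Some of the dot-prefixed indices are listed under `plugins.security.system_indices.indices` in the opensearch.yml posted above, so a request made as an ordinary user may be refused with the same 403 `security_exception` shown in the thread.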