Wazuh Manager - OVA installation - VPN and local Host IP conflict


Nu Man

May 4, 2023, 7:25:59 AM
to Wazuh mailing list
Hi !

I have installed Wazuh using the OVA file on VirtualBox. The current status is that I'm not able to access the dashboard, as I'm getting an error: dashboard not ready. I started getting the error after configuring the Wazuh OVA VM with a VPN, as I want to forward firewall logs to the Wazuh server. In spite of having two IPs assigned, I'm not able to access the server with either of those. The first IP is assigned by my local Wi-Fi router and the second IP is my VPN-assigned IP. Attached is the IP snapshot for your reference.
VM - VPN - IP - Error - 001.png

Nahuel Figueroa

May 4, 2023, 8:42:40 AM
to Wazuh mailing list
Hi, how are you? Sorry for the delay.

To access the control panel did you execute these steps?
URL: https://<wazuh_server_ip>
user: admin
password: admin

Note that wazuh_server_ip can be seen using the ip a command.

You can check your indexer configuration in the /etc/wazuh-indexer/opensearch.yml file. In the network.host key you should have the same ip that you used for the node address set in config.yml to create the SSL certificates.

Also check that your /etc/filebeat/filebeat.yml file has the same IP as the indexer in the hosts key.

Finally, check this too: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml. The host key should have the IP correctly set too.

Nahuel Figueroa

May 4, 2023, 8:51:22 AM
to Wazuh mailing list
Also remember to verify that the services are running with systemctl status wazuh-manager.service, systemctl status wazuh-indexer.service, systemctl status filebeat and systemctl status wazuh-dashboard.service.


Nu Man

May 4, 2023, 9:50:42 AM
to Wazuh mailing list
Hi Nahuel,

Thank you for your response. Please find attached snapshots of the status of each of the Wazuh components. As I understand it, the Wazuh manager, Filebeat and dashboard services are running seamlessly. I can see there is an error in the indexer service, which I need your support to troubleshoot. Looking forward to hearing from you.

Regards, 
Numan
systemctl status wazuh-indexer.service.png
systemctl status wazuh-dashboard.service.png
systemctl status filebeat.png
systemctl status wazuh-manager.service.png

Nahuel Figueroa

May 4, 2023, 10:13:44 AM
to Wazuh mailing list
The indexer will create the SSL certificates from the config.yml file (a file where you put the IP) and that is then removed when creating the certificates. If you created the certificates with an IP and then changed the IP, those certificates will not work.

You can check your indexer configuration in the /etc/wazuh-indexer/opensearch.yml file. In the network.host key you should have the same ip that you used for the node address configured in config.yml to create the SSL certificates.

It is most likely that your certificates have been deprecated and the indexer cannot run correctly because of that.
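
The comparison described in the replies above, between network.host in opensearch.yml and the hosts key in filebeat.yml, can be scripted. This is an added example, not part of the thread and not Wazuh's own tooling; the function names are made up here, and it assumes IPv4 addresses or hostnames, treats localhost as 127.0.0.1, and treats a 0.0.0.0 bind as matching any address.

```bash
#!/bin/sh
# Added example (not from the thread). Read-only: it only parses the two files.
# Usage: check_indexer_hosts /etc/wazuh-indexer/opensearch.yml /etc/filebeat/filebeat.yml

# Reduce a raw YAML value to bare hosts, one per line:
# drop quotes/brackets, split on commas, strip scheme and :port.
normalize_hosts() {
  tr -d "\"'[]" | tr ',' '\n' |
    sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s#^[a-z]+://##; s#:[0-9]+$##; s/^localhost$/127.0.0.1/; /^$/d'
}

# Address the indexer binds to (network.host in opensearch.yml).
indexer_bind() {
  sed -n -E 's/^network\.host:[[:space:]]*//p' "$1" | head -n 1 | normalize_hosts
}

# Hosts Filebeat ships to; handles inline (hosts: [a, b]) and block (- a) lists.
filebeat_hosts() {
  awk '
    /^[ \t]*#/ { next }
    /hosts:/ {
      sub(/.*hosts:[ \t]*/, "")
      if ($0 != "") { print } else { inlist = 1 }
      next
    }
    inlist && /^[ \t]*-/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
    { inlist = 0 }
  ' "$1" | normalize_hosts
}

# Exit 0 if every Filebeat host matches the bind address, 1 on mismatch,
# 2 if either value could not be read.
check_indexer_hosts() {
  ci_bind=$(indexer_bind "$1")
  ci_hosts=$(filebeat_hosts "$2")
  if [ -z "$ci_bind" ] || [ -z "$ci_hosts" ]; then
    echo "could not read network.host or hosts"; return 2
  fi
  ci_rc=0
  for ci_h in $ci_hosts; do
    if [ "$ci_bind" = "0.0.0.0" ] || [ "$ci_h" = "$ci_bind" ]; then
      echo "OK: Filebeat -> $ci_h, indexer bound to $ci_bind"
    else
      echo "MISMATCH: Filebeat -> $ci_h, indexer bound to $ci_bind"
      ci_rc=1
    fi
  done
  return "$ci_rc"
}
```

A matching pair of files does not show that the certificates cover that address; that still has to be checked against the certificate itself.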

Nu Man

May 5, 2023, 6:26:43 AM
to Wazuh mailing list
The opensearch.yml file has network.host assigned as "127.0.0.1" (attached snapshot). I tried to locate the config.yml file, which I was not able to. When I search for the config.yml file in the Wazuh documentation, the mentioned path is as follows: "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml". There is no IP mentioned in wazuh.yml; instead it is set to localhost. Now I'm able to access the Wazuh dashboard.

I need to configure it to the other IP that starts with 10.81.*.* instead of 192.168.29.*. Attached is the ip a result of the Wazuh server.
VM - VPN - IP - Error - 001.png
opensearch yml.png