Wazuh indexer step-by-step installation error during indexer-security-init.sh execution


Olexandr Yermak

Sep 26, 2024, 12:16:49 AM
to Wazuh | Mailing List
Unable to start the cluster.
When we execute indexer-security-init.sh we get the following message:

root@vm11451:/home/cliosec# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 172.27.232.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.13.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: 30,000 milliseconds timeout on connection http-outgoing-2 [ACTIVE]. This is not an error, will keep on trying ...
  Root cause: java.net.SocketTimeoutException: 30,000 milliseconds timeout on connection http-outgoing-2 [ACTIVE] (java.net.SocketTimeoutException/java.net.SocketTimeoutException)
   * Try running securityadmin.sh with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
   * Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml
   * If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
   * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.

The same issue occurs on another server with other software.
I tried the previous Wazuh installation package and the previous version of wazuh-certs-tool.sh.

The OS on this server is Red Hat.

I would appreciate it if you could help me out with this issue, because I'm unable to finish the installation.


Lamya Imam

Sep 26, 2024, 3:16:36 AM
to Wazuh | Mailing List
Hello Olexandr Yermak,

Could you please share what version of Wazuh and what type of deployment you are using?

At first, I would need you to check if the indexer is running:
# systemctl status wazuh-indexer 

Also, check the storage availability by using the command:
# df -h
and make sure the hardware requirement is met as recommended in the official documentation:
https://documentation.wazuh.com/current/quickstart.html#requirements

Please share the output of this command to further analyze the issue:
# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Will be waiting for your response!

Lamya Imam

Sep 26, 2024, 4:45:11 AM
to Wazuh | Mailing List
Hello Olexandr Yermak,

I wanted to mention something regarding our email communications to help streamline our conversations. When making or replying to queries, I would request you to please use "Reply All". This approach helps ensure that other users in the community can also benefit from the shared information and any responses that follow.

Please provide the required information here so that we can further analyze the issue.
  
Kind regards, 

Olexandr Yermak

Sep 26, 2024, 5:39:44 AM
to Lamya Imam, Wazuh | Mailing List
Hello Lamya, 

thank you for your reply. 
Every curl command I use on the indexer API port gives me back the same answer: [OpenSearch Security not initialized]
[screenshots of the curl responses omitted]

Disk space, RAM and CPU:
[screenshots of the disk space, RAM and CPU figures omitted]

It meets the minimum requirements.


With this command you are running too far ahead:
[screenshot omitted]
We are at step 3.2 of the step-by-step installation guide:

Config.yml used during installation is this:
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.27.232.1"
    - name: node-2
      ip: "172.27.232.2"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.27.232.1"
      node_type: master
    - name: wazuh-2
      ip: "172.27.232.2"
      node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.27.23.1"


and /etc/wazuh-indexer/opensearch.yml is this: 
network.host: "172.27.232.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
  - "node-1-ip"
  - "node-2-ip"
#  - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistr>

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true



Thank you again for your assistance 


--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/EGf5xMIcuwo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6290b7e8-b309-40f5-a77f-d9f963d088fen%40googlegroups.com.

Olexandr Yermak

Sep 26, 2024, 6:26:31 AM
to Lamya Imam, Wazuh | Mailing List

Olexandr Yermak

Sep 30, 2024, 3:30:27 AM
to Lamya Imam, Wazuh | Mailing List
Hello everyone. 
Some news on our problem? 

Lamya Imam

Oct 1, 2024, 5:44:21 AM
to Wazuh | Mailing List
Hello Olexandr Yermak,

To further analyze the issue, please share the output of this command:

# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Also, I would suggest you have an odd number of indexer nodes. The Wazuh indexer cluster needs to have an odd number of nodes. So once again, one node should be fine for smaller environments, and as soon as you need HA, or your data volumes outgrow the single-node install, you must jump to three or five nodes as per your requirements.

Let me know the update!

Olexandr Yermak

Oct 1, 2024, 6:37:15 AM
to Lamya Imam, Wazuh | Mailing List

Hello Lamya,

Thank you for your response.

The command you suggested produced the following output:

[screenshot of the log output omitted]

It appears that Wazuh is unable to resolve the IP addresses. These two IPs are from OpenVPN, which we use to connect these two cluster servers without utilizing external IPs, as Wazuh does not accept external IPs.

Could you please advise us on how to work around this issue?

Also, thank you for your suggestion regarding the three-node cluster. Currently, we have set up a two-node cluster primarily for redundancy rather than high availability (HA). However, we will consider adding a third node to our infrastructure.

Best regards,



Olexandr Yermak

Oct 2, 2024, 4:59:43 AM
to Lamya Imam, Wazuh | Mailing List

Hello Lamya,

We've closed the servers from the external network, so now the certificate tool is no longer flagging us for using exposed IPs.

We’ve started the process again, and the errors we are encountering are now different.

Please note, we have installed the Wazuh indexer on both nodes, and step 2 (Node installation) has been completed on both.

However, when I run /usr/share/wazuh-indexer/bin/indexer-security-init.sh on the master node (node-1), I encounter the following error:

[screenshot of the error omitted]


Additionally, the previous command you suggested produces this output:

[screenshot of the log output omitted]

Do you have any ideas about what could be causing this issue?

Thank you for your assistance.

Best regards,

Olexandr Yermak

Oct 2, 2024, 5:27:18 AM
to Wazuh | Mailing List

Hello Team,

It appears that Lamya is experiencing issues with her email at the moment.

In any case, we may have identified the problem. The customer did not configure the network infrastructure correctly, as indicated in the attached image.

[screenshot omitted]
It seems that every single port is blocked, even though iptables is set up correctly.

We will continue our investigation and will keep you updated with a final solution.

The last command that Lamya provided was very helpful:

 cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Thank you once again!

Olusegun Adenrele Oyebo

Oct 3, 2024, 9:38:57 AM
to Wazuh | Mailing List
Hello Olexandr,

Sorry for the late response.

I'm glad you were able to identify the problem. One possible cause of the timeout when initializing the Wazuh indexer cluster could be that the indexer cluster communication ports (TCP 9300-9400) are blocked. Those ports need to be open both at the host and at the network level. You can also check the link below for more information on other port requirements:
If you need any other thing, do not hesitate to reach out. We remain attentive to your queries.

Best regards.
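The two failure classes this thread works through, a discovery.seed_hosts list that still contains the template's placeholder strings (as in the opensearch.yml posted above, where the entries read "node-1-ip" and "node-2-ip") and cluster ports that are blocked at the host or network level (the cause named in the final reply), can both be caught before indexer-security-init.sh is run. The script below is an added example written for this thread; it is not code from the thread, from Wazuh or from OpenSearch. It assumes the flat key/list layout of the Wazuh opensearch.yml template (no nested maps, IPv4 only), that node certificates carry CN=<node.name> as wazuh-certs-tool produced them in the posted nodes_dn entries, and probes 9200 plus 9300 (the first port of the 9300-9400 range). POSTED_YML is a constructed sample built from the posted configuration.

```python
"""Pre-flight checks for a Wazuh indexer (OpenSearch) node before running
indexer-security-init.sh: unresolvable/placeholder seed hosts and blocked
REST (9200) / transport (9300) ports. Standard library only; resolver and
connector are injectable so the logic can be exercised offline."""
import ipaddress
import re
import socket

PORTS = (9200, 9300)  # REST port and the first port of the 9300-9400 cluster range


def parse_opensearch_yml(text):
    """Parse the flat 'key: value' / 'key:' + '- item' layout of the Wazuh
    template (assumption: no nested maps, no ':' inside values)."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        item = re.match(r"^\s*-\s*(.+)$", line)
        if item and current is not None:               # list element
            cfg[current].append(item.group(1).strip().strip('"'))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value:                                      # scalar value
            cfg[key], current = value.strip('"'), None
        else:                                          # list header
            cfg[key], current = [], key
    return cfg


def host_resolves(host, resolver=socket.gethostbyname):
    """True for a literal IP or a name the resolver knows. A placeholder
    such as 'node-1-ip' left over from the template returns False."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        resolver(host)
        return True
    except OSError:                                    # socket.gaierror is an OSError
        return False


def tcp_reachable(host, port, connector=None, timeout=3.0):
    """True if a TCP connection to host:port opens. A firewalled port times
    out or is refused; both surface as OSError."""
    if connector is None:
        def connector(h, p):
            with socket.create_connection((h, p), timeout=timeout):
                return True
    try:
        return bool(connector(host, port))
    except OSError:
        return False


def preflight(yml_text, resolver=socket.gethostbyname, connector=None):
    """Return (severity, message) findings; an empty list means the node looks
    ready. Assumes node certificates carry CN=<node.name> (wazuh-certs-tool)."""
    cfg = parse_opensearch_yml(yml_text)
    node = cfg.get("node.name", "")
    nodes_dn = cfg.get("plugins.security.nodes_dn", [])
    findings = []
    for host in cfg.get("discovery.seed_hosts", []):
        if not host_resolves(host, resolver):
            findings.append(("ERROR", f"seed host {host!r} does not resolve (placeholder?)"))
            continue
        for port in PORTS:
            if not tcp_reachable(host, port, connector):
                findings.append(("ERROR", f"{host}:{port} not reachable (firewall/ACL?)"))
    if node and node not in cfg.get("cluster.initial_master_nodes", []):
        findings.append(("WARN", f"{node!r} missing from cluster.initial_master_nodes"))
    if node and not any(dn.startswith(f"CN={node},") for dn in nodes_dn):
        findings.append(("ERROR", f"no nodes_dn entry for CN={node}; peers will not "
                                  "accept its certificate as a node certificate"))
    return findings


# Constructed sample: the cluster-formation lines of the opensearch.yml posted
# in the thread, discovery.seed_hosts still holding the template placeholders.
POSTED_YML = """\
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
- "node-2"
#- "node-3"
discovery.seed_hosts:
  - "node-1-ip"
  - "node-2-ip"
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
"""
```

On a real node, `preflight(open("/etc/wazuh-indexer/opensearch.yml").read())` uses the system resolver and real TCP connects; run it from every indexer node rather than once, since host firewalls and routes differ per host, and run it again after fixing the seed hosts, because the port checks are skipped for entries that do not resolve.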