Error while attempting to change default password


OSSIM Notify

Dec 13, 2021, 1:50:03 PM
to Wazuh mailing list
Good Afternoon,

I was attempting to change the default password for admin user in our test environment that is running Wazuh 4.2.4 all-in-one, following these instructions:


The wazuh-passwords-tool.sh script failed during backup of the YAML files it was copying to /usr/share/elasticsearch/backup so I increased the verbosity of the script and the error occurs with the audit.yml file as seen below:

12/13/2021 13:45:16 INFO: Creating backup...
mkdir: cannot create directory ‘/usr/share/elasticsearch/backup’: File exists
Open Distro Security Admin v7
Will connect to 127.0.0.1:9300 ... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '_doc/config' into /usr/share/elasticsearch/backup/config.yml
   SUCC: Configuration for 'config' stored in /usr/share/elasticsearch/backup/config.yml
Will retrieve '_doc/roles' into /usr/share/elasticsearch/backup/roles.yml
   SUCC: Configuration for 'roles' stored in /usr/share/elasticsearch/backup/roles.yml
Will retrieve '_doc/rolesmapping' into /usr/share/elasticsearch/backup/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' stored in /usr/share/elasticsearch/backup/roles_mapping.yml
Will retrieve '_doc/internalusers' into /usr/share/elasticsearch/backup/internal_users.yml
   SUCC: Configuration for 'internalusers' stored in /usr/share/elasticsearch/backup/internal_users.yml
Will retrieve '_doc/actiongroups' into /usr/share/elasticsearch/backup/action_groups.yml
   SUCC: Configuration for 'actiongroups' stored in /usr/share/elasticsearch/backup/action_groups.yml
Will retrieve '_doc/tenants' into /usr/share/elasticsearch/backup/tenants.yml
   SUCC: Configuration for 'tenants' stored in /usr/share/elasticsearch/backup/tenants.yml
Will retrieve '_doc/nodesdn' into /usr/share/elasticsearch/backup/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /usr/share/elasticsearch/backup/nodes_dn.yml
Will retrieve '_doc/whitelist' into /usr/share/elasticsearch/backup/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /usr/share/elasticsearch/backup/whitelist.yml
Will retrieve '_doc/audit' into /usr/share/elasticsearch/backup/audit.yml
   FAIL: Configuration for 'audit' failed because of empty source
12/13/2021 13:45:19 ERROR: The backup could not be created

I have not found a good workaround yet.  Does anyone have any experience dealing with this issue?  It appears that it may be related to the version of OpenDistro that is running.  Thanks in advance.

Diego Ariel Balbuena

Dec 14, 2021, 4:48:44 PM
to Wazuh mailing list
Hi Ossim, thanks for using Wazuh!

I am sorry for the late reply. I was reviewing this situation.

Please could you send the output of the following command?

# ls -laR /usr/share/elasticsearch/backup

and

# ls -laR /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml

I think that you can remove the backup directory and run the wazuh-password-tool.sh script again.
# rm -R /usr/share/elasticsearch/backup

Please let me know how it works and I will be glad to help you

Diego Ariel Balbuena

OSSIM Notify

Dec 16, 2021, 11:31:08 AM
to Diego Ariel Balbuena, Wazuh mailing list
Hi Diego,

Here is the output of the commands that you requested:

[root@wazuh01 ~]# ls -laR /usr/share/elasticsearch/backup
/usr/share/elasticsearch/backup:
total 32
drwxr-xr-x. 2 root root  194 Dec 13 11:36 .
drwxr-xr-x. 9 root root  155 Dec 13 11:36 ..
-rw-r--r--. 1 root root   54 Dec 13 13:45 action_groups.yml
-rw-r--r--. 1 root root    0 Dec 13 13:45 audit.yml
-rw-r--r--. 1 root root 3845 Dec 13 13:45 config.yml
-rw-r--r--. 1 root root 1548 Dec 13 13:45 internal_users.yml
-rw-r--r--. 1 root root   49 Dec 13 13:45 nodes_dn.yml
-rw-r--r--. 1 root root  963 Dec 13 13:45 roles_mapping.yml
-rw-r--r--. 1 root root 1160 Dec 13 13:45 roles.yml
-rw-r--r--. 1 root root  125 Dec 13 13:45 tenants.yml
-rw-r--r--. 1 root root  153 Dec 13 13:45 whitelist.yml
[root@wazuh01 ~]# ls -laR /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
-rw-r-----. 1 root elasticsearch 2541 Mar  2  2021 /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml

I also removed /usr/share/elasticsearch/backup/ and attempted to run the wazuh-passwords-tool.sh script again, but it still fails on the audit.yml file.  I suspect because audit.yml is empty but I do not know enough about the plugin configuration to know how to resolve this.  Any assistance you can provide would be greatly appreciated.  Thanks.


Diego Ariel Balbuena

Dec 23, 2021, 2:42:54 PM
to Wazuh mailing list
Hi Ossim! Sorry for the late reply. I missed your update.

We found an archived ODFE issue regarding this.

The audit configuration is now stored in the security index. If it is absent in the index and you try to create a backup then it is complaining that configuration is missing in the index which is expected.

To enable hot-reloading of audit configuration (stored in the index), move all your settings from elasticsearch.yml to audit.yml and restart one of the nodes. There is a tool to help you do the same:
sh plugins/opendistro_security/tools/audit_config_migrater.sh -s <path-to-elasticsearch.yml>


Please let me know if this helps.
Best regards,
Diego Ariel Balbuena
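A pre-flight check for the failure diagnosed above, added here as an example and not part of the thread or of Wazuh's own tooling: it verifies that a securityadmin backup directory contains all nine security config documents the log shows being retrieved, each non-empty, so a zero-byte audit.yml is caught before wazuh-passwords-tool.sh is run. The sample backup it builds is constructed to mirror the directory listing in the thread; the function and file names are this example's own.

```shell
#!/bin/sh
# The nine documents securityadmin wrote in the log above. A missing or
# zero-byte file here is what the password tool's backup step trips over.
EXPECTED_BACKUP_FILES="config.yml roles.yml roles_mapping.yml internal_users.yml action_groups.yml tenants.yml nodes_dn.yml whitelist.yml audit.yml"

# check_backup DIR: prints one line per problem; returns 0 only when every
# expected document is present and non-empty, 1 otherwise.
check_backup() {
    dir=$1
    status=0
    for f in $EXPECTED_BACKUP_FILES; do
        if [ ! -e "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            status=1
        elif [ ! -s "$dir/$f" ]; then
            # Zero bytes: the document was absent from the .opendistro_security
            # index, the 'empty source' case for audit.yml in the thread.
            echo "EMPTY: $dir/$f"
            status=1
        fi
    done
    return $status
}

# make_sample_backup DIR: constructed sample (not real exported config) that
# mirrors the thread's listing: eight populated files and a zero-byte audit.yml.
make_sample_backup() {
    dir=$1
    mkdir -p "$dir"
    for f in $EXPECTED_BACKUP_FILES; do
        if [ "$f" = audit.yml ]; then
            : > "$dir/$f"
        else
            printf '_meta:\n  type: "%s"\n' "${f%.yml}" > "$dir/$f"
        fi
    done
}

# Run with --demo to see the check flag the constructed sample backup.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_backup "$tmp"
    check_backup "$tmp" || echo "backup incomplete: restore the empty document before running wazuh-passwords-tool.sh"
    rm -rf "$tmp"
fi
```

On a real host, point check_backup at /usr/share/elasticsearch/backup after securityadmin has run; an EMPTY line for audit.yml means the audit configuration still needs to be migrated into the index as described in the reply above.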

OSSIM Notify

Jan 5, 2022, 1:38:14 PM
to Diego Ariel Balbuena, Wazuh mailing list
Hi Diego,

Thank you for the additional instructions.  I was able to locate the audit_config_migrater.sh script so I will use that to make the necessary changes.  I do have some follow-up questions since I am still new to administering ES.  This script created two files named audit.yml and elasticsearch.audit-filtered.yml.  Should these new files be placed in /etc/elasticsearch, which is the location of my existing elasticsearch.yml file, or should they be placed elsewhere?  Also, should elasticsearch.audit-filtered.yml be renamed and replace my existing elasticsearch.yml file?  Please advise.  Thanks!
