Wazuh API seems to be down


Naser Aslam

Apr 23, 2022, 7:10:14 AM
to Wazuh mailing list
Hi Wazuh community,
I installed & configured Wazuh in distributed mode, though with a single node for each daemon :)
Everything went fine.
However, when I try to access Kibana in the browser, I am seeing the following issue:
Wazuh API seems to be down

OS details:
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian

root@d-svr-waz-wm:/var/ossec/bin# ./wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

So you can see wazuh-apid is running...

The ossec.log and ossec.conf files are attached below.

Please let me know if you need anything else.


ossec.log
Screenshot_30.png
ossec.conf

Aditya Sharma

Apr 25, 2022, 12:09:06 AM
to Wazuh mailing list
Hi Hafiz, Thanks for using Wazuh!

As I can see, your Wazuh API is not able to connect properly, so to configure it properly, please check the configuration in the file below. With the first access attempt, the Wazuh Kibana plugin may prompt a message that indicates that it cannot communicate with the Wazuh API. To solve this issue, edit the file /usr/share/kibana/data/wazuh/config/wazuh.yml and replace the url with the Wazuh server's address:
hosts:
  - default:
     url: https://localhost
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

To check this out more please go through this documentation also: https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/step-by-step-installation/kibana/index.html#kibana

I hope this helps you. Don't hesitate to ask your questions. We are very happy to help you.

Naser Aslam

Apr 25, 2022, 3:37:21 AM
to Aditya Sharma, Wazuh mailing list
Hi Aditya,
Thanks for your response. It helped a lot, but still I am not able to completely resolve the issue.

Here is the log information from /var/ossec/logs/api.log:

`2022/04/25 00:10:46 INFO: Listening on 10.10.254.94:55000..
2022/04/25 00:15:25 INFO: unknown_user 10.10.254.95 "GET /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.020s: 401
2022/04/25 00:15:25 INFO: unknown_user 10.10.254.95 "GET /" with parameters {} and body {} done in 0.002s: 401`

Here is the output of a curl test command.
curl -k -X GET "https://10.10.254.94:55000/" -H "Authorization: Bearer $(curl -u wzuh-wui:wazuh-wui -k -X GET 'https://10.10.254.94:55000/security/user/authenticate?raw=true')"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    59  100    59    0     0   1552      0 --:--:-- --:--:-- --:--:--  1552
{"title": "Unauthorized", "detail": "No authorization token provided"}

The configuration file /var/ossec/api/configuration/api.yml from wazuh-manager, the /usr/share/kibana/data/wazuh/config/wazuh.yml file from Kibana, and the screenshot of the error are all attached below. Thanks a ton in advance!




Regards
Hafiz Naser Aslam
Research Officer in "High Performance Computing & Networking Lab"
Al-Khawarizmi Institute Of Computer Science (KICS)
University Of Engineering and Technology (UET), Lahore


wazuh.yml
api.yml
Screenshot_33.png
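
Added example (not part of the original thread and not Wazuh project code): a small parser for the api.log request lines quoted in the post above. It separates "no client request ever arrives" from "requests arrive but are all rejected with 401", which is the case the quoted lines show. The function names are hypothetical, and the regular expression assumes only the line layout visible in those three quoted lines.

```python
import re
from collections import Counter

# Assumed layout, inferred only from the api.log lines quoted in the post:
# <date> <time> <LEVEL>: <user> <src-ip> "<METHOD> <path>" ... done in <s>s: <status>
REQUEST_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+): '
    r'(?P<user>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" .* done in (?P<secs>[\d.]+)s: '
    r'(?P<status>\d{3})$'
)

# The three log lines quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
2022/04/25 00:10:46 INFO: Listening on 10.10.254.94:55000..
2022/04/25 00:15:25 INFO: unknown_user 10.10.254.95 "GET /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.020s: 401
2022/04/25 00:15:25 INFO: unknown_user 10.10.254.95 "GET /" with parameters {} and body {} done in 0.002s: 401
"""


def parse_requests(text):
    """Return one dict per request line; other lines (e.g. 'Listening on') are skipped."""
    matches = (REQUEST_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def auth_failures(text):
    """Count 401 responses per (source IP, logged user)."""
    return Counter(
        (r["src"], r["user"]) for r in parse_requests(text) if r["status"] == "401"
    )


def diagnose(text):
    """Classify the log: no client traffic, every request rejected, or mixed."""
    requests = parse_requests(text)
    if not requests:
        return "unreachable: no client request was logged; check url, port and firewall"
    failures = auth_failures(text)
    if failures and len(requests) == sum(failures.values()):
        sources = ", ".join(sorted({src for src, _ in failures}))
        return f"auth: API answers but rejects every request from {sources} with 401"
    return "mixed: at least one request did not end in 401"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    for (src, user), count in auth_failures(SAMPLE_LOG).items():
        print(f"{count} x 401 from {src} as {user}")
```

A 401 line in api.log means the request reached the API and was refused at authentication, so the credentials or token the client sends are the thing to check rather than the daemon status.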

Naser Aslam

Apr 25, 2022, 6:12:39 AM
to Aditya Sharma, Wazuh mailing list
Hi Aditya,
Thank you very much, the problem has been fixed. You are right, it was a protocol issue: I have written https://<Wazuh-manager-master-IP-address> and set run_as: false, and the issue is fixed.

Can you please guide me on how I can add the worker IP too, so that if the master goes down the worker can start working?




Regards
Hafiz Naser Aslam
Research Officer in "High Performance Computing & Networking Lab"
Al-Khawarizmi Institute Of Computer Science (KICS)
University Of Engineering and Technology (UET), Lahore
