Connection error after upgrading to Wazuh 4.10: ECONNREFUSED when connecting to OpenSearch
Limber Cumara Mamani
Hello everyone,
I recently upgraded to Wazuh version 4.10, and I am now facing an issue with the connection to OpenSearch from the Wazuh Dashboard. Below is the error that appears repeatedly in the logs:
[ConnectionError]: connect ECONNREFUSED 10.0.10.253:9200
This occurs when the Wazuh Dashboard tries to connect to the OpenSearch node at IP 10.0.10.253 on port 9200, but the connection is being refused.
Relevant logs:
Jan 10 17:18:31 mre619 opensearch-dashboards[1884886]: [agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
Jan 10 17:18:32 mre619 opensearch-dashboards[1884886]: {"type":"log","@timestamp":"2025-01-10T21:18:32Z","tags":["error","opensearch","data"],"pid":1884886,"message":"[ConnectionError]: connect ECONNREFUSED 10.0.10.253:9200"}
Jan 10 17:18:32 mre619 opensearch-dashboards[1884886]: {"type":"log","@timestamp":"2025-01-10T21:18:32Z","tags":["error","savedobjects-service"],"pid":1884886,"message":"Unable to retrieve version information from OpenSearch nodes."}
I have checked that the OpenSearch service is running and that the configuration in the opensearch.yml file is correct, but the connection is still being refused.
Has anyone else encountered this issue after upgrading to Wazuh 4.10? Any advice on how to resolve it would be greatly appreciated.
Thank you in advance for your help.
Javier Eduardo Rosas Ibarra
Hello Limber,
I hope you’re doing well.
I’m currently reviewing this and will try to replicate the error on my end. In the meantime, could you please share how you installed Wazuh? Specifically, which installation method did you use?
Best regards,
Diego Valiente
Javier Eduardo Rosas Ibarra
Hello again,
In this case, you can check the connection with the Wazuh indexer. To do this, you can review the opensearch_dashboards.yml configuration file. Inside this file, you will find the opensearch.hosts parameter, where the value should be the IP address of the indexer and the port. By default, the Wazuh indexer uses port 9200.
For example, in my case, since all components are on the same machine, the configuration looks like this:
If your indexer is on a different server, you may want to verify the networking and firewall settings.
If your configuration is the same as mine, you can check the indexer logs by navigating to the log directory specified in the opensearch.yml file. To find the log path, search for the path.logs parameter within that file.
Additionally, you can check if the Wazuh indexer is initialized and properly set up by running the following command:
The expected output should look similar to this:
"name" : "node-1",
"cluster_name" : "wazuh-cluster",
"cluster_uuid" : "Gb1ocewnRyeujb6FVn2d4g",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "3f6ccf6a2243f68b200f3d752d32e51facfe30f6",
"build_date" : "2025-01-08T12:26:21.519600Z",
"build_snapshot" : false,
"lucene_version" : "9.11.1",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Finally, there is a tool for cluster health checks: /var/ossec/bin/cluster_control -i.
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/?highlight=indexer%20health
https://documentation.wazuh.com/current/user-manual/reference/tools/cluster-control.html#get-cluster-s-healthcheck
Check this and tell me if this helps you.
Diego Valiente
# <cluster>
# <name>wazuh</name>
# <node_name>node01</node_name>
# <node_type>master</node_type>
# <key></key>
# <port>1516</port>
# <bind_addr>0.0.0.0</bind_addr>
# <nodes>
# <node>NODE_IP</node>
# </nodes>
# <hidden>no</hidden>
# <disabled>yes</disabled>
# </cluster>