Upgraded Wazuh and now web server refusing to connect


Spencer LynnCo

May 19, 2022, 4:06:26 PM
to Wazuh mailing list
Hello,
I recently updated all of the packages on the WAZUH server and after the update/reboot, the wazuh webpage is not loading.  It is still emailing alerts, but shows "refused to connect" when trying to load the web page.  I received an API mismatch error stating that the API was still at 4.2.6 while the rest of WAZUH was at 4.3.0.  I clicked the support link on the WAZUH loading page and followed the steps to "upgrade the API," but did not find anything there and now the web server seems like it has a cert error.

The server was deployed in February on 4.2.6 with the Wazuh installation assistant bash script
All-in-one deployment
Server: Ubuntu 21.10
Wazuh 4.3.0

Please let me know which details to provide, but I have followed the installation guide (https://documentation.wazuh.com/current/installation-guide/) to update steps and generate secrets and add them to each section.  This has not seemed to fix anything.  The wazuh-indexer service is failing to start (I am not sure if my prior deployment supports the Wazuh Indexer).

Any help is appreciated!

Daniel Folch

May 20, 2022, 6:26:38 AM
to Wazuh mailing list

Hello,

The API is included in the same packages as the Wazuh manager. Please check that all the Wazuh manager nodes are on version 4.3.0. To do this, run:

/var/ossec/bin/wazuh-control info

Also, make sure that you have upgraded the Wazuh plugin for Kibana. Here you can see how to do it:
https://documentation.wazuh.com/current/upgrade-guide/elasticsearch-kibana-filebeat/upgrading-open-distro.html#upgrading-kibana

Spencer LynnCo

May 20, 2022, 10:54:39 AM
to Wazuh mailing list
Thank you Daniel!

I ran /var/ossec/bin/wazuh-control info with these results:
 /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.1"
WAZUH_REVISION="40311"
WAZUH_TYPE="server"

I followed the instructions on the link again.  As of now, kibana is at: kibana/stable 7.17.3 amd64

Should I downgrade kibana?

Also, here is my bash history from when things went sideways:
  174  apt update
  175  apt dist-upgrade -y
  176  reboot
  177  service --status-all
  178  service wazuh-manager status
  179  history | tail -n 35
  180  fdisk /dev/sda
  181  df -h
  182  ls -lash /usr/share/kibana/data/wazuh/config/
  183  cd /usr/share/kibana/data/wazuh/config/
  184  mv wazuh-registry.json wazuh-registryjson.old
  185  service kibana restart
  186  service kibana status
  188  curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
  189  echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
  190  apt update
  191  nano /etc/apt/sources.list.d/wazuh.list
  192  apt update
  193  apt install wazuh-agent
  194  apt list wazuh-manager --versions
  195  apt list wazuh-manager --all-versions
  196  exit
  197  systemctl stop filebeat.service kibana.service
  198  sed -i "s/^deb/#deb/" /et/apt/sources.list.d/opendistroforelasticsearch.list
  199  curl -X PUT "https://10.60.26.149:9200/_cluster/settings" -H 'Content-Type: application/json' -d' {  "persistent": {    "cluster.routing.allocation.enable": "primaries"    }  } ,
  200  curl -X PUT "https://10.60.26.149:9200/_cluster/settings" -H 'Content-Type: application/json' -d' {  "persistent": {    "cluster.routing.allocation.enable": "primaries"    }  } ,
  201  curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u <username>:<password> -k -H 'Content-Type: application/json' -d'
  202  {
  203    "persistent": {
  204      "cluster.routing.allocation.enable": "primaries"
  205    }
  206  }
  207  '
  208  systemctl stop elasticsearch.service
  209  apt install elasticsearch-oss=7.10.2
  210  apt install opendistroforelasticsearch=1.13.2-1
  211  apt autoremove
  212  mkdir -p /etc/elasticsearch/jvm.options.d
  213  echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
  214  chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
  215  chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
  216  systemctl daemon-reload
  217  systemctl enable elasticsearch
  218  systemctl start elasticsearch.service
  219  apt-get install filebeat=7.10.2
  220  curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.3.0/extensions/elasticsearch/7.x/wazuh-template.json
  221  chmod go+r /etc/filebeat/wazuh-template.json
  222  curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  223  nano /etc/filebeat/filebeat.yml
  224  systemctl daemon-reload
  225  systemctl enable filebeat
  226  systemctl start filebeat.service
  227  mkdir -p /usr/share/kibana/data/wazuh/config/
  228  cp /usr/share/kibana/optimize/wazuh/config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
  229  cd /usr/share/kibana/
  230  sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.0_7.10.2-1.zip
  231  systemctl daemon-reload
  232  systemctl enable kibana
  233  systemctl start kibana.service
  234  history | tail -n 30
  235  history | tail -n 50
  236  history
  237  cd /
  238  systemctl status httpd
  239  systemctl status wazuh-manager.service
  240  systemctl status apache
  241  systemctl status apache2
  242  reboot
  243  systemctl status filebeat.service
  244  systemctl status kibana.service
  245  systemctl status wazuh-manager.service
  246  history
  247  apt update
  248  systemctl start elasticsearch
  249  systemctl start elasticsearch.service
  250  systemctl status elasticsearch.service
  251  nano /etc/elasticsearch/jvm.options.d/disabledlog4j.options
  252  nano /etc/apt/sources.list.d/opendistroforelasticsearch.list
  253  systemctl status wazuh-dashboard
  254  systemctl status wazuh-indexer
  255  apt install wazuh-indexer
  256  apt install wazuh-dashboard
  257  systemctl daemon-reload
  258  systemctl enable wazuh-dashboard.service wazuh-indexer.service wazuh-indexer-performance-analyzer.service
  259  systemctl start wazuh-dashboard.service wazuh-indexer.service wazuh-i
  260  systemctl status wazuh-indexer
  261  systemctl start wazuh-indexer.service
  262  systemctl status wazuh-indexer.service
  263  apt remove wazuh-indexer
  264  systemctl status wazuh-dashboard.service
  265  reboot
  266  curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.3/tpl/elastic-basic/elasticsearch_all_in_one.yml
  267  /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
  268  curl -so /usr/share/elasticsearch/instances.yml https://packages.wazuh.com/4.3/tpl/elastic-basic/instances_aio.yml
  269  /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
  270  systemctl status elasticsearch.service
  271  curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k
  272  curl -XGET https://localhost:9200 -k
  273  curl -XGET https://localhost:9200 -u '[redacted]:[redacted] -k
  274  apt list elasticsearch -a
  275  apt list elasticsearch --all-versions
  276  whichi elasticsearch
  277  which elasticsearch
  278  which elastic*
  279  which *elastic*
  280  apt list install-info elasticsearch-oss
  281  which elasticsearch-oss
  282  apt list opendistroforelasticsearch
  283  apt list opendistroforelasticsearch -a
  284  history | tail -n 80
  285  history | tail -n 120
  286  cd /var/
  287  ls -lash
  288  cd log/
  289  ls -lash
  290  less dmesg
  291  cd
  292  systemctl list --help
  293  systemctl list-units --type=service
  294  apt remove wazuh-dashboard
  295  service --status-all
  296  htop
  297  top
  298  systemctl restart wazuh-manager.service
  299  cd /var/ossec/
  300  ls -lash
  301  cd logs/
  302  ls -lash
  303  cd wazuh/
  304  ls -lash
  305  cd 2022/
  306  ls -lash
  307  cd may
  308  cd Ma
  309  cd May
  310  ls -lash
  311  less ossec-17.log.gz
  312  systemctl status ossec-remoted
  313  cd /
  314  less /var/ossec/logs/ossec.log
  315  cat /var/ossec/logs/ossec.log | grep error
  316  cat /var/ossec/logs/ossec.log | grep Error
  317  cat /var/ossec/logs/ossec.log | grep critical
  318  cat /var/log/elasticsearch/wazuh-cluster.log
  319  ufw --help
  320  ufw ruleset
  321  ufw ruleset --help
  322  ufw app list
  323  cd etc/ufw/applications.d/
  324  ls -lash
  325  cd ..
  326  ls -lash
  327  less ufw.conf
  328  less after.rules
  329  less before.rules
  330  systemctl ufw status
  331  systemctl status ufw.service
  332  netstat
  333  apt install net-tools
  334  netstat
  335  systemctl restart wazuh-dashboard.service
  336  systemctl status wazuh-dashboard.service
  337  apt install wazuh-dashboard
  338  uft allow https
  339  ufw allow https
  340  systemctl enable wazuh-dashboard.service
  341  systemctl start wazuh-dashboard
  342  systemctl status wazuh-dashboard.service
  343  apt remove wazuh-indexer
  344  systemctl status wazuh-manager.service
  345  systemctl status wazuh-dashboard.service
  346  systemctl start wazuh-dashboard
  347  systemctl status wazuh-dashboard.service
  348  reboot
  349  ls -lash
  350  nano upgrade.sh
  351  chmod +x upgrade.sh
  352  ./upgrade.sh
  353  mkdir -p /usr/share/kibana/data/wazuh/config/
  354  cp /usr/share/kibana/optimize/wazuh/config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
  355  cd /usr/share/kibana/
  356  ls -lash
  357  cd data/
  358  cd wazuh/config/
  359  ls -lash
  360  cd /
  361  locate wazuh.yml
  362  apt install mlocate
  363  locate wazuh.yml
  364  less /usr/share/kibana/data/wazuh/config/wazuh.yml
  365  less /etc/apt/sources.list.d/wazuh.list
  366  less /var/ossec/etc/ossec.conf
  367  cat /var/log/elasticsearch/wazuh-cluster.log
  368  at /var/log/elasticsearch/wazuh-cluster-2022-05-17-1.log.gz | grep -i -E "error|warn"
  369  cat /var/log/elasticsearch/wazuh-cluster-2022-05-17-1.log.gz | grep -i -E "error|warn"
  370  cat /var/log/elasticsearch/wazuh-cluster.log | grep -i -E "error|warn"
  371  curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"
  372  TOKEN=$(curl -u wazuh:[redacted] -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
  373  curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"
  374  TOKEN=$(curl -u wazuh:[redacted] -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
  375  curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"
  376  curl -k -X GET "https://localhost:55000/"
  377  curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
  378  echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
  379  apt update
  380  apt install elasticsearch=7.17.3
  381  nano /etc/wazuh-dashboard/opensearch_dashboards.yml
  382  nano /etc/filebeat/filebeat.yml
  383  curl -sO https://packages.wazuh.com/4.3/wazuh-certs-tool.sh
  384  curl -sO https://packages.wazuh.com/4.3/config.yml
  385  nano config.yml
  386  bash ./wazuh-certs-tool.sh -A
  387  tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
  388  rm -rf ./wazuh-certificates
  389  NODE_NAME=10.60.26.149
  390  ls /etc/filebeat/certs/
  391  NODE_NAME=wazuh-1
  392  $NODE_NAME
  393  tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./wazuh-1.pem ./wazuh-1-key.pem ./root-ca.pem
  394  mv -n /etc/filebeat/certs/wazuh-1.pem /etc/filebeat/certs/filebeat.pem
  395  mv -n /etc/filebeat/certs/wazuh-1-key.pem /etc/filebeat/certs/filebeat-key.pem
  396  chmod 500 /etc/filebeat/certs
  397  chmod 400 /etc/filebeat/certs/*
  398  chown -R root:root /etc/filebeat/certs
  399  systemctl daemon-reload
  400  systemctl enable filebeat
  401  systemctl start filebeat
  402  filebeat test output
  403  apt install debconf adduser procps
  404  apt -y install wazuh-indexer
  405  nano /etc/wazuh-indexer/opensearch.yml
  406  ls -lash
  407  ls -lash wazuh-certificates.tar
  408  tar -tvf wazuh-certificates.tar
  409  systemctl daemon-reload
  410  systemctl enable wazuh-indexer.service
  411  systemctl start wazuh-indexer.service
  412  journalctl -xeu wazuh-indexer.service
  413  less /var/log/wazuh-indexer/wazuh-cluster.log
  414  curl -k -u admin:admin https://127.0.0.1:9200
  415  curl -k -u admin:admin https://10.60.26.149:9200
  416  systemctl status wazuh-manager.service
  417  curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.3/tpl/wazuh/filebeat/filebeat.yml
  418  nano /etc/filebeat/filebeat.yml
  419  filebeat keystore create
  420  echo admin | filebeat keystore add username --stdin --force
  421  echo admin | filebeat keystore add password --stdin --force
  422  curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json
  423  chmod go+r /etc/filebeat/wazuh-template.json
  424  curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
  425  NODE_NAME=wazuh-1
  426  tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./wazuh-1.pem ./wazuh-1-key.pem ./root-ca.pem
  427  mv -n /etc/filebeat/certs/wazuh-1.pem /etc/filebeat/certs/filebeat.pem
  428  mv -n /etc/filebeat/certs/wazuh-1-key.pem /etc/filebeat/certs/filebeat-key.pem
  429  chmod 500 /etc/filebeat/certs
  430  chmod 400 /etc/filebeat/certs/*
  431  chown -R root:root /etc/filebeat/certs
  432  systemctl daemon-reload
  433  systemctl enable filebeat
  434  systemctl start filebeat
  435  filebeat test output
  436  apt install debhelper tar curl libcap2-bin
  437  nano /etc/wazuh-dashboard/opensearch_dashboards.yml
  438  mkdir /etc/wazuh-dashboard/certs
  439  tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./.pem ./$NODE_NAME-key.pem ./root-ca.pem
  440  tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./wazuh-1.pem ./wazuh-1-key.pem ./root-ca.pem
  441  mv -n /etc/wazuh-dashboard/certs/wazuh-1.pem /etc/wazuh-dashboard/certs/dashboard.pem
  442  mv -n /etc/wazuh-dashboard/certs/wazuh-1-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
  443  chmod 500 /etc/wazuh-dashboard/certs
  444  chmod 400 /etc/wazuh-dashboard/certs/*
  445  chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
  446  systemctl daemon-reload
  447  systemctl enable wazuh-dashboard
  448  systemctl start wazuh-dashboard
  449  nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
  450  reboot
  451  curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh
  452  bash wazuh-install.sh --wazuh-server wazuh-1
  453  bash wazuh-install.sh --wazuh-dashboard dashboard
  454  /var/ossec/bin/wazuh-control info
  455  cp /usr/share/kibana/optimize/wazuh/config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
  456  nano /usr/share/kibana/data/wazuh/config/wazuh.yml
  457  cd /usr/share/kibana/
  458  sudo -u kibana bin/kibana-plugin remove wazuh
  459  apt install opendistroforelasticsearch-kibana=1.13.2
  460  chown -R kibana:kibana /usr/share/kibana/data/
  461  chown -R kibana:kibana /usr/share/kibana/plugins/
  462  cd /usr/share/kibana/
  463  sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.1_7.10.2-1.zip
  464  sudo chown kibana:kibana /usr/share/kibana/data/wazuh/config/wazuh.yml
  465  chmod 600 /usr/share/kibana/data/wazuh/config/wazuh.yml
  466  cat >> /etc/default/kibana << EOF
NODE_OPTIONS="--max_old_space_size=2048"
EOF

  467  setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
  468  nano /etc/kibana/kibana.yml
  469  cd /
  470  tar -xf ./wazuh-certificates.tar -C /etc/kibana/certs/ ./wazuh-1.pem ./wazuh-1-key.pem ./root-ca.pem
  471  mv -n /etc/kibana/certs/wazuh-1.pem /etc/kibana/certs/kibana.pem
  472  systemctl daemon-reload
  473  systemctl enable kibana.service
  474  systemctl restart kibana.service
  475  systemctl status kibana.service
  476  systemctl start kibana.service
  477  systemctl status kibana.service
  478  sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
  479  apt update
  480  apt list --upgradable
  481  apt dist-upgrade -y
  482  apt list kibana --all-versions
  483  sudo apt install filebeat=7.17.2
  484  sudo apt install wazuh-manager=7.17.2
  485  sudo apt list wazuh-manager --all-versions
  486  sudo apt list wazuh-dashboards --all-versions
  487  sudo apt list wazuh-dashboard --all-versions
  488  apt install elasticsearch-oss=7.17.2
  489  apt list elasticsearch-oss --all-versions
  490  apt install opendistroforelasticsearch=1.13.2-1
  491  apt list opendistroforelasticsearch --all-versions
  492  systemctl stop kibana
  493  systemctl stop kibana.service
  494  systemctl status kibana.service
  495  systemctl stop kibana.service
  496  systemctl status kibana.service
  497  systemctl start kibana.service
  498  systemctl status kibana.service

There has been much struggle...  I am willing to re-deploy on Ubuntu 20.04 if I can keep all of the collected events and configuration files+connected agents

Thoughts?

Spencer LynnCo

May 25, 2022, 11:03:54 AM
to Wazuh mailing list
Any possible solutions out there?

Daniel Folch

May 27, 2022, 3:48:45 AM
to Wazuh mailing list
Hello,

From what I see here you are installing the plugin for version 7.10.2 in Kibana 7.17.3:
```
  463  sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.1_7.10.2-1.zip
```

To install the correct plugin, uninstall the current one:
```
cd /usr/share/kibana/
sudo -u kibana bin/kibana-plugin remove wazuh
```

And install the plugin for wazuh 4.3.1 and Kibana 7.17.3:
```
cd /usr/share/kibana/
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.3.1_7.17.3-1.zip
```

Here you have the documentation to upgrade Kibana with Elasticsearch basic license:
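
The mismatch diagnosed in this reply (a plugin built for Kibana 7.10.2 installed on Kibana 7.17.3) can be caught before running `kibana-plugin install`. The shell functions below are an added example, not part of the original post and not Wazuh tooling; the function names are hypothetical and the file name layout `wazuh_kibana-<wazuh>_<kibana>-<revision>.zip` is inferred from the URLs quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not Wazuh tooling.

# Split "wazuh_kibana-<wazuh>_<kibana>-<rev>.zip" (URL or file name)
# into "<wazuh> <kibana>". Returns 1 if the name has another shape.
plugin_versions() {
    name=${1##*/}
    case $name in
        wazuh_kibana-*_*-*.zip) ;;
        *) return 1 ;;
    esac
    rest=${name#wazuh_kibana-}   # e.g. 4.3.1_7.10.2-1.zip
    kib=${rest#*_}               # e.g. 7.10.2-1.zip
    printf '%s %s\n' "${rest%%_*}" "${kib%-*}"
}

# Version from `wazuh-control info` output: WAZUH_VERSION="v4.3.1" -> 4.3.1
manager_version() {
    printf '%s\n' "$1" | sed -n 's/^WAZUH_VERSION="v\{0,1\}\([0-9.]*\)".*/\1/p'
}

# Version from an `apt list` line: "kibana/stable 7.17.3 amd64" -> 7.17.3
kibana_version() {
    printf '%s\n' "$1" | awk '$1 ~ /^kibana\// { print $2; exit }'
}

# check_plugin <url> <wazuh version> <kibana version>
# 0 = plugin matches both, 1 = mismatch (reasons printed), 2 = unrecognised name.
check_plugin() {
    versions=$(plugin_versions "$1") || { echo "unrecognised plugin name: $1"; return 2; }
    rc=0
    if [ "${versions% *}" != "$2" ]; then
        echo "plugin is for Wazuh ${versions% *}, manager is $2"; rc=1
    fi
    if [ "${versions#* }" != "$3" ]; then
        echo "plugin is for Kibana ${versions#* }, installed Kibana is $3"; rc=1
    fi
    return $rc
}

# Constructed inputs, copied from values quoted in the thread.
INFO='WAZUH_VERSION="v4.3.1"
WAZUH_REVISION="40311"
WAZUH_TYPE="server"'
APT_LINE='kibana/stable 7.17.3 amd64'
BASE=https://packages.wazuh.com/4.x/ui/kibana

for zip in wazuh_kibana-4.3.1_7.10.2-1.zip wazuh_kibana-4.3.1_7.17.3-1.zip; do
    if check_plugin "$BASE/$zip" "$(manager_version "$INFO")" "$(kibana_version "$APT_LINE")"; then
        echo "$zip: ok to install"
    else
        echo "$zip: do not install"
    fi
done
```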

Spencer LynnCo

May 27, 2022, 2:15:30 PM
to Wazuh mailing list
Daniel, thank you again for this assistance.  I followed your instruction and tried to follow the elasticsearch-kibana-filebeat upgrade documentation (again--this is what I was following prior).  Still no webserver presence.

  504  nano /usr/share/kibana/data/wazuh/config/wazuh.yml
  505  chown -R kibana:kibana /usr/share/kibana/
  506  cd /usr/share/kibana/
  507  chown kibana:kibana /usr/share/kibana/data/wazuh/config/wazuh.yml
  508  chmod 600 /usr/share/kibana/data/wazuh/config/wazuh.yml
  509  chown -R kibana: /etc/kibana/certs
  510  chmod -R 500 /etc/kibana/certs
  511  chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
  512  ls -lash /
  513  cat >> /etc/default/kibana << EOF
  514  NODE_OPTIONS="--max_old_space_size=2048"
  515  EOF
  516  nano /etc/kibana/kibana.yml
  517  passwd elasticsearch
  518  nano /etc/kibana/kibana.yml
  519  setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
  520  systemctl daemon-reload
  521  systemctl enable kibana
  522  systemctl enable kibana.service
  523  systemctl start kibana
  524  systemctl start kibana.service
  525  systemctl status kibana.service
  526  reboot

No webserver prior to or after reboot.  kibana.service/kibana failing to start

root@[redacted]:~# systemctl status kibana
● kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Fri 2022-05-27 13:13:24 CDT; 847ms ago
       Docs: https://www.elastic.co
    Process: 8422 ExecStart=/usr/share/kibana/bin/kibana --logging.dest=/var/log/kibana/kibana.log --pid.>
   Main PID: 8422 (code=exited, status=1/FAILURE)
        CPU: 12.135s

May 27 13:13:24 prd-wzh-001 systemd[1]: kibana.service: Failed with result 'exit-code'.
May 27 13:13:24 prd-wzh-001 systemd[1]: kibana.service: Consumed 12.135s CPU time.
root@[redacted]:~# systemctl status kibana
● kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-05-27 13:13:27 CDT; 4s ago
       Docs: https://www.elastic.co
   Main PID: 8512 (node)
      Tasks: 11 (limit: 39878)
     Memory: 117.8M
        CPU: 4.908s
     CGroup: /system.slice/kibana.service
             └─8512 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --loggin>

May 27 13:13:27 prd-wzh-001 systemd[1]: Started Kibana.
root@[redacted]:~# systemctl status kibana
× kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2022-05-27 13:13:56 CDT; 19s ago
       Docs: https://www.elastic.co
    Process: 8600 ExecStart=/usr/share/kibana/bin/kibana --logging.dest=/var/log/kibana/kibana.log --pid.>
   Main PID: 8600 (code=exited, status=1/FAILURE)
        CPU: 12.537s

May 27 13:13:52 prd-wzh-001 systemd[1]: kibana.service: Consumed 12.537s CPU time.
May 27 13:13:56 prd-wzh-001 systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
May 27 13:13:56 prd-wzh-001 systemd[1]: Stopped Kibana.
May 27 13:13:56 prd-wzh-001 systemd[1]: kibana.service: Consumed 12.537s CPU time.
May 27 13:13:56 prd-wzh-001 systemd[1]: kibana.service: Start request repeated too quickly.
May 27 13:13:56 prd-wzh-001 systemd[1]: kibana.service: Failed with result 'exit-code'.
May 27 13:13:56 prd-wzh-001 systemd[1]: Failed to start Kibana.

Are there any logs in particular that would help paint the picture of where we are at in this situation?

Again, thank you for the assistance and I am looking forward to your reply

Spencer LynnCo

May 31, 2022, 9:53:09 AM
to Wazuh mailing list
Checking back in to see if there are any other ideas out there

Daniel Folch

Jun 1, 2022, 7:21:33 AM
to Wazuh mailing list

Hello again,

Sorry for the late response. I have tested the upgrade process following the documentation and I didn’t find any problem in my test lab. Let's recap to see if we can find the issue:

  • Which packages do you have installed? Are you using Elasticsearch basic license, opendistro or Wazuh indexer/dashboard?

Remember that you should only have one of them installed at the same time.

  • Are the services running properly?

  • Is elasticsearch/wazuh-indexer running and responding to API calls? You can test this by running:

    curl -XGET https://localhost:9200 -u <user>:<password> -k
    

    The user is admin if you are using wazuh-indexer/opendistro and elastic if you are using Elasticsearch basic license

  • Are there any error logs appearing when you run journalctl -u kibana -r or journalctl -u wazuh-dashboard -r?
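
The first point of this checklist (only one of Elasticsearch basic license, Open Distro or Wazuh indexer/dashboard installed at a time) can be checked from the installed package list. The script below is an added example, not part of the original post and not Wazuh tooling; the function names are hypothetical, and the package-to-stack mapping is an assumption based on the package names that appear in this thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not Wazuh tooling.

# Map a package name to its stack. The mapping is an assumption built from
# the package names that appear in the thread. Returns 1 for other packages.
stack_of() {
    case $1 in
        wazuh-indexer|wazuh-dashboard) echo wazuh-indexer ;;
        elasticsearch-oss|opendistroforelasticsearch|opendistroforelasticsearch-kibana)
            echo opendistro ;;
        elasticsearch|kibana) echo elastic-basic ;;
        *) return 1 ;;
    esac
}

# Print the distinct stacks found in a whitespace-separated package list,
# sorted and separated by single spaces (empty output if none).
detect_stacks() {
    found=""
    for pkg in $1; do
        s=$(stack_of "$pkg") || continue
        case " $found " in
            *" $s "*) ;;
            *) found="$found $s" ;;
        esac
    done
    printf '%s\n' $found | sort | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if at most one stack is installed, 1 if several are mixed.
check_single_stack() {
    stacks=$(detect_stacks "$1")
    set -- $stacks
    if [ $# -gt 1 ]; then
        echo "conflict: $# stacks installed ($stacks); keep one and remove the rest"
        return 1
    fi
    echo "ok: ${stacks:-no indexer/dashboard stack found}"
}

# Constructed package list resembling the mixed state in the bash history.
# On a real host the list could come from: dpkg -l | awk '/^ii/ {print $2}'
SAMPLE='wazuh-manager
filebeat
elasticsearch-oss
opendistroforelasticsearch
kibana
wazuh-dashboard'

check_single_stack "$SAMPLE" || true
check_single_stack "wazuh-manager filebeat wazuh-indexer wazuh-dashboard" || true
```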

Spencer LynnCo

Jun 1, 2022, 2:12:38 PM
to Wazuh mailing list
Some of the users I am not sure about as I used the basic deployment script for Wazuh 4.2.  The only user that it showed was the wazuh user from what I can recall.

I am attaching output of multiple commands showing packages, services, logs, and info about the server environment.

I am happy to dig around and look for anything else that you'd like to see.

The server seems to have more failed services now than immediately post upgrade to 4.3.  I have followed multiple articles in the documentation and think that I have wound up with a bit of a worse mess than after the initial upgrade.

wazuh server info stats services status packages.txt

Spencer LynnCo

Jun 2, 2022, 12:34:22 PM
to Wazuh mailing list
Alright--I redeployed from the script and I have wazuh running again.
I now receive this error: [Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]

How would I resolve this issue?

46 of my 120 agents survived the re-deploy.  Should there be a simple way to recover all of the former agents?

Daniel Folch

Jun 3, 2022, 6:01:12 AM
to Wazuh mailing list

Hello,

The error:

[Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]

May be caused by Filebeat not pushing the index template. Run:

filebeat test output

to check if Filebeat is running correctly. You can also manually insert the template by running:

curl --silent  https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT 'https://wazuh-indexer-node-ip:9200/_template/wazuh' -H 'Content-Type: application/json' -d @- -uadmin:<password> -k --silent

About the agents, if the new manager is using the same IP, the agents should try to register to the new manager after failing to connect to the old manager using the enrollment procedure, but in some cases, you may need to register them manually again.

Spencer LynnCo

Jun 3, 2022, 12:25:15 PM
to Wazuh mailing list
Daniel, thank you for the input.  I finally stood up a new server and am now ready to migrate agents to it.

I have checked around the docs and not found anything to assist my case.

Is there a way with either remote shell (Connectwise) or MDM (Intune) or anything like that to change the endpoints' agents to point to the new server?
