How do I create security-audit index?


Daniel D'Angeli

Apr 4, 2023, 8:17:57 AM
to Wazuh mailing list
Hi,

I've tried to add "plugins.security.audit.type: internal_opensearch" at the end of opensearch.yml on each node, but they crash with the following errors.

Wazuh 4.3.10.

Caused by: com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: mapping values are not allowed here
 in 'reader', line 38, column 78:
... trueplugins.security.audit.type: internal_opensearch
^
at [Source: (sun.nio.ch.ChannelInputStream); line: 38, column: 78]
at com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException.from(MarkedYAMLException.java:28)
at com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:407)
4/4/2023 14:12:09 at org.opensearch.common.xcontent.json.JsonXContentParser.nextToken(JsonXContentParser.java:64)
4/4/2023 14:12:09 at org.opensearch.common.settings.Settings.fromXContent(Settings.java:677)
4/4/2023 14:12:09 at org.opensearch.common.settings.Settings.fromXContent(Settings.java:646)
4/4/2023 14:12:09 at org.opensearch.common.settings.Settings.access$400(Settings.java:96)
4/4/2023 14:12:09 at org.opensearch.common.settings.Settings$Builder.loadFromStream(Settings.java:1156)
4/4/2023 14:12:09 ... 10 more
4/4/2023 14:12:09Caused by: mapping values are not allowed here
4/4/2023 14:12:09 in 'reader', line 38, column 78:
4/4/2023 14:12:09 ... trueplugins.security.audit.type: internal_opensearch

Any help?

Regards,
Daniel D.

Ujunwa Okonkwo

Apr 4, 2023, 9:11:31 AM
to Wazuh mailing list
Hi Daniel,

Based on the error message, it seems that there is a YAML syntax error in your OpenSearch configuration file caused by the line plugins.security.audit.type: internal_opensearch that you added.

The error message indicates that 'mapping values are not allowed here'. Please make sure that the 'plugins.security.audit.type: internal_opensearch' line is properly formatted and placed in the correct section of the file.
It should be written as follows:

plugins:
  security:
    audit:
      type: internal_opensearch

Make sure that this line is added to the opensearch.yml file in the correct location and with the correct formatting. Additionally, check that there are no other syntax errors in the file.

Once you have made these changes, restart the OpenSearch nodes and see if the issue is resolved.

I hope this is helpful.

Best regards,

Daniel D'Angeli

Apr 4, 2023, 9:30:19 AM
to Wazuh mailing list
Hi,

Thanks for the help. Somehow it didn't like it the first time, but I am now able to configure the security-auditlog index. I haven't changed any configuration in the audit logs section, but it doesn't seem to log my accesses at Wazuh Dashboard.

Is there some configuration to check?

Regards,
Daniel D.

Daniel D'Angeli

Apr 4, 2023, 9:44:19 AM
to Wazuh mailing list
Hi,

Fixed it by removing AUTHENTICATED from the disabled categories.

Thanks,
Daniel D.
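
Added example, not part of the original thread and not Wazuh or OpenSearch code: the parser error in the first message shows the new key fused onto the previous value on line 38 (`... trueplugins.security.audit.type`), which is the result of appending to a file whose last line has no trailing newline. The script below appends a setting on its own line and detects the fused state before a restart; the function names and the `example.setting` key are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. example.setting is a constructed sample key.

# True when FILE is empty or its last byte is a newline. Command substitution
# strips a trailing "\n", so an empty result means the file ends cleanly.
ends_with_newline() {
    [ ! -s "$1" ] && return 0
    [ -z "$(tail -c 1 "$1")" ]
}

# Print the line numbers where KEY starts after other, uncommented text on the
# same line, i.e. the "... trueplugins.security.audit.type:" state from the log.
find_fused_key() {
    awk -v k="$2:" '{ p = index($0, k); pre = substr($0, 1, p - 1) }
        p > 1 && pre !~ /^[[:space:]]*$/ && pre !~ /#/ { print NR }' "$1"
}

# Append "KEY: VALUE" on its own line. Returns 2 if KEY is already set at the
# start of a line; otherwise keeps FILE.bak as a rollback copy and appends.
append_setting() {
    as_file=$1; as_key=$2; as_value=$3
    if awk -v k="$as_key:" 'index($0, k) == 1 { f = 1 } END { exit !f }' "$as_file"; then
        return 2
    fi
    cp -p -- "$as_file" "$as_file.bak"
    ends_with_newline "$as_file" || printf '\n' >> "$as_file"
    printf '%s: %s\n' "$as_key" "$as_value" >> "$as_file"
}

# Constructed demonstration: the same file appended naively and safely.
demo() {
    d=$(mktemp -d)
    printf 'example.setting: true' > "$d/naive.yml"     # no final newline
    cp "$d/naive.yml" "$d/safe.yml"
    echo 'plugins.security.audit.type: internal_opensearch' >> "$d/naive.yml"
    append_setting "$d/safe.yml" plugins.security.audit.type internal_opensearch
    echo "naive append, key fused on line: $(find_fused_key "$d/naive.yml" plugins.security.audit.type)"
    echo "safe append, key fused on line:  $(find_fused_key "$d/safe.yml" plugins.security.audit.type)"
    rm -rf "$d"
}
demo
```

Running `find_fused_key` against opensearch.yml on each node before restarting catches the broken line while the node is still up.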