wazuh API error


Raony Jose

Jun 28, 2022, 12:38:49 PM
to Wazuh mailing list
Hello, I have a strange problem in my Wazuh, specifically in the API part. The service works normally and out of nowhere it gives an error 400 (I will leave a print), but when I restart the wazuh-manager it works again for a while and then the error is repeated. Looking at the wazuh-api logs, I realized that the error starts to appear because out of nowhere the API user changes to unknown_user (I will leave an example of the log below):

2022/06/28 11:55:00 INFO: wazuh-wui 127.0.0.1 "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.033s: 200
2022/06/28 11:55:00 INFO: wazuh-wui 127.0.0.1 "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.023s: 200
2022/06/28 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /cluster/status" with parameters {} and body {} done in 0.122s: 200
2022/06/28 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.096s: 200
2022/06/28 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.098s: 200
2022/06/28 12:00:01 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"offset": "0", "limit": "1", "q": "id!=000"} and body {} done in 0.174s: 200
2022/06/28 12:00:01 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"offset": "0", "limit": "500", "q": "id!=000"} and body {} done in 0.027s: 200
2022/06/28 12:05:01 INFO: unknown_user 127.0.0.1 "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.012s: 401
2022/06/28 12:05:01 INFO: unknown_user 127.0.0.1 "GET /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2022/06/28 12:10:00 INFO: unknown_user 127.0.0.1 "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.002s: 401
2022/06/28 12:10:00 INFO: unknown_user 127.0.0.1 "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.005s: 401
2022/06/28 12:10:00 INFO: unknown_user 127.0.0.1 "GET /security/user/authenticate" with parameters {} and body {} done in 0.004s: 400
2022/06/28 12:10:00 INFO: unknown_user 127.0.0.1 "GET /security/user/authenticate" with parameters {} and body {} done in 0.003s: 400
2022/06/28 12:15:00 INFO: unknown_user 127.0.0.1 "GET /cluster/status" with parameters {} and body {} done in 0.003s: 401

If anyone can help me, I will be grateful.
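
The pattern in the log above (a client that was getting 200 as wazuh-wui starts being logged as unknown_user with 401/400) can be detected directly instead of waiting for the dashboard to fail. This is an added example, not part of the original post and not Wazuh code: the function names and the `min_failures` threshold are assumptions, and the line format is taken from the quoted log.

```python
import re
from datetime import datetime

# Field layout taken from the api.log lines quoted in the post above.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \w+: (?P<user>\S+) (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" .* done in [\d.]+s: (?P<status>\d{3})$')

# Excerpt of the log quoted in the post, used as sample input.
SAMPLE = '''\
2022/06/28 12:00:01 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"offset": "0", "limit": "500", "q": "id!=000"} and body {} done in 0.027s: 200
2022/06/28 12:05:01 INFO: unknown_user 127.0.0.1 "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.012s: 401
2022/06/28 12:05:01 INFO: unknown_user 127.0.0.1 "GET /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2022/06/28 12:10:00 INFO: unknown_user 127.0.0.1 "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.002s: 401
2022/06/28 12:10:00 INFO: unknown_user 127.0.0.1 "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.005s: 401
'''

def parse(line):
    """Turn one API log line into a dict, or None if it has another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec

def find_auth_loss(lines, min_failures=3):
    """Report the first client that had 2xx responses and then accumulates
    min_failures consecutive unknown_user 400/401 responses."""
    last_ok, streak = {}, {}          # per client IP
    for rec in filter(None, map(parse, lines)):
        ip = rec["ip"]
        if rec["user"] == "unknown_user" and rec["status"] in (400, 401):
            streak.setdefault(ip, []).append(rec)
            # Clients that never had a session are ignored: no last_ok entry.
            if ip in last_ok and len(streak[ip]) >= min_failures:
                return {"client": ip, "last_ok": last_ok[ip]["ts"],
                        "first_failure": streak[ip][0]["ts"],
                        "failed_logins": sum(r["path"] == "/security/user/authenticate"
                                             for r in streak[ip])}
        elif 200 <= rec["status"] < 300:
            last_ok[ip] = rec
            streak.pop(ip, None)      # a success resets the failure streak
    return None

if __name__ == "__main__":
    print(find_auth_loss(SAMPLE.splitlines()))
```

The gap between `last_ok` and `first_failure` brackets the time at which to look in the manager's own logs for the underlying fault.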

Julio Gasco

Jun 28, 2022, 1:11:34 PM
to Wazuh mailing list

Hi Raony,
Thanks for using our community!

This error was reported back due to issues with vulnerability detector. Can you please share the Wazuh-manager version you are using?
Usually taking the Wazuh-manager to the latest stable version fixes this issue, as vulnerability detector issues are fixed in our latest release.
So for example, if you have Wazuh manager on version 4.2.5, upgrading the manager to 4.2.7 should fix this issue, which is related to vulnerability detector generating segfault errors when receiving information from agents.
If you run the following command after the API is failing:

/var/ossec/bin/wazuh-control status

You should see that wazuh-modulesd is not running.

Could you please share the actual manager version you are using? I can refer to the exact steps you need to upgrade the manager that way. Below is a link to the upgrade guide for 4.2.X:
https://documentation.wazuh.com/4.2/upgrade-guide/upgrading-wazuh.html
Take into account that to solve this you would only need to upgrade the wazuh-manager package and the Wazuh Kibana plugin. No need to upgrade the other components.

Please try disabling vulnerability detector (if it is enabled) to test if the API problem stops. This is achieved by editing /var/ossec/etc/ossec.conf on the manager: locate the vulnerability detector tag and set enabled to no, as shown below:

<vulnerability-detector>
  <enabled>no</enabled>
  <!-- the other settings inside this block stay unchanged -->
</vulnerability-detector>

Changing this is just a temporary fix to have the app running without failing, but ideally you need to upgrade to the latest stable version of your release.

Let me know if this helps
Regards!

sekhar reddy

Jun 28, 2022, 2:26:02 PM
to Wazuh mailing list
Hi,

I am also facing the same issue. For a temporary fix I created a crontab that restarts wazuh manager every 15 min.
I am using 4.2.5. When I checked /var/ossec/bin/wazuh-control status I could see everything is running except wazuh-dbd and wazuh-csyslogd.

I have installed the setup through Ansible (wazuh-production-ready.yml), where my current setup contains wazuh-master/worker, 3 ES nodes and 1 Kibana.

Do I need to update the entire setup or just the wazuh manager and worker node?

Thanks & Regards,
A. Sekhar

Raony Jose

Jun 30, 2022, 10:30:05 AM
to Wazuh mailing list
Hello everyone, I updated my Wazuh to the latest version and the problem was solved. I believe this is the best solution! Thank you all.

Tech Master

Jun 30, 2022, 11:35:45 AM
to Wazuh mailing list
I had the same problem with Wazuh Docker 4.2.6.
I switched to 4.3.5.