Issues in new installation Wazuh-Docker: "Empty reply from server" and Alerts Not Displayed on Dashboard


Mustiff Martinez
Aug 22, 2024, 12:28:23 AM
to Wazuh | Mailing List

Hello everyone,

I am facing a problem with my new Wazuh installation in Docker. After performing a clean installation following the official documentation and deploying the agents, I am encountering difficulties with Elasticsearch and the visualization of alerts on the dashboard. Here are the details:

Environment Setup:

  • Docker Compose version: 3.7
  • Elasticsearch image used: wazuh/wazuh-indexer:4.8.1
  • Elasticsearch container name: single-node-wazuh.indexer-1
  • Other containers: Wazuh Manager and Wazuh Dashboard

Issue:

  1. Accessing Elasticsearch: When I try to access Elasticsearch from outside the container using curl, I get the following error:

    curl -X GET "http://10.30.11.2:9200/_cat/indices?v"
    curl: (52) Empty reply from server

    When I try to access it from inside the container, I also get the same error:

    docker exec -it single-node-wazuh.indexer-1 /bin/bash
    curl -X GET "http://localhost:9200/_cat/indices?v"
    curl: (52) Empty reply from server

  2. Alerts on the Dashboard: I have deployed the agents and I receive alerts in the alerts.json file, but these alerts are not displayed on the Wazuh dashboard.

Actions Taken:

  1. Verified that the container is running with docker ps.
  2. Checked the container logs with docker logs single-node-wazuh.indexer-1 and did not find clear errors.
  3. Reviewed the docker-compose.yml configuration and ensured that port 9200 is mapped correctly.
  4. Conducted network tests and confirmed that the container is connected to the single-node_default network.
  5. Tried accessing Elasticsearch from another container in the same network with curl and received the same error.
  6. Restarted the container and Docker service, but the issue persists.

Additional Details:

  • The opensearch.yml (or elasticsearch.yml) configuration file is correctly set up.
  • Checked the availability of resources in the container and on the host.

Has anyone encountered similar issues or has any suggestions on how to resolve these problems?

I appreciate any help or advice you can offer.

Thank you in advance.

Olusegun Adenrele Oyebo
Aug 23, 2024, 8:39:36 AM
to Wazuh | Mailing List

Hello Mustiff,

Have you verified from the Threat Hunting page (screenshot attached) that the alerts are not being displayed?

Also ensure that the agents are active and reporting on the Wazuh dashboard.

For you to be able to access the Wazuh indexer, you'll need to enter into the Wazuh indexer container by running the below commands accordingly:
  • docker exec -it --user root single-node-wazuh.indexer-1 apt-get update
  • Install curl:  docker exec -it --user root single-node-wazuh.indexer-1 apt-get install curl -y
  • Enter the container: docker exec -it --user root single-node-wazuh.indexer-1 bash
I can also see that you're trying to access and view your indices. The command to use is below:
  • curl -k -u admin:<admin_password> -X GET "https://localhost:9200/_cat/indices?v". Replace <admin_password> with the password of the admin user. By default it's SecretPassword. You should get something similar to the attached screenshot after running the command.
If, after verifying on the Threat Hunting page, you still don't see any alerts, as a workaround try restarting the Wazuh indexer container and see if that helps, using the command docker restart single-node-wazuh.indexer-1

If the issue still persists, enter the Wazuh manager container and check whether filebeat can communicate with the indexer by running the command filebeat test output

If filebeat test is successful, assist with the below logs for further review:
  • Wazuh dashboard: cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn|crit"
  • Wazuh indexer:  cat /var/log/wazuh-indexer/opensearch.log | grep -i -E "error|warn|crit"
Let me know if this resolves your issue or it still persists. 

Best regards.

Mustiff Martinez
Aug 26, 2024, 1:13:36 AM
to Wazuh | Mailing List

Good morning, thank you very much for your reply. I should tell you that the Threat Hunting section actually appears empty.
Regarding the filebeat test, I am attaching the photo; I am waiting for instructions on how I could continue. Thank you very much.

Olusegun Adenrele Oyebo
Aug 26, 2024, 12:10:03 PM
to Wazuh | Mailing List

Hello Mustiff,

The ERROR 401 Unauthorized: Unauthorized could be because the user or password of the Wazuh indexer does not match the username or password in the file /etc/filebeat/filebeat.yml. Filebeat uses those credentials to connect to the Wazuh indexer.

Can you also share with me the below logs for further review:

  • Wazuh dashboard: cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn|crit"
  • Wazuh indexer:  cat /var/log/wazuh-indexer/opensearch.log | grep -i -E "error|warn|crit"
Best regards.

Mustiff Martinez
Aug 28, 2024, 7:13:24 AM
to Wazuh | Mailing List

Thank you very much for your precious help; I was able to solve it, because the password for the indexer was wrong. Now I ask you: can you bring all the pending logs that were never synchronized to the console?


wazuhapp.log

bash-5.2$  cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log
{"date":"2024-08-21T12:26:08.118Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2024-08-21T12:26:08.119Z","level":"info","location":"initialize","message":"App revision: 04"}
{"date":"2024-08-21T12:26:08.120Z","level":"info","location":"initialize","message":"Total RAM: 15903MB"}

opensearch.log
[2024-08-28T07:26:35,778][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for admin from 172.18.0.3:43416
[2024-08-28T07:27:13,054][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for admin from 172.18.0.3:43416
[2024-08-28T07:28:12,392][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for admin from 172.18.0.3:43416
[2024-08-28T07:29:03,891][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for admin from 172.18.0.3:43416
[2024-08-28T07:29:44,800][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for admin from 172.18.0.3:43416

Mustiff Martinez
Aug 29, 2024, 8:46:18 AM
to Wazuh | Mailing List

Good morning, thank you very much again. Thanks to your collaboration I was able to get the data to reach the dashboard. Now I ask you: how do I bring in the historical data that was not brought to the dashboard? Can it be done?

Olusegun Adenrele Oyebo
Aug 29, 2024, 1:47:20 PM
to Wazuh | Mailing List

Hello Mustiff,

I'm glad to hear that the filebeat issue has been resolved.

With regards to your second query, you can check your /var/ossec/logs/alerts/alerts.json file to see if the alerts appear there. If present, you can set up a recovery script that will forward them to your Wazuh indexer. Kindly check the below documentation and use it as a guide:
I hope this helps. If you're still having issues with this, I would suggest that you start a new thread on it, since it is different from the initial query that was logged.

We remain attentive to your queries.

Best regards.
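The recovery approach described in the reply above, as an added example that is not part of the thread or of the Wazuh project's own recovery script: it reads alerts.json (one JSON alert per line), keeps only the alerts timestamped inside the window during which Filebeat was failing authentication, and builds the `_bulk` request that sends them to the indexer with the credentials that made `filebeat test output` succeed. It assumes the daily index naming `wazuh-alerts-4.x-YYYY.MM.DD` and an alert `timestamp` field; the sample lines are constructed.

```python
# Added example (not from the thread or the Wazuh project): replay alerts from
# alerts.json that Filebeat never delivered while its indexer credentials were
# wrong. Assumes NDJSON with a "timestamp" field and daily indices
# named wazuh-alerts-4.x-YYYY.MM.DD (the pattern Filebeat writes to).
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone

INDEX_PATTERN = "wazuh-alerts-4.x-{day}"

# Constructed sample lines standing in for /var/ossec/logs/alerts/alerts.json
SAMPLE_ALERTS = [
    '{"timestamp":"2024-08-21T12:26:08.118+0000","rule":{"level":5,"id":"5501"},"agent":{"name":"web01"}}',
    '{"timestamp":"2024-08-27T09:00:00.000+0000","rule":{"level":3,"id":"5402"},"agent":{"name":"web01"}}',
    'not json at all',
    '{"timestamp":"2024-08-28T07:30:00.000+0000","rule":{"level":7,"id":"31101"},"agent":{"name":"db01"}}',
]

def parse_ts(ts):
    """Wazuh writes offsets as +0000; datetime.fromisoformat needs +00:00."""
    if len(ts) > 5 and ts[-5] in "+-" and ts[-3] != ":":
        ts = ts[:-2] + ":" + ts[-2:]
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def build_bulk_body(lines, start_iso, end_iso):
    """Return the _bulk NDJSON body for alerts timestamped within [start, end]."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    out = []
    for line in lines:
        try:
            alert = json.loads(line.strip())
            ts = parse_ts(alert["timestamp"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated or malformed line: skip it rather than abort the replay
        if start <= ts <= end:
            out.append(json.dumps({"index": {"_index": INDEX_PATTERN.format(day=ts.strftime("%Y.%m.%d"))}}))
            out.append(json.dumps(alert, separators=(",", ":")))
    return "\n".join(out) + "\n" if out else ""

def post_bulk(body, url, user, password, cafile=None):
    """POST the body to <url>/_bulk with basic auth; cafile is the indexer CA, so no curl -k equivalent."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url.rstrip("/") + "/_bulk", data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-ndjson", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile), timeout=60) as resp:
        return json.load(resp)  # inspect result["errors"] and each item's status before trusting the replay
```

On the manager, call `build_bulk_body(open("/var/ossec/logs/alerts/alerts.json"), start, end)` with the window from the first to the last "Authentication finally failed" entry in opensearch.log and hand the body to `post_bulk` with the indexer's admin credentials; for a large file, send the body in chunks of a few thousand lines per request.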
