Wazuh Api Error

[Nu Man]

Hi,

I have installed Wazuh on a ubuntu server 22.04 - It was working fine until a couple of days back, as we have resumed our work after the weekend I'm getting the below-mentioned error and not able to connect to my wazuh dashboard. 

[API connection] No API available to connect

Could someone please help me on resolving the issue, as I referred other documents the configurations mentioned do not match my current version of wazuh(4.4).

Best Regards,

Numan

[Antonio Kim]

Hi,

Thank you for using Wazuh.

The wazuh.yml file looks correct.

Could you please check that the Wazuh API is accessible? For that, you can use cURL and this guide.

[Nu Man]

Hi Antonio, 

Thank you for the prompt response.

When I'm checking for accessibility of Wazuh API, I'm getting the below response I have attached. The response I have received is not as same the expected response. Could you please suggest me on how do I work down on resolving the issue.

Thanks in advance,

Numan

[Antonio Kim]

Hi Nu Man.

It seems that between all daemons, 1 is stopped and another has an error.
Let's try using:

systemctl restart wazuh-manager

and I would appreciate if you share me some information of:

cat /var/ossec/logs/ossec.log

Antonio

[Nu Man]

Hi Antonio,

I'm really grateful and appreciate your support to resolve my issue, When I try systemctl restart wazuh-manager I'm getting the response as follows:

"Job for wazuh-manager.service failed because the control process exited with error code.

See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details."

I'm not able to find any relevant details by running the above commands.

Please find the ossec.log file attached below for your reference.

[Antonio Kim]

You are welcome Nu Man.
I can see in the logs that:

wazuh-remoted: CRITICAL: (1206): Unable to Bind port '514' due to [(99)-(Cannot assign requested address)]

is repetead several times and it is related with the API response that you had before.

Could you share the remote block of the /var/ossec/etc/ossec.conf file ?

It is possible that you have used the local_ip tag incorrectly.

Did you make any change just before this error started to appear?

Antonio

[Nu Man]

I have attached a snapshot of the  remote block of the /var/ossec/etc/ossec.conf file.

No, I did not make any changes before the error has started. I was trying to onboard logs from a cisco router through a rsyslog linux server. 

Please find the error and the conf file attached for your reference.

[Antonio Kim]

Ok Nu Man.

Everything seems ok without misconfigurations.

Just before moving forward, is your port 514 available for use?

You can check the status using the following command:

cat /etc/services | grep 514

and

netstat -tulnp

If all those ports are working correctly, the next step will be to try to use remote in debug mode and double-check its behavior.

Antonio

[Nu Man]

Thank you for verifying my ossec.conf file Antonio.

Please find the response I received after running the mentioned commands.

Can you please help me on how to work on resolving the issue further.

[Antonio Kim]

Ok Nu Man,

It seems that 514 ports are being used, then when remote is trying to bind the service to those ports it is having the issue.
Do you need to use udp conexion and 514 for some specific reason?
The default config for remote is

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

I would recommend to try this port and setting.
Restart the manager and recheck if everything works properly.

Antonio