Wazuh API Connection Showing Offline


Sanjay J

Sep 10, 2025, 4:18:04 PM
to Wazuh | Mailing List

Hi Wazuh community,

I am facing an issue with the Wazuh API connection. The dashboard shows the API status as Offline with an error message: “The API connections could be down or inaccessible.”

  • Host: https://172.18.0.5

  • Port: 55000

  • Status: Offline

  • Updates status: Error checking updates

Can someone please guide me on how to resolve this issue?

Thanks in advance for your support!


Screenshot 2025-09-10 214544.png

Bony V John

Sep 11, 2025, 1:02:33 AM

Hi,

If your issue is related to the Wazuh Manager API, you can follow the troubleshooting steps below:  

Ensure that port 55000 is open on the Wazuh Manager server:  
ss -ltnp | grep ':55000' || sudo lsof -iTCP:55000 -sTCP:LISTEN

  • If it is listening, you will see output.

  • If not, there will be no output.

You can also verify which process is using port 55000:

ps -fp <pid>

Replace <pid> with the PID shown in the above command.  

Check the Wazuh API status by running the following command on the Wazuh manager:
/var/ossec/bin/wazuh-control status
Verify that the wazuh-apid service is running.

If the API is not running, try restarting the Wazuh manager service, as this may resolve temporary issues:
systemctl restart wazuh-manager

If the issue persists, check the Wazuh API logs for any error messages:
cat /var/ossec/logs/api.log | grep -iE "error|warn|crit|fatal"

Also check the Wazuh manager ossec.log file:
cat /var/ossec/logs/ossec.log | grep -iE "error|warn|crit|fatal"

Verify the API functionality by running the following command:
curl -k -X GET "https://<api_url>:55000/" -H "Authorization: Bearer $(curl -u <api_user>:<api_password> -k -X POST 'https://<api_url>:55000/security/user/authenticate?raw=true')"
Replace <api_url> with the IP address of your Wazuh manager.

Replace <api_user> and <api_password> with the credentials found in:
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

Check the Wazuh Dashboard logs for any related errors:
journalctl -u wazuh-dashboard | grep -iE "error|warn|crit|fatal"

If you need further assistance, please share your findings and the full output of the above commands so we can help you troubleshoot further.

Sanjay J

Sep 11, 2025, 4:21:33 AM

Hi Bony,

Thank you for the guidance. I have run the commands you provided and attached the full output in a text file for your reference.

Could you please advise the next steps based on these results?

Thanks in advance.

cmd output.txt

Bony V John

Sep 12, 2025, 12:00:06 AM

Hi,

From the shared Wazuh manager status check, it shows that all the daemons are inactive, including the wazuh-apid. Also, the ossec.log indicates that there is an incorrect decoder configuration in the local_decoder.xml file and an incorrect configuration in the Wazuh manager ossec.conf file.

First, check the local_decoder.xml file for any syntax errors in the decoder located at:
/var/ossec/etc/decoders/local_decoder.xml
You can also refer to the Wazuh decoder syntax documentation to validate the decoder syntax.

After resolving the decoder issue, verify if there are any syntax errors in the Wazuh manager ossec.conf file located at:
/var/ossec/etc/ossec.conf
Check if there is any element called api that is incorrectly configured in the ossec.conf file.
You can refer to the Wazuh configuration file documentation for guidance.

After fixing the above issues, restart the Wazuh manager and check the status:
/var/ossec/bin/wazuh-control restart
/var/ossec/bin/wazuh-control status

Check and confirm that all services are running properly.

If you need further assistance in analyzing the decoder and configuration files, please share the complete local_decoder.xml file and ossec.conf file with us for further review.

Sanjay J

Sep 12, 2025, 8:16:18 AM

Hi Bony,

Thank you for your response. I have attached the text document containing the details for your reference.

Currently:

  • FortiGate log integration is working fine.

  • Seqrite logs are still not being ingested.

  • The Wazuh dashboard issue is also persisting.

Please review the attached file and advise on the next steps to resolve the Seqrite log integration and dashboard issues.

Best regards,

ossec_config.txt
decoders.txt
local_rules.txt

Bony V John

Sep 15, 2025, 1:48:27 AM

Hi,

Apologies for the delayed response. After reviewing your shared decoder and rule files, it seems that the issue may be caused by incorrect syntax in your custom decoder and rules configuration. Saving an invalid decoder or rule file on the Wazuh Manager can cause the service to become inactive.  

Issues with your custom decoder (Seqrite logs):
  • There is no <decoders> tag in Wazuh decoder syntax.

  • For child decoders, you should use the <order> tag to map the field values to field names.

  • To extract fields, you must use <regex> instead of <prematch>.

I recommend going through the Wazuh decoder syntax documentation for detailed guidance.
You can also refer to the Wazuh regex documentation to correctly build regex patterns.

Issues with your custom rules:
  • There is no <group_config> tag in Wazuh rules syntax.

  • In your first custom rule (id="100201"), you set rule 18106 as the parent. This is incorrect because rule 18106 is designed for Windows logon events and cannot be used as a parent for Fortigate events.

  • For Fortigate events, you should use rules from: /var/ossec/ruleset/rules/0391-fortigate_rules.xml or any other relevant custom rules.

  • Please refer to the Wazuh rules syntax documentation for more details.


Steps to resolve the issue:
  1. Remove both the custom decoder and rule files from the Wazuh Manager.

  2. Restart the Wazuh Manager service:
/var/ossec/bin/wazuh-control restart

  3. Check the service status again:
/var/ossec/bin/wazuh-control status

If you need assistance in creating custom decoders and rules, please share a sample log for the relevant event from your Wazuh Manager archives.json file in a new post. With that, we can help you write the correct custom decoder and rules tailored to your use case.  
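Added example (not part of the thread and not Wazuh project code): a small pre-check that flags the structural mistakes named in the last reply, namely a <decoders> or <group_config> wrapper tag, and a child decoder that tries to capture fields with <prematch> or has <regex> groups without <order>. The decoder names, the sample log layout and the lint() helper are hypothetical, and the checks are heuristics rather than a full validation of Wazuh syntax.

```python
import re
import xml.etree.ElementTree as ET

GROUP = re.compile(r"(?<!\\)\(")  # an unescaped "(" opens a capture group

def lint(text, kind):
    """Return findings for a Wazuh 'decoder' or 'rule' file given as a string."""
    # These files hold several top-level elements, so add a synthetic root.
    try:
        root = ET.fromstring(f"<lint-root>{text}</lint-root>")
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    findings = []
    wrapper = "decoders" if kind == "decoder" else "group_config"
    if root.find(f".//{wrapper}") is not None:
        findings.append(f"<{wrapper}> is not a Wazuh {kind} tag")
    if kind != "decoder":
        return findings
    for dec in root.iter("decoder"):
        if dec.find("parent") is None:
            continue  # only child decoders are checked for field extraction
        name = dec.get("name", "?")
        regex, pre = dec.findtext("regex"), dec.findtext("prematch")
        if regex is None and pre and GROUP.search(pre):
            findings.append(f"{name}: groups in <prematch>, use <regex>")
        if regex and GROUP.search(regex) and dec.find("order") is None:
            findings.append(f"{name}: <regex> groups need an <order>")
    return findings

# Constructed samples (not the poster's files); the log format is hypothetical.
BAD_DECODER = r"""
<decoders>
  <decoder name="seqrite"><prematch>^Seqrite </prematch></decoder>
  <decoder name="seqrite-fields">
    <parent>seqrite</parent>
    <prematch>user=(\S+) action=(\S+)</prematch>
  </decoder>
</decoders>"""
GOOD_DECODER = r"""
<decoder name="seqrite"><prematch>^Seqrite </prematch></decoder>
<decoder name="seqrite-fields">
  <parent>seqrite</parent>
  <regex>user=(\S+) action=(\S+)</regex>
  <order>srcuser, action</order>
</decoder>"""
BAD_RULES = '<group_config><group name="seqrite,"></group></group_config>'

if __name__ == "__main__":
    for label, text, kind in [("bad decoder", BAD_DECODER, "decoder"),
                              ("good decoder", GOOD_DECODER, "decoder"),
                              ("bad rules", BAD_RULES, "rule")]:
        print(label, "->", lint(text, kind) or "no findings")
```

Running a check like this on a copy of the file before saving it under /var/ossec/etc/ avoids the situation described in the thread, where an invalid decoder or rule file leaves the manager daemons, including wazuh-apid, inactive.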