Wazuh Installation errors


Bruce Robinson

Feb 9, 2021, 10:40:40 AM
to Wazuh mailing list
Hello All,
I am new to wazuh, but I am setting it up in a test environment to see if it will work for our FIM monitoring.  I am trying to install the distributed implementation with ElasticSearch and Kibana running on one server.  I have been using the unattended installation, following the steps in the installation guide, but keep coming up with the same error. 
Check Elasticsearch template:  Error
Check index pattern fields
No template found for the selected index-pattern
HealthCheck Error: No matching indices found: No indices match pattern "wazuh-alerts-*"

I checked curl http://<elsearchserver-ip>:9200
curl: (52) Empty reply from server

I also verified  host.name in elasticsearch.yml and kibana.yml was set to the server IP.

I have not found much documentation on this issue, does anyone have an idea for how to resolve?
Thanks
Bruce

David Fernández Miranda

Feb 9, 2021, 11:16:44 AM
to Wazuh mailing list
Hello Bruce,

This error may be caused by Wazuh and Filebeat not having been installed. If that's the case, you can find the corresponding script here.

Nevertheless, if you are using a test environment where you will install all the components on the same machine, I recommend using the all-in-one unattended installation script. In order to use it, you'll need to uninstall the previously installed components (Elasticsearch and Kibana). You can find more information about how to uninstall them in the uninstalling section.

Once uninstalled, you can download and run the script using the following commands:
This script requires no configuration and is more suitable for your purposes.

If you have any other doubt, do not hesitate to ask.

Regards,

David

Bruce Robinson

Feb 9, 2021, 12:05:58 PM
to Wazuh mailing list
Hi David,
I have installed the Wazuh manager on a separate server. I used the Wazuh .ova server file initially to test out basic functionality and configuration. According to the documentation, the distributed install would be the best practice for our organization in production. I was attempting to go through the install process in the test environment to document the procedure in preparation for our production deployment.

The installation I am running is app version 4.0.4, app revision 4016, Wazuh app for Kibana 7.9.1.

Is there a way to verify the correct default configuration of the elasticsearch server indices?
Thanks for your help,
Bruce

David Fernández Miranda

Feb 10, 2021, 5:57:02 AM
to Wazuh mailing list
Hello Bruce,

Sorry for my misunderstanding. If you have installed Elasticsearch and Kibana using this script, then I assume that you used the Wazuh server unattended installation script to install both Wazuh and Filebeat on a different host. If that's the case, could you share the output of the following commands?

  • curl -XGET https://<your_elasticsearch_IP>:9200 -uadmin:admin -k - This must be executed on the Elasticsearch host.
  • filebeat test output - This must be executed on the Wazuh host.
These commands will help us to identify the cause of this issue.

Regards,

David

Bruce Robinson

Feb 10, 2021, 11:43:32 AM
to Wazuh mailing list
> curl -XGET https://<your_elasticsearch_IP>:9200 -uadmin:admin -k - This must be executed on the Elasticsearch host.
[root@localhost ~]# curl -XGET https://192.168.0.101:9200 -uadmin:admin -k
{
  "name" : "192.168.0.101",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "fQ3pVlStQeW61vn0mue7yw",
  "version" : {
    "number" : "7.9.1",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "083627f112ba94dffc1232e8b42b73492789ef91",
    "build_date" : "2020-09-01T21:22:21.964974Z",
    "build_snapshot" : false,
    "lucene_version" : "8.6.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

> filebeat test output - This must be executed on the Wazuh host.

[root@localhost ~]# filebeat test output
Error initializing output: 1 error: open /etc/filebeat/certs/filebeat.pem: no such file or directory /etc/filebeat/certs/filebeat.pem

ls of the /etc/filebeat/certs/ directory shows root-ca.pem and certs.tar, no other files. I did not receive any errors when installing the Wazuh manager server. I did use the same unattended script you had identified in your email.

Thanks again for looking at this for me.
Bruce

David Fernández Miranda

Feb 11, 2021, 3:44:06 AM
to Wazuh mailing list
Hello Bruce,

This may have happened because the name of the certificates didn't match the name given when running the Wazuh server installation script. If you untar the certs.tar file you'll find the corresponding certificates. If you didn't change anything in the config.yml file, these certificates will be named filebeat.pem and filebeat.key.
This is a common issue some users have had, and I am already working to improve this behavior among other improvements in this issue.

I really would like to know if this works for you, so please keep me informed.

Regards,

David
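The check and repair David describes, worked through as an added example (this is not code from the Wazuh project or from either participant). It reads the client certificate and key paths Filebeat is configured with, reports which ones are absent on disk, and, when certs.tar holds a member of the same name, extracts it into place; a node renamed in config.yml shows up as "not in archive" instead, which is the mismatch David points to. The layout is assumed to match what the thread shows: flat `output.elasticsearch.ssl.certificate` / `.key` entries in filebeat.yml and certs.tar sitting next to root-ca.pem. The demo environment it builds under mktemp uses dummy files, not real certificates, and `es_probe` is a helper that mirrors the thread's curl (plain http:// against the TLS-only port is what produced "curl: (52) Empty reply from server" in the first message); it needs a live node and is not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the Wazuh project or from anyone in this thread.
# Assumed layout (matches the Wazuh 4.0 unattended scripts as shown in the
# thread): flat output.elasticsearch.ssl.certificate / .key entries in
# filebeat.yml, and certs.tar next to root-ca.pem in the certs directory.

# Value of a flat "output.elasticsearch.ssl.<key>:" entry, quotes stripped.
ssl_path() {   # $1 = filebeat.yml, $2 = certificate | key
  awk -v k="output.elasticsearch.ssl.$2:" -v q="'" \
    '$1 == k { gsub("[\"" q "]", "", $2); print $2; exit }' "$1"
}

# Print each configured client cert/key path that is absent on disk.
missing_certs() {   # $1 = filebeat.yml
  for k in certificate key; do
    p=$(ssl_path "$1" "$k")
    if [ -n "$p" ] && [ ! -f "$p" ]; then
      echo "$p"
    fi
  done
}

# Pull a file out of certs.tar when a member with the wanted basename exists.
# Members are named from config.yml, so a node renamed there is reported
# as "not in archive" rather than silently skipped.
restore_from_tar() {   # $1 = certs.tar, $2 = wanted path
  dir=$(dirname "$2")
  name=$(basename "$2")
  member=$(tar -tf "$1" | grep -E "(^|/)$name\$" | head -n 1)
  if [ -z "$member" ]; then
    echo "not in archive: $name" >&2
    return 1
  fi
  tar -xf "$1" -C "$dir" "$member"
  if [ ! -f "$2" ]; then         # member was stored under a subdirectory
    mv "$dir/$member" "$2"
  fi
  chmod 0400 "$2"                # key material: owner-read only
}

# Probe Elasticsearch the way the thread does. Plain http:// against a node
# with the security plugin gives "curl: (52) Empty reply from server" because
# port 9200 speaks TLS. -k is lab-only; in production use --cacert root-ca.pem.
# Needs a live node; not run by the demo below.
es_probe() {   # $1 = host, $2 = user:password
  curl -sS -k -u "$2" "https://$1:9200"
}

# Constructed demo environment (dummy files, not real certificates) mirroring
# the thread: root-ca.pem and certs.tar present, filebeat.pem/.key never
# extracted. Prints the temp directory it created.
setup_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/certs" "$d/src"
  printf 'dummy root CA\n'     > "$d/certs/root-ca.pem"
  printf 'dummy client cert\n' > "$d/src/filebeat.pem"
  printf 'dummy client key\n'  > "$d/src/filebeat.key"
  tar -cf "$d/certs/certs.tar" -C "$d/src" filebeat.pem filebeat.key
  cat > "$d/filebeat.yml" <<EOF
output.elasticsearch.hosts: ["192.168.0.101:9200"]
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate_authorities:
  - "$d/certs/root-ca.pem"
output.elasticsearch.ssl.certificate: "$d/certs/filebeat.pem"
output.elasticsearch.ssl.key: "$d/certs/filebeat.key"
EOF
  echo "$d"
}

# Report, repair, re-check; prints whatever is still missing (nothing on success).
repair() {   # $1 = demo directory
  for p in $(missing_certs "$1/filebeat.yml"); do
    restore_from_tar "$1/certs/certs.tar" "$p"
  done
  missing_certs "$1/filebeat.yml"
}

# Usage on the demo:  d=$(setup_demo); missing_certs "$d/filebeat.yml"; repair "$d"
# On a real host:     missing_certs /etc/filebeat/filebeat.yml
```

On a real host, run `missing_certs /etc/filebeat/filebeat.yml` first; an empty result means the cert names match and the problem lies elsewhere, while a non-empty result followed by `restore_from_tar /etc/filebeat/certs/certs.tar <path>` reproduces the untar step David suggests, after which `filebeat test output` should succeed.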
