Wazuh Dashboard Problem

1,484 views
Skip to first unread message

Eren

unread,
Nov 16, 2023, 11:00:48 AM11/16/23
to Wazuh | Mailing List
Hello everyone,
I cannot access wazuh Dashboard with the code you have recently run. Also, it does not work properly in the service.
Also, when searching for /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml, it says there is no such directory.
i deleted the dashboard and reinstalled it, it didn't help.
I can follow alerts with Shuffle, but I cannot access wazuh because the dashboard is not working.



The code I ran was intended to uninstall Postfix. Here is the code:
sudo apt-get remove --purge postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

Wazuh was working fine before, so I believe the dashboard configuration file should already be in place.

I followed the steps in this article "Installing the Wazuh dashboard step by step", but it still gives the dashboard service error.

I am also sharing the syslog logs as a .txt file. 

Thank you in advance for your support.
journalctl -u wazuh-dashboard.txt
var-log-syslog.txt

Laura Estefania Cepeda Tamayo

unread,
Nov 16, 2023, 12:11:53 PM11/16/23
to Wazuh | Mailing List
Hello Eren, hope you are doing well,

My name is Laura and I'll be assisting you with this query. I'm reviewing the logs you sent, and found this:

Nov 15 15:10:15 suricata opensearch-dashboards[328068]: {"type":"log","@timestamp":"2023-11-15T15:10:15Z","tags":["fatal","root"],"pid":328068,"message":"Error: ENOENT: no such file or directory, open '/etc/wazuh-dashboard/certs/dashboa> Nov 15 15:10:15 suricata opensearch-dashboards[328068]: Error: ENOENT: no such file or directory, open '/etc/wazuh-dashboard/certs/dashboard-key.pem'

Were the certificates also deployed? And please let me know what is the Indexer and Manager version.

I'll be back with you soon with further information.

Kind regards,
Laura Cepeda

Chahira Maoua

unread,
Nov 16, 2023, 12:25:51 PM11/16/23
to Wazuh | Mailing List
Hello Laura,
can you plz help me ?

Kind regards,

Laura Estefania Cepeda Tamayo

unread,
Nov 16, 2023, 3:58:22 PM11/16/23
to Wazuh | Mailing List
Eren, thanks for your time,

So, we need to make sure that the version running on the Dashboard is the same one on the Indexer and on the Manager. To review the current version you can run:

/var/ossec/bin/wazuh-control -j info

This is the outout I have when running it:

{"error":0,"data":[{"WAZUH_VERSION":"v4.5.4"},{"WAZUH_REVISION":"40510"},{"WAZUH_TYPE":"server"}]}

And it shows that my manager version is 4.5.4.

So I would need to install that same version for the Wazuh-Dashboard, to do so, we can follow this documentation: https://documentation.wazuh.com/4.5/installation-guide/wazuh-dashboard/step-by-step.html
And depending on the distribution, on the step Installing the Wazuh dashboard we could use:

Yum:
yum -y install wazuh-dashboard-4.5.4-1

APT:
apt-get -y install wazuh-dashboard=4.5.4-1

So, you would need to change the version on the command above according to the one that you have.

It is also necessary to review the certificates deployment according to the error in the logs. If you have the dashboard-key.pem and the root-ca.pem key saved, then you can just generate these certificates and deploy them on the Dashboard, however if you don't, it would be necessary to create the certificates again and deploy them, in this case for all the components.

Regarding how to do this, we can check this documentation:

And you would also need to create the Kibana keystores to avoid having the usernames and passwords in plain text. For Instance:

opensearch.username: kibanaserver
opensearch.password: kibanaserver


Setting a keystore in this way:

sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore create
sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add <variable>

ie: sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add DASH_PASS
The secret variables set in the keystore can be used in this way in the configuration file:

opensearch.username: {DASH_USER}
opensearch.password: {DASH_PASS}

If after this the issue persists, please share new logs and we can review it. Please let me know how it goes.

Kind regards,
Laura Cepeda

Eren

unread,
Nov 17, 2023, 5:59:56 AM11/17/23
to Wazuh | Mailing List
Hello Laura, thank you, I hope you are well too.

I distributed certificates, even "/etc/wazuh-dashboard/opensearch_dashboards.i'm also adding the yml" screenshot.

Wazuh versions with you.i'm sharing it in the txt file.

Thank you for your support.

16 Kasım 2023 Perşembe tarihinde saat 20:11:53 UTC+3 itibarıyla Laura Estefania Cepeda Tamayo şunları yazdı:
opensearch_dashboards.png
wazuh_version.txt

Eren

unread,
Nov 17, 2023, 8:58:01 AM11/17/23
to Wazuh | Mailing List
/var/ossec/bin/wazuh-control -j info komutunun çıktısı;
{"error":0,"data":[{"WAZUH_VERSION":"v4.6.0"},{"WAZUH_REVISION":"40603"},{"WAZUH_TYPE":"server"}]}root@suricata:/home/suricata#

There seems to be no problem with the version.

16 Kasım 2023 Perşembe tarihinde saat 23:58:22 UTC+3 itibarıyla Laura Estefania Cepeda Tamayo şunları yazdı:

Laura Estefania Cepeda Tamayo

unread,
Nov 21, 2023, 8:04:27 AM11/21/23
to Wazuh | Mailing List
Eren, thanks for your response, in that case you can go ahead and install the latest version and use:

apt-get -y install wazuh-dashboard

For the certificates, please share the lists for cd /etc/wazuh-dashboard/certs

Please let me know if you followed the other steps, and if there were any other changes, if that is the case and is still not working, please share logs.

Eren

unread,
Nov 21, 2023, 8:17:04 AM11/21/23
to Wazuh | Mailing List
Hi Laura, the certificate lists are as follows;

certs.png

Unfortunately, when I try to install the dashboard again, it happens this way.

apt-get -y install wazuh-dashboard.png

I'm waiting for your precious return, thank you for your support.

21 Kasım 2023 Salı tarihinde saat 16:04:27 UTC+3 itibarıyla Laura Estefania Cepeda Tamayo şunları yazdı:

Laura Estefania Cepeda Tamayo

unread,
Nov 22, 2023, 3:08:25 PM11/22/23
to Wazuh | Mailing List
Eren, thanks for your response,

Please keep in mind that this is a public consult, please hide the sensitive information you may have when sharing screenshots and documents with us. I have reviewed the information sahred, and it seems there is a FATAL Error with the key Karya2023*. It is important to create the Kibana keystores to avoid having the usernames and passwords in plain text. For Instance:

opensearch.username: kibanaserver
opensearch.password: kibanaserver

This documentation can help you:

Setting a keystore in this way:
sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore create
sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.username (then type kibanaserver)
sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.password (then paste the password you were using for kibanaserver)

Usually the passwords can be found in the wazuh-passwords.txt file inside the wazuh-install-files.tar archive. To print them, you can run the following command:

# tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Otherwise, you can also change it, to change the password for a single Wazuh indexer user, run the script with the -u option and indicate the new password with the option -p. The password must have a length between 8 and 64 characters and contain at least one upper case letter, one lower case letter, a number and one of the following symbols: .*+?-. If no password is specified, the script will generate a random one.

bash wazuh-passwords-tool.sh -u admin -p Secr3tP4ssw*rd

This would be the output:
INFO: Generating password hash
WARNING: Password changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.

You can find further information about Password management here: https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html

In Wazuh Dashboard, the opensearch.username and opensearch.password settings are stored in the Wazuh dashboard keystore.
You can verify that with the following command:
   /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root list

The expected output is:
   opensearch.username
   opensearch.password

After changing the kibanaserver password, you need the opensearch.password with the following command:
    /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.password

It will ask you if you want to overwrite the existing configuration and after that, to enter the new password. Once you change that setting, you need to restart the wazuh-dashboard.

The secret variables set in the keystore can be used in this way in the configuration file:

opensearch.username: {DASH_USER}
opensearch.password: {DASH_PASS}

Please let me know if there is any issue following this and please also share the opensearch-dashboard.yml to check the configuration. 
Reply all
Reply to author
Forward
0 new messages