Wazuh_Terraform_Setup


Shihab Hossain Shifat

Feb 3, 2026, 7:12:19 AM
to Wazuh | Mailing List
I want to install a wazuh docker setup with persistent storage.
Here I have attached the script file for your analysis. 

Problem:

Every first time terraform apply it works but when I destroy the EC2 instance and re-apply Terraform, the Wazuh dashboard starts showing API connection errors.

AxiosError: Error getting the authorization token

3000 - Error getting the authorization token: API host with host ID [1513629884013] could not check the ability to use the run as. Ensure the API host is accesible and the internal user has the minimal permissions to check this capability.

Regards,
Shifat
user_data.sh

musbau....@wazuh.com

Feb 3, 2026, 8:42:44 AM
to Wazuh | Mailing List
Hi,

The reason you get the error "AxiosError: Error getting the authorization token" is that when you reuse persistent data on EBS but recreate the EC2 instance, you are reusing Wazuh internal security state that is tied to the old API host ID and node identity. The Wazuh Dashboard still starts successfully, but when it then tries to authenticate to the Wazuh API, the API rejects the request because the stored RBAC run-as capability metadata references an old API host ID, and the new container identity no longer matches what is persisted. It is a state mismatch caused by persisting too much.

From your script, these directories are critical:

# /var/lib/wazuh/wazuh-api-configuration
# /var/lib/wazuh/wazuh-etc
# /var/lib/wazuh/wazuh-indexer-data

They contain the API internal users and RBAC cache, the API host ID (api.yaml, internal metadata), the Dashboard -> API trust state, and the Indexer security plugin metadata.

When the instance is destroyed with the terraform destroy command and the apply command is run again, the EC2 instance ID, container IDs, and network identity change, but the API security metadata does not. The Wazuh API thinks it is still running on the old node.

The files below are safe to persist:
* wazuh-indexer-data (alerts, indices)
* wazuh-logs
* wazuh-queue
* wazuh-var-multigroups
* wazuh-active-response
* wazuh-integrations
* wazuh-wodles
* filebeat-*

while the files below could cause issues when they persist across EC2 rebuilds:

* wazuh-api-configuration
* wazuh-etc (partially)
* wazuh-dashboard-config (auth cache)
* Indexer security plugin state

You can wipe the identity-bound state on every fresh EC2 boot, before docker-compose up. Add this once per new instance to force the API to regenerate its host ID, the Dashboard to re-bootstrap auth, and RBAC to be rebuilt cleanly. Don't wipe the indexer data unless you want to lose alerts.

rm -rf /var/lib/wazuh/wazuh-api-configuration/*
rm -rf /var/lib/wazuh/wazuh-dashboard-config/*

I would advise that, in the long term, you don't persist the API config at all. Remove the bind mount entirely:
/var/lib/wazuh/wazuh-api-configuration:/var/ossec/api/configuration

Regards,

Shihab Hossain Shifat

Feb 4, 2026, 7:03:32 AM
to musbau....@wazuh.com, Wazuh | Mailing List
Hi,

I have applied your suggestions. The script is attached here.

rm -rf /var/lib/wazuh/wazuh-api-configuration/*
rm -rf /var/lib/wazuh/wazuh-dashboard-config/*

Still I'm facing this issue. Could you please assist more?

Regards,
Shifat


user_data.sh

musbau....@wazuh.com

Feb 4, 2026, 8:56:48 AM
to Wazuh | Mailing List
Hi Shifat,

Thank you for sharing the updated script and for applying the previous recommendations.

I can see that the API and Dashboard reset steps were implemented correctly. Since the issue still persists even after wiping the API and Dashboard identity state, the Wazuh Indexer security metadata is still being reused from persistent storage. This security state contains internal users, role mappings, and run-as permissions that are tied to the previous node identity. When the EC2 instance is recreated, the API host ID changes, but the Indexer security metadata does not, which results in the authorization failure you are seeing.

The Indexer security plugin state must also be reset after an EC2 rebuild.

Please add the following step before running docker-compose up:

# rm -rf /var/lib/wazuh/wazuh-indexer-data/plugins/security/*

This will force the Wazuh Indexer to regenerate its internal users and role mappings and realign authorization between the Dashboard, API, and Indexer. Existing alert data will remain intact.

The command below will give a clean start, but all historical alerts will be lost.
# rm -rf /var/lib/wazuh/wazuh-indexer-data/*

Regards,
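As an added example (not the poster's user_data.sh and not Wazuh's own tooling), a POSIX sh helper that applies the two replies above on a fresh boot: it empties the identity-bound directories before docker-compose up while leaving the indexer's alert data in place. The /var/lib/wazuh base path and the directory names come from the thread; the function names and the --apply flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's user_data.sh or Wazuh's own tooling:
# on a rebuilt EC2 instance, empty the identity-bound Wazuh directories named
# in the replies before `docker-compose up`, leaving indexer alert data alone.
set -e

# Base path of the persistent EBS bind mounts, as used in the thread.
DEFAULT_BASE=/var/lib/wazuh

# Identity-bound directories (relative to the base) that are safe to wipe on
# rebuild. The indexer security path is skipped when absent; the thread later
# reports it does not exist in the poster's layout.
IDENTITY_DIRS="wazuh-api-configuration wazuh-dashboard-config wazuh-indexer-data/plugins/security"

# Empty each identity-bound directory under $1, keeping the directory itself so
# the docker-compose bind mounts still resolve. Prints what was wiped or skipped.
reset_wazuh_identity_state() {
    base="${1:-$DEFAULT_BASE}"
    for d in $IDENTITY_DIRS; do
        target="$base/$d"
        if [ -d "$target" ]; then
            # -mindepth 1 removes the contents, dotfiles included, but not $target
            find "$target" -mindepth 1 -delete
            echo "wiped:   $target"
        else
            echo "skipped: $target (absent)"
        fi
    done
}

# Post-wipe check: at least one regular file must survive under
# wazuh-indexer-data outside plugins/, i.e. the alert indices were kept.
indexer_data_intact() {
    data="${1:-$DEFAULT_BASE}/wazuh-indexer-data"
    [ -d "$data" ] || return 1
    [ -n "$(find "$data" -path "$data/plugins" -prune -o -type f -print | head -n 1)" ]
}

# Only act when invoked as `sh reset_wazuh_state.sh --apply [base_dir]`, so
# sourcing this file (e.g. from user_data before docker-compose up) is harmless.
if [ "${1:-}" = "--apply" ]; then
    reset_wazuh_identity_state "${2:-$DEFAULT_BASE}"
    indexer_data_intact "${2:-$DEFAULT_BASE}" || echo "warning: no alert indices found under ${2:-$DEFAULT_BASE}" >&2
fi
```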

Shihab Hossain Shifat

Feb 6, 2026, 10:03:47 AM
to musbau....@wazuh.com, Wazuh | Mailing List
Hi,

Thanks for your reply. I can't find any directory like /var/lib/wazuh/wazuh-indexer-data/plugins/security/*

The full directory hierarchy is attached below.

wazuh all files & folder details.txt

Shihab Hossain Shifat

Feb 24, 2026, 8:26:05 AM
to Wazuh | Mailing List

Hi,

I have resolved the previous issue. It was caused by directory permissions changing each time Terraform destroy and apply were executed.

However, I am now facing another problem. Whenever I run Terraform destroy and then recreate the instance using Terraform apply, the previous logs appear duplicated.

Could you please advise how to prevent old logs from reappearing or being duplicated after the instance is recreated?

Regards,
Shifat

