Wazuh API failing to start


Martin S

Jan 21, 2022, 4:35:51 PM1/21/22
to Wazuh mailing list
Hi There,

Hope you can help with an issue we noticed today.
We have Wazuh 4.1.5 and we haven't made any changes or upgrades recently.
However, we noticed that the wazuh-manager service crashed, and when we attempted to start it, it always produced an error:

wazuh-apid did not start correctly

If you go to the UI and check the API status, it returns an error and presents:

3005 - Cannot read property 'data' of undefined

Error getting the authorization token: connect ECONNREFUSED is also present.

The api.log doesn't show any errors and it just stopped recording; the only strange thing there seems to be entries related to unknown_user, example below:

2022/01/21 13:45:00 INFO: unknown_user IP "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.006s: 401
2022/01/21 13:45:00 INFO: unknown_user IP "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.003s: 401
2022/01/21 13:45:00 INFO: unknown_user IP "GET /cluster/status" with parameters {} and body {} done in 0.002s: 401

Any advice on how to proceed with this further?

Regards,
Martin

Manuel Camona Perez

Jan 25, 2022, 4:37:57 AM1/25/22
to Wazuh mailing list

Hi Martin,

Check that the API configuration is OK in /usr/share/kibana/data/wazuh/config/wazuh.yml.

The configuration may not be wrong because, as you said, Wazuh stopped working and no changes had been made before, but if we find the unknown_user string in the API logs, it means that the login failed. Could you please have a look at the authentication log (request to GET /security/user/authenticate)? If it failed, the wazuh-wui password may have been changed or the user could have been deleted (or the password/username in wazuh.yml are not the correct ones).

You can also check that the API is working by logging in yourself and making an API request:

TOKEN=$(curl -u wazuh-wui:wazuh-wui -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"

If everything is correct and the error persists, could you see if there are any errors in /usr/share/kibana/data/wazuh/logs/wazuhapp.log?

Other users having this same issue had problems related to shards. Have a look at the /var/log/elasticsearch/wazuh-cluster.log log to see if it is your case too.
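A way to triage the api.log entries discussed in this thread, as an added example that is not part of the thread or of Wazuh itself: it parses request lines in the format Martin quoted, counts 401 responses per user, and checks whether the token request to GET /security/user/authenticate was itself rejected (the first and last sample lines are constructed; treating a 401 on that endpoint as a rejected wazuh-wui login is an assumption).

```python
import re
from collections import Counter

# Wazuh api.log request lines, in the format quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+): '
    r'(?P<user>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'with parameters (?P<params>\{.*?\}) and body (?P<body>\{.*?\}) '
    r'done in (?P<secs>[\d.]+)s: (?P<status>\d{3})$'
)

# Constructed sample: the three lines from the original post plus two made-up
# lines (a rejected authenticate attempt and a successful request by a named user).
SAMPLE_LOG = """\
2022/01/21 13:44:59 INFO: unknown_user IP "GET /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.004s: 401
2022/01/21 13:45:00 INFO: unknown_user IP "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.006s: 401
2022/01/21 13:45:00 INFO: unknown_user IP "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.003s: 401
2022/01/21 13:45:00 INFO: unknown_user IP "GET /cluster/status" with parameters {} and body {} done in 0.002s: 401
2022/01/21 13:46:10 INFO: wazuh IP "GET /" with parameters {} and body {} done in 0.001s: 200
"""

def parse_line(line):
    """Return the fields of one api.log request line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["secs"] = float(rec["secs"])
    return rec

def triage(log_text):
    """Count 401 responses per user and report whether the token request was rejected."""
    entries = [r for r in map(parse_line, log_text.splitlines()) if r]
    unauthorized = Counter(r["user"] for r in entries if r["status"] == 401)
    login_rejected = any(
        r["path"].startswith("/security/user/authenticate") and r["status"] == 401
        for r in entries
    )
    if login_rejected:
        verdict = "login rejected: check the API username/password in wazuh.yml"
    elif unauthorized:
        verdict = "requests rejected without a login attempt: check the token/credentials"
    else:
        verdict = "no authentication failures"
    return {"parsed": len(entries), "unauthorized": dict(unauthorized),
            "login_rejected": login_rejected, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```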