Wazuh App: API configuration: Manager hostname

[Aleksandr Zaldak]

Hi Guys,

Just FYI, It seems Kibana Wazuh App doesn't reflect manager hostname changes at all. Let me explain in more details.

1. I have changed the hostname of the wazuh server to reflect company naming. I also have hostname reflected in /etc/hosts file
2. I noticed that Overview >> General and other tabs are empty now. It seems default "manager.name: localhost.localdomain". I have removed and readded the Wazuh App: API configuration and used server name (API URL), opposite to localhost, but GUI names manager as localhost.localdomain. OverView >> Discover tab also shows "manager.name: localhost.localdomain" by default too.

Great work guys!

[Aleksandr Zaldak]

#Update

False alarm :)

Restarted the server and re-added the API config. All good now!

[Pedro Sanchez]

HI Aleksandr,

In general terms, Manager hostname is used to filter all the events on Wazuh App, that way we support multi-manager, every alert must has the field "manager.name: %hostname%".

Wazuh App extract the "manager name" by making a request to /agents/000 and extracting the "name" field which must coincide with manager.name field.

Like you said, you must restart all the services to apply changes, also re-added the API at App settings, keep in mind your previous alerts won't show on Kibana App because the manager name was different.

As usual, thanks for your feedback, you are doing great contributions to Wazuh.

Regards,

Pedro Sanchez.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3a24b70e-d3ba-4fd2-bda2-ec6e6159150b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[lmfigue...@gmail.com]

Hi guys,

I have the same problem,but i can´t resolv the issue.I dont see the /agents/000, only see a file 000-*.db with name of server.

Can you help or told me the steps for change this?

Thx in advance, and great work .

[Santiago Bassett]

Hi,

try restarting wazuh-manager and wazuh-api services. Then delete your existing app configuration and configure it again:

I hope that helps

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.

Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/5ab15e68-ec15-486a-8139-ab9819281080%40googlegroups.com.

[Pedro Sanchez]

Hi,

The manager name used on the App is extracted from agents/000 request, it must match the same manager.name displayed on the alerts.

To confirm both fields are equal, you could try:

curl -XGET localhost:55000/agents/000

Example output

{"error": 0,"data": {"status": "Active","name": "ossec-manager","ip": "127.0.0.1","dateAdd": "2016-12-22 11:59:07","version": "Wazuh v2.0","lastKeepAlive": "9999-12-31 23:59:59","os": "Linux ossec-manager 3.13.0-57-generic #95-Ubuntu SMP Fri Jun 19 09:28:15 UTC 2015 x86_64","id": "000"}}

Now compare the "name" with field "manager.name" in the alerts, if they are the same, everything should be fine, just re-add the API in Setting tab, as Santiago said.

Regards,

Pedro.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.

[lmfigue...@gmail.com]

Hi, its all ok now. I just need remove the API config at the web.

I think if remove this doesn´t work properly, but now its fine.

Thanks for all and sorry my poor english.

all the best !