indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities


Shujaat Ali

Jun 19, 2024, 4:17:20 AM
to Wazuh | Mailing List
Hi there, 
Initially I upgraded Wazuh from 4.7 to 4.8 and encountered issues with it, so I installed it on a fresh machine, but it is still not working.
I have all Wazuh services on one server (indexer, dashboard, manager).

/var/ossec/logs/ossec.log
Screenshot 2024-06-18 100601.png
Screenshot 2024-06-18 093427.png
# tried with 0.0.0.0 and 127.
 <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>


curl -k -u admin:mypassword https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "7YOuWK1cQz2ziORSwUsI-A",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
I tried to follow the previous tips shared, such as ensuring the credentials for the indexer (username and password). I actually supplied the admin user with the password that I can log in with to the Wazuh Manager, but still no benefit.

/var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
/var/ossec/bin/wazuh-keystore -f indexer -k password -v myadminPassword

The Wazuh indexer seems to be running fine.

Any help would be greatly appreciated.

Thank you very much

Tomas Sarquis

Jun 19, 2024, 4:48:20 AM
to Wazuh | Mailing List
Hi Shujaat Ali

Given the recurrent problems (mostly related to the indexer connection) that 4.8 brought, we created a troubleshooting document with the most common fixes. Please take a look at it (although I believe you already did):

Some other things to check:
- If the Indexer is installed on the same host as the manager, use the 127.0.0.1 IP address in the ossec.conf file. Don't use 0.0.0.0.
- The certificate path in the ossec.conf is correctly pointing to the certificate.
- Check that the IP address in the certificate is the same as in the ossec.conf and the correct one. Execute: openssl x509 -in <path_to_cert> -text -noout | grep IP
- Filebeat runs OK. Execute: filebeat test output

Lastly, if you don't encounter the problem, you can always enable debug for Vulnerability Detection. This is helpful to see more details about the errors.
To do so, edit the /var/ossec/etc/internal_options.conf file and set wazuh_modules.debug=0 to 2. Then restart the manager. After that, check if the error persists and see if any DEBUG logging appears.

Give it a try and let me know if this was useful.
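
The checks listed in the reply above, automated as an added example (not part of the original thread and not Wazuh code): it reads the `<indexer>` block of ossec.conf together with the output of the `openssl x509 ... -text -noout` command quoted above. The function names and sample strings are constructed for illustration.

```python
import ipaddress
import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample input, modelled on the configuration posted in this thread.
SAMPLE_CONF = """<indexer>
  <hosts><host>https://127.0.0.1:9200</host></hosts>
  <ssl>
    <certificate_authorities><ca>/etc/filebeat/certs/root-ca.pem</ca></certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
"""
SAMPLE_OPENSSL = "                IP Address:127.0.0.1\n"  # constructed openssl excerpt


def san_ips(openssl_text):
    """IP SANs found in `openssl x509 -in <cert> -text -noout` output."""
    found = re.findall(r"IP Address:([0-9A-Fa-f:.]+)", openssl_text)
    return {ipaddress.ip_address(ip) for ip in found}


def check_indexer(ossec_conf, openssl_text, exists=os.path.isfile):
    """Return a list of findings; an empty list means every check passed."""
    # ossec.conf can hold several top-level blocks, so wrap it in a single root.
    idx = ET.fromstring(f"<root>{ossec_conf}</root>").find(".//indexer")
    if idx is None:
        return ["no <indexer> block found"]
    findings = []
    for node in idx.iter():
        path = (node.text or "").strip()
        if node.tag in ("ca", "certificate", "key") and not exists(path):
            findings.append(f"<{node.tag}> {path}: file not found")
    cert_ips = san_ips(openssl_text)
    for node in idx.iter("host"):
        url = (node.text or "").strip()
        try:
            ip = ipaddress.ip_address(urlparse(url).hostname)
        except ValueError:
            findings.append(f"{url}: host is not an IP literal, compare it with the DNS SANs")
            continue
        if ip.is_unspecified:
            findings.append(f"{url}: 0.0.0.0 is a bind address, use 127.0.0.1")
        elif ip not in cert_ips:
            findings.append(f"{url}: {ip} is not among the certificate's IP SANs")
    return findings
```

Run it as root on the manager host so the default `os.path.isfile` check can read the certificate directory.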

Shujaat Ali

Jun 21, 2024, 4:36:18 AM
to Wazuh | Mailing List
Hi Tomas,

Thank you for responding to my question. Please see below; I have highlighted in red the text that needs attention:

root@srv:/home/myuser-# openssl x509 -in /etc/filebeat/certs/filebeat.pem -text -noout | grep IP
                IP Address:127.0.0.1

root@srv:/home/myuser-# openssl x509 -in /etc/filebeat/certs/root-ca.pem -text -noout | grep IP
root@srv:/home/myuser-# did not display any associated IP when selecting root-ca.pem
Actually, it has started to work. I cannot see FIM and Compliance related events. I made sure syscheck is enabled.

root@srv:/home/myuser-# curl -X GET "https://127.0.0.1:9200/_cluster/health?pretty" --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/filebeat.pem --key /etc/filebeat/certs/filebeat-key.pem -u " Wazuhadmin : WazuhAdminPassword  "
{
  "cluster_name" : "wazuh-cluster",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 22,
  "active_shards" : 22,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 2,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 91.66666666666666
}

root@srv:/home/myuser-# ls /etc/filebeat/certs/
filebeat-key.pem  filebeat.pem  root-ca.pem
root@srv:/home/myuser-# openssl x509 -in /etc/filebeat/certs/root-ca.pem -text -noout | grep IP
root@srv:/home/myuser-# ls /etc/filebeat/certs/
filebeat-key.pem  filebeat.pem  root-ca.pem
root@srv:/home/myuser-# openssl x509 -in /etc/filebeat/certs/filebeat.pem -text -noout | grep IP
                IP Address:127.0.0.1
root@srv:/home/myuser-# cat /etc/filebeat/
cat: /etc/filebeat/: Is a directory
root@srv:/home/myuser-# ls /etc/filebeat/filebeat.yml
/etc/filebeat/filebeat.yml
root@srv:/home/myuser-# cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/ossec/logs/alerts/alerts.json
    json.add_error_key: true
    json.message_key: log
    processors:
      - decode_json_fields:
          fields: ["message"]
          process_array: true
          max_depth: 1
          target: ""
          overwrite_keys: true

output.elasticsearch:
  hosts: ["https://127.0.0.1:9200"]
  username: "Wazuhadmin"  # Ensure this is set in your environment or replace with actual username
  password: "WazuhAdminPassword"  # Ensure this is set in your environment or replace with actual password
  ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"


setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
    - action: allow
      names:
        - rseq
root@srv:/home/myuser-#

log file

2024/06/20 12:03:44 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/06/20 12:03:44 wazuh-syscheckd: INFO: FIM sync module started.
2024/06/20 12:03:54 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian12.yml'
2024/06/20 12:03:54 sca: INFO: Security Configuration Assessment scan finished. Duration: 12 seconds.
2024/06/20 12:03:57 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-xdr.
2024/06/20 12:04:31 rootcheck: INFO: Ending rootcheck scan.
2024/06/20 12:12:26 indexer-connector: WARNING: Failed to sync agent '001' with the indexer.
2024/06/20 12:12:51 indexer-connector: WARNING: Failed to sync agent '003' with the indexer.

I would greatly appreciate your help.
Regards
Shujaat

Tomas Sarquis

Jun 24, 2024, 11:40:20 AM
to Wazuh | Mailing List
Hi again.

Thanks for the information, although there are some missing checks that I'd need to properly diagnose your problem:
- The ossec.conf indexer IP address
- The output of the command filebeat test output
- Debug log messages in the ossec.log file. There should be a debug message after the "failed to sync" warning. Source code.

To enable debug logging:
> To do so, edit the /var/ossec/etc/internal_options.conf file and set wazuh_modules.debug=0 to 2. Then restart the manager. After that, check if the error persists and see if any DEBUG logging appears.

Shujaat Ali

Jun 26, 2024, 4:14:06 AM
to Wazuh | Mailing List
Hi Tomas,

Thank you, I reinstalled Wazuh and it works this time. However, I am trying to find a way to plot source & destination IP addresses on a coordinated map.

Regards 
Shujaat

Tomas Sarquis

Jun 26, 2024, 4:27:47 AM
to Wazuh | Mailing List
Hi again Shujaat Ali

I don't understand your last question. Could you explain it further?
Is this related to the Vulnerability Detection or Indexer Connector modules?

Shujaat Ali

Jun 26, 2024, 6:27:40 AM
to Tomas Sarquis, Wazuh | Mailing List
Hi Tomas,

Sorry, it is not related to vulnerability. I have created a coordinated map in Wazuh 4.8, but I would like to see source and destination IP addresses and any other details for the traffic, such as port details. I guess I should post a separate question for this.

Currently it shows count on the map which is not very useful.

Regards 
Shujaat

Tomas Sarquis

Jun 26, 2024, 9:54:36 AM
to Wazuh | Mailing List
Ok good.

Yes, it's important to us to have different threads for different issues. So please, open a new thread and you will be helped as soon as possible.

syed saifulla

Jun 27, 2024, 4:01:04 AM
to Wazuh | Mailing List
Hi Tomas,

I do have a similar issue, so thought of merging here.

2024/06/26 14:37:58 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-SERVER-01', retrying until the connection is successful.

wazuh1.PNG

Also when I see the file in that path it is different,
 wazuh.PNG

I tried to match the names, but it didn't work.

Can you please suggest me here?

syed saifulla

Jun 27, 2024, 7:33:17 AM
to Wazuh | Mailing List

After matching the file names, it started working, but the complete Dashboard is not working.

wazuh-Vul-DB.PNG

Tomas Sarquis

Jun 27, 2024, 8:33:19 AM
to Wazuh | Mailing List
Hi syed saifulla

Glad you solved your issue with VD.
For the dashboard problem, create another thread, please, so that we keep our community channels organized.
Thanks!

César Neves

Jun 28, 2024, 3:51:33 AM
to Wazuh | Mailing List
Hello guys

I had the same issue. The way I solved it was to add the admin user to the keystore:


/var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <admin password>