Upgraded Wazuh 4.2 now Kibana says API is Offline, curl disagrees


nbent...@gmail.com

Aug 31, 2021, 12:57:24 AM
to Wazuh mailing list
Hi,

I upgraded from 3.12 to 4.2 following this guide: https://documentation.wazuh.com/current/upgrade-guide/ and noticed my API user wazuh-api was gone so I used the user wazuh:wazuh to stand it back up again:

curl -k -X POST "https://localhost:55000/security/users" -H  "Authorization: Bearer ..." -H  "Content-Type: application/json" -d "{\"username\":\"wazuh-api\",\"password\":\"password\"}"

Now Kibana is reporting the API is down due to invalid credentials: 3099 - ERROR3099 - Invalid credentials

My Kibana setup is this:

hosts:
  - default:
     port: 55000
     user: wazuh-api
     password: password
     run_as: false

The api.log on the wazuh manager reports:

2021/08/31 00:11:31 INFO: unknown_user 10.10.10.33 "GET /security/user/authenticate" with parameters {} and body {} done in 0.004s: 401

If it matters I used Elasticsearch basic because I was currently running that already.

How can I get Kibana working with Wazuh again?

Alejandro Cuellar

Aug 31, 2021, 2:32:01 AM
to Wazuh mailing list
Hi nbentzinger,

Let's first check whether wazuh-manager, or any of its processes, could be down. We can check it with either of the following commands on the wazuh-manager host:
- systemctl status wazuh-manager
or
- service wazuh-manager status

If it is running correctly, we can try changing wazuh.yml, which you can find in your kibana host/data/wazuh/config/wazuh.yml, where you can change the username and the password to the default credentials for the API, which are wazuh-wui for both.

Then, please try to access Wazuh again and let me know what happens.

Regards,
Alejandro.

Alejandro Cuellar

Sep 2, 2021, 3:48:46 AM
to Wazuh mailing list
Hi Nathaniel,

Forgive my oversight, but it seems to me that we have already found one of the possible errors.

When we moved from Wazuh 3.x to 4.x, wazuh.yml stopped using user and started using username, in addition to using "wazuh-wui" as the username and password. You can check this information here if you have an Elastic basic license, and if you use OpenDistro, you can check here. In both cases, the changes are the same.

With respect to creating your own user for this, remember that it will need the pertinent permissions to be able to work correctly.

I also want to explain what run_as is for. The run_as setting of the API host configuration makes the user permissions depend on the authentication context, which is given by the user who logs into Kibana. These permissions can be added, edited, or deleted using Policies, Roles, and RoleMapping. Here is a link explaining everything in more detail; remember that you can do it with API calls or with the UI.

Finally, I wanted to ask that in the future, if possible, you send your replies to the thread to everyone and not only to the person who is helping you, so that if another user has the same question, they can find this thread.

Regards,
Alejandro.
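
Added example, not part of the thread and not Wazuh's own code: a small Python check for the two things discussed above, a wazuh.yml host entry that still uses the 3.x user key, and 401 responses on the authenticate endpoint in api.log. The function names and the line-based parser are assumptions of this example; the second log line is constructed.

```python
import re

# Constructed sample: host entry as quoted in the first post (3.x-style 'user' key).
SAMPLE_WAZUH_YML = """\
hosts:
  - default:
     port: 55000
     user: wazuh-api
     password: password
     run_as: false
"""
# Constructed sample: first line as quoted in the thread, second line made up.
SAMPLE_API_LOG = """\
2021/08/31 00:11:31 INFO: unknown_user 10.10.10.33 "GET /security/user/authenticate" with parameters {} and body {} done in 0.004s: 401
2021/08/31 00:12:02 INFO: wazuh-wui 10.10.10.33 "GET /security/user/authenticate" with parameters {} and body {} done in 0.120s: 200
"""
HOST_RE = re.compile(r"^\s*-\s+([\w.-]+):\s*$")   # "- default:"
KEY_RE = re.compile(r"^\s+(\w+):\s*(.*)$")         # "  key: value"
LOG_RE = re.compile(r'^(\S+ \S+) \w+: (\S+) (\S+) "GET /security/user/authenticate".*: (\d{3})$')

def parse_hosts(text):
    """Hypothetical helper: {host_id: {key: value}}; line-based, not a full YAML parser."""
    hosts, current = {}, None
    for line in text.splitlines():
        host, key = HOST_RE.match(line), KEY_RE.match(line)
        if host:
            current = hosts.setdefault(host.group(1), {})
        elif key and current is not None:
            current[key.group(1)] = key.group(2).strip()
    return hosts

def audit_hosts(text):
    """Flag host entries that lack the 'username' key the 4.x config uses."""
    findings = []
    for host, cfg in parse_hosts(text).items():
        if "username" not in cfg:
            why = "3.x key 'user' found, 4.x expects 'username'" if "user" in cfg else "no 'username' key"
            findings.append(f"{host}: {why}")
    return findings

def failed_authentications(log_text):
    """Return (timestamp, user, source_ip) for every 401 on the authenticate endpoint."""
    matches = (LOG_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groups()[:3] for m in matches if m and m.group(4) == "401"]

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_WAZUH_YML))
    print(failed_authentications(SAMPLE_API_LOG))
```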