Wazuh Kibana app could not connect to Wazuh RESTful API


Mihailo Vicanović

May 31, 2017, 3:39:12 PM
to Wazuh mailing list
Hi,

I've installed new Wazuh with enjoyment but some issues emerged.
Versions are:
- Wazuh 2.0.2 installed from source with some minor modifications (added some custom directories for rootcheck, emailing info etc.),
- ELK installed from repos, Kibana version 5.4.0 
- Wazuh API 2.0
- Kibana App 5.4.0 from stable branch.

All components are installed on the same server. 
I've configured API to listen at 127.0.0.1 on default port 55000 without TLS.

So, the issue is known, in Wazuh app displayed times for last syscheck and rootcheck are stale, but the Wazuhapp works great otherwise!

When I have updated API to version 2.0.1 I got this error in Kibana app : Could not connect with Wazuh RESTful API. Then I tried to create new API in the Kibana app and got this error: The given URL does not contains a valid Wazuh RESTful API installation.

Strange thing is that when I try to use API with curl everything works great. I've configured API to listen at 127.0.0.1 on default port 55000.

Logs are showing just regular requests with HTTP 200 codes, no 4xx, 5xx in kibana and apache2 logs... 

I'm just confused at the moment. Is there any compatibility matrix between the versions of API, Wazuh, KibanaApp?




Santiago Bassett

May 31, 2017, 3:59:48 PM
to Mihailo Vicanović, Wazuh mailing list
Hi,

You have probably done this, but have you tried running curl?

 curl -s -u foo:bar -k -X GET "http://127.0.0.1:55000/"
{"error":0,"data":"Welcome to Wazuh HIDS API"}

On the other hand, in Kibana configuration settings for Wazuh plugin, what do you have under URL field? You should have something like this:


Hopefully that helps,

Santiago.



Mihailo Vicanović

Jun 1, 2017, 9:41:53 AM
to Wazuh mailing list, vicanovi...@gmail.com
Hi,

I think I know what's the issue here!

On KibanaApp in file kibana/wazuh/server/api/wazuh-api.js there is version validation and the validation logic seems to be a bit wrong (lines 12 to 51).

Here is what I think is the cause:
 
API version is parsed as an array of three elements, let's say v2.0.2 is written as [2,0,2]. That array is then checked to be between or equal MIN_VERSION = [2,0,0] and MAX_VERSION = [3,0,0]. So checking the first element goes fine (2 is equal to 2), second element as well (0 is equal to 0) but third element fails because it is 2 and has to fulfill condition (MIN_VERSION[i] <= tmp) && (tmp <= MAX_VERSION[i]) i.e. (0 <= 2) AND (2 <= 0) == FALSE.

Can you validate this?
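
[Added example, not part of the original thread and not the Wazuh app's code.] The per-component range check described in the message above, next to a lexicographic comparison that treats the version as one ordered value. MIN_VERSION and MAX_VERSION are the values quoted in the message; every function name and the sample versions are assumptions made for illustration.

```javascript
// Added illustration; not code from kibana/wazuh/server/api/wazuh-api.js.
// Bounds are the values quoted in the message; function names are hypothetical.
const MIN_VERSION = [2, 0, 0];
const MAX_VERSION = [3, 0, 0];

// "v2.0.2" or "2.0.2" -> [2, 0, 2]; null when the string is not x.y.z.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Check as described in the message: every component is range-tested
// in isolation, so 2.0.2 fails on (0 <= 2) && (2 <= 0).
function perComponentCheck(v) {
  return v.every((tmp, i) => MIN_VERSION[i] <= tmp && tmp <= MAX_VERSION[i]);
}

// Lexicographic order: the first component that differs decides,
// later components are only consulted on a tie.
function compareVersions(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function lexicographicCheck(v) {
  return compareVersions(MIN_VERSION, v) <= 0 && compareVersions(v, MAX_VERSION) <= 0;
}

// Unparseable input is rejected rather than treated as compatible.
function isSupported(text, check) {
  const v = parseVersion(text);
  return v !== null && check(v);
}

// Constructed sample versions, not taken from a real deployment.
const SAMPLES = ["v1.9.9", "v2.0.0", "v2.0.1", "v2.0.2", "v2.1.0", "v3.0.0", "v3.0.1", "2.0"];

function compareChecks() {
  return SAMPLES.map((s) => ({
    version: s,
    perComponent: isSupported(s, perComponentCheck),
    lexicographic: isSupported(s, lexicographicCheck),
  }));
}

console.table(compareChecks());
```

With these bounds the per-component check accepts only v2.0.0 and v3.0.0, while the lexicographic check accepts every sample from v2.0.0 through v3.0.0.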

Jesus Linares

Jun 1, 2017, 9:58:40 AM
to Wazuh mailing list, vicanovi...@gmail.com
Hi Mihailo,

we are fixing this issue right now. Thanks for the feedback.

We will get back to you as soon as possible.

Regards.

Jesus Linares

Jun 1, 2017, 12:04:00 PM
to Wazuh mailing list, vicanovi...@gmail.com
Hi Mihailo,

there were 2 errors:
  • The way to check the API version as you mentioned.
  • These variables (1, 2) should be equal to the API version that you are using.
It is already fixed and it will be released in 2.0.1.

Meanwhile, you could install:
Just to remember: we can guarantee that everything works only if you use the stable branch of each repository.

I hope it helps.

Thanks again for the feedback.
Regards.

Mihailo Vicanović

Jun 2, 2017, 9:02:56 AM
to Wazuh mailing list, vicanovi...@gmail.com
Hi Jesus,

Thank you for clarification. 

I guess I'll switch to stable versions for production and play around with latest ones on testing environment. 