API Timeout


συνολική αντίκτυπο

Jul 21, 2021, 4:01:57 AM
to Wazuh mailing list
Hi team,

I have a problem with the Wazuh API.
I have multiple custom rules to add to my Wazuh (about 750). When I reached 500/600 rules added and tried to add more, I got this error message: "3013 - Timeout executing API request".

[Screenshot: timeout-api.PNG]
I tried to modify timeout_api_exe in the Wazuh manager and worker.
[Screenshot: kick-api-timeout.PNG]

After that, when I tried to save the rules, I got this error message: "3013 Error communicating with socket: time out"
[Screenshot: socket-timeout.PNG]
I changed "api_socket.settimeout(10)" to 30.
[Screenshot: kick-socket-timeout.PNG]
After that, the rules were correctly added.
[Screenshot: success-sav.PNG]
But when I restart the cluster to apply the rules, after 30 seconds I stay stuck on "check wazuh api connection":
[Screenshot: infin-loading.PNG]
And:
[Screenshot: daemon-failed.PNG]
I'm stuck here. I can send you my rules if you want to test them.
I work on 2 workstations with Docker (20.10.2):
- first one: elasticsearch opendistro 4 nodes (1.13.2) / kibana-wazuh (4.1.5)
- second one: Wazuh master (4.1.5) / Wazuh worker (4.1.5) / nginx
Thanks in advance


Franco Charriol

Jul 21, 2021, 4:02:43 PM
to Wazuh mailing list
Hi, thanks for using Wazuh!

There is a configuration in the Wazuh app that lets you increase the timeout of the request. You can find it in Wazuh / Settings / Configuration under the name Request timeout.
[Screenshot: Screenshot from 2021-07-21 15-31-54.png]
Please try increasing this value.

If this doesn't work, you can perform some curl requests to the Wazuh API from the Kibana server, in order to check whether only the app is getting the timeout or it is an issue with the API in general.
You can do these requests:
1 - Get the API token (replace wazuh-wui with your custom user and pass if necessary):
TOKEN=$(curl -u wazuh-wui:wazuh-wui -k -X GET "https://<your-api-ip>:55000/security/user/authenticate?raw=true")

2 - Get manager info or the agents list:
curl -k -X GET "https://<HOST_IP>:55000/manager/info" -H "Authorization: Bearer $TOKEN"
or
curl -k -X GET "https://<HOST_IP>:55000/agents" -H "Authorization: Bearer $TOKEN"

Here is more info about the Wazuh API request

Please, let us know if this was useful.
Best!
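
The curl checks from the reply above, wrapped into a script that times each request and separates a timeout from a refused connection or a rejected token. This is an added example, not part of the original thread or Wazuh's own tooling. API_URL, API_USER, API_PASS, MAX_TIME and the function names are assumptions, and /manager/status is an extra Wazuh API endpoint not mentioned in the post.

```bash
#!/usr/bin/env bash
# Added example: probe the Wazuh API directly and classify each outcome.
# API_URL, API_USER, API_PASS and MAX_TIME are assumed variable names.
API_URL="${API_URL:-https://localhost:55000}"
API_USER="${API_USER:-wazuh-wui}"
API_PASS="${API_PASS:-wazuh-wui}"
MAX_TIME="${MAX_TIME:-30}"   # seconds before curl gives up on a request

# Map a curl exit code and an HTTP status code to a short diagnosis.
classify_probe() {
    local curl_rc="$1" http_code="$2"
    case "$curl_rc" in
        0)  ;;                                   # transfer completed, inspect HTTP status
        7)  echo "api-unreachable"; return ;;    # connection refused: API not listening
        28) echo "api-timeout"; return ;;        # --max-time exceeded
        *)  echo "curl-error-$curl_rc"; return ;;
    esac
    case "$http_code" in
        200) echo "ok" ;;
        401) echo "auth-failed" ;;               # missing, wrong or expired token
        5??) echo "api-server-error" ;;
        *)   echo "http-$http_code" ;;
    esac
}

# Request one endpoint and print "<diagnosis> <seconds taken>".
probe() {
    local endpoint="$1" token="$2" out rc
    out=$(curl -k -s -o /dev/null --max-time "$MAX_TIME" \
        -w '%{http_code} %{time_total}' \
        -H "Authorization: Bearer $token" "$API_URL$endpoint")
    rc=$?
    echo "$(classify_probe "$rc" "${out%% *}") ${out#* }"
}

# Authenticate once, then probe the endpoints from the post plus daemon status.
run_probes() {
    local token ep
    token=$(curl -k -s --max-time "$MAX_TIME" -u "$API_USER:$API_PASS" \
        "$API_URL/security/user/authenticate?raw=true") \
        || { echo "authenticate: $(classify_probe $? 000)"; return 1; }
    for ep in /manager/info /agents /manager/status; do
        echo "$ep: $(probe "$ep" "$token")"
    done
}
```

Source the file and call run_probes from the Kibana host. The -k option is kept from the post and disables certificate verification; where the API's CA certificate is available, pass it with --cacert instead.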

συνολική αντίκτυπο

Jul 22, 2021, 4:14:45 AM
to Wazuh mailing list
Hi,
Thanks for your help!
I tried to increase the request timeout with no success:
[Screenshot: v2request-timeout.PNG]

After that I tried to curl from Kibana (and from other places) and I get the same result as before:
[Screenshot: v2culr-fail.PNG]
Daemon not running ossec-analysisd->failed etc...
Regards

Maximiliano Ibarra

Jul 23, 2021, 10:59:03 AM
to Wazuh mailing list
Hi, thanks for your reply.
Let's try something else.
Please disable the NVD provider in the /var/ossec/etc/ossec.conf file on your managers:

<provider name="nvd">
<enabled>no</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>


Then restart your manager:
systemctl restart wazuh-manager

If you are not using NVD, then you can check for errors inside the ossec.log file on your managers:
grep -E "ERR|WARN" /var/ossec/logs/ossec.log
Please try those steps and tell me how it went.

Also, could you tell me if you have any Wazuh managers with a version earlier than 4.1.5?
Thank you.
Best regards

συνολική αντίκτυπο

Jul 27, 2021, 7:00:19 AM
to Wazuh mailing list
Hi, thanks for your reply,

I tried to disable the NVD feature with no success.
I see nothing special in ossec.log.

I only have 1 Wazuh manager and 1 worker, both 4.1.5. Maybe replacing my worker with a second manager can help to solve this issue?

I have tested on another workstation with a different cluster configuration (I used the Docker non-production deployment) with the same rules and I got the same error as currently. I can send you my ruleset if you want.

I think it's due to a timeout error in ossec-analysisd; that's always the one that fails to restart when I use "ossec-control restart". I have tried to modify all timeout values in cluster.json and manager.py with no result :/

Thank you for your time.
Best regards

Maximiliano Ibarra

Jul 27, 2021, 8:49:34 AM
to Wazuh mailing list
Hi, it's strange that you have the same issue in different environments.
Can you copy your rulesets in this thread? I'm going to try to reproduce your issue.
Also, run this command to see the ossec logs: grep -E "ERR|WARN" /var/ossec/logs/ossec.log
Thank you

συνολική αντίκτυπο

Jul 27, 2021, 10:42:26 AM
to Wazuh mailing list
When I run your command I have no result because I had no ERR or WARN in ossec.log. I am sending you a part of this file.
I have already tried to increase the verbosity of ossec-analysisd to 2 with no more result :/
I am sending you my ruleset, tell me if you can load all the set without a problem!

Thank you for your help!
DC-Part3.xml
DC-Part2.xml
DC-Part4.xml
DC-Part6.xml
DC-Part1.xml
DC-Part5.xml
error.txt

Maximiliano Ibarra

Jul 29, 2021, 3:00:13 PM
to Wazuh mailing list
Hi, I've been looking at your logs and they say modules, analysisd and remoted are failing.
We are going to try to put analysisd in debug mode to see if we find information in your logs.
Please run this command in your manager environment:
       /var/ossec/bin/ossec-analysisd -fdd
You can find more information about analysisd at https://documentation.wazuh.com/current/user-manual/reference/daemons/ossec-analysisd.html.
This command sets your analysisd module in debugging and foreground mode. In this mode, the module should give us more information.
    grep -E "ERR|WARN" /var/ossec/logs/ossec.log
Sorry, but I've been researching your bug and asking other teams to try and give you the best possible solution.
Thanks for your patience.
Best Regards

συνολική αντίκτυπο

Jul 30, 2021, 7:19:36 AM
to Wazuh mailing list
Hi,
I ran ossec-analysisd in debug mode and I got no error or warning message. Same with grep on ossec.log: I have no warning or error in this file.
I tried to find an "analysisd" error message in all my system with: grep -r "analysisd" * | grep "error" with no success.
The only return I have is this (./ossec-control restart):

But I found a very interesting thread on GitHub: https://github.com/wazuh/wazuh/issues/8719 / https://github.com/wazuh/wazuh/pull/9378
I have a very similar problem with ossec-analysisd...
Best regards

συνολική αντίκτυπο

Aug 10, 2021, 6:40:29 AM
to Wazuh mailing list
Hi,
I hope the 4.2 release fixes that bug. Do you know the date of the update?
Regards

Maximiliano Ibarra

Aug 10, 2021, 7:55:00 AM
to Wazuh mailing list
Hi, thanks for your patience.
We are working to launch the 4.2 release as soon as possible.
Thank you again.
Best regards

