Vulnerability module issues after upgrading from 4.7.3 to 4.8.0


Saddique Khan

Jul 12, 2024, 4:51:47 AM
to Wazuh | Mailing List
Hello Team,

   I am running Wazuh on a Kubernetes cluster. Recently I upgraded Wazuh from 4.7.3 to 4.8.0. The upgrade went fine. However, the vulnerability module has stopped working. I have followed the vulnerability documents to add the entries, but it is throwing the following warning.

indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful.


Here is ossec.conf :

<vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
    <enabled>yes</enabled>
    <hosts>
        <host>https://wazuh-indexer-0.wazuh-indexer:9200</host>
    </hosts>
    <ssl>
        <certificate_authorities>
            <ca>/etc/ssl/root-ca.pem</ca>
        </certificate_authorities>
        <certificate>/etc/ssl/filebeat.pem</certificate>
        <key>/etc/ssl/filebeat.key</key>
    </ssl>
</indexer>

Here are the keys: 

Location: /etc/ssl/ (I got this location from the filebeat.yml file)

-rw-r--r--. 1 root  101 1110 Jul 12 08:21 root-ca.pem
-rw-r--r--. 1 root  101 1115 Jul 12 08:21 filebeat.pem
-rw-r--r--. 1 root  101 1708 Jul 12 08:21 filebeat.key

I also added :
/var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
/var/ossec/bin/wazuh-keystore -f indexer -k password -v

After this, I restarted both the master and worker pods.

However, the module is not working. What would be the cause of the issue?

Regards,
Saddique

Stuti Gupta

Jul 12, 2024, 5:14:42 AM
to Wazuh | Mailing List
Hi @saddique 

Please make sure you made the changes on both the worker node and the master node.
Please make sure the indexer IP is the same as in the Filebeat config file. For example:
output.elasticsearch.hosts:
  - <Indexer_ip>:9200

Wazuh indexer node's IP address or hostname. If you have a Wazuh indexer cluster, add a `<host>` entry for each one of your nodes. For example, in a two-node configuration:
<hosts>
  <host>https://<Indexer_ip>:9200</host>
</hosts>

Additionally, you can use this command to verify the certificate paths, names and indexer ip:
curl -u <user>:<pass> --cacert <path.pem> --cert <path-client.pem> --key <path-client-key.pem> -X GET "https://<IP>:9200/_cluster/health"

After that, save the configuration and restart the manager/cluster using the command:
systemctl restart wazuh-manager

Refer: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html
https://documentation.wazuh.com/current/upgrade-guide/troubleshooting.html


If that does not work, I would ask you what you see in the ossec.log file. Also, share the output of the command:
cat /var/ossec/etc/ossec.conf | grep "<indexer>" -A12

Hope this helps 

Saddique Khan

Jul 12, 2024, 9:31:27 AM
to Wazuh | Mailing List
Hello Stuti,

   Shall I expect any indices for vulnerabilities in Wazuh, like wazuh-states-vulnerabilities-wazuh? Because it doesn't exist there. I can only see wazuh-alert, wazuh-monitor and wazuh state. Here is the exact error for my configuration:

2024/07/12 10:27:33 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful.
Fri, Jul 12 2024 12:27:37 pm2024/07/12 10:27:35 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started

Here is the output:

 <indexer>
    <enabled>yes</enabled>
    <hosts>
        <host>https://wazuh-indexer-0.wazuh-indexer:9200</host>
    </hosts>
    <ssl>
        <certificate_authorities>
          <ca>/etc/ssl/root-ca.pem</ca>
        </certificate_authorities>
        <certificate>/etc/ssl/filebeat.pem</certificate>
        <key>/etc/ssl/filebeat.key</key>
    </ssl>
</indexer>

Saddique Khan

Jul 12, 2024, 10:49:34 AM
to Wazuh | Mailing List
Hello Stuti,

I also tested my end point and it was connecting from my master pod to the indexer.

curl -v --cacert /etc/ssl/root-ca.pem --cert /etc/ssl/filebeat.pem --key /etc/ssl/filebeat.key https://wazuh-indexer-0.wazuh-indexer:9200

This is how I tested it.

Regards,
Saddique

Saddique Khan

Jul 15, 2024, 4:12:41 AM
to Wazuh | Mailing List
Hello Stuti,

I hope you are doing fine.

I tested this again and found that the certificate doesn't support the URL.

curl -u "admin:myadmin" --cert "/etc/ssl/filebeat.pem" --key "/etc/ssl/filebeat.key" --cacert "/etc/ssl/root-ca.pem" "https://wazuh-indexer-0.wazuh-indexer:9200"


The error is here.

curl: (60) SSL: certificate subject name '*.wazuh-indexer' does not match target host name 'wazuh-indexer-0.wazuh-indexer'


Could you please share the steps to resolve this?

Stuti Gupta

Jul 17, 2024, 6:23:02 AM
to Wazuh | Mailing List

The error you're encountering indicates a mismatch between the certificate's subject name and the target hostname you're trying to connect to.
Please make sure the path of the certs is right and the indexer is the one that you can find in docker-compose.yml.
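
The mismatch reported by curl in this thread, worked through as an added example (not part of the thread, and not Wazuh's or curl's own code): a simplified shell model of how curl compares a certificate name with the requested host. It assumes curl's rule that a wildcard name needs at least two dots, so '*.wazuh-indexer' is compared as a literal string; the example.internal names are constructed.

```shell
#!/bin/sh
# Added example: simplified model of curl's certificate-name matching.

normalize() {   # lower-case and drop one trailing dot
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# cert_name_matches CERT_NAME HOSTNAME -> exit status 0 on match, 1 otherwise
cert_name_matches() {
    pattern=$(normalize "$1")
    host=$(normalize "$2")

    # Without a leading "*." only an exact match counts.
    case $pattern in
        '*.'*) ;;
        *) [ "$pattern" = "$host" ]; return ;;
    esac

    # A wildcard never matches an IP address literal.
    case $host in
        *:*) return 1 ;;          # IPv6
        *[!0-9.]*) ;;             # has a non-digit: treat as a DNS name
        *) return 1 ;;            # digits and dots only: IPv4
    esac

    # Assumed rule: fewer than two dots in the pattern ("*.name") means
    # the wildcard is not honoured and the name is compared literally.
    suffix=${pattern#\*.}
    case $suffix in
        *.*) ;;
        *) [ "$pattern" = "$host" ]; return ;;
    esac

    # "*" covers exactly the left-most label of the hostname.
    case $host in
        *.*) [ "${host#*.}" = "$suffix" ] ;;
        *) return 1 ;;
    esac
}

report() {      # prints "match" or "no match" for CERT_NAME HOSTNAME
    if cert_name_matches "$1" "$2"; then echo "match"; else echo "no match"; fi
}

# Names from the thread, then constructed ones with a longer suffix.
report '*.wazuh-indexer' 'wazuh-indexer-0.wazuh-indexer'
report 'wazuh-indexer-0.wazuh-indexer' 'wazuh-indexer-0.wazuh-indexer'
report '*.wazuh-indexer.example.internal' 'wazuh-indexer-0.wazuh-indexer.example.internal'
```

To see which names the indexer's certificate actually carries, `openssl s_client -connect wazuh-indexer-0.wazuh-indexer:9200 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` prints its subject and SAN entries.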

Saddique Khan

Jul 22, 2024, 7:52:13 AM
to Wazuh | Mailing List
Hello Stuti,

   I checked the "filebeat test out". I see the same Elasticsearch URL as I mentioned, and I am using the same credentials plus certificate for the indexer, but it is not getting access. Secondly, I don't have wazuh-vulnerabilities indices. I am running Wazuh on Kubernetes. I could see all three certificates in the same place. Could you guide me further?

Regards,
Saddique