Admin password to my Wazuh servers keeps changing.


Brad Nelson

Sep 18, 2025, 9:35:27 AM
to Wazuh | Mailing List
Over the past 1–2 years I’ve encountered a recurring issue with multiple Wazuh servers where I suddenly lose the ability to log in as the admin user. I manage credentials via 1Password and can successfully log in hundreds of times without issue, but then—seemingly at random—I begin receiving the error:

"Invalid username or password, try again"


In the past, my only workaround has been to wipe and rebuild the Wazuh Linux server (thinking it was compromised) from scratch. This most recently occurred on two separate Wazuh servers (in different datacenters) on July 1, 2025.

Both servers are deployed behind WatchGuard firewalls with IPS and other security measures enabled. I also placed reverse proxies in front of them after the July incident, which worked until recently when the same login issue resurfaced on both servers.

At this point, I suspect either:

  • A possible exploit in Wazuh that allows modification of credentials, 
  • or a bug that resets or corrupts the admin account credentials.

This has occurred approximately 6–8 times in the past year.

For verification, I extracted the stored admin credentials with:

tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "'admin'" -A 1


The password in the file matches the one stored in 1Password, so the credentials themselves appear consistent.

Has anyone else seen this behavior, or are there known issues/exploits that could explain recurring credential corruption on Wazuh?

Dennis Ariel Gamboa Veliz

Sep 18, 2025, 10:33:53 AM
to Wazuh | Mailing List
Hi Brad Nelson,

Thanks for sharing all the details. Based on what you described, this doesn’t seem to be an exploit that changes the admin password. The stored credentials remain the same, which usually indicates the issue is related to upgrades or re-deployments.

To better understand what’s happening, could you please provide the following information?

Logs: 
  • Manager: cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
  • Indexer: cat /var/log/wazuh-indexer/<WAZUH_INDEXER_CLUSTER_NAME>.log | grep -E "ERROR|WARN|Caused"
  • Dashboard: journalctl -u wazuh-dashboard | grep -i -E "error|warn"
Upgrade:
Documentation: Please verify that all necessary configurations are in place.
We can determine whether the issue is caused by incorrect credentials or a misconfiguration that occurred during updates.

Brad Nelson

Sep 19, 2025, 8:59:13 AM
to Wazuh | Mailing List
Dennis,
I got it fixed on both. The error message (invalid username or password) is VERY misleading; it had nothing to do with the user/pw.

On server 1, the issue was that the indexer wouldn't start. This was due to a permission issue with "/etc/wazuh-indexer/backup", which was owned by root. I changed that to Wazuh and the indexer started and I was able to log in. Any idea why the indexer/backup location would all of a sudden be owned by root after working correctly for 3 months?

On server 2, I don't recall what I did to fix it, but it is working now too.

My suggestion is: could you fix it so that if, for example, the indexer isn't running, when logging in, instead of saying invalid username, it could say Index not running, which would have led me down a different troubleshooting path?

Dennis Ariel Gamboa Veliz

Oct 3, 2025, 8:30:19 AM
to Wazuh | Mailing List
Hi Brad, 

Thank you for sharing the solution you found. This is very helpful for us and the community.

Regarding the ownership issue with /etc/wazuh-indexer/backup, this usually happens when files or directories are manipulated as root. During updates, removals, or manual operations, ownership or permissions may change and prevent the Indexer from starting properly. That's why we always recommend reviewing our documentation when installing, upgrading, or removing Wazuh components to ensure the correct configuration and ownership are preserved.

Your suggestion about improving the error message is very valuable. We'll take this feedback into account, since a clearer message (for example, indicating that the Indexer is not running) would definitely simplify troubleshooting in these scenarios.

We appreciate your input and collaboration in improving Wazuh.
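
The failure mode resolved in this thread (indexer down because part of /etc/wazuh-indexer was owned by root, surfacing only as a login error) can be checked for directly. The script below is an added example, not part of the original thread or Wazuh's own tooling; the expected owner and systemd unit name "wazuh-indexer" are assumptions to adjust for your install.

```sh
#!/bin/sh
# Added example (not from the thread): triage for a dashboard login that fails
# with "Invalid username or password" while the stored password is unchanged.
# Assumed defaults: config dir /etc/wazuh-indexer (from the thread), expected
# owner and systemd unit both "wazuh-indexer" (assumption; pass your own).

# True when the systemd unit named in $1 is active.
unit_active() {
    systemctl is-active --quiet "$1" 2>/dev/null
}

# diagnose [DIR] [OWNER] [UNIT] [ACTIVE_CHECK]
# Prints one finding. Exit status: 0 ok, 1 service down, 2 wrong owner,
# 3 scan failed. The ( ) body keeps variables local in plain POSIX sh.
diagnose() (
    dir=${1:-/etc/wazuh-indexer}
    owner=${2:-wazuh-indexer}      # user name or numeric uid
    unit=${3:-wazuh-indexer}
    check=${4:-unit_active}        # injectable so the logic can be tested

    # Anything under DIR not owned by OWNER, e.g. a root-owned backup/ dir.
    bad=$(find "$dir" ! -user "$owner" -print 2>/dev/null) || {
        echo "SCAN-FAILED: cannot scan $dir for owner $owner"
        exit 3
    }
    if [ -n "$bad" ]; then
        printf 'OWNERSHIP: not owned by %s:\n%s\n' "$owner" "$bad"
        exit 2
    fi
    if ! "$check" "$unit"; then
        echo "SERVICE: $unit is not active; read its log before touching passwords"
        exit 1
    fi
    echo "OK: $unit is active and $dir is owned by $owner"
)

# Run only when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    shift
    diagnose "$@"
fi
```

Run it as root with --run so the scan can read every path; a SCAN-FAILED result usually means the directory or the expected user does not exist on that host.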

Dennis Ariel Gamboa Veliz

Oct 3, 2025, 11:10:53 AM
to Wazuh | Mailing List
Hi Brad, 

Thanks again for your valuable feedback. To properly track your suggestion about improving the error messages, we kindly ask you to open an issue in our GitHub repository: 

https://github.com/wazuh/wazuh

To do so, please:
  1. Go to the Issues section
  2. Click on New Issue
  3. Select the appropriate Issue template (it can be Issue)
  4. Fill in the required information mentioned in the description section
  5. Add your suggestion about improving the error messages/logs so it can be reviewed by the development team
This will ensure your feedback is visible and properly considered for future improvements.

Best regards,
Wazuh - Dennis Gamboa
