Admn Password to my Wazuh servers keep changing.
32 views
Skip to first unread message
Brad Nelson
Sep 18, 2025, 9:35:27 AM (4 days ago) Sep 18
to Wazuh | Mailing List
Over the past 1–2 years I’ve encountered a recurring issue with multiple Wazuh servers where I suddenly lose the ability to log in as the admin user. I manage credentials via 1Password and can successfully log in hundreds of times without issue, but then—seemingly at random—I begin receiving the error:
"Invalid username or password, try again"
In the past, my only workaround has been to wipe and rebuild the Wazuh Linux server (thinking it was compromised) from scratch. This most recently occurred on two separate Wazuh servers (in different datacenters) on July 1, 2025.
Both servers are deployed behind WatchGuard firewalls with IPS and other security measures enabled. I also placed reverse proxies in front of them after the July incident, which worked until recently when the same login issue resurfaced on both servers.
At this point, I suspect either:
This has occurred approximately 6–8 times in the past year.
For verification, I extracted the stored admin credentials with:
tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "'admin'" -A 1
The password in the file matches the one stored in 1Password, so the credentials themselves appear consistent.
Has anyone else seen this behavior, or are there known issues/exploits that could explain recurring credential corruption on Wazuh?
"Invalid username or password, try again"
In the past, my only workaround has been to wipe and rebuild the Wazuh Linux server (thinking it was compromised) from scratch. This most recently occurred on two separate Wazuh servers (in different datacenters) on July 1, 2025.
Both servers are deployed behind WatchGuard firewalls with IPS and other security measures enabled. I also placed reverse proxies in front of them after the July incident, which worked until recently when the same login issue resurfaced on both servers.
At this point, I suspect either:
- A possible exploit in Wazuh that allows modification of credentials,
- or a bug that resets or corrupts the admin account credentials.
This has occurred approximately 6–8 times in the past year.
For verification, I extracted the stored admin credentials with:
tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "'admin'" -A 1
The password in the file matches the one stored in 1Password, so the credentials themselves appear consistent.
Has anyone else seen this behavior, or are there known issues/exploits that could explain recurring credential corruption on Wazuh?
Dennis Ariel Gamboa Veliz
Sep 18, 2025, 10:33:53 AM (4 days ago) Sep 18
to Wazuh | Mailing List
Hi Brad Nelson,
Thanks for sharing all the details. Based on what you described, this doesn’t seem to be an exploit that changes the admin password. The stored credentials remain the same, which usually indicates the issue is related to upgrades or re-deployments.
To better understand what’s happening, could you please provide the following information?
Logs:
Thanks for sharing all the details. Based on what you described, this doesn’t seem to be an exploit that changes the admin password. The stored credentials remain the same, which usually indicates the issue is related to upgrades or re-deployments.
To better understand what’s happening, could you please provide the following information?
Logs:
- Manager: cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
- Indexer: cat /var/log/wazuh-indexer/<WAZUH_INDEXER_CLUSTER_NAME>.log | grep -E "ERROR|WARN|Caused"
- Dashboard: journalctl -u wazuh-dashboard | grep -i -E "error|warn"
Upgrade:
- Did you recently upgrade Wazuh, or only specific components (e.g., Dashboard, Indexer, Manager)?
- Did the issue start after an upgrade or configuration change?
Documentation: Please verify that all necessary configurations are in place.
- Password: https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/troubleshooting.html#invalid-password
- Install Indexer: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html
- Install Server: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
- This is important, please make sure this is configured:
- echo admin | filebeat keystore add username --stdin --force
- echo admin | filebeat keystore add password --stdin --force
- This is important, please make sure this is configured:
- Certificates: https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/certificate-deployment.html
We can determine whether the issue is caused by incorrect credentials or a misconfiguration that occurred during updates.
Brad Nelson
Sep 19, 2025, 8:59:13 AM (3 days ago) Sep 19
to Wazuh | Mailing List
Dennis,
I got it fixed on both. The error message (invalid username or password is VERY misleading) it had nothing to do with the user/pw.
On server 1, the issue was that the indexer wouldnt start. this was due to a permission issue with "/etc/wazuh-indexer/backup" which was owned by Root, changed that to Wazuh and the indexer started and i was able to log in, any idea why the indexper/backup location would all of a sudden be owned by root after working correctly for 3 months?
On server 1, the issue was that the indexer wouldnt start. this was due to a permission issue with "/etc/wazuh-indexer/backup" which was owned by Root, changed that to Wazuh and the indexer started and i was able to log in, any idea why the indexper/backup location would all of a sudden be owned by root after working correctly for 3 months?
On server 2, I dont recall what i did to fix it, but it is working now too.
My suggiestion is could you fix it so if for example the indexer isnt running, when logging in instead of saying invalid username, it could say Index not running, which would have lead me down a differrnt troubleshooting path?
Reply all
Reply to author
Forward
0 new messages