Wazuh - API and template not found error


Jerome Nelson Jayaprakash

Feb 29, 2024, 8:11:04 AM
to Wazuh | Mailing List
Hi All,

I am facing an issue when configuring Wazuh in a distributed deployment.
I had a distributed deployment earlier, and the indexer and dashboard crashed in an HDD failure. However, the wazuh-manager server was unaffected as it was deployed somewhere else. Now, to restore that, I have installed and configured the indexer and the dashboard afresh and tried connecting with the old Wazuh server. It keeps failing and throws the following error:
"[Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]
[API connection] No API available to connect"


Please help me fix this.

Jerome Nelson Jayaprakash

Mar 1, 2024, 1:49:07 AM
to Wazuh | Mailing List
Hi,

Can someone help me with this?

Thanks

Jerome Nelson Jayaprakash

Mar 1, 2024, 2:20:20 AM
to Wazuh | Mailing List
Hi,

When trying to authenticate using the curl command, it throws a "{"title": "Unauthorized", "detail": "Invalid credentials"}" error; however, the credentials are correct.

Stuti Gupta

Mar 1, 2024, 3:03:45 AM
to Wazuh | Mailing List
Hi Jerome Nelson Jayaprakash,
Hope you are doing well.

Can you please let me know what steps you have followed to migrate the indexers to another node?
Please verify that you have used the certificate that Wazuh generated previously when installing the fresh indexer node.
Please run the following command and see if it has the same permissions and ownership:
ls -lrt /etc/filebeat/wazuh-template.json
-rw-r--r-- 1 root root 62776 Jan 12 03:39 /etc/filebeat/wazuh-template.json

Hope to hear from you soon.
Regards

Jerome Nelson Jayaprakash

Mar 1, 2024, 4:29:33 AM
to Wazuh | Mailing List
Hi Stuti,

I used the assisted installation to configure the indexer and the dashboard. The server was also configured the same way.
And for the file permission, I get the same result.
"root@xdr-server:~# ls -lrt /etc/filebeat/wazuh-template.json
-rw-r--r-- 1 root root 62776 Feb 29 16:21 /etc/filebeat/wazuh-template.json"


Thanks

Stuti Gupta

Mar 1, 2024, 5:29:11 AM
to Wazuh | Mailing List

Check that Filebeat is working properly. Please run the command: filebeat test output
The output should be something similar to:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
You can also manually add the index by running the following command:
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.7.2/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <indexer_user>:<indexer_password> -k

You have also mentioned "I have installed and configured the indexer and the dashboard afresh and tried connecting with the old Wazuh server". Can you please share the steps that you followed for this? In any case you have the same certs that were generated by the previous installation.
For the error "[API connection] No API available to connect", please share api.log.
Reference: https://documentation.wazuh.com/current/user-manual/files-backup/restoring/index.html



Hope to hear from you soon.

Jerome Nelson Jayaprakash

Mar 1, 2024, 8:01:14 AM
to Wazuh | Mailing List
Hi Stuti,

The filebeat is working fine. 
root@xdr-server:~# filebeat test output
elasticsearch: https://172.20.8.167:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.8.167
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
root@xdr-server:~#

Earlier I had faced a certification mismatch between the servers as I used a new certificate for the indexer and dashboard which was generated recently and for the server, I had the old certificate which was with my old configuration.
Now, I have reconfigured with the same certificate and the certificate issue seems to have subsided.
Yet, I have an API issue. Please help with this.

Stuti Gupta

Mar 4, 2024, 4:17:01 AM
to Wazuh | Mailing List
Hi again,

As you can see, one of your issues has been resolved, that is:

[Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]

Let's move to the second issue:
[API connection] No API available to connect
For that, please share the api.log that is located at /var/ossec/logs/api.log


Hope to hear from you soon.

Jerome Nelson Jayaprakash

Mar 4, 2024, 9:35:02 AM
to Wazuh | Mailing List
Hi Stuti,

Thanks for the response.

I have attached the api log herewith.

Thanks

api-03.log.gz

Jerome Nelson Jayaprakash

Mar 5, 2024, 8:14:33 AM
to Wazuh | Mailing List
Hi Stuti,

Could you please help me fix this sooner? We need Wazuh to be back live ASAP for various reasons.

Thanks

Stuti Gupta

Mar 5, 2024, 9:41:03 PM
to Wazuh | Mailing List
Hi Jerome Nelson Jayaprakash
Sorry for the late response.

There is no error in the api.log file.
Can you please share the ossec.log file?
Please verify that all the Wazuh components are of the same version.
Please check if the Wazuh API is running; try to fetch data using the CLI from the Wazuh dashboard server (default user:pass is wazuh-wui:wazuh:wui):
curl -k -X GET "https://<api_url>:55000/" -H "Authorization: Bearer $(curl -u <api_user>:<api_password> -k -X POST 'https://<api_url>:55000/security/user/authenticate?raw=true')"

 
Hope to hear from you soon.
Regards
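
The nested one-liner above sends whatever the authentication call returns as the bearer token, so a failure body such as the "Invalid credentials" response reported earlier in the thread is hidden behind a second error. The script below is an added example, not part of the original posts or of Wazuh's own tooling; it splits the check into two steps. API_URL, API_USER and API_PASS are placeholder variables, and the sample bodies are constructed.

```shell
#!/bin/sh
# Added example: authenticate first, inspect the result, then query the API.

# Classify the body returned by POST /security/user/authenticate?raw=true.
# Prints one of: token | invalid_credentials | empty | unexpected
classify_auth_body() {
    body=$1
    case $body in
        '') echo empty; return ;;
        *'"Invalid credentials"'*) echo invalid_credentials; return ;;
    esac
    # A JWT is three non-empty base64url segments separated by dots.
    if printf '%s' "$body" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'; then
        echo token
    else
        echo unexpected
    fi
}

# Live check against a manager. -k is kept from the thread's command and
# skips certificate verification.
check_wazuh_api() {
    body=$(curl -sk -u "$API_USER:$API_PASS" -X POST \
        "https://$API_URL:55000/security/user/authenticate?raw=true") || {
        echo "connection to $API_URL:55000 failed"; return 2; }
    kind=$(classify_auth_body "$body")
    if [ "$kind" != token ]; then
        echo "authentication step failed ($kind): $body"; return 1
    fi
    curl -sk -X GET "https://$API_URL:55000/" -H "Authorization: Bearer $body"
}

# Constructed sample bodies (not captured from a real server).
SAMPLE_FAIL='{"title": "Unauthorized", "detail": "Invalid credentials"}'
SAMPLE_OK='eyJhbGciOiJFUzUxMiJ9.eyJzdWIiOiJ3YXp1aC13dWkifQ.c2lnbmF0dXJl'
echo "failure body -> $(classify_auth_body "$SAMPLE_FAIL")"
echo "token body   -> $(classify_auth_body "$SAMPLE_OK")"

# Run against a real manager only when the placeholders are set.
if [ -n "${API_URL:-}" ]; then check_wazuh_api; fi
```
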

Jerome Nelson Jayaprakash

Mar 7, 2024, 3:12:38 AM
to Wazuh | Mailing List
Hi Stuti,

Thanks for the response.
I noticed that there was a version difference between the 3 components and upgraded to the latest release. Now, it works fine.
However, my LDAP configurations were lost during the dashboard and indexer failure earlier.
I tried configuring it but it didn't work. The server fails to authenticate the LDAP users. Even the local users like wazuh and wazuh-wui are not authenticated.
Could you please help me with this?

Thanks

Stuti Gupta

Mar 7, 2024, 4:00:16 AM
to Wazuh | Mailing List
Hi Jerome Nelson Jayaprakash,

Please open a new thread for the new issue to track your query better.

Regards,

Jerome Nelson Jayaprakash

Mar 7, 2024, 4:24:49 AM
to Wazuh | Mailing List
Okay, thank you...