Error 3000 Token refused

[Terry]

Hello, i have a wazuh installed on Ubuntu 22.04.

I have a 3 Serveur : 

1 Serveur Manager

1 Serveur Dashboard

1 Serveur Indexer

I have this error when i connect on the Dashboard and this result for wazuh-control :

wazuh-clusterd not running...
wazuh-modulesd not running...
wazuh-monitord not running...
wazuh-logcollector not running...
wazuh-remoted not running...
wazuh-syscheckd not running...
wazuh-analysisd not running...
wazuh-maild not running...
wazuh-execd not running...
wazuh-db not running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid not running...

Error: Error getting the authorization token

3000 - Error getting the authorization token: connect ECONNREFUSED 10.33.252.118:55000

Error: 3000 - Error getting the authorization token: connect ECONNREFUSED 10.33.252.118:55000 at createError (https://wazuh.safe-industry.com/1/bundles/plugin/wazuh/wazuh.plugin.js:2:31654) at settle (https://wazuh.safe-industry.com/1/bundles/plugin/wazuh/wazuh.plugin.js:8:15184) at XMLHttpRequest.onloadend (https://wazuh.safe-industry.com/1/bundles/plugin/wazuh/wazuh.plugin.js:2:29447)

[Ariel Ojeda]

Hi Terry,

I hope this message finds you well, please let me help you with this.

If I understand correctly, you have the Wazuh-dashboard on a separate server from the Wazuh-indexer server, it is usually recommended to install the Wazuh-dashboard service in one of the indexer nodes, unless you have any reason to install it separately. Please make sure that all the required ports are open in each component, you can find a list of them here:

Wazuh - Required ports

I would also like to know if this is a fresh installation and what version of the product have you installed as well as what is the installation guide you followed to perform the installation. The Wazuh-dashboard connects to the Wazuh API and the Wazuh plugin also requests information from the Wazuh API frequently. Have you changed the credentials for the Wazuh API? Make sure the changes are reflected here:

/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

This file is located on the Wazuh-dashboard, if you need to update it, please remember to restart the Wazuh-dashboard service:

systemctl restart wazuh-dashboard

Regarding your issue, from the output of the wazuh-control command that you share, it looks like none of the Wazuh-manager modules are running. Could you please run these commands on the Manager and share the output?

systemctl restart wazuh-manager

grep -i -E "error|warn|crit" /var/ossec/logs/ossec.log

grep -i -E "error|warn|crit" /var/ossec/logs/api.log 

You can also use these on the Wazuh manager node to verify if the API is responding to requests (update the user and password, defaults are wazuh-wui:wazuh-wui):

TOKEN=$(curl -u <user>:<password> -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"

You should get something like this from the second command:

{"data": {"title": "Wazuh API REST", "api_version": "4.3.1", "revision": 40311, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.3/LICENSE", "hostname": "wazuh-server", "timestamp": "2023-04-04T13:38:11Z"}, "error": 0}

I hope this helps,

Ariel Ojeda.

[Terry]

I followed the installation given on the Wazuh site, but I was able to restore my server to an earlier date. The server is currently working but since a few weeks we have gone up to more than 1200 Agent and every morning after the connection of the users on their computer the Wazuh api does not work anymore.

I think I should set up a second node to distribute the load