No API available to connect wazuh


Ciocoiu Petrisor

Sep 9, 2022, 5:42:12 AM
to Wazuh mailing list

Hi,

I'm trying to use the Wazuh solution from your website but I have some issues:

1. I've installed ELK OSS without X-Pack security and I don't have any SSL/TLS. I've installed it as a Helm chart on Kubernetes:

NAME                      READY   STATUS    RESTARTS   AGE
elasticsearch-0           1/1     Running   0          11h
kibana-7989cc9dd9-jq97m   1/1     Running   0          11h
wazuh-manager-worker-0    1/1     Running   0          16d
wazuh-master-0            1/1     Running   0          16d

NAME            TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)
elasticsearch   LoadBalancer   10.247.127.246   <pending>     9200:30020/TCP,9300:30462/TCP   12h
kibana          ClusterIP      10.247.109.44    <none>        5601/TCP                        12h
wazuh-cluster   ClusterIP      None             <none>        1516/TCP                        16d
wazuh-master    ClusterIP      10.247.234.146   <none>        1515/TCP,55000/TCP              16d
wazuh-workers   LoadBalancer   10.247.202.211   <pending>     1514:31640/TCP                  16d

cat data/wazuh/config/wazuh.yml
hosts:
  - default:
     url: http://10.247.234.146
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

2. I've installed the Wazuh manager also as a Helm chart on Kubernetes, but when I'm trying to open kibana/app/wazuh, the Wazuh API is failing to connect. I want to say that I'm using http and not https.

Can you please point out what I did wrong and how I can correct the API connection?

Thank you so much for your help

api wazuh failled.PNG

Ciocoiu Petrisor

Sep 12, 2022, 2:47:19 AM
to Wazuh mailing list
Any answer would be awesome.

Thanks

Alejandro Ruiz Becerra

Sep 12, 2022, 5:27:59 AM
to Wazuh mailing list
Hi,

Thank you for using Wazuh.

The wazuh.yml file looks correct.

Could you please check that the Wazuh API is accessible? For that, you can use cURL and this guide.

Ciocoiu Petrisor

Sep 12, 2022, 7:35:19 AM
to Wazuh mailing list
Yes, it's accessible from inside the pod but not from the outside:

# outside the pod not working:
[root@wazuh-manager-worker-0 /]# curl -u wazuh-wui:wazuh-wui -k -X GET "https://wazuh-master:55000/security/user/authenticate?raw=true"
curl: (7) Failed connect to wazuh-master:55000; Connection refused

# inside pod is working fine
[root@wazuh-master-0 /]# curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"
{"data": {"title": "Wazuh API REST", "api_version": "4.1.5", "revision": 40114, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.1/LICENSE", "hostname": "wazuh-master-0", "timestamp": "2022-09-12T11:30:33+0000"}, "error": 0}

Alejandro Ruiz Becerra

Sep 12, 2022, 10:14:15 AM
to Wazuh mailing list
Hi again!

Is the port 55000 open?? Any node (or pod) should be able to communicate with the API if that port is open

Could you please check that out??


Regards,
Alex

Ciocoiu Petrisor

Sep 13, 2022, 4:20:38 AM
to Wazuh mailing list
Hi,

I fixed the connection but I have other errors:

## 1st issue:

Check Wazuh API version

INFO: Current API in cookie: [1513629884013]
INFO: Getting API version data...
ERROR: 3000 - Error getting the authorization token: Selected API is no longer available in wazuh.yml


## 2nd Issue:

Check alerts index pattern

INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: no
ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]

Alejandro Ruiz Becerra

Sep 14, 2022, 4:08:57 AM
to Wazuh mailing list
Hi,

Let's start with the first error:

How did you fix the connection issues??

Please check the URL and PORT set in wazuh.yml, and check that, using these values with cURL, the connection is successful.


When this problem is solved, we'll move to fix the 2nd error, if it persists.

Regards,
Alex

Ciocoiu Petrisor

Sep 14, 2022, 7:05:28 AM
to Wazuh mailing list
1. I fixed the API connection between Kibana and wazuh-master 55000 by removing the LoadBalancer type from the YAML service manifest. I can connect from the Kibana pod to the wazuh-master API pod on 55000; see below the command:

bash-4.4$ curl -u wazuh-wui:wazuh-wui -k -X GET "https://wazuh-master:55000/security/user/authenticate?raw=true"
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjYzMTUzMDc2LCJleHAiOjE2NjMxNTM5NzYsInN1YiI6IndhenVoLXd1aSIsInJ1bl9hcyI6ZmFsc2UsInJiYWNfcm9sZXMiOlsxXSwicmJhY19tb2RlIjoid2hpdGUifQ.95-slO0WQd7XK5WIu2aE2HajPNN1hlGTvpWtAN5hmXQ


On Kibana I've added the wazuh.yml to the Kibana pod:

hosts:
  - default:
     url: https://wazuh-master
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

It is working, as you can see (see details below and the picture attached):

INFO: Current API id [1513629884013] 
INFO: Checking current API id [1513629884013]... 
INFO: Set cluster info in cookie

2. Now, other issues I have on the Kibana page are:

a. Check alerts index pattern - ERROR: No template found for the selected index-pattern title [wazuh-alerts-*] 

INFO: Index pattern id in cookie: yes [wazuh-alerts-*] 
INFO: Getting list of valid index patterns... 
INFO: Valid index patterns found: 1 
INFO: Found default index pattern with title [wazuh-alerts-*]: yes 
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]... 
INFO: Default pattern with id [wazuh-alerts-*] exists: yes 
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern 
INFO: Checking the index pattern id [wazuh-alerts-*] exists... 
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*] 
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*] 
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*] 
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: no 
ERROR: No template found for the selected index-pattern title [wazuh-alerts-*] 
INFO: Index pattern id in cookie: [wazuh-alerts-*] 
INFO: Getting index pattern data [wazuh-alerts-*]... 
INFO: Index pattern data found: [yes] 
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]


b. Check Wazuh API version - ERROR: 3000 - Error getting the authorization token: Selected API is no longer available in wazuh.yml

INFO: Current API in cookie: [1513629884013] 
INFO: Getting API version data... 
ERROR: 3000 - Error getting the authorization token: Selected API is no longer available in wazuh.yml

Thank you for your help
Petrisor
wazuh api connection kibana.PNG

Alejandro Ruiz Becerra

Sep 14, 2022, 9:12:40 AM
to Wazuh mailing list
Hi again


From a previous message, I can see that the API of Wazuh is at version 4.1.5.

However, by the screenshots you shared, I can see that the app is using the new logo, which was introduced in version 4.3

Could you please check the app version by navigating to /app/wazuh#/settings?tab=about?

The mismatch of versions could be causing these errors. We recommend that the version of every component of Wazuh match, or at least, that their major and minor version numbers match (4.1, 4.2, 4.3, ...).
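
As an added example (not code from this thread, from Wazuh or from its Kibana app), the Python script below replays the checks discussed above using only the standard library: it reads the single-host wazuh.yml layout posted earlier, authenticates against the API the way the cURL commands do (basic auth on /security/user/authenticate?raw=true, then the bearer token on /), extracts data.api_version from the root-endpoint JSON, and applies the rule that the API's and app's major.minor must match. The sample host, credentials and JSON are constructed from values shown in the thread; all function names are my own.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, Tuple

# Constructed sample in the same layout as the wazuh.yml posted in this thread.
SAMPLE_WAZUH_YML = """\
hosts:
  - default:
     url: https://wazuh-master
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false
"""
# Constructed sample shaped like the JSON the API root endpoint returned earlier.
SAMPLE_API_INFO = '{"data": {"title": "Wazuh API REST", "api_version": "4.1.5"}, "error": 0}'

def parse_wazuh_yml(text: str) -> Dict[str, str]:
    """Minimal parser for the one-host wazuh.yml layout (no PyYAML needed)."""
    host: Dict[str, str] = {}
    in_hosts = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "hosts:":
            in_hosts = True
        elif in_hosts and line.startswith("- ") and line.endswith(":"):
            host["id"] = line[2:-1]  # the host id, e.g. "default"
        elif in_hosts and "id" in host:
            key, _, value = line.partition(":")
            host[key.strip()] = value.strip()
    missing = {"url", "port", "username", "password"} - host.keys()
    if missing:
        raise ValueError(f"wazuh.yml is missing {sorted(missing)}")
    return host

def parse_version(version: str) -> Tuple[int, int, int]:
    """'v4.1.5' or '4.1.5' -> (4, 1, 5); rejects anything that is not x.y.z."""
    parts = version.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def versions_compatible(api_version: str, app_version: str) -> bool:
    """The app accepts an API whose major.minor equals its own; the patch may differ."""
    return parse_version(api_version)[:2] == parse_version(app_version)[:2]

def api_version_from_info(body: str) -> str:
    """Extract data.api_version from the root-endpoint JSON, honouring its 'error' field."""
    info = json.loads(body)
    if info.get("error", 1) != 0:
        raise RuntimeError(f"API returned error {info.get('error')}: {info}")
    return info["data"]["api_version"]

def _get(host: Dict[str, str], path: str, auth_header: str, ctx: ssl.SSLContext) -> str:
    url = f"{host['url'].rstrip('/')}:{host['port']}{path}"
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode().strip()

def authenticate(host: Dict[str, str], ctx: ssl.SSLContext) -> str:
    """GET /security/user/authenticate?raw=true with basic auth; returns the raw JWT."""
    creds = base64.b64encode(f"{host['username']}:{host['password']}".encode()).decode()
    return _get(host, "/security/user/authenticate?raw=true", "Basic " + creds, ctx)

def fetch_api_info(host: Dict[str, str], token: str, ctx: ssl.SSLContext) -> str:
    """GET / with the bearer token; the body carries data.api_version."""
    return _get(host, "/", "Bearer " + token, ctx)

def healthcheck(yml_text: str, app_version: str, insecure: bool = True) -> Dict[str, str]:
    """Run connection, auth and version checks; each is 'ok' or the reason it failed."""
    result = {"connection": "pending", "auth": "pending", "version": "pending"}
    ctx = ssl.create_default_context()
    if insecure:  # the API ships a self-signed certificate, hence curl -k in the thread
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        host = parse_wazuh_yml(yml_text)
        token = authenticate(host, ctx)
        result["connection"] = result["auth"] = "ok"
        api_version = api_version_from_info(fetch_api_info(host, token, ctx))
    except urllib.error.HTTPError as exc:  # reached the API, but it rejected the request
        result["connection"] = "ok"
        result["auth"] = "rejected (401)" if exc.code == 401 else f"HTTP {exc.code}"
        return result
    except OSError as exc:  # ENOTFOUND, connection refused, timeout (URLError is an OSError)
        result["connection"] = f"failed: {getattr(exc, 'reason', exc)}"
        return result
    result["version"] = ("ok" if versions_compatible(api_version, app_version)
                         else f"mismatch: API {api_version} vs app {app_version}")
    return result

if __name__ == "__main__":
    import sys
    yml = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WAZUH_YML
    print(healthcheck(yml, app_version=sys.argv[2] if len(sys.argv) > 2 else "4.3.7"))
```

Run it from the Kibana pod as `python3 check.py /usr/share/kibana/data/wazuh/config/wazuh.yml 4.3.7`; a `connection: failed` result reproduces the ENOTFOUND / connection refused cases in this thread, `auth: rejected (401)` the credential errors, and `version: mismatch` the 4.1.5 vs 4.3.7 situation.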

Ciocoiu Petrisor

Sep 15, 2022, 5:25:28 AM
to Wazuh mailing list
Hi there,

Here is the information:

[API version] Wazuh API and Wazuh App version mismatch. 
API version: 4.1.5. 
App version: 4.3.7. 
At least, major and minor should match.
 Check more info about upgrading Wazuh App here.


Should I use the last version: 4.1.5?
api version.PNG

Ciocoiu Petrisor

Sep 15, 2022, 5:29:53 AM
to Wazuh mailing list
Hi, 

Should I use the last version, 4.3.7, because I am doing this:

Kibana plugin installed: wazuh_kibana-4.3.7_7.10.2-1.zip
image: 'wazuh/wazuh-manager:4.3.5'

I don't have anything from the 4.1.5 version in my folder.

Regards,
Petrisor

Alejandro Ruiz Becerra

Sep 15, 2022, 5:46:33 AM
to Wazuh mailing list
Hi Petrisor

The Wazuh app is at the most recent version (v4.3.7), so that's fine.

However, as seen on the image you shared, the Wazuh manager is reporting v4.1.5, which is way behind the most recent one.

You're using Kubernetes, right? I'll check the image `wazuh/wazuh-manager:4.3.5` and check there is no issue from our side.

Please, standby, I'll be back soon.


Alex

Alejandro Ruiz Becerra

Sep 15, 2022, 5:57:43 AM
to Wazuh mailing list
Hello again Petrisor

I checked the image, and its version is correct (v4.3.5).

In order to double-check that your container is at the correct version, please use the following command (inside the wazuh-manager container): /var/ossec/bin/wazuh-control -j info

You should see something similar to this:

{"error":0,"data":[{"WAZUH_VERSION":"v4.3.5"},{"WAZUH_REVISION":"40317"},{"WAZUH_TYPE":"server"}]}


Regards,
Alex

Ciocoiu Petrisor

Sep 15, 2022, 6:07:55 AM
to Wazuh mailing list
Hi,

I've installed v4.3.5, but the user:pass for the API is different from wazuh-wui:wazuh-wui, right?

root$wazuh-master-0:/# /var/ossec/bin/wazuh-control -j info
{"error":0,"data":[{"WAZUH_VERSION":"v4.3.5"},{"WAZUH_REVISION":"40317"},{"WAZUH_TYPE":"server"}]}
root@wazuh-master-0:/#


root$wazuh-master-0:/# curl -u wazuh-wui:wazuh-wui -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"
curl: (7) Failed to connect to localhost port 55000: Connection refused

Thank you

Ciocoiu Petrisor

Sep 15, 2022, 7:09:10 AM
to Wazuh mailing list
Hi,

So what api user: pass should I use for " v4.3.5" ?

Thank you

Alejandro Ruiz Becerra

Sep 15, 2022, 7:34:20 AM
to Wazuh mailing list
According to that, the wazuh-master is at version 4.3.5. So I don't know how the API is reporting v4.1.5...

The user is the same, either wazuh:wazuh or wazuh-wui:wazuh-wui


That same request is working for me:

root@-:/# curl -u wazuh-wui:wazuh-wui -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjYzMjQxMzc0LCJleHAiOjE2NjMyNDIyNzQsInN1YiI6IndhenVoLXd1aSIsInJ1bl9hcyI6ZmFsc2UsInJiYWNfcm9sZXMiOlsxXSwicmJhY19tb2RlIjoid2hpdGUifQ.AbVXUHKNDxcCzpoYloFD49ATisvp4nxElLWCaATCbn4NAVAuqUvVWmS8xLwma8Xjv536eI279cgv_qzwIfoowTUWARzOD4KIRC3YTDgCfm5ll2cvt59J77NVSlTKJAZVli001ENAGfMI2bXe7P5jT5f-oYvxLk-_TMFV8RH7urbrkdfq

Could you check if the API service is running?

/var/ossec/bin/wazuh-control status

Ciocoiu Petrisor

Sep 15, 2022, 7:47:00 AM
to Wazuh mailing list
Hi,

I think the problem is the wazuh-manager:4.3.5

root@wazuh-master-0:/# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd not running...
wazuh-monitord not running...
wazuh-logcollector not running...
wazuh-remoted not running...
wazuh-syscheckd not running...
wazuh-analysisd not running...
wazuh-maild not running...
wazuh-execd not running...
wazuh-db not running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid not running...



Thanks
Petrisor

Alejandro Ruiz Becerra

Sep 15, 2022, 8:10:00 AM
to Wazuh mailing list
Every Wazuh service is down.

Could you please start them manually? 

You can use /var/ossec/bin/wazuh-control start

Here is the reference guide: https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-control.html

You can also check the logs in this file: /var/ossec/logs/ossec.log

Ciocoiu Petrisor

Sep 15, 2022, 8:15:08 AM
to Wazuh mailing list
root@wazuh-master-0:/var/ossec# /var/ossec/bin/wazuh-control start
2022/09/15 12:14:56 wazuh-analysisd: CRITICAL: (1226): Error reading XML file 'etc/ossec.conf':  (line 0).
wazuh-analysisd: Configuration error. Exiting

Alejandro Ruiz Becerra

Sep 15, 2022, 8:36:29 AM
to Wazuh mailing list
Great, we're enclosing the error.

There are errors in your ossec.conf.

The fastest way to solve it is to make a backup and use the default configuration, which can be found here: https://raw.githubusercontent.com/wazuh/wazuh/v4.3.5/etc/ossec.conf

In terms of commands, do the following:

# Stop Wazuh (safely ignore any error)
/var/ossec/bin/wazuh-control stop

# Rename your config file
mv /var/ossec/etc/ossec.conf /var/ossec/etc/ossec-backup.conf

# Download the default configuration (the v4.3.5 file linked above) into place
curl -so /var/ossec/etc/ossec.conf https://raw.githubusercontent.com/wazuh/wazuh/v4.3.5/etc/ossec.conf

# Start Wazuh
/var/ossec/bin/wazuh-control start

Ciocoiu Petrisor

Sep 15, 2022, 9:35:26 AM
to Wazuh mailing list
Yes, but this should be done from the Dockerfile; it is a waste doing this manually on Kubernetes.

Ciocoiu Petrisor

Sep 15, 2022, 10:50:40 AM
to Wazuh mailing list
Hi,

Finally I installed the 4.1.5 version of Wazuh with the Kibana plugin (see the picture attached).
Now, basically, I need to test it with an agent installed on a random node?
final_app_installed.PNG

Alejandro Ruiz Becerra

Sep 15, 2022, 11:43:00 AM
to Wazuh mailing list
Hi again Petrisor

Yes, you need to install a Wazuh agent v4.1.5 at any node, then register it to any manager node as seen in the docs: https://documentation.wazuh.com/4.1/user-manual/registering/index.html

Ciocoiu Petrisor

Sep 16, 2022, 11:41:22 AM
to Wazuh mailing list
Could you please tell me: for the wazuh-agents, it says that we need to add the WAZUH_MANAGER variable that contains my Wazuh manager IP address or hostname (which one of the Wazuh services is it? master or workers?)

wazuh-cluster   ClusterIP      None             <none>                       1516/TCP                        14m
wazuh-master    ClusterIP      10.247.174.9     <none>                       1515/TCP,55000/TCP              14m
wazuh-workers   LoadBalancer   10.247.149.254   192.168.0.237,90.84.18.128   1514:31761/TCP                  14m

Which wazuh ip should I put?

# WAZUH_MANAGER="10.247.174.9" apt-get install wazuh-agent=4.1.5-1 

OR

# WAZUH_MANAGER="10.247.174.254" apt-get install wazuh-agent=4.1.5-1 

Alejandro Ruiz Becerra

Sep 19, 2022, 6:08:10 AM
to Wazuh mailing list
Hello again Petrisor,

You can use any of the managers, worker or master, it doesn't matter. Use the one you prefer.

Regards,
Alex

Ciocoiu Petrisor

Sep 19, 2022, 6:54:56 AM
to Wazuh mailing list
Hi,

I've pointed the agent to the wazuh-workers, but when I've opened the Kibana Wazuh GUI I have an error: Elasticsearch template Error.

Check Wazuh API connection Ready
Check for Wazuh API version Ready
Check Elasticsearch index pattern Ready
Check Elasticsearch template Error
Check index pattern fields Ready
Check Monitoring index pattern Ready
Check Statistics index pattern Ready
No template found for the selected index-pattern.


Thank you
Petrisor

Ciocoiu Petrisor

Sep 19, 2022, 7:02:34 AM
to Wazuh mailing list
Hi,

I fixed the Elasticsearch template and I've added the wazuh-agents, but I don't see any Total Agents or Active Agents on the GUI :). On the agent side the wazuh-agent is working fine; the curl from agent to worker is ok.

### wazuh-agent service
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-09-19 10:57:24 UTC; 9s ago
  Process: 20429 ExecStop=/usr/bin/env ${DIRECTORY}/bin/ossec-control stop (code=exited, status=0/SUCCESS)
  Process: 20483 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    Tasks: 25 (limit: 1110)
   CGroup: /system.slice/wazuh-agent.service
           ├─20519 /var/ossec/bin/ossec-execd
           ├─20530 /var/ossec/bin/ossec-agentd
           ├─20543 /var/ossec/bin/ossec-syscheckd
           ├─20556 /var/ossec/bin/ossec-logcollector
           └─20572 /var/ossec/bin/wazuh-modulesd

### The curl command:
root@wazuh-agent:/home/cloud# curl 192.168.0.237:1514
curl: (52) Empty reply from server

agents.PNG

Ciocoiu Petrisor

Sep 19, 2022, 7:05:15 AM
to Wazuh mailing list
Hi, 

Found the reason: you said that the agent can connect anywhere, but it seems that it is connecting to wazuh-master 1515, not to worker 1514.

root@wazuh-agent:/var/ossec/logs# tail -f ossec.log
2022/09/19 10:57:21 wazuh-modulesd:syscollector: INFO: Module started.
2022/09/19 10:57:21 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/09/19 10:57:21 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/09/19 10:57:21 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/09/19 10:57:21 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/09/19 10:57:22 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/09/19 10:59:28 ossec-agentd: ERROR: Unable to connect to 192.168.0.237:1515
2022/09/19 10:59:33 ossec-agentd: INFO: Requesting a key from server: 192.168.0.237
2022/09/19 11:01:43 ossec-agentd: ERROR: Unable to connect to 192.168.0.237:1515
2022/09/19 11:01:53 ossec-agentd: INFO: Requesting a key from server: 192.168.0.237
2022/09/19 11:04:03 ossec-agentd: ERROR: Unable to connect to 192.168.0.237:1515

Ciocoiu Petrisor

Sep 19, 2022, 7:19:46 AM
to Wazuh mailing list
Hi,

I've fixed the connection between agent server and master node:

root@wazuh-agent:/var/ossec/logs# tail -f ossec.log
2022/09/19 11:14:40 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/09/19 11:14:40 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/09/19 11:14:40 wazuh-modulesd:syscollector: INFO: Module started.
2022/09/19 11:14:40 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/09/19 11:14:41 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/09/19 11:14:45 ossec-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/09/19 11:14:47 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/09/19 11:14:49 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/09/19 11:14:49 sca: INFO: Security Configuration Assessment scan finished. Duration: 9 seconds.
2022/09/19 11:15:01 rootcheck: INFO: Ending rootcheck scan.

### Thus, I have a small warning:

Error getting alerts from compliances
Your environment may not have any index with Wazuh's alerts.
wazuh-agent-1-scan.PNG
wazuh-agent-2-scan.PNG
wazuh-agent-3-scan.PNG

Alejandro Ruiz Becerra

Sep 19, 2022, 7:40:54 AM
to Wazuh mailing list
Hi again Petrisor

Good news that you were able to set up the environment, and my apologies for saying that the agents can be connected to any manager; I forgot that we were at Wazuh 4.1.5. This feature was included in newer versions.

Could you go to the app miscellaneous tab at the app's settings and run a manual healthcheck??

Screenshot from 2022-09-19 13-39-03.png

Ciocoiu Petrisor

Sep 19, 2022, 7:50:37 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
Hi,

I don't have Settings -> Miscellaneous option

image.png


### For Wazuh API log I have this:

App log messages
Refresh
Log file located at /usr/share/kibana/data/wazuh/logs/wazuhapp.log
Sep 16, 2022 @ 18:18:31 INFO Kibana index: .kibana 
Sep 16, 2022 @ 18:18:31 INFO App revision: 4108 
Sep 16, 2022 @ 18:18:31 INFO Total RAM: 64264MB 
Sep 16, 2022 @ 18:18:31 ERROR getaddrinfo ENOTFOUND wazuh-master wazuh-master:55000 
Sep 19, 2022 @ 13:29:22 ERROR Cannot set property 'extensions' of undefined 
Sep 19, 2022 @ 13:29:22 ERROR Cannot set property 'extensions' of undefined 
Sep 19, 2022 @ 13:30:01 ERROR Error searching or creating 'wazuh-statistics-2022.38w' due to 'resource_already_exists_exception'
Sep 19, 2022 @ 14:10:01 INFO [object Object]
Sep 19, 2022 @ 14:10:01 INFO [object Object]


Thank you
Petrisor

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a56666ae-24f2-4566-b568-363f556c31e4n%40googlegroups.com.

Alejandro Ruiz Becerra

Sep 19, 2022, 9:29:14 AM
to Wazuh mailing list
What's shown in the `About` section?

Ciocoiu Petrisor

Sep 19, 2022, 9:58:49 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
Here is the About info:

image.png

Ciocoiu Petrisor

Sep 20, 2022, 4:21:36 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
Hi,

Could you please let me know what is not working here for error: "Error getting alerts for compliances..."

image.png

Regards,
Petrisor

Alejandro Ruiz Becerra

Sep 20, 2022, 4:30:04 AM
to Wazuh mailing list
Hello again Petrisor

I've never seen that error message myself. I'll talk to my colleagues about this. Furthermore, I've also set up an environment with Wazuh 4.1.5 in order to guide you through the app better, as that version is a bit old already.

Could you please navigate to the Kibana's dev tools and check the indices? As follows:

Screenshot from 2022-09-20 10-28-13.png

Ciocoiu Petrisor

Sep 20, 2022, 4:42:05 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
Hi,
Seems that the wazuh-alerts index is missing.

image.png

Alejandro Ruiz Becerra

Sep 20, 2022, 5:03:08 AM
to Wazuh mailing list
Let me investigate how to solve it.


In the meantime, could you please check if the filebeat service is working properly??

Filebeat is installed along the Wazuh manager (same node). In there, please run the following command in a terminal: filebeat test output

Ciocoiu Petrisor

Sep 20, 2022, 5:46:12 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
Hi,

My Filebeat is the problem. I'm using the ELK OSS distribution, and Filebeat should also be the OSS version. To change Filebeat to OSS Filebeat I need to do it from the Wazuh Dockerfile, because I'm using Kubernetes pods. Can you provide me the Wazuh Dockerfile source for 4.1.5?

[root@wazuh-master-0 filebeat]# filebeat test output
elasticsearch: http://elasticsearch:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.247.196.81
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... ERROR Connection marked as failed because the onConnect callback failed: Filebeat requires the default distribution of Elasticsearch. Please update to the default distribution of Elasticsearch for full access to all free features, or switch to the OSS distribution of Filebeat.

Alejandro Ruiz Becerra

Sep 20, 2022, 6:15:58 AM
to Wazuh mailing list
You can use these images:
  • image: wazuh/wazuh-odfe:4.1.5
  • image: amazon/opendistro-for-elasticsearch:1.13.2
  • image: wazuh/wazuh-kibana-odfe:4.1.5
which correspond to:
  • Wazuh manager + Filebeat (ODFE distribution)
  • Elasticsearch (ODFE distribution)
  • Kibana + Wazuh + ODFE plugins

I hope that helps

Keep me updated.

Regards,
Alex

Ciocoiu Petrisor

Sep 20, 2022, 9:46:40 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
1. After installing Wazuh ODFE 4.1.5 I have the error: Check index pattern fields

image.png

2. Filebeat test output is ok now:

image.png



Ciocoiu Petrisor

Sep 20, 2022, 9:48:24 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
The "GET /_cat/indices" shows a few indices:

green open wazuh-monitoring-2022.09.20 6g9EJkj9R-WBI8rI2GM5Ag 2 0 2  0 33.5kb 33.5kb
green open .kibana_1                   WwrKPpSsRGiSwOT2QL3wBg 1 0 8 16 53.5kb 53.5kb
green open wazuh-statistics-2022.38w   BW2M_xxSRGaCPaDMl5vs5A 2 0 2  0 22.6kb 22.6kb




Ciocoiu Petrisor

Sep 20, 2022, 11:16:35 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
I fixed the problem with Filebeat, but now it seems there is a problem with the API login from the Kibana UI; I don't know why.

image.png

The 55000 API is reachable from Kibana and I receive the token when I'm curling:

bash-4.4$ curl -u wazuh-wui:wazuh-wui -k -X GET "https://wazuh-master:55000/security/user/authenticate?raw=true"
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjYzNjg2NjExLCJleHAiOjE2NjM2ODc1MTEsInN1YiI6IndhenVoLXd1aSIsInJ1bl9hcyI6ZmFsc2UsInJiYWNfcm9sZXMiOlsxXSwicmJhY19tb2RlIjoid2hpdGUifQ.19mzLHugVcGWfc5XhzbHRlmOuRA_N8EYz9l5Fy84ME0
bash-4.4$

wazuh.yml config seems fine:

hosts:
  - default:
     url: https://wazuh-master
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

Filebeat is ok:

image.png



Ciocoiu Petrisor

Sep 20, 2022, 11:18:08 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
This Wazuh is killing me:

image.png

Ciocoiu Petrisor

Sep 20, 2022, 11:20:53 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
Another warning; Wazuh is going crazy:

image.png

Alejandro Ruiz Becerra

Sep 20, 2022, 3:12:22 PM
to Wazuh mailing list
Hi again Petrisor

I'm really sorry to see that you're having all these problems. Wazuh is usually much, much easier to set up.

At this point, I think that your environment is so polluted that it's getting harder and harder to get it right, so my advice is to destroy everything and start from scratch; I think it will be much easier.
Don't you worry, I'll be side by side with you, as a guide through the whole process.

From what we've talked, your goal is to set up Wazuh in a Kubernetes cluster. I've been able to install Kubernetes, minikube and a local cluster of Wazuh deployed in Kubernetes in less than an hour, and this is my first experience with Kubernetes, so I've been reading during the last hour about it, and about how to set the whole thing up.

In the following screenshots, you can see a successful deployment of Wazuh 4.3.8 (latest) in Kubernetes:

Screenshot from 2022-09-20 20-59-21.png


Screenshot from 2022-09-20 20-44-41.png


For this, I followed the official Wazuh documentation for a deployment in Kubernetes and the instructions to deploy a local environment hosted at our Github repository. In there, there are also instructions for a cloud environment in EKS.


Regards,
Alex

Ciocoiu Petrisor

Sep 20, 2022, 4:36:11 PM
to Alejandro Ruiz Becerra, Wazuh mailing list
Hi,

You don't have any agent added in your Wazuh to see the behaviour.
I am using the ELK stack on my project and not OpenSearch.

The problem is with the Kibana Wazuh plugin; it doesn't store the credentials for the Wazuh API correctly:

bash-4.4$ tail -f /usr/share/kibana/data/wazuh/logs/wazuhapp.log
{"date":"2022-09-20T20:16:41.167Z","level":"error","location":"wazuh-api:checkAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:16:43.737Z","level":"error","location":"wazuh-api:checkAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:16:59.364Z","level":"error","location":"wazuh-api:checkAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:17:51.221Z","level":"error","location":"wazuh-api:checkAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:17:56.789Z","level":"error","location":"wazuh-api:checkAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:17:59.019Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:17:59.912Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:18:03.898Z","level":"error","location":"wazuh-api:checkAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:21:48.838Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 401"}
{"date":"2022-09-20T20:21:58.173Z","level":"error","location":"wazuh-api:checkStoredAPI","message":"Request failed with status code 401"}

[root@wazuh-master-0 /]# /var/ossec/bin/wazuh-analysisd -f
2022/09/20 20:27:10 wazuh-analysisd: INFO: Total rules enabled: '3882'
2022/09/20 20:27:10 wazuh-analysisd: INFO: Started (pid: 1947).
2022/09/20 20:27:10 wazuh-analysisd: INFO: (7200): Logtest started


I've used the "wazuh/wazuh:4.2.7" and the wazuh-kibana-4.2.7.

Same error,

Ciocoiu Petrisor

Sep 20, 2022, 4:41:44 PM
to Alejandro Ruiz Becerra, Wazuh mailing list
Other logs from Kibana:

{"date":"2022-09-20T20:40:01.218Z","level":"info","location":"Cron-scheduler","data":{"message":"Request failed with status code 401","stack":"Error: Request failed with status code 401\n    at createError (/usr/share/kibana/plugins/wazuh/node_modules/axios/lib/core/createError.js:16:15)\n    at settle (/usr/share/kibana/plugins/wazuh/node_modules/axios/lib/core/settle.js:17:12)\n    at IncomingMessage.handleStreamEnd (/usr/share/kibana/plugins/wazuh/node_modules/axios/lib/adapters/http.js:269:11)\n    at IncomingMessage.emit (events.js:203:15)\n    at endReadableNT (_stream_readable.js:1145:12)\n    at process._tickCallback (internal/process/next_tick.js:63:19)","config":{"url":"https://wazuh-master:55000/manager/stats/remoted?pretty","method":"get","data":"{}","params":{}}}}



Ciocoiu Petrisor

Sep 21, 2022, 2:47:37 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
I used the Docker container image wazuh/wazuh-manager:4.3.8, but I need to change the hosts in output.elasticsearch to "http://elasticsearch:9200", and it is not working from the ENV in the Kubernetes deployment config.

output.elasticsearch:
  hosts: ['https://wazuh.indexer:9200']

Ciocoiu Petrisor

Sep 21, 2022, 3:33:05 AM
to Alejandro Ruiz Becerra, Wazuh mailing list

Alejandro Ruiz Becerra

Sep 21, 2022, 5:44:06 AM
to Wazuh mailing list
Hi Petrisor

Please update me with your latest status, so I can help you out.

By default, the user of the Wazuh API is wazuh, and the password is wazuh.

Ciocoiu Petrisor

Sep 21, 2022, 5:58:07 AM
to Alejandro Ruiz Becerra, Wazuh mailing list
Hi,

I fixed it, do you know how? 

When Wazuh Kibana gives me the command for adding the Wazuh agents, it is adding an argument: WAZUH_PROTOCOL='UDP'

curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.8-1_amd64.deb && sudo WAZUH_MANAGER='192.168.0.237' WAZUH_PROTOCOL='UDP' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent.deb

The fix is to remove the argument "WAZUH_PROTOCOL='UDP'" from the line and run it without it, and now it's working.

Another issue that I have: why doesn't it show me the icon for Wazuh?

image.png

Alejandro Ruiz Becerra

Sep 21, 2022, 7:58:53 AM
to Wazuh mailing list
Great news that you could solve it.

About the icon, please check in browser's dev tools if there is any failed request related to the images. See the image for reference (in Chrome)

Screenshot from 2022-09-21 13-57-35.png