Error when Securing Wazuh installation for multinode cluster setup.


azizi hack

Aug 9, 2022, 4:16:46 AM
to Wazuh mailing list
I have followed all the steps in the link below without any error:

https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/step-by-step.html

I have restarted the dashboard, indexer, filebeat and wazuh-manager without error.

But when I try to access the Wazuh web console/dashboard, I get the errors attached.

When I run this script, I get this output: "Wazuh API admin credentials not provided, Wazuh API passwords not changed."

root@elk01#/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
09/08/2022 15:46:01 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
09/08/2022 15:46:33 INFO: The password for user admin is turcZY6I8ogf3KCNQ.c.V0DDsmnOUHNI
09/08/2022 15:46:33 INFO: The password for user kibanaserver is +PB63wf.Hn0hkuPCS2Ec*R1m2T51uiOW
09/08/2022 15:46:33 INFO: The password for user kibanaro is .B6f9UAXbXb9AhYWc0zC62taMLzwc8Au
09/08/2022 15:46:33 INFO: The password for user logstash is YQJ.NzPlVO2S4U4.1DvV.*jOe70yXGbj
09/08/2022 15:46:33 INFO: The password for user readall is W1Iboeay.YQ8bLeTj*q*9*Xx7vujCMVc
09/08/2022 15:46:33 INFO: The password for user snapshotrestore is II9FIP66XbLuGEINyLdbyZ0F4e*26LLs
09/08/2022 15:46:33 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.

What should I do now? Kindly help. Appreciate it. Thanks.




Capture2.JPG
Capture1.JPG

victor....@wazuh.com

Aug 9, 2022, 5:15:11 AM
to Wazuh mailing list

Hello azizih,
If we check your indexed error, "[API connection] Error connecting to API: 2001 - bad indentation of a mapping entry at line 214", it seems that there is an indentation error in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml, probably in the following block:

hosts:
  - default:
     url: https://172.31.3.120
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

Maybe the error was introduced while changing the default Wazuh API credentials. Please check that the indentation is correct, and also that the password corresponds to the new one specified in this step. Then restart your dashboard:

systemctl restart wazuh-dashboard

If the problem persists, please share the following information with us:

- Did you follow all the previous installation steps for the rest of the components?
- Share the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

Regarding your script warning, if you want to change the API credentials, you need to use the -au and -ap parameters in order to provide the API admin user and password:

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all -au wazuh-wui -ap wazuh-wui

If you have any doubts, do not hesitate to ask.
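The indentation check suggested in the reply above can be scripted. This is an added example, not part of the thread and not Wazuh code: a simplified checker for block-mapping indentation (not a full YAML parser), run over a constructed hosts block whose address and password are placeholders.

```python
import re

# Constructed sample of the hosts block in wazuh.yml (address and password
# are placeholders). "password" carries one extra space of indentation.
BROKEN = """\
hosts:
  - production:
     url: https://192.0.2.10
     port: 55000
     username: wazuh-wui
      password: example-Passw0rd
     run_as: false
"""
FIXED = BROKEN.replace("      password", "     password")

# Optional "- " list marker, a key, then ":" followed by a value or end of line.
KEY_RE = re.compile(r"^(- +)?([A-Za-z_][\w.-]*):(?:\s+(.*))?$")

def check_indentation(text):
    """Return [(line_number, message)] for block-mapping indentation errors."""
    problems = []
    levels = []            # indentation columns of the open mapping levels
    prev_opens = True      # True when the previous key had no inline value
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.lstrip(" \t")
        if not body or body.startswith("#"):
            continue       # blank lines and comments carry no structure
        lead = raw[: len(raw) - len(body)]
        if "\t" in lead:
            problems.append((lineno, "tab character in indentation"))
            continue
        m = KEY_RE.match(body)
        if not m:
            continue
        col = len(lead) + len(m.group(1) or "")
        value = (m.group(3) or "").strip()
        if not levels or col > levels[-1]:
            if levels and not prev_opens:
                problems.append((lineno, f"'{m.group(2)}' is indented deeper than its siblings"))
            else:
                levels.append(col)
        else:
            while levels and levels[-1] > col:
                levels.pop()
            if not levels or levels[-1] != col:
                problems.append((lineno, f"'{m.group(2)}' matches no enclosing indentation level"))
                levels.append(col)
        prev_opens = value == "" or value.startswith("#")
    return problems

if __name__ == "__main__":
    for lineno, message in check_indentation(BROKEN):
        print(f"line {lineno}: {message}")
```

To check a real file, pass its contents to check_indentation() and compare the reported line numbers with the one in the dashboard error.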

azizi hack

Aug 9, 2022, 7:59:00 AM
to Wazuh mailing list
Hello Victor,

Thanks for the prompt response. Appreciate it.

Below are the steps that I followed:

#TOKEN=$(curl -u wazuh-wui:wazuh-wui -k -X GET "https://192.168.50.201:55000/security/user/authenticate?raw=true")

#curl -k -X PUT "https://192.168.50.201:55000/security/users/1" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
{
  "password": "P@ssword123?"
}'

#curl -k -X PUT "https://192.168.50.201:55000/security/users/2" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
{
  "password": "P@ssword123?"
}'


#vi /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

hosts:
  - production:
     url: https://192.168.50.201
     port: 55000
     username: wazuh-wui
     password: P@ssword123?
     run_as: false

#systemctl restart wazuh-dashboard

#/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all -au wazuh-wui -ap P@ssword123?  <----- I added this as per your advice.

09/08/2022 19:30:38 INFO: The password for user admin is O4IfsYxQXgv53lRPvldW.f4C+jF1naQR
09/08/2022 19:30:38 INFO: The password for user kibanaserver is hcDyW6Ou5bdp4XYhcoXZrMYq+4MDokkq
09/08/2022 19:30:38 INFO: The password for user kibanaro is qa*k?k*MUbAiF+1.XNzMM5fQBURcG.vA
09/08/2022 19:30:38 INFO: The password for user logstash is +rXetgQ68JhCGd+qxsAo290JCcZ*hIE4
09/08/2022 19:30:38 INFO: The password for user readall is iU*2j49?BeXS7pDtDcR80edn*8BrTJXD
09/08/2022 19:30:38 INFO: The password for user snapshotrestore is 9kU.jIP+i+ZWcW*R8yTmbz18zy701qhg
09/08/2022 19:30:38 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.


I run this on every Wazuh server:

#echo O4IfsYxQXgv53lRPvldW.f4C+jF1naQR | filebeat keystore add password --stdin --force
#systemctl restart filebeat
#filebeat test output

elasticsearch: https://192.168.50.101:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.50.101
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://192.168.50.102:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.50.102
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://192.168.50.103:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.50.103
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

I run this on the dashboard server:

#echo hcDyW6Ou5bdp4XYhcoXZrMYq+4MDokkq | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
#systemctl restart wazuh-dashboard

Unfortunately, I still got the same error :(
Please help. Thanks.

victor....@wazuh.com

Aug 10, 2022, 4:24:40 AM
to Wazuh mailing list

I have replicated your steps in my environment without success; the whole environment seems to work correctly.
In this case, if you are getting the same error, "Bad indentation of a mapping entry", I suggest sending back your complete /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file. The error should be there.
