Kibana login failed


Flek Kontrec

May 3, 2023, 6:34:52 AM
to Wazuh mailing list
Hi,

I'm using Wazuh 7.10.2 installed on one Ubuntu 20.04 server. Wazuh was running OK, I was able to log in to Kibana, data was visible, but this changed a few days ago and I'm not able to log in anymore. When I try to log in, using admin/wazuh/mine users, it says 'Loading Elastic' and after a few seconds just reloads the login screen and asks for user/pass again. Kibana is complaining about the SSL certificate not being valid. I've chosen to proceed to the login screen even though it's not safe. I've checked the certificate and its expiry date and it seems OK.

What should I check to solve this issue? Is it possible that the certificate problem is preventing access?

Regards

Flek Kontrec

May 3, 2023, 6:40:47 AM
to Wazuh mailing list
When loading the Kibana web page, I see this (screenshot) for a moment before the user/pass screen is displayed.
Scr.jpg

Marcos Javier Bonacci

May 3, 2023, 6:55:42 AM
to Wazuh mailing list
Hi Flek,
Thank you for using Wazuh.
To determine the cause of the problem, you could share the following logs:
cat /var/log/elasticsearch/<elasticsearch-cluster-name>.log | grep -i -E "error|warn"
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
(Please check and hide sensitive information)
And if possible you could share with us the output of:
cat /usr/share/kibana/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
Do you remember if any passwords have been changed (admin, kibana, etc)?
I look forward to your comments,
Javier

Flek Kontrec

May 3, 2023, 7:21:33 AM
to Wazuh mailing list
Hi,

cat /var/log/elasticsearch/<elasticsearch-cluster-name>.log | grep -i -E "error|warn"
For example:
[2023-05-03T08:01:41,629][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Cannot retrieve roles for User [name=wazuh, backend_roles=[admin], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user wazuh found]]; nested: ElasticsearchSecurityException[No user wazuh found];
[2023-05-03T08:58:34,509][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Cannot retrieve roles for User [name=kibanaserver, backend_roles=[], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user kibanaserver found]]; nested: ElasticsearchSecurityException[No user kibanaserver found];

These are the entries when trying to log in:
[2023-05-03T13:06:01,712][WARN ][c.a.o.s.a.BackendRegistry] [node-1] Authentication finally failed for admin from 127.0.0.1:57592
[2023-05-03T13:06:28,982][WARN ][c.a.o.s.a.BackendRegistry] [node-1] Authentication finally failed for admin from 127.0.0.1:57592
[2023-05-03T13:07:04,935][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Cannot retrieve roles for User [name=admin, backend_roles=[admin], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user admin found]]; nested: ElasticsearchSecurityException[No user admin found];

cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
Nothing is returned.

cat /usr/share/kibana/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
Attached in out1.txt.

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
...
2023/05/03 03:21:23 wazuh-logcollector: ERROR: Discarding audit message because of invalid syntax.
2023/05/03 03:21:23 wazuh-logcollector: ERROR: Discarding audit message because of invalid syntax.
2023/05/03 11:45:59 wazuh-logcollector: ERROR: Discarding audit message because of invalid syntax.
2023/05/03 11:45:59 wazuh-logcollector: ERROR: Discarding audit message because of invalid syntax.

Passwords were not changed. Just to add, Wazuh is integrated with LDAP but users admin/wazuh are local Wazuh users, not LDAP users.
out1
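
An added example, not part of the thread and not Wazuh's own tooling: a Python triage script for BackendRegistry entries like the ones posted above. It counts failures per user and shows which backend each role lookup was sent to and where failed logins came from. The function names are hypothetical, and the final INFO line in the sample is constructed.

```python
import re
from collections import Counter

# Excerpts of the Elasticsearch log lines posted in this thread
# (the repeated "nested:" tail is trimmed; the last line is constructed noise).
SAMPLE_LOG = """\
[2023-05-03T08:01:41,629][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Cannot retrieve roles for User [name=wazuh, backend_roles=[admin], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user wazuh found]];
[2023-05-03T08:58:34,509][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Cannot retrieve roles for User [name=kibanaserver, backend_roles=[], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user kibanaserver found]];
[2023-05-03T13:06:01,712][WARN ][c.a.o.s.a.BackendRegistry] [node-1] Authentication finally failed for admin from 127.0.0.1:57592
[2023-05-03T13:06:28,982][WARN ][c.a.o.s.a.BackendRegistry] [node-1] Authentication finally failed for admin from 127.0.0.1:57592
[2023-05-03T13:07:04,935][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Cannot retrieve roles for User [name=admin, backend_roles=[admin], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user admin found]];
[2023-05-03T13:08:00,000][INFO ][o.e.n.Node] [node-1] started
"""

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]\s*\[(?P<node>[^\]]+)\]\s*(?P<msg>.*)$")
ROLES = re.compile(r"Cannot retrieve roles for User \[name=(?P<user>[^,\]]+).*?\] from (?P<backend>\w+) due to")
AUTH = re.compile(r"Authentication finally failed for (?P<user>\S+) from (?P<src>\S+)")


def summarize(log_text):
    """Count BackendRegistry failures per (user, kind, detail)."""
    counts = Counter()
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head or not head["logger"].endswith("BackendRegistry"):
            continue  # other loggers and continuation lines are ignored
        msg = head["msg"]
        if (m := ROLES.search(msg)):
            # detail = the authorization backend that could not resolve the user
            counts[(m["user"], "roles_lookup_failed", m["backend"])] += 1
        elif (m := AUTH.search(msg)):
            # detail = client address with the ephemeral port removed
            counts[(m["user"], "auth_failed", m["src"].rsplit(":", 1)[0])] += 1
    return counts


def report(counts):
    """Render one line per finding, most frequent first."""
    return [f"{n:>3}  {user:<14} {kind:<20} {detail}"
            for (user, kind, detail), n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

To run it against a real node, pass the contents of /var/log/elasticsearch/<elasticsearch-cluster-name>.log to `summarize()` instead of `SAMPLE_LOG`.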