API error connection in 4.8.0 Alpha2 testing

[davidcr01]

Wazuh	Rev	Browser
4.8.0	40802 (Alpha2)	Chrome

Description

In the Wazuh installation assistant testing of the 4.8.0 Alpha2, we have found an error in the Wazuh web interface related to the Wazuh manager API connection.

Preconditions

1. The system is RHEL9
2. The Wazuh stack has been installed using the Wazuh installation assistant.

Consider that this problem has been reproduced in a RHEL9 system, so maybe the problem is also reproduced in other RHEL systems (in the mentioned issue, the same test was performed in Amazon Linux 2 and this was not reproduced).

Steps to reproduce

1. Download the 4.8.0 Alpha 2 Wazuh installation assistant. curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
2. Install the Wazuh stack. bash wazuh-install.sh -a -i

Expected Result

1. No related errors in the /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log logfile.

[root@ip-172-31-46-45 ec2-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
{"date":"2024-01-12T15:26:42.750Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-01-12T15:27:11.308Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-01-12T15:30:00.418Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-01-12T15:45:00.852Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-01-12T16:00:00.753Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
[root@ip-172-31-46-45 ec2-user]# 

2. No error message in the Wazuh web interface.

Note: the warning message of the VD index is not related to this.

Actual Result
The error and log messages mentioned previously

Additional context

I checked the Wazuh API and it was running and available. Related: https://documentation.wazuh.com/current/user-manual/api/getting-started.html

[root@ip-172-31-46-45 ec2-user]# curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"

{"data": {"title": "Wazuh API REST", "api_version": "4.8.0", "revision": 40802, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/v4.8.0/LICENSE", "hostname": "ip-172-31-46-45.ec2.internal", "timestamp": "2024-01-12T16:51:35Z"}, "error": 0}[root@ip-172-31-46-45 ec2-user]# 

The /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file had the correct content:

hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: "UEEq8k1zB2m?Yy?et4IVoOc1+pQUEOQi"
      run_as: false

[rauldpm]

Source issue: wazuh/wazuh#21361

The same behavior has been found in Fedora 38, but the deployment of a single component in different nodes does not show this behavior, see: wazuh/wazuh#21361 (comment)

• wazuhapp.log

[root@ip-172-31-39-248 fedora]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log 
{"date":"2024-01-15T14:46:51.410Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2024-01-15T14:46:51.411Z","level":"info","location":"initialize","message":"App revision: 02"}
{"date":"2024-01-15T14:46:51.411Z","level":"info","location":"initialize","message":"Total RAM: 7826MB"}
{"date":"2024-01-15T14:46:51.821Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-01-15T14:47:03.884Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2024-01-15T14:47:03.885Z","level":"info","location":"initialize","message":"App revision: 02"}
{"date":"2024-01-15T14:47:03.885Z","level":"info","location":"initialize","message":"Total RAM: 7826MB"}
{"date":"2024-01-15T14:47:04.266Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}

• ossec.log

[root@ip-172-31-39-248 fedora]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log  | wc -l
0

• Wazuh manager service

[root@ip-172-31-39-248 fedora]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Mon 2024-01-15 14:45:36 UTC; 16min ago
      Tasks: 164 (limit: 9348)
     Memory: 321.2M
        CPU: 26.221s
     CGroup: /system.slice/wazuh-manager.service
             ├─3637 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─3677 /var/ossec/bin/wazuh-authd
             ├─3691 /var/ossec/bin/wazuh-db
             ├─3714 /var/ossec/bin/wazuh-execd
             ├─3726 /var/ossec/bin/wazuh-analysisd
             ├─3736 /var/ossec/bin/wazuh-syscheckd
             ├─3803 /var/ossec/bin/wazuh-remoted
             ├─3841 /var/ossec/bin/wazuh-logcollector
             ├─3858 /var/ossec/bin/wazuh-monitord
             ├─3868 /var/ossec/bin/wazuh-modulesd
             ├─4126 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─4129 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             └─4132 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

Jan 15 14:45:32 ip-172-31-39-248.ec2.internal env[3581]: Started wazuh-analysisd...
Jan 15 14:45:33 ip-172-31-39-248.ec2.internal env[3581]: Started wazuh-syscheckd...

---

Temporary fix

• Modifying the localhost to the public instance IP in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml fixed (apparently) the connection issue

[gdiazlo]

I could not reproduce this with the mentioned system under local virtualization. As I see from the tests, the settings from firewalld might have impacted the test.

Also, the cloudinit script from AWS might do some initialization to the system, which cannot be simulated properly under other virtualization platforms. We will test if the default usage of IPV6 in these machines is causing the problem.

[gdiazlo]

Being worked on wazuh/wazuh-packages#2771

[davidcr01]

The error was again reported here: wazuh/wazuh#21799 (comment)

[root@ip-172-31-39-137 ec2-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
{"date":"2024-02-07T13:26:44.748Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-02-07T13:27:43.560Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
[root@ip-172-31-39-137 ec2-user]# 

Although the configuration of the wazuh.yml is correct and the health check is also correct:

hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "+ghIh1et+rIFYNN391E+4S*hgOgBeexC"
      run_as: false