Bump Wazuh dashboard to OpenSearch Dashboards 2.8.0 #2392

Closed
7 of 15 tasks
rauldpm opened this issue Aug 30, 2023 · 9 comments · Fixed by #2398
Labels: level/task (Subtask issue), type/change (Change requested), type/enhancement (Enhancement issue)


rauldpm commented Aug 30, 2023

Description

It is necessary to adapt the Wazuh dashboard to version 2.8.0 of OpenSearch Dashboards
Request: https://github.com/wazuh/internal-devel-requests/issues/194

Tasks

Validation

  • The package operates normally and without errors

Working branch

@rauldpm rauldpm added level/task Subtask issue type/enhancement Enhancement issue type/change Change requested labels Aug 30, 2023
@wazuhci wazuhci moved this to Backlog in Release 4.6.0 Aug 30, 2023
@juliamagan juliamagan self-assigned this Aug 31, 2023
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.6.0 Aug 31, 2023

juliamagan commented Aug 31, 2023

  • Branch: fix/2392-bump-2.8.0-dashboard

  • Blocked by Bump Wazuh dashboard app to OpenSearch 2.8.0 #2393:

    Updating files: 100% (9491/9491), done.
    + mkdir -p plugin_platform_source/plugins
    + mv plugin_platform_source /tmp/source
    + install_dependencies
    + cd /tmp/source
    + change_node_version '>=14.20.1' '<19'
    ++ node -v
    + installed_node_version=v10.24.1
    + node_version='>=14.20.1'
    + n '>=14.20.1'
    
      Error: invalid version '>=14.20.1'
    

@rauldpm rauldpm self-assigned this Aug 31, 2023

rauldpm commented Aug 31, 2023

Update report

 => ERROR [4/8] RUN yum install -y https://repo.ius.io/ius-release-el$(rpm -E '%{rhel}').rpm       5.2s 
------                                                                                                  
 > [4/8] RUN yum install -y https://repo.ius.io/ius-release-el$(rpm -E '%{rhel}').rpm:                  
#0 1.612 Extra Packages for Enterprise Linux 8 - x86_64   17 MB/s |  16 MB     00:00                    
#0 3.910 Last metadata expiration check: 0:00:03 ago on Thu Aug 31 15:08:12 2023.                       
#0 4.939 [MIRROR] ius-release-el8.rpm: Status code: 404 for https://repo.ius.io/ius-release-el8.rpm (IP: 104.121.19.37)                                                                                         
#0 4.998 [MIRROR] ius-release-el8.rpm: Status code: 404 for https://repo.ius.io/ius-release-el8.rpm (IP: 104.121.19.37)
#0 5.071 [MIRROR] ius-release-el8.rpm: Status code: 404 for https://repo.ius.io/ius-release-el8.rpm (IP: 104.121.19.37)
#0 5.123 [MIRROR] ius-release-el8.rpm: Status code: 404 for https://repo.ius.io/ius-release-el8.rpm (IP: 104.121.19.37)
#0 5.123 [FAILED] ius-release-el8.rpm: Status code: 404 for https://repo.ius.io/ius-release-el8.rpm (IP: 104.121.19.37)
#0 5.130 Status code: 404 for https://repo.ius.io/ius-release-el8.rpm (IP: 104.121.19.37)
------
Dockerfile:10
--------------------
   8 |         glibc-devel libtool perl
   9 |     
  10 | >>> RUN yum install -y https://repo.ius.io/ius-release-el$(rpm -E '%{rhel}').rpm  
  11 |     
  12 |     RUN yum update -y && yum install -y python3
--------------------
ERROR: failed to solve: process "/bin/sh -c yum install -y https://repo.ius.io/ius-release-el$(rpm -E '%{rhel}').rpm" did not complete successfully: exit code: 1
  • The base generation also fails due to brotli changes (the v1.1.0 tag does not have bootstrap); the tag v1.0.9 will be used
 => ERROR [5/7] RUN cd brotli && chmod +x ./bootstrap && ./bootstrap && ./configure --prefix=/usr  0.3s
------                                                                                                  
 > [5/7] RUN cd brotli && chmod +x ./bootstrap && ./bootstrap && ./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib64/brotli --libdir=/usr/lib64/brotli --datarootdir=/usr/share --mandir=/usr/share/man/man1 --docdir=/usr/share/doc     && make && make install:
#0 0.283 chmod: cannot access './bootstrap': No such file or directory
  • Base generation is successful after setting the v1.0.9 tag
Base generation output
─➤  bash generate_base.sh --app-url https://packages-dev.wazuh.com/warehouse/test/4.6/ui/dashboard/wazuh-4.6.0-wp.2392.zip                                                                                    1 ↵
[+] Building 32.9s (12/12) FINISHED                                                                                                                                                                                
 => [internal] load build definition from Dockerfile                                                                                                                                                          0.0s
 => => transferring dockerfile: 907B                                                                                                                                                                          0.0s
 => [internal] load .dockerignore                                                                                                                                                                             0.0s
 => => transferring context: 2B                                                                                                                                                                               0.0s
 => [internal] load metadata for docker.io/library/rockylinux:8.5                                                                                                                                             0.7s
 => [internal] load build context                                                                                                                                                                             0.0s
 => => transferring context: 13.22kB                                                                                                                                                                          0.0s
 => [1/7] FROM docker.io/library/rockylinux:8.5@sha256:5fed5497b568bcf7a90a00965987fc099edbcf44b1179a5ef6d4b47758281ca5                                                                                       0.0s
 => CACHED [2/7] RUN yum clean all && yum update -y                                                                                                                                                           0.0s
 => CACHED [3/7] RUN yum install -y     curl     tar     findutils     git     xz      gcc     make     bc     sed     gzip     autoconf     automake     libtool     python3-devel     python3-pip     jq    0.0s
 => [4/7] RUN git clone https://github.com/google/brotli.git -b v1.0.9                                                                                                                                        4.6s
 => [5/7] RUN cd brotli && chmod +x ./bootstrap && ./bootstrap && ./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib64/brotli --libdir=/usr/lib64/brotli --datarootdir=/  25.9s 
 => [6/7] ADD builder.sh /usr/local/bin/builder                                                                                                                                                               0.1s 
 => [7/7] RUN chmod +x /usr/local/bin/builder                                                                                                                                                                 0.4s 
 => exporting to image                                                                                                                                                                                        1.0s 
 => => exporting layers                                                                                                                                                                                       1.0s 
 => => writing image sha256:5d010b35eac7ccd02d43b7cb11013f56156fe208be40116a7d1395acab2eb5c8                                                                                                                  0.0s 
 => => naming to docker.io/library/dashboard_base_builder                                                                                                                                                     0.0s 
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
The directory '/root/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/root/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pathfix.py
  Downloading https://files.pythonhosted.org/packages/1f/83/c0eddbfa9ca88d7900e8cf7a8b622967deef388d972ce21630484a52e842/pathfix.py-0.6.2.tar.gz
Installing collected packages: pathfix.py
  Running setup.py install for pathfix.py ... done
Successfully installed pathfix.py-0.6.2
Archive:  wazuh-4.6.0-wp.2392.zip
  inflating: opensearch-dashboards/wazuh/package.json  
v16.20.0
Removing queryWorkbenchDashboards...
Plugin removal complete
v16.20.0
Removing anomalyDetectionDashboards...
Plugin removal complete
v16.20.0
Removing observabilityDashboards...
Plugin removal complete
v16.20.0
Removing securityAnalyticsDashboards...
Plugin removal complete
v16.20.0
Removing searchRelevanceDashboards...
Plugin removal complete
Base file wazuh-dashboard-base-4.6.0-1-linux-x64.tar.xz added to /wazuh-packages/2392/stack/dashboard/base/output.
  • Apparently, the repo.ius.io repository has deprecated version 8, keeping only version 7; the image has been updated to amd64/centos:7. After this, the Wazuh dashboard RPM package shows the following error:
error: Installed (but unpackaged) file(s) found:
   /usr/share/wazuh-dashboard/bin/use_node


RPM build errors:
    File listed twice: /usr/share/wazuh-dashboard/node/bin/node
    Installed (but unpackaged) file(s) found:
   /usr/share/wazuh-dashboard/bin/use_node
  • Added new file to RPM SPECS file with 750 permissions
  • Wazuh dashboard RPM package built successfully
Wrote: /build/rpmbuild/RPMS/x86_64/wazuh-dashboard-4.6.0-1.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.ks7G7i
+ umask 022
+ cd /build/rpmbuild/BUILD
+ rm -fr /build/rpmbuild/BUILDROOT/wazuh-dashboard-4.6.0-1.x86_64
+ exit 0
Package wazuh-dashboard-4.6.0-1.x86_64.rpm.sha512 added to /wazuh-packages/2392/stack/dashboard/rpm/output.
  • Testing Wazuh dashboard Debian package build process
  • The Wazuh dashboard Debian package has been built successfully
dpkg-deb: building package 'wazuh-dashboard' in '../wazuh-dashboard_4.6.0-1_amd64.deb'.
 dpkg-genbuildinfo --build=binary
 dpkg-genchanges --build=binary >../wazuh-dashboard_4.6.0-1_amd64.changes
dpkg-genchanges: info: binary-only upload (no source code included)
 dpkg-source --after-build .
dpkg-buildpackage: info: binary-only upload (no source included)

WARNING generated by debuild:
Making debian/rules executable!

Package wazuh-dashboard_4.6.0-1_amd64.deb.sha512 added to /wazuh-packages/2392/stack/dashboard/deb/output.


rauldpm commented Aug 31, 2023

Update report

31/08/2023 21:42:10 INFO: Wazuh indexer post-install configuration finished.
31/08/2023 21:42:10 INFO: Starting service wazuh-indexer.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /lib/systemd/system/wazuh-indexer.service.
Job for wazuh-indexer.service failed because the control process exited with error code.
See "systemctl status wazuh-indexer.service" and "journalctl -xeu wazuh-indexer.service" for details.
31/08/2023 21:42:10 INFO: wazuh-indexer service started.
31/08/2023 21:42:10 INFO: Initializing Wazuh indexer cluster security settings.
Aug 31 21:42:10 debian12agent (trypoint)[5746]: wazuh-indexer.service: Failed at step EXEC spawning /usr/share/wazuh-indexer/bin/systemd-entrypoint: Permission denied
Aug 31 21:42:10 debian12agent (trypoint)[5746]: wazuh-indexer.service: Failed to locate executable /usr/share/wazuh-indexer/bin/systemd-entrypoint: Permission denied

@wazuhci wazuhci moved this from In progress to On hold in Release 4.6.0 Aug 31, 2023
@rauldpm rauldpm linked a pull request Aug 31, 2023 that will close this issue
6 tasks

rauldpm commented Sep 1, 2023

Update report

01/09/2023 17:31:55 INFO: Initializing Wazuh dashboard web application.
01/09/2023 17:31:55 INFO: Wazuh dashboard web application not yet initialized. Waiting...
01/09/2023 17:32:10 INFO: Wazuh dashboard web application not yet initialized. Waiting...
01/09/2023 17:32:25 INFO: Wazuh dashboard web application not yet initialized. Waiting...
01/09/2023 17:32:40 INFO: Wazuh dashboard web application not yet initialized. Waiting...
01/09/2023 17:32:55 INFO: Wazuh dashboard web application not yet initialized. Waiting...
01/09/2023 17:33:10 INFO: Wazuh dashboard web application not yet initialized. Waiting...
01/09/2023 17:33:25 INFO: Wazuh dashboard web application not yet initialized. Waiting...
Sep 01 17:30:46 centos7 opensearch-dashboards[7973]: Error: ENOENT: no such file or directory, open '/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml'
  • Also found an undesired output of the Wazuh app node version; an issue must be created
01/09/2023 17:30:46 INFO: wazuh-dashboard service started.
v16.20.0
01/09/2023 17:31:55 INFO: Initializing Wazuh dashboard web application.
  • A step-by-step installation has been done in CentOS 7 and the same error appeared when starting the Wazuh dashboard
Sep 01 18:01:52 centos7 opensearch-dashboards[18509]: Error: ENOENT: no such file or directory, open '/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml'

  • Hypothesis: OpenSearch Dashboards has modified the way it is started internally, possibly a breaking change

  • Service start error
[root@centos7 a]# systemctl status wazuh-dashboard.service 
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2023-09-01 19:26:43 UTC; 26s ago
  Process: 11191 ExecStart=/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /etc/wazuh-dashboard/opensearch_dashboards.yml (code=exited, status=1/FAILURE)
 Main PID: 11191 (code=exited, status=1/FAILURE)

Sep 01 19:26:43 centos7 systemd[1]: Started wazuh-dashboard.
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: v16.20.0
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: node:internal/fs/utils:347
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: throw err;
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: ^
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: Error: ENOENT: no such file or directory, open '/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml'
Sep 01 19:26:43 centos7 systemd[1]: wazuh-dashboard.service: main process exited, code=exited, status=1/FAILURE
Sep 01 19:26:43 centos7 systemd[1]: Unit wazuh-dashboard.service entered failed state.
Sep 01 19:26:43 centos7 systemd[1]: wazuh-dashboard.service failed.
  • Journalctl output
-- Logs begin at Fri 2023-09-01 17:23:39 UTC, end at Fri 2023-09-01 19:26:43 UTC. --
Sep 01 19:26:43 centos7 systemd[1]: wazuh-dashboard.service failed.
Sep 01 19:26:43 centos7 systemd[1]: Unit wazuh-dashboard.service entered failed state.
Sep 01 19:26:43 centos7 systemd[1]: wazuh-dashboard.service: main process exited, code=exited, status=1/FAILURE
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: Error: ENOENT: no such file or directory, open '/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml'
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: ^
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: throw err;
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: node:internal/fs/utils:347
Sep 01 19:26:43 centos7 opensearch-dashboards[11191]: v16.20.0
Sep 01 19:26:43 centos7 systemd[1]: Started wazuh-dashboard.
Sep 01 19:21:53 centos7 systemd[1]: wazuh-dashboard.service failed.
Sep 01 19:21:53 centos7 systemd[1]: Unit wazuh-dashboard.service entered failed state.
Sep 01 19:21:53 centos7 systemd[1]: wazuh-dashboard.service: main process exited, code=exited, status=1/FAILURE
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: }
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: path: '/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml'
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: code: 'ENOENT',
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: syscall: 'open',
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: errno: -2,
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at Module.load (node:internal/modules/cjs/loader:1074:32) {
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at Object.Module._extensions..js (node:internal/modules/cjs/loader:1250:10)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at Module._compile (node:internal/modules/cjs/loader:1196:14)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at Object.<anonymous> (/usr/share/wazuh-dashboard/src/cli/dist.js:32:18)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at module.exports (/usr/share/wazuh-dashboard/src/apm.js:58:15)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at exports.loadConfiguration (/usr/share/wazuh-dashboard/node_modules/@osd/apm-config-loader/target/config_loader.js:43:38)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at Object.exports.getConfigFromFiles (/usr/share/wazuh-dashboard/node_modules/@osd/apm-config-loader/target/utils/read_config.js:62:22)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at readYaml (/usr/share/wazuh-dashboard/node_modules/@osd/apm-config-loader/target/utils/read_config.js:37:52)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at Object.readFileSync (node:fs:458:35)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: at Object.openSync (node:fs:590:3)
Sep 01 19:21:53 centos7 opensearch-dashboards[10277]: Error: ENOENT: no such file or directory, open '/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml'
  • Possible fix, change path in OpenSearch code
    • Path: /usr/share/wazuh-dashboard/node_modules/@osd/utils/target/path/index.js
    • Value to change
      • path_1.join(cross_platform_1.REPO_ROOT, 'config/opensearch_dashboards.yml'),
      • path_1.join('/etc/wazuh-dashboard/', 'opensearch_dashboards.yml'),
  • After this change, the Wazuh dashboard starts normally


ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
  • Needed to push the template, but no alerts registered, maybe related to the 4.6.0 template
# curl -XPUT -k -u admin:admin 'https://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @template.json
{"acknowledged":true}

  • Debian and RPM AIO deployments succeeded
  • No alerts show in the Wazuh dashboard, probably related to the wazuh/wazuh template
  • Test_stack builds are terminating in a SUCCESS state


rauldpm commented Sep 4, 2023

Update report

  • The issue is On hold due to Wazuh indexer errors
  • Changed ETA from 09/01/2023 to 09/05/2023 due to password change and template errors


rauldpm commented Sep 4, 2023

Update report

  • Found error upgrading Wazuh dashboard from 4.5.1
root@debian11:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2023-09-04 15:54:42 UTC; 7s ago
    Process: 101158 ExecStart=/usr/share/wazuh-dashboard/bin/opensearch-dashboards (code=exited, status=1/FAILURE)
   Main PID: 101158 (code=exited, status=1/FAILURE)
        CPU: 2.200s

Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at InnerSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/InnerSubscriber.js:28:21)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at InnerSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at DistinctUntilChangedSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/distinctUntilChanged.js:69:30)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at DistinctUntilChangedSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Main process exited, code=exited, status=1/FAILURE
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Failed with result 'exit-code'.
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Consumed 2.200s CPU time.
Full upgrade output
root@debian11:/home/vagrant# curl -sO https://packages.wazuh.com/4.5/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
04/09/2023 15:36:51 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.1
04/09/2023 15:36:51 INFO: Verbose logging redirected to /var/log/wazuh-install.log
04/09/2023 15:36:59 WARNING: Hardware and system checks ignored.
04/09/2023 15:37:00 INFO: --- Dependencies ----
04/09/2023 15:37:00 INFO: Installing apt-transport-https.
04/09/2023 15:37:01 INFO: Installing software-properties-common.
04/09/2023 15:37:10 INFO: Wazuh repository added.
04/09/2023 15:37:10 INFO: --- Configuration files ---
04/09/2023 15:37:10 INFO: Generating configuration files.
04/09/2023 15:37:10 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
04/09/2023 15:37:11 INFO: --- Wazuh indexer ---
04/09/2023 15:37:11 INFO: Starting Wazuh indexer installation.
04/09/2023 15:38:04 INFO: Wazuh indexer installation finished.
04/09/2023 15:38:04 INFO: Wazuh indexer post-install configuration finished.
04/09/2023 15:38:04 INFO: Starting service wazuh-indexer.
04/09/2023 15:38:31 INFO: wazuh-indexer service started.
04/09/2023 15:38:31 INFO: Initializing Wazuh indexer cluster security settings.
04/09/2023 15:38:41 INFO: Wazuh indexer cluster initialized.
04/09/2023 15:38:41 INFO: --- Wazuh server ---
04/09/2023 15:38:41 INFO: Starting the Wazuh manager installation.
04/09/2023 15:39:14 INFO: Wazuh manager installation finished.
04/09/2023 15:39:14 INFO: Starting service wazuh-manager.
04/09/2023 15:39:30 INFO: wazuh-manager service started.
04/09/2023 15:39:30 INFO: Starting Filebeat installation.
04/09/2023 15:39:33 INFO: Filebeat installation finished.
04/09/2023 15:39:34 INFO: Filebeat post-install configuration finished.
04/09/2023 15:39:34 INFO: Starting service filebeat.
04/09/2023 15:39:35 INFO: filebeat service started.
04/09/2023 15:39:35 INFO: --- Wazuh dashboard ---
04/09/2023 15:39:35 INFO: Starting Wazuh dashboard installation.
04/09/2023 15:40:16 INFO: Wazuh dashboard installation finished.
04/09/2023 15:40:16 INFO: Wazuh dashboard post-install configuration finished.
04/09/2023 15:40:16 INFO: Starting service wazuh-dashboard.
04/09/2023 15:40:17 INFO: wazuh-dashboard service started.
04/09/2023 15:40:37 INFO: Initializing Wazuh dashboard web application.
04/09/2023 15:40:38 INFO: Wazuh dashboard web application initialized.
04/09/2023 15:40:38 INFO: --- Summary ---
04/09/2023 15:40:38 INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: v6w5wLoRWRykbXt4LNTf+EeVzcASt?CI
04/09/2023 15:40:38 INFO: Installation finished.
You have mail in /var/mail/root
root@debian11:/home/vagrant# systemctl stop filebeat
systemctl stop wazuh-dashboard
root@debian11:/home/vagrant# curl -X PUT "https://localhost:9200/_cluster/settings"  -u admin:v6w5wLoRWRykbXt4LNTf+EeVzcASt?CI -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}root@debian11:/home/vagrant# 
root@debian11:/home/vagrant# curl -X POST "https://localhost:9200/_flush/synced" -u admin:v6w5wLoRWRykbXt4LNTf+EeVzcASt?CI -k
{"_shards":{"total":7,"successful":7,"failed":0}}root@debian11:/home/vagrant# systemctl stop wazuh-indexer
root@debian11:/home/vagrant# yum install https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-indexer/wazuh-indexer_4.6.0-wp.2392_amd64.deb
bash: yum: command not found
root@debian11:/home/vagrant# yum install https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-indexer/wazuh-indexer_4.6.0-wp.2392_amd64.deb^C
root@debian11:/home/vagrant# apt install https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-indexer/wazuh-indexer_4.6.0-wp.2392_amd64.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-indexer
root@debian11:/home/vagrant# wget https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-indexer/wazuh-indexer_4.6.0-wp.2392_amd64.deb
--2023-09-04 15:44:03--  https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-indexer/wazuh-indexer_4.6.0-wp.2392_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 143.204.231.40, 143.204.231.78, 143.204.231.67, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|143.204.231.40|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 685485530 (654M) [binary/octet-stream]
Saving to: ‘wazuh-indexer_4.6.0-wp.2392_amd64.deb’

wazuh-indexer_4.6.0-wp.2392_amd64.deb                               100%[==================================================================================================================================================================>] 653.73M  26.3MB/s    in 26s     

2023-09-04 15:44:35 (25.3 MB/s) - ‘wazuh-indexer_4.6.0-wp.2392_amd64.deb’ saved [685485530/685485530]

root@debian11:/home/vagrant# apt install ./wazuh-indexer_4.6.0-wp.2392_amd64.deb 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'wazuh-indexer' instead of './wazuh-indexer_4.6.0-wp.2392_amd64.deb'
The following packages will be upgraded:
  wazuh-indexer
1 upgraded, 0 newly installed, 0 to remove and 53 not upgraded.
Need to get 0 B/685 MB of archives.
After this operation, 1,739 kB disk space will be freed.
Get:1 /home/vagrant/wazuh-indexer_4.6.0-wp.2392_amd64.deb wazuh-indexer amd64 4.6.0-wp.2392 [685 MB]
Reading changelogs... Done
(Reading database ... 186868 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.6.0-wp.2392_amd64.deb ...
Unpacking wazuh-indexer (4.6.0-wp.2392) over (4.5.1-1) ...
Setting up wazuh-indexer (4.6.0-wp.2392) ...
Installing new version of config file /etc/wazuh-indexer/opensearch-notifications-core/notifications-core.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/log4j2.xml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca_cluster_manager.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca_idle_cluster_manager.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/config.yml ...
root@debian11:/home/vagrant# systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
root@debian11:/home/vagrant# curl -k -u admin:v6w5wLoRWRykbXt4LNTf+EeVzcASt?CI https://localhost:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           12          97   8    0.83    0.56     0.35 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
root@debian11:/home/vagrant# curl -X PUT "https://localhost:9200/_cluster/settings" -u admin:v6w5wLoRWRykbXt4LNTf+EeVzcASt?CI -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}root@debian11:/home/vagrant#
root@debian11:/home/vagrant# curl -k -u admin:v6w5wLoRWRykbXt4LNTf+EeVzcASt?CI https://localhost:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           16          97   1    0.28    0.45     0.33 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
root@debian11:/home/vagrant# wget https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-manager/wazuh-manager_4.6.0-wp.2392_amd64.deb
--2023-09-04 15:49:46--  https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-manager/wazuh-manager_4.6.0-wp.2392_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 143.204.231.40, 143.204.231.67, 143.204.231.78, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|143.204.231.40|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 171353850 (163M) [binary/octet-stream]
Saving to: ‘wazuh-manager_4.6.0-wp.2392_amd64.deb’

wazuh-manager_4.6.0-wp.2392_amd64.deb                               100%[==================================================================================================================================================================>] 163.42M  25.8MB/s    in 7.1s    

2023-09-04 15:49:54 (22.9 MB/s) - ‘wazuh-manager_4.6.0-wp.2392_amd64.deb’ saved [171353850/171353850]

root@debian11:/home/vagrant# apt install ./wazuh-manager_4.6.0-wp.2392_amd64.deb 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'wazuh-manager' instead of './wazuh-manager_4.6.0-wp.2392_amd64.deb'
Suggested packages:
  expect
The following packages will be upgraded:
  wazuh-manager
1 upgraded, 0 newly installed, 0 to remove and 53 not upgraded.
Need to get 0 B/171 MB of archives.
After this operation, 1,731 kB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-manager_4.6.0-wp.2392_amd64.deb wazuh-manager amd64 4.6.0-wp.2392 [171 MB]
Reading changelogs... Done        
(Reading database ... 186872 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.6.0-wp.2392_amd64.deb ...
Unpacking wazuh-manager (4.6.0-wp.2392) over (4.5.1-1) ...
Setting up wazuh-manager (4.6.0-wp.2392) ...
root@debian11:/home/vagrant# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
sudo: unable to resolve host debian11: Name or service not known
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/module.yml
root@debian11:/home/vagrant# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.6.0/extensions/elasticsearch/7.x/wazuh-template.json
root@debian11:/home/vagrant# chmod go+r /etc/filebeat/wazuh-template.json
root@debian11:/home/vagrant# systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
root@debian11:/home/vagrant# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-09-04 15:47:51 UTC; 4min 7s ago
       Docs: https://documentation.wazuh.com
   Main PID: 56982 (java)
      Tasks: 65 (limit: 4675)
     Memory: 2.2G
        CPU: 20.194s
     CGroup: /system.slice/wazuh-indexer.service
             └─56982 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTr>

Sep 04 15:47:37 debian11 systemd[1]: Starting Wazuh-indexer...
Sep 04 15:47:39 debian11 systemd-entrypoint[56982]: WARNING: A terminally deprecated method in java.lang.System has been called
Sep 04 15:47:39 debian11 systemd-entrypoint[56982]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
Sep 04 15:47:39 debian11 systemd-entrypoint[56982]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Sep 04 15:47:39 debian11 systemd-entrypoint[56982]: WARNING: System::setSecurityManager will be removed in a future release
Sep 04 15:47:44 debian11 systemd-entrypoint[56982]: WARNING: A terminally deprecated method in java.lang.System has been called
Sep 04 15:47:44 debian11 systemd-entrypoint[56982]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
Sep 04 15:47:44 debian11 systemd-entrypoint[56982]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Sep 04 15:47:44 debian11 systemd-entrypoint[56982]: WARNING: System::setSecurityManager will be removed in a future release
Sep 04 15:47:51 debian11 systemd[1]: Started Wazuh-indexer.
You have new mail in /var/mail/root
root@debian11:/home/vagrant# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
root@debian11:/home/vagrant# wget https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-dashboard/wazuh-dashboard_4.6.0-wp.2392_amd64.deb
--2023-09-04 15:52:31--  https://packages-dev.wazuh.com/staging/apt/pool/main/w/wazuh-dashboard/wazuh-dashboard_4.6.0-wp.2392_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 143.204.231.78, 143.204.231.122, 143.204.231.40, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|143.204.231.78|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178660768 (170M) [binary/octet-stream]
Saving to: ‘wazuh-dashboard_4.6.0-wp.2392_amd64.deb’

wazuh-dashboard_4.6.0-wp.2392_amd64.deb                             100%[==================================================================================================================================================================>] 170.38M  26.2MB/s    in 7.3s    

2023-09-04 15:52:44 (23.3 MB/s) - ‘wazuh-dashboard_4.6.0-wp.2392_amd64.deb’ saved [178660768/178660768]

root@debian11:/home/vagrant# apt install ./wazuh-dashboard_4.6.0-wp.2392_amd64.deb 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'wazuh-dashboard' instead of './wazuh-dashboard_4.6.0-wp.2392_amd64.deb'
The following packages will be upgraded:
  wazuh-dashboard
1 upgraded, 0 newly installed, 0 to remove and 53 not upgraded.
Need to get 0 B/179 MB of archives.
After this operation, 152 MB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-dashboard_4.6.0-wp.2392_amd64.deb wazuh-dashboard amd64 4.6.0-wp.2392 [179 MB]
Reading changelogs... Done
(Reading database ... 186885 files and directories currently installed.)
Preparing to unpack .../wazuh-dashboard_4.6.0-wp.2392_amd64.deb ...
Unpacking wazuh-dashboard (4.6.0-wp.2392) over (4.5.1-1) ...
Setting up wazuh-dashboard (4.6.0-wp.2392) ...
Installing new version of config file /etc/systemd/system/wazuh-dashboard.service ...

Configuration file '/etc/wazuh-dashboard/opensearch_dashboards.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** opensearch_dashboards.yml (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-dashboard/opensearch_dashboards.yml ...
root@debian11:/home/vagrant# systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
root@debian11:/home/vagrant# systemctl status wazuh-dashboard_4.6.0-wp.2392_amd64.deb 
Unit wazuh-dashboard_4.6.0-wp.2392_amd64.deb.service could not be found.
root@debian11:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2023-09-04 15:54:42 UTC; 7s ago
    Process: 101158 ExecStart=/usr/share/wazuh-dashboard/bin/opensearch-dashboards (code=exited, status=1/FAILURE)
   Main PID: 101158 (code=exited, status=1/FAILURE)
        CPU: 2.200s

Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at InnerSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/InnerSubscriber.js:28:21)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at InnerSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at DistinctUntilChangedSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/distinctUntilChanged.js:69:30)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at DistinctUntilChangedSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Main process exited, code=exited, status=1/FAILURE
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Failed with result 'exit-code'.
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Consumed 2.200s CPU time.
  • Apparently related to certificate error
root@debian11:/home/vagrant# journalctl -r -u wazuh-dashboard
-- Journal begins at Mon 2023-09-04 15:35:47 UTC, ends at Mon 2023-09-04 16:05:01 UTC. --
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Consumed 2.200s CPU time.
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Failed with result 'exit-code'.
Sep 04 15:54:42 debian11 systemd[1]: wazuh-dashboard.service: Main process exited, code=exited, status=1/FAILURE
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at DistinctUntilChangedSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at DistinctUntilChangedSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/distinctUntilChanged.js:69:30)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at InnerSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at InnerSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/InnerSubscriber.js:28:21)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at CombineLatestSubscriber.notifyNext (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/observable/combineLatest.js:97:34)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:49:35)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at MapSubscriber.project (/usr/share/wazuh-dashboard/src/core/server/http/http_service.js:61:177)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at new HttpConfig (/usr/share/wazuh-dashboard/src/core/server/http/http_config.js:175:16)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at new SslConfig (/usr/share/wazuh-dashboard/src/core/server/http/ssl_config.js:131:18)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at readFile (/usr/share/wazuh-dashboard/src/core/server/http/ssl_config.js:181:31)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at readFileSync (node:fs:458:35)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]:     at Object.openSync (node:fs:590:3)
Sep 04 15:54:42 debian11 opensearch-dashboards[101158]: Error: ENOENT: no such file or directory, open '/etc/wazuh-dashboard/certs/dashboard-key.pem'
  • Related to configuration file update (certificate name changed due to AIO deployment. Expected)
  • A new error has been found when accessing the Wazuh dashboard UI

Check Wazuh API connection

INFO: Current API id [default]
INFO: Checking current API id [default]...
INFO: Current API id [default] has some problem: 3002 - Request failed with status code 403
INFO: Getting API hosts...
INFO: API hosts found: 1
INFO: Checking API host id [default]...
INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Limit of login attempts reached. The current IP has been blocked due to a high number of login attempts
INFO: Removed [navigate] cookie
ERROR: No API available to connect
  • Maybe related (from Wazuh dashboard journalctl output)
Sep 04 16:10:00 debian11 opensearch-dashboards[101215]: {"type":"log","@timestamp":"2023-09-04T16:10:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":101215,"message":"AxiosError: Request failed with status code 403"}
Sep 04 16:10:00 debian11 opensearch-dashboards[101215]: {"type":"log","@timestamp":"2023-09-04T16:10:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":101215,"message":"AxiosError: Request failed with status code 403"}
Sep 04 16:15:01 debian11 opensearch-dashboards[101215]: {"type":"log","@timestamp":"2023-09-04T16:15:01Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":101215,"message":"AxiosError: Request failed with status code 401"}
Sep 04 16:15:01 debian11 opensearch-dashboards[101215]: {"type":"log","@timestamp":"2023-09-04T16:15:01Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":101215,"message":"AxiosError: Request failed with status code 401"}
  • The Wazuh API shows the following errors
2023/09/04 16:08:58 INFO: wazuh-wui 127.0.0.1 "POST /security/user/authenticate" with parameters {} and body {} done in 0.001s: 403
2023/09/04 16:09:00 WARNING: IP blocked due to exceeded number of logins attempts: 127.0.0.1
2023/09/04 16:10:00 WARNING: IP blocked due to exceeded number of logins attempts: 127.0.0.1
2023/09/04 16:10:00 INFO: wazuh-wui 127.0.0.1 "POST /security/user/authenticate" with parameters {} and body {} done in 0.001s: 403
2023/09/04 16:10:00 WARNING: IP blocked due to exceeded number of logins attempts: 127.0.0.1
2023/09/04 16:10:00 INFO: wazuh-wui 127.0.0.1 "POST /security/user/authenticate" with parameters {} and body {} done in 0.001s: 403
2023/09/04 16:15:00 INFO: wazuh-wui 127.0.0.1 "POST /security/user/authenticate" with parameters {} and body {} done in 0.178s: 401
  • The upgrade also changes the Wazuh dashboard IP, as the opensearch.hosts value was replaced from 127.0.0.1 to localhost. After this value was restored, the Wazuh dashboard service failed with the following message:
DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.

  • The upgrade is successful if the following steps are taken into account
    • The certificate names are changed in the configuration file if the file is overwritten (expected)
    • The Wazuh dashboard configuration file must use localhost or a DNS
    • The Wazuh dashboard wazuh.yml configuration file password must be restored to wazuh-wui default password (Related to the Wazuh API bug already reported)

  • Because IPs cannot be used in the Wazuh dashboard configuration, we are looking for a way to bypass this restriction, since it means that many users will have problems when upgrading the component.
  • The @wazuh/frontend team has been asked about this in case they have more information about this change, since they are in charge of the final fork. The proposed solutions that modify the /etc/wazuh-dashboard/node.options file do not work. Research continues.

@wazuhci wazuhci moved this from On hold to In progress in Release 4.6.0 Sep 4, 2023
@Deblintrake09
Contributor

Update report

  • The documentation for the deprecation of IP usage in the configuration states that FQDNs should be used instead. When trying to use an FQDN in the configuration, the connection to the indexer was refused:

Configuration block

server.host: 0.0.0.0
opensearch.hosts: https://FQDN:9200/
server.port: 443
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
opensearch_security.cookie.secure: true

Connection error found on restart

sep 04 22:34:15 ip-172-31-15-4.ec2.internal systemd[1]: Started wazuh-dashboard.
sep 04 22:34:15 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: v16.20.0
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["info","plugins-service"],"pid":11411,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["info","plugins-service"],"pid":11411,"message":"Plugin \"dataSource\" is disabled."}
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["info","plugins-service"],"pid":11411,"message":"Plugin \"visTypeXy\" is disabled."}
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["info","plugins-service"],"pid":11411,"message":"Plugin \"mlCommonsDashboards\" is disabled."}
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["info","plugins-system"],"pid":11411,"message":"Setting up [44] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,notificationsDashboards,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuh,bfetch]"}
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["info","savedobjects-service"],"pid":11411,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["error","opensearch","data"],"pid":11411,"message":"[ConnectionError]: connect ECONNREFUSED 172.31.15.4:9200"}
sep 04 22:34:18 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:18Z","tags":["error","savedobjects-service"],"pid":11411,"message":"Unable to retrieve version information from OpenSearch nodes."}
sep 04 22:34:21 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:21Z","tags":["error","opensearch","data"],"pid":11411,"message":"[ConnectionError]: connect ECONNREFUSED 172.31.15.4:9200"}
sep 04 22:34:23 ip-172-31-15-4.ec2.internal opensearch-dashboards[11411]: {"type":"log","@timestamp":"2023-09-04T22:34:23Z","tags":["error","opensearch","data"],"pid":11411,"message":"[ConnectionError]: connect ECONNREFUSED 172.31.15.4:9200"}
  • While trying to apply the workaround to ignore the deprecation warning, by adding the --no-warnings option in the script /usr/share/wazuh-dashboard/bin/opensearch-dashboards used by the wazuh-dashboard service, the deprecation warning was still present.
sep 04 22:45:25 ip-172-31-15-4.ec2.internal systemd[1]: Started wazuh-dashboard.
sep 04 22:45:25 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: v16.20.0
sep 04 22:45:28 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:28Z","tags":["info","plugins-service"],"pid":11533,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
sep 04 22:45:28 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:28Z","tags":["info","plugins-service"],"pid":11533,"message":"Plugin \"dataSource\" is disabled."}
sep 04 22:45:28 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:28Z","tags":["info","plugins-service"],"pid":11533,"message":"Plugin \"visTypeXy\" is disabled."}
sep 04 22:45:28 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:28Z","tags":["info","plugins-service"],"pid":11533,"message":"Plugin \"mlCommonsDashboards\" is disabled."}
sep 04 22:45:28 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:28Z","tags":["info","plugins-system"],"pid":11533,"message":"Setting up [44] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,notificationsDashboards,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuh,bfetch]"}
sep 04 22:45:29 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:29Z","tags":["info","savedobjects-service"],"pid":11533,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
sep 04 22:45:29 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:29Z","tags":["info","savedobjects-service"],"pid":11533,"message":"Starting saved objects migrations"}
sep 04 22:45:29 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:29Z","tags":["info","plugins-system"],"pid":11533,"message":"Starting [44] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,notificationsDashboards,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuh,bfetch]"}
sep 04 22:45:29 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:29Z","tags":["listening","info"],"pid":11533,"message":"Server running at https://0.0.0.0:443"}
sep 04 22:45:29 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: {"type":"log","@timestamp":"2023-09-04T22:45:29Z","tags":["info","http","server","OpenSearchDashboards"],"pid":11533,"message":"http server running at https://0.0.0.0:443"}
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: (node:11533) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: (Use `node --trace-deprecation ...` to show where the warning was created)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: Node.js process-warning detected:
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at Object.connect (node:_tls_wrap:1678:15)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at HttpsAgent.createConnection (node:https:147:22)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at HttpsAgent.createSocket (/usr/share/wazuh-dashboard/node_modules/agentkeepalive/lib/_http_agent.js:265:26)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at HttpsAgent.createSocket (/usr/share/wazuh-dashboard/node_modules/agentkeepalive/lib/agent.js:77:11)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at HttpsAgent.addRequest (/usr/share/wazuh-dashboard/node_modules/agentkeepalive/lib/_http_agent.js:239:10)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at new ClientRequest (node:_http_client:335:16)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at Object.request (node:https:357:10)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at HttpConnector.request (/usr/share/wazuh-dashboard/node_modules/elasticsearch/src/lib/connectors/http.js:182:23)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at sendReqWithConnection (/usr/share/wazuh-dashboard/node_modules/elasticsearch/src/lib/transport.js:263:35)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at Object.utils.applyArgs (/usr/share/wazuh-dashboard/node_modules/elasticsearch/src/lib/utils.js:188:19)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at wrapper (/usr/share/wazuh-dashboard/node_modules/lodash/lodash.js:5255:19)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]:     at processTicksAndRejections (node:internal/process/task_queues:78:11)
sep 04 22:46:05 ip-172-31-15-4.ec2.internal opensearch-dashboards[11533]: Terminating process...
sep 04 22:46:05 ip-172-31-15-4.ec2.internal systemd[1]: wazuh-dashboard.service: Main process exited, code=exited, status=1/FAILURE
sep 04 22:46:05 ip-172-31-15-4.ec2.internal systemd[1]: wazuh-dashboard.service: Failed with result 'exit-code'.

@rauldpm
Member Author

rauldpm commented Sep 5, 2023

Update report

  • The error related to not being able to use an IP in the OpenSearch configuration will be investigated by @wazuh/frontend. In the meantime, names should be used.
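
The two configuration conditions reported in this thread (TLS file paths that no longer exist after the configuration file is overwritten, and an IP literal in opensearch.hosts) can be checked before the service is restarted. The script below is an added example, not part of the original thread or of Wazuh's tooling; the function names, the MISSING/IP-HOST labels and the sample files are constructed, and it assumes flat, single-entry settings like those in the configuration block above.

```shell
#!/bin/sh
# Pre-flight check for opensearch_dashboards.yml after a package upgrade (added example).

# Print the value of a flat "key: value" setting, without quotes or list brackets.
yaml_value() {  # $1 = file, $2 = key
    yv_key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key must match literally
    sed -n "s/^$yv_key:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^\[\(.*\)\]$/\1/' -e 's/^"\(.*\)"$/\1/'
}

# Reduce a URL to its host part: https://host:9200/ -> host, https://[::1]:9200 -> [::1]
host_of_url() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' -e 's|/.*$||' \
        -e 's|^[^@]*@||' -e 's|^\(\[[^]]*\]\).*$|\1|' -e '/^\[/!s|:[0-9]*$||'
}

# Succeed when the host is an IPv4 dotted quad or a bracketed IPv6 literal.
is_ip_literal() {
    case "$1" in
        \[*\]) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Print one finding per problem; return 1 if there is any finding, 0 otherwise.
check_dashboard_config() {  # $1 = path to opensearch_dashboards.yml
    cdc_rc=0
    for cdc_key in server.ssl.key server.ssl.certificate opensearch.ssl.certificateAuthorities; do
        cdc_path=$(yaml_value "$1" "$cdc_key")
        # A path that does not exist produces the ENOENT failure shown in the journal.
        if [ -n "$cdc_path" ] && [ ! -f "$cdc_path" ]; then
            echo "MISSING  $cdc_key -> $cdc_path"
            cdc_rc=1
        fi
    done
    cdc_host=$(host_of_url "$(yaml_value "$1" opensearch.hosts)")
    if is_ip_literal "$cdc_host"; then
        echo "IP-HOST  opensearch.hosts uses $cdc_host (the TLS ServerName deprecation warning ends the process)"
        cdc_rc=1
    fi
    return "$cdc_rc"
}

# Constructed sample: certificate files plus one broken and one corrected configuration.
make_sample() {  # $1 = empty directory
    mkdir -p "$1/certs"
    for ms_f in wazuh-dashboard-key.pem wazuh-dashboard.pem root-ca.pem; do
        : > "$1/certs/$ms_f"
    done
    cat > "$1/overwritten.yml" <<EOF
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.ssl.enabled: true
server.ssl.key: "$1/certs/dashboard-key.pem"
server.ssl.certificate: "$1/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["$1/certs/root-ca.pem"]
EOF
    cat > "$1/fixed.yml" <<EOF
server.host: 0.0.0.0
opensearch.hosts: https://localhost:9200
server.ssl.enabled: true
server.ssl.key: "$1/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "$1/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["$1/certs/root-ca.pem"]
EOF
}

# Demo on the constructed sample; replace the path with the real file to check a host.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "== overwritten.yml"
check_dashboard_config "$demo_dir/overwritten.yml" || true
echo "== fixed.yml"
check_dashboard_config "$demo_dir/fixed.yml" && echo "no findings"
rm -rf "$demo_dir"
```

The file test runs as the invoking user; the service account that runs the dashboard also needs read access to the same files.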

@uhlhosting

Guys...

This is terrible!

Version 2.6.0 dates from February 2023.

The latest current release is 2.11.0, soon to be 2.12.0.

Yet I see here you guys are stuck at version 2.8.0.

May I ask, what is going on?

Have you had issues with https://github.com/opensearch-project/opensearch-build ? Address them there, do not chase rabbits here while it seems you go in circles.

A bit more than shameful for a security stack to be left so far behind in versioning with one of the most crucial parts of the whole product. Besides OSSEC...
