
Wazuh API - Invalid Credentials #1151

Open
mighty-services opened this issue Dec 14, 2023 · 7 comments

Comments

@mighty-services

I have followed your setup guide to a single-node server instance just like in the docs. The only thing I added was the IP address of the Ubuntu 22.04 VM where Wazuh should reside.

After that, the installation went smoothly, and I can use the admin password from the end of the installation to log in to the new dashboard via web browser over HTTPS. Right after that, a warning is displayed:

[screenshot of the dashboard warning]

The Wazuh API details show that the API has invalid credentials:

```
INFO: Current API id [default]
INFO: Checking current API id [default]...
INFO: Current API id [default] has some problem: 3002 - Request failed with status code 403
INFO: Getting API hosts...
INFO: API hosts found: 1
INFO: Checking API host id [default]...
INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Limit of login attempts reached. The current IP has been blocked due to a high number of login attempts
INFO: Removed [navigate] cookie
ERROR: No API available to connect
```

I didn't change these values at any time. The curl command in the indexer part worked fine with the password that the output gave at the end of the indexer installation.

Another error seems to be in the "" section:

```
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timeline:max_buckets]: 200000
INFO: App setting [timeline:max_buckets]: 200000
INFO: Settings mismatch [timeline:max_buckets]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [metaFields]: ["_source","_index"]
INFO: App setting [metaFields]: ["_source","_index"]
INFO: Settings mismatch [metaFields]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timepicker:timeDefaults]: {"from":"now-24h","to":"now"}
INFO: App setting [timepicker:timeDefaults]: "{\"from\":\"now-24h\",\"to\":\"now\"}"
INFO: Settings mismatch [timepicker:timeDefaults]: no
```

When I click on the button `Go to Settings`, I see the guide to check the status of the service:

[screenshot of the settings guide]

And the defined credentials for wazuh-ui, which match the output I saw within the wazuh-install-files.tar file.

I saw this issue popping up already here #2115 and here #2111. At least the last one is way older than the release 4.7.0 I am using right now.

Since I'm not a developer, rather a sysadmin desperately needing this awesome tool to work, I don't know how to debug the API with the curl command like suggested here.
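The manual API check the report asks about, as an added example (not code from this issue or from the Wazuh project): it authenticates against the Wazuh API with curl, the same call the dashboard's "API check" makes, and maps the HTTP status onto the failure classes seen in the log above. It assumes the API listens on port 55000 with a self-signed certificate (hence `-k`), and that a 403 whose body mentions error 3099 is the login-attempt block; both are assumptions taken from the log lines, not from the API reference.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Wazuh project.
# Assumptions: API on port 55000 with a self-signed cert (-k); a 403 whose
# body contains 3099 is the "limit of login attempts reached" block.

# classify_api_response CODE BODY -> prints ok, bad-credentials, blocked,
# forbidden, unreachable or other. Pure, so it can be checked without a server.
classify_api_response() {
    code="$1"; body="$2"
    case "$code" in
        200) echo ok ;;
        401) echo bad-credentials ;;   # dashboard's API password != manager's
        403) case "$body" in
                 *3099*) echo blocked ;;   # too many failed logins; wait out the block
                 *)      echo forbidden ;;
             esac ;;
        000) echo unreachable ;;       # curl never reached port 55000 (network/firewall)
        *)   echo other ;;
    esac
}

# check_wazuh_api HOST USER PASSWORD -> one authentication request against the
# documented endpoint; prints the class and returns 0 only on success.
check_wazuh_api() {
    host="$1"; user="$2"; pass="$3"
    tmp=$(mktemp)
    code=$(curl -sk -u "$user:$pass" -o "$tmp" -w '%{http_code}' \
        -X POST "https://$host:55000/security/user/authenticate?raw=true")
    result=$(classify_api_response "$code" "$(cat "$tmp")")
    rm -f "$tmp"
    echo "$result"
    [ "$result" = ok ]
}

# Usage: WAZUH_API_PASSWORD=... ./wazuh_api_check.sh <host> [user]
# The password comes from the environment so it does not land in shell history.
if [ "$#" -ge 1 ]; then
    check_wazuh_api "$1" "${2:-wazuh-wui}" "${WAZUH_API_PASSWORD:?set WAZUH_API_PASSWORD}"
fi
```

Run it from the dashboard host so the source IP is the one the API sees; a `blocked` result means the block window has to expire before any further attempt can succeed, and `bad-credentials` points at a mismatch between the dashboard's configured API password and the manager's.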

@KSroido

KSroido commented Jun 23, 2024

Same problem here.

@schneich

schneich commented Jun 26, 2024

Hi @mighty-services,

could you share your yml? I have had the exact same error. In my case, I had changed the volume paths and changed them unknowingly to bind mounts. After figuring this out, the containers were able to connect to each other. For my network settings, have a look here and here.

Chris

@KSroido

KSroido commented Jun 27, 2024

> Hi @mighty-services,
>
> could you share your yml? I have had the exact same error. In my case, I had changed the volume paths and changed them unknowingly to bind mounts. After figuring this out, the containers were able to connect to each other. For my network settings, have a look here and here.
>
> Chris

I reinstalled my Ubuntu VM and followed the doc, then did it again; now I'm all good. I didn't save my yml file in the past error case.

@EricSeastrand

> Hi @mighty-services,
>
> could you share your yml? I have had the exact same error. In my case, I had changed the volume paths and changed them unknowingly to bind mounts. After figuring this out, the containers were able to connect to each other. For my network settings, have a look here and here.
>
> Chris

Wait, bind mounts don’t work? Any idea which paths are affected?
Facing a similar issue with the Docker setup guide. I too changed them to bind mounts out of habit.

@schneich

Hi @EricSeastrand,

Well, I tried to solve it by manually setting the permissions on my bind mounts, but folders get created when a container starts for the first time, and then the folder permissions are wrong and it does not work...

Docker Community recommended this: https://dev.to/rimelek/everything-about-docker-volumes-1ib0#custom-volume-path-overview
You basically use Docker volumes, but bind them to a custom path. It feels the same as a simple bind mount, but it's technically different, as folder permissions are handled by the container, as it is with volumes.

Have a look at my yaml and how I defined the custom volume paths.

Good luck,
Chris

@EricSeastrand

EricSeastrand commented Jul 1, 2024

Thank you for this clue! I was able to get up and running by using volumes as recommended. Even better: I've found a way to still use bind mounts! At least, I think; it's working so far.

Disclaimer: This is almost certainly an unsupported configuration, but if you have some hard req about bind mounts, this may help.

Process goes like:

1. Use the "stock" docker-compose.yml from the Wazuh official repo (which uses volumes, not bind mounts).
2. Start the stack one time with the Docker volumes (to populate the volumes with files). Then stop the stack.
3. Using a separate container, mount those volumes + bind-mount a directory to be the long-term home of the Wazuh files.
4. `rsync -av` all the files in those volumes to the bind mount, taking care to preserve all the permissions and ownership (`-a` flag).
5. Edit the docker-compose.yml, and replace all the Docker volumes with regular bind mounts in your newly rsync'd directory.
6. Start the stack again, test thoroughly.
7. (maybe reqd?) Set `node.max_local_storage_nodes=3` in wazuh.indexer.yml. *See below
8. (optional) Do review @schneich's docker-compose.yml as it does many things "better" than the official one imo. Ex: set a timezone, give the stack and containers more concise names, `restart: unless-stopped`.

For me, it was very important to use bind mounts because I regularly migrate containers/stacks between several hosts using Portainer. My storage layer is backed by GlusterFS (mounted as OS level; not using any docker plugins). I first tried @schneich approach, but when I tried migrating the stack from HostA to HostB, all 3 containers "started" but had errors and the Wazuh frontend would not load. Presumably because HostA created the volume, and now HostB is being told "create a volume in this dir, which already contains files and metadata". Using bind mounts solves all of that, because docker isn't expecting to have full control over the volume dir. Yes, permissions become a PiTA, but I'm OK with that tradeoff.

  • I set node.max_local_storage_nodes=3 to overcome an opensearch error about failure to acquire a file lock (which broke the whole Wazuh app just moments after starting the stack and seeing it "work"). This setting seemed safe because I never plan to have two of these running at once (much less doing concurrent writes). Still, this feels dirty and dangerous and I don't like it. Next step will be to run standalone opensearch node on each host, and handle redundancy at the application level. Besides: Directly connected NVMe is likely better for this workload than GlusterFS (as much as I love it).

Hope this helps someone and saves them the days-long debugging expedition I just returned from :)
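Steps 3 and 4 of the recipe above as a script, added here as an example (not the commenter's own script and not part of the Wazuh project): a throwaway container mounts every populated named volume read-only and copies it into one bind-mount root with `rsync -a`, so the ownership and modes the containers created survive. It assumes the stack was started once with the stock compose file, that compose prefixed the volume names with the project name (`PROJECT`), that `alpine` with `rsync` installed via `apk` is an acceptable helper image, and that `DRY_RUN=1` should print the docker command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the comment above or from the Wazuh project.
# Assumptions: volume names are <PROJECT>_<volume>; helper image is alpine
# plus rsync from apk; DRY_RUN=1 prints the docker command instead of running it.

# The named volumes the stock docker-compose.yml declares.
WAZUH_VOLUMES="wazuh_api_configuration wazuh_etc wazuh_logs wazuh_queue \
wazuh_var_multigroups wazuh_integrations wazuh_active_response \
wazuh_agentless wazuh_wodles filebeat_etc filebeat_var \
wazuh-indexer-data wazuh-dashboard-config wazuh-dashboard-custom"

# volume_mount_args PROJECT -> -v flags mounting each volume read-only at
# /src/<name> inside the helper container.
volume_mount_args() {
    project="$1"; args=""
    for v in $WAZUH_VOLUMES; do
        args="$args -v ${project}_${v}:/src/${v}:ro"
    done
    echo "$args"
}

# rsync_script -> the loop run inside the helper; single quotes keep $d and
# $(basename ...) for the inner shell. -a preserves owner, group, mode, links.
rsync_script() {
    echo 'apk add --no-cache rsync >/dev/null && for d in /src/*; do rsync -a "$d/" "/dst/$(basename "$d")/"; done'
}

# migrate_volumes PROJECT DEST -> run (or, with DRY_RUN=1, print) the helper.
# Each volume ends up at DEST/<volume name>, ready for step 5 of the recipe.
migrate_volumes() {
    project="$1"; dest="$2"
    run="${DRY_RUN:+echo}"
    [ -n "$run" ] || mkdir -p "$dest"
    # $(volume_mount_args) is deliberately unquoted so the flags word-split.
    $run docker run --rm $(volume_mount_args "$project") -v "$dest:/dst" \
        alpine sh -c "$(rsync_script)"
}
```

After the copy, step 5 maps each `DEST/<volume name>` directory onto the container path the stock file mounted that volume at; check ownership inside `DEST` against what `docker run --rm -v <volume>:/v alpine ls -ln /v` reports before switching the stack over.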

@victornavorskie

victornavorskie commented Sep 10, 2024

I have the same problem with this setup.

```yaml
version: '3.7'
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.8.2
    hostname: wazuh.manager
    restart: unless-stopped
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      INDEXER_URL: https://wazuh.indexer:9200
      INDEXER_USERNAME: admin
      INDEXER_PASSWORD: admin
      FILEBEAT_SSL_VERIFICATION_MODE: full
      SSL_CERTIFICATE_AUTHORITIES: /etc/ssl/root-ca.pem
      SSL_CERTIFICATE: /etc/ssl/filebeat.pem
      SSL_KEY: /etc/ssl/filebeat.key
      API_USERNAME: wazuh-wui
      API_PASSWORD: MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
    networks:
      - backend
      - proxy

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.2
    hostname: wazuh.indexer
    restart: unless-stopped
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - "9200:9200"
    environment:
      OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g"
      bootstrap.memory_lock: "true"
      NODE_NAME: "wazuh.indexer"
      CLUSTER_INITIAL_MASTER_NODES: "wazuh.indexer"
      CLUSTER_NAME: "wazuh-cluster"
      PATH_DATA: /var/lib/wazuh-indexer
      PATH_LOGS: /var/log/wazuh-indexer
      HTTP_PORT: 9200-9299
      TRANSPORT_TCP_PORT: 9300-9399
      COMPATIBILITY_OVERRIDE_MAIN_RESPONSE_VERSION: "true"
      PLUGINS_SECURITY_SSL_HTTP_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      PLUGINS_SECURITY_SSL_HTTP_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
      PLUGINS_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
      PLUGINS_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      PLUGINS_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
      PLUGINS_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
      PLUGINS_SECURITY_SSL_HTTP_ENABLED: "true"
      PLUGINS_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION: "false"
      PLUGINS_SECURITY_SSL_TRANSPORT_RESOLVE_HOSTNAME: "false"
      PLUGINS_SECURITY_AUTHCZ_ADMIN_DN: "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
      PLUGINS_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES: "true"
      PLUGINS_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE: "true"
      PLUGINS_SECURITY_NODES_DN: "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
      PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED: '["all_access", "security_rest_api_access"]'
      PLUGINS_SECURITY_SYSTEM_INDICES_ENABLED: "true"
      PLUGINS_SECURITY_SYSTEM_INDICES_INDICES: '[".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]'
      PLUGINS_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX: "true"
      CLUSTER_ROUTING_ALLOCATION_DISK_THRESHOLD_ENABLED: "false"
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      #  if you need to mount a custom opensearch.yml, uncomment the next line and delete the environment variables
      # - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
    networks:
      - backend
      - proxy

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.2
    hostname: wazuh.dashboard
    restart: unless-stopped
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - 443:5601
    environment:
      WAZUH_API_URL: https://wazuh.manager
      DASHBOARD_USERNAME: kibanaserver
      DASHBOARD_PASSWORD: kibanaserver
      # must match API_USERNAME / API_PASSWORD on wazuh.manager
      API_USERNAME: wazuh-wui
      API_PASSWORD: MyS3cr37P450r.*-
      SERVER_HOST: 0.0.0.0
      SERVER_PORT: 5601
      OPENSEARCH_HOSTS: https://wazuh.indexer:9200
      OPENSEARCH_SSL_VERIFICATIONMODE: certificate
      OPENSEARCH_REQUESTHEADERSALLOWLIST: '["securitytenant","Authorization"]'
      OPENSEARCH_SECURITY_MULTITENANCY_ENABLED: "false"
      SERVER_SSL_ENABLED: "true"
      OPENSEARCH_SECURITY_READONLY_MODE_ROLES: '["kibana_read_only"]'
      SERVER_SSL_KEY: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
      SERVER_SSL_CERTIFICATE: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
      OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: '["/usr/share/wazuh-dashboard/certs/root-ca.pem"]'
      UISETTINGS_OVERRIDES_DEFAULTROUTE: /app/wz-home
    volumes:
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/wazuh.yml:/wazuh-config-mount/data/wazuh/config/wazuh.yml
      #  if you need to mount a custom opensearch-dashboards.yml, uncomment the next line and delete the environment variables
      # - ./config/wazuh_dashboard/opensearch_dashboards.yml:/wazuh-config-mount/config/opensearch_dashboards.yml
    labels:
      - traefik.enable=true
      - traefik.http.routers.wazuh.entrypoints=https
      - traefik.http.routers.wazuh.rule=Host(`wazuh.x.x.de`)
      - traefik.http.routers.wazuh.tls=true
      - traefik.http.routers.wazuh.tls.certresolver=cloudflare
      - traefik.http.services.wazuh-service.loadbalancer.server.port=5601
      - traefik.http.services.wazuh-service.loadbalancer.server.scheme=https
    networks:
      - backend
      - proxy
    depends_on:
      - wazuh.indexer
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager

volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  wazuh-dashboard-config:
  wazuh-dashboard-custom:

networks:
  backend:
    internal: true
  proxy:
    external: true
```

Any help will be appreciated.
