socfortress / CoPilot

SOCFortress CoPilot
https://www.socfortress.co
GNU Affero General Public License v3.0

Delete customer leaves all the provisioning data on all the systems #228

Closed SecurityArsenal closed 4 weeks ago

SecurityArsenal commented 1 month ago

When I delete a customer from Copilot, it leaves all the provisioning data and the Customer can't be added or the name can't be used as it didn't clean up the systems.

How do I remove all the provisioning data for a customer? It seems it keeps putting the files back even if I manually remove them from each server.

SecurityArsenal commented 1 month ago

Failed to send DELETE request to /api/system/indexer/indices/wazuh-c1_0 with error: The current deflector target index (wazuh-c1_0) cannot be deleted, when I try to delete it within Copilot.

Is there a way to reset all the customer settings so it can be done clean without having to reinstall to get around this?

I can't seem to provision any customers, the process never completes.

Is there a version of Grafana we should use? I noticed 11 doesn't work, 10.4.3 maybe that is not compatible either. I couldn't find any info about what versions we should use in the blogs.

taylorwalton commented 1 month ago

Hey @SecurityArsenal I'm sorry to hear you are having difficulties. I'll do my best to address each of your questions as it sounds like there is a misunderstanding as to what Copilot is performing.

  1. Delete customer from Copilot: Can you help me understand what you mean by putting the files back? What files are getting put onto what servers? To do a full customer deletion you would first deprovision the customer, then once the customer is deprovisioned, delete the customer.

  2. Delete index: It sounds like wazuh-c1_0 is the current active index. Graylog does not allow the deletion of the currently active index. You can only delete indexes that are no longer active. You can always manually rotate the index within the Graylog UI. This would create a new index wazuh-c1_1 and allow you to delete the wazuh-c1_0 index.

  3. Connector Settings: You can update each of the connector's settings through the Connectors tab within CoPilot.

  4. Grafana 11: Can you provide the errors you are seeing with Grafana 11? I am using Grafana 11 myself and have not seen any issues.

ioscanner commented 1 month ago

I see it. I found all the places it leaves items to remove if something happens when trying to provision and it fails, because you have to manually go back through and remove it on all of the systems to try again. Would be nice if it cleaned up or had a delete option to ensure anything with that index or name will not interfere with provisioning.

Grafana 11: I notice the data source for wazuh gives me this when I looked inside it: WAZUH Type OpenSearch Alerting Not supported Type: undefined

It did the same thing for 10.4.3. It turns out that is no longer included; you must run this command to get the plugin: grafana-cli plugins install grafana-opensearch-datasource

After that all is good. So it works. You should add that to your docs and video. So now, this is a feature request. A clean up option to remove clients that fail and all the settings Copilot adds, to allow a system to be restored to new and add new users and wazuh agents, or do you already have a CLI program to do this? Either would be great.

ioscanner commented 1 month ago

Ok, seems there is still a bug. Grafana 11, it will load sometimes, say the summary board, but then refresh and it will give an error: Templating Failed to upgrade legacy queries

This seems to be random and times where it will never do the normal searching before loading the dashboard just the error. Sometimes restarting Grafana and it works.

Have you seen this?

taylorwalton commented 4 weeks ago

I have not seen that error before... is your wazuh-indexer cluster healthy? As this seems to be an issue with Grafana rather than Copilot, I am closing this issue.